Thank you for your help and patience.

________________________________

From: Francois Gaudreault [mailto:[email protected]] 
Sent: Friday, August 19, 2011 9:08 AM
To: [email protected]
Subject: Re: [Packetfence-users] EAP failure


You won't lose any features.

Thanks!

On 11-08-19 10:04 AM, Tom Fischer wrote: 

        I can connect if I leave the perl out of the authorize section. I don't have any devices that are doing EAP mac authentication. Am I losing any other features by doing this?

________________________________

        From: Francois Gaudreault [mailto:[email protected]] 
        Sent: Friday, August 19, 2011 7:49 AM
        To: [email protected]
        Subject: Re: [Packetfence-users] EAP failure
        
        
        This is very weird, we are not mangling the User-Name (technically) in the perl module, we are leaving it as-is.  It should not enter that if:
            # is it EAP-based Wired MAC Authentication?
            if (is_eap_mac_autentication()) {
        
        and return NOOP, which I think is the case :
        ++[perl] returns noop
        
        Well, I don't know what to say... A quick fix would be to take out perl from the authorize section unless you have devices that do EAP mac authentication (i.e. Juniper).
        
        On 11-08-18 8:20 PM, Tom Fischer wrote: 

                I turned on all the debugging that I could find. Sure seems to me like the original rad request and the perl output are the same:
                 
                Ready to process requests.
                rad_recv: Access-Request packet from host 10.20.254.220 port 1645, id=206, length=132
                        User-Name = "OG\\tom"
                        Framed-MTU = 1400
                        Called-Station-Id = "0022.90b3.9501"
                        Calling-Station-Id = "0090.4b78.9270"
                        Service-Type = Login-User
                        Message-Authenticator = 0xac81fe949ceb58f2db8dade3959bbab7
                        EAP-Message = 0x0202000b014f475c746f6d
                        NAS-Port-Type = Wireless-802.11
                        NAS-Port = 83948
                        NAS-Port-Id = "83948"
                        NAS-IP-Address = a.b.c.d
                        NAS-Identifier = "ap"
                +- entering group authorize {...}
                ++[preprocess] returns ok
                [eap] EAP packet type response id 2 length 11
                [eap] No EAP Start, assuming it's an on-going EAP conversation
                ++[eap] returns updated
                ++[files] returns noop
                ++[expiration] returns noop
                ++[logintime] returns noop
                GOT CLONE 884732496 0x19257490
                rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
                rlm_perl: RAD_REQUEST: Service-Type = Login-User
                rlm_perl: RAD_REQUEST: Calling-Station-Id = 0090.4b78.9270
                rlm_perl: RAD_REQUEST: Called-Station-Id = 0022.90b3.9501
                rlm_perl: RAD_REQUEST: Message-Authenticator = 0xac81fe949ceb58f2db8dade3959bbab7
                rlm_perl: RAD_REQUEST: User-Name = OG\\tom
                rlm_perl: RAD_REQUEST: NAS-Identifier = ap
                rlm_perl: RAD_REQUEST: EAP-Message = 0x0202000b014f475c746f6d
                rlm_perl: RAD_REQUEST: EAP-Type = Identity
                rlm_perl: RAD_REQUEST: NAS-IP-Address = a.b.c.d
                rlm_perl: RAD_REQUEST: NAS-Port = 83948
                rlm_perl: RAD_REQUEST: NAS-Port-Id = 83948
                rlm_perl: RAD_REQUEST: Framed-MTU = 1400
                rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
                rlm_perl: Added pair Service-Type = Login-User
                rlm_perl: Added pair Calling-Station-Id = 0090.4b78.9270
                rlm_perl: Added pair Called-Station-Id = 0022.90b3.9501
                rlm_perl: Added pair Message-Authenticator = 0xac81fe949ceb58f2db8dade3959bbab7
                rlm_perl: Added pair User-Name = OG\\tom
                rlm_perl: Added pair NAS-Identifier = ap
                rlm_perl: Added pair EAP-Message = 0x0202000b014f475c746f6d
                rlm_perl: Added pair EAP-Type = Identity
                rlm_perl: Added pair NAS-IP-Address = a.b.c.d
                rlm_perl: Added pair NAS-Port = 83948
                rlm_perl: Added pair NAS-Port-Id = 83948
                rlm_perl: Added pair Framed-MTU = 1400
                rlm_perl: Added pair Auth-Type = EAP
                ++[perl] returns noop
                Found Auth-Type = EAP
                +- entering group authenticate {...}
                [eap] Identity does not match User-Name, setting from EAP Identity.
                [eap] Failed in handler
                ++[eap] returns invalid
                Failed to authenticate the user.
                

________________________________

                From: Francois Gaudreault [mailto:[email protected]] 
                Sent: Thursday, August 18, 2011 1:13 PM
                To: [email protected]
                Subject: Re: [Packetfence-users] EAP failure
                
                
                Let's do the test.
                
                Remove the perl module from the authenticate section.
                
                On 11-08-18 2:08 PM, Tom Fischer wrote: 

                        Samba 3.5.11
                        The server is joined to the domain and I can run the ntlm_auth command and login with either name format.
                        I commented out the ntlm_auth line in mschap, but that didn't change anything. We need to enter the EAP tunnel before it will try to authenticate with mschap, don't we?
                        rlm_perl runs packetfence.pm. Is that module having an issue with the backslash?

                        Were the servers you were connecting to Win 2008?
                        
                         
________________________________

                        From: Francois Gaudreault [mailto:[email protected]] 
                        Sent: Thursday, August 18, 2011 12:35 PM
                        To: [email protected]
                        Subject: Re: [Packetfence-users] EAP failure
                        
                        
                        Tom,
                        
                        The weird thing is that I installed that same package on maybe 3 deployments, and it worked at the first try for all of them.  Is it possible that the samba configuration is, for a weird reason, not right? Which version of samba did you install?

                        Can you comment out the ntlm_auth line in the mschap module? At least it should fail saying RADIUS cannot find the proper username.  Are the machines joined to the domain? Can you also provide the samba configuration and your krb5.conf?

                        Also, what are the user rights for:
                        /var/lib/samba/winbindd_privileged/
                        
                        
                        On 11-08-18 1:15 PM, Tom Fischer wrote: 


                                   I gave up on the box I built and downloaded the VM image. I configured and tested the Active Directory connection for Samba. I set up PF with the configurator for option2 ARP. I added a test AP and configured it to authorize through PF. If I try to connect with an XP workstation, I get the identity mismatch from EAP. I get this error whether I use the Windows credentials domain\user

                                rad_recv: Access-Request packet from host a.b.c.d port 1645, id=112, length=132
                                        User-Name = "domain\\user"
                                        Framed-MTU = 1400
                                        Called-Station-Id = "0022.90b3.9501"
                                        Calling-Station-Id = "0090.4b78.9270"
                                        Service-Type = Login-User
                                        Message-Authenticator = 0xcdf952bf1241e5ec93f0736e54d149d6
                                        EAP-Message = 0x0202000b014f475c746f6d
                                        NAS-Port-Type = Wireless-802.11
                                        NAS-Port = 83777
                                        NAS-Port-Id = "83777"
                                        NAS-IP-Address = a.b.c.d
                                        NAS-Identifier = "ap"
                                +- entering group authorize {...}
                                ++[preprocess] returns ok
                                [eap] EAP packet type response id 2 length 11
                                [eap] No EAP Start, assuming it's an on-going EAP conversation
                                ++[eap] returns updated
                                ++[files] returns noop
                                ++[expiration] returns noop
                                ++[logintime] returns noop
                                rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
                                rlm_perl: Added pair Service-Type = Login-User
                                rlm_perl: Added pair Calling-Station-Id = 0090.4b78.9270
                                rlm_perl: Added pair Called-Station-Id = 0022.90b3.9501
                                rlm_perl: Added pair Message-Authenticator = 0xcdf952bf1241e5ecccf0736e54d149d6
                                rlm_perl: Added pair User-Name = domain\\user
                                rlm_perl: Added pair NAS-Identifier = ap
                                rlm_perl: Added pair EAP-Message = 0x0202000b014fdddc746f6d
                                rlm_perl: Added pair EAP-Type = Identity
                                rlm_perl: Added pair NAS-IP-Address = a.b.c.d
                                rlm_perl: Added pair NAS-Port = 83777
                                rlm_perl: Added pair NAS-Port-Id = 83777
                                rlm_perl: Added pair Framed-MTU = 1400
                                rlm_perl: Added pair Auth-Type = EAP
                                ++[perl] returns noop
                                Found Auth-Type = EAP
                                +- entering group authenticate {...}
                                [eap] Identity does not match User-Name, setting from EAP Identity.
                                [eap] Failed in handler
                                ++[eap] returns invalid
                                Failed to authenticate the user.

                                   If I go to manual login on the workstation and enter user@domain, the EAP identity is okay. The only differences that I can see are the EAP response length, and there is a GOT CLONE message for the user@domain.

                                +- entering group authorize {...}
                                ++[preprocess] returns ok
                                [eap] EAP packet type response id 2 length 17
                                [eap] No EAP Start, assuming it's an on-going EAP conversation
                                ++[eap] returns updated
                                ++[files] returns noop
                                ++[expiration] returns noop
                                ++[logintime] returns noop
                                GOT CLONE -1342070192 0xf476580
                                rlm_perl: Added pair NAS-Port-Type = Wireless-802.11

                                   I have no realms defined, and the conf files are as vanilla as they can be. I have tried nostrip in the proxy.conf and tried yes/no for with_ntdomain_hack in the mschap module. Can someone please help me get past this?

                                
        
                                ------------------------------------------------------------------------------
                                Get a FREE DOWNLOAD! and learn more about uberSVN rich system,
                                user administration capabilities and model configuration. Take
                                the hassle out of deploying and managing Subversion and the
                                tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
                                _______________________________________________
                                Packetfence-users mailing list
                                [email protected]
                                https://lists.sourceforge.net/lists/listinfo/packetfence-users



                        -- 
                        Francois Gaudreault, ing. jr
                        [email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
                        Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
                        
        
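The "[eap] Identity does not match User-Name" line in the traces above is an exact, byte-for-byte comparison between the identity carried inside the EAP-Message attribute and the RADIUS User-Name attribute. What follows is an added example, not FreeRADIUS or PacketFence code, that decodes the EAP-Message hex copied from the first trace (0x0202000b014f475c746f6d) and applies the same comparison. It assumes that radiusd -X prints string attributes with backslashes escaped, so the displayed OG\\tom is the six-character OG\tom on the wire; the final doubled-backslash case is a hypothetical to show what kind of value trips the check, not a diagnosis of this thread's problem.

```python
"""Decode the EAP-Message attribute from the radiusd -X traces above and apply
the exact-match test rlm_eap performs between the EAP Identity and User-Name.

Added example, not FreeRADIUS or PacketFence code.  Sample values are copied
from the first trace in this thread; the unescaping rule is an assumption
about how radiusd -X prints string attributes (a backslash is shown as \\\\).
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_eap_message(hex_value):
    """Parse one EAP packet given in the 0x... hex form radiusd prints.
    RFC 3748 layout: Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP Length %d disagrees with the %d bytes present"
                         % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        pkt["type"] = raw[4]
        if raw[4] == EAP_TYPE_IDENTITY:
            # Type-Data is the peer's identity (an NAI); anything after a NUL
            # byte is optional free text and is not part of the identity.
            pkt["identity"] = raw[5:].split(b"\x00", 1)[0].decode("utf-8", "replace")
    return pkt


def unescape_debug_string(printed):
    """Undo the escaping radiusd -X applies to string attributes, so that the
    printed OG\\\\tom becomes the 6-character OG\\tom actually on the wire.
    (Assumption: only the backslash escape matters for the values here.)"""
    return printed.replace("\\\\", "\\")


def identity_matches(user_name, eap_hex):
    """The rlm_eap sanity check: the EAP Identity must equal User-Name byte
    for byte, otherwise the request is rejected with
    '[eap] Identity does not match User-Name'."""
    pkt = parse_eap_message(eap_hex)
    if pkt.get("type") != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Identity packet")
    return pkt["identity"] == user_name


# Copied from the first trace; USER_NAME_AS_PRINTED is the value exactly as
# radiusd -X displayed it, with the surrounding quotes dropped.
EAP_MSG = "0x0202000b014f475c746f6d"
USER_NAME_AS_PRINTED = r"OG\\tom"

if __name__ == "__main__":
    pkt = parse_eap_message(EAP_MSG)
    print("decoded:", pkt)
    on_wire = unescape_debug_string(USER_NAME_AS_PRINTED)
    print("wire User-Name %r matches: %s" % (on_wire, identity_matches(on_wire, EAP_MSG)))
    # Hypothetical: a User-Name that still carries the doubled backslash of
    # the printed form (e.g. after a lossy round trip through a module) fails
    # the same comparison.  Illustration only, not a finding from the thread.
    print("printed form %r matches: %s"
          % (USER_NAME_AS_PRINTED, identity_matches(USER_NAME_AS_PRINTED, EAP_MSG)))
```

Running it decodes the packet as an EAP Response, id 2, 11 bytes in total (the "length 11" the eap module logged), carrying the Identity OG\tom. The on-wire User-Name passes the check; a value that differs by even one byte, such as one with two backslashes, fails it. When chasing a mismatch like this one, decode the EAP-Message and compare its bytes against the User-Name the authenticate section actually sees, rather than trusting the escaped strings in the debug output.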