Hello Lucas,

here is the error:

(52) Wed Jan 25 13:51:23 2017: Debug: mschap: Executing: /usr/local/pf/bin/ntlm_auth_wrapper --          --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
(52) Wed Jan 25 13:51:23 2017: Debug: mschap:    --> --username=integrazionewifi
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: Creating challenge hash with username: integrazionewifi
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(52) Wed Jan 25 13:51:23 2017: Debug: mschap:    --> --challenge=c7224e97b4103ad9
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(52) Wed Jan 25 13:51:23 2017: Debug: mschap:    --> --nt-response=ad0e31b4fa7cad4f8ebecb1c9eb46025e8c52715f60f9183
(52) Wed Jan 25 13:51:23 2017: ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: External script failed
(52) Wed Jan 25 13:51:23 2017: ERROR: mschap: External script says: Reading winbind reply failed! (0xc0000001)
(52) Wed Jan 25 13:51:23 2017: ERROR: mschap: MS-CHAP2-Response is incorrect

FreeRADIUS tries to use winbind but it can't, so you must join the server
to the domain to fix that, and you need to create a realm that matches
assl10 and points to the domain you just created (Admin GUI).

Also, for just LDAP you need to have the clear password or the NT hash in
the LDAP directory.

http://deployingradius.com/documents/protocols/compatibility.html

Regards
Fabrice

On 2017-01-26 at 04:00, Luca Messori wrote:
>
> Hi Fabrice,
>
> I have attached two files containing the logs saved as you required.
>
> The two file names contain the username used during the test trying to
> connect to the WLAN.
>
>  
>
> I have tested both AD integration (putting PF in the Microsoft domain)
> and LDAP.
>
> Actually we are using LDAP.
>
>  
>
> Thank you very much,
>
> Kind regards
>
>  
>
> */Luca Messori/*
>
> _________________________
>
>
>    *Mead Informatica Srl*
>     *HEAD OFFICE* - Via G. Ferraris, 2 - 42122 Reggio Emilia
>     Tel. +39 0522 265800 Admin tel. 0522265940 -  Fax +39 0522 393306
>     Tel. +39 049 8702540   Fax +39 049 8706249
>
>  
>
>    http://www.meadinformatica.it <http://www.meadinformatica.it/>
>
> -----------------------------------------------------------------------
>
>  
>
> This message may contain information which is confidential or
> privileged. If you are not the intended recipient, please immediately
> notify us and destroy this message and any attachments without
> retaining a copy. Any unauthorized use of this message can expose the
> responsible party to civil and/or criminal penalties.
>
>
> *From:* Fabrice Durand [mailto:[email protected]]
> *Sent:* Wednesday, 25 January 2017 14:18
> *To:* [email protected]
> *Subject:* Re: [PacketFence-users] Issue authenticating WPA2 WLAN
>
>  
>
> Hello Luca,
>
> Are you using an Active Directory?
>
> If it's the case then first you need to join PacketFence to the domain.
>
> Also, can you do a: raddebug -f /usr/local/pf/var/run/radius.sock -t 3000
>
> and retry your authentication (you will have more details).
>
> Regards
>
> Fabrice
>
>  
>
>  
>
> On 2017-01-25 at 04:51, Luca Messori wrote:
>
>     Hi all,
>
>     I’m trying to configure my PF to authenticate wireless users.
>
>      
>
>     I have created a WPA2 enterprise WLAN on my APs and I have
>     configured the PF IP as RADIUS server.
>
>     I have configured an LDAP user source that should be used by the
>     RADIUS server.
>
>     Using pftest I have this output:
>
>     [root@mitelwifi ~]# /usr/local/pf/bin/pftest authentication integrazionewifi <MYPASSWD> <LDAP_SOURCE>
>     Testing authentication for "integrazionewifi"
>
>     Authenticating against <LDAP_SOURCE>
>       Authentication SUCCEEDED against <LDAP_SOURCE> (Authentication successful.)
>       Matched against <LDAP_SOURCE> for 'authentication' rules
>         set_role : impiegati
>         set_access_duration : 5D
>       Did not match against <LDAP_SOURCE>
>
>      
>
>     When a wireless client tries to connect to the WLAN I see this log
>     in the RADIUS log file:
>
>     Wed Jan 25 02:41:29 2017 : Auth: (11)   Login incorrect (eap: Tried to start unsupported EAP type MSCHAPv2 (26)): [<MYDOMAIN>\integrazionewifi] (from client 10.12.15.0/24 port 1 cli 70:77:81:1a:d2:c5 via TLS tunnel)
>     Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 204 seconds
>     Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 204 seconds
>     Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 204 seconds
>     Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 204 seconds
>     Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 204 seconds
>     Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 204 seconds
>     Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Opening additional connection (6), 1 of 64 pending slots used
>     Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Need 2 more connections to reach 10 spares
>     Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Opening additional connection (7), 1 of 63 pending slots used
>     Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   The users session was previously rejected: returning reject (again.)
>     Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
>     Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   to find out the reason why the user was rejected
>     Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
>     Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   what went wrong, and how to fix the problem
>     Wed Jan 25 02:41:29 2017 : Auth: (12) Login incorrect (eap: Failed continuing EAP PEAP (25) session.  EAP sub-module failed): [<MYDOMAIN>\integrazionewifi] (from client 10.12.15.0/24 port 1 cli 70:77:81:1a:d2:c5)
>     Wed Jan 25 02:41:29 2017 : [mac:70:77:81:1a:d2:c5] Rejected user: assl10\integrazionewifi
>
>      
>
>     Using tcpdump I cannot see any connection to the LDAP server.
>
>      
>
>     I don’t understand why I have this log.
>
>     I have enabled PEAP and MSCHAPv2 as authentication methods.
>
>      
>
>     Thank you very much
>
>      
>
>     Luca Messori
>
>      
>
>      
>
> -- 
> Fabrice Durand
> [email protected] <mailto:[email protected]> ::  +1.514.447.4918 (x135) ::  
> www.inverse.ca <http://www.inverse.ca>
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org) 
>

-- 
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
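The two failure signatures quoted in this thread can be triaged mechanically. The script below is an added example for this thread (my own code, not PacketFence's or FreeRADIUS's tooling): it scans raddebug or radius.log output for the "Reading winbind reply failed" and "Tried to start unsupported EAP type" lines, skips the eap_peap "previously rejected" chatter (which the log itself says only echoes an earlier failure), and reports the rejected user, domain and NAS. The signature-to-advice mapping simply restates the reply at the top of this message (join the domain and create a realm; with LDAP alone the backend needs a cleartext password or NT hash). The two sample logs are constructed from the lines quoted above; the `<MYDOMAIN>` placeholder is the one the original poster used.

```python
"""Triage 802.1X rejects in FreeRADIUS/PacketFence debug output.

Added example for this thread; not part of PacketFence or FreeRADIUS.
It maps two error signatures quoted in the thread to the likely cause
and skips the eap_peap "previously rejected" lines, which the log itself
says are only echoes of an earlier failure.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Signatures are the literal messages quoted in the thread; the advice
# column restates the reply (domain join + realm, NT hash / cleartext for LDAP).
SIGNATURES: List[Tuple[re.Pattern, str, str]] = [
    (re.compile(r"Reading winbind reply failed! \((0x[0-9a-f]+)\)"),
     "winbind",
     "ntlm_auth got no answer from winbind: join the PacketFence server to "
     "the AD domain and create a realm that points to it"),
    (re.compile(r"Tried to start unsupported EAP type (\S+) \((\d+)\)"),
     "eap-type",
     "the inner EAP method was refused before any backend lookup (so no LDAP "
     "traffic appears): PEAP/MSCHAPv2 needs a cleartext password or NT hash"),
    (re.compile(r"MS-CHAP2-Response is incorrect"),
     "mschap-fail",
     "MSCHAPv2 verification failed; when a winbind error precedes it, fix that first"),
]

# Lines FreeRADIUS prints after a reject that carry no new information.
NOISE = re.compile(r"previously rejected|read the PREVIOUS messages|"
                   r"reason why the user was rejected|Look for \"reject\"|"
                   r"what went wrong, and how to fix")
REJECT = re.compile(r"Rejected user:\s*(?P<dom>[^\\\s]+)\\(?P<user>\S+)")
NAS = re.compile(r"from client (?P<client>\S+) port (?P<port>\d+)"
                 r"(?: cli (?P<mac>[0-9a-f:]{17}))?")


@dataclass
class Triage:
    causes: List[Tuple[str, str, str]] = field(default_factory=list)  # (tag, matched text, advice)
    user: Optional[str] = None
    domain: Optional[str] = None
    client: Optional[str] = None
    mac: Optional[str] = None
    noise_lines: int = 0


def triage(log_text: str) -> Triage:
    """Scan log lines in order; the first signature seen is the root cause."""
    result = Triage()
    seen = set()
    for line in log_text.splitlines():
        if NOISE.search(line):
            result.noise_lines += 1
            continue
        for pattern, tag, advice in SIGNATURES:
            m = pattern.search(line)
            if m and tag not in seen:  # report each signature once
                seen.add(tag)
                result.causes.append((tag, m.group(0), advice))
        m = REJECT.search(line)
        if m:
            result.domain, result.user = m.group("dom"), m.group("user")
        m = NAS.search(line)
        if m:
            result.client = m.group("client")
            result.mac = m.group("mac") or result.mac
    return result


def root_cause(t: Triage) -> Optional[str]:
    """Tag of the earliest signature, or None when the log shows no known failure."""
    return t.causes[0][0] if t.causes else None


# Constructed samples modelled on the two logs quoted in the thread.
SAMPLE_RADDEBUG = r"""(52) Wed Jan 25 13:51:23 2017: Debug: mschap: Creating challenge hash with username: integrazionewifi
(52) Wed Jan 25 13:51:23 2017: ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: External script failed
(52) Wed Jan 25 13:51:23 2017: ERROR: mschap: External script says: Reading winbind reply failed! (0xc0000001)
(52) Wed Jan 25 13:51:23 2017: ERROR: mschap: MS-CHAP2-Response is incorrect
(52) Wed Jan 25 13:51:23 2017: Info: eap_peap:   The users session was previously rejected: returning reject (again.)
(52) Wed Jan 25 13:51:23 2017: Info: eap_peap:   This means you need to read the PREVIOUS messages in the debug output
(52) Wed Jan 25 13:51:23 2017: Auth: (52) Login incorrect (eap: Failed continuing EAP PEAP (25) session.  EAP sub-module failed): [assl10\integrazionewifi] (from client 10.12.15.0/24 port 1 cli 70:77:81:1a:d2:c5)
(52) Wed Jan 25 13:51:23 2017: [mac:70:77:81:1a:d2:c5] Rejected user: assl10\integrazionewifi
"""

SAMPLE_RADIUS_LOG = r"""Wed Jan 25 02:41:29 2017 : Auth: (11)   Login incorrect (eap: Tried to start unsupported EAP type MSCHAPv2 (26)): [<MYDOMAIN>\integrazionewifi] (from client 10.12.15.0/24 port 1 cli 70:77:81:1a:d2:c5 via TLS tunnel)
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 204 seconds
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   The users session was previously rejected: returning reject (again.)
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   to find out the reason why the user was rejected
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   what went wrong, and how to fix the problem
Wed Jan 25 02:41:29 2017 : Auth: (12) Login incorrect (eap: Failed continuing EAP PEAP (25) session.  EAP sub-module failed): [<MYDOMAIN>\integrazionewifi] (from client 10.12.15.0/24 port 1 cli 70:77:81:1a:d2:c5)
Wed Jan 25 02:41:29 2017 : [mac:70:77:81:1a:d2:c5] Rejected user: assl10\integrazionewifi
"""

if __name__ == "__main__":
    for name, text in (("raddebug", SAMPLE_RADDEBUG), ("radius.log", SAMPLE_RADIUS_LOG)):
        t = triage(text)
        print(f"{name}: user={t.domain}\\{t.user} client={t.client} mac={t.mac} "
              f"(skipped {t.noise_lines} noise line(s))")
        for tag, matched, advice in t.causes:
            print(f"  [{tag}] {matched}\n      -> {advice}")
```

Run it against a real `raddebug -f /usr/local/pf/var/run/radius.sock -t 3000` capture by passing the captured text to `triage()`; the first tag reported is the one to act on, since FreeRADIUS prints the consequences of a failure (MS-CHAP2 mismatch, PEAP "previously rejected") after the line that caused it.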

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
