Hi Luca,
It is still missing the assl10 realm; can you share your realm.conf file?
Is winbind running?
Did you restart radiusd after adding the realm?
Regards
Fabrice
On 2017-01-27 at 12:22, Luca Messori wrote:
>
> Hi Fabrice,
>
> we have reconfigured the Realm and we have done some new tests but we
> have the following error:
>
> (7) Fri Jan 27 12:00:12 2017: ERROR: mschap: External script says:
> Reading winbind reply failed! (0xc0000001)
>
> (7) Fri Jan 27 12:00:12 2017: ERROR: mschap: MS-CHAP2-Response is
> incorrect
>
> I have attached the raddebug output.
>
> Can you help us?
>
> Kind regards
>
> */Luca Messori/*
>
> _________________________
>
> *Mead Informatica Srl*
> *HEAD OFFICE* - Via G. Ferraris, 2 - 42122 Reggio Emilia
> Tel. +39 0522 265800 Tel. admin. 0522265940 - Fax +39 0522 393306
> Tel. +39 049 8702540 Fax +39 049 8706249
>
> http://www.meadinformatica.it
>
> -----------------------------------------------------------------------
>
> This message may contain information which is confidential or
> privileged. If you are not the intended recipient, please immediately
> notify us and destroy this message and any attachments without
> retaining a copy. Any unauthorized use of this message can expose the
> responsible party to civil and/or criminal penalties.
>
> *From:* Fabrice Durand [mailto:[email protected]]
> *Sent:* Thursday, 26 January 2017 14:54
> *To:* [email protected]
> *Subject:* Re: [PacketFence-users] R: Issue authenticating WPA2 WLAN
>
> Hello Luca,
>
> here is the error:
>
> (52) Wed Jan 25 13:51:23 2017: Debug: mschap: Executing:
> /usr/local/pf/bin/ntlm_auth_wrapper -- --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}:
> (52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND
> --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
> (52) Wed Jan 25 13:51:23 2017: Debug: mschap: -->
> --username=integrazionewifi
> (52) Wed Jan 25 13:51:23 2017: Debug: mschap: Creating challenge hash
> with username: integrazionewifi
> (52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND
> --challenge=%{mschap:Challenge:-00}
> (52) Wed Jan 25 13:51:23 2017: Debug: mschap: -->
> --challenge=c7224e97b4103ad9
> (52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND
> --nt-response=%{mschap:NT-Response:-00}
> (52) Wed Jan 25 13:51:23 2017: Debug: mschap: -->
> --nt-response=ad0e31b4fa7cad4f8ebecb1c9eb46025e8c52715f60f9183
> (52) Wed Jan 25 13:51:23 2017: ERROR: mschap: Program returned code
> (1) and output 'Reading winbind reply failed! (0xc0000001)'
> (52) Wed Jan 25 13:51:23 2017: Debug: mschap: External script failed
> (52) Wed Jan 25 13:51:23 2017: ERROR: mschap: External script says:
> Reading winbind reply failed! (0xc0000001)
> (52) Wed Jan 25 13:51:23 2017: ERROR: mschap: MS-CHAP2-Response is
> incorrect
>
> FreeRADIUS tries to use winbind but it can't, so you must join the
> server to the domain to fix that, and you need to create a realm that
> matches assl10 and points to the domain you just created (Admin GUI).
>
> Also, for just LDAP you need to have the clear password or the NT hash
> in the LDAP directory.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Regards
> Fabrice
>
> On 2017-01-26 at 04:00, Luca Messori wrote:
>
> Hi Fabrice,
>
> I have attached two files containing the logs saved as you required.
>
> The two file names contain the username used during the test,
> trying to connect to the WLAN.
>
> I have tested both AD integration (putting PF in the Microsoft
> domain) and LDAP.
>
> Actually we are using LDAP.
>
> Thank you very much,
>
> Kind regards
>
> */Luca Messori/*
>
> *From:* Fabrice Durand [mailto:[email protected]]
> *Sent:* Wednesday, 25 January 2017 14:18
> *To:* [email protected]
> *Subject:* Re: [PacketFence-users] Issue authenticating WPA2 WLAN
>
> Hello Luca,
>
> Are you using an Active Directory?
>
> If that is the case, then first you need to join PacketFence to the
> domain.
>
> Also, can you run: raddebug -f /usr/local/pf/var/run/radius.sock
> -t 3000
>
> and retry your authentication (you will have more details).
>
> Regards
>
> Fabrice
>
> On 2017-01-25 at 04:51, Luca Messori wrote:
>
> Hi all,
>
> I'm trying to configure my PF to authenticate wireless users.
>
> I have created a WPA2 Enterprise WLAN on my APs and I have
> configured the PF IP as RADIUS server.
>
> I have configured an LDAP user source that should be used by
> the RADIUS server.
>
> Using pftest I have this output:
>
> [root@mitelwifi ~]# /usr/local/pf/bin/pftest authentication
> integrazionewifi <MYPASSWD> <LDAP_SOURCE>
>
> Testing authentication for "integrazionewifi"
>
> Authenticating against <LDAP_SOURCE>
>
> Authentication SUCCEEDED against <LDAP_SOURCE>
> (Authentication successful.)
>
> Matched against <LDAP_SOURCE> for 'authentication' rules
>
> set_role : impiegati
>
> set_access_duration : 5D
>
> Did not match against <LDAP_SOURCE>
>
> When a wireless client tries to connect to the WLAN I see this
> log in the RADIUS log file:
>
> Wed Jan 25 02:41:29 2017 : Auth: (11) Login incorrect (eap:
> Tried to start unsupported EAP type MSCHAPv2 (26)):
> [<MYDOMAIN>\integrazionewifi] (from client 10.12.15.0/24 port
> 1 cli 70:77:81:1a:d2:c5 via TLS tunnel)
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing
> connection (1): Hit idle_timeout, was idle for 204 seconds
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing
> connection (2): Hit idle_timeout, was idle for 204 seconds
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing
> connection (3): Hit idle_timeout, was idle for 204 seconds
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing
> connection (4): Hit idle_timeout, was idle for 204 seconds
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing
> connection (0): Hit idle_timeout, was idle for 204 seconds
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing
> connection (5): Hit idle_timeout, was idle for 204 seconds
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Opening
> additional connection (6), 1 of 64 pending slots used
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Need 2 more
> connections to reach 10 spares
>
> Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Opening
> additional connection (7), 1 of 63 pending slots used
>
> Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: The users
> session was previously rejected: returning reject (again.)
>
> Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: This means
> you need to read the PREVIOUS messages in the debug output
>
> Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: to find out
> the reason why the user was rejected
>
> Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: Look for
> "reject" or "fail". Those earlier messages will tell you
>
> Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: what went
> wrong, and how to fix the problem
>
> Wed Jan 25 02:41:29 2017 : Auth: (12) Login incorrect (eap:
> Failed continuing EAP PEAP (25) session. EAP sub-module
> failed): [<MYDOMAIN>\integrazionewifi] (from client
> 10.12.15.0/24 port 1 cli 70:77:81:1a:d2:c5)
>
> Wed Jan 25 02:41:29 2017 : [mac:70:77:81:1a:d2:c5] Rejected
> user: assl10\integrazionewifi
>
>
> Using tcpdump I cannot see any connection to the LDAP server.
>
> I don't understand why I have this log.
>
> I have enabled PEAP and MSCHAPv2 as the authentication method.
>
> Thank you very much
>
> Luca Messori
>
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
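As an added example, not code from the thread or from PacketFence, the checklist Fabrice gives above (realm missing from realm.conf, winbind not answering ntlm_auth, inner EAP-MSCHAPv2 not enabled) can be turned into a small triage of raddebug output. The INI layout of realm.conf and the sample lines are assumptions constructed from the messages quoted in this thread.

```python
import configparser
import re

# Constructed sample: the lines quoted in this thread (ntlm_auth/winbind failure,
# inner EAP method refused, and the final reject naming the realm).
SAMPLE_LOG = r"""
(52) Wed Jan 25 13:51:23 2017: ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(52) Wed Jan 25 13:51:23 2017: ERROR: mschap: MS-CHAP2-Response is incorrect
Wed Jan 25 02:41:29 2017 : Auth: (11) Login incorrect (eap: Tried to start unsupported EAP type MSCHAPv2 (26)): [assl10\integrazionewifi] (from client 10.12.15.0/24 port 1 cli 70:77:81:1a:d2:c5 via TLS tunnel)
Wed Jan 25 02:41:29 2017 : [mac:70:77:81:1a:d2:c5] Rejected user: assl10\integrazionewifi
"""

# Constructed realm.conf in the INI layout PacketFence uses (assumption); assl10 is absent.
SAMPLE_REALM_CONF = """
[null]
domain=

[corp]
domain=corp.example
"""

# Error signature -> remediation, following the advice given in the thread.
SIGNATURES = [
    (re.compile(r"Reading winbind reply failed"),
     "winbind gave no reply: join PacketFence to the domain, check winbind is running, restart radiusd"),
    (re.compile(r"unsupported EAP type MSCHAPv2"),
     "inner EAP-MSCHAPv2 is not enabled for this EAP profile"),
]
# DOMAIN\user as printed on the 'Rejected user:' line.
REJECT_RE = re.compile(r"Rejected user: (?P<realm>[^\\\s]+)\\(?P<user>\S+)")


def configured_realms(conf_text):
    """Return the realm names (lower-cased section headers) defined in realm.conf."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return {section.lower() for section in parser.sections()}


def triage(log_text, conf_text):
    """Return (remediations in order of first appearance,
    realms seen on reject lines that realm.conf does not define)."""
    realms = configured_realms(conf_text)
    findings, missing = [], set()
    for line in log_text.splitlines():
        for pattern, advice in SIGNATURES:
            if pattern.search(line) and advice not in findings:
                findings.append(advice)
        match = REJECT_RE.search(line)
        if match and match.group("realm").lower() not in realms:
            missing.add(match.group("realm").lower())
    return findings, sorted(missing)


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG, SAMPLE_REALM_CONF):
        print(item)
```

Run against a real raddebug capture, the second return value is the list of realms that still need a section in realm.conf, which is the gap Fabrice points at in his last reply.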