Hi Luca,

Upon receiving a RADIUS request, we try to strip the username if there is a REALM in it (i.e. ASSL10). If there is no realm when your request is sent, it will try to log in using the REALM NULL/DEFAULT; this is why you need to link the domain to those REALMs.

You do not have to delete your REALM ASSL10 btw, leave it be.

Without adding the domain to those, you should have been able to login using ASSL10\ in front of your username.

Thanks

On 01/30/2017 12:28 PM, Luca Messori wrote:

Hi Antoine,

thank you very much for your help.

I have the client authenticated by doing the same thing that you suggested, for the domain DEFAULT.

What I don't understand is why!

Have a nice day

Luca Messori

_________________________

Mead Informatica Srl
Head office - Via G. Ferraris, 2 - 42122 Reggio Emilia
    Tel. +39 0522 265800, Admin tel. 0522265940 - Fax +39 0522 393306
    Tel. +39 049 8702540   Fax +39 049 8706249

http://www.meadinformatica.it

-----------------------------------------------------------------------

This message may contain information which is confidential or privileged. If you are not the intended recipient, please immediately notify us and destroy this message and any attachments without retaining a copy. Any unauthorized use of this message can expose the responsible party to civil and/or criminal penalties.

From: Antoine Amacher [mailto:aamac...@inverse.ca]
Sent: Monday, 30 January 2017 14:52
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] R: R: R: Issue authenticating WPA2 WLAN

Hello Luca,

When you see that winbind isn't started, it is actually running. When doing a domain join via the admin interface, winbind is started in a chroot, which allows you to have one winbind daemon per domain. So you should not need to start it manually.

Go to the section Configuration -> Realm and add ASSL10 as the domain for the realm NULL.

Thanks

On 01/29/2017 01:10 PM, Luca Messori wrote:

    Hi Fabrice,

    I tried to start winbindd manually; this is the output:

    [root@mitelwifi samba]# /usr/sbin/winbindd -s /etc/samba/ASSL10.conf -S -F
    winbindd version 3.6.23-36.el6_8 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2011
    initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Could not fetch our SID - did we join?
    unable to initialize domain list

    Kind regards

    Luca Messori


    From: Fabrice Durand [mailto:fdur...@inverse.ca]
    Sent: Friday, 27 January 2017 19:42
    To: packetfence-users@lists.sourceforge.net
    Subject: Re: [PacketFence-users] R: R: Issue authenticating WPA2 WLAN

    Hi Luca,

    It is still missing the assl10 realm; can you share your realm.conf file?

    Is winbind running?

    Did you restart radiusd after adding the realm?

    Regards

    Fabrice

    On 2017-01-27 at 12:22, Luca Messori wrote:

        Hi Fabrice,

        we have reconfigured the Realm and we have done some new tests,
        but we have the following error:

        (7) Fri Jan 27 12:00:12 2017: ERROR: mschap: External script says: Reading winbind reply failed! (0xc0000001)
        (7) Fri Jan 27 12:00:12 2017: ERROR: mschap: MS-CHAP2-Response is incorrect

        I have attached the raddebug output.

        Can you help us?

        Kind regards

        Luca Messori


        From: Fabrice Durand [mailto:fdur...@inverse.ca]
        Sent: Thursday, 26 January 2017 14:54
        To: packetfence-users@lists.sourceforge.net
        Subject: Re: [PacketFence-users] R: Issue authenticating WPA2 WLAN

        Hello Luca,

        here is the error:

        (52) Wed Jan 25 13:51:23 2017: Debug: mschap: Executing: /usr/local/pf/bin/ntlm_auth_wrapper -- --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
        (52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
        (52) Wed Jan 25 13:51:23 2017: Debug: mschap:    --> --username=integrazionewifi
        (52) Wed Jan 25 13:51:23 2017: Debug: mschap: Creating challenge hash with username: integrazionewifi
        (52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND --challenge=%{mschap:Challenge:-00}
        (52) Wed Jan 25 13:51:23 2017: Debug: mschap:    --> --challenge=c7224e97b4103ad9
        (52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
        (52) Wed Jan 25 13:51:23 2017: Debug: mschap:    --> --nt-response=ad0e31b4fa7cad4f8ebecb1c9eb46025e8c52715f60f9183
        (52) Wed Jan 25 13:51:23 2017: ERROR: mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
        (52) Wed Jan 25 13:51:23 2017: Debug: mschap: External script failed
        (52) Wed Jan 25 13:51:23 2017: ERROR: mschap: External script says: Reading winbind reply failed! (0xc0000001)
        (52) Wed Jan 25 13:51:23 2017: ERROR: mschap: MS-CHAP2-Response is incorrect

        FreeRADIUS tries to use winbind but it can't, so you must join
        the server to the domain to fix that, and you need to create a
        realm that matches assl10 and points to the domain you just
        created (Admin GUI).

        Also, for just LDAP you need to have the clear password or the
        NT hash in the LDAP directory.

        http://deployingradius.com/documents/protocols/compatibility.html

        Regards
        Fabrice

        On 2017-01-26 at 04:00, Luca Messori wrote:

            Hi Fabrice,

            I have attached two files containing the logs saved as you
            required.

            The two file names contain the username used during the
            test trying to connect to the WLAN.

            I have tested both AD integration (putting PF in the
            Microsoft domain) and LDAP.

            Actually we are using LDAP.

            Thank you very much,

            Kind regards

            Luca Messori


            From: Fabrice Durand [mailto:fdur...@inverse.ca]
            Sent: Wednesday, 25 January 2017 14:18
            To: packetfence-users@lists.sourceforge.net
            Subject: Re: [PacketFence-users] Issue authenticating WPA2 WLAN

            Hello Luca,

            Are you using an Active Directory?

            If that's the case, then first you need to join PacketFence
            to the domain.

            Also, can you do: raddebug -f /usr/local/pf/var/run/radius.sock -t 3000

            and retry your authentication (you will have more details).

            Regards

            Fabrice

            On 2017-01-25 at 04:51, Luca Messori wrote:

                Hi all,

                I’m trying to configure my PF to authenticate wireless
                users.

                I have created a WPA2 enterprise WLAN on my APs and I
                have configured the PF IP as radius server.

                I have configured a LDAP user source that should be
                used by the Radius server.

                Using pftest I have this output:

                [root@mitelwifi ~]# /usr/local/pf/bin/pftest authentication integrazionewifi <MYPASSWD> <LDAP_SOURCE>
                Testing authentication for "integrazionewifi"
                Authenticating against <LDAP_SOURCE>
                  Authentication SUCCEEDED against <LDAP_SOURCE> (Authentication successful.)
                  Matched against <LDAP_SOURCE> for 'authentication' rules
                    set_role : impiegati
                    set_access_duration : 5D
                  Did not match against <LDAP_SOURCE>

                When a wireless client tries to connect to the WLAN I
                see this log in the radius log file:

                Wed Jan 25 02:41:29 2017 : Auth: (11)   Login incorrect (eap: Tried to start unsupported EAP type MSCHAPv2 (26)): [<MYDOMAIN>\integrazionewifi] (from client 10.12.15.0/24 port 1 cli 70:77:81:1a:d2:c5 via TLS tunnel)
                Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 204 seconds
                Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 204 seconds
                Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 204 seconds
                Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (4): Hit idle_timeout, was idle for 204 seconds
                Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (0): Hit idle_timeout, was idle for 204 seconds
                Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 204 seconds
                Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Opening additional connection (6), 1 of 64 pending slots used
                Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Need 2 more connections to reach 10 spares
                Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Opening additional connection (7), 1 of 63 pending slots used
                Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   The users session was previously rejected: returning reject (again.)
                Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
                Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   to find out the reason why the user was rejected
                Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
                Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   what went wrong, and how to fix the problem
                Wed Jan 25 02:41:29 2017 : Auth: (12) Login incorrect (eap: Failed continuing EAP PEAP (25) session.  EAP sub-module failed): [<MYDOMAIN>\integrazionewifi] (from client 10.12.15.0/24 port 1 cli 70:77:81:1a:d2:c5)
                Wed Jan 25 02:41:29 2017 : [mac:70:77:81:1a:d2:c5] Rejected user: assl10\integrazionewifi

                Using tcpdump I cannot see any connection to the LDAP server.

                I don’t understand why I have this log.

                I have enabled PEAP and MSCHAPv2 as authentication method.

                Thank you very much

                Luca Messori





                
                ------------------------------------------------------------------------------
                Check out the vibrant tech community on one of the world's most
                engaging tech sites, SlashDot.org! http://sdm.link/slashdot

                _______________________________________________
                PacketFence-users mailing list
                PacketFence-users@lists.sourceforge.net
                https://lists.sourceforge.net/lists/listinfo/packetfence-users




--
            Fabrice Durand
            fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
            Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




            


        





    



--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)



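The realm handling Antoine describes at the top of this thread, as an added example in Python that is not part of the thread, of PacketFence or of FreeRADIUS. It models how a RADIUS User-Name such as ASSL10\integrazionewifi is split into realm and stripped username, how the NULL and DEFAULT realm entries are used as fallbacks when the name carries no realm or an unknown one, how the --username expansion seen in Fabrice's raddebug output picks the stripped name, and why a request whose matched realm has no domain linked cannot reach a winbind instance at all. The realm.conf-style layout ([REALM] sections with a domain= key), the "before" and "after" realm tables, and the corp.example realm are constructed assumptions for the example, not copied from Luca's server.

```python
# Added example, not PacketFence or FreeRADIUS code: models the realm handling
# discussed in this thread. A RADIUS User-Name is split into realm and stripped
# username, the NULL and DEFAULT entries act as fallbacks, and the domain linked
# to the matched realm decides which (chrooted) winbind the ntlm_auth call can
# reach. The realm.conf-style layout and both configs are constructed assumptions.
import configparser
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed: realm table as first described, only ASSL10 linked to the joined domain.
REALM_CONF_BEFORE = """
[ASSL10]
domain=ASSL10

[NULL]
domain=

[DEFAULT]
domain=
"""

# Constructed: after the advice in the thread, NULL and DEFAULT also point at ASSL10.
REALM_CONF_AFTER = """
[ASSL10]
domain=ASSL10

[NULL]
domain=ASSL10

[DEFAULT]
domain=ASSL10
"""


def load_realms(text: str) -> Dict[str, Optional[str]]:
    """Parse a realm.conf-like INI into {REALM: linked domain or None}. DEFAULT is an
    ordinary realm here, so configparser's special DEFAULT section is renamed away."""
    cp = configparser.ConfigParser(default_section="__unused__")
    cp.read_string(text)
    return {sec.upper(): (cp[sec].get("domain") or None) for sec in cp.sections()}


@dataclass(frozen=True)
class RealmDecision:
    realm: str                    # entry that matched: ASSL10, NULL or DEFAULT
    stripped_user: Optional[str]  # Stripped-User-Name; None when nothing was stripped
    domain: Optional[str]         # domain (winbind instance) linked to that realm


def split_user_name(user_name: str) -> Tuple[Optional[str], str]:
    """Prefix form DOMAIN\\user and suffix form user@realm, as the FreeRADIUS
    realm module understands them; a bare username carries no realm."""
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return realm, user
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return realm, user
    return None, user_name


def resolve_realm(user_name: str, realms: Dict[str, Optional[str]]) -> Optional[RealmDecision]:
    """No realm in the name -> NULL entry; a realm not in the table -> DEFAULT entry.
    Returns None when there is no entry at all to route the request to."""
    realm, user = split_user_name(user_name)
    if realm is None:
        if "NULL" not in realms:
            return None
        return RealmDecision("NULL", None, realms["NULL"])  # nothing to strip
    key = realm.upper() if realm.upper() in realms else "DEFAULT"
    if key not in realms:
        return None
    return RealmDecision(key, user, realms[key])


def ntlm_auth_username(user_name: str, realms: Dict[str, Optional[str]]) -> str:
    """Mirror %{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} from the raddebug
    output: the stripped name when stripping happened, else the full User-Name."""
    d = resolve_realm(user_name, realms)
    if d is not None and d.stripped_user is not None:
        return d.stripped_user
    return user_name


def route_to_winbind(user_name: str, realms: Dict[str, Optional[str]]) -> Optional[str]:
    """Domain whose winbind should answer the ntlm_auth call. None means the matched
    realm has no domain linked, so MS-CHAPv2 cannot be checked against the domain."""
    d = resolve_realm(user_name, realms)
    return d.domain if d is not None else None


if __name__ == "__main__":
    for label, conf in (("before", REALM_CONF_BEFORE), ("after", REALM_CONF_AFTER)):
        realms = load_realms(conf)
        for name in ("ASSL10\\integrazionewifi", "integrazionewifi", "integrazionewifi@corp.example"):
            print(label, name, "->", resolve_realm(name, realms), "winbind:", route_to_winbind(name, realms))
```

With the "before" table, ASSL10\integrazionewifi matches the ASSL10 realm and is routed to that domain's winbind, while a bare integrazionewifi falls to the NULL entry, which has no domain, so no winbind can answer; that is the split Antoine points out between logging in with the ASSL10\ prefix and logging in without it. Linking NULL and DEFAULT to ASSL10 (the "after" table) makes both spellings, and an unknown realm suffix, end up at the same domain.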

