Thank you very much Antoine.

I have reviewed the logs keeping in mind your explanation and I think that I've
understood the behaviour.

This is sufficient for me,
Have a nice day


Luca Messori
_________________________

Mead Informatica Srl
Registered office - Via G. Ferraris, 2 - 42122 Reggio Emilia
Tel. +39 0522 265800  Admin tel. 0522265940 - Fax +39 0522 393306
Tel. +39 049 8702540  Fax +39 049 8706249

http://www.meadinformatica.it
-----------------------------------------------------------------------

This message may contain information which is confidential or privileged. If
you are not the intended recipient, please immediately notify us and destroy
this message and any attachments without retaining a copy. Any unauthorized
use of this message can expose the responsible party to civil and/or criminal
penalties.




From: Antoine Amacher [mailto:[email protected]]
Sent: Monday, 30 January 2017 19:07
To: [email protected]
Subject: Re: [PacketFence-users] R: R: R: R: Issue authenticating WPA2 WLAN


Hi Luca,
Upon receiving a RADIUS request, we try to strip the username if there is a
REALM in it (i.e. ASSL10). If there is no realm when your request is sent, it
will try to log in using the REALM NULL/DEFAULT; this is why you need to link
the domain to those REALMs.

You do not have to delete your REALM ASSL10, by the way; leave it be.

Without adding the domain to those, you should have been able to log in using
ASSL10\ in front of your username.

Thanks
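The realm handling Antoine describes (strip the realm from the User-Name, fall back to NULL/DEFAULT when none is present, then use the domain linked to that realm), modelled as an added example; this is not PacketFence's own code, and the realm table, function names and NULL-then-DEFAULT fallback order are assumptions:

```python
import re

# Constructed realm table modelled on the thread: ASSL10 is defined and linked
# to the joined domain, while NULL and DEFAULT are not linked to any domain yet.
REALMS = {
    "ASSL10": {"domain": "ASSL10"},
    "NULL": {"domain": None},      # used when the User-Name carries no realm
    "DEFAULT": {"domain": None},   # used when the realm is not configured
}

# Accept "DOMAIN\user" (NetBIOS prefix) or "user@domain" (suffix) forms.
_PREFIX = re.compile(r"^([^\\/@]+)[\\/](.+)$")
_SUFFIX = re.compile(r"^(.+)@([^@]+)$")


def split_username(user_name):
    """Return (realm, stripped_user); realm is None when none is present."""
    m = _PREFIX.match(user_name)
    if m:
        return m.group(1).upper(), m.group(2)
    m = _SUFFIX.match(user_name)
    if m:
        return m.group(2).upper(), m.group(1)
    return None, user_name


def resolve_realm(user_name, realms=REALMS):
    """Pick the realm entry that would handle this request.

    Returns (realm_name, stripped_user, linked_domain). Bare usernames go to
    NULL; unknown realms go to DEFAULT (assumed fallback order, not verified
    against the PacketFence sources)."""
    realm, user = split_username(user_name)
    if realm is None:
        name = "NULL"
    elif realm in realms:
        name = realm
    else:
        name = "DEFAULT"
    entry = realms.get(name)
    return name, user, (entry["domain"] if entry else None)


def check_request(user_name, realms=REALMS):
    """Return (ok, message): ok is False when the chosen realm has no domain,
    so NTLM authentication has no joined domain (and no winbind) to use."""
    name, user, domain = resolve_realm(user_name, realms)
    if domain is None:
        return False, "realm %s has no domain linked; NTLM auth for %r has no winbind to talk to" % (name, user)
    return True, "realm %s -> domain %s, stripped user %r" % (name, domain, user)
```

Running `check_request("integrazionewifi")` against the constructed table reproduces the thread's situation (bare username, NULL realm, no domain), and linking NULL to ASSL10 makes the same request resolve.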
On 01/30/2017 12:28 PM, Luca Messori wrote:
Hi Antoine,
thank you very much for your help.

I have the client authenticated doing the same thing that you suggested for the 
domain DEFAULT.

What I don't understand is why!

Have a nice day

Luca Messori




From: Antoine Amacher [mailto:[email protected]]
Sent: Monday, 30 January 2017 14:52
To: [email protected]
Subject: Re: [PacketFence-users] R: R: R: Issue authenticating WPA2 WLAN


Hello Luca,

When you see that winbind isn't started, it is actually running. When doing a
domain join via the admin interface, winbind is started in a chroot, which
allows you to have one winbind daemon per domain. So you should not need to
start it manually.

Go to the Configuration -> Realm section and add ASSL10 as the domain for the
realm NULL.

Thanks
On 01/29/2017 01:10 PM, Luca Messori wrote:

Hi Fabrice,
I tried to start winbindd manually; this is the output:

[root@mitelwifi samba]# /usr/sbin/winbindd -s /etc/samba/ASSL10.conf -S -F
winbindd version 3.6.23-36.el6_8 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join?
unable to initialize domain list

Kind regards

Luca Messori




From: Fabrice Durand [mailto:[email protected]]
Sent: Friday, 27 January 2017 19:42
To: [email protected]
Subject: Re: [PacketFence-users] R: R: Issue authenticating WPA2 WLAN


Hi Luca,

It is still missing the assl10 realm; can you share your realm.conf file?

Is winbind running?

Did you restart radiusd after adding the realm?

Regards

Fabrice



On 2017-01-27 at 12:22, Luca Messori wrote:
Hi Fabrice,
we have reconfigured the Realm and we have done some new tests, but we have the
following error:

(7) Fri Jan 27 12:00:12 2017: ERROR: mschap: External script says: Reading 
winbind reply failed! (0xc0000001)
(7) Fri Jan 27 12:00:12 2017: ERROR: mschap: MS-CHAP2-Response is incorrect

I have attached the raddebug output.

Can you help us?

Kind regards

Luca Messori




From: Fabrice Durand [mailto:[email protected]]
Sent: Thursday, 26 January 2017 14:54
To: [email protected]
Subject: Re: [PacketFence-users] R: Issue authenticating WPA2 WLAN


Hello Luca,

here is the error:

(52) Wed Jan 25 13:51:23 2017: Debug: mschap: Executing: 
/usr/local/pf/bin/ntlm_auth_wrapper --          --request-nt-key 
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND 
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
(52) Wed Jan 25 13:51:23 2017: Debug: mschap:    --> --username=integrazionewifi
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: Creating challenge hash with 
username: integrazionewifi
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND 
--challenge=%{mschap:Challenge:-00}
(52) Wed Jan 25 13:51:23 2017: Debug: mschap:    --> 
--challenge=c7224e97b4103ad9
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND 
--nt-response=%{mschap:NT-Response:-00}
(52) Wed Jan 25 13:51:23 2017: Debug: mschap:    --> 
--nt-response=ad0e31b4fa7cad4f8ebecb1c9eb46025e8c52715f60f9183
(52) Wed Jan 25 13:51:23 2017: ERROR: mschap: Program returned code (1) and 
output 'Reading winbind reply failed! (0xc0000001)'
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: External script failed
(52) Wed Jan 25 13:51:23 2017: ERROR: mschap: External script says: Reading 
winbind reply failed! (0xc0000001)
(52) Wed Jan 25 13:51:23 2017: ERROR: mschap: MS-CHAP2-Response is incorrect

FreeRADIUS tries to use winbind but it can't, so you must join the server to the
domain to fix that, and you need to create a realm that matches assl10 and points
to the domain you just created (Admin GUI).

Also, for LDAP only, you need to have the cleartext password or the NT hash in
the LDAP directory.
http://deployingradius.com/documents/protocols/compatibility.html

Regards
Fabrice
On 2017-01-26 at 04:00, Luca Messori wrote:
Hi Fabrice,
I have attached two files containing the logs saved as you required.
The two file names contain the username used during the test, trying to connect
to the WLAN.

I have tested both AD integration (putting PF in the Microsoft domain) and LDAP.
Actually we are using LDAP.

Thank you very much,
Kind regards

Luca Messori




From: Fabrice Durand [mailto:[email protected]]
Sent: Wednesday, 25 January 2017 14:18
To: [email protected]
Subject: Re: [PacketFence-users] Issue authenticating WPA2 WLAN


Hello Luca,

Are you using an Active Directory?

If it's the case then first you need to join PacketFence to the domain.

Also, can you do a: raddebug -f /usr/local/pf/var/run/radius.sock -t 3000

and retry your authentication (you will have more details).

Regards

Fabrice



On 2017-01-25 at 04:51, Luca Messori wrote:
Hi all,
I'm trying to configure my PF to authenticate wireless users.

I have created a WPA2 Enterprise WLAN on my APs and I have configured the PF IP
as RADIUS server.
I have configured an LDAP user source that should be used by the RADIUS server.
Using pftest I have this output:
[root@mitelwifi ~]# /usr/local/pf/bin/pftest authentication integrazionewifi 
<MYPASSWD> <LDAP_SOURCE>
Testing authentication for "integrazionewifi"

Authenticating against <LDAP_SOURCE>
  Authentication SUCCEEDED against <LDAP_SOURCE> (Authentication successful.)
  Matched against <LDAP_SOURCE>for 'authentication' rules
    set_role : impiegati
    set_access_duration : 5D
  Did not match against <LDAP_SOURCE>

When a wireless client tries to connect to the WLAN I see this log in the RADIUS
log file:
Wed Jan 25 02:41:29 2017 : Auth: (11)   Login incorrect (eap: Tried to start 
unsupported EAP type MSCHAPv2 (26)): [<MYDOMAIN>\integrazionewifi] (from client 
10.12.15.0/24 port 1 cli 70:77:81:1a:d2:c5 via TLS tunnel)
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (1): Hit 
idle_timeout, was idle for 204 seconds
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (2): Hit 
idle_timeout, was idle for 204 seconds
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (3): Hit 
idle_timeout, was idle for 204 seconds
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (4): Hit 
idle_timeout, was idle for 204 seconds
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (0): Hit 
idle_timeout, was idle for 204 seconds
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing connection (5): Hit 
idle_timeout, was idle for 204 seconds
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Opening additional connection 
(6), 1 of 64 pending slots used
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Need 2 more connections to 
reach 10 spares
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Opening additional connection 
(7), 1 of 63 pending slots used
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   The users session was 
previously rejected: returning reject (again.)
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   This means you need to read 
the PREVIOUS messages in the debug output
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   to find out the reason why 
the user was rejected
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   Look for "reject" or "fail".  
Those earlier messages will tell you
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap:   what went wrong, and how to 
fix the problem
Wed Jan 25 02:41:29 2017 : Auth: (12) Login incorrect (eap: Failed continuing 
EAP PEAP (25) session.  EAP sub-module failed): [<MYDOMAIN>\integrazionewifi] 
(from client 10.12.15.0/24 port 1 cli 70:77:81:1a:d2:c5)
Wed Jan 25 02:41:29 2017 : [mac:70:77:81:1a:d2:c5] Rejected user: 
assl10\integrazionewifi

Using tcpdump I cannot see any connection to the LDAP server.

I don't understand why I have this log.
I have enabled PEAP and MSCHAPv2 as authentication method.

Thank you very much

Luca Messori

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users





--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




















--
Antoine Amacher
[email protected] :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://www.packetfence.org)



