The answer is in the packetfence.log file.
Paste it when you connect.

On Mon, Oct 31, 2022, 18:23, Alexander <leonoff.sany...@gmail.com> wrote:

> Thank you very much! I achieved what was described by changing the base
> config. I get *[mschap] = ok*. But I am now getting a different error!
> Could you see the file attachment?
>
> (0) mschap: Found NT-Password
> (0) mschap: Client is using MS-CHAPv1 with NT-Password
> (0) mschap: adding MS-CHAPv1 MPPE keys
> *(0)             [mschap] = ok*
>
> *......*
> (0) rest: Expanding URI components
> (0) rest: EXPAND http://containers-gateway.internal:7070
> (0) rest:    --> http://containers-gateway.internal:7070
> (0) rest: EXPAND //radius/rest/authorize
> (0) rest:    --> //radius/rest/authorize
> (0) rest: Sending HTTP POST to "http://containers-gateway.internal:7070//radius/rest/authorize"
> (0) rest: Encoding attribute "User-Name"
> (0) rest: Encoding attribute "NAS-IP-Address"
> (0) rest: Encoding attribute "NAS-Port"
> (0) rest: Encoding attribute "Event-Timestamp"
> (0) rest: Encoding attribute "Message-Authenticator"
> (0) rest: Encoding attribute "MS-CHAP-Response"
> (0) rest: Encoding attribute "MS-CHAP-Challenge"
> (0) rest: Encoding attribute "Stripped-User-Name"
> (0) rest: Encoding attribute "Realm"
> (0) rest: Encoding attribute "Module-Failure-Message"
> (0) rest: Encoding attribute "FreeRADIUS-Client-IP-Address"
> (0) rest: Encoding attribute "PacketFence-UserNameAttribute"
> (0) rest: Encoding attribute "PacketFence-KeyBalanced"
> (0) rest: Encoding attribute "PacketFence-Radius-Ip"
> (0) rest: Encoding attribute "PacketFence-NTLMv2-Only"
> (0) rest: Processing response header
>
> *(0) rest:   Status : 401 (Unauthorized)*
> *(0) rest:   Type   : json (application/json)*
> *(0) rest: Adding reply:REST-HTTP-Status-Code = "401"*
> *(0) rest: ERROR: Server returned:*
> *(0) rest: ERROR: {"control:PacketFence-Authorization-Status":"allow"}*
> rlm_rest (rest): Released connection (0)
> *......*
>
> On Mon, Oct 31, 2022 at 22:37, Fabrice Durand <oeufd...@gmail.com> wrote:
>
>> Hello Alexander,
>>
>> The difference is in the default radius config: it calls the ldap module
>> in the authorize section.
>>
>> You can follow this logic in
>> https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute
>> (it's based on freeradius 2 but the logic is there)
>>
>> ```
>> authorize {
>> ....
>>         suffix
>>         ntdomain
>> ....
>>         ldap
>>         if (ok) {
>>             update control {
>>                 MS-CHAP-Use-NTLM-Auth := No
>>             }
>>         }
>> ```
>>
>> Regards
>>
>> Fabrice
>>
>>
>> On Mon, Oct 31, 2022 at 13:25, Alexander via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Hello friends! I need help.
>>>
>>> I am testing a *locally installed freeradius* configuration to work with
>>> freeipa (ldap) on nthash via mschap-v2.
>>>
>>> What I did for this:
>>>
>>> 1) yum install freeradius-ldap
>>> 2) ln -s /etc/raddb/mods-available/ldap /etc/raddb/mods-enabled/ldap
>>> 3) change /etc/raddb/mods-available/ldap
>>>
>>>     server = 'server.dmosk.local'
>>>     identity = 'uid=services,cn=users,cn=accounts,dc=test,dc=com'
>>>     password = my_password
>>>     base_dn = 'cn=users,cn=accounts,dc=test,dc=com'
>>>     update {
>>>         ...
>>>         control:NT-Password := 'ipaNTHash'
>>>         ...
>>> 4) change /etc/raddb/mods-available/eap
>>> ...
>>> default_eap_type = mschapv2
>>> ...
>>> 5) reload freeradius
>>> 6) TESTING:
>>> radtest -t mschap ldap_user test12345 localhost:1812 0 testing123
>>>
>>> and get Received *Access-ACCEPT*
>>>
>>> *Question:*
>>> Can anyone tell me how to set up this configuration on packetfence?
>>> I tried to do this, but it didn't work for me:
>>> 1. Create authentication source - LDAP - define server, identity,
>>> password, base_dn, Username Attribute. And checked through the test button
>>> 2. add update control:NT-Password := 'ipaNTHash' to file
>>> /usr/local/pf/raddb/mods-enabled/ldap_packetfence
>>> 3. change default_eap_type = mschapv2
>>> in /usr/local/pf/raddb/mods-enabled/eap
>>> 4. add to Standard Connection Profile sources ldap
>>> 5. tried adding default and null in tab stripping to Realms - ldap source
>>> 6. TESTING:
>>> radtest -t mschap ldap_user test12345 localhost:1812 0 testing123
>>> and get:
>>>
>>> Received Access-Reject Id 247 from 127.0.0.1:1812 to 127.0.0.1:56955
>>> length 61
>>> MS-CHAP-Error = "\000E=691 R=0 C=1cef2a7d250330ff V=2"
>>> (0) -: Expected Access-Accept got Access-Reject
>>>
>>> I do not understand what the problem is. I also attached the logs of
>>> freeradius running in debug mode (/usr/sbin/freeradius -d
>>> /usr/local/pf/raddb -n auth -fxx -l stdout). See attachment. Please help me
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> PacketFence-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>
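
For reading the two failures quoted in this thread, an added example (not from the thread or the PacketFence project): a Python helper that decodes the `MS-CHAP-Error` string using the failure-packet fields defined in RFC 2433 / RFC 2759 and flags non-2xx `rest` module responses in FreeRADIUS debug output. The function names are assumptions, and the sample text is constructed from lines quoted above.

```python
import re

# Error codes of the MS-CHAP failure packet (RFC 2433 / RFC 2759).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}
FAILURE_RE = re.compile(r"E=(\d+) R=([01])(?: C=([0-9A-Fa-f]+))?(?: V=(\d+))?")
REST_STATUS_RE = re.compile(r"rest:\s+Status\s*:\s*(\d{3})")
MSCHAP_VER_RE = re.compile(r"mschap: Client is using (MS-CHAPv\d)")

# Constructed sample: three lines taken from the output quoted in the thread.
SAMPLE = r"""(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) rest:   Status : 401 (Unauthorized)
MS-CHAP-Error = "\000E=691 R=0 C=1cef2a7d250330ff V=2"
"""

def parse_mschap_error(value):
    """Decode the 'E=.. R=.. C=.. V=..' string carried in MS-CHAP-Error."""
    m = FAILURE_RE.search(value)  # search() skips the leading ident octet (\000)
    if not m:
        return None
    code = int(m.group(1))
    return {
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": m.group(2) == "1",   # R=1 means the client may retry
        "challenge_hex": m.group(3),          # new challenge offered by the server
        "version": int(m.group(4)) if m.group(4) else None,
    }

def triage(debug_text):
    """Collect findings worth a look from radtest / freeradius debug output."""
    findings = []
    for line in debug_text.splitlines():
        if m := MSCHAP_VER_RE.search(line):
            findings.append(("mschap-version", m.group(1)))
        if (m := REST_STATUS_RE.search(line)) and not m.group(1).startswith("2"):
            findings.append(("rest-http-status", int(m.group(1))))
        if "MS-CHAP-Error" in line and (err := parse_mschap_error(line)):
            findings.append(("mschap-error", err["name"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
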