On 01/04/2019 15.34, [email protected] wrote:
Sat Mar 21 11:30:37 2019: WARNING: NTLM Could not authenticate user 'USER': No logon servers
Sat Mar 21 11:30:37 2019: INFO: Accounting: User: USER AuthBy; authby-withoutrealm, OriginalUserName: USER, NAS-IP-Address: 1.2.3.4, NAS-Identifier: eduroam, NAS-Port: 0, Calling-Station-Id: AABBCC112233, Form-Station-Id: 11:22:33:AA:BB:CC, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure
This message is sent as an 'access-reject' to the radsecproxy and the client, which is a legitimate RADIUS message for all network devices, even though this should not happen. At this point, the radsecproxy sees no reason to fail over upcoming authentication requests to the second Radiator, which works fine with the DCs.
I can see why this is a problem. Unfortunately, currently the NTLM credentials check returns binary output: OK or not OK. There's no method to say "Can't tell".
I've been looking at this and, while there are ways to make this work, it requires code changes and cannot be solved with configuration only. The good part is that, at the same time, we could make the reason code available too.
Another thing currently is that while a more detailed reason is logged in the debug log, it's not available in the authentication log.
Thanks,
Heikki
-- 
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory, EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
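
Until the authentication log carries the NTLM reason code, the two log lines quoted in the thread are enough to tell a backend outage apart from a bad password: the WARNING with "No logon servers" immediately precedes the INFO line recording the EAP MSCHAP-V2 failure for the same user. The following log watcher is an added example, not code from the thread or from Radiator, that pairs those two lines per user and counts "backend unreachable" rejects separately from credential failures, raising an outage flag once a threshold is crossed so an operator can alert or fail over by hand. The pairing window, alert threshold, the 'Logon failure' reason text and every sample line other than the two quoted above are constructed assumptions.

```python
"""Classify Radiator auth-log rejects: NTLM backend outage vs. bad credentials.

Added example, not Radiator's own code. Assumes the log format quoted in
the thread: "Sat Mar 21 11:30:37 2019: LEVEL: message".
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$"
)
NTLM_WARN_RE = re.compile(r"NTLM Could not authenticate user '(?P<user>[^']*)': (?P<reason>.+)$")
AUTH_RE = re.compile(r"User: (?P<user>\S+) .*Result String: (?P<result>.+)$")

# Reason texts that mean the DC/winbind backend could not be consulted at all.
# Only the wording from the thread is listed; extend it with other backend
# error texts from your own logs (assumption: same line format).
BACKEND_DOWN_REASONS = ("No logon servers",)


def parse_ts(ts):
    # Drop the weekday so strptime only has to agree with the numeric date.
    return datetime.strptime(ts.split(" ", 1)[1], "%b %d %H:%M:%S %Y")


class RejectClassifier:
    """Labels each EAP MSCHAP-V2 failure 'backend_unreachable' when the same
    user got a backend-down NTLM warning at most pair_window earlier, and
    'credential_failure' otherwise."""

    def __init__(self, pair_window=timedelta(seconds=5),
                 alert_window=timedelta(seconds=60), alert_threshold=3):
        self.pair_window = pair_window        # assumed: warning and reject are logged together
        self.alert_window = alert_window      # assumed alerting parameters
        self.alert_threshold = alert_threshold
        self.pending = {}                     # user -> (ts, reason) of latest NTLM warning
        self.backend_rejects = deque()        # timestamps of backend-caused rejects
        self.counts = Counter()

    def feed(self, line):
        """Consume one log line; return the label for a failure line, else None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts, level, msg = parse_ts(m["ts"]), m["level"], m["msg"]
        if level == "WARNING":
            w = NTLM_WARN_RE.search(msg)
            if w:
                self.pending[w["user"]] = (ts, w["reason"])
            return None
        if level == "INFO":
            a = AUTH_RE.search(msg)
            if a and a["result"].startswith("EAP MSCHAP-V2 Authentication failure"):
                return self._classify(a["user"], ts)
        return None

    def _classify(self, user, ts):
        warned = self.pending.pop(user, None)
        if (warned and ts - warned[0] <= self.pair_window
                and warned[1].startswith(BACKEND_DOWN_REASONS)):
            label = "backend_unreachable"
            self.backend_rejects.append(ts)
        else:
            label = "credential_failure"
        self.counts[label] += 1
        return label

    def backend_outage(self, now):
        """True once alert_threshold backend-caused rejects fall inside alert_window."""
        while self.backend_rejects and now - self.backend_rejects[0] > self.alert_window:
            self.backend_rejects.popleft()
        return len(self.backend_rejects) >= self.alert_threshold


def summarize(log_text, classifier=None):
    """Run the classifier over a whole log; return (label counts, outage flag at last line)."""
    c = classifier or RejectClassifier()
    last_ts = None
    for line in log_text.splitlines():
        c.feed(line)
        m = LINE_RE.match(line)
        if m:
            last_ts = parse_ts(m["ts"])
    return dict(c.counts), (last_ts is not None and c.backend_outage(last_ts))


# Constructed sample: the two lines from the thread, then a bad password for
# 'bob' (reason text invented), a failure for 'eve' with no NTLM warning at
# all, and two more backend-caused rejects for 'carol' and 'dave'.
SAMPLE_LOG = """\
Sat Mar 21 11:30:37 2019: WARNING: NTLM Could not authenticate user 'USER': No logon servers
Sat Mar 21 11:30:37 2019: INFO: Accounting: User: USER AuthBy; authby-withoutrealm, OriginalUserName: USER, NAS-IP-Address: 1.2.3.4, NAS-Identifier: eduroam, NAS-Port: 0, Calling-Station-Id: AABBCC112233, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure
Sat Mar 21 11:30:41 2019: WARNING: NTLM Could not authenticate user 'bob': Logon failure
Sat Mar 21 11:30:41 2019: INFO: Accounting: User: bob AuthBy; authby-withoutrealm, OriginalUserName: bob, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure
Sat Mar 21 11:30:45 2019: INFO: Accounting: User: eve AuthBy; authby-withoutrealm, OriginalUserName: eve, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure
Sat Mar 21 11:30:50 2019: WARNING: NTLM Could not authenticate user 'carol': No logon servers
Sat Mar 21 11:30:50 2019: INFO: Accounting: User: carol AuthBy; authby-withoutrealm, OriginalUserName: carol, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure
Sat Mar 21 11:31:02 2019: WARNING: NTLM Could not authenticate user 'dave': No logon servers
Sat Mar 21 11:31:02 2019: INFO: Accounting: User: dave AuthBy; authby-withoutrealm, OriginalUserName: dave, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure
"""

if __name__ == "__main__":
    counts, outage = summarize(SAMPLE_LOG)
    print(counts, "backend outage:", outage)
```

The pairing is keyed on the user name and bounded by a short window because the WARNING and the INFO line share a timestamp in the thread; a warning that is not followed by a failure for that user within the window is simply discarded. On the constructed sample this yields three `backend_unreachable` and two `credential_failure` rejects and sets the outage flag, which is the signal radsecproxy never sees while the reject looks like a normal Access-Reject.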
