DHCP configuration on Free Radius

2006-07-13 Thread Elie Hani

Hi;

I've installed the Free Radius on FC4 OS, I need to
know if it's possible to configure DHCP on this server. I want that the
dial up users take an IP from a pool, dynamically configured on the Radius
server itself. If it's possible, can you tell me the steps, otherwise,
can you provide me with a solution?



Thanks

Elie

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Segfault when loading a module in rlm_perl?

2006-07-13 Thread Boian Jordanov
On Wednesday 12 July 2006 20:13, Nikola Pavkovic wrote:
 Hello all,

 I'm experiencing strange behaviour when starting freeradius using
 rlm_perl. When I include any module (for example DBI) inside my custom
 AAA script, I get a segfault. (Debian sarge, freeradius 1.1.2).

 Any hints are very welcome.


Any traces are welcome :-)

-- 
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002


Re: DHCP configuration on Free Radius

2006-07-13 Thread Phil Mayers

Elie Hani wrote:

 I've installed the Free Radius on FC4 OS, I need to know if it's
 possible to configure DHCP on this server. I want that the dial up users
 take an IP from a pool, dynamically configured on the Radius server
 itself. If it's possible, can you tell me the steps, otherwise, can you

Not out of the box.

 provide me with a solution?

See the ippool module - it is extensively commented in radiusd.conf


removing domain data from user name

2006-07-13 Thread Yedidia Klein

Hello list,


I'm using freeradius server as a radius server that forwards the auth to
an LDAP server,
on a RH enterprise system (freeradius-1.0.1-1.1.RHEL3)

I want one of my service providers to authenticate against this radius.

After enabling some debug option I found that it sends me the users in
the form of [EMAIL PROTECTED], that (of course) my LDAP doesn't know and
refuses to auth.

Is there a way on freeradius to pass to the ldap server only the left
side of the @ sign?

I tried to use with_ntdomain_hack = yes in my ldap section on
radiusd.conf w/o success.



thanks,

--Yedidia


Re:- Authenticating user with FDS

2006-07-13 Thread Hariharan R


Yes, that method is working fine.

Thank you very much for your help.


Hariharan R wrote:

Hi all,

 I am using FreeRADIUS 1.1.1 with Fedora Directory server as a backend
data store.

 Let us consider the scenario..

 I have two servers, one is a mail server and another one is a proxy
server. Both servers are configured to use RADIUS+FDS for user
authentication. In FDS i have two organizational unit under root domain.

For Ex;
 ou=mailusers,dc=example,dc=com
 ou=proxyusers,dc=example,dc=com

 In the 'raddb/radiusd.conf' file i specified the base domain as
 (In LDAP module)

 basedn = dc=example,dc=com

 So whenever a client request comes to the RADIUS server it will look
for the username in FDS.

 The problem is, how will the RADIUS server identify whether the request
comes from the 'mail server' or from the 'proxy server'? Because for
mailserver users I have to look in ou=mailusers,dc=example,dc=com
and for proxy users I have to look in
ou=proxyusers,dc=example,dc=com.


Try this:

/etc/raddb/huntgroups:

mail    NAS-IP-Address == the.mail.server.ip
proxy   NAS-IP-Address == the.proxy.server.ip

/etc/radiusd.conf:

modules {
  ldap {
    basedn = "ou=%{Huntgroup-Name},dc=example,dc=com"
  }
}



How can I change the LDAP basedn according to the request?


Use any string expansion you like, as above.

---
Regards,
Hariharan.R


Re: Segfault when loading a module in rlm_perl?

2006-07-13 Thread Nikola Pavkovic
On Thu, Jul 13, 2006 at 10:41:57AM +0300, Boian Jordanov wrote:
 On Wednesday 12 July 2006 20:13, Nikola Pavkovic wrote:
  Any hints are very welcome.
 
 
 Any traces are welcome :-)

Boian, but it seems that we resolved the issue following the advice
found at
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg19699.html

It seems that it was a libperl issue on Debian.

Thanks anyway ;)

Sincerely,
  Nikola Pavkovic


Re: removing domain data from user name

2006-07-13 Thread Phil Mayers

Yedidia Klein wrote:

 Is there a way on freeradius to pass to the ldap server only the left
 side of the @ sign ?

Two ways:

 1. Use /etc/raddb/hints to rewrite the packet, e.g.

DEFAULT NAS-IP-Address == the.isp.server.ip, User-Name =~ "^(.*)@.*$"
        User-Name := `%{1}`

# or maybe
DEFAULT Suffix == "@domain.tld", Strip-User-Name = Yes
        Hint = "FromTheIsp"

 2. Use the proxy/realm feature - see the various realm module
definitions in radiusd.conf and the realm definitions in proxy.conf.
Basically:

modules {
  realm suffix {
    format = suffix
    delimiter = "@"
    ignore_default = yes
    ignore_null = yes
  }
}
authorize {
  preprocess
  suffix
  ldap
  # other stuff
}

...then in proxy.conf:

realm domain.tld {
  type = radius
  authhost = LOCAL
  accthost = LOCAL
  strip
}



Method 1. is simpler and probably best for this situation. Method 2. is 
really intended for when you make requests to another server, as opposed 
to when they make them to you.
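Both of Phil's methods, the hints-file regex and the suffix realm split, produce a Stripped-User-Name that then lands inside the ldap module's search filter. What follows is an added Python example written for this page (not FreeRADIUS code and not anything a poster sent): it models the split for the suffix form (user@domain.tld) and the prefix form (DOMAIN\user), shows the hints-file regex variant, and adds the check a practitioner wants before a NAS-supplied name is spliced into a filter, escaping per RFC 4515, because a User-Name containing '*', '(' or ')' otherwise changes the query instead of being searched for. The attribute name uid, the simplified ignore_null behaviour and the sample names are assumptions.

```python
import re

# Added example, not FreeRADIUS code: a model of the realm split and of the
# hints-file regex, plus RFC 4515 escaping for the LDAP filter the stripped
# name ends up in.  The attribute name "uid" and the sample names used in
# __main__ are constructed for the example.

def split_realm(user_name, fmt="suffix", delimiter="@"):
    """Return (Stripped-User-Name, realm); realm is None when there is none.

    format = suffix splits on the LAST delimiter (user@domain.tld), format =
    prefix on the FIRST one (DOMAIN\\user).  A name with no delimiter, or with
    nothing on the user side, is passed through unchanged, which is how
    ignore_null = yes behaves in this simplified model (an assumption).
    """
    if fmt == "suffix":
        user, sep, realm = user_name.rpartition(delimiter)
    elif fmt == "prefix":
        realm, sep, user = user_name.partition(delimiter)
    else:
        raise ValueError("unknown realm format: %r" % fmt)
    if not sep or not user:
        return user_name, None
    return user, (realm or None)


def hints_strip(user_name):
    """Phil's first method: User-Name =~ "^(.*)@.*$" then User-Name := %{1}."""
    m = re.match(r"^(.*)@.*$", user_name)
    return m.group(1) if m else user_name


# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value; otherwise a NAS-supplied name such as "*)(uid=*" rewrites
# the query instead of being looked up as a literal string.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_user_filter(user_name, attribute="uid"):
    """Model of filter = "(uid=%{Stripped-User-Name:-%{User-Name}})", escaped."""
    stripped, _realm = split_realm(user_name)
    return "(%s=%s)" % (attribute, ldap_filter_escape(stripped))


if __name__ == "__main__":
    # constructed inputs; the third one is the injection case
    for name in ("yedidia@example.com", "plain", "*)(uid=*@example.com"):
        print(name, "->", split_realm(name), ldap_user_filter(name))
```

Whether the rlm_ldap build in use escapes the expansion itself is something to confirm rather than assume: send a test user whose name contains ')' through the server in debug mode and look at the filter it logs. With the realm approach, the same check applies to the username that reaches any proxied home server, since the stripped name is what gets forwarded.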


Re: removing domain data from user name

2006-07-13 Thread fvt3
I was able to strip the domain portion of it by having
radius execute an external script.  Here is what I
have in radius to execute the external script..

ldap ldap_ldap1 {
        server = ""
        identity = ""
        password = ""
        #basedn = ""
        basedn = ""
        #filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
        filter = "(SamAccountName=%{exec:/usr/local/freeradius/etc/raddb/nodomain.pl %u})"
}

I wrote a perl script to strip that off; using a shell
script it always adds a return character which adds a
space after the uid.


--- Yedidia Klein [EMAIL PROTECTED] wrote:

 Is there a way on freeradius to pass to the ldap
 server only the left side of the @ sign ?


Freerad routing problem

2006-07-13 Thread Moustapha Ould Maouloud
Hello,

I have in my LAN a Colubris Access Controller (IP: 192.168.10.81, gw: 192.168.10.1/80.B.C.D) which I authenticate on a freeradius via Internet (IP of freerad server: 63.E.F.G).

My server receives:

rad_recv: Access-Request packet from host 80.B.C.D:10901, id=64, length=251
        Acct-Session-Id = "7592eefb"
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "noven-ac1"
        Calling-Station-Id = "00-03-52-01-FC-33"
        Called-Station-Id = "00-03-52-01-FC-33"
        Framed-IP-Address = 192.168.1.1
        User-Password = "novenac1"
        NAS-Identifier = "noven.Vincennes.0"
        NAS-IP-Address = 192.168.10.81
        Framed-MTU = 1496
        Connect-Info = "HTTPS"
        Service-Type = Administrative-User
        WISPr-Location-Name = "noven.Noven-WiFi"
        WISPr-Location-ID = "noven2/Noven-WiFi"
        Message-Authenticator = 0xa4619c3e1b4b1f7f5a877de95f208ab0
  Processing the authorize section of radiusd.conf.

and returns:

Sending Access-Accept of id 64 to 80.B.C.D:10901
        Framed-Protocol := PPP
        Service-Type := Framed-User
        Framed-MTU := 1500
        Colubris-AVPair += "transport-page=https://192.168.10.82/Noven/transport.html"
        Colubris-AVPair += "session-page=https://192.168.10.82/Noven/session.html"

My problem is that the response from the radius server does not reach my AC (IP 192.168.10.81) although the answer was indeed returned to my router (IP: 80.B.C.D)!!! Someone can help me? Please

Thanks;
		 

Re: multiple post-auth sql queries, possible?

2006-07-13 Thread Duane Cox



Is it possible to run a module twice in one 
section... 
meaning can I run the sql module twice in the 
post-auth section ?

I am thinking I could, but I would have to call it 
by a new name and then copy the lib files to also this new name.

Thanks
Duane Cox


  - Original Message -
  From: Duane Cox
  To: freeradius-users@lists.freeradius.org
  Sent: Wednesday, July 12, 2006 4:24 PM
  Subject: multiple post-auth sql queries, possible?
  
  Hello List
  
  Is there a way to have freeradius 1.1.1 send two 
  or more sql postauth queries?
  
  I tried to put together an update statement and 
  an insert statement with a "go" command, but mssql didn't like it because the 
  insert, go, update was all on the same "line"
  executing the above statement; but broken out on 
  three lines with "go" by itself, works, but I'm not sure if I can do this in 
  freeradius.
  
  So is it possible to have freeradius process sql1 
  and then sql2 in the post-auth section, if so what would be the best way to 
  set this up.
  
  here is my current config ...
  
  post-auth {
          sql
          Post-Auth-Type REJECT {
                  sql
          }
  }
  
  and then mssql.conf contains one 
  postauth_query
  
  Thanks
  Duane Cox
  
  
  
  
  


RE: multiple post-auth sql queries, possible?

2006-07-13 Thread Jurgen van Vliet



Hi Duane

If you use a DB backend that supports stored procedures
(like mysql 5) you can make a procedure in your mysql server containing several
queries.
You can even use IF THEN ELSE structures,
and call that procedure from post-auth as a single
query.

like: postauth_query = "call postauth1('%{SQL-User-Name}');"

this calls the stored procedure postauth1 and gives the
sql user name as parameter for the procedure to work with.

Maybe that solves your problem :)

Good luck!


Jurgen van Vliet

WANBound Technologies | Veldzigt 28 | 3454 PW De Meern | The Netherlands
Tel: +31 30 66 61 940 | Fax: +31 30 66 64 339 | Email: [EMAIL PROTECTED] | Website: www.wanbound.com




Re: removing domain data from user name

2006-07-13 Thread Yedidia Klein




thanks, this way did it.

--yedidia

fvt3 wrote:

 I was able to strip the domain portion of it by having
 radius execute an external script.

rlm_passwd usage

2006-07-13 Thread B Thompson
Hi

We used to list all our fifty thousand usernames individually in the
users file, but this made it quite large so following advice on this
mailing list I decided to use rlm_passwd instead. This seems to work
very well and the file size is much smaller. I have configured my
passwd style users file as follows :-

passwd york_passwd {
        filename = /etc/raddb/yorkpasswd
        format = "*Stripped-User-Name:NT-Password:Crypt-Password"
        hashsize = 10
        ignorenislike = yes
}

 
However, I would now like to restrict access to a particular NAS
device to a particular set of users and I am not sure how best to go
about this. If these users were still listed in the users file I could
do something like this for users allowed access :-

user1 NT-Password := blah, Crypt-Password := blah  

...and this for disallowed users :-

user2 NT-Password := blah, Crypt-Password := blah, NAS-Identifier != 
restrictednas

Could anybody suggest a solution using my rlm_passwd setup?

Thanks

-- 

Ben Thompson
University of York



Re: rlm_passwd usage

2006-07-13 Thread Alan DeKok
B Thompson [EMAIL PROTECTED] wrote:
 However, I would now like to restrict access to a particular NAS
 device to a particular set of users and I am not sure how best to go
 about this.

  Create a group, and put those users into that group, also using
rlm_passwd.  You could add a new file, or simply add the group name as
another field in the current file.

  See man rlm_passwd for examples.

  Alan DeKok.



(no subject)

2006-07-13 Thread Robert Dukes
Hello,

Has anyone used Freeradius with Alvarion Breezeaccess to do accounting? I am having a big issue getting the radius to understand the radios' Attribs. Or are there other ways to track user traffic? We are in Russia doing a charity project for Russian orphans, so any help to resolve this issue would be a big help.

-- Robert Dukes

Re: (no subject)

2006-07-13 Thread Alan DeKok
Robert Dukes [EMAIL PROTECTED] wrote:
 Has anyone used Freeradius with Alvarion Breezeaccess to do accounting ?
 I am having a big issue getting
 the radius to understand the radios' Attribs.

  Could you be more specific?  "I have a problem, how do I fix it?"
doesn't let anyone help you.

  Alan DeKok.



Re: (no subject)

2006-07-13 Thread Robert Dukes
Sorry, Ok I use Alvarion SU radios that have a radius accounting option, but the radios send some VSAs that are not recognizable in the radius. Breezenet/Breezecom/Alvarion VSA's. These NASs send Ethernet port data in VSAs (up to 11 per accounting request) but unfortunately don't use the same attribute numbers each time. Instead, the attribute number increments each time, then wraps at 256. Radiator automatically maps the first one in a packet to Breezecom-Attr1, the second to Breezecom-Attr2 etc through to Breezecom-Attr11.

I can send a dump log if you want

-- Robert Dukes

Re: (no subject)

2006-07-13 Thread Thor Spruyt
How about adding a dictionary with all 256 numbers?



Confused about 'hints' file

2006-07-13 Thread Brenckle, Nicholas



I have an entry in the hints file, that when I uncomment, the authentication fails. And I can't
figure out why.

When/where during the process does the hints file come into play? I'm watching everything under
debug mode, and I can't figure it out

Thank you!

Re: Alvarion attributes Re: (no subject)

2006-07-13 Thread Robert Dukes
This really sucks :) We invested so much into the gear here as our project is funded by caring people. So there is no way to get this done ah

On 7/14/06, Alan DeKok [EMAIL PROTECTED] wrote:

 Ah. *That* vendor. My suggestion is to throw away their equipment
 and buy equipment that works. Barring that, file a bug with them, and
 tell them their product is retarded. If you *have* to use their
 equipment, write a module to do that re-mapping. It should be 30-40
 lines of Perl, or about 200 lines of C.

 Alan DeKok.

-- Robert Dukes

Re: Confused about 'hints' file

2006-07-13 Thread Chris Carver

Brenckle, Nicholas wrote:

 When/where during the process does the hints file come into play? I'm
 watching everything under debug mode, and I can't figure it out

You have to match on it in the users file.  Create your huntgroup in the 
huntgroups file as shown in the examples, although you can match on any 
attribute you like not just prefix and suffix.  For example I create 
huntgroups and use NAS-IP-Address frequently.  In your users file just 
match on the huntgroup-name.  Here's my setup with data modified for 
security purposes...


###  huntgroup file ###
huntgroup1      NAS-IP-Address == 192.168.0.1
huntgroup1      NAS-IP-Address == 192.168.0.2
huntgroup1      NAS-IP-Address == 192.168.0.3

###  users file  ###
DEFAULT Huntgroup-Name == huntgroup1
        Idle-Timeout = 900,
        Framed-Protocol = PPP,
        Service-Type = Framed-User,
        Fall-Through = no

Chris Carver
Network Engineer
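Both the basedn answer earlier on this page (ou=%{Huntgroup-Name},dc=example,dc=com) and the huntgroups/users pair just above depend on how a huntgroups line is matched. The following is an added Python model of that matching, written for this page and not taken from rlm_preprocess or rlm_files: it parses lines of the form "name  Attr op value[, Attr op value ...]", evaluates them against a request (all items on a line must match, lines with the same name are alternatives, first match wins), and expands %{Huntgroup-Name} into the basedn. The operator set, the rule for an attribute that is absent from the request, the 192.0.2.x addresses and the sample requests are assumptions. Keep in mind that NAS-IP-Address is whatever the NAS wrote into the packet, not the address the packet came from, so a huntgroup built on it separates already-trusted clients from each other; it does not authenticate them.

```python
import re

# Added example (not rlm_preprocess or rlm_files code): a model of how a
# huntgroups file is read and matched, and of the %{Huntgroup-Name} expansion
# the ldap basedn relies on.  Operators, the absent-attribute rule and the
# sample data are assumptions made for the example.

# "<name>  <Attr> <op> <value>[, <Attr> <op> <value> ...]"; values may be quoted.
_ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|!=|=~)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*')


def parse_huntgroups(text):
    """Return [(name, [(attr, op, value), ...]), ...] in file order."""
    groups = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("huntgroup line needs check items: %r" % raw)
        name, rest = parts
        items, pos = [], 0
        while pos < len(rest):
            m = _ITEM_RE.match(rest, pos)
            if not m:
                raise ValueError("bad check item in %r" % raw)
            attr, op, value = m.groups()
            if value.startswith('"'):
                value = value[1:-1]
            items.append((attr, op, value))
            pos = m.end()
            if pos < len(rest):
                if rest[pos] != ",":
                    raise ValueError("expected ',' in %r" % raw)
                pos += 1
        groups.append((name, items))
    return groups


def _item_matches(request, attr, op, value):
    actual = request.get(attr)
    if actual is None:                 # absent attribute: only != can hold (assumption)
        return op == "!="
    actual = str(actual)
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    return re.search(value, actual) is not None   # =~


def huntgroup_name(request, groups):
    """All items on a line must match (AND); lines are tried in order (OR)."""
    for name, items in groups:
        if all(_item_matches(request, a, o, v) for a, o, v in items):
            return name
    return None


def expand_basedn(template, request, groups):
    """Minimal %{Huntgroup-Name} xlat into the ldap module's basedn."""
    name = huntgroup_name(request, groups)
    if name is None:
        raise LookupError("no huntgroup matched: basedn would expand to an empty ou")
    return template.replace("%{Huntgroup-Name}", name)


# Constructed sample, mirroring the two answers on this page.  NAS-IP-Address
# is whatever the NAS wrote into the packet: any client holding a valid shared
# secret can send any value, so this separates trusted NASes from each other;
# it does not authenticate them.
HUNTGROUPS = """\
mail    NAS-IP-Address == 192.0.2.10
proxy   NAS-IP-Address == 192.0.2.20
proxy   NAS-IP-Address == 192.0.2.21, NAS-Port-Type == Virtual
lab     NAS-Identifier =~ "^lab-"
"""
GROUPS = parse_huntgroups(HUNTGROUPS)
BASEDN = "ou=%{Huntgroup-Name},dc=example,dc=com"


def basedn_for(request):
    """basedn the ldap module would search for this request."""
    return expand_basedn(BASEDN, request, GROUPS)


if __name__ == "__main__":
    print(basedn_for({"NAS-IP-Address": "192.0.2.10", "User-Name": "alice"}))
```

In the real server the huntgroups file is only consulted when preprocess runs, which is why it has to come before ldap in authorize, as in the authorize order shown earlier in this digest; a request that matches no huntgroup leaves %{Huntgroup-Name} empty, and the search then runs against "ou=,dc=example,dc=com" rather than failing loudly, which the LookupError above makes visible instead.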


Re: Alvarion attributes Re: (no subject)

2006-07-13 Thread Alan DeKok
Robert Dukes [EMAIL PROTECTED] wrote:
 This really sucks :) We invested so much into the gear here as our project
 is funded by caring people. So there is no way to get this done ah 

  Try the patch below, which should work in 1.1.x.

No guarantees... it just compiles, and I haven't tested it.
You'll also have to create a dictionary, but I leave that part up to
you.

  Alan DeKok.

Index: src/include/libradius.h
===
RCS file: /source/radiusd/src/include/libradius.h,v
retrieving revision 1.76.2.2.2.9
diff -u -r1.76.2.2.2.9 libradius.h
--- src/include/libradius.h 15 Jun 2006 21:47:14 -  1.76.2.2.2.9
+++ src/include/libradius.h 13 Jul 2006 21:22:18 -
@@ -65,12 +65,13 @@
 #define CHAP_VALUE_LENGTH   16
 #define MAX_STRING_LEN 254 /* RFC2138: string 0-253 octets */
 
+#  define VENDOR(x)((x  16)  0x)
+
 #ifdef _LIBRADIUS
 #  define AUTH_HDR_LEN 20
 #  define VENDORPEC_USR429
 #define VENDORPEC_LUCENT   4846
 #define VENDORPEC_STARENT  8164
-#  define VENDOR(x)((x  16)  0x)
 #  define DEBUGif (librad_debug) printf
 #  define debug_pair(vp)   do { if (librad_debug) { \
putchar('\t'); \
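Review bot: moving VENDOR(x) out of the #ifdef _LIBRADIUS block turns a library-private helper into a macro that every includer of libradius.h now sees under a very generic name; a third-party module that pulls in a vendor SDK with its own VENDOR will hit a redefinition error. Prefer a namespaced name (RADIUS_VENDOR(x), or VENDORPEC_OF(x) next to the VENDORPEC_* constants) and keep VENDOR as the private alias under _LIBRADIUS for the library's own callers.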
Index: src/modules/rlm_preprocess/rlm_preprocess.c
===
RCS file: /source/radiusd/src/modules/rlm_preprocess/rlm_preprocess.c,v
retrieving revision 1.52.2.1.2.1
diff -u -r1.52.2.1.2.1 rlm_preprocess.c
--- src/modules/rlm_preprocess/rlm_preprocess.c 5 May 2006 17:31:53 -   
1.52.2.1.2.1
+++ src/modules/rlm_preprocess/rlm_preprocess.c 13 Jul 2006 21:22:18 -
@@ -48,6 +48,7 @@
int with_ntdomain_hack;
int with_specialix_jetstream_hack;
int with_cisco_vsa_hack;
+   int with_alvarion_vsa_hack;
 } rlm_preprocess_t;
 
 static CONF_PARSER module_config[] = {
@@ -69,6 +70,8 @@
  no },
{ with_cisco_vsa_hack,PW_TYPE_BOOLEAN,
  offsetof(rlm_preprocess_t,with_cisco_vsa_hack), NULL, no },
+   { with_alvarion_vsa_hack,PW_TYPE_BOOLEAN,
+ offsetof(rlm_preprocess_t,with_alvarion_vsa_hack), NULL, no },
 
{ NULL, -1, 0, NULL, NULL }
 };
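Review bot: with_alvarion_vsa_hack gets a CONF_PARSER entry here but no matching line in the sample preprocess { } section of raddb/radiusd.conf.in, where with_cisco_vsa_hack is documented; add it (default no) with one sentence on what the NAS does wrong (VSA numbers incrementing per packet and wrapping at 256) so the switch can be found without reading rlm_preprocess.c.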
@@ -115,7 +118,7 @@
charnewattr[MAX_STRING_LEN];
 
for ( ; vp != NULL; vp = vp-next) {
-   vendorcode = (vp-attribute  16); /* HACK! */
+   vendorcode = VENDOR(vp-attribute);
if (!((vendorcode == 9) || (vendorcode == 6618))) continue; /* 
not a Cisco or Quintum VSA, continue */
 
if (vp-type != PW_TYPE_STRING) continue;
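Review bot: replacing the shift marked /* HACK! */ with VENDOR() is the right cleanup, but the function still compares against bare 9 and 6618, and the new code further down adds a bare 12394; defining VENDORPEC_CISCO, VENDORPEC_QUINTUM and VENDORPEC_ALVARION next to VENDORPEC_USR in libradius.h would give the three hacks one greppable source of truth for the vendor ids.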
@@ -170,6 +173,26 @@
}
 }
 
+
+/*
+ * Don't even ask what this is doing...
+ */
+static void alvarion_vsa_hack(VALUE_PAIR *vp)
+{
+   int vendorcode;
+   int number = 1;
+
+   for ( ; vp != NULL; vp = vp-next) {
+   vendorcode = VENDOR(vp-attribute);
+   if (vendorcode != 12394) continue;
+   if (vp-type != PW_TYPE_STRING) continue;
+
+   vp-attribute = number | (12394  16);
+   snprintf(vp-name, sizeof(vp-name),
+Breezecom-Attr%d, number++);
+   }
+}
+
 /*
  * Mangle username if needed, IN PLACE.
  */
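Review bot: alvarion_vsa_hack() renumbers without an upper bound: "number" keeps incrementing past the eleven Breezecom-AttrN entries the dictionary will define, and vp->name is written with snprintf() rather than copied from the dictionary, so the name and the dictionary entry can disagree and a twelfth string VSA becomes a Breezecom-Attr12 that nothing can look up. Stop at a MAX_ALVARION_ATTRS and leave extra pairs alone, and use dict_attrbyvalue() on the new number to take the dictionary's name (or at least to verify the entry exists). Also check the type filter: "if (vp->type != PW_TYPE_STRING) continue;" only sees pairs that were decoded as string, which means the number the NAS happened to use this time must already be in the dictionary as a string attribute; if an unknown VSA decodes as octets, the hack silently skips exactly the pairs it exists to fix unless all 256 numbers are defined, which is what Thor suggested. Finally, the comment "Don't even ask what this is doing..." should be replaced by the one-line description of the NAS behaviour; the next maintainer will ask.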
@@ -515,6 +538,14 @@
cisco_vsa_hack(request-packet-vps);
}
 
+   if (data-with_alvarion_vsa_hack) {
+   /*
+*  We need to run this hack because the Alvarion
+*  people are crazy.
+*/
+   alvarion_vsa_hack(request-packet-vps);
+   }
+
/*
 *  Note that we add the Request-Src-IP-Address to the request
 *  structure BEFORE checking huntgroup access.  This allows
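Review bot: the diff adds the call at one site only, in the authorize path just before the huntgroup check; the data Robert wants remapped arrives in Accounting-Request packets, which go through rlm_preprocess's preaccounting entry point, so unless that function also gets the alvarion_vsa_hack() call (next to its cisco_vsa_hack() call, if it has one) the accounting packets keep their wrapped numbers and the dictionary names never appear in the detail files. The comment "We need to run this hack because the Alvarion people are crazy" should state the behaviour being corrected (per-packet incrementing VSA numbers) rather than an opinion of the vendor.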



ntlm_auth - rlm_mschap: No User-Password configured. Cannot create NT-Password.

2006-07-13 Thread Peter de Groot


Please help  I cannot see the problem after a day of reading the
lists and googling... hopefully a fresh pair of eyes 

I am trying to authorize to the network via an ntlm_auth lookup against
winbind using PEAP and MS-CHAP v2 etc etc

Doing an ntlm_auth on the command line returns success... but on my
radius server does not want to authenticate.

I am fairly sure I have the certificates ok ??
Samba is joined to the windows domain o.k.

I am trying to authenticate against a different domain than the
samba server is joined to.. should be ok ??

[EMAIL PROTECTED] raddb]# ntlm_auth --request-nt-key
--domain=admin4182 --username=e2052982
password:
NT_STATUS_OK: Success (0x0)
[EMAIL PROTECTED] raddb]#
.
.
.
.

my stuff is

XP-SP2
Fedora Core 5
Samba 3.0.22-1
Freeradius 1.1.2
Windows 2003 Server AD
Cisco Aironet 1100 series
.
.
.

Error message is

modcall: entering group MS-CHAP for request 7
 rlm_mschap: No User-Password configured.  Cannot create LM-Password.
 rlm_mschap: No User-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for e2052982 with NT-Password
radius_xlat: Running registered xlat function of module mschap for
string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
mschap2: d6
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=e2052982
--domain=ADMIN4182 --challenge=7801a84637ef5c68
--nt-response=4f77faa8137d60ae186c5f910fea83f936dbd827ac54f757'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=e2052982
--domain=ADMIN4182 --challenge=7801a84637ef5c68
--nt-response=4f77faa8137d60ae186c5f910fea83f936dbd827ac54f757
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
 rlm_mschap: External script failed.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
 modcall[authenticate]: module mschap returns reject for request 7

.
.
.

radius -X dump follows  sorry about the length .. trimmed after
first error.

TIA
Peter


Peter de Groot
Windows Re-Installation Engineer
Eastern Goldfields College
Ph  08) 90801800  Fax 08) 90801866 Mob  0418915312
http://egshs.wa.edu.au



Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = (null)
mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
--challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: 

Re: ntlm_auth - rlm_mschap: No User-Password configured. Cannot create NT-Password.

2006-07-13 Thread Alan DeKok
Peter de Groot [EMAIL PROTECTED] wrote:
 I am trying to authenticate against a different domain than the
 samba server is joined to.. should be ok ??

  Probably not.

 [EMAIL PROTECTED] raddb]# ntlm_auth --request-nt-key
 --domain=admin4182 --username=e2052982
 password:
 NT_STATUS_OK: Success (0x0)

  That's nice, but it's not what the server is doing:

 radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=e2052982
 --domain=ADMIN4182 --challenge=7801a84637ef5c68
 --nt-response=4f77faa8137d60ae186c5f910fea83f936dbd827ac54f757'

  What happens when you run the above command from the command line?

  Alan DeKok.


Crypt-Password Problem

2006-07-13 Thread Gary . Blydenburgh

Excuse me if this has been asked before but I am having a hard time finding
it in the archives.  I have a script that builds a radius users file out of
a htpasswd file, the password entries are encrypted.  This worked great on
a Redhat Enterprise AS 3 server running freeradius-0.9.3. I have since had
to upgrade my linux box (to RHEL 4) and used the version that came with it,
freeradius-1.0.1.  Now users can not authenticate.

Here is an entry for the user in the USERS file:

juser   Auth-Type := Local, Crypt-Password == "H25nfgL4rCxBY"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,


THIS IS THE DEBUG OUTPUT FROM THE SERVER
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = root
 main: group = root
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = /etc/passwd
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 

Re: Crypt-Password Problem

2006-07-13 Thread Christopher Carver
Quoting [EMAIL PROTECTED]:


 Excuse me if this has been asked before but I am having a hard time finding
 it in the archives.  I have a script that builds a radius users file out of
 a htpasswd file, the password entries are encrypted.  This worked great on
 a Redhat Enterprise AS 3 server running freeradius-0.9.3. I have since had
 to upgrade my linux box (to RHEL 4) and used the version that came with it,
 freeradius-1.0.1.  Now users can not authenticate.

 Here is an entry for the user in the USERS file:

 juser  Auth-Type := Local, Crypt-Password == H25nfgL4rCxBY
 Service-Type = Framed-User,
 Framed-Protocol = PPP,


Here is the problem in your debugging data.

rad_recv: Access-Request packet from host 172.24.0.14:36180, id=72,
length=46
User-Name = user
User-Password = password

The password is coming through as User-Password, NOT Crypt-Password.  So, it
matches nothing in the users file.  Furthermore, probably in plain text not
encrypted form like you expect.

Chris Carver
Network Engineer




Re: Crypt-Password Problem

2006-07-13 Thread Gary . Blydenburgh


[EMAIL PROTECTED]
 wrote on 07/13/2006 11:06:56 PM:

 Quoting [EMAIL PROTECTED]:

 
  Excuse me if this has been asked before but I am having a hard time
finding
  it in the archives.  I have a script that builds a radius users file
out of
  a htpasswd file, the password entries are encrypted.  This worked great
on
  a Redhat Enterprise AS 3 server running freeradius-0.9.3. I have since
had
  to upgrade my linux box (to RHEL 4) and used the version that came with
it,
  freeradius-1.0.1.  Now users can not authenticate.
 
  Here is an entry for the user in the USERS file:
 
  juser  Auth-Type := Local, Crypt-Password == H25nfgL4rCxBY
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
 

 Here is the problem in your debugging data.

 rad_recv: Access-Request packet from host 172.24.0.14:36180, id=72,
 length=46
 User-Name = user
 User-Password = password

 The password is coming through as User-Password, NOT Crypt-Password.  So,
it
 matches nothing in the users file.  Furthermore, probably in plain text
not
 encrypted form like you expect.

 Chris Carver
 Network Engineer


 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

First off Chris thank you for responding to me email so quickly.

Here is a DEBUG from the 0.9.3 server that is still working, using the same
users file, and same client request. Here you see the same User-Password
but further down you see:
rad_check_password:  Found Auth-Type Local
  auth: type Crypt
  Login OK: [d4lane] (from client slpma1nagioswan port 0)


FULL DEBUG BELOW:
[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
Module: Instantiated eap (eap)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, 
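The check that the 0.9.3 debug output above reports as "auth: type Crypt", modelled as an added example in Perl (not code from this thread or from FreeRADIUS): it builds users-file entries of the form shown in the post from constructed htpasswd lines, then compares the cleartext User-Password of a request against the stored Crypt-Password with Perl's built-in crypt(). The account names, passwords and requests are constructed for the example.

```perl
#!/usr/bin/perl
# Added example: model of the Crypt-Password check described in the thread.
# A users-file line such as
#   juser  Auth-Type := Local, Crypt-Password == "H25nfgL4rCxBY"
# makes Crypt-Password a check item: the server runs crypt() over the
# cleartext User-Password carried in the Access-Request, using the stored
# hash as the salt, and compares the result with the stored hash.
use strict;
use warnings;

# Constructed accounts (hypothetical, not from the thread).
my %cleartext = (juser => 'correct horse', d4lane => 's3cret');

# Simulate the htpasswd file the poster's script reads: "name:crypt(3) hash".
my @salt_chars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
sub make_htpasswd_line {
    my ($user, $password) = @_;
    my $salt = join '', map { $salt_chars[rand @salt_chars] } 1 .. 2;
    return "$user:" . crypt($password, $salt);
}
my @htpasswd = map { make_htpasswd_line($_, $cleartext{$_}) } sort keys %cleartext;

# Emit users-file entries in the layout used in the thread.
sub htpasswd_to_users {
    my @lines;
    for my $line (@_) {
        my ($user, $hash) = split /:/, $line, 2;
        push @lines, "$user\tAuth-Type := Local, Crypt-Password == \"$hash\"",
                     "\tService-Type = Framed-User,",
                     "\tFramed-Protocol = PPP";
    }
    return join("\n", @lines) . "\n";
}

# Read the entries back: only the first, unindented line of each entry
# carries check items; indented lines are reply items and are skipped.
sub parse_users {
    my ($text) = @_;
    my %by_user;
    for my $line (split /\n/, $text) {
        next unless length $line;
        next if $line =~ /^\s/;
        my ($user, $checks) = split /\s+/, $line, 2;
        $by_user{$user} = $1 if $checks =~ /Crypt-Password\s*==\s*"?([^",\s]+)"?/;
    }
    return \%by_user;
}

# The comparison itself: the stored hash doubles as the salt, so the
# cleartext never needs to be stored and the hash never travels on the wire.
sub check_password {
    my ($users, $name, $user_password) = @_;
    my $stored = $users->{$name} or return 0;    # no entry: reject
    return crypt($user_password, $stored) eq $stored ? 1 : 0;
}

my $users_text = htpasswd_to_users(@htpasswd);
print $users_text;
my $users = parse_users($users_text);

# Constructed Access-Requests: (User-Name, cleartext User-Password).
for my $req (['juser', 'correct horse'], ['juser', 'wrong'], ['nobody', 'x']) {
    my ($name, $pw) = @$req;
    printf "%s: [%s]\n",
        (check_password($users, $name, $pw) ? 'Login OK' : 'Login incorrect'), $name;
}
```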

EAP-TTLS-PAP-LDAP

2006-07-13 Thread Rohaizam Abu Bakar


Trying to do EAP-TTLS-PAP with CRYPT passwd in LDAP.. The tunnelling seems 
fine.. but when it comes to comparing the password it fails. Refer to the logs and 
config below



Some say (http://felipe-alfaro.org/blog/category/radius/) PAP is tunneled 
inside EAP-TTLS through EAP-GTC... Tried that as well.. still same error..


gtc {
auth_type = PAP (even trying to change to LDAP/OCE - still same error)
}


Error

auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED] (from client localhost port 0)
 TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module eap returns invalid for request 9
modcall: leaving group authenticate (returns invalid) for request 9
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED] (from client OCE_JARING port 241 cli 
00-11-5b-2d-b2-8e)


With setting:-

a) radiusd.conf

ldapOCE {
   --some setting
}

authorize {
   eap
   Autz-Type OCE {
   ldapOCE
   }
}

authenticate {
   Auth-Type OCE {
   ldapOCE
   }
eap
}

b) eap.conf

eap {
   default_eap_type = ttls


   tls {
   --some setting
   }
   ttls {
   default_eap_type = md5
   }


c) users:-

DEFAULT Realm == my015.com, Autz-Type := OCE





Re: Freeradius-Users Digest, Vol 15, Issue 45

2006-07-13 Thread Kun Niu

But still, you can try as he said.:-(


ntlm_auth - rlm_mschap: No User-Password configured. Cannot create NT-Password.

2006-07-13 Thread Peter de Groot

Peter de Groot [EMAIL PROTECTED] wrote:

 I am trying to authenticate against a different domain than the
 samba server is joined to.. should be ok ??


  Probably not.


 [EMAIL PROTECTED] raddb]# ntlm_auth --request-nt-key
 --domain=admin4182 --username=e2052982
 password:
 NT_STATUS_OK: Success (0x0)


  That's nice, but it's not what the server is doing:


 radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=e2052982
 --domain=ADMIN4182 --challenge=7801a84637ef5c68
 --nt-response=4f77faa8137d60ae186c5f910fea83f936dbd827ac54f757'


  What happens when you run the above command from the command line?

  Alan DeKok.



Thanks for the reply  I re-ran the connect and then copy and pasted onto
the command line from the (radiusd -X ) log..

[EMAIL PROTECTED] raddb]#
[EMAIL PROTECTED] raddb]#
[EMAIL PROTECTED] raddb]# /usr/bin/ntlm_auth --request-nt-key --username=e2052982 --domain=ADMIN4182 --challenge=6151ad29f27eff47 
 --nt-response=01e42eabc464bf9915883d804457069d4702d95534ce4d53

Logon failure (0xc06d)
[EMAIL PROTECTED] raddb]#
[EMAIL PROTECTED] raddb]#

Not good. :-(  .. but they do give me the domain option .. so it should be 
ok. ?

.
.
.

Sorry ... couple more idiot (newbie) questions  

I am using PEAP with MSCHAPv2 .. and (I think) according to the how-tos .. I do 
NOT need
ANY certificate(s) on the client PC... Is this correct ?? or, if not .. 
which certificate(s) are
REQUIRED on the PC... ??  I am using tinyCA with the OID extra bits for the XP 
extensions.
Is this an error in the following certificate stuff ??

.
.
.

rlm_eap_tls:  Length Included
 eaptls_verify returned 11
   (other): before/accept initialization
   TLS_accept: before/accept initialization
 rlm_eap_tls:  TLS 1.0 Handshake [length 0041], ClientHelloTLS_accept: 
SSLv3 read client hello A
 rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHelloTLS_accept: 
SSLv3 write server hello A
 rlm_eap_tls:  TLS 1.0 Handshake [length 0927], CertificateTLS_accept: 
SSLv3 write certificate A
 rlm_eap_tls:  TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
   TLS_accept: SSLv3 flush data
   TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error::lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode  eaptls_process returned 13
 rlm_eap_peap: EAPTLS_HANDLED
.
.
.
.
IS the following significant ... ?? It seems to say it cannot create the 
password ??

modcall: entering group MS-CHAP for request 7
 rlm_mschap: No User-Password configured.  Cannot create LM-Password.
 rlm_mschap: No User-Password configured.  Cannot create NT-Password.
 rlm_mschap: Told to do MS-CHAPv2 for e2052982 with NT-Password



Thanks


Peter de Groot
Windows Re-Installation Engineer
Eastern Goldfields College
Ph  08) 90801800  Fax 08) 90801866 Mob  0418915312
http://egshs.wa.edu.au



