Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Jim Seymour

Artur Hecker <[EMAIL PROTECTED]> wrote:
> 
> would you mind writing down a small doc with your experiences?
> 
> i'm sure it would be nice to know for everyone.
[snip]

Actually, I had planned to do just that :).

First I need to find out why my MS-WinXP Pro laptop is prepending
"WindowsName\" to username, rather than, say, the workgroup name.

Jim

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Artur Hecker
would you mind writing down a small doc with your experiences?
i'm sure it would be nice to know for everyone.

Jim Seymour wrote:
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
[EMAIL PROTECTED] (Jim Seymour) wrote:
Clarification: Giving the server ADMINNB\jseymour works.  Giving it
just "jseymour" does not.
 Because the regex on the line above doesn't match.  So, do:
DEFAULT   User-Name =~ blah
  My-Local-User-Name = "%{1}"
DEFAULT 
My-Local-User-Name = "%{My-Local-User-Name:-%{User-Name}}"

Boy, I sure am missing some of the more obvious ones, aren't I?
Okay, that worked.  Thanks for all the help, Alan.  And all you
others, too!
Jim


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Jim Seymour
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> 
> [EMAIL PROTECTED] (Jim Seymour) wrote:
> > Clarification: Giving the server ADMINNB\jseymour works.  Giving it
> > just "jseymour" does not.
> 
>   Because the regex on the line above doesn't match.  So, do:
> 
> DEFAULT User-Name =~ blah
> My-Local-User-Name = "%{1}"
> 
> DEFAULT   
>   My-Local-User-Name = "%{My-Local-User-Name:-%{User-Name}}"
> 

Boy, I sure am missing some of the more obvious ones, aren't I?

Okay, that worked.  Thanks for all the help, Alan.  And all you
others, too!

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Alan DeKok
[EMAIL PROTECTED] (Jim Seymour) wrote:
> Clarification: Giving the server ADMINNB\jseymour works.  Giving it
> just "jseymour" does not.

  Because the regex on the line above doesn't match.  So, do:

DEFAULT   User-Name =~ blah
  My-Local-User-Name = "%{1}"

DEFAULT
        My-Local-User-Name = "%{My-Local-User-Name:-%{User-Name}}"

  Alan DeKok.

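The two-entry hints fix above, modelled as an added Python example (not FreeRADIUS code and not from anyone in the thread): it applies the regex check item and the `%{Attr:-fallback}` expansion to a User-Name, then does an rlm_passwd-style keyed lookup, to show why the regex entry alone rejects a bare "jseymour" while both entries together accept both forms. The smbpasswd contents, hash placeholders and the `HINTS_*` names are constructed for the example, and hints are modelled as applying every matching entry in order.

```python
import re

# Constructed sample smbpasswd file (not Jim's real file); the hash columns
# are obvious placeholders, only the column layout matters here.
SMBPASSWD = """\
jseymour:1001:LMHASH-PLACEHOLDER-0001:NTHASH-PLACEHOLDER-0001:[U          ]:LCT-00000000:
alice:1002:LMHASH-PLACEHOLDER-0002:NTHASH-PLACEHOLDER-0002:[U          ]:LCT-00000000:
"""

# rlm_passwd-style format string, keyed on the attribute the hints fill in.
# A leading '*' marks the key column; an empty name means "skip this column".
PASSWD_FORMAT = "*My-Local-User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"

# The two hints entries from the thread as (check regex on User-Name, attribute, xlat).
# The regex wants a literal backslash; in the hints file itself it needs one more
# level of escaping for the config parser, as Alan noted.
HINTS_FULL = [
    (r"\\(.*)$", "My-Local-User-Name", "%{1}"),
    (None,       "My-Local-User-Name", "%{My-Local-User-Name:-%{User-Name}}"),
]
HINTS_REGEX_ONLY = HINTS_FULL[:1]   # Jim's first attempt: the regex entry alone


def xlat(template, attrs, captures):
    """Expand the subset of xlat used in the thread: %{N} is the N-th regex
    capture, %{Attr} an attribute (empty if unset), %{Attr:-fallback} the
    attribute if set, else the (possibly nested) fallback expansion."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        depth, j = 0, i
        while j < len(template):            # find the matching '}' honouring nesting
            if template.startswith("%{", j):
                depth += 1
                j += 2
                continue
            if template[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        out.append(_expand_ref(template[i + 2:j], attrs, captures))
        i = j + 1
    return "".join(out)


def _expand_ref(inner, attrs, captures):
    if inner.isdigit():                     # %{1}: regex capture group
        n = int(inner)
        return captures[n] if n < len(captures) else ""
    name, sep, fallback = inner.partition(":-")
    value = attrs.get(name)
    if value:
        return value
    return xlat(fallback, attrs, captures) if sep else ""


def apply_hints(attrs, hints):
    """Apply every hints entry whose check item matches, in file order.
    An entry with no regex is an unconditional DEFAULT."""
    attrs = dict(attrs)
    for regex, attr, template in hints:
        captures = []
        if regex is not None:
            m = re.search(regex, attrs.get("User-Name", ""))
            if not m:
                continue                    # check item fails, entry skipped
            captures = [m.group(0), *m.groups()]
        attrs[attr] = xlat(template, attrs, captures)
    return attrs


def parse_passwd_format(fmt):
    """Return (index of key column, column names) for an rlm_passwd format."""
    names = fmt.split(":")
    key = next(i for i, n in enumerate(names) if n.startswith("*"))
    names[key] = names[key][1:]
    return key, names


def passwd_lookup(filetext, fmt, attrs):
    """Look the request up by the key attribute; None when that attribute is
    absent or no line carries its value (the "notfound" in Jim's debug output)."""
    key, names = parse_passwd_format(fmt)
    wanted = attrs.get(names[key])
    if not wanted:
        return None
    for line in filetext.splitlines():
        cols = line.split(":")
        if len(cols) > key and cols[key] == wanted:
            return {n: v for n, v in zip(names, cols) if n}
    return None


def resolve(user_name, hints):
    """Run hints then the lookup; returns (key value used, matched entry or None)."""
    attrs = apply_hints({"User-Name": user_name}, hints)
    return attrs.get("My-Local-User-Name"), passwd_lookup(SMBPASSWD, PASSWD_FORMAT, attrs)


if __name__ == "__main__":
    for name in ("ADMINNB\\jseymour", "jseymour", "ADMINNB\\nobody"):
        print(name, resolve(name, HINTS_REGEX_ONLY), resolve(name, HINTS_FULL))
```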


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Jim Seymour
[EMAIL PROTECTED] (Jim Seymour) wrote:
> 
> "Alan DeKok" <[EMAIL PROTECTED]> wrote:
> > 
> > [EMAIL PROTECTED] (Jim Seymour) wrote:
> [snip]
> > 
> > > Now, if possible, is there a way to persuade FreeRADIUS to try
> > > My-Local-User-Name, if available, Stripped-User-Name if it's not, and
> > > User-Name if Stripped-User-Name is not available?
> > 
> >   Sure.  But you'll need another layer of indirection, because
> > rlm_passwd takes an attribute name, not an "if/then/else" condition.
> > 
> > e.g. Key-For-RLM-Passwd = 
> > "%{My-Local-User-Name:-%{Stripped-User-Name:-%{User-Name}}}"
> > 
> >   Where that goes, though, is a little more complex.  It has to go
> > after "preprocess", and after "realms", but before "passwd".  Find a
> > module which can do that, and you're set...
> 
> I tried putting that directly in the DEFAULT hint, following the
> My-Local-User-Name setting.  It doesn't appear to work.  Or maybe
> that's not a good place to put it?

Clarification: Giving the server ADMINNB\jseymour works.  Giving it
just "jseymour" does not.  Is it possible the Key-For-RLM-Passwd test
is failing?  That My-Local-User-Name is "set," even if empty, by the
regexp?

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Jim Seymour
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> 
> [EMAIL PROTECTED] (Jim Seymour) wrote:
[snip]
> 
> > Now, if possible, is there a way to persuade FreeRADIUS to try
> > My-Local-User-Name, if available, Stripped-User-Name if it's not, and
> > User-Name if Stripped-User-Name is not available?
> 
>   Sure.  But you'll need another layer of indirection, because
> rlm_passwd takes an attribute name, not an "if/then/else" condition.
> 
> e.g. Key-For-RLM-Passwd = 
> "%{My-Local-User-Name:-%{Stripped-User-Name:-%{User-Name}}}"
> 
>   Where that goes, though, is a little more complex.  It has to go
> after "preprocess", and after "realms", but before "passwd".  Find a
> module which can do that, and you're set...

I tried putting that directly in the DEFAULT hint, following the
My-Local-User-Name setting.  It doesn't appear to work.  Or maybe
that's not a good place to put it?

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Alan DeKok
[EMAIL PROTECTED] (Jim Seymour) wrote:
>   I should've thought of that!  It's not like I haven't
> been working with regexps for about a million years.  That worked!
> Thanks :).

  That's good to hear.

> Now, if possible, is there a way to persuade FreeRADIUS to try
> My-Local-User-Name, if available, Stripped-User-Name if it's not, and
> User-Name if Stripped-User-Name is not available?

  Sure.  But you'll need another layer of indirection, because
rlm_passwd takes an attribute name, not an "if/then/else" condition.

e.g. Key-For-RLM-Passwd = 
"%{My-Local-User-Name:-%{Stripped-User-Name:-%{User-Name}}}"

  Where that goes, though, is a little more complex.  It has to go
after "preprocess", and after "realms", but before "passwd".  Find a
module which can do that, and you're set...

  Alan DeKok.



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Jim Seymour
Stefan Winter <[EMAIL PROTECTED]> wrote:
> 
[snip]
> 
> Hope you haven't given up yet. In a later message you write:

Nah, I'm not that easy ;).

> 
[snip]
> 
> Which makes me think that both "suffix" and "ntdomain" are active in
> rlm_realms. Try turning off suffix, because suffix operates only on names
> formatted like [EMAIL PROTECTED] In your case I think it tries to find a
> suffix, doesn't, and then uses realm NONE because no realm delimiter is
> found. If you turn suffix off, the delimiter \ is found and the request is
> set to the DEFAULT realm. Hopefully.

I removed Alan's fix, commented-out "suffix" and un-commented
"ntdomain."  No joy.

Thanks for the suggestion, though.

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Jim Seymour
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> 
> [EMAIL PROTECTED] (Jim Seymour) wrote:
[snip]
> 
>   Hmm... the reason the "hints" thing didn't work is that the regex
> function expects '\' to be escaped, too.  This works for me:
> 
> DEFAULT   User-Name =~ "(.*)$"
>           My-Local-User-Name = "%{1}"

  I should've thought of that!  It's not like I haven't
been working with regexps for about a million years.  That worked!
Thanks :).

Now, if possible, is there a way to persuade FreeRADIUS to try
My-Local-User-Name, if available, Stripped-User-Name if it's not, and
User-Name if Stripped-User-Name is not available?

> 
> > What rather astonishes me is that this either hasn't come up before,
> > tho I have a private email that indicates something like it has, or
> > that nobody's pursued it to the bitter end.  One would almost think
> > that Unix/Linux + Samba + Wireless + WPA + (Free)RADIUS was an unusual
> > combination.
> 
>   No, but having the machine name in the User-Name attribute isn't
> common.

It's just plain ol' vanilla MS-WinXP Pro SP1, with updated MS support
for the wireless stuff.  The machine is *not* in a MS-Win2k domain, as
I haven't yet got the servers upgraded to support those.  So the 'doze
PCs are all in plain old MS-Win workgroups for now.  You'd have to ask
Microsoft why 'doze does what it does.  Personally, I've long- since
given up trying to understand such things, and now simply try to find
ways to work around Microsoft's brain-dead designs.

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Stefan Winter
Hi,

> authorize {
> ...
> #
> #  If you are using multiple kinds of realms, you probably
> #  want to set "ignore_null = yes" for all of them.
> #  Otherwise, when the first style of realm doesn't match,
> #  the other styles won't be checked.
> #
> suffix
> #   ntdomain
> ...
> #
> #  If you are using /etc/smbpasswd, and are also doing
> #  mschap authentication, the un-comment this line, and
> #  configure the 'etc_smbpasswd' module, above.
> etc_smbpasswd
> ...
> }
>
> I un-commented "ntdomain".  No change.  The -X output can be seen at:

Hope you haven't given up yet. In a later message you write:

 modcall[authorize]: module "mschap" returns noop for request 6
  rlm_realm: No '@' in User-Name = "ADMINNB\jseymour", looking up realm NULL
  rlm_realm: Found realm "NULL"
  rlm_realm: Adding Stripped-User-Name = "ADMINNB\jseymour"
  rlm_realm: Proxying request from user ADMINNB\jseymour to realm NULL
  rlm_realm: Adding Realm = "NULL"
  rlm_realm: Authentication realm is LOCAL.

Which makes me think that both "suffix" and "ntdomain" are active in 
rlm_realms. Try turning off suffix, because suffix operates only on names 
formatted like [EMAIL PROTECTED] In your case I think it tries to find a 
suffix, doesn't, and then uses realm NONE because no realm delimiter is 
found. If you turn suffix off, the delimiter \ is found and the request is 
set to the DEFAULT realm. Hopefully.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]        tel.: +352 424409-33
http://www.restena.lu           fax:  +352 422473



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Alan DeKok
[EMAIL PROTECTED] (Jim Seymour) wrote:
> The NULL realm caught it, but the Stripped-User-Name is not stripped of
> the stupid 'doze garbage pre-pended to it :(.  Observe:

  The DEFAULT realm *should* do this.  The NULL realm is "don't do
realms", which isn't what you want.

  Hmm... the reason the "hints" thing didn't work is that the regex
function expects '\' to be escaped, too.  This works for me:

DEFAULT  User-Name =~ "(.*)$"
 My-Local-User-Name = "%{1}"

> What rather astonishes me is that this either hasn't come up before,
> tho I have a private email that indicates something like it has, or
> that nobody's pursued it to the bitter end.  One would almost think
> that Unix/Linux + Samba + Wireless + WPA + (Free)RADIUS was an unusual
> combination.

  No, but having the machine name in the User-Name attribute isn't
common.

  Alan DeKok.



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Michael Griego <[EMAIL PROTECTED]> wrote:
> 
> Or you could make sure your DEFAULT realm is set up.  

Actually, a NULL realm was what I think you meant.

>   Your current 
> configuration should work if you have a DEFAULT realm in your 
> proxy.conf.  If it doesn't work using the default realm, change your 
> etc_smbpasswd line to use the Stripped-User-Name, but I think it should 
> already attempt to use it if it's present.  It's not present, though, 
> because no realm is found.  The DEFAULT realm will catch all realm 
> instances that aren't specifically set up.

The NULL realm caught it, but the Stripped-User-Name is not stripped of
the stupid 'doze garbage pre-pended to it :(.  Observe:

  modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "ADMINNB\jseymour", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "ADMINNB\jseymour"
rlm_realm: Proxying request from user ADMINNB\jseymour to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.

*sigh*

I hate 'doze.

What rather astonishes me is that this either hasn't come up before,
tho I have a private email that indicates something like it has, or
that nobody's pursued it to the bitter end.  One would almost think
that Unix/Linux + Samba + Wireless + WPA + (Free)RADIUS was an unusual
combination.

Or maybe it is...  (That might explain a *lot*.)

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Michael Griego <[EMAIL PROTECTED]> wrote:
> 
> Or you could make sure your DEFAULT realm is set up.  Your current 
> configuration should work if you have a DEFAULT realm in your 
> proxy.conf.  If it doesn't work using the default realm, change your 
> etc_smbpasswd line to use the Stripped-User-Name, but I think it should 
> already attempt to use it if it's present.  It's not present, though, 
> because no realm is found.  The DEFAULT realm will catch all realm 
> instances that aren't specifically set up.

I did this in proxy.conf:

#
#  This realm is for ALL OTHER requests.
#
realm DEFAULT {
type= radius
authhost= LOCAL
accthost= LOCAL
}

I did this in radiusd.conf:

passwd etc_smbpasswd {
filename = /usr/local/samba/private/smbpasswd
format = "*Stripped-User-Name::LM-Password:...

No joy.

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> 
> [EMAIL PROTECTED] (Jim Seymour) wrote:
> > >   a) adding "ADMINNB\jseymour" as a user in the smb passwd file
> > 
> > That's not practical.  "ADMINNB" is that specific laptop's NETBIOS
> > name.
> 
>   testing != deployment
> 
>   First, get it to work.  Then, get it to work in a real deployment.

Valid point :).  Okay, if I pre-pend "ADMINNB\" to my username in
smbpasswd, it works like a champ.

> 
> > >   If you want to use "jseymour" as a key for the smb passwd file,
> > > convince the server to use that string, and not any other.
> > 
> > Is there a way I can do it irrespective of the supposed "domain?"
> 
>   In "hints":
> 
> DEFAULT   User-Name =~ "\\(.*)$"
>   My-Local-User-Name = "%{1}"
> 
>   Then, in smb_passwd, use My-Local-User-Name as the key.  You will
> have to define it in the dictionaries, too.
> 
>   That should work, I think.

Nope.  Failure mode identical.

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Michael Griego
Or you could make sure your DEFAULT realm is set up.  Your current 
configuration should work if you have a DEFAULT realm in your 
proxy.conf.  If it doesn't work using the default realm, change your 
etc_smbpasswd line to use the Stripped-User-Name, but I think it should 
already attempt to use it if it's present.  It's not present, though, 
because no realm is found.  The DEFAULT realm will catch all realm 
instances that aren't specifically set up.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Alan DeKok wrote:
[EMAIL PROTECTED] (Jim Seymour) wrote:
 a) adding "ADMINNB\jseymour" as a user in the smb passwd file
That's not practical.  "ADMINNB" is that specific laptop's NETBIOS
name.

  testing != deployment
  First, get it to work.  Then, get it to work in a real deployment.

 If you want to use "jseymour" as a key for the smb passwd file,
convince the server to use that string, and not any other.
Is there a way I can do it irrespective of the supposed "domain?"

  In "hints":
DEFAULT User-Name =~ "\\(.*)$"
My-Local-User-Name = "%{1}"
  Then, in smb_passwd, use My-Local-User-Name as the key.  You will
have to define it in the dictionaries, too.
  That should work, I think.
  Alan DeKok.


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Alan DeKok
[EMAIL PROTECTED] (Jim Seymour) wrote:
> >   a) adding "ADMINNB\jseymour" as a user in the smb passwd file
> 
> That's not practical.  "ADMINNB" is that specific laptop's NETBIOS
> name.

  testing != deployment

  First, get it to work.  Then, get it to work in a real deployment.

> >   If you want to use "jseymour" as a key for the smb passwd file,
> > convince the server to use that string, and not any other.
> 
> Is there a way I can do it irrespective of the supposed "domain?"

  In "hints":

DEFAULT User-Name =~ "\\(.*)$"
My-Local-User-Name = "%{1}"

  Then, in smb_passwd, use My-Local-User-Name as the key.  You will
have to define it in the dictionaries, too.

  That should work, I think.

  Alan DeKok.




Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> 
> [EMAIL PROTECTED] (Jim Seymour) wrote:
> > 
> > http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack+ntdomain_realm.txt
> ...
> >   modcall[authorize]: module "etc_smbpasswd" returns notfound for request 0
> 
>   The password isn't being added because the user "ADMINNB\jseymour"
> isn't being found in the smb passwd file.  That's the root cause of
> the problem.

I rather figured that.

> 
>   I suggest:
> 
>   a) adding "ADMINNB\jseymour" as a user in the smb passwd file

That's not practical.  "ADMINNB" is that specific laptop's NETBIOS
name.  I'd have to have duplicated smbpasswd entries for every laptop
each user might choose to use--for every user.  Be far easier to do
what people seem to always do in my situation: Tell the end-users
they'll have to auth to the WLAN separately.

> 
>  or
> 
>   b) setting up realms, and using Stripped-User-Name as the key to
> smb_passwd.
> 
> ...
> >rlm_realm: Looking up realm "ADMINNB" for User-Name = "ADMINNB\jseymour"
> >rlm_realm: No such realm "ADMINNB"
> 
>   And therefore no Stripped-User-Name.

Separate realms for every laptop in the building would likewise be
impractical.

> 
>   If you want to use "jseymour" as a key for the smb passwd file,
> convince the server to use that string, and not any other.

Is there a way I can do it irrespective of the supposed "domain?"

Thanks for the follow-up, Alan.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at .



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Alan DeKok
[EMAIL PROTECTED] (Jim Seymour) wrote:
> 
> http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack+ntdomain_realm.txt
...
>   modcall[authorize]: module "etc_smbpasswd" returns notfound for request 0

  The password isn't being added because the user "ADMINNB\jseymour"
isn't being found in the smb passwd file.  That's the root cause of
the problem.

  I suggest:

  a) adding "ADMINNB\jseymour" as a user in the smb passwd file

 or

  b) setting up realms, and using Stripped-User-Name as the key to
smb_passwd.

...
>rlm_realm: Looking up realm "ADMINNB" for User-Name = "ADMINNB\jseymour"
>rlm_realm: No such realm "ADMINNB"

  And therefore no Stripped-User-Name.

  If you want to use "jseymour" as a key for the smb passwd file,
convince the server to use that string, and not any other.

  Alan DeKok.




Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Michael Griego <[EMAIL PROTECTED]> wrote:
> 
> I think I see what your problem is...
> 
> You need to reenable the ntdomain realm module that is preconfigured in 
> the server and be sure it's called before your etc_smbpasswd module in 
> your authorize section.  You seem to have removed it, and, because of 
> that, it can't find the correct username in your smbpasswd file.

Nope.  I removed nothing.  I neither disabled nor de-configured
anything.

I'm guessing that maybe what was "missing" was this bit?

authorize {
...
#
#  If you are using multiple kinds of realms, you probably
#  want to set "ignore_null = yes" for all of them.
#  Otherwise, when the first style of realm doesn't match,
#  the other styles won't be checked.
#
suffix
#   ntdomain
...
#
#  If you are using /etc/smbpasswd, and are also doing
#  mschap authentication, the un-comment this line, and
#  configure the 'etc_smbpasswd' module, above.
etc_smbpasswd
...
}

I un-commented "ntdomain".  No change.  The -X output can be seen at:


http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack+ntdomain_realm.txt

I even tried "ignore_null = yes" in the "realm ntdomain" config.  No
difference, either.

(And yes: I'm saving the config file(s) and starting radiusd anew for
each test :).)

Jim


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Michael Griego
I think I see what your problem is...
You need to reenable the ntdomain realm module that is preconfigured in 
the server and be sure it's called before your etc_smbpasswd module in 
your authorize section.  You seem to have removed it, and, because of 
that, it can't find the correct username in your smbpasswd file.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Jim Seymour wrote:
Michael Griego <[EMAIL PROTECTED]> wrote:
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for jseymour with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
Above is where you're failing.  It looks like you had the passwd module 
called in your authorize block in one of your previous emails and 
removed it before you ran this debug, 
[snip]
Nope.  The only differences are:
1. Changed 'doze config back to "use login stuff"
2. Un-commented the "ntdomain hack" in mschap
Jim


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Michael Griego <[EMAIL PROTECTED]> wrote:
> 
>rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>rlm_mschap: Told to do MS-CHAPv2 for jseymour with NT-Password
>rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>modcall[authenticate]: module "mschap" returns reject for request 6
> 
> Above is where you're failing.  It looks like you had the passwd module 
> called in your authorize block in one of your previous emails and 
> removed it before you ran this debug, 
[snip]

Nope.  The only differences are:

1. Changed 'doze config back to "use login stuff"
2. Un-commented the "ntdomain hack" in mschap

Jim


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Michael Griego
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for jseymour with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
Above is where you're failing.  It looks like you had the passwd module 
called in your authorize block in one of your previous emails and 
removed it before you ran this debug, so it's no longer finding your 
users and adding their passwords to the request.  You need to add this 
back in then grab another debug output to if the problem continues and 
where it is.

--Mike


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Michael Griego <[EMAIL PROTECTED]> wrote:
> 
> Jim Seymour wrote:
> 
>  > So clearly that output indicates a successful username match, and
>  > just as clearly, setting "with_ntdomain_hack = yes" in the mschap
>  > module does not strip the leading "GARBAGE\" stuff.
> 
> You'll have to look quite a bit further down in the debugging output to 
> see that.  Please set "with_ntdomain_hack" in the mschap module to 
> "yes", then post the FULL debugging output.  It's too hard to guess what 
> you've got your server setup to do.

Okay, here you go:

http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack.txt

"ADMINNB" is the laptop's "Windows" name.  The username should be
pretty apparent ;).

Thanks for your help!

Jim


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Michael Griego
Jim Seymour wrote:
> So clearly that output indicates a successful username match, and
> just as clearly, setting "with_ntdomain_hack = yes" in the mschap
> module does not strip the leading "GARBAGE\" stuff.
You'll have to look quite a bit further down in the debugging output to 
see that.  Please set "with_ntdomain_hack" in the mschap module to 
"yes", then post the FULL debugging output.  It's too hard to guess what 
you've got your server setup to do.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour

Michael Griego <[EMAIL PROTECTED]> wrote:
> 
> You should be
> 
> Jim Seymour wrote:
> > Willem Eradus <[EMAIL PROTECTED]> wrote:
> >>
> >>#
> >>#with_ntdomain_hack = no
> > 
> > 
> > I tried that.  Made no discernable difference.
> 
> Be sure you're using the with_ntdomain_hack in the mschap module 
> configuration, NOT the one in the preprocess module configuration.

Tried one, the other, and both.

Using separate creds in 'doze, I get this in the -X output:

rlm_passwd: Added LM-Password: 'users LM password' to config_items
rlm_passwd: Added NT-Password: 'users NT password' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U  ]' to config_items
rlm_passwd: Adding "Auth-Type = MS-CHAP"
  modcall[authorize]: module "etc_smbpasswd" returns ok for request 0

Using WinXP's login info, I see none of that.  Instead I get:

  modcall[authorize]: module "etc_smbpasswd" returns notfound for request 0

Next test: I reconfigured the XP box for separate, manually-entered
creds again, entered a correct username, but invalid password.  Again
I got:

rlm_passwd: Added LM-Password: 'users LM password' to config_items
rlm_passwd: Added NT-Password: 'users NT password' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U  ]' to config_items
rlm_passwd: Adding "Auth-Type = MS-CHAP"
  modcall[authorize]: module "etc_smbpasswd" returns ok for request 0

So clearly that output indicates a successful username match, and
just as clearly, setting "with_ntdomain_hack = yes" in the mschap
module does not strip the leading "GARBAGE\" stuff.

Ghod I just love 'doze :/

Jim


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Michael Griego
You should be
Jim Seymour wrote:
Willem Eradus <[EMAIL PROTECTED]> wrote:
#
#with_ntdomain_hack = no

I tried that.  Made no discernible difference.

Be sure you're using the with_ntdomain_hack in the mschap module 
configuration, NOT the one in the preprocess module configuration.

--Mike


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Willem Eradus <[EMAIL PROTECTED]> wrote:
> 
> On Wed, 30 Mar 2005 06:50:37 -0500 (EST), Jim Seymour
> <[EMAIL PROTECTED]> wrote:
> > 
[snip]
> > 
> > One thing I notice is the client PC sending WINNAME\username, instead
> > of just username, if I tell it to use the Windows login info.
> > 
> > > [At least I think so; someone please correct me if I'm wrong]
> 
> I get [WI-1\\Willem Eradus/]
> 
> # Windows sends us a username in the form of
> # DOMAIN\user, but sends the challenge response
> # based on only the user portion.  This hack
> # corrects for that incorrect behavior.
> #
> #with_ntdomain_hack = no

I tried that.  Made no discernible difference.

Note, further down, in "preprocess," this:

# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no

I'm not at all clear on "realms" or what I should be doing in that
respect, if anything.

> 
> I believe the above should take care of the "domain" part, and some
> other attribute may hold a hash with the password. Did you try with -X
> enabled to see what attributes are being provided?

I've been running it in the foreground with -X.  That *is* what the
install docs say to do for testing, after all, and I do RTFM.  Well...
usually.  I'm not yet grokking much of what I'm seeing.

I'll keep plugging away.  Hopefully, sooner-or-later, either I'll trip
across the solution or somebody here will mention it.

Thanks for the follow-up.

Jim


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Willem Eradus
On Wed, 30 Mar 2005 06:50:37 -0500 (EST), Jim Seymour
<[EMAIL PROTECTED]> wrote:
> 
> Stefan Winter <[EMAIL PROTECTED]> wrote:
> >
> > Hello!
> >
> > > I've searched and searched, and tried every hint I could find, and
> > > cannot seem to make it work using the "Windows login name and
> > > password."  Is it possible?
> >
> > Make your users set a password for their login on the XP machine. That is the
> > username/password combination XP will use for authentication when you check
> > the box.
> 
> Yes, I knew this.  Users have been using Samba shares on my Unix/Linux
> servers for a number of years.
> 
> > Then list these users with the appropriate passwords in your radiusd backend
> > (smbpasswd in your case).
> 
> They're *all* already in there.  (See above.)
> 
> >   Then it should work.
> 
> Not so far.  I'm wondering if I'm missing something in FreeRADIUS'
> configuration?
> 
> One thing I notice is the client PC sending WINNAME\username, instead
> of just username, if I tell it to use the Windows login info.
> 
> > [At least I think so; someone please correct me if I'm wrong]

I get [WI-1\\Willem Eradus/]

# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion.  This hack
# corrects for that incorrect behavior.
#
#with_ntdomain_hack = no

I believe the above should take care of the "domain" part, and some
other attribute may hold a hash with the password. Did you try with -X
enabled to see what attributes are being provided?

> Who am I to say you're wrong?  I've no idea what I'm doing ;).  But
> it doesn't appear to be working.
> 
> Thanks for the follow-up.
> 
> Jim
> --
> Note: My mail server employs *very* aggressive anti-spam
> filtering.  If you reply to this email and your email is
> rejected, please accept my apologies and let me know via my
> web form at .
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
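The two messages above turn on the same detail: the XP client sends User-Name as DOMAIN\user (the "WI-1\\Willem Eradus" seen in the -X output), while the smbpasswd backend only knows the bare user, and the with_ntdomain_hack setting quoted from the mschap and preprocess module configs silently discards the domain portion. The following is an added example, not code from the thread or from FreeRADIUS; it reproduces that lookup behaviour in Python against a few constructed smbpasswd-format lines. The entries, hash values (placeholders, not real hashes) and function names are all made up for the demonstration.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed smbpasswd-style entries for this example (not from the thread).
# Field layout: username:uid:LM_HASH:NT_HASH:[flags]:LCT-<hex time>:
# The 32-character hash fields are placeholders, not real password hashes.
SAMPLE_SMBPASSWD = """\
# Samba SMB password file (constructed sample)
jseymour:1001:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-42430000:
weradus:1002:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-42430000:
olduser:1003:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:00000000000000000000000000000000:[DU         ]:LCT-42430000:
"""

# DOMAIN\user, tolerating the doubled backslash that the debug output shows.
NT_DOMAIN_RE = re.compile(r"^([^\\]+)\\+(.+)$")


def parse_smbpasswd(text: str) -> Dict[str, str]:
    """Return {username: NT hash} for the enabled accounts in smbpasswd text.

    Lines starting with '#' are comments; an account whose flags field
    contains 'D' is disabled and is left out of the table.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue  # malformed entry; skip rather than guess
        username, _uid, _lm_hash, nt_hash, flags = fields[:5]
        if "D" in flags:
            continue
        table[username] = nt_hash.upper()
    return table


def split_nt_domain(user_name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (domain, user); (None, name) if no domain."""
    m = NT_DOMAIN_RE.match(user_name)
    if not m:
        return None, user_name
    return m.group(1), m.group(2)


def normalize_user_name(user_name: str, with_ntdomain_hack: bool) -> str:
    """Mimic the config knob: with the hack on, the NT_DOMAIN part is dropped."""
    domain, user = split_nt_domain(user_name)
    if with_ntdomain_hack and domain is not None:
        return user
    return user_name


def lookup_nt_hash(user_name: str, table: Dict[str, str],
                   with_ntdomain_hack: bool) -> Optional[str]:
    """Look up the NT hash the MS-CHAP check would be verified against."""
    return table.get(normalize_user_name(user_name, with_ntdomain_hack))


if __name__ == "__main__":
    users = parse_smbpasswd(SAMPLE_SMBPASSWD)
    for name in ("jseymour", "ADMINNB\\jseymour", "WI-1\\\\Willem Eradus"):
        for hack in (False, True):
            found = lookup_nt_hash(name, users, hack) is not None
            print(f"{name!r:28} with_ntdomain_hack={hack!s:5} -> found={found}")
```

Running it shows the symptom from the thread: with the hack off, "ADMINNB\jseymour" is not found because the table key is the bare "jseymour"; with it on, the domain is stripped and the lookup succeeds. The flip side, which is why the preprocess comment says the setting SHOULD NOT be used, is that every domain then collapses onto one flat username space, so two domains with a user of the same name become indistinguishable to the server; the realms module the comment points to keeps the domain as a routing key instead.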


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour

Stefan Winter <[EMAIL PROTECTED]> wrote:
> 
> Hello!
> 
> > I've searched and searched, and tried every hint I could find, and
> > cannot seem to make it work using the "Windows login name and
> > password."  Is it possible?
> 
> Make your users set a password for their login on the XP machine. That is the 
> username/password combination XP will use for authentication when you check 
> the box.

Yes, I knew this.  Users have been using Samba shares on my Unix/Linux
servers for a number of years.

> Then list these users with the appropriate passwords in your radiusd backend 
> (smbpasswd in your case). 

They're *all* already in there.  (See above.)

>   Then it should work.

Not so far.  I'm wondering if I'm missing something in FreeRADIUS'
configuration?

One thing I notice is the client PC sending WINNAME\username, instead
of just username, if I tell it to use the Windows login info.

> [At least I think so; someone please correct me if I'm wrong]

Who am I to say you're wrong?  I've no idea what I'm doing ;).  But
it doesn't appear to be working.

Thanks for the follow-up.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at .

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-29 Thread Stefan Winter
Hello!

> I've searched and searched, and tried every hint I could find, and
> cannot seem to make it work using the "Windows login name and
> password."  Is it possible?

Make your users set a password for their login on the XP machine. That is the 
username/password combination XP will use for authentication when you check 
the box.
Then list these users with the appropriate passwords in your radiusd backend 
(smbpasswd in your case). Then it should work.
[At least I think so; someone please correct me if I'm wrong]

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]        tel.:  +352 424409-33
http://www.restena.lu           fax:   +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-29 Thread Jim Seymour
Hi,

Environment:

FreeRADIUS 1.0.2
WinXP Pro (patched)

I'm >almost< there.  I've got FreeRADIUS authenticating the WinXP Pro
client (Intel PRO/Wireless 2915 and NetGear FWAG114, btw) using the
smbpasswd file on the server *if* I configure XP *not* to use my
"Windows login name and password," which gets it to ask for username
and password the first time it sees the WLAN.  I'd prefer to let users
avoid (mucking-up) the additional step.

I've searched and searched, and tried every hint I could find, and
cannot seem to make it work using the "Windows login name and
password."  Is it possible?

Thanks,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at .

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html