Re: freeradius, windows 2003 ADS - authentication fails

2007-04-12 Thread Alan DeKok
Jacob Jarick wrote:
> Hi I have recently setup freeradius on fedora 6 and I need it to
> authenticate against windows ADS. Currently the requests come through
> the AP but are rejected by freeradius.

  The reason is in the logs.

> [EMAIL PROTECTED] raddb]# radtest Administrator tfxsol 127.0.0.1:1812 10 testing123
> Sending Access-Request of id 40 to 127.0.0.1 port 1812
> User-Name = Administrator
> User-Password = tfxsol
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 10
> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=40, length=20

  Unfortunately, you've showed radtest giving a reject, but have NOT
shown the corresponding debugging output from radtest.  Instead, the
debugging output is from a login via the AP:
...
> rad_recv: Access-Request packet from host 10.1.1.110:1645, id=117, length=164
> User-Name = TFXSCHOOL\\Administrator

  Which is not the radtest packet you quoted above.

> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>   rlm_eap: Failed in handler

  Read eap.conf.  Also, see which module is mangling the User-Name
attribute.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
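
The mismatch pointed out in the message above can be checked mechanically. The following is an added example, not part of the original thread or of FreeRADIUS: it pairs the packet id that radtest reports with the `rad_recv` entries in the server debug output and flags a User-Name that carries an NT domain prefix. The sample text is constructed from the lines quoted above; the function names are hypothetical.

```python
import re

# Constructed sample input: client output and server debug excerpt,
# taken from the lines quoted in the message above.
RADTEST_OUTPUT = r"""Sending Access-Request of id 40 to 127.0.0.1 port 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=40, length=20"""
SERVER_DEBUG = r"""rad_recv: Access-Request packet from host 10.1.1.110:1645, id=117, length=164
User-Name = TFXSCHOOL\\Administrator
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler"""

SENT = re.compile(r"Sending (\S+) of id (\d+) to (\S+) port (\d+)")
RECV = re.compile(r"rad_recv: (\S+) packet from host ([\d.]+):(\d+), id=(\d+)")
ATTR = re.compile(r"^\s*([A-Za-z0-9-]+) = (.*)$")

def sent_ids(client_output):
    """Packet ids that the client (radtest) reports sending."""
    return [int(m.group(2)) for m in SENT.finditer(client_output)]

def received_requests(server_debug):
    """Access-Requests seen by the server, with the attributes that follow."""
    packets, current = [], None
    for line in server_debug.splitlines():
        m = RECV.search(line)
        if m:
            current = None
            if m.group(1) == "Access-Request":
                current = {"host": m.group(2), "id": int(m.group(4)), "attrs": {}}
                packets.append(current)
            continue
        a = ATTR.match(line)
        if a and current is not None:
            current["attrs"][a.group(1)] = a.group(2).strip('"')
    return packets

def triage(client_output, server_debug):
    """Findings that explain why the two excerpts cannot be compared."""
    ids = set(sent_ids(client_output))
    reqs = received_requests(server_debug)
    findings = []
    # RADIUS ids are 8 bits and get reused; on a busy server compare the host too.
    if not any(p["id"] in ids for p in reqs):
        findings.append("no server-side request matches client ids %s" % sorted(ids))
    for p in reqs:
        name = p["attrs"].get("User-Name", "")
        if "\\" in name:
            findings.append("id %d from %s: User-Name has an NT domain prefix (%s)"
                            % (p["id"], p["host"], name))
    return findings
```
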


Re: freeradius, windows 2003 ADS - authentication fails

2007-04-12 Thread Jacob Jarick
Thanks for your prompt reply Alan,
My 1st post so forgive the omission, I will clear the logs then post
radtest and the log info tomorrow once at work.



Re: freeradius, windows 2003 ADS - authentication fails

2007-04-12 Thread Jacob Jarick
OK,

1st off here is the document I have been following:
http://www.swami.se/swami/space/Categories/EduRoam/Workshop+about+eduroam+implementation/freeRadius_AD_tutorial.pdf
I have managed to get all tests and commands working except for
radtest (which I found out via Google) and having an xpro client log in
via wireless (as per the guide).

Sorry about only posting the debug info from the wireless session and
only the results from radtest, as I said earlier I will retest
tomorrow and repost correctly.

I definitely need to find out what is mangling the user name, the
document also mentions something about it (which I did follow).


Make sure that the following lines are uncommented and that the
value is the same as indicated here.
authtype = MS-CHAP
with_ntdomain_hack = yes
Ntdomain_hack is necessary to correct an error due to the
challenge/response and the format in which the user information is
sent.


I just re-read the erd.conf I included, all seems fine (but don't take
my word on that) the only bit I'm curious about is:


   #  This module is the *Microsoft* implementation of MS-CHAPv2
   #  in EAP.  There is another (incompatible) implementation
   #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
   #  currently support.
   #
   mschapv2 {
   }
   }


It's inside the peap { brackets. Should mschapv2 brackets have any
configuration options?
I've been doing some more looking @ the config files (I can only read
the attached ones atm).


Thanks again for the help :)

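
The tutorial passage quoted in the message above says `with_ntdomain_hack` corrects a challenge/response problem caused by the format of the user name. The following added example (not from the thread, the tutorial or FreeRADIUS) shows why: in MS-CHAPv2 (RFC 2759) the 8-octet challenge is derived from the user name, and, as the FreeRADIUS mschap configuration comments describe, Windows clients send `DOMAIN\user` in User-Name but hash only the user portion. The challenge values and function names are constructed for illustration, and the later NT-Response step (MD4 and DES) is left out.

```python
import hashlib

def challenge_hash(peer_challenge, auth_challenge, user_name):
    """RFC 2759 ChallengeHash: the first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]

def strip_nt_domain(user_name):
    """Drop a leading DOMAIN\\ prefix; a name without one is returned unchanged."""
    return user_name.rsplit("\\", 1)[-1]

# Constructed challenges, not taken from any real exchange.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))

def compare(client_account, user_name_attr):
    """Does the server derive the same challenge as the client did?

    client_account : name the supplicant hashed (user portion only)
    user_name_attr : User-Name attribute as it reaches the server
    """
    client = challenge_hash(PEER, AUTH, client_account)
    raw = challenge_hash(PEER, AUTH, user_name_attr)
    stripped = challenge_hash(PEER, AUTH, strip_nt_domain(user_name_attr))
    # A different challenge gives a different expected NT-Response, so the
    # password check fails even though the password is correct.
    return {"without_hack": client == raw, "with_hack": client == stripped}

if __name__ == "__main__":
    # User-Name in the DOMAIN\user form seen in the debug output above.
    print(compare("Administrator", "TFXSCHOOL\\Administrator"))
```
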