Hi Markus and Christian,

I had the same problems weeks ago (including the same error messages). I just 
configured the PFSENSE CAPTIVE PORTAL and SQUID to authenticate at IAS (Windows 
2003).
After a painful check-up, I found that it was the IAS POLICY that was 
wrong. Both captive portal and SQUID send authentication information to IAS 
in PAP format with no encryption at all  :(
So I just changed some features at IAS POLICY and it worked!

Things to check at Microsoft IAS:

1. At IAS -> RADIUS CLIENT: be sure that you have the PFSENSE IP address here!
2. At IAS, after creating the PFSENSE address, enter its properties 
and check if the CLIENT VENDOR is set to use RADIUS STANDARD. I'm supposing 
that your shared key is OK, as you said...
3. At IAS, REMOTE ACCESS POLICY, check at the AUTHENTICATION TAB if Unencrypted 
authentication is lit.
4. At IAS, at the ENCRYPTION TAB, check if NO ENCRYPTION is lit.

Well, I hope it can help you guys...

Sincerely,

Hugs.

Fabrício Guzzy.

|||| Fabrício Ferreira ||||
IT and Digital Security Specialist. 
MCP* - Microsoft Certified Professional 
ConnectCom - São Paulo - Brasil 
Tel: (011) 5095-1234 
Cel: (011) 9937-6605 
E-mail: [EMAIL PROTECTED] 

-----Original Message-----
From: Christian Veith [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 25, 2007 15:40
To: [email protected]
Subject: Re: [pfSense Support] RE: Using pfsense together with Microsoft IAS


Hi Markus,

It's a long time ago I wrote that tutorial, but maybe I could help you.

Could you verify some things?

1. Are there any checked values except PAP in the "New Remote Access Profile 
Policy Wizard / Edit Profile" dialog box?

2. Is the user allowed to do RAS dial-in (in the User Preferences)?

3. Could you post some of the Eventlog entries from the Windows Server and the 
syslogs from pfsense?

4. Are you using the Active Directory in Native 2003 Mode or in Mixed Mode with 
pre-2000 Domain Controllers?

5. Have you registered the IAS in Active Directory?


Kind regards

Christian Veith

Strickler, Markus wrote:
>  
> Hello,
>  
> We just configured pfsense as a RADIUS client for a Microsoft IAS 
> (Windows 2003), in order to provide some hotspot-like WLAN 
> environment.
>  
> On the matching IAS access profile, we specified PAP as authentication 
> type, and confirmed several times that the shared secret is right.
>  
> Authentication requests are passed on to IAS alright - but IAS event 
> id 2, reason code 16 (unknown username / password) are logged all the 
> time, even if the user/password combinations are 100% correct.
>  
> The usernames are recognized - no matter whether entered as 
> <username>, <domain>\<username> or <username>@<domain> , and the 
> policy is matched, but the credentials are judged incorrect by IAS.
>  
> What am I missing here? Do I have to flag the Message Authenticator, 
> for RADIUS?
>  
> I followed the tutorial on
> http://pfsense.loquefaltaba.com/tutorials/cp_config/radius_win2k3.htm 
> precisely, but can't find any hints on authentication/encryption...
>  
> Thank you for your help,
>  
> Best regards,
> Markus Strickler
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
