Hi, I am trying to use ldap + eap/peap (mschapv2).
Using 'nt_domain_hack = yes' results in successful ldap authentication, however it causes eap/peap to fail. Using 'nt_domain_hack = no' causes ldap to fail, but eap/peap to work. Others have seen this problem a little while back (http://lists.cistron.nl/pipermail/freeradius-devel/2004-January/006657.html), which resulted in a source patch which removed the in-state (eap) check of the username. Is there a fix for this? A workaround? The realm filters don't seem to help either ... I tested using yesterday's cvs snap and 1.0.0-rc1. Below is the output.

NT_DOMAIN_HACK = YES

rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
...
...
...
rlm_ldap: performing search in dc=removed, with filter (SamAccountName=USERNAMEHERE)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user USERNAMEHERE authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 48 to 10.0.0.1:6001
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 48 with timestamp 402965a0
Nothing to do. Sleeping until we see a request.

NT_DOMAIN_HACK = NO

rad_recv: Access-Request packet from host 10.0.0.1:6001, id=43, length=139
 User-Name = "MYDOMAIN\\USERNAMEHERE"
 NAS-IP-Address = 10.0.0.1
 Called-Station-Id = "0000a63bb8ed"
 Calling-Station-Id = "0000a63c53a7"
 NAS-Identifier = "ORiNOCO-AP"
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0xremoved
 Message-Authenticator = 0xremoved
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_realm: Looking up realm "MYDOMAIN" for User-Name = "MYDOMAIN\\USERNAMEHERE"
rlm_realm: No such realm "MYDOMAIN"
modcall[authorize]: module "ntdomain" returns noop for request 0
rlm_eap: EAP packet type response id 11 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for MYDOMAIN\\USERNAMEHERE
radius_xlat: '(SamAccountName=MYDOMAIN\\USERNAMEHERE)'
radius_xlat: 'dc=removed'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.0.0.50:389, authentication 0
rlm_ldap: bind as ou=removed to 10.0.0.50:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=removed, with filter (SamAccountName=MYDOMAIN\\USERNAMEHERE)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 43 to 10.0.0.1:6001
 EAP-Message = 0xremoved
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0xremoved
Finished request 0
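The two traces above show the conflict directly: when the domain prefix is stripped out of User-Name before the LDAP search, the filter matches but rlm_eap then reports "Identity does not match User-Name"; when it is not stripped, rlm_realm finds no realm "MYDOMAIN", the filter is built from the full "MYDOMAIN\\USERNAMEHERE" and the LDAP search fails. One way to satisfy both sides is to leave User-Name untouched and let the ntdomain realm instance populate Stripped-User-Name, which the LDAP filter then uses. The configuration fragments below are an added example written for this editorial pass, not the poster's configuration or a reply from the list; they assume FreeRADIUS 1.0-era radiusd.conf/proxy.conf syntax, the realm name MYDOMAIN and server 10.0.0.50 taken from the log, and placeholder bind credentials and base DN.

```conf
# proxy.conf: declare the NT domain as a realm that is handled locally.
# Without this entry rlm_realm logs 'No such realm "MYDOMAIN"' and strips
# nothing. LOCAL means "authenticate here, do not proxy".
realm MYDOMAIN {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

# radiusd.conf, modules section: the realm instance that splits
# "MYDOMAIN\user" into Realm = MYDOMAIN and Stripped-User-Name = user.
# It leaves User-Name alone, so the identity check in rlm_eap still
# compares the EAP Identity against the original User-Name.
realm ntdomain {
        format          = prefix
        delimiter       = "\\"
        ignore_default  = no
        ignore_null     = no
}

# radiusd.conf, modules section: search on the stripped name and fall
# back to the full User-Name when no realm was stripped.
# identity/password/basedn are placeholders (assumption).
ldap {
        server          = "10.0.0.50"
        identity        = "cn=radius,ou=removed,dc=removed"
        password        = "bind-password-here"
        basedn          = "dc=removed"
        filter          = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
}

# radiusd.conf: compute the MS-CHAP response over the bare user name in
# both places it is configured. The log above shows the inner
# mschapv2 sub-type still at "no" while the outer mschap module is "yes".
mschap {
        with_ntdomain_hack = yes
}

eap {
        default_eap_type = peap
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
                with_ntdomain_hack = yes
        }
}

# authorize order: ntdomain must run before ldap so Stripped-User-Name
# exists when the ldap filter is expanded.
authorize {
        preprocess
        chap
        ntdomain
        eap
        ldap
}
```

Run radiusd in debug mode (radiusd -X) after the change and look for rlm_realm reporting that it found realm "MYDOMAIN" and for the rlm_ldap filter line expanding to the bare user name. This only fixes the user lookup; the inner MS-CHAPv2 exchange still needs an NT-Password (or an ntlm_auth helper, shown as "(null)" in the log above), which an LDAP search against a directory that does not expose password hashes will not provide.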