Alan,
.-- My secret spy satellite informs me that at 6-12-2004 21:06 Alan DeKok wrote:
Well, I'm not stripping it on the first RADIUS server; the second RADIUS server is doing this.
rlm_realm: Looking up realm "test.nl" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "test.nl"
rlm_realm: Adding Stripped-User-Name = "test"
> Why are you stripping the username AGAIN? I thought you said you
> weren't stripping it.
supplicant > radius-server1 > radius-server2
The username arrives as [EMAIL PROTECTED] at radius-server2.
It then sees that the realm test.nl is local and strips the username, which I think is good, because the user is locally known as test. Right?
On radius-server2 the users file and proxy.conf look like this:
<users file>
test    User-Password == "test"
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802,
        Tunnel-Private-Group-Id:1 = 207
</users file>

<proxy.conf>
realm LOCAL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}
realm NULL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}
realm test.nl {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}
</proxy.conf>
> Don't strip the username. Doing so will break EAP, and MS-CHAP, as
> you are discovering.
But how should I fix this? Users are known as "test" and not as [EMAIL PROTECTED].
I found out TTLS with MS-CHAPv2 also fails. TTLS with PAP or MS-CHAPv1 does work.
Also, with radtest on radius-server1 it does work:
achilles:/home/andree/freeradius/etc/raddb# ../../bin/radtest [EMAIL PROTECTED] test localhost 0 testing123
Sending Access-Request of id 168 to 127.0.0.1:1812
User-Name = "[EMAIL PROTECTED]"
User-Password = "test"
NAS-IP-Address = achilles
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=168, length=38
Tunnel-Type:1 = VLAN
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Private-Group-Id:1 = "207"
So it seems an MS-CHAPv2-specific problem. Log:
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 1
rlm_realm: Looking up realm "test.nl" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "test.nl"
rlm_realm: Adding Stripped-User-Name = "test"
rlm_realm: Proxying request from user test to realm test.nl
rlm_realm: Adding Realm = "test.nl"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 1
users: Matched test at 1
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 1
modcall: group Auth-Type returns reject for request 1
auth: Failed to validate the user.
Why do other authentication methods work, and how can I make PEAP work?
Thanks, - Andree
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
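An added illustration of why stripping the realm breaks MS-CHAPv2 verification (this is editor-added code, not part of the thread and not FreeRADIUS code): RFC 2759's ChallengeHash() feeds the user name into the 8-byte challenge that the NT-Response is built from, so a server that hashes the stripped name "test" cannot match a response the peer computed over "test@test.nl". It assumes the peer hashed the full identity it sent; the challenge bytes are constructed sample values.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: SHA-1 over PeerChallenge ||
    AuthenticatorChallenge || UserName, truncated to 8 bytes. The peer encrypts
    this value under keys derived from its NT password hash to form NT-Response,
    so the server must hash exactly the same name to reproduce the expected value."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def split_realm(user_name: str):
    """Mimics what rlm_realm does: 'user@realm' -> (stripped name, realm).
    The stripped name is fine for the local users-file lookup; it is not the
    name to feed into challenge_hash()."""
    if "@" not in user_name:
        return user_name, None
    stripped, realm = user_name.rsplit("@", 1)
    return stripped, realm


def server_can_verify(peer_challenge, auth_challenge, sent_name, verify_name):
    """True only when the server's 8-byte challenge equals the one the peer used,
    i.e. when the server hashes the name the peer actually sent (assumption)."""
    return challenge_hash(peer_challenge, auth_challenge, sent_name) == \
        challenge_hash(peer_challenge, auth_challenge, verify_name)


# Constructed sample challenges (16 bytes each, not captured values).
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))
SENT_NAME = "test@test.nl"  # identity as the supplicant sent it


def demo():
    stripped, realm = split_realm(SENT_NAME)  # "test" for the users-file lookup
    return {
        "stripped": stripped,
        "realm": realm,
        "verify_with_full_name": server_can_verify(PEER_CHALLENGE, AUTH_CHALLENGE, SENT_NAME, SENT_NAME),
        "verify_with_stripped_name": server_can_verify(PEER_CHALLENGE, AUTH_CHALLENGE, SENT_NAME, stripped),
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway matches Alan's advice: keep Stripped-User-Name for looking up the local entry, but let the MS-CHAPv2 check use the name the peer sent.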