[EMAIL PROTECTED] wrote:

robiwan: Okay, here is the complete output from my radiusd when user roka does a
request.
Sorry, it's huge.

rad_recv: Access-Request packet from host 10.187.0.15:1645, id=231, length=137
        NAS-IP-Address = 10.187.0.15
        NAS-Port = 50103
        NAS-Port-Type = Ethernet
        User-Name = "WINLAB\\roka"
        Called-Station-Id = "00-14-69-5B-8B-03"
        Calling-Station-Id = "00-0B-5D-84-AE-CA"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000100157494e4c41425c726f6b61
        Message-Authenticator = 0x58539e67c56f220589cf69d3485c493d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 16
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 185
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0

It should be obvious what's happening here. The "files" module is only matching a DEFAULT entry. This is because your username is DOMAIN\user. DOMAIN\user != user.

Either do this to break the user into realm+user:

authorize {
  preprocess
  ntdomain
  mschap
  eap
  files
}

...and this in proxy.conf:

realm WINLAB {
  type = radius
  authhost = LOCAL
  accthost = LOCAL
  strip
}

OR edit your "users" to read:

WINLAB\\roka The-Stuff-Here := whatever

peap {
  default_eap_type = mschapv2
  copy_request_to_tunnel = yes
  use_tunneled_reply = yes
  proxy_tunneled_request_as_eap = no
}


You may not in fact need these if this was the problem, though I always enable them since if you later on start matching on other attributes (e.g. SSID, etc.) they need to be copied to/from the inner tunnel.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

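As an added example (not from the mailing-list post or the FreeRADIUS source), the following Python decodes the EAP-Message attribute from the debug output above to show the identity the supplicant actually sent, then applies ntdomain-style realm splitting (format = prefix, delimiter "\") to show why the unstripped name only reaches the DEFAULT entry while the stripped name matches a per-user entry. The users-file table is constructed for illustration; the realm-splitting and lookup functions are simplified models of rlm_realm and rlm_files, not their real code.

```python
from __future__ import annotations
import struct
from typing import Optional

# Hex payload copied from the EAP-Message attribute in the debug output above.
EAP_MESSAGE_HEX = "020000100157494e4c41425c726f6b61"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_eap_message(raw: bytes) -> dict:
    """Decode an EAP packet header (RFC 3748) and the identity of an Identity packet."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != attribute size {len(raw)}")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # Request/Response carry a Type byte
        if length < 5:
            raise ValueError("EAP Request/Response without a Type byte")
        pkt["type"] = raw[4]
        if raw[4] == EAP_TYPE_IDENTITY:
            pkt["identity"] = raw[5:length].decode("utf-8")
    return pkt


def split_ntdomain(user_name: str, strip: bool = True) -> tuple[Optional[str], str]:
    """Model of rlm_realm configured as ntdomain: realm before the first backslash."""
    realm, sep, user = user_name.partition("\\")
    if not sep:
        return None, user_name          # no realm found, name untouched
    return realm, (user if strip else user_name)


# Constructed users-file model: (name-to-match, description). A real users file
# would write the first name as WINLAB\\roka so the backslash is escaped.
USERS_FILE = [
    ("roka", "per-user entry for roka"),
    ("DEFAULT", "DEFAULT entry (line 185 in the log)"),
]


def lookup_users_entry(user_name: str, users_file=USERS_FILE) -> str:
    """Model of rlm_files: first entry whose name equals User-Name, or DEFAULT."""
    for name, description in users_file:
        if name == "DEFAULT" or name == user_name:
            return description
    return "no match"
```

With the attribute above, `parse_eap_message` yields a Response, id 0, length 16 carrying identity `WINLAB\roka`; unstripped, that name falls through to DEFAULT, while `split_ntdomain` with strip enabled hands `roka` to the lookup and hits the per-user entry.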