On Sun, 2008-11-23 at 02:59 -0600, Alan DeKok wrote:
> Craig White wrote:
> > OK - that quiets the notification but I still can't figure out the issue
> > where I can authenticate RRAS, Macintosh and iPod clients against radius
> > via LDAP using mschapv2 but even with the certificates on Windows XP
> > clients, with the 'xpextensions' they always try to authenticate as
> > 'uid=anonymous' and never ask me for name/password credentials to supply
> > for authentication.
>
> Then the supplicant is misconfigured.
>
> > While I probably would agree that the certificates should be enough and
> > not need the user/password authentication, I can't figure out how to
> > tell radiusd to accept those with the certificates.
>
> No. PEAP does MS-CHAP for username/passwd authentication. If you
> want authentication via client certs, use TLS.
>
> > Either way I would be happy...getting windows clients to provide
> > username/password or getting radius to accept a client with the
> > certificate.
>
> There's something else in your windows configuration that is making it
> *not* ask you for the username/password. Maybe it's cached in the registry.
----
HLCU\Software\Microsoft doesn't even have an EAPOL entry at all.

fixed the cert issue but still it's trying to authenticate as anonymous ;-(

I realize that freeradius has little control over the supplicant but I'm
wondering if it's something in my setup of tls that the authentication
should/shouldn't be part of the tunnel because it just assumes a login
of anonymous instead of the Windows User/Password or never asks me for a
User/Password...

rad_recv: Access-Request packet from host 192.168.1.250:2054, id=168, length=161
        User-Name = "anonymous"
        NAS-IP-Address = 192.168.1.250
        NAS-Port = 0
        Called-Station-Id = "00-21-29-E3-D1-84"
        Calling-Station-Id = "00-04-23-62-BD-3D"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x026300061900
        State = 0x7de5407f2f55958f61578bc598c219a9
        Message-Authenticator = 0x0682bd2213fba7b19656a91ac1454267
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 46
modcall[authorize]: module "preprocess" returns ok for request 46
modcall[authorize]: module "chap" returns noop for request 46
modcall[authorize]: module "mschap" returns noop for request 46
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 46
rlm_eap: EAP packet type response id 99 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 46
users: Matched entry DEFAULT at line 156
modcall[authorize]: module "files" returns ok for request 46
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat: '(uid=anonymous)'
radius_xlat: 'ou=People,ou=Accounts,o=MyOrg'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,ou=Accounts,o=MyOrg, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 46
modcall: leaving group authorize (returns updated) for request 46
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 46
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 46
modcall: leaving group authenticate (returns handled) for request 46
Sending Access-Challenge of id 168 to 192.168.1.250 port 2054
        EAP-Message = 0x7f47f869ba7025d999bf4a37469dd40ec3cc
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x28ab70e596615ccdfa8d83b1787bc31e

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html