On 05/20/2011 10:33 PM, Mark Jones wrote:
Here is the latest debug... I'm not sure what to try next.

Latest debug... ok, what has changed?


rad_recv: Access-Request packet from host 10.152.0.100 port 32819,
id=186, length=216
NAS-IP-Address = 10.152.0.100
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
User-Name = "host/TEST-11501.hpsd48.ab.ca"
Calling-Station-Id = "00265EE9B2CA"
Called-Station-Id = "000B86611894"
MS-CHAP-Challenge = 0xa389f8f8a19c2761c3f31128115bac7f
MS-CHAP2-Response =
0x0800afc6531b8f43785e186a0578c795c13b00000000000000005f4828b8f016c112e3e453505d0c203f7172ad8a40f17c02
Service-Type = Login-User
Aruba-Essid-Name = "HPSD_RAD2"
Aruba-Location-Id = "Tech 01"

This is still a plain MSCHAP request, indicating that the Aruba equipment is still terminating the PEAP itself, and translating the EAP-MSCHAP to plain MSCHAP. As per my previous emails, I recommend you change this.

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name =
"host/TEST-11501.hpsd48.ab.ca", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for host/TEST-11501.hpsd48.ab.ca

So this is a full host/name.domain.com now - what did you change?

[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TEST-11501$)
[ldap] expand: o=hpsd_48 -> o=hpsd_48
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 172.17.152.4:636, authentication 0
[ldap] setting TLS mode to 1
[ldap] bind as cn=admin,o=hpsd_48/xxxxxx to 172.17.152.4:636
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in o=hpsd_48, with filter (uid=TEST-11501$)
[ldap] Added the eDirectory password xxxxxx in check items as
Cleartext-Password

Ok, you're using Novell eDir here? Are you using DSFW?

I know almost nothing about Novell, but a recent poster to the list was using eDir and DSFW, and he suggested that you need to:

 1. use LDAP/eDir for users
 2. use Samba/ntlm_auth for machines

See here:

https://lists.freeradius.org/pipermail/freeradius-users/2011-May/msg00069.html

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user host/TEST-11501.hpsd48.ab.ca authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/TEST-11501.hpsd48.ab.ca
[mschap] Told to do MS-CHAPv2 for host/TEST-11501.hpsd48.ab.ca with
NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect

Again, only three possible choices:

 1. The client is sending the wrong data (i.e. password - unlikely)
 2. The server is using the wrong data (i.e. password from LDAP is incorrect)
 3. Something is fiddling with the data in-flight (e.g. Aruba messing with the EAP)
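A small triage script, added here and not part of the thread or of FreeRADIUS itself: it parses the attribute lines of a radiusd -X request dump, tells an EAP request apart from the plain MS-CHAP one quoted above, and mirrors the host/ rewrite that the %{mschap:User-Name} expansion shows (only that case is handled; the sample input is a constructed copy of the request above with the response value shortened).

```python
import re

# Constructed sample: the Access-Request dump quoted above (MS-CHAP2-Response shortened).
SAMPLE_REQUEST = """\
rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=186, length=216
NAS-Port-Type = Wireless-802.11
User-Name = "host/TEST-11501.hpsd48.ab.ca"
MS-CHAP-Challenge = 0xa389f8f8a19c2761c3f31128115bac7f
MS-CHAP2-Response = 0x0800afc6531b8f43785e186a0578c795c13b
"""

def parse_attributes(debug_text):
    """Collect 'Attribute = value' pairs from a radiusd -X request dump."""
    attrs = {}
    for line in debug_text.splitlines():
        m = re.match(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.+?)\s*$', line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def classify_request(attrs):
    """Return (auth_mode, is_machine_account) for a quick triage summary."""
    if 'EAP-Message' in attrs:
        mode = 'eap'           # the supplicant's EAP reaches radiusd; NAS is pass-through
    elif 'MS-CHAP-Challenge' in attrs and (
            'MS-CHAP-Response' in attrs or 'MS-CHAP2-Response' in attrs):
        mode = 'plain-mschap'  # NAS terminated PEAP and re-sent the inner MS-CHAP itself
    elif 'User-Password' in attrs:
        mode = 'pap'
    else:
        mode = 'unknown'
    return mode, attrs.get('User-Name', '').startswith('host/')

def mschap_user_name(user_name):
    """host/NAME.domain -> NAME$, as the %{mschap:User-Name} expansion above shows."""
    if user_name.startswith('host/'):
        return user_name[len('host/'):].split('.', 1)[0] + '$'
    return user_name

def triage(debug_text):
    """Findings in the order a list reply would raise them."""
    attrs = parse_attributes(debug_text)
    mode, is_machine = classify_request(attrs)
    notes = []
    if mode == 'plain-mschap' and attrs.get('NAS-Port-Type') == 'Wireless-802.11':
        notes.append('wireless NAS terminates EAP and sends plain MS-CHAP; let radiusd do PEAP')
    if is_machine:
        notes.append('machine account; LDAP filter becomes uid=' + mschap_user_name(attrs['User-Name']))
    return notes
```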
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
