I have installed PF 2.2.0 on a CentOS 5.6 server to test wireless
authentication against Active Directory. I have installed Samba and
Winbind, and can manually enter the ntlm_auth command to verify users. I
have configured FreeRADIUS per the Admin guide, but authentication
fails. I temporarily removed the PF settings from FreeRADIUS and it will
successfully authenticate users. Starting radiusd in debug mode, it
seems like the username is getting mangled when passed to EAP. I've
copied the pertinent part of the log, but can provide more if needed.
Can anyone help me?

+- entering group authorize {...}
[ntdomain] Looking up realm "OG" for User-Name = "OG\tom"
[ntdomain] Found realm "OG"
[ntdomain] Adding Realm = "OG"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
++[preprocess] returns ok
[eap] EAP packet type response id 2 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Calling-Station-Id = 0090.4b78.9270
rlm_perl: Added pair Called-Station-Id = 0022.90b3.9501
rlm_perl: Added pair Message-Authenticator = 0x4ee87ab12cc6ae6f53c0cb6c7ee93d5b
rlm_perl: Added pair User-Name = OG\\tom
rlm_perl: Added pair NAS-Identifier = ap
rlm_perl: Added pair EAP-Message = 0x0202000b014f475c746f6d
rlm_perl: Added pair Realm = OG
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = x.x.x.x
rlm_perl: Added pair NAS-Port = 79397
rlm_perl: Added pair NAS-Port-Id = 79397
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [OG\\\tom/<via Auth-Type = EAP>] (from client Cisco port 79397 cli 0090.4b78.9270)
} # server packetfence
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> OG\     omm
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
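
A diagnostic sketch for the "Identity does not match User-Name" line in the log above, added here as an example and not part of the original post or of PacketFence/FreeRADIUS: it decodes the logged EAP-Message using the RFC 3748 packet layout and compares the embedded identity with the User-Name strings exactly as they are printed in the log. The function names are hypothetical, and whether the doubled backslash in the rlm_perl line is the real attribute value or only log escaping is an open assumption.

```python
import struct

# Values copied verbatim from the debug log above.
EAP_MESSAGE_HEX = "0x0202000b014f475c746f6d"
NTDOMAIN_USER_NAME = r"OG\tom"    # as printed by [ntdomain]
RLM_PERL_USER_NAME = r"OG\\tom"   # as printed by rlm_perl (may be log escaping)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_eap(hex_value):
    """Parse an EAP packet (RFC 3748 layout) from a 0x-prefixed hex string."""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(digits)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    packet = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:   # only Request/Response carry a type
        packet["type"] = raw[4]
        packet["data"] = raw[5:]
    return packet


def compare_identity(hex_value, user_name):
    """Return (identity, matches) for an EAP Identity packet vs. a User-Name."""
    packet = parse_eap(hex_value)
    if packet.get("type") != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Identity packet")
    identity = packet["data"].decode("utf-8", errors="backslashreplace")
    return identity, identity == user_name


if __name__ == "__main__":
    print(parse_eap(EAP_MESSAGE_HEX))
    for label, name in (("ntdomain", NTDOMAIN_USER_NAME),
                        ("rlm_perl", RLM_PERL_USER_NAME)):
        identity, ok = compare_identity(EAP_MESSAGE_HEX, name)
        print(f"{label}: User-Name={name!r} identity={identity!r} match={ok}")
```

The packet itself carries byte 0x5c followed by 0x74 (a backslash and the letter t, no tab byte), so the identity on the wire equals the User-Name that [ntdomain] saw and differs from the doubled-backslash string in the rlm_perl lines.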
 

 