Tom,
The error you are seeing is because the User-Name attribute changes
between the authorize and the authenticate section, and EAP does not
like that at all. Normally, without a realm, FR should NOT touch the
username and leave it OG\\tom. With a realm, it should strip the
User-Name to tom and have a variable Realm set to OG, unless you have
nostrip in the realm configuration.
I diffed the default versus the packetfence virtual server, and the only
thing that changes is the ntdomain being commented in the default
virtual server (and pages of comments).
Can you give me the entire RADIUS debug log? I am wondering if I am
looking at the wrong place.
Thanks.
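To make the diagnosis above checkable offline, here is an added example (not code from the thread, from PacketFence or from FreeRADIUS): it decodes the EAP-Message value printed in Tom's debug log into the EAP Identity, applies a simplified emulation of the ntdomain realm split (DOMAIN\user, stripped unless nostrip is set), and reports whether the username the authenticate section would see still equals the EAP Identity. The realm split and the nostrip handling are assumptions that mirror only the behaviour described in this thread; LOCAL versus proxied realms are not modelled.

```python
# Added example (not from the thread or from PacketFence/FreeRADIUS): a small
# emulation of the two steps visible in the quoted debug log, so the
# "Identity does not match User-Name" failure can be reproduced from the
# logged values without a running radiusd.

EAP_CODE_RESPONSE = 2   # EAP Code field: 2 = Response (RFC 3748)
EAP_TYPE_IDENTITY = 1   # EAP Type field: 1 = Identity


def decode_eap_identity(eap_message_hex):
    """Parse the EAP-Message attribute as FreeRADIUS prints it ("0x...") and
    return the identity string carried in an EAP Identity Response."""
    hexstr = eap_message_hex[2:] if eap_message_hex.startswith("0x") else eap_message_hex
    pkt = bytes.fromhex(hexstr)
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, _eap_id, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError("EAP length field %d != %d bytes present" % (length, len(pkt)))
    if code != EAP_CODE_RESPONSE or pkt[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Identity Response")
    return pkt[5:].decode("ascii")


def split_ntdomain(user_name):
    """Emulate the ntdomain realm format (DOMAIN\\user): return (realm, stripped
    user), or (None, user_name) when there is no backslash.
    Simplified assumption for this example; not rlm_realm itself."""
    realm, sep, user = user_name.partition("\\")
    if not sep:
        return (None, user_name)
    return (realm, user)


def username_seen_by_eap(user_name, nostrip=False):
    """Username the authenticate section sees after the ntdomain module ran in
    authorize: with a matching realm and no 'nostrip', the prefix is stripped."""
    realm, stripped = split_ntdomain(user_name)
    if realm is None or nostrip:
        return user_name
    return stripped


def check_identity(eap_message_hex, user_name, nostrip=False):
    """Return (eap_identity, effective_user_name, matches).  A False third
    element is the condition the eap module complains about in the log."""
    identity = decode_eap_identity(eap_message_hex)
    effective = username_seen_by_eap(user_name, nostrip)
    return (identity, effective, identity == effective)


if __name__ == "__main__":
    # Values copied from the debug log quoted further down in this thread.
    eap_msg = "0x0202000b014f475c746f6d"
    user_name = "OG\\tom"
    for nostrip in (False, True):
        ident, eff, ok = check_identity(eap_msg, user_name, nostrip)
        print("nostrip=%-5s identity=%r user_name=%r match=%s" % (nostrip, ident, eff, ok))
```

Running it shows the EAP Identity is "OG\tom" (the 0x4f475c746f6d bytes), which only matches the username once the realm is left unstripped, i.e. the situation Francois describes.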
On 11-08-15 8:29 PM, Tom Fischer wrote:
Sorry, lost my remote connection. Won't be able to test until
tomorrow. But I had started off with no realm. I thought the
FreeRADIUS was broken. I could see that FR was only trying suffix for
the username check, so I added ntdomain to get it to resolve
correctly. In troubleshooting I also tried nostrip on and off. Finally
tried FR as standalone and that worked fine. Tried uninstall and
re-install of packetfence complete package without success. Any other
files I can attach for review in the meantime?
------------------------------------------------------------------------
*From:* Francois Gaudreault [mailto:[email protected]]
*Sent:* Monday, August 15, 2011 6:06 PM
*To:* [email protected]
*Subject:* Re: [Packetfence-users] 802.1x wireless username corruption
Tom,
And if you uncomment the nostrip? If you remove the realm
definition? Our configuration has been tested against AD usernames,
so it should work.
On 11-08-15 6:42 PM, Tom Fischer wrote:
Sorry, still the same. Thanks for the help so far, BTW.
------------------------------------------------------------------------
*From:* Francois Gaudreault [mailto:[email protected]]
*Sent:* Monday, August 15, 2011 5:37 PM
*To:* [email protected]
*Subject:* Re: [Packetfence-users] 802.1x wireless username corruption
And what if you comment ntdomain in the packetfence and
packetfence-tunnel virtual servers?
On 11-08-15 6:27 PM, Tom Fischer wrote:
I did have an OG realm set to LOCAL. I commented out the LOCAL and it
still fails the same way.
realm OG {
#authhost = LOCAL
#accthost = LOCAL
#nostrip
}
------------------------------------------------------------------------
*From:* Francois Gaudreault [mailto:[email protected]]
*Sent:* Monday, August 15, 2011 5:19 PM
*To:* [email protected]
*Subject:* Re: [Packetfence-users] 802.1x wireless username corruption
Tom,
Can you add your realm to proxy.conf like the following:
realm OG {
}
Let me know if it fixes the issue.
On 11-08-15 3:09 PM, Tom Fischer wrote:
I have installed PF 2.2.0 on a Centos 5.6 server to test
wireless authentication against Active Directory. I have installed
Samba and Winbind, and can manually enter the ntlm_auth command to
verify users. I have configured FreeRadius per the Admin guide, but
authentication fails. I temporarily removed the PF settings from
FreeRadius and it will successfully authenticate users. Starting
radiusd in debug mode, it seems like the username is getting
mangled when passed to EAP. I've copied the pertinent part of the
log, but can provide more if needed.
Can anyone help me?
+- entering group authorize {...}
[ntdomain] Looking up realm "OG" for User-Name = "OG\tom"
[ntdomain] Found realm "OG"
[ntdomain] Adding Realm = "OG"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
++[preprocess] returns ok
[eap] EAP packet type response id 2 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Calling-Station-Id = 0090.4b78.9270
rlm_perl: Added pair Called-Station-Id = 0022.90b3.9501
rlm_perl: Added pair Message-Authenticator =
0x4ee87ab12cc6ae6f53c0cb6c7ee93d5b
rlm_perl: Added pair User-Name = OG\\tom
rlm_perl: Added pair NAS-Identifier = ap
rlm_perl: Added pair EAP-Message = 0x0202000b014f475c746f6d
rlm_perl: Added pair Realm = OG
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = x.x.x.x
rlm_perl: Added pair NAS-Port = 79397
rlm_perl: Added pair NAS-Port-Id = 79397
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [OG\\\tom/<via Auth-Type = EAP>] (from client
Cisco port 79397 cli 0090.4b78.9270)
} # server packetfence
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> OG\ omm
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
------------------------------------------------------------------------------
uberSVN's rich system and user administration capabilities and model
configuration take the hassle out of deploying and managing Subversion and
the tools developers use with it. Learn more about uberSVN and get a free
download at: http://p.sf.net/sfu/wandisco-dev2dev
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)