I'm just trying different combinations at this point. But if I set with_ntdomain_hack=yes in preprocess, it still fails the EAP, but the user name is tom instead of OG\ omm. Does that mean that preprocess is mangling the username?
________________________________
From: Francois Gaudreault [mailto:[email protected]]
Sent: Tuesday, August 16, 2011 2:43 PM
To: [email protected]
Subject: Re: [Packetfence-users] 802.1x wireless username corruption

Tom,

Is with_ntdomain_hack set to no in your preprocess module? Is with_ntdomain_hack set to yes in the mschap module?

On 11-08-16 11:00 AM, Tom Fischer wrote:
I've attached the log. I made sure that the realm is commented out as well as ntdomain.

________________________________
From: Francois Gaudreault [mailto:[email protected]]
Sent: Tuesday, August 16, 2011 7:49 AM
To: [email protected]
Subject: Re: [Packetfence-users] 802.1x wireless username corruption

Tom,

The error you are seeing is because the User-Name attribute changes between the authorize and the authenticate section, and EAP does not like that at all. Normally, without a realm, FR should NOT touch the username and leave it OG\\tom. With a realm, it should strip the User-Name to tom and have a variable Realm set to OG, unless you have nostrip in the realm configuration.

I diffed the default versus the packetfence virtual server, and the only thing that changes is the ntdomain being commented in the default virtual server (and pages of comments).

Can you give me the entire RADIUS debug log? I am wondering if I am looking at the wrong place.

Thanks.

On 11-08-15 8:29 PM, Tom Fischer wrote:
Sorry, lost my remote connection. Won't be able to test until tomorrow. But I had started off with no realm. I thought the Freeradius was broken. I could see that FR was only trying suffix for the username check, so I added ntdomain to get it to resolve correctly. In troubleshooting I also tried nostrip on and off. Finally tried FR as standalone and that worked fine. Tried uninstall and re-install of the packetfence complete package without success. Any other files I can attach for review in the meantime?
________________________________
From: Francois Gaudreault [mailto:[email protected]]
Sent: Monday, August 15, 2011 6:06 PM
To: [email protected]
Subject: Re: [Packetfence-users] 802.1x wireless username corruption

Tom,

And if you uncomment the nostrip? If you remove the realm definition? Our configuration has been tested against AD usernames, so it should work.

On 11-08-15 6:42 PM, Tom Fischer wrote:
Sorry, still the same. Thanks for the help so far, BTW.

________________________________
From: Francois Gaudreault [mailto:[email protected]]
Sent: Monday, August 15, 2011 5:37 PM
To: [email protected]
Subject: Re: [Packetfence-users] 802.1x wireless username corruption

And what if you comment ntdomain in the packetfence and packetfence-tunnel virtual servers?

On 11-08-15 6:27 PM, Tom Fischer wrote:
I did have an OG realm set to LOCAL. I commented out the LOCAL and it still fails the same way.

realm OG {
        # authhost = LOCAL
        # accthost = LOCAL
        # nostrip
}

________________________________
From: Francois Gaudreault [mailto:[email protected]]
Sent: Monday, August 15, 2011 5:19 PM
To: [email protected]
Subject: Re: [Packetfence-users] 802.1x wireless username corruption

Tom,

Can you add your realm to proxy.conf like the following:

realm OG {
}

Let me know if it fixes the issue.

On 11-08-15 3:09 PM, Tom Fischer wrote:
I have installed PF 2.2.0 on a CentOS 5.6 server to test wireless authentication against Active Directory. I have installed Samba and Winbind, and can manually enter the ntlm_auth command to verify users. I have configured FreeRadius per the Admin guide, but authentication fails. I temporarily removed the PF settings from FreeRadius and it will successfully authenticate users. Starting radiusd in debug mode, it seems like the username is getting mangled when passed to EAP. I've copied the pertinent part of the log, but can provide more if needed. Can anyone help me?
+- entering group authorize {...}
[ntdomain] Looking up realm "OG" for User-Name = "OG\tom"
[ntdomain] Found realm "OG"
[ntdomain] Adding Realm = "OG"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
++[preprocess] returns ok
[eap] EAP packet type response id 2 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Calling-Station-Id = 0090.4b78.9270
rlm_perl: Added pair Called-Station-Id = 0022.90b3.9501
rlm_perl: Added pair Message-Authenticator = 0x4ee87ab12cc6ae6f53c0cb6c7ee93d5b
rlm_perl: Added pair User-Name = OG\\tom
rlm_perl: Added pair NAS-Identifier = ap
rlm_perl: Added pair EAP-Message = 0x0202000b014f475c746f6d
rlm_perl: Added pair Realm = OG
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = x.x.x.x
rlm_perl: Added pair NAS-Port = 79397
rlm_perl: Added pair NAS-Port-Id = 79397
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [OG\\\tom/<via Auth-Type = EAP>] (from client Cisco port 79397 cli 0090.4b78.9270)
} # server packetfence
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> OG\ omm
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

------------------------------------------------------------------------------
uberSVN's rich system and user administration capabilities and model configuration take the hassle out of deploying and managing Subversion and the tools developers use with it. Learn more about uberSVN and get a free download at: http://p.sf.net/sfu/wandisco-dev2dev
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
------------------------------------------------------------------------------ Get a FREE DOWNLOAD! and learn more about uberSVN rich system, user administration capabilities and model configuration. Take the hassle out of deploying and managing Subversion and the tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
_______________________________________________ Packetfence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
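Added example (Python, written for this thread; it is not code from the thread, from PacketFence or from FreeRADIUS). It decodes the EAP-Message attribute printed in the debug log above (0x0202000b014f475c746f6d) to recover the identity the supplicant actually sent, models in simplified form the ntdomain realm split that Francois describes (prefix realm, backslash delimiter, with and without nostrip; the ntdomain_split function and its nostrip flag are an assumption-based model of rlm_realm, not its implementation), and applies the consistency check the log reports as "[eap] Identity does not match User-Name". Running it shows that the identity in the packet is OG\tom, that the stripped form tom and the doubled-backslash form OG\\tom (the spelling printed in the rlm_perl line) both fail that check, and that only the unchanged string passes.

```python
# Added example; not code from the thread, PacketFence or FreeRADIUS.
# It decodes the EAP-Message from the debug log, models the ntdomain realm
# split, and applies the EAP identity-vs-User-Name consistency check.

from dataclasses import dataclass
from typing import Optional

EAP_CODE_RESPONSE = 2   # RFC 3748 code for an EAP Response
EAP_TYPE_IDENTITY = 1   # RFC 3748 type for Identity


def parse_eap_identity(eap_message_hex: str) -> str:
    """Decode an EAP-Response/Identity carried in a RADIUS EAP-Message.

    Layout (RFC 3748): code(1) id(1) length(2, big-endian) type(1) identity.
    """
    hexstr = eap_message_hex[2:] if eap_message_hex.startswith("0x") else eap_message_hex
    raw = bytes.fromhex(hexstr)
    if len(raw) < 5:
        raise ValueError("EAP packet shorter than its 5-byte header")
    code, length, eap_type = raw[0], int.from_bytes(raw[2:4], "big"), raw[4]
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes")
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    return raw[5:].decode("utf-8")


@dataclass
class RealmResult:
    realm: Optional[str]   # value that would go into the Realm attribute
    user_name: str         # User-Name as later modules would see it
    stripped: bool


def ntdomain_split(user_name: str, realms: set, nostrip: bool = False) -> RealmResult:
    """Simplified model (assumption) of an ntdomain realm: prefix realm, "\\" delimiter.

    `realms` is the set of realm names defined in proxy.conf; an unknown
    prefix is left alone. nostrip keeps the full "DOMAIN\\user" in User-Name.
    """
    if "\\" not in user_name:
        return RealmResult(None, user_name, False)
    realm, user = user_name.split("\\", 1)
    if realm not in realms:
        return RealmResult(None, user_name, False)
    if nostrip:
        return RealmResult(realm, user_name, False)
    return RealmResult(realm, user, True)


def eap_identity_matches(user_name: str, eap_message_hex: str) -> bool:
    """The check whose failure the log reports as
    '[eap] Identity does not match User-Name'."""
    return parse_eap_identity(eap_message_hex) == user_name


# Values copied from the debug log in the thread.
LOG_EAP_MESSAGE = "0x0202000b014f475c746f6d"
LOG_USER_NAME = "OG\\tom"   # single backslash, as the ntdomain line prints it


def explain(user_name: str) -> str:
    """Describe, for one candidate User-Name, whether EAP would accept it."""
    ident = parse_eap_identity(LOG_EAP_MESSAGE)
    verdict = "match" if ident == user_name else "MISMATCH"
    return f"User-Name={user_name!r} EAP-Identity={ident!r} -> {verdict}"


if __name__ == "__main__":
    print(explain(LOG_USER_NAME))                                   # untouched: match
    print(explain(ntdomain_split(LOG_USER_NAME, {"OG"}).user_name))  # stripped to tom: MISMATCH
    print(explain(ntdomain_split(LOG_USER_NAME, {"OG"}, nostrip=True).user_name))  # nostrip: match
    print(explain("OG\\\\tom"))                                     # doubled backslash: MISMATCH
```

The practical reading: whatever rewrites User-Name between authorize and authenticate (realm stripping, a re-added pair with a differently escaped backslash) must leave the exact byte string the supplicant put in the EAP Identity, or the EAP handler rejects the conversation before any ntlm_auth lookup happens.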
