Re: NT domain names and SQL authentication

2005-04-12 Thread Diego M. Vadell
Thank you Jim! Interesting thread. Although it doesn't entirely solve my 
problem, I think I'm getting near.

 -- Diego.

On Monday 11 April 2005 23:34, Jim Seymour wrote:
> Diego M. Vadell [EMAIL PROTECTED] wrote:
> > Hi,
> >   I've been fighting my ignorance for a week now. I'm trying to set up
> > FreeRadius with a Windows XP SP2 supplicant with mschap2 thru an
> > Orinoco access point.
> > I would like to use the username and password of the NT domain, but the
> > only way I can get logged in is making XP ask me for the credentials.
> > So to make it work, I add a line in users:
>
> [snip]
>
> Go to this link:
>
> http://lists.freeradius.org/archives/freeradius-users/2005/03/frm00948.html
>
> And follow the thread by clicking Next under Thread Links in the
> upper left.  That may get you what you want.
>
> Jim

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


MSCHAP

2005-04-12 Thread Diego M. Vadell
Hi,
   I've been thinking about this and have another question: I noticed that in 
the authorize sections there is a lot of SQL activity, but in the 
authenticate section, none. That's where mschap should compare the password 
from the network with the password in the SQL. Where can I tell mschap to go 
read the sql for the password? I planned to use dialupadmin to store 
everything in mysql, so shouldn't mschap ask for the password from it?

  I looked at rlm_mschap.c and found in mschap_authenticate() :
 *  We will try to find out password in configuration
 *  or in configured passwd file.

So it seems I will have to store the password in the users file. But what's 
the point of dialupadmin storing User-Password := password in MySQL? 
What's the idea of dialupadmin? How do I have to set up FreeRADIUS in order to 
use dialupadmin to create the users? Or was it thought to make only one part 
of the users' creation?

Sorry for my English.

Thanks in advance,
 -- Diego

--  Forwarded Message  --

Subject: NT domain names and SQL authentication
Date: Monday 11 April 2005 22:59
From: Diego M. Vadell [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org

Hi,
  I've been fighting my ignorance for a week now. I'm trying to set up
FreeRadius with a Windows XP SP2 supplicant with mschap2 thru an
Orinoco access point.
I would like to use the username and password of the NT domain, but the
only way I can get logged in is making XP ask me for the credentials.
So to make it work, I add a line in users:
--8<---8<--
pirulo  User-Password == chicos
--8<---8<--

I also edited radiusd.conf and uncommented the sql lines. User pirulo
does not exist in SQL. With this setup, I can get
authenticated/authorized.

But if I add a line like my NT username in users, I can't log in. The line
looks like this:
--8<---8<--
DOMAIN\\username   User-Password == my_nt_domain_password
--8<---8<--

I write down, exactly as I did with user pirulo, DOMAIN\\username and then
the password, and it doesn't work!

Also I tried asking Windows to send my login credentials automatically,
but it didn't work.
Running radiusd in debug mode (-X) I get:

Processing the authorize section of radiusd.conf
(all the modules return either noop or ok)
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module eap returns handled for request 19
modcall: group authenticate returns handled for request 19
(everything looks fine)
Processing the authorize section of radiusd.conf (again - everything ok)

And so it goes, processing authorize and authenticate sections, until it
gives this error:

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 25
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 25
  rlm_mschap: NT Domain delimeter found, should we have enabled
with_ntdomain_hack?
  rlm_mschap: Told to do MS-CHAPv2 for DOMAIN\username with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 25
modcall: group Auth-Type returns reject for request 25
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 25
modcall: group authenticate returns reject for request 25
auth: Failed to validate the user.
Login incorrect: [DOMAIN\\username] (from client localhost port 0)
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE

And thus ends.
So, my question is: should I set an NT-Password attribute in the users file?

Thanks,
 -- Diego.


---
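
The debug output above pairs "NT Domain delimeter found, should we have enabled with_ntdomain_hack?" with "MS-CHAP2-Response is incorrect". The sketch below is an added example, not part of the thread and not FreeRADIUS code: it implements the RFC 2759 ChallengeHash() step, whose 8-octet result feeds the NT-Response calculation, and shows that a server hashing the full `DOMAIN\User` string cannot match a client that hashed only `User`, even when the password is right. The function names and the `DOMAIN\User` sample are assumptions; the two challenges and the expected hash for `User` are the RFC 2759 test vector.

```python
import hashlib

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer_challenge + auth_challenge + user_name.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]

def strip_nt_domain(user_name: str) -> str:
    """Return the part after the first backslash, or the name unchanged."""
    _, sep, rest = user_name.partition("\\")
    return rest if sep else user_name

def server_challenge(peer: bytes, auth: bytes, wire_user: str, with_ntdomain_hack: bool) -> bytes:
    """Challenge the server derives from the User-Name it received.
    with_ntdomain_hack is modelled here as 'strip DOMAIN\\ before hashing'."""
    name = strip_nt_domain(wire_user) if with_ntdomain_hack else wire_user
    return challenge_hash(peer, auth, name)

# Challenges from the RFC 2759 test vector (UserName "User").
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")

def compare(wire_user: str = "DOMAIN\\User", client_hashes: str = "User") -> dict:
    """Map each with_ntdomain_hack setting to whether the server's challenge
    equals the one the client used (assumption: client hashed the bare name)."""
    client = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, client_hashes)
    return {
        flag: server_challenge(PEER_CHALLENGE, AUTH_CHALLENGE, wire_user, flag) == client
        for flag in (False, True)
    }

if __name__ == "__main__":
    for flag, ok in compare().items():
        state = "match" if ok else "mismatch, response will be rejected"
        print(f"with_ntdomain_hack={flag}: {state}")
```

Because the NT-Response is derived from this challenge and the NT password hash, a mismatch here is indistinguishable in the log from a wrong password.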
