RE: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Robert Mc Cready
If the User-Name is being rewritten, it is not intentional.

Now, I reinstalled from scratch, saved the default configuration, joined the
server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
inner-tunnel and ran diff. I can see in the debug output of the server that
User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm


freeradius:/etc # diff -qr  raddb raddefault
Files raddb/clients.conf and raddefault/clients.conf differ
Files raddb/modules/attr_rewrite and raddefault/modules/attr_rewrite differ
Files raddb/modules/ldap and raddefault/modules/ldap differ
Files raddb/modules/mschap and raddefault/modules/mschap differ
Files raddb/sites-available/inner-tunnel and
raddefault/sites-available/inner-tunnel differ
Files raddb/sites-enabled/inner-tunnel and
raddefault/sites-enabled/inner-tunnel differ


-

freeradius:/etc # diff  raddb/clients.conf raddefault/clients.conf
206,209d205
 client 10.0.0.0/8 {
secret  = testing123
shortname   = net1
 }
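Review bot: the added `client 10.0.0.0/8` block reuses `secret = testing123`, the example secret shipped for localhost in the default clients.conf, for an entire /8. Every host in that range can then exchange RADIUS traffic with this server under a published secret; narrow the block to the controller addresses actually in use and give each client its own long random secret.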




freeradius:/etc # diff raddb/modules/attr_rewrite
raddefault/modules/attr_rewrite
32,65d31

 attr_rewrite copy.user-name {
 attribute = Stripped-User-Name
 new_attribute = yes
 searchfor = 
 searchin = packet
 replacewith = %{User-Name}
 }

 attr_rewrite remove-domain-name {
 attribute = Stripped-User-Name
 searchfor = (\.test\.local)
 searchin = packet
 new_attribute = no
 replacewith = 
 }

 attr_rewrite add-dollar-sign {
 attribute = Stripped-User-Name
 searchfor = ^(host/.*)
 searchin = packet
 new_attribute = no
 replacewith = %{1}$
 }

 attr_rewrite strip-realm-name {
 attribute = Stripped-User-Name
 new_attribute = no
 searchin = packet
 searchfor = ^(.*[\\/]+)
 replacewith = 
 max_matches = 1
 }
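Review bot: all four `attr_rewrite` instances target `Stripped-User-Name`, so none of them explains `User-Name` arriving as `CAD08862\\ldapuser`; that prefix is what the supplicant sent. `strip-realm-name` (`^(.*[\\/]+)` replaced by nothing) reimplements the `DOMAIN\user` split that the `ntdomain` realm instance listed in the inner-tunnel diff already performs, and `copy.user-name` has an empty `searchfor`. With CAD08862 declared as a LOCAL realm, as suggested later in the thread, the whole chain becomes redundant.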



--

freeradius:/etc # diff  raddb/modules/ldap  raddefault/modules/ldap
33,36c33,36
   server = 10.220.7.7
   identity = cn=tics,o=test
   password = ldappass
   basedn = o=test
---
   server = ldap.your.domain
   #identity = cn=admin,o=My Org,c=UA
   #password = mypass
   basedn = o=My Org,c=UA
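Review bot: `identity`/`password` store a bind credential in cleartext in modules/ldap; keep the file readable only by the account radiusd runs as. Since the value has now been pasted verbatim into a public list archive, it should be rotated.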
77,79c77,78
   #start_tls = no
   start_tls = yes
   port=636
---
   start_tls = no
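Review bot: `start_tls = yes` and `port=636` select two different mechanisms: StartTLS is an extended operation negotiated on the plain LDAP port (389 by default), whereas 636 is the LDAPS port that expects TLS from the first byte. Pick one and confirm in the debug output that the bind succeeds, because eDirectory will not return `nspmPassword` over an unprotected connection.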

118c117
   password_attribute = nspmPassword
---
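Review bot: `password_attribute = nspmPassword` makes rlm_ldap fetch the eDirectory Universal Password and hand it to the request as a cleartext control attribute so that mschap can verify the MS-CHAPv2 response locally. Any debug output that prints control items then contains user passwords; the debug pages linked elsewhere in this thread should be checked and scrubbed before being published.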

124c123
   edir_account_policy_check = yes
---
   edir_account_policy_check = no


--

freeradius:/etc # diff raddb/modules/mschap  raddefault/modules/mschap
37c37
   with_ntdomain_hack = yes
---

65,66c65
   #ntlm_auth = /path/to/nitlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
   ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NW2}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
---
   #ntlm_auth = /path/to/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
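Review bot: the active `ntlm_auth` line falls back to `--domain=NW2` whenever `%{mschap:NT-Domain}` is empty, so every name without a `DOMAIN\` prefix is checked against NW2 without that being visible anywhere else in the configuration; a comment next to the line documenting the hard-coded domain would help the next reader. `nitlm_auth` in the commented-out copy is a typo.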




 
freeradius:/etc # diff raddb/sites-available/inner-tunnel
raddefault/sites-available/inner-tunnel
48,52d47
   if (User-Name !~ /^host\//) {
 update control {
 MS-CHAP-Use-NTLM-Auth := no
 }
 }
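Review bot: this block chooses ntlm_auth purely on `User-Name` starting with `host/`, evaluated on the raw inner identity before any realm handling. A machine account that arrived with a `DOMAIN\` prefix (the form the XP client uses for users in the debug output) would not match and would be treated as a user; confirm with one Windows 7 and one XP machine-account debug run that the match fires as intended.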
97,101c92
   copy.user-name
   remove-domain-name
   add-dollar-sign
   strip-realm-name
   ntdomain
---
 # ntdomain
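Review bot: `ntdomain` is listed after the four `attr_rewrite` instances, which have already rewritten `Stripped-User-Name` by then. The realm module splits `CAD08862\ldapuser` on the backslash by itself and, with CAD08862 declared as a LOCAL realm in proxy.conf, sets `Stripped-User-Name = ldapuser` without proxying. Run `ntdomain` first (or on its own) so that exactly one module owns that attribute, and leave `User-Name` untouched as both replies in the thread say.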
151c142
   ldap
---
 # ldap
239,241c230,232
   Auth-Type LDAP {
   ldap
   }
---
 # Auth-Type LDAP {
 # ldap
 # }
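Review bot: enabling `Auth-Type LDAP` only matters for inner methods that deliver a password the server can bind with (PAP or EAP-GTC). PEAP with EAP-MSCHAPv2 carries a challenge-response, which mschap verifies against the password rlm_ldap fetched via `nspmPassword`, so this block is never reached for the flow under discussion and can stay commented out.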
299c290
   ldap
---
 # ldap
311d301
   ldap




Robert Mc Cready wrote:
 I do not rewrite the User-Name attribute; I rewrite only the
 Stripped-User-Name attribute with these:

  No.  Go READ the debug log you posted.  The inner-tunnel virtual
server gets:

Sending tunneled request
EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b6338671202

RE: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Robert Mc Cready
The host names are not domain names, they are computer account names, and we
have hundreds of them. We only use the MS Domain to authenticate the
computer accounts, not the users.


-Original Message-
From:
freeradius-users-bounces+robert-mccready=cspi.qc...@lists.freeradius.org
[mailto:freeradius-users-bounces+robert-mccready=cspi.qc.ca@lists.freeradius
.org] On behalf of Alan DeKok
Sent: 10 May 2011 10:49
To: FreeRadius users mailing list
Subject: Re: Error: User-Name is not the same as MS-CHAP name

Robert Mc Cready wrote:
 If the User-Name is being rewritten, it is not intentional.

  Well... it's obviously something you've changed, because it doesn't
happen in the default configuration.

 Now, I reinstalled from scratch, saved the default configuration, joined the
 server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
 inner-tunnel and ran diff. I can see in the debug output of the server that
 User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

  You're stripping the domain.  Why?  It's just not necessary.  The way
you're doing it is wrong, and is breaking the server.

  Instead, set up CAD08862 as a LOCAL realm.  See proxy.conf.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

 




RE: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Robert Mc Cready
 seconds.

Packet 9

rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=180, length=212
	User-Name = CAD08862\\ldapuser
	NAS-IP-Address = 10.220.30.5
	NAS-Port = 0
	Called-Station-Id = 58-16-26-AA-F7-B1:WIRELESS
	Calling-Station-Id = 00-16-EA-C5-78-9C
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = CONNECT 0Mbps 802.11g
	EAP-Message = 0x021400261900170301001b7a27bfb0b0524f3a9afbf1b1f407 ...
	State = 0xa5fe4130adea583a08d7b8b3e893ab3f
	Message-Authenticator = 0xe8c786bb73038b5f6172a3637d73a61d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = CAD08862\ldapuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 20 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for reject or fail. Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> CAD08862\ldapuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 238 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 238
Sending Access-Reject of id 180 to 10.220.30.5 port 29002
	EAP-Message = 0x04140004
	Message-Authenticator = 0x
Waking up in 3.8 seconds.
Cleaning up request 229 ID 171 with timestamp +857
Cleaning up request 230 ID 172 with timestamp +857
Cleaning up request 231 ID 173 with timestamp +857
Cleaning up request 232 ID 174 with timestamp +857
Cleaning up request 233 ID 175 with timestamp +857
Cleaning up request 234 ID 176 with timestamp +857
Cleaning up request 235 ID 177 with timestamp +857
Cleaning up request 236 ID 178 with timestamp +857
Cleaning up request 237 ID 179 with timestamp +857
Waking up in 1.0 seconds.

---



On 05/10/2011 03:35 PM, Robert Mc Cready wrote:
 If the User-Name is being rewritten, it is not intentional.

 Now, I reinstalled from scratch, saved the default configuration, joined the
 server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
 inner-tunnel and ran diff. I can see in the debug output of the server that
 User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

 http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm

I presume there's a debug at this URL, but I have no reachability to it 
from where I am (tried from a couple of different source networks):

17  Vlan1999.icore1.MTT-Montreal.as6453.net (216.6.115.54)  90.786 ms  90.770 ms  90.740 ms
18  Vlan50.icore1.MTT-Montreal.as6453.net (206.82.135.10)  90.800 ms  90.918 ms  91.056 ms
19  tge-1-3.ar1.mtl2.mtotelecom.net (64.254.224.165)  91.241 ms  90.598 ms  90.634 ms
20  tge-1-2.ar1.mtrlpq07.mtotelecom.net (64.254.224.198)  79.405 ms  79.282 ms  79.230 ms
21  * * *
22  * * *
23  * * *

 




RE: Error: User-Name is not the same as MS-CHAP name

2011-05-09 Thread Robert Mc Cready
I do not rewrite the User-Name attribute; I rewrite only the
Stripped-User-Name attribute with these:

attr_rewrite copy.user-name {
attribute = Stripped-User-Name
new_attribute = yes
searchfor = 
searchin = packet
replacewith = %{User-Name}
}

attr_rewrite remove-domain-name {
attribute = Stripped-User-Name
searchfor = (\.nw2\.test\.local)
searchin = packet
new_attribute = no
replacewith = 
}

attr_rewrite add-dollar-sign {
attribute = Stripped-User-Name
searchfor = ^(host/.*)
searchin = packet
new_attribute = no
replacewith = %{1}$
}

attr_rewrite strip-realm-name {
attribute = Stripped-User-Name
new_attribute = no
searchin = packet
searchfor = ^(.*[\\/]+)
replacewith = 
max_matches = 1
}


This is where I use Stripped-User-Name:

freeradius:/etc/raddb # grep -ir Stripped-User-Name * | grep -v \#
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/ldap:   filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})


The User-Name attribute is untouched.

[mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP
Name (ldapuser) from EAP-MSCHAPv2

As I mentioned before, the host name (CAD08862) is not a domain name, it's a
computer account name.


I tried with_ntdomain_hack, no luck.

freeradius:/etc/raddb # grep -ir with_ntdomain_hack * | grep -v \#
modules/preprocess: with_ntdomain_hack = no
modules/mschap: with_ntdomain_hack = yes


Windows XP debug:  http://www.cspi.qc.ca/sinfrmc/windowsxp.htm

Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm




On 05/07/2011 07:50 PM, Robert Mc Cready wrote:
 The MS-CHAP-Use-NTLM-Auth := no did the job but I still have one
 problem with Windows XP clients, I get a [mschap] ERROR: User-Name
 (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
 EAP-MSCHAPv2. Users log on locally, the host name is not a domain name.
 Windows 7 clients work fine because they send only the username. I do
 some rewrites so I can get the username for the LDAP authentication and
 the computer names for computer account authentication (I'm not familiar
 with unlang yet). We use FR 2.1.10.

 Any idea how to fix this ?


You CANNOT rewrite the User-Name attribute, or you will have this problem.

If you want to manipulate the username, you must do so in a separate 
attribute, like so:

  if (User-Name =~ /^(.+)\\(.+)/) {
      update request {
          Stripped-User-Name := %{2}
      }
  }

An easier alternative is to not mangle the username at all, and instead 
update any string expansions to use:

  %{mschap:User-Name}

...including your LDAP filters. This will just work.
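The two pieces of advice in this thread (Alan: declare CAD08862 as a LOCAL realm; Phil: never rewrite User-Name, derive a separate attribute) fit together as follows. This is an added example, not configuration from the thread or from the FreeRADIUS distribution; CAD08862, the `host/` test and the eDirectory/ntlm_auth split come from the diffs above, the file placement and the exact module order are assumptions for a 2.x raddb.

```unlang
# --- proxy.conf -------------------------------------------------------
# A realm with no auth_pool/acct_pool is LOCAL: the realm module records
# it and strips it, and nothing is proxied. The NetBIOS prefix the XP
# supplicant sends (CAD08862\ldapuser) is declared here so that the split
# is done by the realm module instead of by attr_rewrite.
realm CAD08862 {
}

# --- sites-available/inner-tunnel, authorize { ... } -------------------
authorize {
    # ntdomain is the stock realm instance that splits on "\".
    # For CAD08862\ldapuser it sets Realm = CAD08862 and
    # Stripped-User-Name = ldapuser. User-Name itself is left exactly
    # as the supplicant sent it, so the EAP-MSCHAPv2 name comparison
    # still sees the original string.
    ntdomain

    # Alternative without a realm entry (Phil's form): same result,
    # still without touching User-Name.
    # if (User-Name =~ /^(.+)\\(.+)/) {
    #     update request {
    #         Stripped-User-Name := "%{2}"
    #     }
    # }

    # Machine accounts (host/...) are verified through ntlm_auth against
    # the DSFW domain; everything else must use the password rlm_ldap
    # fetched from eDirectory, so NTLM is switched off for them here,
    # before mschap runs.
    if (User-Name !~ /^host\//) {
        update control {
            MS-CHAP-Use-NTLM-Auth := no
        }
    }

    # The rest of the stock section (mschap, eap, ldap, ...) stays as
    # shipped. The stock ldap filter already prefers the stripped name:
    #   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    # and the stock ntlm_auth line does the same:
    #   --username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
    # so no further rewriting is needed for either path.
}
```

Check the result with `radiusd -X`: the inner request should show `[ntdomain] Found realm "CAD08862"` and `Stripped-User-Name = "ldapuser"` while `User-Name` stays `CAD08862\ldapuser`.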

 



Error: User-Name is not the same as MS-CHAP name

2011-05-07 Thread Robert Mc Cready
The MS-CHAP-Use-NTLM-Auth := no did the job but I still have one problem
with Windows XP clients, I get a [mschap] ERROR: User-Name
(CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
EAP-MSCHAPv2. Users log on locally, the host name is not a domain name.
Windows 7 clients work fine because they send only the username. I do some
rewrites so I can get the username for the LDAP authentication and the
computer names for computer account authentication (I'm not familiar with
unlang yet). We use FR 2.1.10.

 

Any idea how to fix this?

Windows XP debug:  http://www.cspi.qc.ca/sinfrmc/windowsxp.htm

Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm


On 05/05/11 15:17, Robert Mc Cready wrote:
 We use Novell eDirectory and DSFW (Directory Services for Windows)
 which is kind of a Windows domain inside an OU in eDirectory. I want
 to authenticate users using LDAP and Windows computer accounts using
 ntlm_auth. There are only computer accounts in the Windows domain.

 The computer authentication is working fine but the user
 authentication with LDAP fails if ntlm_auth is configured. If I don't
 use ntlm_auth the user authentication works. Is there a way to have
 both of them working together?

Yes. Something like this:

authorize {
    ...
    if (User-Name !~ /^host\//) {
        update control {
            MS-CHAP-Use-NTLM-Auth := no
        }
    }
    ...
}


Problem with LDAP and ntlm_auth

2011-05-05 Thread Robert Mc Cready
We use Novell eDirectory and DSFW (Directory Services for Windows) which is
kind of a Windows domain inside an OU in eDirectory. I want to authenticate
users using LDAP and Windows computer accounts using ntlm_auth. There are
only computer accounts in the Windows domain.

The computer authentication is working fine but the user authentication
with LDAP fails if ntlm_auth is configured. If I don't use ntlm_auth the
user authentication works. Is there a way to have both of them working
together?

We use PEAP.

Working user authentication with LDAP debug (ntlm_auth not configured):
http://www.cspi.qc.ca/sinfrmc/ldap_only.htm

Working Windows computer account authentication:
http://www.cspi.qc.ca/sinfrmc/mschap_only.htm

User account getting rejected debug (with ntlm_auth configured):
http://www.cspi.qc.ca/sinfrmc/mschap_and_ldap.htm

Thanks,

Robert.


RE: Problem with LDAP and ntlm_auth

2011-05-05 Thread Robert Mc Cready
It's working now.

Thanks for the help.



-Original Message-
From:
freeradius-users-bounces+robert-mccready=cspi.qc...@lists.freeradius.org
[mailto:freeradius-users-bounces+robert-mccready=cspi.qc.ca@lists.freeradius
.org] On behalf of Phil Mayers
Sent: 5 May 2011 11:03
To: freeradius-users@lists.freeradius.org
Subject: Re: Problem with LDAP and ntlm_auth

On 05/05/11 15:17, Robert Mc Cready wrote:
 We use Novell eDirectory and DSFW (Directory Services for Windows) which
 is kind of a Windows domain inside an OU in eDirectory. I want to
 authenticate users using LDAP and Windows computer accounts using
 ntlm_auth. There are only computer accounts in the Windows domain.

 The computer authentication is working fine but the user authentication
 with LDAP fails if ntlm_auth is configured. If I don't use ntlm_auth the
 user authentication works. Is there a way to have both of them working
 together?

Yes. Something like this:

authorize {
    ...
    if (User-Name !~ /^host\//) {
        update control {
            MS-CHAP-Use-NTLM-Auth := no
        }
    }
    ...
}

 
