RE: Error: User-Name is not the same as MS-CHAP name
If the User-Name is being rewritten it is not intentional.

Now, I reinstalled from scratch, saved the default configuration, joined the server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and inner-tunnel and ran diff. I can see in the debug output of the server that User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm

freeradius:/etc # diff -qr raddb raddefault
Files raddb/clients.conf and raddefault/clients.conf differ
Files raddb/modules/attr_rewrite and raddefault/modules/attr_rewrite differ
Files raddb/modules/ldap and raddefault/modules/ldap differ
Files raddb/modules/mschap and raddefault/modules/mschap differ
Files raddb/sites-available/inner-tunnel and raddefault/sites-available/inner-tunnel differ
Files raddb/sites-enabled/inner-tunnel and raddefault/sites-enabled/inner-tunnel differ

freeradius:/etc # diff raddb/clients.conf raddefault/clients.conf
206,209d205
client 10.0.0.0/8 {
        secret = testing123
        shortname = net1
}

freeradius:/etc # diff raddb/modules/attr_rewrite raddefault/modules/attr_rewrite
32,65d31
attr_rewrite copy.user-name {
        attribute = Stripped-User-Name
        new_attribute = yes
        searchfor =
        searchin = packet
        replacewith = %{User-Name}
}
attr_rewrite remove-domain-name {
        attribute = Stripped-User-Name
        searchfor = (\.test\.local)
        searchin = packet
        new_attribute = no
        replacewith =
}
attr_rewrite add-dollar-sign {
        attribute = Stripped-User-Name
        searchfor = ^(host/.*)
        searchin = packet
        new_attribute = no
        replacewith = %{1}$
}
attr_rewrite strip-realm-name {
        attribute = Stripped-User-Name
        new_attribute = no
        searchin = packet
        searchfor = ^(.*[\\/]+)
        replacewith =
        max_matches = 1
}

freeradius:/etc # diff raddb/modules/ldap raddefault/modules/ldap
33,36c33,36
server = 10.220.7.7
identity = cn=tics,o=test
password = ldappass
basedn = o=test
---
server = ldap.your.domain
#identity = cn=admin,o=My Org,c=UA
#password = mypass
basedn = o=My Org,c=UA
77,79c77,78
#start_tls = no
start_tls = yes
port=636
---
start_tls = no
118c117
password_attribute = nspmPassword
---
124c123
edir_account_policy_check = yes
---
edir_account_policy_check = no

freeradius:/etc # diff raddb/modules/mschap raddefault/modules/mschap
37c37
with_ntdomain_hack = yes
---
65,66c65
#ntlm_auth = /path/to/nitlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NW2} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
---
#ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

freeradius:/etc # diff raddb/sites-available/inner-tunnel raddefault/sites-available/inner-tunnel
48,52d47
if (User-Name !~ /^host\//) {
        update control {
                MS-CHAP-Use-NTLM-Auth := no
        }
}
97,101c92
copy.user-name
remove-domain-name
add-dollar-sign
strip-realm-name
ntdomain
---
# ntdomain
151c142
ldap
---
# ldap
239,241c230,232
Auth-Type LDAP {
        ldap
}
---
# Auth-Type LDAP {
#         ldap
# }
299c290
ldap
---
# ldap
311d301
ldap

Robert Mc Cready wrote:
> I do not rewrite the User-Name attribute, I rewrite only the Stripped-User-Name attribute with these:

No. Go READ the debug log you posted. The inner-tunnel virtual server gets:

Sending tunneled request
        EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b6338671202
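Review bot: the clients.conf hunk adds `client 10.0.0.0/8 { secret = testing123 }`, which grants the sample secret from the stock clients.conf to an entire /8, so any host in that range can submit Access-Requests to this server. Suggest one `client` entry per NAS address, each with its own long random secret, instead of the blanket range.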
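Review bot: the ldap hunk publishes the directory bind credential (`identity = cn=tics,o=test`, `password = ldappass`) to a public list; that password should be changed and such values redacted before a diff is posted. In the same hunk `start_tls = yes` asks rlm_ldap to issue the STARTTLS extended operation on a plain LDAP connection, while `port=636` is the ldaps port where TLS is negotiated before any LDAP request; the two are normally alternatives, so pick the one the eDirectory server actually offers and confirm from the server side that the bind is encrypted.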
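Review bot: in the inner-tunnel hunk, `ntdomain` is listed after `copy.user-name`, `remove-domain-name`, `add-dollar-sign` and `strip-realm-name`, so Stripped-User-Name is derived twice by two different mechanisms and the debug output will not make obvious which value mschap and ldap saw. `ntdomain` only strips the `CAD08862\` prefix when that name is defined as a realm in proxy.conf; keeping `ntdomain` plus that realm and dropping the four attr_rewrite lines leaves one predictable path.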
RE: Error: User-Name is not the same as MS-CHAP name
The host names are not domain names, they are computer account names, and we have hundreds of them. We only use the MS Domain to authenticate the computer accounts, not the users.

-----Original Message-----
From: freeradius-users-bounces+robert-mccready=cspi.qc...@lists.freeradius.org [mailto:freeradius-users-bounces+robert-mccready=cspi.qc.ca@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 10 May 2011 10:49
To: FreeRadius users mailing list
Subject: Re: Error: User-Name is not the same as MS-CHAP name

Robert Mc Cready wrote:
> If the User-Name is being rewritten it is not intentional.

Well... it's obviously something you've changed, because it doesn't happen in the default configuration.

> Now, I reinstalled from scratch, saved the default configuration, joined the server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and inner-tunnel and ran diff. I can see in the debug output of the server that User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

You're stripping the domain. Why? It's just not necessary. The way you're doing it is wrong, and is breaking the server.

Instead, set up CAD08862 as a LOCAL realm. See proxy.conf.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Error: User-Name is not the same as MS-CHAP name
seconds.

Packet 9

rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=180, length=212
        User-Name = CAD08862\\ldapuser
        NAS-IP-Address = 10.220.30.5
        NAS-Port = 0
        Called-Station-Id = 58-16-26-AA-F7-B1:WIRELESS
        Calling-Station-Id = 00-16-EA-C5-78-9C
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 0Mbps 802.11g
        EAP-Message = 0x021400261900170301001b7a27bfb0b0524f3a9afbf1b1f407 ...
        State = 0xa5fe4130adea583a08d7b8b3e893ab3f
        Message-Authenticator = 0xe8c786bb73038b5f6172a3637d73a61d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = CAD08862\ldapuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 20 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for reject or fail. Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> CAD08862\ldapuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 238 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 238
Sending Access-Reject of id 180 to 10.220.30.5 port 29002
        EAP-Message = 0x04140004
        Message-Authenticator = 0x
Waking up in 3.8 seconds.
Cleaning up request 229 ID 171 with timestamp +857
Cleaning up request 230 ID 172 with timestamp +857
Cleaning up request 231 ID 173 with timestamp +857
Cleaning up request 232 ID 174 with timestamp +857
Cleaning up request 233 ID 175 with timestamp +857
Cleaning up request 234 ID 176 with timestamp +857
Cleaning up request 235 ID 177 with timestamp +857
Cleaning up request 236 ID 178 with timestamp +857
Cleaning up request 237 ID 179 with timestamp +857
Waking up in 1.0 seconds.

---

On 05/10/2011 03:35 PM, Robert Mc Cready wrote:
> If the User-Name is being rewritten it is not intentional.
> Now, I reinstalled from scratch, saved the default configuration, joined the server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and inner-tunnel and ran diff. I can see in the debug output of the server that User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.
> http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm

I presume there's a debug at this URL, but I have no reachability to it from where I am (tried from a couple of different source networks):

17  Vlan1999.icore1.MTT-Montreal.as6453.net (216.6.115.54)  90.786 ms  90.770 ms  90.740 ms
18  Vlan50.icore1.MTT-Montreal.as6453.net (206.82.135.10)  90.800 ms  90.918 ms  91.056 ms
19  tge-1-3.ar1.mtl2.mtotelecom.net (64.254.224.165)  91.241 ms  90.598 ms  90.634 ms
20  tge-1-2.ar1.mtrlpq07.mtotelecom.net (64.254.224.198)  79.405 ms  79.282 ms  79.230 ms
21  * * *
22  * * *
23  * * *
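The PEAP lines above say the outer request is only being rejected "again" and that the real reason is in earlier messages. As an added example (not code from this thread or from the FreeRADIUS project), the Python below walks radiusd -X output and ties each `[mschap] ERROR: User-Name (...) is not the same as MS-CHAP Name (...)` line to the outer Access-Request it occurred in and to the later packets that only repeat that rejection. The log lines it runs on are constructed from the formats quoted in this thread, and the diagnosis text follows the advice given in the thread (define the prefix as a realm in proxy.conf, do not rewrite User-Name) rather than anything taken from rlm_mschap itself.

```python
import re

# Line formats copied from the radiusd -X output quoted in this thread.
RAD_RECV = re.compile(
    r"^rad_recv: Access-Request packet from host (?P<nas>\S+) port \d+, id=(?P<id>\d+)")
MSCHAP_MISMATCH = re.compile(
    r"\[mschap\] ERROR: User-Name \((?P<user>[^)]*)\) is not the same as "
    r"MS-CHAP Name \((?P<mschap>[^)]*)\) from EAP-MSCHAPv2")
PEAP_REPEAT = re.compile(r"\[peap\] The users session was previously rejected")

# Constructed sample (not a real capture): the inner-tunnel mismatch happens while
# outer packet id=178 is processed; outer packet id=180 then only repeats the reject.
SAMPLE_LOG = r"""
rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=178, length=212
	User-Name = "CAD08862\\ldapuser"
[peap] Session established.  Decoding tunneled attributes.
[mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2
++[mschap] returns reject
rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=180, length=212
	User-Name = "CAD08862\\ldapuser"
[peap] The users session was previously rejected: returning reject (again.)
++[eap] returns invalid
Failed to authenticate the user.
""".strip().splitlines()


def diagnose(user_name, mschap_name):
    """Map the mismatch onto the advice given in this thread."""
    domain, sep, bare = user_name.rpartition("\\")
    if sep and bare == mschap_name:
        # Client sent DOMAIN\user as User-Name but only 'user' inside EAP-MSCHAPv2.
        return ("User-Name carries the prefix '%s\\' that the MS-CHAPv2 name lacks: "
                "define %s as a realm in proxy.conf (or derive Stripped-User-Name "
                "from it) and leave User-Name itself untouched" % (domain, domain))
    return ("User-Name no longer matches what the client put in the MS-CHAPv2 response: "
            "look for attr_rewrite or unlang that changes User-Name in inner-tunnel")


def triage(lines):
    """One finding per mschap mismatch, with the count of later PEAP 'rejected again'
    packets that the same mismatch explains."""
    findings, packet_id = [], None
    for line in lines:
        m = RAD_RECV.match(line)
        if m:
            packet_id = m.group("id")          # remember which outer packet we are in
            continue
        m = MSCHAP_MISMATCH.search(line)
        if m:
            findings.append({
                "packet_id": packet_id,
                "user": m.group("user"),
                "mschap": m.group("mschap"),
                "repeat_rejects": 0,
                "diagnosis": diagnose(m.group("user"), m.group("mschap")),
            })
            continue
        if PEAP_REPEAT.search(line) and findings:
            findings[-1]["repeat_rejects"] += 1  # attribute the repeat to the last real cause
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("packet id=%s: User-Name %r vs MS-CHAP name %r (%d later packets rejected on the back of it)"
              % (f["packet_id"], f["user"], f["mschap"], f["repeat_rejects"]))
        print("  ->", f["diagnosis"])
```

Run it against a saved `radiusd -X` transcript by replacing SAMPLE_LOG with the file's lines; a mismatch with `repeat_rejects` greater than zero is the one the later "previously rejected" packets are pointing back to.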
RE: Error: User-Name is not the same as MS-CHAP name
I do not rewrite the User-Name attribute; I rewrite only the Stripped-User-Name attribute with these:

attr_rewrite copy.user-name {
        attribute = Stripped-User-Name
        new_attribute = yes
        searchfor =
        searchin = packet
        replacewith = %{User-Name}
}
attr_rewrite remove-domain-name {
        attribute = Stripped-User-Name
        searchfor = (\.nw2\.test\.local)
        searchin = packet
        new_attribute = no
        replacewith =
}
attr_rewrite add-dollar-sign {
        attribute = Stripped-User-Name
        searchfor = ^(host/.*)
        searchin = packet
        new_attribute = no
        replacewith = %{1}$
}
attr_rewrite strip-realm-name {
        attribute = Stripped-User-Name
        new_attribute = no
        searchin = packet
        searchfor = ^(.*[\\/]+)
        replacewith =
        max_matches = 1
}

This is where I use Stripped-User-Name:

freeradius:/etc/raddb # grep -ir Stripped-User-Name * | grep -v \#
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/attr_rewrite:attribute = Stripped-User-Name
modules/ldap: filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})

The User-Name attribute is untouched.

[mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2

As I mentioned before, the host name (CAD08862) is not a domain name, it's a computer account name.

I tried with_ntdomain_hack, no luck.

freeradius:/etc/raddb # grep -ir with_ntdomain_hack * | grep -v \#
modules/preprocess: with_ntdomain_hack = no
modules/mschap: with_ntdomain_hack = yes

Windows XP debug: http://www.cspi.qc.ca/sinfrmc/windowsxp.htm
Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm

On 05/07/2011 07:50 PM, Robert Mc Cready wrote:
> The MS-CHAP-Use-NTLM-Auth := no did the job but I still have one problem with Windows XP clients, I get a [mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2. Users log on locally, the host name is not a domain name.
> Windows 7 clients work fine because they send only the username. I do some rewrites so I can get the username for the LDAP authentication and the computer name for computer account authentication (I'm not familiar with unlang yet). We use FR 2.1.10. Any idea how to fix this?

You CANNOT rewrite the User-Name attribute, or you will have this problem. If you want to manipulate the username, you must do so in a separate attribute, like so:

if (User-Name =~ /^(.+)\\(.+)/) {
        update request {
                Stripped-User-Name := %{2}
        }
}

An easier alternative is to not mangle the username at all, and instead update any string expansions to use:

%{mschap:User-Name}

...including your LDAP filters. This will just work.
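To see what the attr_rewrite chain posted above actually produces for each form of identity, and how that compares with the unlang split suggested in the reply, here is an added Python model; it is not rlm_attr_rewrite and not code from this thread or from the FreeRADIUS project. It assumes each rule is applied at most once (max_matches = 1), uses the `.nw2.test.local` suffix from the configuration above, and also applies the `host/` test from the inner-tunnel authorize section quoted further down the thread. User-Name itself is never modified, which is the point the reply makes.

```python
import re

# The four attr_rewrite rules from the post above, in the order they run in inner-tunnel.
# Assumption: each rule matches at most once (max_matches = 1), as strip-realm-name sets.
DOMAIN_SUFFIX = re.compile(r"\.nw2\.test\.local")   # remove-domain-name: replacewith = ""
MACHINE_NAME = re.compile(r"^(host/.*)")            # add-dollar-sign: replacewith = %{1}$
REALM_PREFIX = re.compile(r"^(.*[\\/]+)")           # strip-realm-name: replacewith = ""
UNLANG_SPLIT = re.compile(r"^(.+)\\(.+)")           # reply's unlang: Stripped-User-Name := %{2}


def stripped_user_name(user_name):
    """Derive Stripped-User-Name the way the four attr_rewrite rules do, from a copy of User-Name."""
    value = user_name                                   # copy.user-name
    value = DOMAIN_SUFFIX.sub("", value, count=1)       # host/CAD08862.nw2.test.local -> host/CAD08862
    m = MACHINE_NAME.match(value)
    if m:
        value = m.group(1) + "$"                        # host/CAD08862 -> host/CAD08862$
    value = REALM_PREFIX.sub("", value, count=1)        # host/CAD08862$ -> CAD08862$ ; DOM\user -> user
    # A user@realm name is left alone here: the '@' form is the suffix realm module's job,
    # which is the "[suffix] No '@' in User-Name" line in the debug output.
    return value


def inner_tunnel_policy(user_name):
    """What the inner-tunnel authorize section ends up with for one User-Name (User-Name untouched)."""
    split = UNLANG_SPLIT.match(user_name)
    stripped = stripped_user_name(user_name)
    return {
        "User-Name": user_name,
        "Stripped-User-Name": stripped,
        # The reply's one-line alternative to the attr_rewrite chain; only for DOMAIN\user names.
        "unlang_split": split.group(2) if split else None,
        # if (User-Name !~ /^host\//) { update control { MS-CHAP-Use-NTLM-Auth := no } }
        # "yes" here just means the control attribute is left unset, so ntlm_auth stays in use.
        "MS-CHAP-Use-NTLM-Auth": "yes" if user_name.startswith("host/") else "no",
        # modules/ldap: filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
        "ldap_filter": "(uid=%s)" % (stripped or user_name),
    }


if __name__ == "__main__":
    for name in ("CAD08862\\ldapuser", "host/CAD08862.nw2.test.local",
                 "ldapuser", "ldapuser@nw2.test.local"):
        print(inner_tunnel_policy(name))
```

The machine account comes out as `CAD08862$` with ntlm_auth still enabled, and the XP user logon `CAD08862\ldapuser` comes out as `ldapuser` with ntlm_auth switched off, while `User-Name` in both cases is exactly what the client sent; that is what mschap compares against the name inside the EAP-MSCHAPv2 response.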
Error: User-Name is not the same as MS-CHAP name
The MS-CHAP-Use-NTLM-Auth := no did the job but I still have one problem with Windows XP clients, I get a [mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2. Users log on locally, the host name is not a domain name.

Windows 7 clients work fine because they send only the username. I do some rewrites so I can get the username for the LDAP authentication and the computer name for computer account authentication (I'm not familiar with unlang yet). We use FR 2.1.10. Any idea how to fix this?

Windows XP debug: http://www.cspi.qc.ca/sinfrmc/windowsxp.htm
Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm

On 05/05/11 15:17, Robert Mc Cready wrote:
> We use Novell eDirectory and DSFW (Directory Services for Windows), which is kind of a Windows domain inside an OU in eDirectory. I want to authenticate users using LDAP and Windows computer accounts using ntlm_auth. There are only computer accounts in the Windows domain.
> The computer authentication is working fine but the user authentication with LDAP fails if ntlm_auth is configured. If I don't use ntlm_auth the user authentication works. Is there a way to have both of them working together?

Yes. Something like this:

authorize {
        ...
        if (User-Name !~ /^host\//) {
                update control {
                        MS-CHAP-Use-NTLM-Auth := no
                }
        }
        ...
}

> We use Novell eDirectory and DSFW (Directory Services for Windows), which is kind of a Windows domain inside an OU in eDirectory. I want to authenticate users using LDAP and Windows computer accounts using ntlm_auth. There are only computer accounts in the Windows domain.
> The computer authentication is working fine but the user authentication with LDAP fails if ntlm_auth is configured. If I don't use ntlm_auth the user authentication works. Is there a way to have both of them working together? We use PEAP.
> Working user authentication with LDAP debug (ntlm_auth not configured): http://www.cspi.qc.ca/sinfrmc/ldap_only.htm
> Working Windows computer account authentication: http://www.cspi.qc.ca/sinfrmc/mschap_only.htm
> User account getting rejected debug (with ntlm_auth configured): http://www.cspi.qc.ca/sinfrmc/mschap_and_ldap.htm
> Thanks,
> Robert.
Problem with LDAP and ntlm_auth
We use Novell eDirectory and DSFW (Directory Services for Windows), which is kind of a Windows domain inside an OU in eDirectory. I want to authenticate users using LDAP and Windows computer accounts using ntlm_auth. There are only computer accounts in the Windows domain.

The computer authentication is working fine but the user authentication with LDAP fails if ntlm_auth is configured. If I don't use ntlm_auth the user authentication works. Is there a way to have both of them working together? We use PEAP.

Working user authentication with LDAP debug (ntlm_auth not configured):
http://www.cspi.qc.ca/sinfrmc/ldap_only.htm

Working Windows computer account authentication:
http://www.cspi.qc.ca/sinfrmc/mschap_only.htm

User account getting rejected debug (with ntlm_auth configured):
http://www.cspi.qc.ca/sinfrmc/mschap_and_ldap.htm

Thanks,
Robert.
RE: Problem with LDAP and ntlm_auth
It's working now. Thanks for the help.

-----Original Message-----
From: freeradius-users-bounces+robert-mccready=cspi.qc...@lists.freeradius.org [mailto:freeradius-users-bounces+robert-mccready=cspi.qc.ca@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: 5 May 2011 11:03
To: freeradius-users@lists.freeradius.org
Subject: Re: Problem with LDAP and ntlm_auth

On 05/05/11 15:17, Robert Mc Cready wrote:
> We use Novell eDirectory and DSFW (Directory Services for Windows), which is kind of a Windows domain inside an OU in eDirectory. I want to authenticate users using LDAP and Windows computer accounts using ntlm_auth. There are only computer accounts in the Windows domain.
> The computer authentication is working fine but the user authentication with LDAP fails if ntlm_auth is configured. If I don't use ntlm_auth the user authentication works. Is there a way to have both of them working together?

Yes. Something like this:

authorize {
        ...
        if (User-Name !~ /^host\//) {
                update control {
                        MS-CHAP-Use-NTLM-Auth := no
                }
        }
        ...
}