reply to NAS not correct

2009-10-29 Thread T.Robers
Hi,

my Enterasys switches need the Filter-Id for policy enforcement. I've got
a problem with 802.1X authentication. Here is the log:

rad_recv: Access-Request packet from host 172.16.255.101 port 49169,
id=171, length=190
User-Name = DNT1\\testtom
Service-Type = Framed-User
Called-Station-Id = 00-1F-45-19-9C-68
Calling-Station-Id = 00-1C-25-9B-0E-EB
NAS-Identifier = D2_Zi31_Tom
NAS-IP-Address = 172.16.255.101
NAS-Port = 1
NAS-Port-Id = ge.1.1
Framed-MTU = 1500
NAS-Port-Type = Ethernet
State = 0x5a07edfa520df4edb36b506fccf290c2
EAP-Message =
0x020a001d1900170301001291f098b2e763cf55403eff0840390a3d3413
Message-Authenticator = 0xe6865e95c71f8c06d904dd297c05ee96
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/radius/radacct/172.16.255.101/auth-detail-20091029
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/172.16.255.101/auth-detail-20091029
[auth_log]  expand: %t - Thu Oct 29 10:37:21 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = DNT1\testtom, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm DNT1 for User-Name = DNT1\testtom
[ntdomain] No such realm DNT1
++[ntdomain] returns noop
[eap] EAP packet type response id 10 length 29
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020a00061a03
server  {
  PEAP: Setting User-Name to DNT1\testtom
Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = DNT1\\testtom
State = 0xeb8ce38fea86f9b39b0a9d7efe7aaa3e
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = DNT1\testtom, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm DNT1 for User-Name = DNT1\testtom
[ntdomain] No such realm DNT1
++[ntdomain] returns noop
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: Entering ldap_groupcmp()
[files] expand: OU=Abt11-2,OU=Amt11,OU=Stadt
Heidelberg,DC=heidelberg,DC=bw-online,DC=de -
OU=Abt11-2,OU=Amt11,OU=Stadt Heidelberg,DC=heidelberg,DC=bw-online,DC=de
[files] expand: sAMAccountName=%{mschap:User-Name} -
sAMAccountName=testtom
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Abt11-2,OU=Amt11,OU=Stadt
Heidelberg,DC=heidelberg,DC=bw-online,DC=de, with filter
sAMAccountName=testtom
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand:
(|((objectClass=Group)(member=%{control:Ldap-UserDn}))((objectClass=Gr
oupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -
(|((objectClass=Group)(member=CN\3dTest\5c\2c
Tom\2cOU\3dAbt11-2\2cOU\3dAmt11\2cOU\3dStadt
Heidelberg\2cDC\3dheidelberg\2cDC\3dbw-online\2cDC\3dde))((objectClass=
GroupOfUniqueNames)(uniquemember=CN\3dTest\5c\2c
Tom\2cOU\3dAbt11-2\2cOU\3dAmt11\2cOU\3dStadt
Heidelberg\2cDC\3dheidelberg\2cDC\3dbw-online\2cDC\3dde)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Abt11-2,OU=Amt11,OU=Stadt
Heidelberg,DC=heidelberg,DC=bw-online,DC=de, with filter
((cn=WWW)(|((objectClass=Group)(member=CN\3dTest\5c\2c
Tom\2cOU\3dAbt11-2\2cOU\3dAmt11\2cOU\3dStadt
Heidelberg\2cDC\3dheidelberg\2cDC\3dbw-online\2cDC\3dde))((objectClass=
GroupOfUniqueNames)(uniquemember=CN\3dTest\5c\2c
Tom\2cOU\3dAbt11-2\2cOU\3dAmt11\2cOU\3dStadt
Heidelberg\2cDC\3dheidelberg\2cDC\3dbw-online\2cDC\3dde
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=Test\,
Tom,OU=Abt11-2,OU=Amt11,OU=Stadt
Heidelberg,DC=heidelberg,DC=bw-online,DC=de, with filter (objectclass=*)
rlm_ldap: performing search in
CN=WWW,CN=Users,DC=heidelberg,DC=bw-online,DC=de, with filter (cn=WWW)
rlm_ldap::ldap_groupcmp: User found in group WWW
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 215
++[files] returns ok
[ldap] performing user authorization for DNT1\testtom
[ldap]  expand: sAMAccountName=%{mschap:User-Name} -
sAMAccountName=testtom
[ldap]  expand: 

Active Directory/freeradius/enterasys - combination

2009-10-13 Thread T.Robers
Hello,

I know there was a thread with the same subject 3 years ago, but in
addition we need MAC authentication (printers, ...), too.

The MAC auth is OK:


Ready to process requests.
rad_recv: Access-Request packet from host 172.16.255.101 port 49169,
id=98, length=158
User-Name = 00-13-20-73-D0-45
Service-Type = Framed-User
Called-Station-Id = 00-1F-45-19-9C-68
Calling-Station-Id = 00-13-20-73-D0-45
NAS-Identifier = D2_Zi31_Tom
NAS-IP-Address = 172.16.255.101
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = ge.1.1
User-Password = hdpasswd
Message-Authenticator = 0xc2baf30d011d595efa42357331abcc6c
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log]  expand: %t - Tue Oct 13 11:59:35 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 00-13-20-73-D0-45, looking up realm
NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] No '\' in User-Name = 00-13-20-73-D0-45, looking up realm
NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 213
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password hdpasswd
[pap] Using clear text password hdpasswd
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [00-13-20-73-D0-45/hdpasswd] (from client 172.16.255.101 port
1 cli 00-13-20-73-D0-45)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 98 to 172.16.255.101 port 49169
Framed-Filter-Id = Enterasys:version=1:policy=Mitarbeiter
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 98 with timestamp +31
Ready to process requests.


Now I need a username/password auth against AD. Ntlm-auth works very well.

If I activate ldap in /etc/raddb/modules:


rad_recv: Access-Request packet from host 172.16.255.101 port 49169,
id=191, length=167
User-Name = DNT1\\testtom
Service-Type = Framed-User
Called-Station-Id = 00-1F-45-19-9C-68
Calling-Station-Id = 00-13-20-73-D0-45
NAS-Identifier = D2_Zi31_Tom
NAS-IP-Address = 172.16.255.101
NAS-Port = 1
NAS-Port-Id = ge.1.1
Framed-MTU = 1500
NAS-Port-Type = Ethernet
State = 0x113208ad123411cced08469153aa8038
EAP-Message = 0x020600061900
Message-Authenticator = 0x27fe716e0b83c7d08f295275043550f4
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/172.16.255.101/auth-detail-20091013
[auth_log]  expand: %t - Tue Oct 13 13:16:13 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = DNT1\testtom, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm DNT1 for User-Name = DNT1\testtom
[ntdomain] Found realm DNT1
[ntdomain] Adding Stripped-User-Name = testtom
[ntdomain] Adding Realm = DNT1
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 191 to 172.16.255.101 port 49169
EAP-Message =
0x010700b519003082a52b18d9963104cec8ab3f3ddc453b55e1519bcf57d5178ca7fbc8
1d20727b3d75c92c438dbafd9a5544e5443ad544f16869af57ef84883eebc730362387c9
e6357c18fcb15a8e862e2b6c2ea1871b8756414a7ba875ff9416143a5baf78b6a9f7c93d
c023f5edd6c8da55e646513482e5a39f9ccb7c480d68b7e965247b4accf8c1fa07b08368
80301de9e7058a5b891fd8f9e8443517e0eb83847723441ae98c447e7416030100040e00

Message-Authenticator = 0x
State = 0x113208ad153511cced08469153aa8038
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 187 with timestamp +63
Cleaning up request 2 ID 188 with
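As an added example (not from the posts or the FreeRADIUS project), a small Python parser for the radiusd -X trace format quoted in the two messages above, run over a constructed sample that mirrors the accepted MAC-auth request and the PEAP request that is still being challenged. It pulls out, per request, the matched `users` entry, the reply code and the policy name carried in Framed-Filter-Id, which is what to compare against the policy the switch actually applies when the reply to the NAS looks wrong.

```python
import re

# Constructed sample in the shape of the radiusd -X trace quoted in the post: an
# accepted MAC-auth request, then a PEAP request that is still being challenged.
SAMPLE = """\
rad_recv: Access-Request packet from host 172.16.255.101 port 49169, id=98, length=158
User-Name = 00-13-20-73-D0-45
[files] users: Matched entry DEFAULT at line 213
Sending Access-Accept of id 98 to 172.16.255.101 port 49169
Framed-Filter-Id = Enterasys:version=1:policy=Mitarbeiter
Finished request 0.
rad_recv: Access-Request packet from host 172.16.255.101 port 49169, id=191, length=167
User-Name = DNT1\\\\testtom
Sending Access-Challenge of id 191 to 172.16.255.101 port 49169
State = 0x113208ad153511cced08469153aa8038
"""

RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
ENTRY = re.compile(r"^\[files\] users: Matched entry (\S+) at line (\d+)")
REPLY = re.compile(r"^Sending (Access-\w+) of id (\d+)")
ATTR = re.compile(r"^([\w-]+) = (.*)$")

def parse_trace(text):
    """One dict per request: id, request attrs, matched users entry, reply code, reply attrs."""
    requests, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := RECV.match(line):
            cur = {"id": int(m.group(2)), "request": {}, "entry": None,
                   "reply": None, "reply_attrs": {}}
            requests.append(cur)
        elif cur is None:
            continue
        elif m := ENTRY.match(line):
            cur["entry"] = (m.group(1), int(m.group(2)))
        elif m := REPLY.match(line):
            cur["reply"] = m.group(1)
        elif m := ATTR.match(line):
            # Attributes listed before "Sending ..." belong to the request, after it to the reply.
            (cur["reply_attrs"] if cur["reply"] else cur["request"])[m.group(1)] = m.group(2)
    return requests

def policies(requests):
    """User-Name -> policy name from Framed-Filter-Id; None if not accepted or no policy sent."""
    out = {}
    for r in requests:
        policy = None
        if r["reply"] == "Access-Accept":
            fid = r["reply_attrs"].get("Framed-Filter-Id", "")
            policy = next((p[len("policy="):] for p in fid.split(":") if p.startswith("policy=")), None)
        out[r["request"].get("User-Name")] = policy
    return out
```

Feed it the full `radiusd -X` output instead of SAMPLE to see, for every request, which `users` entry matched and whether an Enterasys policy went back to the switch.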