Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread Alan DeKok
Vieri wrote:
 However, user authentication is rejected when I add the --domain parameter:
 
 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain}
 --username=%{Stripped-User-Name:-%{User-Name:-None}} 
 --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

  And you didn't post the debug output as suggested in the FAQ, README,
INSTALL, and daily on this list.

  Knowing WHY it was rejected, and WHAT ERROR was produced is key
information that is needed to be able to solve the problem.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread luis a
Pal, if you are using the freeradius binary version, as I was using before,

you can debug by typing freeradius -X

If you are using the compiled version, as I did a few days ago, it should work
just by typing radiusd -X

PS:
My freeradius is still not authenticating against AD :-(


--- On Thu, 2/10/08, Nicolas Goutte [EMAIL PROTECTED] wrote:
From: Nicolas Goutte [EMAIL PROTECTED]
Subject: Re: Freeradius, PEAP, Active Directory and --require-membership-of
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Thursday, 2 October 2008 6:09

On 02.10.2008 at 19:46, Vieri wrote:


 --- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 As with every other freeradius problem - when it doesn't
 work - debug
 (radiusd -X).

 That's how I'm running it. Does the list mind if I post the debug lines?

Asking for the output of radiusd -X is the most frequent answer on
this mailing list, so it is not a problem to see such output on
this mailing list.

However, please first check for yourself that you have not missed an
error message that would point you in the right direction. (Because
that is probably the second most frequent answer.)







Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841





Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread tnt
Don't hijack other people's thread. BTW did you fix the users file entry
so the server can start up?

Ivan Kalik
Kalik Informatika ISP

On 3/10/2008, luis a [EMAIL PROTECTED] wrote:

Pal, if you are using the freeradius binary version, as I was using before,

you can debug by typing freeradius -X

If you are using the compiled version, as I did a few days ago, it should work
just by typing radiusd -X

PS:
My freeradius is still not authenticating against AD :-(


--- On Thu, 2/10/08, Nicolas Goutte [EMAIL PROTECTED] wrote:
From: Nicolas Goutte [EMAIL PROTECTED]
Subject: Re: Freeradius, PEAP, Active Directory and --require-membership-of
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Thursday, 2 October 2008 6:09

On 02.10.2008 at 19:46, Vieri wrote:


 --- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 As with every other freeradius problem - when it doesn't
 work - debug
 (radiusd -X).

 That's how I'm running it. Does the list mind if I post the debug lines?

Asking for the output of radiusd -X is the most frequent answer on
this mailing list, so it is not a problem to see such output on
this mailing list.

However, please first check for yourself that you have not missed an
error message that would point you in the right direction. (Because
that is probably the second most frequent answer.)







Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-03 Thread tnt
Use:

--username=%{mschap:User-Name}

and it should work.

Ivan Kalik
Kalik Informatika ISP


On 3/10/2008, Vieri [EMAIL PROTECTED] wrote:

--- On Thu, 10/2/08, Vieri [EMAIL PROTECTED] wrote:

 I'm running freeradius-2.0.5 on Linux.

 My setup is as follows:

 Windows Vista native client - Linksys AP - FreeRadius Linux
 server (PEAP/mschapv2) - Active Directory Windows server

 Everything works smoothly with the following ntlm_auth
 parameters in the mschap module:

 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
 --username=%{Stripped-User-Name:-%{User-Name:-None}}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}

 However, user authentication is rejected when I add the
 --domain parameter:

 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
 --domain=%{mschap:NT-Domain}
 --username=%{Stripped-User-Name:-%{User-Name:-None}}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}

 (from the Windows Vista client I obviously set the DOMAIN
 field; besides, if I run the freeradius daemon with debug
 enabled I see that it correctly receives
 'DOMAIN\username')

 For starters, I don't understand why authentication
 fails if I add --domain. How can I find out why?

 Then, adding --require-membership-of with or without
 --domain also fails.

 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
 --domain=%{mschap:NT-Domain}
 --username=%{Stripped-User-Name:-%{User-Name:-None}}
 --require-membership-of='DOMAIN\\WIFI'
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00}

 Finally, running ntlm_auth from the command line yields:

 # ntlm_auth --request-nt-key --domain=DOMAIN
 --username=myuser
 --require-membership-of='DOMAIN\\WIFI'
 password:
 NT_STATUS_OK: Success (0x0)

I found this in the radiusd debug log:

[2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
  Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!

so I removed the '' in the ntlm_auth string like this:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key  
--username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN 
--require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}

and now it works.

So this leads me to ask how I can specify group names with spaces such as 
'WIFI 1'.

Also, I had to specify the domain explicitly either via --domain=DOMAIN or 
--domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication 
succeeds only if the client does NOT specify a domain in the domain or user 
field.
So I'm attaching some debug outputs with the hope that someone can shed some 
light on this aspect which I obviously don't grasp.

Thanks,

Vieri
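
A small scanner for the situation in the message above, added here as an example and not part of the thread: it pulls Winbindd lookupname failures out of saved `radiusd -X` output and flags a group name that still carries quote characters, the case that was fixed above by removing the quotes. The function and variable names are hypothetical, the sample lines are constructed around the log excerpt quoted in the thread, and reading quote characters in the logged name as part of the argument ntlm_auth received is an assumption.

```python
import re

# Constructed sample of saved `radiusd -X` output. The first Samba entry copies
# the excerpt quoted in the thread; the second entry and the filler are invented.
SAMPLE_DEBUG = "\n".join([
    "... other debug output ...",
    "[2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)",
    r"  Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!",
    "... other debug output ...",
    "[2008/10/03 09:41:02, 0] utils/ntlm_auth.c:get_require_membership_sid(237)",
    r"  Winbindd lookupname failed to resolve OTHERDOM\WIFI into a SID!",
])

# Samba debug header: "[date time, level] file:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+),\s*\d+\]\s+(?P<src>\S+?):(?P<func>\w+)\(\d+\)\s*$")
FAILED = re.compile(
    r"Winbindd lookupname failed to resolve (?P<name>.+) into a SID!")


def find_lookup_failures(debug_text):
    """Return one dict per lookupname failure found in the debug text."""
    findings = []
    timestamp = None
    for line in debug_text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            timestamp = header.group("ts")  # applies to the message line below
            continue
        failed = FAILED.search(line)
        if not failed:
            continue
        name = failed.group("name")
        # Assumption: quotes around the logged name were passed in literally.
        quoted = len(name) >= 2 and name[0] == name[-1] and name[0] in "'\""
        findings.append({
            "time": timestamp,
            "name": name,
            "literal_quotes": quoted,
            "without_quotes": name[1:-1] if quoted else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_lookup_failures(SAMPLE_DEBUG):
        print(finding)
```
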








Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri
Hi,

I'm running freeradius-2.0.5 on Linux.

My setup is as follows:

Windows Vista native client - Linksys AP - FreeRadius Linux server 
(PEAP/mschapv2) - Active Directory Windows server

Everything works smoothly with the following ntlm_auth parameters in the mschap 
module:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

However, user authentication is rejected when I add the --domain parameter:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain}
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

(from the Windows Vista client I obviously set the DOMAIN field; besides, if I 
run the freeradius daemon with debug enabled I see that it correctly receives 
'DOMAIN\username')

For starters, I don't understand why authentication fails if I add --domain. 
How can I find out why?

Then, adding --require-membership-of with or without --domain also fails.

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain}
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}

Finally, running ntlm_auth from the command line yields:

# ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser 
--require-membership-of='DOMAIN\\WIFI'
password:
NT_STATUS_OK: Success (0x0)

Could it be a bug in the freeradius version I'm running?

Can anyone please suggest how I can debug this (not a radius expert ;-) )?

Regards,

Vieri



  


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread tnt
As with every other freeradius problem - when it doesn't work - debug
(radiusd -X).

Ivan Kalik
Kalik Informatika ISP

On 2/10/2008, Vieri [EMAIL PROTECTED] wrote:

Hi,

I'm running freeradius-2.0.5 on Linux.

My setup is as follows:

Windows Vista native client - Linksys AP - FreeRadius Linux server 
(PEAP/mschapv2) - Active Directory Windows server

Everything works smoothly with the following ntlm_auth parameters in the 
mschap module:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

However, user authentication is rejected when I add the --domain parameter:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain}
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

(from the Windows Vista client I obviously set the DOMAIN field; besides, if I 
run the freeradius daemon with debug enabled I see that it correctly receives 
'DOMAIN\username')

For starters, I don't understand why authentication fails if I add --domain. 
How can I find out why?

Then, adding --require-membership-of with or without --domain also fails.

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain}
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--require-membership-of='DOMAIN\\WIFI' --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}

Finally, running ntlm_auth from the command line yields:

# ntlm_auth --request-nt-key --domain=DOMAIN --username=myuser 
--require-membership-of='DOMAIN\\WIFI'
password:
NT_STATUS_OK: Success (0x0)

Could it be a bug in the freeradius version I'm running?

Can anyone please suggest how I can debug this (not a radius expert ;-) )?

Regards,

Vieri






Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri

--- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 As with every other freeradius problem - when it doesn't
 work - debug
 (radiusd -X).

That's how I'm running it. Does the list mind if I post the debug lines?



  


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Vieri
I forgot to mention that I already tried:

with_ntdomain_hack = yes

I'll try to post the relevant radiusd -X debug lines if the ML doesn't mind.




  


Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Lech Karol Pawłaszek
Vieri wrote:
 --- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 
 As with every other freeradius problem - when it doesn't
 work - debug
 (radiusd -X).
 
 That's how I'm running it. Does the list mind if I post the debug lines?

You're supposed to do so!

It's even in the FreeRADIUS' FAQ (however IMVHO it should be on the ML
front page).

http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

PS: I followed your Reply-To however I don't think that was necessary -
do you really have to set it that way?

Kind regards,

-- 
Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]

Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Nicolas Goutte


On 02.10.2008 at 19:46, Vieri wrote:



--- On Thu, 10/2/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


As with every other freeradius problem - when it doesn't
work - debug
(radiusd -X).


That's how I'm running it. Does the list mind if I post the debug  
lines?


Asking for the output of radiusd -X is the most frequent answer on
this mailing list, so it is not a problem to see such output on
this mailing list.


However, please first check for yourself that you have not missed an
error message that would point you in the right direction. (Because
that is probably the second most frequent answer.)










Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841



