Re: Problem with freeradius 2.0 pre1 and realms
Hi Alan,

Yes, I am using the Stripped-User-Name and/or the User-Name. I tried with_ntdomain_hack = yes, but it did not work :-( .. But I read the radiusd.conf file and I could not find the mschap:User-Name thing. Where do I have to use mschap:User-Name?

My understanding of how it should work is:

1. PEAP with MSCHAPv2 is used.
2. FreeRADIUS gets the username and password from my Windows box.
3. The username is test\cfra.
4. FreeRADIUS finds my realm test and proxies to LOCAL, stripping off the domain part.
5. Authorization is done with the username test.
6. Then authentication is done with test\cfra ???

And here is the point I do not understand any more :-( .. Why is the stripped-off username only used in authorization? I thought if I use FreeRADIUS my way, then authorization would be done with LDAP and authentication with EAP? Is that correct? What should I do to get this setup working? I'm really out of ideas now, because I tried a similar setup with 1.1.7 and ntlm_auth (instead of LDAP) and it works as expected there.

Thanks for your help in advance,

Best regards,
Christian

[EMAIL PROTECTED] wrote:
> hi,
>
> you are using the Stripped-User-Name and/or the User-Name. however, the method you are attempting to use goes through the MSCHAP module...so you want to look at using mschap:User-Name attribute. or use unlang to regexp the domain.
>
> have you also got with_ntdomain_hack = yes ?
>
> alan

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited. E-mail messages are not necessarily secure. Renesas does not accept responsibility for any changes made to this message after it was sent.
Please note that this email message has been swept by Renesas for the presence of computer viruses.

Renesas Semiconductor Europe (Landshut) GmbH
Jenaer Strasse 1, 84034 Landshut
Tel.: +49-(0)871-684-0, Fax: +49-(0)871-684-150
www.rsel.renesas.com
GESCHAEFTSFUEHRER: Dipl.-Ing. YOSHIHARU KAKUI
GESCHAEFTSFUEHRER: Dipl.-Phys. STEFAN SAUER
Registergericht Landshut HRB 1464
Ust.-IdNr.: DE 128953054
Steuer-Nr.: 132/136/30347
HypoVereinsbank, Landshut, Kto.-Nr. 3704 700 (BLZ 743 200 73)
Mizuho Corporate Bank (Germany) AG, Frankfurt, Kto.-Nr. 200 733 (BLZ 503 308 00)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem with freeradius 2.0 pre1 and realms
Hi Guys,

I'm trying to use FreeRADIUS with PEAP + MSCHAPv2 + LDAP + realms. If I don't use realms, everything works fine. But the problem is that I need to strip off the domain part of the username, because Windows sends TEST\cfra, but I have only cfra in my LDAP. So I did the following:

radius.conf:

    realm ntdomain {
        format = prefix
        delimiter = \\
    }

and enabled ntdomain under authorisation. My proxy.conf:

    realm test {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
    }

But when I want to log in, it does not work. Seems like the domain is stripped off correctly for authorisation, but not for authentication. But what could be wrong? Here is the output of radius:

    Config: including file: ../etc/raddb//radiusd.conf
    Config: including file: /usr/local/freeradius2/etc/raddb/proxy.conf
    Config: including file: /usr/local/freeradius2/etc/raddb/clients.conf
    Config: including file: /usr/local/freeradius2/etc/raddb/snmp.conf
    Config: including file: /usr/local/freeradius2/etc/raddb/eap.conf
    Config: including file: /usr/local/freeradius2/etc/raddb/sql.conf
    Config: including file: /usr/local/freeradius2/etc/raddb/sql/mysql-dialup.conf
    FreeRADIUS Version 2.0.0-pre1, for host i686-pc-linux-gnu, built on Aug 16 2007 at 13:45:55
    Starting - reading configuration files ...
    read_config_files: reading dictionary
    main {
        prefix = /usr/local/freeradius2
        localstatedir = /usr/local/freeradius2/var
        logdir = /usr/local/freeradius2/var/log/radius
        libdir = /usr/local/freeradius2/lib
        radacctdir = /usr/local/freeradius2/var/log/radius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        allow_core_dumps = no
        log_stripped_names = no
        log_file = /usr/local/freeradius2/var/log/radius/radius.log
        log_auth = no
        log_auth_badpass = no
        log_auth_goodpass = no
        pidfile = /usr/local/freeradius2/var/run/radiusd/radiusd.pid
        user = radiusd
        group = radiusd
        checkrad = /usr/local/freeradius2/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
        log {
            syslog_facility = daemon
        }
        proxy server {
            retry_delay = 5
            retry_count = 3
            default_fallback = no
            dead_time = 120
            wake_all_if_all_dead = no
        }
        security {
            max_attributes = 200
            reject_delay = 1
            status_server = yes
        }
    }
    home_server localhost {
        ipaddr = 127.0.0.1 IP address [127.0.0.1]
        port = 1812
        type = auth
        secret = testing123
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = status-server
        ping_check = none
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        num_pings_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
    }
    server_pool my_auth_failover {
        type = my_auth_failover
        home_server = localhost
    }
    realm example.com {
        auth_pool = my_auth_failover
    }
    realm LOCAL {
        ldflag = fail_over
    }
    realm test {
        ldflag = fail_over
    }
    port = 1812
    listen {
        type = auth
        ipaddr = *
        port = 0
    }
    listen {
        type = acct
        ipaddr = *
        port = 0
    }
    client 127.0.0.1 {
        secret = testing123
        shortname = localhost
        nastype = other
    }
    client 150.150.40.0/16 {
        secret = ciscotest1
        shortname = private-network-1
        nastype = cisco
    }
    radiusd: entering modules setup
    radiusd: Library search path is /usr/local/freeradius2/lib
    instantiate {
        Module: Linked to module rlm_exec
        Module: Instantiating exec
        exec {
            wait = yes
            input_pairs = request
            shell_escape = yes
        }
    rlm_exec: wait=yes but no output defined. Did you mean output=none?
        Module: Linked to module rlm_expr
        Module: Instantiating expr
        Module: Linked to module rlm_expiration
        Module: Instantiating expiration
        expiration {
            reply-message = Password Has Expired
        }
        Module: Linked to module rlm_logintime
        Module: Instantiating logintime
        logintime {
            reply-message = You are calling outside your allowed timespan
            minimum-timeout = 60
        }
    }
    modules {
        Module: Instantiating section authenticate
        Module: Linked to module rlm_pap
        Module: Instantiating pap
        pap {
            encryption_scheme = auto
            auto_header = no
        }
        Module: Linked to module rlm_chap
        Module: Instantiating chap
        Module: Linked to module rlm_mschap
        Module: Instantiating mschap
        mschap {
            use_mppe = yes
            require_encryption = no
            require_strong = no
            with_ntdomain_hack = no
        }
        Module: Linked to module rlm_unix
        Module: Instantiating unix
        unix {
            radwtmp =
Re: Problem with freeradius 2.0 pre1 and realms
hi,

you are using the Stripped-User-Name and/or the User-Name. however, the method you are attempting to use goes through the MSCHAP module...so you want to look at using mschap:User-Name attribute. or use unlang to regexp the domain.

have you also got with_ntdomain_hack = yes ?

alan