Re: Problem with freeradius 2.0 pre1 and realms

2007-08-19 Thread Christian Frank
Hi Alan,

Yes, I'm using the Stripped-User-Name and/or the User-Name.

I tried with_ntdomain_hack = yes, but it did not work :-( ..


But I read the radiusd.conf file and I could not find the
mschap:User-Name thing.

Where do I have to use mschap:User-Name?


My understanding of how it should work is:

1. PEAP with MSCHAPv2 is used.
2. FreeRADIUS gets the username and password from my Windows box.
3. The username is test\cfra.
4. FreeRADIUS finds my realm test and proxies to LOCAL, stripping off the domain
part.
5. Authorization is done with the username test.
6. Then authentication is done with test\cfra ??? And here is the point I do
not understand any more :-( ..
Why is the stripped-off username only used in authorization? I thought if I
use FreeRADIUS my way, then authorization would be done
with ldap and authentication with eap? Is that correct?
What should I do to get this setup working?


I'm really out of ideas now.

Because I tried a similar setup with 1.1.7 and ntlm_auth (instead of ldap) and it
works like expected there.


Thanks for your help in advance,

Best regards,
Christian




[EMAIL PROTECTED] wrote:
 hi,
 
 you are using the Stripped-User-Name and/or the User-Name.
 
 however, the method you are attempting to use goes through the
 MSCHAP module...so you want to look at using mschap:User-Name
 attribute. or use unlang to regexp the domain. have you also
 got with_ntdomain_hack = yes  ?
 
 alan



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
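The point in the exchange above, that authorization sees the stripped name while the MS-CHAPv2 check in the mschap module still depends on which form of the name is used, can be shown with the one step of MS-CHAPv2 that actually consumes the user name. The Python below is an added example, not code from this thread or from FreeRADIUS. It implements ChallengeHash() from RFC 2759 section 8.2 (SHA-1 over PeerChallenge || AuthenticatorChallenge || UserName, truncated to 8 bytes; the RFC states that only the user name, excluding any prepended domain, is hashed), together with a prefix strip equivalent to the `realm ntdomain` block with `delimiter = \\` and to the mschap `with_ntdomain_hack` setting. It then checks whether a server that hashes the User-Name attribute as received would derive the same 8-byte challenge as the client. The two 16-byte challenges and the name TEST\cfra are constructed sample inputs; the DES step that turns the challenge into the 24-byte NT-Response is omitted, because it needs the NT hash of the password and does not depend on the name.

```python
import hashlib

# Constructed sample values (not taken from the thread): the two 16-byte
# challenges that MS-CHAPv2 exchanges before the response is computed.
PEER_CHALLENGE = bytes(range(0x10, 0x20))
AUTH_CHALLENGE = bytes(range(0xA0, 0xB0))


def strip_nt_domain(user_name: str, delimiter: str = "\\") -> str:
    """Equivalent of a FreeRADIUS realm with format = prefix and a backslash
    delimiter: the text before the first delimiter is the realm, the rest is
    what ends up in Stripped-User-Name.  A name without a delimiter is returned
    unchanged, as the realm module would leave it alone."""
    _realm, sep, user = user_name.partition(delimiter)
    return user if sep else user_name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2:
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
    The 8-byte result is what the DES step of the NT-Response is computed
    over, so any difference in the name changes the whole response."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("ascii"))  # RFC 2759 treats UserName as 0-256 ASCII chars
    return h.digest()[:8]


def client_challenge(user_name_sent: str) -> bytes:
    """What the peer hashes.  Per RFC 2759 the prepended domain is excluded,
    so a Windows client that sends DOMAIN\\user still hashes only 'user'."""
    return challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, strip_nt_domain(user_name_sent))


def server_challenge(user_name_attr: str, with_ntdomain_hack: bool) -> bytes:
    """What a server hashes when verifying.  With the hack disabled it uses the
    User-Name attribute exactly as received; with it enabled it strips the
    NT domain first, mirroring mschap's with_ntdomain_hack = yes."""
    name = strip_nt_domain(user_name_attr) if with_ntdomain_hack else user_name_attr
    return challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name)


def nt_response_can_verify(user_name_attr: str, with_ntdomain_hack: bool) -> bool:
    """True only if client and server derive the same 8-byte challenge; if they
    differ, the NT-Response cannot verify no matter how correct the password
    hash fetched during authorization (e.g. from LDAP) is."""
    return client_challenge(user_name_attr) == server_challenge(user_name_attr, with_ntdomain_hack)


if __name__ == "__main__":
    for name in ("TEST\\cfra", "cfra"):
        for hack in (False, True):
            print(f"User-Name={name!r:12} with_ntdomain_hack={hack!s:5} "
                  f"-> NT-Response verifiable: {nt_response_can_verify(name, hack)}")
```

With `User-Name = TEST\cfra` the server only derives the client's challenge when it hashes the bare `cfra`; stripping the name for the LDAP lookup in authorize does not by itself change what the mschap module hashes in authenticate, which is why the thread points at `with_ntdomain_hack` (or at rewriting User-Name with unlang) rather than at the realm configuration.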


Problem with freeradius 2.0 pre1 and realms

2007-08-17 Thread Christian Frank
Hi Guys,

I'm trying to use FreeRADIUS with PEAP + MSCHAPv2 + LDAP + realms.

If I don't use realms, everything works fine.
But the problem is that I need to strip off the domain part of the username,
because Windows sends TEST\cfra.

But I have only cfra in my LDAP.

So I did the following:

radius.conf:

realm ntdomain {
format = prefix
delimiter = \\
}   


and enabled ntdomain under authorisation.

My proxy.conf:

realm test {
type= radius
authhost= LOCAL
accthost= LOCAL
}


But when I want to log in, it does not work.
It seems like the domain is stripped off correctly for authorisation, but not for
authentication.

But what could be wrong?

Here is the output of radius:


Config:   including file: ../etc/raddb//radiusd.conf
Config:   including file: /usr/local/freeradius2/etc/raddb/proxy.conf
Config:   including file: /usr/local/freeradius2/etc/raddb/clients.conf
Config:   including file: /usr/local/freeradius2/etc/raddb/snmp.conf
Config:   including file: /usr/local/freeradius2/etc/raddb/eap.conf
Config:   including file: /usr/local/freeradius2/etc/raddb/sql.conf
Config:   including file: /usr/local/freeradius2/etc/raddb/sql/mysql-dialup.conf
FreeRADIUS Version 2.0.0-pre1, for host i686-pc-linux-gnu, built on Aug 16 2007 
at 13:45:55
Starting - reading configuration files ...
read_config_files:  reading dictionary
main {
prefix = /usr/local/freeradius2
localstatedir = /usr/local/freeradius2/var
logdir = /usr/local/freeradius2/var/log/radius
libdir = /usr/local/freeradius2/lib
radacctdir = /usr/local/freeradius2/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
log_stripped_names = no
log_file = /usr/local/freeradius2/var/log/radius/radius.log
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
pidfile = /usr/local/freeradius2/var/run/radiusd/radiusd.pid
user = radiusd
group = radiusd
checkrad = /usr/local/freeradius2/sbin/checkrad
debug_level = 0
proxy_requests = yes
  log {
syslog_facility = daemon
  }
  proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
  }
  security {
max_attributes = 200
reject_delay = 1
status_server = yes
  }
}
  home_server localhost {
ipaddr = 127.0.0.1 IP address [127.0.0.1]
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
  }
  server_pool my_auth_failover {
type = my_auth_failover
home_server = localhost
  }
  realm example.com {
auth_pool = my_auth_failover
  }
  realm LOCAL {
ldflag = fail_over
  }
  realm test {
ldflag = fail_over
  }
port = 1812
  listen {
type = auth
ipaddr = *
port = 0
  }
  listen {
type = acct
ipaddr = *
port = 0
  }
  client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other
  }
  client 150.150.40.0/16 {
secret = ciscotest1
shortname = private-network-1
nastype = cisco
  }
radiusd:  entering modules setup
radiusd: Library search path is /usr/local/freeradius2/lib
  instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating exec
   exec {
wait = yes
input_pairs = request
shell_escape = yes
   }
rlm_exec: wait=yes but no output defined. Did you mean output=none?
  Module: Linked to module rlm_expr
  Module: Instantiating expr
  Module: Linked to module rlm_expiration
  Module: Instantiating expiration
   expiration {
reply-message = Password Has Expired  
   }
  Module: Linked to module rlm_logintime
  Module: Instantiating logintime
   logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
   }
  }
  modules {
  Module: Instantiating section authenticate
  Module: Linked to module rlm_pap
  Module: Instantiating pap
   pap {
encryption_scheme = auto
auto_header = no
   }
  Module: Linked to module rlm_chap
  Module: Instantiating chap
  Module: Linked to module rlm_mschap
  Module: Instantiating mschap
   mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
   }
  Module: Linked to module rlm_unix
  Module: Instantiating unix
   unix {
radwtmp = 

Re: Problem with freeradius 2.0 pre1 and realms

2007-08-17 Thread A . L . M . Buxey
hi,

you are using the Stripped-User-Name and/or the User-Name.

however, the method you are attempting to use goes through the
MSCHAP module...so you want to look at using mschap:User-Name
attribute. or use unlang to regexp the domain. have you also
got with_ntdomain_hack = yes  ?

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html