Re: Betr.: Re: Question about differences between possibilities of authentication

2013-04-12 Thread Alan DeKok
Bas Penris wrote:
> The reason I didn't post the debugs and config files was because I
> thought there might be an easy explanation which one of you would be
> able to spoon up without any trouble.

  We need certain information to answer questions.  One piece of which
is the debug output.  That's why we ask for it DAILY on this list.

  There is NO excuse for not posting it when you're trying to debug a
problem.

> Especially because nothing is
> broken and everything works as it's supposed to.

  So you said it didn't do what you wanted, but that it works?

> I'll get back with a debug log and the config after the weekend.

  Did I ask for the configuration?  No.

  I asked for the debug output.  That's what I want.  I don't want
copies of your configuration.  If I had wanted copies of the
configuration, I would have asked for them.

  Please follow instructions.  A MAJOR reason why people have trouble is
that they refuse to follow instructions.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Betr.: Re: Question about differences between possibilities of authentication

2013-04-12 Thread Bas Penris
Hi Alan,
 
The reason I didn't post the debugs and config files was because I thought 
there might be an easy explanation which one of you would be able to spoon up 
without any trouble. Especially because nothing is broken and everything works 
as it's supposed to.
 
I'll get back with a debug log and the config after the weekend.
 
Regards,
 
Bas


Re: Question about differences between possibilities of authentication

2013-04-12 Thread Alan DeKok
Bas Penris wrote:
> Everything is working as it should so no worries there, but I'm curious
> about something. I configured the proxies and the local realm. When I
> did a radtest like this:
> radtest che...@localdomain.nl password 127.0.0.1 1 secret
> I would get an Access-Accept.

  That's the easy part.

> The debug output would show that first a
> bind and then an LDAP search is performed in our eDirectory. Okay! Fun
> times I thought, let's try it on my mobile phone because a test account
> I got from an academic institution in the UK worked so local
> authentication should work as well! I entered the credentials but now
> comes the difference. Using a Wifi device made the LDAP search fail
> because it tried to authenticate the u...@domain.nl
> instead of stripping the suffix.

  Don't test from a mobile device until you've done complete EAP testing
yourself.  You'll get a LOT more useful information.

  See my web page: http://deployingradius.com

> I've been staring at the config files to see if I got the LDAP-filter
> defined two times somewhere but that doesn't seem to be the case. Now,
> this wasn't a really big problem because users can be pretty stupid and
> we decided to let them authenticate using their email address instead
> of their username@domain, which would lead to too much confusion for them.

  It's usually best to use the full email address.  It simplifies a lot
of issues.

> The LDAP filter was:
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> Is now:
> filter = "(|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))"
> The proxy.conf lines right before it's defaulted to eduroam:
> realm ettyhillesumlyceum.nl {
> }

  So... you're posting tiny pieces of the config.  But not the debug
output as suggested in the FAQ, README, "man" page, web pages, and daily
on this list?

> Does anyone have an idea why radtest would behave differently from an 802.1x
> login?

  Because it's doing different searches.  See the debug output for more
information.  It's all in there.  Really.  That's why we tell people to
read it, and to post it here.

  Alan DeKok.


Question about differences between possibilities of authentication

2013-04-11 Thread Bas Penris
Hi All,
 
Over the last week I've had my first encounter with FreeRADIUS, as we were supposed 
to deploy eduroam. I had a lot of fun doing it, although I have dreamt about the 
config files after a couple of days :)
 
Everything is working as it should so no worries there, but I'm curious about 
something. I configured the proxies and the local realm. When I did a radtest 
like this:
radtest che...@localdomain.nl password 127.0.0.1 1 secret
I would get an Access-Accept. The debug output would show that first a bind and 
then an LDAP search is performed in our eDirectory. Okay! Fun times I thought, 
let's try it on my mobile phone because a test account I got from an academic 
institution in the UK worked so local authentication should work as well! I 
entered the credentials but now comes the difference. Using a Wifi device made 
the LDAP search fail because it tried to authenticate the u...@domain.nl instead 
of stripping the suffix.
 
I've been staring at the config files to see if I got the LDAP-filter defined 
two times somewhere but that doesn't seem to be the case. Now, this wasn't a 
really big problem because users can be pretty stupid and we decided to let 
them authenticate using their email address instead of their username@domain, 
which would lead to too much confusion for them.
 
The LDAP filter was:
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
Is now:
filter = "(|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))"
The proxy.conf lines right before it's defaulted to eduroam:
realm ettyhillesumlyceum.nl {
}
 
Does anyone have an idea why radtest would behave differently from an 802.1x login?
 
Regards,
 
Bas
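The following is an added example, not FreeRADIUS code or anything from the thread: a small Python model of how the two filters quoted above expand, depending on whether the realm module recognised the suffix and set Stripped-User-Name. It assumes a simplified realm module (format = suffix, delimiter "@", only configured local realms strip), uses constructed names such as student@localdomain.nl in place of the truncated address in the post, and escapes every expanded value per RFC 4515 the way rlm_ldap does, since User-Name is client-supplied.

```python
import re

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The two xlats used in the thread's filters, matched in one pass so that an
# already-substituted value is never expanded a second time.
_XLAT = re.compile(r"%\{Stripped-User-Name:-%\{User-Name\}\}|%\{User-Name\}")

OLD_FILTER = "(uid=%{Stripped-User-Name:-%{User-Name}})"
NEW_FILTER = "(|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))"


def ldap_escape(value: str) -> str:
    """Escape a client-supplied value before it goes into a search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def realm_split(user_name: str, local_realms: set) -> tuple:
    """Simplified model (assumption) of the realm module: returns
    (Stripped-User-Name, Realm). The name is stripped only when the suffix
    matches a configured local realm; any other suffix, e.g. one handed to
    the eduroam DEFAULT proxy realm, leaves Stripped-User-Name unset."""
    if "@" not in user_name:
        return None, None
    user, _, realm = user_name.rpartition("@")
    realm = realm.lower()
    return (user, realm) if realm in local_realms else (None, realm)


def expand_filter(template: str, user_name: str, stripped) -> str:
    """%{Stripped-User-Name:-%{User-Name}} falls back to the full User-Name
    when nothing was stripped; %{User-Name} is always the full name."""
    fallback = user_name if stripped is None else stripped

    def sub(m):
        value = fallback if m.group(0).startswith("%{Stripped") else user_name
        return ldap_escape(value)

    return _XLAT.sub(sub, template)


def search_filter(template: str, user_name: str, local_realms: set) -> str:
    """Run a User-Name through the realm model, then expand the filter."""
    stripped, _realm = realm_split(user_name, local_realms)
    return expand_filter(template, user_name, stripped)


if __name__ == "__main__":
    realms = {"ettyhillesumlyceum.nl"}  # the local realm from proxy.conf
    for name in ("student@ettyhillesumlyceum.nl", "student@localdomain.nl"):
        print(name, "old:", search_filter(OLD_FILTER, name, realms))
        print(name, "new:", search_filter(NEW_FILTER, name, realms))
```

With the old filter a name whose suffix was not stripped is searched as `uid=user@domain`, which is the failure the post describes; the new filter still matches such a name through its `mail=` branch.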