Re: Some help with etc_smbpasswd auth and eap ttls
> Ok, I have upgraded to Freeradius version 2.1.3 (following the
> suggestion above). I have configured and gotten everything to work
> except for the domain name stripping at the front of the username (eg:
> HTN/josh). If I don't supply the domain name, authentication succeeds
> perfectly. I am still getting the same error that I was with Freeradius
> version 1.3.1. I've configured a HTN realm to strip off the HTN part and
> in the debug, it appears to work as stripped-user=josh gets proxied
> back. Then authentication fails in the same way as it did before? It is
> mentioned above that there are 3-4 solutions which are trivial in 2.x.
> Since I have Freeradius basically running, could someone spare some of
> their valuable time with a pointer on stripping off the HTN part of the
> user so authentication will succeed?

..

> [ntdomain] Looking up realm "HTN" for User-Name = "HTN\josh"
> [ntdomain] Found realm "HTN"
> [ntdomain] Adding Stripped-User-Name = "josh"
> [ntdomain] Adding Realm = "HTN"
> [ntdomain] Authentication realm is LOCAL.
> ++[ntdomain] returns ok
> ++[control] returns ok
> [eap] EAP packet type response id 1 length 67
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[etc_smbpasswd] returns notfound

You don't have an entry for josh in the users file. Is it supposed to be in smbpasswd? Put Stripped-User-Name in the file format.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Some help with etc_smbpasswd auth and eap ttls
> Honestly... there are 3-4 solutions which are trivial in 2.x. Any
> solution is hard in 1.1.3. I don't even recall what feature set it has
> (or is missing).
>
> Alan DeKok.

> Ok, I have upgraded to Freeradius version 2.1.3 (following the
> suggestion above). I have configured and gotten everything to work
> except for the domain name stripping at the front of the username (eg:
> HTN/josh). If I don't supply the domain name, authentication succeeds
> perfectly. I am still getting the same error that I was with Freeradius
> version 1.3.1. I've configured a HTN realm to strip off the HTN part and
> in the debug, it appears to work as stripped-user=josh gets proxied
> back. Then authentication fails in the same way as it did before? It is
> mentioned above that there are 3-4 solutions which are trivial in 2.x.
> Since I have Freeradius basically running, could someone spare some of
> their valuable time with a pointer on stripping off the HTN part of the
> user so authentication will succeed? Thanks =D.
>
> Below is the part of my debug output from Freeradius showing the
> authentication failure. Once again, it works perfectly if I don't supply
> the domain name (I can then connect perfectly via eap-ttls with
> mschapv2). Hopefully I am close. I can supply more of my configs if
> needed.
>
> Thanks
> -Josh

Ok well once again, the answer was in the debug output. Since it was sending back Stripped-username instead of Username, I had to create a 2nd smbpasswd module. In this module I mapped stripped-user instead of username. This worked.

This does work. Is this a good and acceptable solution? I'd still be interested in hearing other solutions if there are any out there.

Thanks again!
-Josh
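What Ivan's "put Stripped-User-Name in the file format" and Josh's "2nd smbpasswd module" amount to, written out as an added example (not from the thread or the FreeRADIUS distribution): a second rlm_passwd instance keyed on Stripped-User-Name, called from the inner-tunnel authorize section only when the ntdomain realm has set that attribute. The instance name etc_smbpasswd_stripped and the file name are assumptions; the format string follows the stock 2.x etc_smbpasswd module with only the key field changed.

```conf
# Added example, not from the thread. Second passwd instance for FreeRADIUS 2.x,
# e.g. in raddb/modules/smbpasswd_stripped (file name is an assumption).
# Same layout as the stock etc_smbpasswd module; only the '*' key field differs:
# the lookup key is Stripped-User-Name (set by the ntdomain realm) instead of
# User-Name, so a request for "HTN\josh" is looked up as "josh".
passwd etc_smbpasswd_stripped {
	filename = /etc/samba/smbpasswd
	format = "*Stripped-User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
	hashsize = 100
	ignorenislike = no
	allowmultiplekeys = no
}

# Fragment of the authorize section in raddb/sites-available/inner-tunnel.
# ntdomain must run before the lookup so Stripped-User-Name exists; requests
# that carry no DOMAIN\ prefix keep using the original module.
authorize {
	...
	ntdomain
	...
	if (Stripped-User-Name) {
		etc_smbpasswd_stripped
	}
	else {
		etc_smbpasswd
	}
	...
}
```

With the entry found, mschap gets the NT-Password that the debug output above reports as missing, and the outer User-Name stays "HTN\josh" so the reply still matches the name the client sent.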
Re: Some help with etc_smbpasswd auth and eap ttls
Alan DeKok wrote:
> Josh Hiner wrote:
>> Trying to configure eap ttls with mschapv2 using Freeradius version
>> Version 1.1.3 in Redhat enterprise Linux 5.
>
> I suggest upgrading. It's not hard to build an RPM of the latest version
> of the server. Upgrading will get you a lot.

Ok I did upgrade, please see my post below =D.

>> I have configured everything and gotten free radius to authenticate off
>> /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have
>> run into is when I switch the securew2 windows xp eap-ttls client to use
>> the current logged on user credentials. Then, SecureW2 sends the
>> username in the format of DOMAIN/user (which in this case is HTN/josh).
>> Authentication then fails because of this extra domain part in the user.
>> Ok fine, I first enable the nt_domain_hack in the mschap module then I
>> configured realm ntdomain and simply set a default realm in proxy.conf
>> to strip off the domain part. Nope, that fails (output will be included
>> below). I also tried nostrip but that also fails obviously. Also tried
>> silently stripping the domain in pre-process in radiusd.conf. Auth is
>> successful but finally rejected because the user doesn't match the
>> original HTN/josh user sent.
>
> This is fixed in 2.x. You can have different policies for inside the TLS
> tunnel and outside of it. This makes these configurations easier.

Ok I do see this now but am still getting the same error. Please see below.

>> Anyways, anyone know of how to get etc_smbpasswd module to work. I don't
>> want to use the users file (blech) even though it does work when I put
>> the user in there, and again, if I just supply the username and password
>> (and leave the domain part blank in SecureW2 ttls client) authentication
>> does work off /etc/samba/smbpasswd.
>
> Honestly... there are 3-4 solutions which are trivial in 2.x. Any
> solution is hard in 1.1.3. I don't even recall what feature set it has
> (or is missing).
>
> Alan DeKok.

Ok, I have upgraded to Freeradius version 2.1.3 (following the suggestion above). I have configured and gotten everything to work except for the domain name stripping at the front of the username (eg: HTN/josh). If I don't supply the domain name, authentication succeeds perfectly. I am still getting the same error that I was with Freeradius version 1.3.1. I've configured a HTN realm to strip off the HTN part and in the debug, it appears to work as stripped-user=josh gets proxied back. Then authentication fails in the same way as it did before? It is mentioned above that there are 3-4 solutions which are trivial in 2.x. Since I have Freeradius basically running, could someone spare some of their valuable time with a pointer on stripping off the HTN part of the user so authentication will succeed? Thanks =D.

Below is the part of my debug output from Freeradius showing the authentication failure. Once again, it works perfectly if I don't supply the domain name (I can then connect perfectly via eap-ttls with mschapv2). Hopefully I am close. I can supply more of my configs if needed.

Thanks
-Josh

server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "HTN\josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "HTN" for User-Name = "HTN\josh"
[ntdomain] Found realm "HTN"
[ntdomain] Adding Stripped-User-Name = "josh"
[ntdomain] Adding Realm = "HTN"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 1 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[etc_smbpasswd] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for josh with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
	MS-CHAP-Error = "\001E=691 R=1"
	EAP-Message = 0x04010004
	Message-Authenticator = 0x
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user HTN\josh
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Re: Some help with etc_smbpasswd auth and eap ttls
Alan DeKok wrote:
> I suggest upgrading. It's not hard to build an RPM of the latest version
> of the server.

Information on this wiki page will be helpful to you:

http://wiki.freeradius.org/Red_Hat_FAQ

-- 
John Dennis
Re: Some help with etc_smbpasswd auth and eap ttls
Hi,

> I have configured everything and gotten free radius to authenticate off
> /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have
> run into is when I switch the securew2 windows xp eap-ttls client to use
> the current logged on user credentials. Then, SecureW2 sends the
> username in the format of DOMAIN/user (which in this case is HTN/josh).
> Authentication then fails because of this extra domain part in the user.
> Ok fine, I first enable the nt_domain_hack in the mschap module then I
> configured realm ntdomain and simply set a default realm in proxy.conf
> to strip off the domain part. Nope, that fails (output will be included
> below). I also tried nostrip but that also fails obviously. Also tried
> silently stripping the domain in pre-process in radiusd.conf. Auth is
> successful but finally rejected because the user doesn't match the
> original HTN/josh user sent.

You need to look at using the Stripped-User-Name rather than just the User-Name (because that contains the REALM/ stuff).

Alternatively, you can specify in proxy.conf to proxy anything with REALM/ to your RADIUS server with realm stripping on - this should send the request back to your server with just User-Name plain.. but it's not clean.

As Alan DeKok states, this sort of thing is very nice in 2.x FreeRADIUS, it just works(tm)

alan
Re: Some help with etc_smbpasswd auth and eap ttls
Josh Hiner wrote:
> Trying to configure eap ttls with mschapv2 using Freeradius version
> Version 1.1.3 in Redhat enterprise Linux 5.

I suggest upgrading. It's not hard to build an RPM of the latest version of the server. Upgrading will get you a lot.

> I have configured everything and gotten free radius to authenticate off
> /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have
> run into is when I switch the securew2 windows xp eap-ttls client to use
> the current logged on user credentials. Then, SecureW2 sends the
> username in the format of DOMAIN/user (which in this case is HTN/josh).
> Authentication then fails because of this extra domain part in the user.
> Ok fine, I first enable the nt_domain_hack in the mschap module then I
> configured realm ntdomain and simply set a default realm in proxy.conf
> to strip off the domain part. Nope, that fails (output will be included
> below). I also tried nostrip but that also fails obviously. Also tried
> silently stripping the domain in pre-process in radiusd.conf. Auth is
> successful but finally rejected because the user doesn't match the
> original HTN/josh user sent.

This is fixed in 2.x. You can have different policies for inside the TLS tunnel and outside of it. This makes these configurations easier.

> Anyways, anyone know of how to get etc_smbpasswd module to work. I don't
> want to use the users file (blech) even though it does work when I put
> the user in there, and again, if I just supply the username and password
> (and leave the domain part blank in SecureW2 ttls client) authentication
> does work off /etc/samba/smbpasswd.

Honestly... there are 3-4 solutions which are trivial in 2.x. Any solution is hard in 1.1.3. I don't even recall what feature set it has (or is missing).

Alan DeKok.