Re: Some help with etc_smbpasswd auth and eap ttls

2009-01-08 Thread tnt
>Ok, I have upgraded to Freeradius version 2.1.3 (following the
>suggestion above). I have configured and gotten everything to work
>except for the domain name stripping at the front of the username (eg:
>HTN/josh). If I don't supply the domain name, authentication succeeds
>perfectly. I am still getting the same error that I was with Freeradius
>version 1.3.1. I've configured a HTN realm to strip off the HTN part and
>in the debug, it appears to work as stripped-user=josh gets proxied
>back. Then authentication fails in the same way as it did before? It is
>mentioned above that there are 3-4 solutions which are trivial in 2.x.
>Since I have Freeradius basically running, could someone spare some of
>their valuable time with a pointer on stripping off the HTN part of the
>user so authentication will succeed?
..
>[ntdomain] Looking up realm "HTN" for User-Name = "HTN\josh"
>[ntdomain] Found realm "HTN"
>[ntdomain] Adding Stripped-User-Name = "josh"
>[ntdomain] Adding Realm = "HTN"
>[ntdomain] Authentication realm is LOCAL.
>++[ntdomain] returns ok
>++[control] returns ok
>[eap] EAP packet type response id 1 length 67
>[eap] No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>++[files] returns noop
>++[etc_smbpasswd] returns notfound

You don't have an entry for josh in the users file. Is it supposed to be in
smbpasswd? Put Stripped-User-Name in the file format.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Some help with etc_smbpasswd auth and eap ttls

2009-01-07 Thread Josh Hiner
>>   Honestly... there are 3-4 solutions which are trivial in 2.x.  Any
>> solution is hard in 1.1.3.  I don't even recall what feature set it has
>> (or is missing).
>>
>>   Alan DeKok.
>
> Ok, I have upgraded to Freeradius version 2.1.3 (following the
> suggestion above). I have configured and gotten everything to work
> except for the domain name stripping at the front of the username (eg:
> HTN/josh). If I don't supply the domain name, authentication succeeds
> perfectly. I am still getting the same error that I was with
> Freeradius version 1.3.1. I've configured a HTN realm to strip off the
> HTN part and in the debug, it appears to work as stripped-user=josh
> gets proxied back. Then authentication fails in the same way as it
> did before? It is mentioned above that there are 3-4 solutions which
> are trivial in 2.x. Since I have Freeradius basically running, could
> someone spare some of their valuable time with a pointer on stripping
> off the HTN part of the user so authentication will succeed? Thanks
> =D. Below is the part of my debug output from Freeradius showing the
> authentication failure. Once again, it works perfectly if I don't
> supply the domain name (I can then connect perfectly via eap-ttls with
> mschapv2). Hopefully I am close. I can supply more of my configs if
> needed.
>
> Thanks -Josh

Ok well once again, the answer was in the debug output. Since it was
sending back Stripped-User-Name instead of User-Name, I had to create a
2nd smbpasswd module. In this module I mapped Stripped-User-Name instead of
User-Name. This worked. This does work. Is this a good and acceptable
solution? I'd still be interested in hearing other solutions if there
are any out there. Thanks again!


-Josh
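One way to express what Josh and Ivan describe in 2.x (a second rlm_passwd instance over the same smbpasswd file, keyed on Stripped-User-Name, and an authorize branch that picks the instance depending on whether the ntdomain realm stripped a domain). This is an added example, not config from the thread; the file path is the one from the thread, while the second instance name, the config file locations and the unlang branch are assumptions.

```conf
# Added example (not from this thread). FreeRADIUS 2.x, assumed to live in
# raddb/modules/ (module instances) and raddb/sites-enabled/inner-tunnel
# (authorize section). Path /etc/samba/smbpasswd is the one from the thread.

# Instance keyed on User-Name: matches when no realm was stripped
# (client sent just "josh").
passwd etc_smbpasswd {
	filename = /etc/samba/smbpasswd
	# "*" marks the key field; smbpasswd lines are
	# user:uid:LM_HASH:NT_HASH:[flags]:LCT-xxx:
	format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
	hashsize = 100
	ignorenislike = no
	allowmultiplekeys = no
}

# Same file, keyed on Stripped-User-Name: matches after ntdomain turned
# "HTN\josh" into Stripped-User-Name = "josh". Instance name is assumed.
passwd etc_smbpasswd_stripped {
	filename = /etc/samba/smbpasswd
	format = "*Stripped-User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
	hashsize = 100
	ignorenislike = no
	allowmultiplekeys = no
}

# inner-tunnel authorize section, same module order as the debug output
# in the thread up to the smbpasswd lookup; only the branch is new.
authorize {
	chap
	mschap
	unix
	suffix
	ntdomain
	control
	eap
	files
	# Look the user up under whichever name the realm module left us with,
	# so both "josh" and "HTN\josh" end up with an NT-Password for mschap.
	if (Stripped-User-Name) {
		etc_smbpasswd_stripped
	}
	else {
		etc_smbpasswd
	}
	expiration
	logintime
	pap
}
```

If the lookup works, the inner-tunnel debug should show the chosen instance returning ok and mschap reporting "Told to do MS-CHAPv2 for josh with NT-Password" without the "No NT/LM-Password" failure.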


Re: Some help with etc_smbpasswd auth and eap ttls

2009-01-07 Thread Josh Hiner

Alan DeKok wrote:

> Josh Hiner wrote:
>
>> Trying to configure eap ttls with mschapv2 using Freeradius version
>> Version 1.1.3 in Redhat enterprise Linux 5.
>
>   I suggest upgrading.  It's not hard to build an RPM of the latest
> version of the server.
>
>   Upgrading will get you a lot.

Ok I did upgrade, please see my post below =D.

>> I have configured everything and gotten free radius to authenticate off
>> /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have
>> run into is when I switch the securew2 windows xp eap-ttls client to use
>> the current logged on user credentials. Then, SecureW2 sends the
>> username in the format of DOMAIN/user (which in this case is HTN/josh).
>> Authentication then fails because of this extra domain part in the user.
>> Ok fine, I first enable the nt_domain_hack in the mschap module then I
>> configured realm ntdomain and simply set a default realm in proxy.conf
>> to strip off the domain part. Nope, that fails (output will be included
>> below). I also tried nostrip but that also fails obviously. Also tried
>> silently stripping the domain in pre-process in radiusd.conf. Auth is
>> successful but finally rejected because the user doesn't match the
>> original HTN/josh user sent.
>
>   This is fixed in 2.x.  You can have different policies for inside the
> TLS tunnel and outside of it.  This makes these configurations easier.

Ok I do see this now but am still getting the same error. Please see below.

>> Anyways, anyone know of how to get etc_smbpasswd module to work. I don't
>> want to use the users file (blech) even though it does work when I put
>> the user in there, and again, if I just supply the username and password
>> (and leave the domain part blank in SecureW2 ttls client) authentication
>> does work off /etc/samba/smbpasswd.
>
>   Honestly... there are 3-4 solutions which are trivial in 2.x.  Any
> solution is hard in 1.1.3.  I don't even recall what feature set it has
> (or is missing).
>
>   Alan DeKok.

Ok, I have upgraded to Freeradius version 2.1.3 (following the
suggestion above). I have configured and gotten everything to work
except for the domain name stripping at the front of the username (eg:
HTN/josh). If I don't supply the domain name, authentication succeeds
perfectly. I am still getting the same error that I was with Freeradius
version 1.3.1. I've configured a HTN realm to strip off the HTN part and
in the debug, it appears to work as stripped-user=josh gets proxied
back. Then authentication fails in the same way as it did before? It is
mentioned above that there are 3-4 solutions which are trivial in 2.x.
Since I have Freeradius basically running, could someone spare some of
their valuable time with a pointer on stripping off the HTN part of the
user so authentication will succeed? Thanks =D. Below is the part of my
debug output from Freeradius showing the authentication failure. Once
again, it works perfectly if I don't supply the domain name (I can then
connect perfectly via eap-ttls with mschapv2). Hopefully I am close. I
can supply more of my configs if needed.

Thanks -Josh

server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "HTN\josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "HTN" for User-Name = "HTN\josh"
[ntdomain] Found realm "HTN"
[ntdomain] Adding Stripped-User-Name = "josh"
[ntdomain] Adding Realm = "HTN"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 1 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[etc_smbpasswd] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for josh with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
   MS-CHAP-Error = "\001E=691 R=1"
   EAP-Message = 0x04010004
   Message-Authenticator = 0x
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user HTN\josh
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.



Re: Some help with etc_smbpasswd auth and eap ttls

2009-01-07 Thread John Dennis

Alan DeKok wrote:

>   I suggest upgrading.  It's not hard to build an RPM of the latest
> version of the server.

Information on this wiki page will be helpful to you:

http://wiki.freeradius.org/Red_Hat_FAQ

--
John Dennis



Re: Some help with etc_smbpasswd auth and eap ttls

2009-01-07 Thread A . L . M . Buxey
Hi,

> I have configured everything and gotten free radius to authenticate off  
> /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have  
> run into is when I switch the securew2 windows xp eap-ttls client to use  
> the current logged on user credentials. Then, SecureW2 sends the  
> username in the format of DOMAIN/user (which in this case is HTN/josh).  
> Authentication then fails because of this extra domain part in the user.  
> Ok fine, I first enable the nt_domain_hack in the mschap module then I  
> configured realm ntdomain and simply set a default realm in proxy.conf  
> to strip off the domain part. Nope, that fails (output will be included  
> below). I also tried nostrip but that also fails obviously. Also tried  
> silently stripping the domain in pre-process in radiusd.conf. Auth is
> successful but finally rejected because the user doesn't match the
> original HTN/josh user sent.

you need to look at using the Stripped-User-Name rather than just the
User-Name (because that contains the REALM/ stuff).

alternatively, you can specify in proxy.conf to proxy anything with
REALM/ to your RADIUS server with realm stripping on - this should
send the request back to your server with just User-Name plain..
but it's not clean.   As Alan DeKok states, this sort of thing is very
nice in 2.x FreeRADIUS, it just works(tm)

alan


Re: Some help with etc_smbpasswd auth and eap ttls

2009-01-06 Thread Alan DeKok
Josh Hiner wrote:
> Trying to configure eap ttls with mschapv2 using Freeradius version
> Version 1.1.3 in Redhat enterprise Linux 5.

  I suggest upgrading.  It's not hard to build an RPM of the latest
version of the server.

  Upgrading will get you a lot.

> I have configured everything and gotten free radius to authenticate off
> /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have
> run into is when I switch the securew2 windows xp eap-ttls client to use
> the current logged on user credentials. Then, SecureW2 sends the
> username in the format of DOMAIN/user (which in this case is HTN/josh).
> Authentication then fails because of this extra domain part in the user.
> Ok fine, I first enable the nt_domain_hack in the mschap module then I
> configured realm ntdomain and simply set a default realm in proxy.conf
> to strip off the domain part. Nope, that fails (output will be included
> below). I also tried nostrip but that also fails obviously. Also tried
> silently stripping the domain in pre-process in radiusd.conf. Auth is
> successful but finally rejected because the user doesn't match the
> original HTN/josh user sent.

  This is fixed in 2.x.  You can have different policies for inside the
TLS tunnel and outside of it.  This makes these configurations easier.

> Anyways, anyone know of how to get etc_smbpasswd module to work. I don't
> want to use the users file (blech) even though it does work when I put
> the user in there, and again, if I just supply the username and password
> (and leave the domain part blank in SecureW2 ttls client) authentication
> does work off /etc/samba/smbpasswd.

  Honestly... there are 3-4 solutions which are trivial in 2.x.  Any
solution is hard in 1.1.3.  I don't even recall what feature set it has
(or is missing).

  Alan DeKok.