Re: Removing domain prefix from login

2011-11-14 Thread Alejandro Gandara
Hi list,

Thanks for the help. I've fixed the problem by changing the following parameters:
/etc/freeradius/sites-enabled/inner-tunnel:authorize: ntdomain
/etc/freeradius/modules/mschap:with_ntdomain_hack = yes

Now everything is OK.

Thanks for everything.

Regards
Alejandro Gándara
Junior System Administrator
OptareSolutions

2011/11/11 Phil Mayers 

> On 11/11/11 09:52, Alejandro Gandara wrote:
>
>> This is the short view:
>>
>> [peap] The users session was previously rejected: returning reject
>> (again.)
>> [peap] *** This means you need to read the PREVIOUS messages in the
>
> Sigh.
>
> Read this line.
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Removing domain prefix from login

2011-11-11 Thread Phil Mayers

On 11/11/11 09:52, Alejandro Gandara wrote:

> This is the short view:
>
> [peap] The users session was previously rejected: returning reject (again.)
> [peap] *** This means you need to read the PREVIOUS messages in the


Sigh.

Read this line.


Re: Removing domain prefix from login

2011-11-11 Thread Alejandro Gandara
2011/11/11 Phil Mayers 

> On 11/11/2011 07:46 AM, Alejandro Gandara wrote:
>
>  I got erros anyways. I've attached debug output
>>
>
> The debug output didn't make it through; I guess it was too big. Use a
> pastebin, or put it inline in the email?
>
This is the short view:
++[preprocess] returns ok
[ntdomain] Looking up realm "OPTARE" for User-Name = "OPTARE\brouco"
[ntdomain] Found realm "OPTARE"
[ntdomain] Adding Stripped-User-Name = "brouco"
[ntdomain] Adding Realm = "OPTARE"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[mschap] returns noop
++[digest] returns noop
[ldap] performing user authorization for brouco
[ldap]  expand: %{Stripped-User-Name} -> brouco
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=brouco)
[ldap]  expand: dc=optare,dc=loc -> dc=optare,dc=loc
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=optare,dc=loc, with filter (uid=brouco)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] roomNumber -> Pool-Name == "infraestructuras"
  [ldap] sambaNtPassword -> NT-Password ==
0x3245334230434533423046383434414238374145393237384141453730393331
[ldap] looking for reply items in directory...
  [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "01"
  [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] radiusFramedIPAddress -> Framed-IP-Address = 192.45.51.9
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user brouco authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] EAP packet type response id 45 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug
output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell
you.
[peap]  *** what went wrong, and how to fix the problem.
  SSL: Removing session
1390126992ccf15f6eca58514ff74975f8661cc927bbe3a5f0e0a52b9a310e4a from the
cache
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [OPTARE\\brouco/] (from client
privradius port 29 cli f0-4d-a2-bc-77-cd)
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform
requested action.
# Executing group from file /etc/freeradius/sites-enabled/default
Delaying reject of request 6 for 1 seconds


Thanks for the help



Re: Removing domain prefix from login

2011-11-11 Thread Phil Mayers

On 11/11/2011 07:46 AM, Alejandro Gandara wrote:

> I got errors anyway. I've attached debug output


The debug output didn't make it through; I guess it was too big. Use a 
pastebin, or put it inline in the email?



Re: Removing domain prefix from login

2011-11-10 Thread Phil Mayers

On 11/10/2011 10:06 PM, Alan Buxey wrote:

> Hi,
>
>> As per the docs. This config item should not be used, and is causing
>> things to break.
>
> umm, wasn't there a discussion recently in which
>
> with_ntdomain_hack = yes
>
> was going to be set by default in FR 3.x ?


That was the option on the mschap module. That option does not modify 
the packet, and only controls the string that is input into the mschap 
challenge/response calculation. Since the RFC says that input string 
should always be the username without leading DOMAIN\, it seems sensible 
to change that default and rename the option to something like 
"challenge_ignore_ntdomain" or something.


*This* option, unfortunately named the same thing, does something 
different - it modifies the username in the packet to remove the DOMAIN\ 
which is almost never a good thing, and definitely not if you're using 
EAP. It should probably just be removed - people can use unlang if they 
really want to hack away at the username.


There's also a with_ntdomain_hack on rlm_eap_mschapv2 which again does 
something different - it strips the DOMAIN\ when proxying the mschap to 
a remote server. It should probably be renamed to "proxy_send_domain" or 
something.

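The distinction Phil draws above, between an option that rewrites User-Name in the packet and one that only changes the string fed into the MS-CHAP calculation, can be seen in the ChallengeHash step of RFC 2759. The following is an added example, not code from this thread or from FreeRADIUS: it implements ChallengeHash() (SHA-1 over PeerChallenge, AuthenticatorChallenge and the user name, truncated to 8 octets) and compares what a server derives with and without stripping DOMAIN\ against what a peer that follows RFC 2759 section 8.2 derives. The challenge bytes are constructed sample values, the user name OPTARE\brouco is taken from the thread, the function names are this example's own, and the with_ntdomain_hack flag here is only a label modelled on the mschap module option, not FreeRADIUS's implementation of it.

```python
"""RFC 2759 ChallengeHash() with and without the NT domain prefix.

Added example, not code from the thread or from FreeRADIUS.  The 8-octet
challenge that peer and authenticator must both derive depends on the
exact user-name octets fed to SHA-1, and RFC 2759 section 8.2 says the
prepended domain is excluded.  Challenge values below are constructed.
"""
import hashlib


def strip_ntdomain(user_name):
    """Return the user part of DOMAIN\\user, or the name unchanged."""
    _domain, sep, user = user_name.partition("\\")
    return user if sep else user_name


def challenge_hash(peer_challenge, authenticator_challenge, user_name):
    """ChallengeHash() from RFC 2759 section 8.2.

    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName), truncated
    to the first 8 octets.  UserName is hashed exactly as passed in.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge are 16 octets each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(authenticator_challenge)
    sha.update(user_name.encode("utf-8"))
    return sha.digest()[:8]


def server_challenge(peer_challenge, authenticator_challenge, user_name,
                     with_ntdomain_hack):
    """Challenge the server derives from the User-Name it received.

    with_ntdomain_hack=True mirrors the mschap module option: strip
    DOMAIN\\ before hashing, as the RFC requires.  False hashes the string
    as received, which cannot match a conforming peer when the name
    carries a DOMAIN\\ prefix.  Neither branch modifies User-Name itself.
    """
    name = strip_ntdomain(user_name) if with_ntdomain_hack else user_name
    return challenge_hash(peer_challenge, authenticator_challenge, name)


def peer_challenge_value(peer_challenge, authenticator_challenge, user_name):
    """Challenge a conforming peer derives: domain stripped per RFC 2759."""
    return challenge_hash(peer_challenge, authenticator_challenge,
                          strip_ntdomain(user_name))


if __name__ == "__main__":
    peer = bytes(range(16))             # constructed sample, not captured traffic
    auth = bytes(range(16, 32))         # constructed sample, not captured traffic
    user_name = "OPTARE\\brouco"        # identity as the switch forwards it
    expected = peer_challenge_value(peer, auth, user_name)
    for hack in (True, False):
        derived = server_challenge(peer, auth, user_name, hack)
        print("with_ntdomain_hack = %-3s challenge=%s verifies=%s"
              % ("yes" if hack else "no", derived.hex(), derived == expected))
```

Run stand-alone it prints two challenges for the same request; only the one derived after stripping the domain equals the peer's, which is why the mschap option can be flipped without touching the packet, while the preprocess option of the same name changes User-Name and breaks the EAP identity check instead.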


Re: Removing domain prefix from login

2011-11-10 Thread Alan Buxey
Hi,

> As per the docs. This config item should not be used, and is causing 
> things to break.

umm, wasn't there a discussion recently in which

with_ntdomain_hack = yes

was going to be set by default in FR 3.x ?

alan


Re: Removing domain prefix from login

2011-11-10 Thread Phil Mayers

On 10/11/11 16:53, Alejandro Gandara wrote:

> # This configuration entry SHOULD NOT be used.
> # See the "realms" module for a better way to handle
> # NT domains.
> with_ntdomain_hack = yes

^^^

As per the docs. This config item should not be used, and is causing 
things to break.


Set this back to "no". Edit the "proxy.conf" file and add:

realm OPTARE {
}

Then edit raddb/sites-enabled/ and add:

authorize {
  preprocess
  ntdomain
   rest of config
}



Re: Removing domain prefix from login

2011-11-10 Thread Alejandro Gandara
2011/11/10 Phil Mayers 

> Ok, your debug says:
>
> rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21,
> length=218
>Framed-MTU = 1480
>NAS-IP-Address = 172.20.40.11
>NAS-Identifier = "SW-Priv-1-1"
>
>User-Name = "OPTARE\\brouco"
> 
> # Executing section authorize from file /etc/freeradius/sites-enabled/**
> default
> +- entering group authorize {...}
> ++[preprocess] returns ok
>
> Why is preprocess returning "ok"?
>
This is preprocess:
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints

# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the "+" works
# for IP address assignments.
with_ascend_hack = no
ascend_channels_per_line = 23

# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = yes

# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a "/"
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
with_specialix_jetstream_hack = no

# Cisco (and Quintum in Cisco mode) sends it's VSA attributes
# with the attribute name *again* in the string, like:
#
#   H323-Attribute = "h323-attribute=value".
#
# If this configuration item is set to 'yes', then
# the redundant data in the the attribute text is stripped
# out.  The result is:
#
#  H323-Attribute = "value"
#
# If you're not running a Cisco or Quintum NAS, you don't


 }

>
> What are you doing in the hints module?
>
> Are you modifying the username field? A few lines later it says:
>
> [ldap]  expand: %{User-Name} -> brouco
>
>
> If you're modifying the username, you can't do that. It will break EAP,
> which is why it says:
>
> [eap] Identity does not match User-Name, setting from EAP Identity.
>
> ...then fails.
>
> I assume you want to strip "DOMAIN\" so that you can do LDAP? You CANNOT
> modify the User-Name field. You MUST use the Stripped-User-Name field, and
> leave the User-Name field alone.
>


Re: Removing domain prefix from login

2011-11-10 Thread Phil Mayers

Ok, your debug says:

rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21, 
length=218

Framed-MTU = 1480
NAS-IP-Address = 172.20.40.11
NAS-Identifier = "SW-Priv-1-1"
User-Name = "OPTARE\\brouco"

# Executing section authorize from file 
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok

Why is preprocess returning "ok"?

What are you doing in the hints module?

Are you modifying the username field? A few lines later it says:

[ldap]  expand: %{User-Name} -> brouco

If you're modifying the username, you can't do that. It will break EAP, 
which is why it says:


[eap] Identity does not match User-Name, setting from EAP Identity.

...then fails.

I assume you want to strip "DOMAIN\" so that you can do LDAP? You CANNOT 
modify the User-Name field. You MUST use the Stripped-User-Name field, 
and leave the User-Name field alone.



Re: Removing domain prefix from login

2011-11-10 Thread Alejandro Gandara
2011/11/10 Alan Buxey 

> Hi,
>
>> rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21,
>> length=218
>
>
>> User-Name = "OPTARE\\brouco"
>

I know this, that's why I need to try to remove this prefix. At first I
thought I could do it with module/realm, but I didn't get good results.

>
> all okay... but then:
>
>> # Executing section authorize from file
>> /etc/freeradius/sites-enabled/default
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[mschap] returns noop
>> ++[digest] returns noop
>> [ldap] performing user authorization for brouco
>> [ldap]  expand: %{Stripped-User-Name} ->
>
> no stripped-user-name
>

I think the problem is that EAP is looking for User-Name and I need it to
look for the stripped one.

>
> and User-Name is brouco, but that's not what the client sent. They sent
> OPTARE\\brouco, so your reply references something they didn't send.
>
> Have you got the 'ntdomain' module enabled in your virtual servers, just
> after 'preprocess' is called?
>
> alan

Regards,

Alejandro


Re: Removing domain prefix from login

2011-11-10 Thread Alan Buxey
Hi,

> rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21, 
> length=218


>   User-Name = "OPTARE\\brouco"



all okay... but then:

> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[mschap] returns noop
> ++[digest] returns noop
> [ldap] performing user authorization for brouco
> [ldap]  expand: %{Stripped-User-Name} -> 

no stripped-user-name

and User-Name is brouco, but that's not what the client sent. They sent 
OPTARE\\brouco, so your reply references something they didn't send.

Have you got the 'ntdomain' module enabled in your virtual servers, just 
after 'preprocess' is called?

alan


Re: Removing domain prefix from login

2011-11-10 Thread Alejandro Gandara
2011/11/10 Phil Mayers 

> On 10/11/11 08:15, Alejandro Gandara wrote:
>
>> Hi Alan,
>>
>> Thanks for your answers and excuse me for my English, full of mistakes.
>>
>> 2011/11/10 Alan DeKok
>>
>>> Alejandro Gandara wrote:
>>>> I'm authenticating users in RADIUS against LDAP. If I log in from a
>>>> computer with 802.1X configured and the user and password taken
>>>> automatically from the domain, I'm getting wrong authentication because
>>>> the login has the following string:
>>>>
>>>> DOMAIN\\Users
>>>>
>>>> How can I avoid RADIUS reading the prefix?
>>>
>>> You should be able to authenticate using just the user name, using
>>> ntlm_auth. See the examples in raddb/modules/ntlm_auth
>>
>> I'm reading about it. Thanks for this information.
>>
>>>> I've tried to introduce the option prefix in /etc/sites-enable/default,
>>>> but it's giving me back errors because of the wrong way to introduce
>>>> that line.
>>>
>>> Yes. Don't define a realm. It won't work.
>>>
>>> Post the debug output. That helps, too.
>>
>> This is my debug output:
>>
>> rad_recv: Access-Request packet from host 172.20.40.28 port 1025,
>> id=112, length=218
>> Framed-MTU = 1480
>> NAS-IP-Address = 172.20.40.28
>> NAS-Identifier = "SW-INT-1-3"
>> User-Name = "PRIVATE\\usertest"
>
> Have you edited this debug?
>
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> NAS-Port = 32
>> NAS-Port-Type = Ethernet
>> NAS-Port-Id = "32"
>> Called-Station-Id = "f0-62-81-05-33-40"
>> Calling-Station-Id = "f0-4d-a2-bc-77-cd"
>> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
>> Tunnel-Type:0 = VLAN
>> Tunnel-Medium-Type:0 = IEEE-802
>> Tunnel-Private-Group-Id:0 = "1"
>> EAP-Message = 0x020a0012014f50544152455c62726f75636f
>
> This decodes as:
>
> \x02\n\x00\x12\x01OPTARE\\brouco
>
>> Message-Authenticator = 0x055981a2c542df52f4c292042c89a019
>>
>> Found Auth-Type = EAP
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group authenticate {...}
>> *[eap] Identity does not match User-Name, setting from EAP Identity.*
>
> This claims MSCHAP and Radius username don't match.
>
> Did you edit the debug?
>
> Don't do that.
>
OK, sorry.

> Please provide a full debug, like so:
>
> radiusd -X | tee log.txt
> # run a test auth
> # ctrl+c
> # email log.txt
>
I've attached it.



FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010 at 
20:41:03
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/counter
including configu

Re: Removing domain prefix from login

2011-11-10 Thread Phil Mayers

On 10/11/11 08:15, Alejandro Gandara wrote:

> Hi Alan,
>
> Thanks for your answers and excuse me for my English, full of mistakes.
>
> 2011/11/10 Alan DeKok <mailto:al...@deployingradius.com>
>
>> Alejandro Gandara wrote:
>>> I'm authenticating users in RADIUS against LDAP. If I log in from a
>>> computer with 802.1X configured and the user and password taken
>>> automatically from the domain, I'm getting wrong authentication because
>>> the login has the following string:
>>>
>>> DOMAIN\\Users
>>>
>>> How can I avoid RADIUS reading the prefix?
>>
>> You should be able to authenticate using just the user name, using
>> ntlm_auth. See the examples in raddb/modules/ntlm_auth
>
> I'm reading about it. Thanks for this information.
>
>>> I've tried to introduce the option prefix in /etc/sites-enable/default,
>>> but it's giving me back errors because of the wrong way to introduce
>>> that line.
>>
>> Yes. Don't define a realm. It won't work.
>>
>> Post the debug output. That helps, too.
>
> This is my debug output:
>
> rad_recv: Access-Request packet from host 172.20.40.28 port 1025,
> id=112, length=218
> Framed-MTU = 1480
> NAS-IP-Address = 172.20.40.28
> NAS-Identifier = "SW-INT-1-3"
> User-Name = "PRIVATE\\usertest"

Have you edited this debug?

> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 32
> NAS-Port-Type = Ethernet
> NAS-Port-Id = "32"
> Called-Station-Id = "f0-62-81-05-33-40"
> Calling-Station-Id = "f0-4d-a2-bc-77-cd"
> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "1"
> EAP-Message = 0x020a0012014f50544152455c62726f75636f

This decodes as:

\x02\n\x00\x12\x01OPTARE\\brouco

> Message-Authenticator = 0x055981a2c542df52f4c292042c89a019
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> *[eap] Identity does not match User-Name, setting from EAP Identity.*

This claims MSCHAP and Radius username don't match.

Did you edit the debug?

Don't do that.

Please provide a full debug, like so:

radiusd -X | tee log.txt
# run a test auth
# ctrl+c
# email log.txt
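Phil's decoding of the EAP-Message attribute above, together with his earlier point that LDAP must work from Stripped-User-Name and nothing may rewrite User-Name, can be checked mechanically. The following is an added example, not code from this thread or from FreeRADIUS: it parses the EAP-Message value from the debug output (an RFC 3748 header followed by an Identity Response), splits DOMAIN\user into Realm and Stripped-User-Name the way the ntdomain instance of rlm_realm does, and reports whether the EAP Identity still equals User-Name, which is the comparison behind the "Identity does not match User-Name" message. The User-Name value "brouco" is a constructed case standing in for a request whose User-Name was rewritten in authorize; the function names are this example's own.

```python
"""Decode a RADIUS EAP-Message attribute and apply the ntdomain split.

Added example, not code from the thread or from FreeRADIUS.  EAP_HEX is
the EAP-Message attribute quoted in the debug output; the second
User-Name value in __main__ is a constructed 'rewritten' case.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

# From the debug output in the thread: Response, id 10, Identity "OPTARE\brouco".
EAP_HEX = "0x020a0012014f50544152455c62726f75636f"


def decode_eap_message(hex_value):
    """Parse one EAP packet (RFC 3748 section 4) from its hex encoding.

    Returns a dict with code, identifier and length, plus type and, for
    Identity packets, the identity string the supplicant sent.
    """
    if hex_value.startswith("0x"):
        hex_value = hex_value[2:]
    data = bytes.fromhex(hex_value)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 octets")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP Length %d but %d octets present" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "identifier": identifier, "length": length}
    if code in (1, 2):                      # Request/Response carry a Type octet
        if len(data) < 5:
            raise ValueError("Request/Response needs a Type octet")
        pkt["type"] = data[4]
        if data[4] == EAP_TYPE_IDENTITY:
            # Identity Type-Data is the NAI; RFC 3748 allows a NUL and options
            # after it, so keep only the part before any NUL.
            pkt["identity"] = data[5:].split(b"\x00", 1)[0].decode("utf-8")
    return pkt


def split_ntdomain(user_name):
    """What the 'ntdomain' instance of rlm_realm does with DOMAIN\\user.

    Returns (Realm, Stripped-User-Name).  User-Name itself is not touched,
    which is the point: rlm_eap compares the EAP Identity against User-Name.
    """
    realm, sep, user = user_name.partition("\\")
    if not sep:
        return None, user_name             # no prefix, nothing to strip
    return realm, user


def identity_matches_user_name(user_name, eap_message_hex):
    """The check rlm_eap performs: the EAP Identity must equal User-Name."""
    pkt = decode_eap_message(eap_message_hex)
    return pkt.get("identity") == user_name


if __name__ == "__main__":
    print(decode_eap_message(EAP_HEX))
    # "OPTARE\brouco" is what the switch sent; "brouco" is a constructed case
    # where something in authorize rewrote User-Name.
    for user_name in ("OPTARE\\brouco", "brouco"):
        realm, stripped = split_ntdomain(user_name)
        print("User-Name=%r Realm=%r Stripped-User-Name=%r identity match=%s"
              % (user_name, realm, stripped,
                 identity_matches_user_name(user_name, EAP_HEX)))
```

Run stand-alone it prints the parsed packet (Response, identifier 10, length 18, Identity OPTARE\brouco) and then, for both User-Name values, the Realm/Stripped-User-Name pair that ntdomain would produce; only the untouched OPTARE\brouco passes the identity check, while the LDAP filter `(uid=%{%{Stripped-User-Name}:-%{User-Name}})` from the debug gets the bare uid in both cases.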


Re: Removing domain prefix from login

2011-11-10 Thread Alejandro Gandara
Thanks for your answer. I think I've changed the following things to try to
remove DOMAIN:

./modules/preprocess:   with_ntdomain_hack = yes
./modules/mschap:with_ntdomain_hack = yes
./eap.conf: with_ntdomain_hack = yes

I hope this could help, If you know more information I could give. Tell me.


2011/11/10 Alan DeKok 

> Alejandro Gandara wrote:
> > This is my debug  output:
>
>   Well... you deleted a lot of the default configuration.  It now
> doesn't work.  I'm not sure why.
>
>  Use the default configuration.  It works.  Change as little as possible.
>

I'll try once more. If I do not get results, I will reinstall FreeRADIUS,
changing only what is necessary.

>
>  Alan DeKok.

Regards,

Alejandro Gándara


Re: Removing domain prefix from login

2011-11-10 Thread Alan DeKok
Alejandro Gandara wrote:
> This is my debug  output:

  Well... you deleted a lot of the default configuration.  It now
doesn't work.  I'm not sure why.

  Use the default configuration.  It works.  Change as little as possible.

  Alan DeKok.


Re: Removing domain prefix from login

2011-11-10 Thread Alejandro Gandara
Hi Alan,

Thanks for your answers and excuse me for my English, full of mistakes.

2011/11/10 Alan DeKok 

> Alejandro Gandara wrote:
>> I'm authenticating users in RADIUS against LDAP. If I log in from a
>> computer with 802.1X configured and the user and password taken
>> automatically from the domain, I'm getting wrong authentication because
>> the login has the following string:
>>
>> DOMAIN\\Users
>>
>> How can I avoid RADIUS reading the prefix?
>
>   You should be able to authenticate using just the user name, using
> ntlm_auth.  See the examples in raddb/modules/ntlm_auth
>

I'm reading about it. Thanks for this information.

>
>> I've tried to introduce the option prefix in /etc/sites-enable/default,
>> but it's giving me back errors because of the wrong way to introduce
>> that line.
>
>   Yes.  Don't define a realm.  It won't work.
>
>  Post the debug output.  That helps, too.
>

This is my debug output:

rad_recv: Access-Request packet from host 172.20.40.28 port 1025, id=112,
length=218
Framed-MTU = 1480
NAS-IP-Address = 172.20.40.28
NAS-Identifier = "SW-INT-1-3"
User-Name = "PRIVATE\\usertest"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 32
NAS-Port-Type = Ethernet
NAS-Port-Id = "32"
Called-Station-Id = "f0-62-81-05-33-40"
Calling-Station-Id = "f0-4d-a2-bc-77-cd"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x020a0012014f50544152455c62726f75636f
Message-Authenticator = 0x055981a2c542df52f4c292042c89a019
[ldap] performing user authorization for usertest
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> usertest
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=usertest)
[ldap]  expand: dc=private,dc=loc -> dc=private,dc=loc
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 172.20.52.206:389, authentication 0
  [ldap] bind as cn=raddbuser,dc=private,dc=loc/password to
172.20.52.206:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=pruebas,dc=loc, with filter (uid=usertest)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password ==
0x3245334230434533423046383434414238374145393237384141453730393331
[ldap] looking for reply items in directory...
  [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "01"
  [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] radiusFramedIPAddress -> Framed-IP-Address = 192.45.51.9
[ldap] user brouco authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] EAP packet type response id 10 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
*[eap] Identity does not match User-Name, setting from EAP Identity.*
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [usertest/] (from client privradius
port 32 cli f0-4d-a2-bc-77-cd)
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform
requested action.
# Executing group from file /etc/freeradius/sites-enabled/default


Thanks for everything, Alan.


Regards,

Alejandro Gándara



>  Alan DeKok.


Re: Removing domain prefix from login

2011-11-09 Thread Alan DeKok
Alejandro Gandara wrote:
> I'm authenticating users in RADIUS against LDAP. If I log in from a
> computer with 802.1X configured and the user and password taken
> automatically from the domain, I'm getting wrong authentication because
> the login has the following string:
> 
> DOMAIN\\Users
> 
> How can I avoid RADIUS reading the prefix?

  You should be able to authenticate using just the user name, using
ntlm_auth.  See the examples in raddb/modules/ntlm_auth

> I've tried to introduce the option prefix in /etc/sites-enable/default,
> but it's giving me back errors because of the wrong way to introduce
> that line.

  Yes.  Don't define a realm.  It won't work.

  Post the debug output.  That helps, too.

  Alan DeKok.


Re: Removing domain prefix from login

2011-11-09 Thread Alan Buxey
Hi,
> I'm authenticating users in RADIUS against LDAP. If I log in from a
> computer with 802.1X configured and the user and password taken
> automatically from the domain, I'm getting wrong authentication because
> the login has the following string:
> 
> DOMAIN\\Users
> 
> How can I avoid RADIUS reading the prefix?

ntdomain with the 'hack' option set to yes; Stripped-User-Name
is then properly created. Use that variable in the LDAP.

alan


Removing domain prefix from login

2011-11-09 Thread Alejandro Gandara
I'm authenticating users in RADIUS against LDAP. If I log in from a computer
with 802.1X configured and the user and password taken automatically from the
domain, I'm getting wrong authentication because the login has the following
string:

DOMAIN\\Users

How can I avoid RADIUS reading the prefix?

I've tried to introduce the option prefix in /etc/sites-enable/default,
but it's giving me back errors because of the wrong way to introduce that line.

Can anyone help me?

Thanks very much