Hi,
I have a two nt4 trusted domain infrastructure and am trying to setup
freeradius to authenticate xp supplicants with peap. I have nmbd and winbindd
running correctly, and can run the ntlm_auth program with no problems. But
what I have found out is that my freeradius server is joined to the DOMAINA
domain. So when running /usr/bin/ntlm_auth --username=domainatestuser it
automatically validates the user against DOMAINA. But if I try to run
/usr/bin/ntlm_auth --username=domainbtestuser it will fail. I have to add the
--domain=DOMAINB for it to validate correctly.
So when I use my xp supplicant to validate my user, domainatestuser (without
typing in the DOMAINA), it works perfectly. If I put in DOMAINA in the domain
box, I get rejected. If I try to validate the domainbtestuser using nothing
for the domain box, I get rejected. If I put in DOMAINB in the domain box, I
get rejected.
I guess I am needing to setup realms for each domain. How do I setup DOMAINA
users to go to the DOMAINA domain controllers, and how do I setup DOMAINB users
to go to DOMAINB domain controllers. I shouldn't really have to setup to go do
different domain controllers, I just need freeradius to pass on the domain in
the ntlm_auth command.
Thanks for any help
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:3076, id=85,
length=181
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
Framed-MTU = 1400
User-Name = DOMAINB\\domainbtestuser
Calling-Station-Id = 001217a8df41
Called-Station-Id = 0001f4449c4c
NAS-Identifier = RoamAbout AP
State = 0x1ce29e6a91a9663ff39346a69f85748c
EAP-Message =
0x020800261900170301001b4ca905292ffadaa855c356acd5417b6989915df2dd32ffdc0b08d3
Message-Authenticator = 0x6dca7a93ca473745cab0f6a063b66d0e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 15
modcall[authorize]: module preprocess returns ok for request 15
modcall[authorize]: module mschap returns noop for request 15
rlm_realm: No '@' in User-Name = DOMAINB\domainbtestuser, looking up realm
NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 15
rlm_realm: Looking up realm DOMAINB for User-Name =
DOMAINB\domainbtestuser
rlm_realm: No such realm DOMAINB
modcall[authorize]: module ntdomain returns noop for request 15
rlm_eap: EAP packet type response id 8 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 15
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 15
modcall: group authorize returns updated for request 15
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 15
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 15
modcall: group authenticate returns invalid for request 15
auth: Failed to validate the user.
Delaying request 15 for 1 seconds
Finished request 15
Going to the next request
Jamie Crawford, MCSE RHCT Network Analyst I
Information Services
Central Missouri State University
Warrensburg, MO 64093
Phone:6605434357
Email:[EMAIL PROTECTED]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html