With Samba in NT mode, I was able to enable wireless access using the
machine account, and it worked decently.

Now I want to try again in AD mode, but I've not found info, and I've
just hit a problem:

 Oct 1 14:31:55 vdmsv1 radiusd[13555]: rlm_ldap (ldap): Opening additional connection (25), 1 of 31 pending slots used
 Oct 1 14:31:55 vdmsv1 radiusd[13555]: (187) Login incorrect: [host/RUFUS.ad.fvg.lnf.it] (from client unifi-sv port 0 cli B8-EE-65-B1-73-D3 via TLS tunnel)
 Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188) eap_peap: The users session was previously rejected: returning reject (again.)
 Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188) eap_peap: This means you need to read the PREVIOUS messages in the debug output
 Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188) eap_peap: to find out the reason why the user was rejected
 Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
 Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188) eap_peap: what went wrong, and how to fix the problem
 Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [host/RUFUS.ad.fvg.lnf.it] (from client unifi-sv port 0 cli B8-EE-65-B1-73-D3)

The client tries to auth with the FQDN and not the username (e.g. RUFUS$).

Does anyone have a hint? Thanks.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)

On 01.10.2020 14:46, Marco Gaiarin via samba wrote:
> With Samba in NT mode, I was able to enable wireless access using the
> machine account, and it worked decently.
>
> Now I want to try again in AD mode, but I've not found info, and I've
> just hit a problem:
>
> Oct 1 14:31:55 vdmsv1 radiusd[13555]: rlm_ldap (ldap): Opening additional connection (25), 1 of 31 pending slots used
> Oct 1 14:31:55 vdmsv1 radiusd[13555]: (187) Login incorrect: [host/RUFUS.ad.fvg.lnf.it] (from client unifi-sv port 0 cli B8-EE-65-B1-73-D3 via TLS tunnel)
> Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188) eap_peap: The users session was previously rejected: returning reject (again.)
> Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188) eap_peap: This means you need to read the PREVIOUS messages in the debug output
> Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188) eap_peap: to find out the reason why the user was rejected
> Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
> Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188) eap_peap: what went wrong, and how to fix the problem
> Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [host/RUFUS.ad.fvg.lnf.it] (from client unifi-sv port 0 cli B8-EE-65-B1-73-D3)
>
> The client tries to auth with the FQDN and not the username (e.g. RUFUS$).
>
> Does anyone have a hint? Thanks.
>
> --

I can't offer any hints, but this has been on my list of things to do
for some time. Could you share with us exactly what you have done so
far, so others can follow and set up the same? Maybe we either encounter
the same problems as you, or not.

--
Klaus Ade Johnstad
67E61D18B2C44F8A3DA35C6D849F9F5F 26FA477D

Hello! Klaus Ade Johnstad via samba
  On that day it was said...

> I can't offer any hints, but this has been on my list of things to do
> for some time. Could you share with us exactly what you have done so
> far, so others can follow and set up the same? Maybe we either encounter
> the same problems as you, or not.

Oh, 'pretty nothing'. It all works pretty automagically because using the
machine account was built into the winbind authenticator or ntlm_auth helper,
see:

 https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind#compiling-and-installing-freeradius_configuring-freeradius

but in this way *ALL* domain-joined machines can connect to wireless, so I
use the ldap module to 'filter' memberships:

 https://wiki.freeradius.org/modules/Rlm_ldap

Oh, indeed this makes me suppose that the connection probably works; I
only need to set up a group and add to this group all the computers that need
a connection...

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
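
Added example, not part of any message in this thread: a Python sketch that pulls the "Login incorrect" events out of the radiusd log excerpt quoted in the first message and shows, for each host/FQDN identity, the machine-account form (e.g. RUFUS$) that a group-membership lookup would have to match. It assumes the account name is the first DNS label plus "$"; the function and field names are hypothetical.

```python
import re
from collections import Counter

# Three of the log lines quoted in the first message of the thread.
SAMPLE_LOG = """\
Oct 1 14:31:55 vdmsv1 radiusd[13555]: (187) Login incorrect: [host/RUFUS.ad.fvg.lnf.it] (from client unifi-sv port 0 cli B8-EE-65-B1-73-D3 via TLS tunnel)
Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188) eap_peap: The users session was previously rejected: returning reject (again.)
Oct 1 14:31:55 vdmsv1 radiusd[13555]: (188) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [host/RUFUS.ad.fvg.lnf.it] (from client unifi-sv port 0 cli B8-EE-65-B1-73-D3)
"""

# The optional "(reason)" may itself contain parentheses, so it is matched
# greedily and anchored by the ": [" that introduces the identity.
LINE_RE = re.compile(
    r"\((?P<req>\d+)\) Login incorrect(?: \((?P<reason>.*)\))?: "
    r"\[(?P<identity>[^\]]+)\] \(from client (?P<client>\S+) port \d+ "
    r"cli (?P<mac>[0-9A-Fa-f-]{17})(?P<tunnel> via TLS tunnel)?\)"
)

def expected_sam(identity):
    """Map 'host/NAME.dns.domain' to 'NAME$'; None for non-machine identities.

    Assumption: the computer account is the first DNS label plus '$'.
    """
    if not identity.lower().startswith("host/"):
        return None
    short = identity[5:].split(".", 1)[0]
    return short + "$" if short else None

def rejects(log_text):
    """Return one dict per 'Login incorrect' line found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "request": int(m["req"]),
                "identity": m["identity"],
                "machine_account": expected_sam(m["identity"]),
                "client": m["client"],
                "mac": m["mac"],
                "via_tls_tunnel": m["tunnel"] is not None,
                "reason": m["reason"],
            })
    return events

def summarize(events):
    """Count rejects per (MAC, identity) so one failing machine is one row."""
    return Counter((e["mac"], e["identity"]) for e in events)

if __name__ == "__main__":
    for event in rejects(SAMPLE_LOG):
        print(event)
```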