Problem:
You cannot log in via RADIUS; the log reports "Login incorrect":
Auth: Login incorrect (mschap: External script says ): [cscheini/<via Auth-Type = EAP>] (from client wifi port 0 via TLS tunnel)
Auth: Login incorrect: [cscheini/<via Auth-Type = EAP>] (from client wifi port 0 cli 02-42-af-58-38-52)
FreeRADIUS in debug mode shows the following traceback:
Traceback (most recent call last):
  File "/usr/bin/univention-radius-ntlm-auth", line 87, in <module>
    sys.exit(main())
  File "/usr/bin/univention-radius-ntlm-auth", line 74, in main
    ldapConnection = univention.uldap.getMachineConnection(ldap_master=False, reconnect=False)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 94, in getMachineConnection
    bindpw=open(secret_file).read()
IOError: [Errno 13] Permission denied: '/etc/machine.secret'
Investigation:
- Check in your RADIUS configuration that ntlm_auth is set to /usr/bin/univention-radius-ntlm-auth-suidwrapper
- Check the file permissions of /usr/bin/univention-radius-ntlm-auth-suidwrapper:
-rwxr-xr-x 1 root DC Backup Hosts 4792 Jan 15 2018 /usr/bin/univention-radius-ntlm-auth-suidwrapper
Solution:
Correct the file permissions. The setuid bit needs to be set on the wrapper so that it runs as its owner (root) and can read /etc/machine.secret:
chmod u+s /usr/bin/univention-radius-ntlm-auth-suidwrapper
-rwsr-xr-x 1 root DC Backup Hosts 4792 Jan 15 2018 /usr/bin/univention-radius-ntlm-auth-suidwrapper
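The check from the investigation step can be scripted. The following is an added example, not part of the original article or of Univention's tooling: the function names wrapper_issues and wrapper_ok are hypothetical, GNU stat is assumed, and the expected owner defaults to root as in the listing above. Besides the missing setuid bit it also reports a wrapper that is writable by group or others, since a setuid-root binary must not be modifiable by unprivileged users.

```shell
#!/bin/sh
# Added example: audit mode and ownership of the setuid wrapper.
# Assumptions: GNU stat is available; expected owner is root (as in the ls output).

# Print one line per problem found; print nothing if the file looks right.
wrapper_issues() {
    f=$1
    owner_expected=${2:-root}
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 0
    fi
    mode=$(stat -c '%A' "$f")     # symbolic mode, e.g. -rwsr-xr-x
    owner=$(stat -c '%U' "$f")
    # Character 4 of the mode string carries the owner execute/setuid flag.
    case $mode in
        ???s*) ;;   # setuid and owner-executable: OK
        ???S*) echo "setuid set but owner execute bit missing ($mode)" ;;
        *)     echo "setuid bit missing ($mode): run chmod u+s" ;;
    esac
    [ "$owner" = "$owner_expected" ] || echo "owner is $owner, expected $owner_expected"
    # Characters 6 and 9 are the group and other write flags.
    case $mode in
        ?????w*|????????w*) echo "writable by group or others ($mode)" ;;
    esac
    return 0
}

# Exit status 0 only if no problem was reported.
wrapper_ok() {
    [ -z "$(wrapper_issues "$@")" ]
}

# Default to the path from this article when no argument is given.
wrapper_issues "${1:-/usr/bin/univention-radius-ntlm-auth-suidwrapper}"
```

Run it as root on the affected server; empty output means the wrapper has the expected mode and owner.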