Hi freeradius mailing list,

I set up a FreeRADIUS server (SUSE 9.0, freeradius-snapshot-20040119 + openssl-0.9.7c) to authenticate wireless Windows (Windows 2000, XP) based clients with 802.1x. My access point (an SMC2804WBR v2 WLAN router with DHCP and NAT) supports 802.1x authentication and is set up to use the RADIUS server with the specified secret. To test everything, I use a WinXP laptop (SP1) with a D-Link DWL G650+ inserted.
In programming-language terms, the packet from the AP to RADIUS will be encapsulated like:

RADIUS ( EAP ( MSCHAPv2 ) )

where EAP will be "Secure EAP" PEAP. Please tell me if I'm wrong!!!!!!!!
My RADIUS setup is oriented on this; I used only the things where I think I need them, to eliminate other error sources.
I have read all relevant mails about this topic and experimented with many snapshots before, but found none to help at this last step. TLS is running, but authentication will not work:


My problem (full logs listed below):

rlm_mschap: No MS-CHAP-Challenge in the request

My setup:

XP-Laptop:
-[WEP] activated
-[Networkauthentication (common mode)] deactivated
-[key automatically provided] activated
-[IEEE 802.1x Authentication activate] set with EAP (PEAP) --> [test Servercertificate] deactivated, [Secure password MSCHAPv2] activated


On the access point, the NAS-Identifier was set to "port", because a value must be entered. The other options (secret, ports and IP) were set as required.

RADIUS [freeradius-snapshot-20040119] + [openssl-0.9.7c]:
-set up EAP-TLS with help of http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm which works fine.
-set up the testuser
-commented out "not needed" modules
---> played with options
mschap: use_mppe
mschap: require_encryption
mschap: require_strong


If anyone has set up this authentication method completely working, please post all relevant stuff; you will help me very much! But please quote only the relevant text from my mail, I know what I have written.

Greatest thanks for replies and to the complete list, your help is unpayable!



The Files and Logs (comments deleted):
#### radiusd.conf ####

prefix = /usr/local/radius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions    = yes
extended_expressions    = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
  max_attributes = 200
  reject_delay = 1
  status_server = no
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

$INCLUDE ${confdir}/clients.conf

snmp    = no
$INCLUDE  ${confdir}/snmp.conf

thread pool {
  start_servers = 5
  max_servers = 32
  min_spare_servers = 3
  max_spare_servers = 10
  max_requests_per_server = 0
}

modules {
  eap {
      default_eap_type = peap
      timer_expire     = 60
      ignore_unknown_eap_types = yes
      tls {
          private_key_password = whatever
          private_key_file = /etc/1x/Radius.pem
          certificate_file = /etc/1x/Radius.pem
          CA_file = /etc/1x/root.pem
          dh_file = /etc/1x/DH
          random_file = /etc/1x/random
          fragment_size = 1024
          include_length = yes
      }

      peap {
          default_eap_type = mschapv2
      }

      mschapv2 {
      }

  }

  mschap {
      authtype = MS-CHAP
  }

  preprocess {
      huntgroups = ${confdir}/huntgroups
      hints = ${confdir}/hints
      with_ascend_hack = no
      ascend_channels_per_line = 23
      with_ntdomain_hack = no
      with_specialix_jetstream_hack = no
      with_cisco_vsa_hack = no
  }

  files {
      usersfile = ${confdir}/users
      acctusersfile = ${confdir}/acct_users
      compat = no
  }

  detail {
      detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
      detailperm = 0600
  }

  acct_unique {
      key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }

  radutmp {
      filename = ${logdir}/radutmp
      username = %{User-Name}
      case_sensitive = yes
      check_with_nas = yes
      perm = 0600
      callerid = "yes"
  }

  radutmp sradutmp {
      filename = ${logdir}/sradutmp
      perm = 0644
      callerid = "no"
  }

  attr_filter {
      attrsfile = ${confdir}/attrs
  }
}

instantiate {
}

authorize {
  preprocess
  eap
  files
}

authenticate {
  Auth-Type MS-CHAP {
      mschap
  }
}

preacct {
  preprocess
}

accounting {
}


session { }


post-auth { }

pre-proxy {
}

post-proxy {
}

#######################

#### users #####

"tester" Auth-Type :=MS-CHAP, User-Password == "test"

DEFAULT    Auth-Type = System
  Fall-Through = 1

DEFAULT    Service-Type == Framed-User
  Framed-IP-Address = 255.255.255.254,
  Framed-MTU = 576,
  Service-Type = Framed-User,
  Fall-Through = Yes

DEFAULT    Framed-Protocol == PPP
  Framed-Protocol = PPP,
  Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT    Hint == "CSLIP"
  Framed-Protocol = SLIP,
  Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT    Hint == "SLIP"
  Framed-Protocol = SLIP

###############################

##### Start of radius ######

linux:/usr/local/radius # sh run-radius -X -A -f
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/1x/Radius.pem"
tls: certificate_file = "/etc/1x/Radius.pem"
tls: CA_file = "/etc/1x/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/1x/DH"
tls: random_file = "/etc/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded files
files: usersfile = "/usr/local/radius/etc/raddb/users"
files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.


###########################

###### The request ###########

rad_recv: Access-Request packet from host [The Access Point], id=92, length=95
User-Name = "tester"
NAS-IP-Address = [IP]
NAS-Identifier = "port"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x025c000b01746573746572
Message-Authenticator = 0x0c004aee29dc8c69026755e5c71f3a05
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_eap: EAP packet type response id 92 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched tester at 143
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 0
rlm_mschap: No MS-CHAP-Challenge in the request
modcall[authenticate]: module "mschap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 92 to [IP]
Waking up in 4 seconds...


#############################
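As an added example (not part of the original mail), the following Python decodes the outer EAP-Message attribute from the Access-Request in the log and applies the first check rlm_mschap makes, which explains the rejection: the outer packet is only an EAP Identity response, and the MS-CHAPv2 exchange happens later inside the PEAP TLS tunnel. The attribute dictionary is constructed from the values in the log, and the second check message is paraphrased, not rlm_mschap's verbatim text.

```python
# Added example, not from the original mail: decode the outer EAP-Message
# attribute printed by "radiusd -X" and apply rlm_mschap's first check.
from dataclasses import dataclass

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

@dataclass
class EapPacket:
    code: str
    identifier: int
    length: int
    type_name: str   # empty for Success/Failure, which carry no type byte
    data: bytes

def decode_eap_message(hexstr: str) -> EapPacket:
    """Parse one EAP-Message attribute value (hex, optionally 0x-prefixed)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    name = EAP_CODES.get(code, f"code {code}")
    if code in (3, 4):
        return EapPacket(name, ident, length, "", b"")
    if length < 5:
        raise ValueError("EAP Request/Response needs a type byte")
    return EapPacket(name, ident, length,
                     EAP_TYPES.get(raw[4], f"type {raw[4]}"), raw[5:])

def mschap_can_run(attrs: dict) -> str:
    """First thing rlm_mschap does: look for the outer MS-CHAP attributes.
    The first message is the one in the log; the second is paraphrased."""
    if "MS-CHAP-Challenge" not in attrs:
        return "rlm_mschap: No MS-CHAP-Challenge in the request"
    if "MS-CHAP-Response" not in attrs and "MS-CHAP2-Response" not in attrs:
        return "rlm_mschap: no MS-CHAP-Response/MS-CHAP2-Response (paraphrased)"
    return "ok"

# Attributes of the Access-Request in the log (constructed dict, same values).
REQUEST = {"User-Name": "tester", "NAS-Port-Type": "Wireless-802.11",
           "EAP-Message": "0x025c000b01746573746572"}

if __name__ == "__main__":
    print(decode_eap_message(REQUEST["EAP-Message"]))  # Response, id 92, Identity "tester"
    print(mschap_can_run(REQUEST))
```

Because the users entry sets `Auth-Type := MS-CHAP`, the files module overrides the `Auth-Type = EAP` that rlm_eap set during authorize (visible in the log as `rad_check_password: Found Auth-Type MS-CHAP`), so this outer request is handed to rlm_mschap and never reaches rlm_eap. Leaving Auth-Type out of that entry and adding an `Auth-Type EAP { eap }` block to the authenticate section lets rlm_eap handle the PEAP tunnel, with the inner MS-CHAPv2 then reaching mschap.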



- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
