Hi,

I am trying to help a customer configure FreeRADIUS to use PEAP to
authenticate their Cisco 1200 AP. FreeRADIUS was working using their
SunONE directory server to authenticate their RAS devices already.
I'm using the snapshot from 1/27 and we are using a Windows XP SP1
supplicant. I would appreciate any ideas as to what to try next.

After making sure that the LDAP authentication worked, I changed the
default_eap_type to peap (tried tls also) in the eap module section,
uncommented the tls module section (except the check_crl line), and
uncommented the peap module section. I also uncommented the
require_encryption and require_strong lines in the mschap section.
When we try to authenticate, it seems to get as far as establishing
the tunnel and then the MS-CHAPv2 part fails with:

Thu Jan 29 14:50:29 2004 : Info: rlm_eap_mschapv2: Issuing Challenge
Thu Jan 29 14:50:29 2004 : Auth: rlm_mschap: We require a User-Name for MS-CHAPv2
Thu Jan 29 14:50:29 2004 : Auth: Login incorrect: [nds/<no User-Password attribute>] (from client localhost port 0)
Thu Jan 29 14:50:29 2004 : Auth: Login incorrect: [nds/<no User-Password attribute>] (from client vpn port 417 cli 0090.41bb.f382)
Thu Jan 29 14:51:55 2004 : Auth: rlm_ldap: Attribute "User-Password" is required for authentication.


Any help or suggestions as to what to look at next would be appreciated.
I also added the user to the users file along with a password, like so:

nds Auth-Type := EAP, User-Password == "mypassword"

to see if that would help, but it didn't. Here is some debug output; if
anyone would like to see it all, I can send that as well. Thanks.


rad_recv: Access-Request packet from host 23.45.66.1:10343, id=155, length=160
Waking up in 5 seconds...
Thread 5 got semaphore
Thread 5 handling request 5, (6 handled so far)
User-Name = "nds"
Framed-MTU = 1400
Called-Station-Id = "000e.3f8c.0b90"
Calling-Station-Id = "0090.41bb.f382"
Message-Authenticator = 0xb73ac0bb68f32a5bb3af54c599d73765
EAP-Message = 0x0207001f190017030100148edf629daaed99b8b4c74a9978c097f5ba2e7cef
NAS-Port-Type = Wireless-802.11
NAS-Port = 259
State = 0x3289f11fbaf940fc31961aa58774b4ae
Service-Type = Framed-User
NAS-IP-Address = 172.16.0.138
NAS-Identifier = "ap"
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "nds", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 7 length 31
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched DEFAULT at 152
users: Matched nds at 219
modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.


rlm_eap_peap: Identity - nds
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x02070008016e6473
PEAP: Got tunneled identity of nds
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Sending tunneled request
EAP-Message = 0x02070008016e6473
Freeradius-Proxied-To = 127.0.0.1
User-Name = "nds"
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "nds", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 7 length 8
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched DEFAULT at 152
users: Matched nds at 219
modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 5
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
PEAP: Got tunneled reply RADIUS code 11
EAP-Message = 0x0108001d1a0108001810d2be9d43c835acc83ef6d3499047825e6e6473
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdf20b85c0c97274cca8ce89e1c9c2452
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 155 to 23.45.66.1:10343
EAP-Message = 0x0108003419001703010029188f17129653ab06d4694309ed7a26b3a2deeae44948e2cfb87c52416372e287819acf4287865e3783
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb0e7dd3ef6e054908a939b5272efd9a0
Finished request 5
Going to the next request
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 23.45.66.1:10343, id=156, length=214
Waking up in 5 seconds...
Thread 5 got semaphore
Thread 5 handling request 6, (7 handled so far)
User-Name = "nds"
Framed-MTU = 1400
Called-Station-Id = "000e.3f8c.0b90"
Calling-Station-Id = "0090.41bb.f382"
Message-Authenticator = 0x9c6efa9546653b5de99178fa627c3161
EAP-Message = 0x020800551900170301004a7b626d5c5625d8fe1a5c71e2d4ede364ac0091f9e3417ff4549b616cacc3c9e5b2df87ef713cc549d51db076fcfa7c81eb717a41716f5b499b45e588188e7bc557c19894fb3e5316e5f2
NAS-Port-Type = Wireless-802.11
NAS-Port = 259
State = 0xb0e7dd3ef6e054908a939b5272efd9a0
Service-Type = Framed-User
NAS-IP-Address = 172.16.0.138
NAS-Identifier = "ap"
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "nds", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 8 length 85
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched DEFAULT at 152
users: Matched nds at 219
modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.


rlm_eap_peap: EAP type 26
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x0208003e1a0208003931561d2b90746d57a443c25e6eb99106cf0000000000000000c02c36e48a89d86a7fcd412dadaca2a230cfa15c900bc9ad006e6473
PEAP: Adding old state with df 20
PEAP: Sending tunneled request
EAP-Message = 0x0208003e1a0208003931561d2b90746d57a443c25e6eb99106cf0000000000000000c02c36e48a89d86a7fcd412dadaca2a230cfa15c900bc9ad006e6473
Freeradius-Proxied-To = 127.0.0.1
User-Name = "nds"
State = 0xdf20b85c0c97274cca8ce89e1c9c2452
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "nds", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 8 length 62
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched DEFAULT at 152
users: Matched nds at 219
modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
modcall: entering group Auth-Type for request 6
rlm_mschap: We require a User-Name for MS-CHAPv2
modcall[authenticate]: module "mschap" returns invalid for request 6
modcall: group Auth-Type returns invalid for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
Login incorrect: [nds/<no User-Password attribute>] (from client localhost port 0)
PEAP: Got tunneled reply RADIUS code 3
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 156 to 23.45.66.1:10343
EAP-Message = 0x010900261900170301001b0e8c8b6e443a92596c57f3301008fa1b0136c6ea26484f241858e9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf778eba8859e6cffee7855af623e73b1
Finished request 6
Going to the next request
Thread 5 waiting to be assigned a request


--
  Paul Whittenburg

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
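As an added example (my own code, not part of this post or of FreeRADIUS), the following Python decoder parses the tunneled EAP-Message values from the debug output above using the RFC 3748 EAP and RFC 2759 MS-CHAPv2 field layouts, so the inner exchange (Identity, MS-CHAPv2 Challenge, Response, Failure) can be read without counting hex by hand; the four sample messages are copied from the log, and the function and constant names are my own.

```python
# Added example: decode the tunneled EAP-Message hex values that radiusd -X
# prints, using the RFC 3748 (EAP) and RFC 2759 (MS-CHAPv2) field layouts.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def decode_mschapv2(body):
    # body = everything after the EAP type byte (26)
    opcode, ms_id, ms_len = struct.unpack("!BBH", body[:4])
    if ms_len != len(body):
        raise ValueError("MS-CHAPv2 length %d != body size %d" % (ms_len, len(body)))
    out = {"opcode": MSCHAPV2_OPCODES.get(opcode, opcode), "ms_id": ms_id}
    if opcode in (1, 2):                 # Challenge / Response share the layout:
        vsize = body[4]                  # value-size, value, then peer name
        value = body[5:5 + vsize]
        out["name"] = body[5 + vsize:].decode("ascii")
        if opcode == 1:                  # Challenge: 16-byte authenticator challenge
            out["challenge"] = value.hex()
        else:                            # Response: 16 peer-challenge, 8 reserved,
            out["peer_challenge"] = value[:16].hex()      # 24 NT-Response, 1 flags
            out["nt_response"] = value[24:48].hex()
            out["reserved_zero"] = value[16:24] == bytes(8)
    return out

def decode_eap(hexstr):
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length %d != packet size %d" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                   # only Request/Response carry a type byte
        pkt["type"] = data[4]
        if pkt["type"] == 1:             # Identity
            pkt["identity"] = data[5:].decode("ascii")
        elif pkt["type"] == 26:          # MS-CHAPv2
            pkt.update(decode_mschapv2(data[5:]))
    return pkt

# The four tunneled EAP-Messages, copied from the debug output in the post.
TUNNELED = [
    "0x02070008016e6473",
    "0x0108001d1a0108001810d2be9d43c835acc83ef6d3499047825e6e6473",
    "0x0208003e1a0208003931561d2b90746d57a443c25e6eb99106cf0000000000000000"
    "c02c36e48a89d86a7fcd412dadaca2a230cfa15c900bc9ad006e6473",
    "0x04080004",
]
```

Running `decode_eap` over `TUNNELED` shows the inner request is an MS-CHAPv2 Response for name "nds" answered by an EAP Failure, which is the point at which the log reports that no User-Password is available.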