Sorry for the long subject :-) I have spent a few days on this setup and learned a lot from your mailing list (thank you, Alan and everybody else), but I think there is a problem not covered yet between Solaris- and Linux-compiled code (?). Long story:

We set up the following:

WLAN and/or cable clients:
WC-1. Windows 2003, DELL TrueMobile 1300 WLAN client, AEGIS client / driver for WPA
WC-2. Windows XP, T-Sinus 154 Data WLAN client, WinXP SP1 and patch for WPA

Access points:
AP-1. T-Sinus 154 DSL
AP-2. Cisco Aironet 1200

FreeRadius servers:
FR-1. Notebook with Suse 9.1, FreeRadius 1.0.0
FR-2. SUN Sparc E450 (64bit), Solaris 9, FreeRadius 1.0.0 and 1.0.1
      Additionally, Java Enterprise System (JES) 2004 Q2, LDAP Dir.Server 5.2

Both WC-1 and WC-2 can connect to either AP-x and access FR-1 and FR-2. FR-1 can use JES as backend for LDAP authentication.

WLAN setup:
Authentication type: PEAP
Tunneled protocol: EAP-MSCHAPv2
Server identity: do not validate
WEP management: provide encryption key dynamically
WPA mode: WPA 802.1X
Encryption: TKIP

Certificates built for EAP-TLS according to the FreeRadius docs:
    /usr/local/radius/certs.sh
    cp -r /usr/local/radius/certs /usr/local/etc/raddb/

Verification and checks: radtest and radclient: PAM, UNIX, and LDAP.
For UNIX and PAM:
    chmod 404 /etc/passwd
    chmod 404 /etc/shadow

All PATHs mentioned below are from the Solaris system (sorry):
    /usr/local/etc/raddb/users
    /usr/local/etc/raddb/clients.conf
    /usr/local/etc/raddb/radiusd.conf
    /usr/local/etc/raddb/ldap.attrmap

Details can be provided ... but that is not the problem, because:

I. Running WC-2 against FR-1 (Linux): "EAP with local backend" and "EAP with LDAP backend" (Solaris-JES) both work fine.

II. Running WC-2 against FR-2 (Solaris): "EAP with local backend" and "EAP with LDAP backend" (Solaris-JES) both fail (here the latter):

-------- from radiusd -X output --------
rlm_ldap: performing search in dc=xxxxx,dc=de, with filter (uid=yyyyy)
rlm_ldap: Password header not found in password 0x075F36789B3133386FBCD952ED3FC23F for user yyyyy
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding displayname as NT-Password, value 0x075F36789B3133386FBCD952ED3FC23F & op=21
rlm_ldap: Adding displayname as LM-Password, value 0x075F36789B3133386FBCD952ED3FC23F & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user yyyyy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
rlm_mschap: Found LM-Password
rlm_mschap: Found NT-Password
rlm_mschap: Told to do MS-CHAPv2 for yyyyy with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect <<<<<<<<<<<<<<<<<
modcall[authenticate]: module "mschap" returns reject for request 7
modcall: group Auth-Type returns reject for request 7
-------- end of radiusd -X output --------

This leads to the often seen (and misleading) error further down the line: "Had sent TLV failure, rejecting."

Ok, summary:

1. EAP on Solaris fails, EAP on Linux works.

2. Version problems with FreeRadius can be excluded, can't they?

3. Library problem? Short description of a possible source of trouble: building FreeRadius LDAP support needs some fiddling:
   Download OpenLDAP support from www.blastwave.org
       cp -r /opt/csw/include/* /usr/include/
   to get /usr/include/ldap.h to hold all the definitions: LDAP_OPT_SUCCES .... LDAP_OPT_X_TLS_xxxx
       ./configure --without-rlm_sql_iodbc --without-rlm_sql_mysql --without-rlm_sql_postgresql \
           --without-rlm_sql_oracle --without-rlm_sql_unixodbc \
           --with-rlm-ldap-include-dir=/opt/csw/include \
           --with-openssl-includes=/usr/local/ssl/include \
           --with-openssl-libraries=/usr/local/ssl/lib
   After this, make & make install works with a lot of warnings. So, maybe a library problem? Not sure.

4. Check of smbencrypt:
       /usr/bin/smbencrypt yyyyy
   LM Hash-Solaris 5EE48ABDB55D077DAAD3B435B51404EE
   LM Hash-Linux   5EE48ABDB55D077DAAD3B435B51404EE
   NT Hash-Solaris DA2798D017BDEBFD4A515999FBF0C1D3
   NT Hash-Linux   075F36789B3133386FBCD952ED3FC23F
   Compare this to the log (see above), and it seems the Solaris hash (even though different from the Linux hash) fits the submitted NT-Password. Hmm, I cannot cross-check this on the Linux FreeRadius server anymore.

So, what is wrong?

1. Why is the Solaris smbencrypt NT hash different from the Linux NT hash?
2. Why does EAP on Solaris FreeRadius fail?
3. Why does EAP on Solaris FreeRadius with LDAP backend fail?

According to the logs, the answer to 2. and 3. is the same: the passwords do not match. But how to fix it?

Thank you!

Kind regards
Matt

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html