Sorry for the long subject :-)
Have spent a few days on this setup and learned a lot from your mailing list
(thank you, Alan and everybody else), but I think there is a problem not
covered yet between Solaris- and Linux-compiled code (?). Long story:
We set up the following:
WLAN and/or Cable Clients:
WC-1. Windows 2003, DELL TrueMobile 1300 WLAN client, AEGIS
client / driver for WPA
WC-2. Windows XP, T-Sinus 154 Data WLAN client, WinXP SP1 and
patch for WPA
AccessPoints:
AP-1. T-Sinus 154 DSL
AP-2. Cisco Aironet 1200
FreeRadius Server:
FR-1. Notebook with Suse 9.1, FreeRadius 1.0.0
FR-2. SUN Sparc E450 (64bit), Solaris 9, FreeRadius 1.0.0 and 1.0.1
Additionally, Java Enterprise System (JES) 2004 Q2, LDAP Dir.Server 5.2
Both WC-1, WC-2 can connect to either AP-x and access FR-1 and FR-2.
FR-1 can use JES as backend for LDAP authentication.
WLAN setup:
Authentication type: PEAP
Tunneled Protocol: EAP-MSCHAPv2
Server Identity: do not validate
WEP management: provide encryption key dynamically
WPA mode: WPA 802.1X
Encryption: TKIP
Certificates built for EAP-TLS according to the FreeRadius docs:
/usr/local/radius/certs.sh
cp -r /usr/local/radius/certs /usr/local/etc/raddb/
Verification and checks:
radtest and radclient: PAM, UNIX, and LDAP
for UNIX and PAM:
chmod 404 /etc/passwd
chmod 404 /etc/shadow
All paths mentioned below are from the Solaris system (sorry):
/usr/local/etc/raddb/users
/usr/local/etc/raddb/clients.conf
/usr/local/etc/raddb/radiusd.conf
/usr/local/etc/raddb/ldap.attrmap
Details can be provided ... but that is not the problem, because:
I. Running WC-2 against FR-1 (Linux) "EAP with local backend"
and "EAP with LDAP backend" (Solaris-JES) works fine.
II. Running WC-2 against FR-2 (Solaris) "EAP with local backend"
and "EAP with LDAP backend" (Solaris-JES) both fail (here the latter):
-------- from radiusd -X output --------
rlm_ldap: performing search in dc=xxxxx,dc=de, with filter (uid=yyyyy)
rlm_ldap: Password header not found in password 0x075F36789B3133386FBCD952ED3FC23F for user yyyyy
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding displayname as NT-Password, value 0x075F36789B3133386FBCD952ED3FC23F & op=21
rlm_ldap: Adding displayname as LM-Password, value 0x075F36789B3133386FBCD952ED3FC23F & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user yyyyy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
rlm_mschap: Found LM-Password
rlm_mschap: Found NT-Password
rlm_mschap: Told to do MS-CHAPv2 for yyyyy with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
<<<<<<<<<<<<<<<<<
modcall[authenticate]: module "mschap" returns reject for request 7
modcall: group Auth-Type returns reject for request 7
-------- end of radiusd -X output --------
This leads to the often seen (and misleading) error further down the line:
"Had sent TLV failure, rejecting."
Ok, summary:
1. EAP on Solaris fails, EAP on Linux works.
2. Version problems with FreeRadius can be excluded, can't they?
3. Library problem ?
Short description of possible source of trouble:
Building FreeRadius LDAP support needs some fiddling:
Download OpenLDAP support from www.blastwave.org
cp -r /opt/csw/include/* /usr/include/
to get /usr/include/ldap.h to hold all the definitions:
LDAP_OPT_SUCCESS .... LDAP_OPT_X_TLS_xxxx
./configure --without-rlm_sql_iodbc --without-rlm_sql_mysql --without-rlm_sql_postgresql \
            --without-rlm_sql_oracle --without-rlm_sql_unixodbc \
            --with-rlm-ldap-include-dir=/opt/csw/include \
            --with-openssl-includes=/usr/local/ssl/include \
            --with-openssl-libraries=/usr/local/ssl/lib
After this, make & make install work, with a lot of warnings.
So, maybe a library problem? Not sure.
4. Check of smbencrypt:
/usr/bin/smbencrypt yyyyy
LM Hash - Solaris: 5EE48ABDB55D077DAAD3B435B51404EE
LM Hash - Linux:   5EE48ABDB55D077DAAD3B435B51404EE
NT Hash - Solaris: DA2798D017BDEBFD4A515999FBF0C1D3
NT Hash - Linux:   075F36789B3133386FBCD952ED3FC23F
Compare this to the log (see above) and it seems the Solaris hash (even though
it differs from the Linux hash) fits the submitted NT password.
Hmm, cannot cross-check this on the Linux FreeRadius server anymore.
So, what is wrong?
1. Why is the Solaris smbencrypt NT hash different from the Linux NT hash?
2. Why does EAP on Solaris FreeRadius fail?
3. Why does EAP on Solaris FreeRadius with LDAP backend fail?
According to the logs, the answer to 2. and 3. is the same: the passwords do not match.
But how to fix it?
Thank You! Kind regards
Matt
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
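Added example, not part of the original post and not code from FreeRADIUS or smbencrypt. The NT hash that MS-CHAPv2 relies on is defined as MD4 over the UTF-16LE encoding of the password, regardless of host byte order, so two correct implementations must agree. The script below implements MD4 in pure Python (hashlib may not offer md4 on newer OpenSSL builds), computes the NT hash, and includes a diagnostic that, for a given password and an observed hash, reports whether the hash is the correct UTF-16LE value or the value a big-endian host would produce if it emitted the password as UTF-16BE by mistake. That byte-order explanation is only an assumption about the SPARC difference reported above; the post does not confirm it, and since the real password is redacted the sample password here is constructed.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Message words and length are little-endian by definition."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # (boolean function, additive constant, message-word order, shift schedule)
    rounds = [
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for f, add, order, shifts in rounds:
            for i, k in enumerate(order):
                r = (-i) % 4  # register updated this step: A, D, C, B, A, ...
                t = (s[r] + f(s[(r + 1) % 4], s[(r + 2) % 4], s[(r + 3) % 4]) + X[k] + add) & MASK32
                s[r] = _rotl(t, shifts[i % 4])
        state = [(a + b) & MASK32 for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str, byte_order: str = "little") -> str:
    """NT hash = MD4(UTF-16LE(password)). 'big' models the assumed byte-order bug."""
    codec = "utf-16-le" if byte_order == "little" else "utf-16-be"
    return md4(password.encode(codec)).hex().upper()


def explain_mismatch(password: str, observed: str):
    """Return which UTF-16 byte order reproduces `observed`, or None if neither does."""
    observed = observed.upper()
    if nt_hash(password, "little") == observed:
        return "utf-16-le"
    if nt_hash(password, "big") == observed:
        return "utf-16-be"
    return None


if __name__ == "__main__":
    # Constructed sample; the password from the post is redacted.
    pw = "password"
    print("correct NT hash  :", nt_hash(pw))
    print("UTF-16BE variant :", nt_hash(pw, "big"))
    for candidate in (nt_hash(pw), nt_hash(pw, "big"), "00" * 16):
        print(candidate, "->", explain_mismatch(pw, candidate))
```

Run it on the same password against both hashes printed by smbencrypt on each host; if the Solaris value is reported as "utf-16-be" the difference is a byte-order defect in the hashing code, and if it is reported as None the cause lies elsewhere. The fact that the LM hashes agree across both hosts is consistent with this assumption, since LM hashing uses DES over the uppercased 8-bit password and has no UTF-16 step, but it does not prove it.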