Hi folks,

I have unsuccessfully attempted to authenticate an XP SP2 user with PEAP MSCHAPv2. I am using Solaris 8 for the freeRADIUS server and a CISCO 1100 Access Point. I have tried numerous combinations of ".conf" settings but have not progressed further. I copied the "root.p12" certificate file from the /usr/local/etc/raddb/certs directory and applied it to the XP SP2 Trusted Root Certification Authorities repository; is this what you are supposed to do for PEAP MSCHAPv2 to complement the "cert-srv.pem" files referenced by TLS? Because of a post that I read, I added Service Pack 2 to Win XP PRO. I traced the debug message "rlm_mschap: FAILED: MS-CHAP2-Response is incorrect" to the test statement, after the "smbdes_mschap" function call, that returns "-1" because the "calculated" value is not equal in length to the "response" value. The comments in the "smbdes_mschap" function, which the "do_mschap" function calls, say that the NT Password must be 16 characters long, and presumably the "calculated" and "response" values will then be equal in length. I made my password on the XP machine and in the "users" file 16 characters long, and I added debug statements to the "rlm_mschap" module to backtrack through the data flow to find the problem. I included slices from the "radiusd -X" output, the ".conf" files and the "rlm_mschap" files. Thanks for any help.

John Gauntt

[EMAIL PROTECTED]


The XP SP2 authentication settings are:

        "Enable IEEE 802.1x authentication" - checked

        "Validate server certificate" - checked

        "Connect to these servers" - identified and checked

        "Trusted Root Certification Authorities" - copied file, selected

        "Authentication Method" - EAP-MSCHAPV2

users

EI2F-ENDL1\\Tech_Support User-Password == "endl1_freeradius"
        Framed-IP-Address = 12.1.10.20,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-MTU = 1500,
        Reply-Message = "Hello, %u",
        Fall-Through = no

eap.conf

        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = no

        md5 {
        }

        leap {
        }

        gtc {
                auth_type = PAP
        }

        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
                include_length = yes
        }

        peap {
                default_eap_type = mschapv2
        }

        mschapv2 {
        }
}



rlm_mschap.c (slices)

        /*
         *      The old "mschapv2" function has been moved to
         *      here.
         *
         *      MS-CHAPv2 takes some additional data to create an
         *      MS-CHAPv1 challenge, and then does MS-CHAPv1.
         */
        challenge_hash(response->strvalue + 2,  /* peer challenge */
                       challenge->strvalue,     /* our challenge */
                       username_string,         /* user name */
                       mschapv1_challenge);     /* resulting challenge */

        DEBUG2("  rlm_mschap: Told to do MS-CHAPv2 for %s with NT-Password",
               username_string);

        /*
         *      Added debug line, corrected: nt_password is a VALUE_PAIR *,
         *      not a string, so "%s" has to be given its name member (the
         *      old "%s" on the struct pointer only printed "NT-Password"
         *      because the name happens to be the first member).
         */
        DEBUG2("  rlm_mschap, before do_mschap: PASSWORD \"%s\"", nt_password->name);
        if (do_mschap(inst, request, nt_password, mschapv1_challenge,
                      response->strvalue + 26, nthashhash) < 0) {
                DEBUG2("  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect");
                DEBUG2("  rlm_mschap, after do_mschap: PASSWORD \"%s\"", nt_password->name);
                add_reply(&request->reply->vps, *response->strvalue,
                          "MS-CHAP-Error", "E=691 R=1", 9);
                return RLM_MODULE_REJECT;
        }

        /*
         *      Do normal authentication.
         */
        if (!do_ntlm_auth) {
                /*
                 *      No password: can't do authentication.
                 */
                if (!password) {
                        DEBUG2("  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.");
                        return -1;
                }

                /*
                 *      Added debug lines, corrected: for MS-CHAPv2 "password"
                 *      is the NT-Password pair, whose strvalue is the raw
                 *      16-byte NT hash (not printable text, hence the garbage
                 *      in the trace), so print the attribute name and the
                 *      hash in hex instead of "%s".
                 */
                {
                        char hex[33];
                        int i;

                        for (i = 0; i < 16; i++) {
                                sprintf(hex + 2 * i, "%02x",
                                        (unsigned char) password->strvalue[i]);
                        }
                        DEBUG2("rlm_mschap: Authenticate with %s = 0x%s",
                               password->name, hex);
                }

                /*
                 *      DES-encrypt the 8-byte challenge under the three keys
                 *      derived from the 16-byte hash; the 24-byte result must
                 *      match the client's response byte for byte.
                 */
                smbdes_mschap(password->strvalue, challenge, calculated);
                if (memcmp(response, calculated, 24) != 0) {
                        return -1;
                }
radiusd -X
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 12.1.10.16:21651, id=54, length=254
        User-Name = "EI2F-ENDL1\\Tech_Support"
        Framed-MTU = 1400
        Called-Station-Id = "0011.5c81.b2e0"
        Calling-Station-Id = "000f.f736.3068"
        Message-Authenticator = 0x9a3b62825c10a7dad40ec98b640eeb8c
        EAP-Message = 0x0207005e19001703010053ca62e53f8f7676ccc3f82955de55cbc59fd458311ecc96b59091aeba187701a864d9c3c957674def8a36cb0094554ef73894aa81ed4c14dba38fa25c84f55b25e69a46649b29ab74d61c491aa8b6773c0d2101
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 309
        State = 0x49f3f0933b3261089252bf1917e3d386
        Service-Type = Framed-User
        NAS-IP-Address = 12.1.10.16
        NAS-Identifier = "EI2F_ENDL_AP1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
radius_xlat:  '/usr/local/var/log/radius/radacct/12.1.10.16/auth-detail-20050119'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/12.1.10.16/auth-detail-20050119
  modcall[authorize]: module "auth_log" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "EI2F-ENDL1\Tech_Support", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 7 length 94
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched EI2F-ENDL1\Tech_Support at 94
radius_xlat:  'Hello, EI2F-ENDL1\\Tech_Support'
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020700471a0207004231921e8aec74dee8d62c0b6e9c27dab98200000000000000009ae3285270901081c627bbbf3068c7587e5befbc0b7fc65b00546563685f537570706f7274
  PEAP: Setting User-Name to EI2F-ENDL1\Tech_Support
  PEAP: Adding old state with 57 11
  PEAP: Sending tunneled request
        EAP-Message = 0x020700471a0207004231921e8aec74dee8d62c0b6e9c27dab98200000000000000009ae3285270901081c627bbbf3068c7587e5befbc0b7fc65b00546563685f537570706f7274
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "EI2F-ENDL1\\Tech_Support"
        State = 0x57115b6120fc639f28fc7b3b838d4198
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
radius_xlat:  '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20050119'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20050119
  modcall[authorize]: module "auth_log" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "EI2F-ENDL1\Tech_Support", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 7 length 71
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched EI2F-ENDL1\Tech_Support at 94
radius_xlat:  'Hello, EI2F-ENDL1\\Tech_Support'
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
  rlm_mschap: Told to do MS-CHAPv2 for Tech_Support with NT-Password
  rlm_mschap, before do_mschap: PASSWORD "NT-Password"
rlm_mschap: Authenticate password: ":?!?~%å+??ö?±?¦?"
rlm_mschap: Authenticate password: "NT-Password"
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  rlm_mschap, after do_mschap: PASSWORD "NT-Password"
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
Login incorrect: [EI2F-ENDL1\\Tech_Support/<no User-Password attribute>] (from client localhost port 0)
  PEAP: Got tunneled reply RADIUS code 3
        Framed-IP-Address = 12.1.10.20
        Framed-IP-Netmask = 255.255.255.0
        Framed-MTU = 1500
        Reply-Message = "Hello, EI2F-ENDL1\\\\Tech_Support"
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Processing from tunneled session code 1dcfb8 3
        Framed-IP-Address = 12.1.10.20
        Framed-IP-Netmask = 255.255.255.0
        Framed-MTU = 1500
        Reply-Message = "Hello, EI2F-ENDL1\\\\Tech_Support"
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 54 to 12.1.10.16:21651
        Framed-IP-Address = 12.1.10.20
        Framed-IP-Netmask = 255.255.255.0
        Framed-MTU = 1500
        Reply-Message = "Hello, EI2F-ENDL1\\\\Tech_Support"
        EAP-Message = 0x010800261900170301001bfd1cd8e5e6333dfb79a2ede4a71be51214eada430438e56dacfa0c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3cb3639a44d56de4885ebd3c2755da09
Finished request 6
Going to the next request
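To see what rlm_mschap is actually handed in this trace, here is an added, stdlib-only decoder (not code from the original post or from FreeRADIUS) for the two EAP-Message values above: the tunneled EAP-MSCHAPv2 Response that was rejected and the outer PEAP Access-Challenge that carried the result back. Field layouts follow RFC 3748 (EAP header), the PEAP flags byte (EAP-TLS style, version in the low bits) and RFC 2759 (MS-CHAPv2 Response: 16-byte Peer-Challenge, 8 reserved bytes, 24-byte NT-Response, Flags, Name); the rebuild of the MS-CHAP2-Response attribute as Ident, Flags, Peer-Challenge, Reserved, NT-Response (RFC 2548) is what makes the `strvalue + 2` and `strvalue + 26` offsets in the rlm_mschap slice line up. Both sample inputs are copied from the radiusd -X output in the post.

```python
"""Decode the EAP-Message attributes shown in the radiusd -X trace.

Added example, not from the original post or from FreeRADIUS: a parser for
the EAP header (RFC 3748), the PEAP outer envelope (EAP type 25) and the
tunneled EAP-MSCHAPv2 packet (EAP type 26, field layout from RFC 2759).
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_PEAP = 25
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# Sample inputs copied from the trace in the post: the tunneled EAP-MSCHAPv2
# Response that rlm_mschap rejected, and the outer PEAP Access-Challenge.
TUNNELED_RESPONSE_HEX = (
    "020700471a0207004231921e8aec74dee8d62c0b6e9c27dab9820000000000000000"
    "9ae3285270901081c627bbbf3068c7587e5befbc0b7fc65b00546563685f537570706f7274"
)
OUTER_CHALLENGE_HEX = (
    "010800261900170301001bfd1cd8e5e6333dfb79a2ede4a71be51214eada430438e56dacfa0c"
)


def parse_eap(data: bytes) -> dict:
    """Parse one EAP packet and dispatch on the Type byte of a Request/Response."""
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP Length {length} does not match {len(data)} bytes")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        pkt["type"] = data[4]
        body = data[5:]
        if pkt["type"] == EAP_TYPE_PEAP:
            pkt["peap"] = parse_peap(body)
        elif pkt["type"] == EAP_TYPE_MSCHAPV2:
            pkt["mschapv2"] = parse_mschapv2(body)
    return pkt


def parse_peap(body: bytes) -> dict:
    """PEAP: flags byte, optional 4-byte TLS message length, then TLS records."""
    flags = body[0]
    info = {
        "length_included": bool(flags & 0x80),
        "more_fragments": bool(flags & 0x40),
        "start": bool(flags & 0x20),
        "version": flags & 0x07,
    }
    off = 1
    if info["length_included"]:
        info["tls_message_length"] = struct.unpack("!I", body[1:5])[0]
        off = 5
    tls = body[off:]
    if len(tls) >= 5:
        ctype, major, minor, rlen = struct.unpack("!BBBH", tls[:5])
        info["tls_record"] = {
            "content_type": ctype,      # 23 = application data (the tunneled EAP)
            "version": (major, minor),  # (3, 1) = TLS 1.0
            "length": rlen,
            "complete": len(tls) - 5 == rlen,
        }
    return info


def parse_mschapv2(body: bytes) -> dict:
    """EAP-MSCHAPv2: OpCode, MS-CHAPv2-ID, MS-Length, then the RFC 2759 body."""
    opcode, ms_id, ms_len = struct.unpack("!BBH", body[:4])
    if ms_len != len(body):
        raise ValueError(f"MS-Length {ms_len} does not match {len(body)} bytes")
    info = {"opcode": MSCHAPV2_OPCODES.get(opcode, opcode), "id": ms_id}
    size = body[4] if len(body) > 4 else 0
    if opcode == 1:                      # Challenge: Value-Size 16, challenge, Name
        info["challenge"] = body[5:5 + size].hex()
        info["name"] = body[5 + size:].decode("ascii", "replace")
    elif opcode == 2:                    # Response: Value-Size 49, value, Name
        if size != 49:
            raise ValueError(f"Response Value-Size must be 49, got {size}")
        value = body[5:54]
        info["peer_challenge"] = value[:16].hex()
        info["reserved"] = value[16:24].hex()
        info["nt_response"] = value[24:48].hex()
        info["flags"] = value[48]
        info["name"] = body[54:].decode("ascii", "replace")
        # rlm_eap_mschapv2 hands this to rlm_mschap as an MS-CHAP2-Response
        # attribute laid out as Ident(1) Flags(1) Peer-Challenge(16)
        # Reserved(8) NT-Response(24), hence strvalue + 2 and strvalue + 26.
        info["ms_chap2_response"] = (bytes([ms_id, value[48]]) + value[:48]).hex()
    return info


if __name__ == "__main__":
    for label, hexstr in (("tunneled", TUNNELED_RESPONSE_HEX),
                          ("outer", OUTER_CHALLENGE_HEX)):
        print(label, parse_eap(bytes.fromhex(hexstr)))
```

The decoded Name field is "Tech_Support" with no "EI2F-ENDL1\" prefix, which is the name rlm_mschap reports in the trace and passes into challenge_hash; the peer challenge and NT-Response land at byte offsets 2 and 26 of the rebuilt attribute, matching the slice. The outer packet is an EAP Request carrying a single 27-byte TLS application-data record, so the inner MS-CHAP-Error travels encrypted and the NAS only sees an Access-Challenge at this point.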
