Re: Help with PEAP

[Israel Fabio Alves]

Hi,
Someone have idea about this problem??
Thanks for help me,
Israel.
Israel Fabio Alves wrote:
Hi,
If I do tests without domain, the authentication run OK.
If I do tests with user + password + domain, occur the information bellow:
 tcpdump -n -i eth0 -vv -s 0 -X udp and \( port 1812 or port 1813 \)
19:41:06.403013 172.22.2.32.2064 > 172.22.2.150.1812:  [udp sum ok] 
rad-access-req 98 [id 99] Attr[  [EMAIL PROTECTED] EAP_msg{..} 
NAS_ipaddr{172.22.2.32} Service_type{Login} Calling_station{0.0.0.0} 
NAS_port_type{Ethernet} Message_auth{Y[....ZLFIb..'.<} ] (ttl 30, id 
38919, len 126)
0x0000   4500 007e 9807 0000 1e11 a785 ac16 0220        E..~............
0x0010   ac16 0296 0810 0714 006a 1477 0163 0062        .........j.w.c.b
0x0020   0000 0ce1 0000 0e32 0000 7afc 0000 2694        .......2..z...&.
0x0030   010e 6973 7261 656c 4054 4553 5445 4f13        [EMAIL PROTECTED]
0x0040   0206 0011 0154 4553 5445 5c69 7372 6165        .....TESTE\israe
0x0050   6c04 06ac 1602 2006 0600 0000 011f 0930        l..............0
0x0060   2e30 2e30 2e30 3d06 0000 000f 5012 595b        .0.0.0=.....P.Y[
0x0070   dea3 eef7 5a4c 4649 62ef 8327 083c             ....ZLFIb..'.<
19:41:06.410197 172.22.2.150.1812 > 172.22.2.32.2064:  [udp sum ok] 
rad-access-reject 20 [id 99] (DF) (ttl 64, id 0, len 48)
0x0000   4500 0030 0000 4000 4011 ddda ac16 0296        [EMAIL PROTECTED]@.......
0x0010   ac16 0220 0714 0810 001c 446d 0363 0014        ..........Dm.c..
0x0020   8e98 4517 d1fc ace0 55b2 f401 e0da ceae        ..E.....U.......


/usr/local/radius/sbin/radiusd -X -A
Ready to process requests.
rad_recv: Access-Request packet from host 172.22.2.32:2065, id=86, 
length=98
        User-Name = "[EMAIL PROTECTED]"
        EAP-Message = 0x020700110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x7b08967cac1e313a1c8f7b19dd4932dc
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: Looking up realm "TESTE" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "TESTE"
    rlm_realm: Adding Stripped-User-Name = "israel"
    rlm_realm: Proxying request from user israel to realm TESTE
    rlm_realm: Adding Realm = "TESTE"
    rlm_realm: Preparing to proxy authentication request to realm "TESTE"
  modcall[authorize]: module "TESTE" returns updated for request 0
  rlm_eap: Request is supposed to be proxied to Realm TESTE.  Not doing 
EAP.
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry israel at line 216
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 0
radius_xlat: 
'/usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314' 

rlm_detail: 
/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d 
expands to 
/usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314 

  modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 0
modcall: group pre-proxy returns ok for request 0
Sending Access-Request of id 0 to 127.0.0.1:1812
        User-Name = "israel"
        EAP-Message = 0x020700110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x3836
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1814, id=0, length=96
        User-Name = "israel"
        EAP-Message = 0x020700110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0xb8f016bb4a4bdd82c395a5f43d058bb1
        Proxy-State = 0x3836
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "israel", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "TESTE" returns noop for request 1
  rlm_eap: EAP packet type response id 7 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry israel at line 216
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Login incorrect: [israel/<no User-Password attribute>] (from client 
localhost port 0 cli 0.0.0.0)
Sending Access-Reject of id 0 to 127.0.0.1:1814
        Proxy-State = 0x3836
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=0, length=24
        Proxy-State = 0x3836
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
radius_xlat: 
'/usr/local/radius/var/log/radius/radacct/172.22.2.32/post-proxy-detail-20050314' 

rlm_detail: 
/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d 
expands to 
/usr/local/radius/var/log/radius/radacct/172.22.2.32/post-proxy-detail-20050314 

  modcall[post-proxy]: module "post_proxy_log" returns ok for request 0
  modcall[post-proxy]: module "eap" returns noop for request 0
modcall: group post-proxy returns ok for request 0
Login incorrect (Home Server says so): [israel/<no User-Password 
attribute>] (from client extreme port 0 cli 0.0.0.0)
Sending Access-Reject of id 86 to 172.22.2.32:2065
Finished request 0
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 0 with timestamp 4236135b
Cleaning up request 0 ID 86 with timestamp 4236135b
Nothing to do.  Sleeping until we see a request.


cat 
/usr/local/radius/var/log/radius/radacct/172.22.2.32/post-proxy-detail-20050314 

Packet-Type = Access-Reject
Mon Mar 14 19:42:35 2005
        Proxy-State = 0x3836
cat 
/usr/local/radius/var/log/radius/radacct/172.22.2.32/pre-proxy-detail-20050314 

Packet-Type = Access-Request
Mon Mar 14 19:42:35 2005
        User-Name = "israel"
        EAP-Message = 0x020700110154455354455c69737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x7b08967cac1e313a1c8f7b19dd4932dc
        Client-IP-Address = 172.22.2.32
        Stripped-User-Name = "israel"
        Realm = "TESTE"
        EAP-Type = Identity
        Realm = "TESTE"
        Proxy-State = 0x3836
Israel Fabio Alves wrote:
Hi,
I need help to configure Freeradius to authenticate Windows XP users
with PEAP + MSCHAPV2.
I need authenticate users using the "username + password + domain".
There is someone that run this that can help me??
Very thanks,
Israel.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html