Hi all, I'd like to use EAP-TTLS with MS-CHAP(v2), so I can use SecureW2 with Freeradius. To be more exact, I'd be using ntlm_auth, so that wireless users will be able to get on the wireless network using their usual windows username / password. I'm using FreeRadius 2.0.3. I've seen several tutorials regarding Freeradius 1, which help, but they are a bit outdated, and are often using a different authentication method or protocol (like PEAP).
I'm stuck getting it to work, and it isn't even at the point of calling ntlm_auth yet (except for the first initial test, described later). I've verified ntlm_auth works on the command line. I've been following (among others) http://deployingradius.com/documents/configuration/active_directory.html which suggested to verify ntlm_auth in radius via this:

    exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
    }

And adding this to the users file:

    Auth-Type := ntlm_auth

Once this passed (I tested with radtest), I commented out both, because it was only for testing. Side note: I had set 'wait = no' previously, due to the tutorial mentioning that, but then the password was always correct even if I provided an incorrect one.

I've also been reading http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO by the way, and while it did help they use PEAP (w/mschapv2) so hmm.

Anyway, back on track: I've taken the default radius configuration files (as of v2.0.3), and edited them. I hope I've pasted all relevant parts here; if not, let me know.

radiusd.conf:

    $INCLUDE eap.conf

    mschap {
        require_encryption = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }

I should also note that I have with_ntdomain_hack set to 'no' in preprocess{} (but to yes in mschap as pasted above), as I'll be using the realms module for that (or at least I try to).

Then the eap.conf:

    eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        ...
        ttls {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
            virtual_server = "inner-tunnel"
        }
        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = no
            use_tunneled_reply = no
            virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
    }

and sites-enabled/default:

    authorize {
        preprocess
        chap
        mschap
        ntdomain
        eap {
            ok = return
        }
        unix
        files
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }

And proxy.conf entry:

    realm DOMAIN {
    }

This is what I get using the 'rad_eap_test' tool, since I'm working remotely and cannot use securew2 at the moment (if someone has another suggestion on how to check eap ttls w/mschapv2, let me know; it seems the radclient and radtest utils won't suffice because they don't do mschapv2):

    ./rad_eap_test -H 127.0.0.1 -P 1812 -S xxx -u 'DOMAIN\myuser' -p xxx -m WPA-EAP -e TTLS -v
    access-reject; 1

Radius log was a bit too large; uploaded to: http://www.vulnscan.org/tmp/radius_log.txt

I think this is the most relevant part:

    Wed May 21 15:09:43 2008 : Debug: +- entering group authorize
    Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 5
    Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 5
    Wed May 21 15:09:43 2008 : Debug: ++[preprocess] returns ok
    Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 5
    Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 5
    Wed May 21 15:09:43 2008 : Debug: ++[chap] returns noop
    Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 5
    Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 5
    Wed May 21 15:09:43 2008 : Debug: ++[mschap] returns noop
    Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: calling ntdomain (rlm_realm) for request 5
    Wed May 21 15:09:43 2008 : Debug: rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\myuser"
    Wed May 21 15:09:43 2008 : Debug: rlm_realm: Found realm "DOMAIN"
    Wed May 21 15:09:43 2008 : Debug: rlm_realm: Adding Stripped-User-Name = "myuser"
    Wed May 21 15:09:43 2008 : Debug: rlm_realm: Proxying request from user myuser to realm DOMAIN
    Wed May 21 15:09:43 2008 : Debug: rlm_realm: Adding Realm = "DOMAIN"
    Wed May 21 15:09:43 2008 : Debug: rlm_realm: Authentication realm is LOCAL.
    Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: returned from ntdomain (rlm_realm) for request 5
    Wed May 21 15:09:43 2008 : Debug: ++[ntdomain] returns noop
    Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 5
    Wed May 21 15:09:43 2008 : Debug: rlm_eap: EAP packet type response id 5 length 192
    Wed May 21 15:09:43 2008 : Debug: rlm_eap: Continuing tunnel setup.
    Wed May 21 15:09:43 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 5
    Wed May 21 15:09:43 2008 : Debug: ++[eap] returns ok
    Wed May 21 15:09:43 2008 : Debug: rad_check_password: Found Auth-Type EAP
    Wed May 21 15:09:43 2008 : Debug: auth: type "EAP"
    Wed May 21 15:09:43 2008 : Debug: +- entering group authenticate
    Wed May 21 15:09:43 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 5
    Wed May 21 15:09:43 2008 : Debug: rlm_eap: Request found, released from the list
    Wed May 21 15:09:43 2008 : Debug: rlm_eap: EAP/ttls
    Wed May 21 15:09:43 2008 : Debug: rlm_eap: processing type ttls
    Wed May 21 15:09:43 2008 : Debug: rlm_eap_ttls: Authenticate
    Wed May 21 15:09:43 2008 : Debug: rlm_eap_tls: processing TLS
    Wed May 21 15:09:43 2008 : Debug: eaptls_verify returned 7
    Wed May 21 15:09:43 2008 : Debug: rlm_eap_tls: Done initial handshake
    Wed May 21 15:09:43 2008 : Debug: eaptls_process returned 7
    Wed May 21 15:09:43 2008 : Debug: rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
    Wed May 21 15:09:43 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    Wed May 21 15:09:43 2008 : Debug: auth: Failed to validate the user.
    Wed May 21 15:09:43 2008 : Auth: Login incorrect: [DOMAIN\\myuser/<no User-Password attribute>] (from client localhost port 0 cli 70-6F-6C-69-73-68)
    Wed May 21 15:09:43 2008 : Debug: TTLS: Got tunneled Access-Reject
    Wed May 21 15:09:43 2008 : Debug: rlm_eap: Handler failed in EAP/ttls
    Wed May 21 15:09:43 2008 : Debug: rlm_eap: Failed in EAP select
    Wed May 21 15:09:43 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 5
    Wed May 21 15:09:43 2008 : Debug: ++[eap] returns invalid
    Wed May 21 15:09:43 2008 : Debug: auth: Failed to validate the user.
    Wed May 21 15:09:43 2008 : Auth: Login incorrect: [DOMAIN\\myuser/<via Auth-Type = EAP>] (from client localhost port 0 cli 70-6F-6C-69-73-68)

Any help is very much welcomed :)

Regards,
Bram.

-- 
Bram Matthys
Software developer/IT consultant
[EMAIL PROTECTED]
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: 8DD4 437E 9BA8 09AA 0A8D 1811 E1C3 D65F E6ED 2AA2

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
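An added example, not part of Bram's post: the inner-tunnel virtual server that `ttls { virtual_server = "inner-tunnel" }` hands the decrypted request to, laid out after the stock FreeRADIUS 2.x sites-available/inner-tunnel file (assumed here, since the post does not show it). The "No authenticate method (Auth-Type)" reject in the log is logged after "Session established. Proceeding to decode tunneled attributes.", i.e. inside this server, so this is where the mschap module has to run in authorize before ntlm_auth can ever be called.

```unlang
# Added example (not from the post): the stock FreeRADIUS 2.x
# sites-available/inner-tunnel layout, trimmed; the file itself is assumed.
# The TTLS module decrypts the inner request and runs it through here, so
# the "No authenticate method (Auth-Type)" reject in the log comes from
# this server, not from sites-enabled/default.
server inner-tunnel {
    authorize {
        chap
        # mschap sees MS-CHAP-Challenge / MS-CHAP2-Response in the tunneled
        # request and sets Auth-Type := MS-CHAP.  If it is missing here the
        # inner request has no Auth-Type and is rejected before ntlm_auth
        # is ever called.
        mschap
        # Same realm handling as the outer server: the inner identity is
        # also DOMAIN\myuser, and realm DOMAIN is LOCAL per proxy.conf.
        ntdomain
        update control {
            Proxy-To-Realm := LOCAL
        }
        # EAP-TTLS normally carries MS-CHAPv2 as plain attributes, not as an
        # inner EAP method, so eap returns noop here and mschap does the work.
        eap {
            ok = return
        }
        files
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        # Runs the ntlm_auth command from the mschap {} module block with
        # the challenge and NT-Response taken from the tunneled attributes.
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }
}
```

In `radiusd -X` output the inner request's authorize pass should then show `++[mschap] returns ok` followed by `Found Auth-Type MS-CHAP`, instead of the noop and reject seen above. With `use_tunneled_reply = yes` the MS-CHAP2-Success and MS-MPPE key attributes that mschap returns here are copied into the outer Access-Accept, which the WPA supplicant needs.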