Hi all, I installed two FreeRADIUS servers, one as a home server (x.x.x.239/24) and one for proxy purposes. The home server is working normally with LEAP with MSCHAPv1, and with WPA2 and PEAP with MSCHAPv2.
For another purpose, I need to set up one more FreeRADIUS server to work as a proxy RADIUS server (x.x.x.238/24) that proxies all requests to other home RADIUS servers, including the existing home FreeRADIUS server mentioned above. After testing, PAP and LEAP are proxied successfully, but PEAP/WPA2 with MSCHAPv2 always fails. The following is the debug log from these two FreeRADIUS 2.1.4 servers.

Freeradius (home server) x.x.x.239

rad_recv: Access-Request packet from host x.x.x.238 port 1814, id=58, length=179
    NAS-IP-Address = x.x.x.21 (NAS for testing)
    NAS-Port = 0
    NAS-Port-Type = Wireless-802.11
    User-Name = "test33"
    Calling-Station-Id = "000000000000"
    Called-Station-Id = "000B86611110"
    MS-CHAP-Challenge = 0x09a864e7160039f4a3947f3b856feb68
    MS-CHAP2-Response = 0x00004b0a36e235cca75db5e5d5664eae3cde0000000000000000f2b3d55d43419bcb905569ef7e9c5ea6467e4633eeb10993
    Service-Type = Login-User
    Aruba-Location-Id = "N/A"
    Proxy-State = 0x3134
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "test33", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry test33 at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for test33 with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [test33/<via Auth-Type = mschap>] (from client fd-1 port 0 cli 000000000000)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test33
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 58 to x.x.x.238 port 1814
    Proxy-State = 0x3134
Waking up in 4.9 seconds.
Cleaning up request 0 ID 58 with timestamp +13
Ready to process requests.

Freeradius (proxy server) x.x.x.238

rad_recv: Access-Request packet from host x.x.x.21 port 32846, id=14, length=191
    NAS-IP-Address = x.x.x.21
    NAS-Port = 0
    NAS-Port-Type = Wireless-802.11
    User-Name = "tes...@aaa.com"
    Calling-Station-Id = "000000000000"
    Called-Station-Id = "000B86611110"
    MS-CHAP-Challenge = 0x09a864e7160039f4a3947f3b856feb68
    MS-CHAP2-Response = 0x00004b0a36e235cca75db5e5d5664eae3cde0000000000000000f2b3d55d43419bcb905569ef7e9c5ea6467e4633eeb10993
    Service-Type = Login-User
    Aruba-Location-Id = "N/A"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type = mschap'
++[mschap] returns ok
[suffix] Looking up realm "aaa.com" for User-Name = "tes...@aaa.com"
[suffix] Found realm "aaa.com"
[suffix] Adding Stripped-User-Name = "test33"
[suffix] Adding Realm = "aaa.com"
[suffix] Proxying request from user test33 to realm aaa.com
[suffix] Preparing to proxy authentication request to realm "aaa.com"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 58 to x.x.x.239 port 1812
    NAS-IP-Address = x.x.x.21
    NAS-Port = 0
    NAS-Port-Type = Wireless-802.11
    User-Name = "test33"
    Calling-Station-Id = "000000000000"
    Called-Station-Id = "000B86611110"
    MS-CHAP-Challenge = 0x09a864e7160039f4a3947f3b856feb68
    MS-CHAP2-Response = 0x00004b0a36e235cca75db5e5d5664eae3cde0000000000000000f2b3d55d43419bcb905569ef7e9c5ea6467e4633eeb10993
    Service-Type = Login-User
    Aruba-Location-Id = "N/A"
    Proxy-State = 0x3134
Proxying request 10 to home server x.x.x.239 port 1812
Sending Access-Request of id 58 to x.x.x.239 port 1812
    NAS-IP-Address = x.x.x.21
    NAS-Port = 0
    NAS-Port-Type = Wireless-802.11
    User-Name = "test33"
    Calling-Station-Id = "000000000000"
    Called-Station-Id = "000B86611110"
    MS-CHAP-Challenge = 0x09a864e7160039f4a3947f3b856feb68
    MS-CHAP2-Response = 0x00004b0a36e235cca75db5e5d5664eae3cde0000000000000000f2b3d55d43419bcb905569ef7e9c5ea6467e4633eeb10993
    Service-Type = Login-User
    Aruba-Location-Id = "N/A"
    Proxy-State = 0x3134
Going to the next request
Waking up in 0.9 seconds.
Waking up in 18.9 seconds.
rad_recv: Access-Reject packet from host x.x.x.239 port 1812, id=58, length=24
    Proxy-State = 0x3134
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Login incorrect (Home Server says so): [tes...@aaa.com/<via Auth-Type = mschap>] (from client Controller-1 port 0 cli 000000000000)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> tes...@aaa.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 14 to x.x.x.21 port 32846
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 14 with timestamp +9947
Waking up in 17.2 seconds.
Sending Status-Server of id 70 to 127.0.0.1 port 1812
    Message-Authenticator := 0x00000000000000000000000000000000
    NAS-Identifier := "Status Check. Are you alive?"

You can see that the MS-CHAP-Challenge and the MS-CHAP2-Response are the same on both servers, but why does the home server say that the password is wrong? Can anyone help me check whether there is something wrong in my configuration? Thanks.

The following is the EAP and mschap module configuration of these two servers:

mschap {
    use_mppe = no
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
}

eap {
    default_eap_type = "mschapv2"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
}

--
View this message in context: http://www.nabble.com/Get-fail--MS-CHAP2-Response-is-incorrect--while-proxy-the-mschapv2-between-two-Freeradius-2.1.4-tp22697072p22697072.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
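The derivation the home server actually checks, as an added example that is not part of the original post or of FreeRADIUS: in RFC 2759 the 8-byte challenge the NT-Response is computed over is the first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName), so a proxy that forwards the same MS-CHAP-Challenge and MS-CHAP2-Response but a rewritten User-Name ("test33" instead of the realm-qualified name the client used) hands the home server a response computed for a different challenge. The challenge and response bytes are copied from the debug log above; the full name "test33@aaa.com" is assumed from the Stripped-User-Name and Realm lines, since the post shows it truncated.

```python
"""MS-CHAPv2 challenge derivation (RFC 2759 8.2) using values from the debug log above."""
import hashlib
from dataclasses import dataclass

# Copied from the MS-CHAP-Challenge and MS-CHAP2-Response attributes in the log.
MS_CHAP_CHALLENGE = bytes.fromhex("09a864e7160039f4a3947f3b856feb68")
MS_CHAP2_RESPONSE = bytes.fromhex(
    "00004b0a36e235cca75db5e5d5664eae3cde0000000000000000"
    "f2b3d55d43419bcb905569ef7e9c5ea6467e4633eeb10993"
)


@dataclass
class MsChap2Response:
    ident: int
    flags: int
    peer_challenge: bytes   # 16 bytes chosen by the supplicant
    nt_response: bytes      # 24 bytes: three DES blocks over the 8-byte challenge


def parse_ms_chap2_response(attr: bytes) -> MsChap2Response:
    """Split the 50-byte MS-CHAP2-Response value (RFC 2548 2.3.2 layout:
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24))."""
    if len(attr) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(attr)}")
    return MsChap2Response(attr[0], attr[1], attr[2:18], attr[26:50])


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of SHA1 over
    PeerChallenge || AuthenticatorChallenge || UserName (name as the client sent it)."""
    h = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode("utf-8"))
    return h.digest()[:8]


def challenge_seen_by(user_name: str) -> bytes:
    """The 8-byte challenge a RADIUS server verifies the NT-Response against
    when the request it receives carries the given User-Name."""
    resp = parse_ms_chap2_response(MS_CHAP2_RESPONSE)
    return challenge_hash(resp.peer_challenge, MS_CHAP_CHALLENGE, user_name)


if __name__ == "__main__":
    # "test33@aaa.com" is the assumed full form of the name the log shows truncated;
    # "test33" is the Stripped-User-Name the proxy forwarded to the home server.
    for name in ("test33@aaa.com", "test33"):
        print(f"{name:16} -> ChallengeHash {challenge_seen_by(name).hex()}")
```

The NT-Response itself cannot be recomputed here without the NT hash of the password and a DES implementation; the point is that the challenge input differs once the User-Name is rewritten, so the home server compares against a value the client never computed.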