I have a strange problem where the initial 802.1X authentication is successful, but subsequent auth attempts fail. This is using Windows XP SP3 PEAP/MS-CHAPv2, FreeRADIUS 2.1.3, with Active Directory running on a Windows 2003 server.
I noticed the following discrepancy in the RADIUS logs. The two auth attempts are identical until this part:

Successful:

    Info: Found Auth-type = EAP
    Info: +- entering group authenticate (...)
    Info: [eap] Request found, released from list
    Info: [eap] EAP/peap
    Info: [eap] processing type peap
    Info: [peap] processing EAP-TLS
    Info: [peap] eaptls_verify returned 7
    Info: [peap] Done initial handshake
    Info: [peap] eaptls_process returned 7
    Info: [peap] EAPTLS_OK
    Info: [peap] Session established. Decoding tunneled attributes.
    Info: [peap] Received EAP-TLV response.
    Info: [peap] Success
    Info: [peap] Using saved attributes from the original Access-Accept

Unsuccessful:

    Info: Found Auth-type = EAP
    Info: +- entering group authenticate (...)
    Info: [eap] Request found, released from list
    Info: [eap] EAP/mschapv2
    Info: [eap] processing type mschapv2
    Info: [mschapv2] +- entering group MS-CHAP (...)
    Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password.
    Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password.
    Info: [mschap] Told to do MS-CHAPv2 for seth with NT-Password ...
    Info: Debug: Exec-Program output: Logon failure (0xxc000006d)
    Info: Debug: Exec-Program-Wait: plaintext: Logon failure (0xxc000006d)
    Info: Debug: Exec-Program: returned 1
    Info: [mschap] External script failed.
    Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
    Info: ++[mschap] returns reject
    Info: [eap] Freeing handler
    Info: ++[eap] returns reject
    Info: Failed to authenticate the user.

Why is one auth request using the mschapv2 group and the other PEAP? Both are from the same client on the same switchport. Has anyone else run into this type of problem? Is there a configuration on the supplicant or Active Directory that could cause this?
More information if necessary, from modules.conf:

    eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        tls {
            private_key_password = whatever
            private_key_file = ${raddbdir}/cert_privkey.key
            certificate_file = ${raddbdir}/cert_certificate.pem
            CA_file = ${raddbdir}/cert_ca_cert.pem
            dh_file = /etc/raddb/certs/dh
            random_file = /etc/raddb/certs/random
            fragment_size = 1024
            include_length = yes
            check_crl = no
            check_cert_cn = %{Stripped-User-Name:-%{User-Name}}
        }
        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
            proxy_tunneled_request_as_eap = yes
        }
        mschapv2 {
        }
    }

Thanks,
/Seth
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
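The question in the post is really about two things that the raw debug output makes hard to see at a glance: which EAP type the outer server was handed for each request (PEAP, type 25, versus bare EAP-MSCHAPv2, type 26), and what the domain controller actually said when ntlm_auth failed. The script below is an added example, not code from the post or from FreeRADIUS. It splits radiusd -X style output into per-request blocks, notes whether the MS-CHAPv2 step ran inside the PEAP inner-tunnel server, and decodes the NTSTATUS code from the ntlm_auth failure line (0xC000006D is STATUS_LOGON_FAILURE). It assumes the 2.x debug markers "rad_recv: Access-Request", "server inner-tunnel {", "} # server inner-tunnel" and "Sending Access-Accept"; the sample log is constructed, condensed from the two attempts quoted above, and keeps the doubled "x" exactly as the post shows it.

```python
"""Triage radiusd -X output for PEAP / MS-CHAPv2 failures.

Added example; not code from the post or from FreeRADIUS.  Per request it
records the EAP type the outer server saw, whether MS-CHAPv2 ran inside the
PEAP tunnel (2.x prints "server inner-tunnel { ... } # server inner-tunnel")
and the NTSTATUS code ntlm_auth printed on failure.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# NTSTATUS values ntlm_auth relays from the domain controller (MS-ERREF).
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE (bad username or password)",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

REQ_START = re.compile(r"rad_recv: Access-Request packet from host (\S+)")
EAP_TYPE = re.compile(r"\[eap\] EAP/(\w+)")
MSCHAP_FAIL = re.compile(r"\[mschap\] FAILED: (.+)")
# ntlm_auth prints "Logon failure (0xc000006d)"; the post quotes a doubled
# "x", so one or more are accepted.
NT_CODE = re.compile(r"\(0x+([0-9a-fA-F]{8})\)")


@dataclass
class AuthAttempt:
    client: str
    outer_eap: Optional[str] = None          # EAP type seen outside any tunnel
    mschap_in_tunnel: Optional[bool] = None  # None if mschap never ran
    nt_status: Optional[int] = None
    mschap_error: Optional[str] = None
    accepted: bool = False

    def verdict(self) -> str:
        if self.accepted:
            return "accept"
        if self.nt_status is not None:
            name = NTSTATUS.get(self.nt_status, "unknown NTSTATUS")
            where = "inside the PEAP tunnel" if self.mschap_in_tunnel else "OUTSIDE any tunnel"
            return f"reject: ntlm_auth 0x{self.nt_status:08x} {name}; MS-CHAPv2 ran {where}"
        if self.mschap_error:
            return f"reject: {self.mschap_error}"
        return "incomplete"


def parse_debug_log(text: str) -> List[AuthAttempt]:
    """Split debug output at each Access-Request and summarise every block."""
    attempts: List[AuthAttempt] = []
    cur: Optional[AuthAttempt] = None
    in_tunnel = False
    for line in text.splitlines():
        m = REQ_START.search(line)
        if m:
            cur = AuthAttempt(client=m.group(1))
            attempts.append(cur)
            in_tunnel = False
            continue
        if cur is None:
            continue
        if "server inner-tunnel {" in line:
            in_tunnel = True
        elif "} # server inner-tunnel" in line:
            in_tunnel = False
        m = EAP_TYPE.search(line)
        if m and cur.outer_eap is None and not in_tunnel:
            cur.outer_eap = m.group(1)          # first EAP type at the outer server
        if "[mschap]" in line and cur.mschap_in_tunnel is None:
            cur.mschap_in_tunnel = in_tunnel    # where the NT hash check happened
        m = NT_CODE.search(line)
        if m:
            cur.nt_status = int(m.group(1), 16)
        m = MSCHAP_FAIL.search(line)
        if m:
            cur.mschap_error = m.group(1).strip()
        if "Sending Access-Accept" in line:
            cur.accepted = True
    return attempts


# Constructed sample, condensed from the two attempts quoted in the post.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.0.2 port 1645, id=5, length=210
Found Auth-type = EAP
[eap] EAP/peap
[peap] Session established.  Decoding tunneled attributes.
server inner-tunnel {
[eap] EAP/mschapv2
[mschap] Told to do MS-CHAPv2 for seth with NT-Password
++[mschap] returns ok
} # server inner-tunnel
[peap] Using saved attributes from the original Access-Accept
Sending Access-Accept of id 5 to 10.0.0.2 port 1645
rad_recv: Access-Request packet from host 10.0.0.2 port 1645, id=6, length=210
Found Auth-type = EAP
[eap] EAP/mschapv2
[mschap] Told to do MS-CHAPv2 for seth with NT-Password
Exec-Program output: Logon failure (0xxc000006d)
[mschap] FAILED: MS-CHAP2-Response is incorrect
Failed to authenticate the user.
Sending Access-Reject of id 6 to 10.0.0.2 port 1645
"""

if __name__ == "__main__":
    for a in parse_debug_log(SAMPLE_LOG):
        print(f"{a.client}: outer EAP={a.outer_eap}: {a.verdict()}")
```

Run against a real radiusd -X capture, an attempt whose outer EAP type is mschapv2 with no inner-tunnel markers means the supplicant answered the server's EAP-Request with bare EAP-MSCHAPv2 instead of starting PEAP, so the NT hash check ran with no TLS protection around it; an attempt whose MS-CHAPv2 step ran inside the tunnel but still produced 0xC000006D is a credential problem on the AD side. Only the NTSTATUS codes ntlm_auth actually prints can be decoded; the table above is a short list of the common ones, not a complete one.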