Ah - do I need to be authenticating against something like AD that does MS-CHAP?
I have AD here and that is the eventual goal, but trying to change as little as possible and keep it simple to begin with...

Mark

-----Original Message-----
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org] On Behalf Of Mark Holmes
Sent: 08 February 2011 12:45
To: FreeRadius users mailing list
Subject: PEAP MSCHAPv2 error..

Tested with PAP and radtest, as per http://deployingradius.com/documents/configuration/pap.html

All works OK

Now I want to test from a Windows 7 wireless client using PEAP (MSCHAPv2). The page seems to indicate this should pretty much work with default config. So:-

I added wireless AP to clients.conf

---------------
client 163.1.40.141 {
        secret = testing
}
----------------

Disabled 'Validate server certificate' on the client

Entered bob as username, testing123 as password

I get

No such realm 'NULL'

So added

---------------------
realm test {
        authhost = LOCAL
        accthost = LOCAL
}

To proxy.conf - not sure this is the correct way of resolving a null realm, though.....
----------------

And this time entered bob@test as the username, testing123 as password

Now I get rejected - the following from the debug output looks relevant

[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for bob@test with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE

I posted the full debug output at http://www.nuffield.ox.ac.uk/scratch2/test-peap.log - as I wasn't sure posting all 900+ lines to this list would be appreciated - or is that OK in future? The MSCHAP errors are line 901 onwards.

I'm doing something silly, no doubt - but what? Should this config just work out of the box?

Appreciate any help.

Cheers

Mark

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

