Hey everyone! I'm trying to configure a FreeRadius server that authenticates with MSCHAPv2 with an Active Directory 2008. It's my first radius install so go easy with me, I'm a noob :)
I've followed the following howto: http://deployingradius.com/documents/configuration/active_directory.html and everything goes fine with the radtest, wbinfo, ntlm_auth and my user is correctly authenticated.

I'm now trying to connect a Windows 7 supplicant using that radius server. (That client is configured to use "Microsoft : Protected EAP (PEAP)", "validate server certificate" is unchecked and the authentication is on "secured password (EAP-MSCHAPv2)".)

The problem seems to be that my client stops answering after 4-5 Access-Challenge. I saw the remarks about the xpextensions of the certificates and made sure that the included makefile correctly uses the xpextensions, which it seems to be doing.

The full debug is here: http://pastebin.com/B86AgN1N

It seems that mschap correctly authenticates the user:

Fri Mar 18 09:51:31 2011 : Info: +- entering group authenticate {...}
Fri Mar 18 09:51:31 2011 : Info: [eap] Request found, released from the list
Fri Mar 18 09:51:31 2011 : Info: [eap] EAP/mschapv2
Fri Mar 18 09:51:31 2011 : Info: [eap] processing type mschapv2
Fri Mar 18 09:51:31 2011 : Info: [mschapv2] +- entering group MS-CHAP {...}
Fri Mar 18 09:51:31 2011 : Info: [mschap] Told to do MS-CHAPv2 for gchavepeyer with NT-Password
Fri Mar 18 09:51:31 2011 : Info: [mschap] No NT-Domain was found in the User-Name.
Fri Mar 18 09:51:31 2011 : Info: [mschap] expand: --domain=%{mschap:NT-Domain:-EUROPE} -> --domain=EUROPE
Fri Mar 18 09:51:31 2011 : Info: [mschap] expand: --username=%{mschap:User-Name} -> --username=gchavepeyer
Fri Mar 18 09:51:31 2011 : Info: [mschap] mschap2: 5c
Fri Mar 18 09:51:31 2011 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=82d538878ea2db35
Fri Mar 18 09:51:31 2011 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=555bd723d3058e951670b77a443550a83f4eab5af5124f1f
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program output: NT_KEY: 99DC7FD7D0C603D05D96779E61DF89AF
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program-Wait: plaintext: NT_KEY: 99DC7FD7D0C603D05D96779E61DF89AF
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program: returned: 0
Fri Mar 18 09:51:31 2011 : Info: [mschap] adding MS-CHAPv2 MPPE keys
Fri Mar 18 09:51:31 2011 : Info: ++[mschap] returns ok
Fri Mar 18 09:51:31 2011 : Debug: MSCHAP Success
Fri Mar 18 09:51:31 2011 : Info: ++[eap] returns handled
} # server inner-tunnel
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled reply code 11
        EAP-Message = 0x011400331a0313002e533d46443545363236453946453838393330423230313643394537314632313231464433373038344446
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3cafd11f3dbbcb7c3aaaafe5efc8d331
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x011400331a0313002e533d46443545363236453946453838393330423230313643394537314632313231464433373038344446
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3cafd11f3dbbcb7c3aaaafe5efc8d331
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled Access-Challenge
Fri Mar 18 09:51:31 2011 : Info: ++[eap] returns handled
Sending Access-Challenge of id 29 to 10.32.25.204 port 32768
        EAP-Message = 0x0114005b19001703010050efa71e4179b8bba7065b53e5c07cc774ffa8494adc0cd61c810e10ea5af21f52ac755a7f7a908b1c6898ac8039096320bf270f4ff208b22559eb7111f6c2e4412eaad47c33a4e151d5ad626af368c991
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x11c1c21a16d5dba84c633101b1a44bc3
Fri Mar 18 09:51:31 2011 : Info: Finished request 7.
Fri Mar 18 09:51:31 2011 : Debug: Going to the next request
Fri Mar 18 09:51:31 2011 : Debug: Waking up in 4.8 seconds.
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 0 ID 22 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 1 ID 23 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 2 ID 24 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 3 ID 25 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 4 ID 26 with timestamp +27
Fri Mar 18 09:51:36 2011 : Debug: Waking up in 0.1 seconds.
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 5 ID 27 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 6 ID 28 with timestamp +27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 7 ID 29 with timestamp +27
Fri Mar 18 09:51:36 2011 : Debug: Ready to process requests.

The server sends an Access-Challenge (instead of an Access-Accept?) again but the client never answers back and the client gets an "unable to connect to xxxx...."

Can someone please help me with this? (All my configuration is visible in the first debug lines but if needed I can post the content of any file.)

Thanks a lot !!!

Geoffrey.
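Decoding the two EAP-Message values from the debug output above shows what the last Access-Challenge carries. This is an added example, not part of the original post or of FreeRADIUS; the function and table names are illustrative.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
MSCHAP_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# EAP-Message values copied from the debug output in the post.
INNER = ("0x011400331a0313002e533d4644354536323645394645383839333042"
         "3230313643394537314632313231464433373038344446")
OUTER = ("0x0114005b19001703010050efa71e4179b8bba7065b53e5c07cc774ffa8494a"
         "dc0cd61c810e10ea5af21f52ac755a7f7a908b1c6898ac8039096320bf27"
         "0f4ff208b22559eb7111f6c2e4412eaad47c33a4e151d5ad626af368c991")

def parse_eap(hex_value):
    """Decode one EAP-Message attribute value as printed by radiusd -X."""
    if hex_value.startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match attribute size")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length < 5:
        return pkt  # EAP Success/Failure packets have no type field
    eap_type, body = raw[4], raw[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 26 and body:
        pkt["opcode"] = MSCHAP_OPCODES.get(body[0], body[0])
        # Success/Failure requests carry MS-CHAPv2-ID, MS-Length and a message;
        # the peer's Success/Failure responses are the opcode byte alone.
        if code == 1 and body[0] in (3, 4) and len(body) >= 4:
            pkt["ms_id"], ms_len = struct.unpack("!BH", body[1:4])
            pkt["message"] = body[4:ms_len].decode("ascii", "replace")
    elif eap_type == 25 and body:
        pkt["peap_flags"] = body[0]
        # With the L flag (0x80) a 4-byte TLS message length precedes the record.
        off = 5 if body[0] & 0x80 else 1
        if len(body) >= off + 5:
            ctype, major, minor, rec_len = struct.unpack("!BBBH", body[off:off + 5])
            pkt["tls_record"] = {"content_type": ctype,
                                 "version": (major, minor), "length": rec_len}
    return pkt

if __name__ == "__main__":
    print(parse_eap(INNER))
    print(parse_eap(OUTER))
```

The inner packet decodes as an EAP-MSCHAPv2 Success Request (opcode 3) carrying the "S=" authenticator response, which the supplicant has to acknowledge inside the tunnel before the server can send Access-Accept. The outer packet is a PEAP request holding one TLS application-data record, that is, the same Success Request encrypted for the client.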