I've upgraded FreeRadius to 2.1.10 and Samba to 3.5.6. I've got right through (again) to the final "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" stage but the command 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123' fails.
The 'radiusd -X' output finishes with:

WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x89fe3c9f81f72525 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

http://wiki.freeradius.org/Certificate_Compatibility refers to a problem when the client is a Windows machine, but I'm running the 'eapol_test' command on the FreeRadius server, which is Linux (CentOS).

The following lines from the output of the 'eapol_test' command seem to indicate a problem with the root certificate:

OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate

I created the certificates using the method described in http://deployingradius.com/documents/configuration/certificates.html

I can supply the full output from the 'eapol_test' command and from 'radiusd -X', but they're too big to include in this email.

Can anyone tell me what I'm doing wrong?

Thanks
Martin.
================================================================

Here are the errors/warnings sections from the output of the 'eapol_test' command and from 'radiusd -X', and the full contents of peap-mschapv2-cert-ntlm_auth.conf, the ca.cnf, server.cnf & client.cnf files & eap.conf:

'eapol_test' errors/warnings
============================
:
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=2 len=6) from RADIUS server: EAP-Request-PEAP (25)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=25 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP)
TLS: Phase2 EAP types - hexdump(len=40): 00 00 00 00 04 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00
TLS: using phase1 config options
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-PEAP: Start (server ver=0, own ver=1)
EAP-PEAP: Using PEAP version 0
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before/connect initialization
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client hello A
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server hello A
SSL: SSL_connect - want more data
SSL: 112 bytes pending from ssl_out
SSL: 112 bytes left to be sent out (of total 112 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=122)
:
'radiusd -X' errors/warnings
============================
:
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: USERNAME
[mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password
[mschap]  expand: --username=%{mschap:User-Name:-None} -> --username=USERNAME
[mschap] No NT-Domain was found in the User-Name.
[mschap]  expand: %{mschap:NT-Domain} ->
[mschap]  ... expanding second conditional
[mschap]  expand: --domain=%{%{mschap:NT-Domain}:-CAMPUS} -> --domain=CAMPUS
[mschap]  mschap2: 8a
[mschap] Creating challenge hash with username: USERNAME
[mschap]  expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ee9182b1015b8ded
[mschap]  expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=69c37f86d6f44237a66d979b71072d9b874e0fd822adf858
Exec-Program output: NT_KEY: 4600A59AAB67436A4D937233DEED28B7
Exec-Program-Wait: plaintext: NT_KEY: 4600A59AAB67436A4D937233DEED28B7
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010900331a0308002e533d43433730383935313337463446383333384338344634373038363136364246374137353446433330
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9197308e909e2a67190d1c1ddd88b035
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010900331a0308002e533d43433730383935313337463446383333384338344634373038363136364246374137353446433330
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9197308e909e2a67190d1c1ddd88b035
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 8 to 127.0.0.1 port 50462
        EAP-Message = 0x0109005b19001703010050ad7b5774ef100e1dd3a5c7a83b174202511c51378dc9f1932cf39dc92db9b588fa9f336d1aeb825807e62e2cc34dd162d02aa28c9104381f52a86933e2b9e0f65927f00c2fb64b78a078cc5e8e79457b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x20754327287c5ad31b57225dabc8b87e
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +76
Cleaning up request 1 ID 1 with timestamp +76
Cleaning up request 2 ID 2 with timestamp +76
Cleaning up request 3 ID 3 with timestamp +76
Cleaning up request 4 ID 4 with timestamp +76
Cleaning up request 5 ID 5 with timestamp +76
Cleaning up request 6 ID 6 with timestamp +76
Cleaning up request 7 ID 7 with timestamp +76
Cleaning up request 8 ID 8 with timestamp +76
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x20754327287c5ad3 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
peap-mschapv2-cert-ntlm_auth.conf
=================================
#
# eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123
#
# eapol_version=1
# fast_reauth=0
network={
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="USERNAME"
        password="PASSWORD"
        # wpa_supplicant documents the PEAP inner method as auth=MSCHAPV2;
        # autheap=... is the EAP-TTLS form. With no auth= value matched, the
        # "Phase2 EAP types" hexdump in the eapol_test output lists all five
        # inner methods (4, 26, 6, 5, 17) instead of just MSCHAPv2.
        phase2="autheap=MSCHAPV2"
        # priority=10
        ca_cert="/etc/raddb/certs/ca.der"
}

ca.cnf
======
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/ca.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
prompt = no
distinguished_name = certificate_authority
default_bits = 2048
input_password = inpass
output_password = outpass
x509_extensions = v3_ca

[certificate_authority]
countryName = UK
stateOrProvinceName = United Kingdom
localityName = Bristol
organizationName = UWE
emailAddress = em...@uwe.ac.uk
commonName = "UWE Certificate Authority"

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

================================================================

server.cnf
==========
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/server.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 730
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
prompt = no
distinguished_name = server
default_bits = 2048
input_password = inpass
output_password = outpass

[server]
countryName = UK
stateOrProvinceName = United Kingdom
localityName = Bristol
organizationName = UWE
emailAddress = em...@uwe.ac.uk
commonName = "UWE Server Certificate"

================================================================

client.cnf
==========
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/server.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 730
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
prompt = no
distinguished_name = client
default_bits = 2048
input_password = inpass
output_password = outpass

[client]
countryName = UK
stateOrProvinceName = United Kingdom
localityName = Bristol
organizationName = UWE
emailAddress = em...@uwe.ac.uk
commonName = "UWE Client Certificate"

eap.conf
========
eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = outpass
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                cipher_list = "DEFAULT"
                cache {
                        enable = no
                        max_entries = 255
                }
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
}

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
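Editor's note, added to this thread and not part of Martin's post or of the FreeRADIUS or wpa_supplicant projects. In wpa_supplicant's tls_openssl.c the pair of lines "Failed to load root certificates" followed by "loaded DER format CA certificate" means the PEM load attempt failed and the DER fallback succeeded; the all-zero error:00000000 shows OpenSSL reported no actual error, so ca.der itself did load. What is worth checking before blaming the supplicant is whether the certificate files agree with each other: that server.pem chains to the ca.pem named in eap.conf's CA_file, that the ca.der given to eapol_test is the same certificate as that ca.pem, and, for the Windows case the Certificate_Compatibility wiki page is about, that the server certificate carries the serverAuth extendedKeyUsage (the xpserver_ext extension in the deployingradius.com Makefile). The script below builds a throwaway CA and server certificate with openssl and runs those three checks; the subject names and temporary directory are demo assumptions, not the poster's real /etc/raddb/certs files.

```shell
#!/bin/sh
# Added example (not from the original post): generate a demo CA and a
# CA-signed server certificate, export the CA as PEM and DER, and run the
# consistency checks a RADIUS admin wants before debugging the EAP exchange.
# Subject names and $WORK are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_demo_certs() {
    # Self-signed CA, 10 years, same DN fields the poster's ca.cnf uses.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=UK/ST=United Kingdom/O=UWE/CN=Demo Certificate Authority" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # Server CSR, then sign it with the CA, adding the xpserver_ext-style EKU
    # that Windows supplicants require on a PEAP server certificate.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=UK/ST=United Kingdom/O=UWE/CN=Demo Server Certificate" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'extendedKeyUsage = serverAuth\n' > "$WORK/xpserver_ext.cnf"
    openssl x509 -req -sha256 -days 730 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/xpserver_ext.cnf" -out "$WORK/server.pem" 2>/dev/null
    # DER copy of the CA, the form eapol_test's ca_cert= line points at.
    openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
}

# Returns 0 if PEM certificate $2 verifies against CA file $1
# (what radiusd's CA_file / certificate_file pair must satisfy).
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of certificate $1 in form $2 (PEM or DER), hex only.
fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 if the PEM file $1 and the DER file $2 are the same certificate,
# i.e. the supplicant and the server trust the same CA.
same_ca() {
    [ "$(fingerprint "$1" PEM)" = "$(fingerprint "$2" DER)" ]
}

# Returns 0 if PEM certificate $1 carries extendedKeyUsage serverAuth.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

make_demo_certs

if chain_ok "$WORK/ca.pem" "$WORK/server.pem"; then
    echo "server.pem chains to ca.pem"
else
    echo "server.pem does NOT chain to ca.pem"; exit 1
fi
if same_ca "$WORK/ca.pem" "$WORK/ca.der"; then
    echo "ca.der and ca.pem are the same certificate"
else
    echo "ca.der and ca.pem DIFFER"; exit 1
fi
if has_server_auth_eku "$WORK/server.pem"; then
    echo "server.pem has the serverAuth EKU"
else
    echo "server.pem lacks the serverAuth EKU (Windows clients will reject it)"; exit 1
fi
```

To run the same checks against a real deployment, point chain_ok at the CA_file and certificate_file from eap.conf, same_ca at that CA_file and the ca_cert= file from the eapol_test configuration, and has_server_auth_eku at the server certificate; any failing check is a certificate-build problem, not an ntlm_auth one.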