freeradius+peap+mschap+AD

2010-04-26 Thread Aniss Nazerian
Hi,
I have some strange problems with peap+mschap+AD
I followed the howto on the wiki for AD but with no luck.
When authenticating a user I'll get:

Info: ++[mschap] returns ok
Debug: MSCHAP Success

So I assume that the authentication against AD is OK.

but then the inner tunnel does something

} # server inner-tunnel
Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled reply code 11
EAP-Message =
0x010700331a0306002e533d35454536463235384339353037434438373938303137334434424545393533373537304537393443
Message-Authenticator = 0x
State = 0x55964b77549151644066a939db03f531
Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010700331a0306002e533d35454536463235384339353037434438373938303137334434424545393533373537304537393443
Message-Authenticator = 0x
State = 0x55964b77549151644066a939db03f531
Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
EAP-Message =
0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
Message-Authenticator = 0x
State = 0x3b975d133d90441898602b7c0076958a
Mon Apr 26 12:32:15 2010 : Info: Finished request 6.

After that nothing happens.

I'm using:
FreeRADIUS Version 2.1.1
I have tried both OS X 10.6 and Ubuntu 10.04 clients
I have tried changing AP from CISCO to a Linksys WRT-54GL with DD-WRT
with no luck.

Does anyone have any idea what's wrong?

-- 
Aniss Nazerian, IT-Department, Linnaeus University
Phone: +46-470-708183, E-mail:aniss.nazer...@vxu.se

O ascii ribbon campaign - stop html mail - www.asciiribbon.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius+peap+mschap+AD

2010-04-26 Thread Aniss Nazerian
Hi,

This is what I get.
--
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for usern...@domain.xx with NT-Password
[mschap]expand: %{Stripped-User-Name} - username
[mschap]expand:
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -
--username=username
[mschap] No NT-Domain was found in the User-Name.
[mschap]expand: %{mschap:NT-Domain} -
[mschap]expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN.XX} -
--domain=LNU.SE
[mschap]  mschap2: 67
[mschap]expand: --challenge=%{mschap:Challenge:-00} -
--challenge=756cc36d609e7393
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} -
--nt-response=29dbc4dc525dd28cac668e57a0d85803996301a054d782fb
Exec-Program output: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program-Wait: plaintext: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
---

I'm using WPA2-Enterprise (tried WPA-ent too).
I've tried both PEAP/MSCHAPv2 and EAP-TTLS/MSCHAPv2 and the CA-cert is
used on the client.


On 2010-04-26 15:37, Alan Buxey wrote:
 Hi,
 
 Info: ++[mschap] returns ok
 Debug: MSCHAP Success
 
 So i assume that the auth. against AD is OK
 
 not if you haven't done the EAP inner-tunnel stuff yet - unless you mean
 basic authorize has completed.
 
 but then the inner tunnel does something
 
 well, it tries to
 
 Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
 Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
 Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
 EAP-Message =
 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
 Message-Authenticator = 0x
 State = 0x3b975d133d90441898602b7c0076958a
 
 it sends a challenge back to the NAS/AP - but nothing else is happening.
 so, either the NAS or the client.  how have you got the AP set up? 802.1X or
 WPA-Enterprise? how is the client configured?  to use PEAP/MSCHAPv2 or 
 EAP-TTLS/MSCHAPv2?
 got the required certificate installed on the client?
 
 alan

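The point Alan makes (a challenge goes back to the NAS, then silence) can be read directly off the two EAP-Message dumps in the first post. The decoder below is an added example, not code from FreeRADIUS or from any of the posters. It parses the EAP header (RFC 3748), the PEAP flags byte and TLS record header of EAP type 25, and the EAP-MS-CHAPv2 layout of type 26 (draft-kamath-pppext-eap-mschapv2 / RFC 2759), and applies it to those dumps. The tunneled reply with RADIUS code 11 (Access-Challenge) turns out to be an EAP-MS-CHAPv2 Success Request (OpCode 3 carrying the "S=..." authenticator response), so the next packet the server is waiting for is the supplicant's Success Response, an EAP-Response of length 6 containing only the OpCode, sent inside the TLS tunnel; the log never shows the outer Access-Request that would carry it. The two builder functions, the name user@example.org and the constructed peer-challenge and NT-Response bytes used with them are assumptions for illustration.

```python
"""Decode the EAP-Message hex that FreeRADIUS prints in PEAP/MS-CHAPv2 debug output.

Added example for this thread; not code from FreeRADIUS or from the posters.
Layouts: RFC 3748 (EAP header), PEAP (type 25: flags byte, optional TLS length,
TLS records), draft-kamath-pppext-eap-mschapv2 / RFC 2759 (type 26).
"""
import struct

# Two dumps copied from the 2010-04-26 post: the tunneled reply and the outer packet.
INNER_SUCCESS_REQUEST = ("0x010700331a0306002e533d"
                         "35454536463235384339353037434438373938303137334434424545393533373537304537393443")
OUTER_PEAP_REQUEST = ("0x0107005b19001703010050"
                      "154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d2"
                      "0447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure", 7: "Change-Password"}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def decode_eap(hexstr):
    """Parse one EAP packet given as the '0x...' string FreeRADIUS prints."""
    hexstr = hexstr.strip()
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        # Dumps pasted into mail are often cut short; refuse to guess at missing bytes.
        raise ValueError(f"EAP length field says {length} bytes but {len(data)} are present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):
        return pkt  # EAP-Success / EAP-Failure carry no Type or payload
    eap_type = data[4]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    body = data[5:]
    if eap_type == 25:
        pkt.update(_decode_peap(body))
    elif eap_type == 26:
        pkt.update(_decode_mschapv2(body))
    elif eap_type == 1:
        pkt["identity"] = body.decode("utf-8", "replace")
    return pkt


def _decode_peap(body):
    """PEAP: flags byte (L M S bits + 3-bit version), optional 4-byte TLS length, TLS records."""
    flags = body[0]
    out = {"peap_version": flags & 0x07,
           "peap_flags": [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]}
    pos = 1
    if flags & 0x80:
        out["tls_message_length"] = struct.unpack("!I", body[1:5])[0]
        pos = 5
    records = []
    while pos + 5 <= len(body):  # only the record headers are readable; the payload is ciphertext
        ctype, major, minor, rlen = struct.unpack("!BBBH", body[pos:pos + 5])
        records.append({"content_type": TLS_CONTENT_TYPES.get(ctype, ctype),
                        "version": f"{major}.{minor}", "length": rlen})
        pos += 5 + rlen
    out["tls_records"] = records
    return out


def _decode_mschapv2(body):
    """EAP-MS-CHAPv2: OpCode, MS-CHAPv2-ID, MS-Length, then an OpCode-specific payload."""
    opcode = body[0]
    out = {"opcode": MSCHAPV2_OPCODES.get(opcode, opcode)}
    if len(body) == 1:
        out["ack"] = True  # peer acknowledging Success/Failure sends only the OpCode
        return out
    _, ms_id, ms_len = struct.unpack("!BBH", body[:4])
    if ms_len != len(body):
        raise ValueError(f"MS-Length says {ms_len} but {len(body)} bytes follow the EAP Type")
    out.update({"mschapv2_id": ms_id, "ms_length": ms_len})
    payload = body[4:]
    if opcode == 1:    # Challenge: Value-Size, 16-byte authenticator challenge, Name
        vsize = payload[0]
        out["auth_challenge"] = payload[1:1 + vsize].hex()
        out["name"] = payload[1 + vsize:].decode("latin-1")
    elif opcode == 2:  # Response: Value-Size 49 = peer challenge 16 | reserved 8 | NT-Response 24 | flags 1
        vsize = payload[0]
        out["peer_challenge"] = payload[1:17].hex()
        out["nt_response"] = payload[25:49].hex()
        out["response_flags"] = payload[49]
        out["name"] = payload[1 + vsize:].decode("latin-1")
    elif opcode in (3, 4):  # Success: "S=<40 hex> M=<text>"; Failure: "E=<code> R=<r> C=<challenge> V=<v> M=<text>"
        text = payload.decode("ascii", "replace")
        out["message"] = text
        for token in text.split(" "):
            if token.startswith("S="):
                out["authenticator_response"] = token[2:]
            elif token.startswith("E="):
                out["error_code"] = int(token[2:])
    return out


def build_mschapv2_response(eap_id, peer_challenge, nt_response, name):
    """Client Response (OpCode 2); constructed values only, for comparing against a capture."""
    assert len(peer_challenge) == 16 and len(nt_response) == 24
    value = bytes([49]) + peer_challenge + bytes(8) + nt_response + bytes([0])
    ms_body = struct.pack("!BBH", 2, eap_id, 4 + len(value) + len(name)) + value + name
    return struct.pack("!BBH", 2, eap_id, 5 + len(ms_body)) + bytes([26]) + ms_body


def build_success_ack(eap_id):
    """What the supplicant must answer to a Success Request: EAP-Response, type 26, OpCode 3 only."""
    return struct.pack("!BBH", 2, eap_id, 6) + bytes([26, 3])


if __name__ == "__main__":
    for label, dump in (("outer", OUTER_PEAP_REQUEST), ("inner", INNER_SUCCESS_REQUEST)):
        print(label, decode_eap(dump))
    print("expected next inner packet:", build_success_ack(7).hex())
```

The length checks deliberately reject dumps that are shorter than their own length fields; the EAP-Message in the 2010-04-20 post below is one such, and the decoder raises on it instead of misreading the Name field. One caveat on sharing this kind of debug output: the [mschap] lines print the 8-byte challenge, the 24-byte NT-Response and the NT_KEY from which the MPPE session keys are derived; the first two alone are enough for an offline attack on the user's password, so redact them before posting.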


Freeradius and AD

2010-04-20 Thread Aniss Nazerian
 =
0x020700481a0207004331e30f33d1e124710448204a6e25d975548df3fed6694b35de41b212cb1934fa5f3424d673bf77a35e00616e6161646d406c6e752e7365
server (null) {
  PEAP: Setting User-Name to x...@xxx.yy
Sending tunneled request
EAP-Message =
0x020700481a0207004331e30f33d1e124710448204a6e25d975548df3fed6694b35de41b212cb1934fa5f3424d673bf77a35e00616e6161646d406c6e752e7365
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = x...@xxx.yy
State = 0x6d8c88d76d8b92c17ae789947f3c59f7
Calling-Station-Id = 00-21-00-d1-4b-12
Called-Station-Id = 00-27-0d-0b-73-30:e
NAS-Port = 29
NAS-IP-Address = **
NAS-Identifier = WLC-03
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 402
server inner-tunnel {
+- entering group authorize {...}
++[mschap] returns noop
[suffix] Looking up realm XXX.YY for User-Name = x...@xxx.yy
[suffix] Found realm XXX.YY
[suffix] Adding Stripped-User-Name = XXX
[suffix] Adding Realm = XXX.YY
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 7 length 72
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for x...@xxx.yy with NT-Password
[mschap]expand: %{Stripped-User-Name} - XXX
[mschap]expand:
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} - --username=XXX
[mschap] No NT-Domain was found in the User-Name.
[mschap]expand: %{mschap:NT-Domain} -
[mschap]expand: --domain=%{%{mschap:NT-Domain}:-XXX.YY} -
--domain=XXX.YY
[mschap]  mschap2: 4f
[mschap]expand: --challenge=%{mschap:Challenge:-00} -
--challenge=dfa47fd86ca54f4c
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} -
--nt-response=8df3fed6694b35de41b212cb1934fa5f3424d673bf77a35e
Exec-Program output: NT_KEY: 2EBA93A16D9710267492F18DCECF976B
Exec-Program-Wait: plaintext: NT_KEY: 2EBA93A16D9710267492F18DCECF976B
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010800331a0307002e533d3346393846453536383339444238354239373630333137383231354144323643383837304239
Message-Authenticator = 0x
State = 0x6d8c88d76c8492c17ae789947f3c59f7
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010800331a0307002e533d3346393846453536383339444238354239373630333137383231354144323643383837304239
Message-Authenticator = 0x
State = 0x6d8c88d76c8492c17ae789947f3c59f7
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 146 to ** port 32768
EAP-Message =
0x0108005b1900170301005059a0d3a675e31e8fc6d47fda4b7492977ebdc0452c0e942ba1b5551f62eacf262f6d53617f01affe37c82f4fc57a26b67e4b7a866ede35f70531f854cbb3ca25414eafac826012bf9f069e4d4304f358
Message-Authenticator = 0x
State = 0x61d6d78867dece39fc17cc5aff936f9d
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 140 with timestamp +281
Cleaning up request 1 ID 141 with timestamp +281
Cleaning up request 2 ID 142 with timestamp +281
Cleaning up request 3 ID 143 with timestamp +282
Cleaning up request 4 ID 144 with timestamp +282
Cleaning up request 5 ID 145 with timestamp +282
Cleaning up request 6 ID 146 with timestamp +282
Ready to process requests.


