freeradius+peap+mschap+AD
Hi,

I have some strange problems with peap+mschap+AD. I followed the howto on the wiki for AD but with no luck. When authenticating a user I'll get:

  Info: ++[mschap] returns ok
  Debug: MSCHAP Success

So I assume that the auth. against AD is OK, but then the inner tunnel does something:

  } # server inner-tunnel
  Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled reply code 11
          EAP-Message = 0x010700331a0306002e533d35454536463235384339353037434438373938303137334434424545393533373537304537393443
          Message-Authenticator = 0x
          State = 0x55964b77549151644066a939db03f531
  Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled reply RADIUS code 11
          EAP-Message = 0x010700331a0306002e533d35454536463235384339353037434438373938303137334434424545393533373537304537393443
          Message-Authenticator = 0x
          State = 0x55964b77549151644066a939db03f531
  Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
  Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
  Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
          EAP-Message = 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
          Message-Authenticator = 0x
          State = 0x3b975d133d90441898602b7c0076958a
  Mon Apr 26 12:32:15 2010 : Info: Finished request 6.

After that nothing happens.

I'm using: FreeRADIUS Version 2.1.1
I have tried both OS X 10.6 and Ubuntu 10.04 clients.
I have tried changing AP from CISCO to a Linksys WRT-54GL with DD-WRT with no luck.

Has anyone any idea on what's wrong?

--
Aniss Nazerian, IT-Department, Linnaeus University
Phone: +46-470-708183, E-mail: aniss.nazer...@vxu.se
O ascii ribbon campaign - stop html mail - www.asciiribbon.org

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius+peap+mschap+AD
Hi,

This is what I get.

--
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for usern...@domain.xx with NT-Password
[mschap]        expand: %{Stripped-User-Name} -> username
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=username
[mschap] No NT-Domain was found in the User-Name.
[mschap]        expand: %{mschap:NT-Domain} ->
[mschap]        expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN.XX} -> --domain=LNU.SE
[mschap]  mschap2: 67
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=756cc36d609e7393
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=29dbc4dc525dd28cac668e57a0d85803996301a054d782fb
Exec-Program output: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program-Wait: plaintext: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
---

I'm using WPA2-enterprise (tried WPA-ent too). I've tried both PEAP/MSCHAPv2 and EAP-TTLS/MSCHAPv2, and the CA-cert is used on the client.

On 2010-04-26 15:37, Alan Buxey wrote:
> Hi,
>
>> Info: ++[mschap] returns ok
>> Debug: MSCHAP Success
>> So i assume that the auth. against AD is OK
>
> not if you haven't done the EAP inner-tunnel stuff yet - unless you mean
> basic authorize has completed.
>
>> but then the inner tunnel does something
>
> well, it tries to
>
>> Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
>> Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
>> Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
>>         EAP-Message = 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
>>         Message-Authenticator = 0x
>>         State = 0x3b975d133d90441898602b7c0076958a
>
> it sends a challenge back to the NAS/AP - but nothing else is happening.
> so, either the NAS or the client. how have you got the AP set up? 802.1X
> or WPA-Enterprise? how is the client configured? to use PEAP/MSCHAPv2 or
> EAP-TTLS/MSCHAPv2? got the required certificate installed on the client?
>
> alan
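The EAP-Message values in the debug output quoted in this thread are opaque hex, which makes it hard to see which step of the PEAP/MS-CHAPv2 exchange the server has reached when "nothing else is happening". The following Python script is an added example, not part of this thread and not FreeRADIUS code: it decodes the two packets from the first post (the inner-tunnel reply and the outer Access-Challenge) and scans FreeRADIUS debug text for further EAP-Message lines. The hex strings are copied from the first post; the function names, the small lookup tables and the sample debug text are this example's own, built from RFC 3748 (EAP), RFC 2759 (MS-CHAPv2) and the PEAP flag layout.

```python
"""Decode EAP-Message attributes from FreeRADIUS debug output (added example)."""
import binascii
import re
import struct

# RFC 3748 EAP codes, the EAP methods seen in this thread, MS-CHAPv2 opcodes
# (RFC 2759) and TLS record types.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {25: "PEAP", 26: "MS-CHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Sample debug text, constructed from two EAP-Message lines quoted in the first post.
SAMPLE_DEBUG = """\
[peap] Got tunneled reply code 11
        EAP-Message = 0x010700331a0306002e533d35454536463235384339353037434438373938303137334434424545393533373537304537393443
Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
        EAP-Message = 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
"""
EAP_MESSAGE_RE = re.compile(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)")


def parse_mschapv2(data: bytes) -> dict:
    """EAP-MSCHAPv2 type-data: OpCode(1) MS-CHAPv2-ID(1) MS-Length(2) + opcode-specific data."""
    opcode, ms_id, ms_len = struct.unpack("!BBH", data[:4])
    out = {"opcode": MSCHAPV2_OPCODES.get(opcode, opcode), "ms_id": ms_id, "ms_length": ms_len}
    if opcode == 3:
        # A Success Request carries the authenticator response "S=<40 hex digits>"
        # that the client must verify before it acknowledges the success.
        out["message"] = data[4:ms_len].decode("ascii")
    return out


def parse_peap(data: bytes) -> dict:
    """EAP-PEAP type-data: Flags(1) [TLS-Length(4) if L set] then TLS record bytes."""
    flags = data[0]
    out = {"length_included": bool(flags & 0x80), "more_fragments": bool(flags & 0x40),
           "start": bool(flags & 0x20), "version": flags & 0x07}
    pos = 1
    if out["length_included"]:
        out["tls_message_length"] = struct.unpack("!I", data[1:5])[0]
        pos = 5
    if len(data) >= pos + 5:  # TLS record header: type(1) version(2) length(2)
        rtype, major, minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        out["tls_record"] = {"type": TLS_RECORD_TYPES.get(rtype, rtype),
                             "version": f"{major}.{minor}", "length": rlen}
    return out


def parse_eap(hex_message: str) -> dict:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    raw = binascii.unhexlify(hex_message[2:] if hex_message.startswith("0x") else hex_message)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} does not match {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(raw) >= 5:  # only Request/Response carry a Type
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 26:
            pkt["mschapv2"] = parse_mschapv2(raw[5:])
        elif eap_type == 25:
            pkt["peap"] = parse_peap(raw[5:])
    return pkt


def summarize(hex_message: str) -> str:
    """One-line description of an EAP-Message, suitable for annotating a debug log."""
    pkt = parse_eap(hex_message)
    text = f"EAP {pkt['code']} id={pkt['id']} len={pkt['length']}"
    if "mschapv2" in pkt:
        m = pkt["mschapv2"]
        text += f" MS-CHAPv2 {m['opcode']} ms_id={m['ms_id']}"
        if "message" in m:
            text += f" {m['message']}"
    elif "peap" in pkt:
        p = pkt["peap"]
        text += f" PEAP v{p['version']}"
        if "tls_record" in p:
            text += f" TLS {p['tls_record']['type']} ({p['tls_record']['length']} bytes)"
    return text


def summarize_debug(text: str) -> list:
    """Find every EAP-Message in FreeRADIUS debug text and describe it."""
    return [summarize(m.group(1)) for m in EAP_MESSAGE_RE.finditer(text)]


if __name__ == "__main__":
    for line in summarize_debug(SAMPLE_DEBUG):
        print(line)
```

Run against the first post's output, the inner reply decodes as an EAP Request carrying an MS-CHAPv2 Success packet (opcode 3) with the authenticator response "S=5EE6F258C9507CD87980173D4BEE9537570E794C", and the outer Access-Challenge decodes as a PEAP v0 packet wrapping an 80-byte TLS application_data record, i.e. that same success message encrypted inside the tunnel. In the MS-CHAPv2 flow the client is expected to verify that "S=" string and answer with its own Success Response before the server sends the final EAP-Success, so a log that ends here shows the server waiting on the client, which is consistent with the reply above pointing at the NAS or the client rather than the AD lookup.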
Freeradius and AD
= 0x020700481a0207004331e30f33d1e124710448204a6e25d975548df3fed6694b35de41b212cb1934fa5f3424d673bf77a35e00616e6161646d406c6e752e7365
server (null) {
PEAP: Setting User-Name to x...@xxx.yy
Sending tunneled request
        EAP-Message = 0x020700481a0207004331e30f33d1e124710448204a6e25d975548df3fed6694b35de41b212cb1934fa5f3424d673bf77a35e00616e6161646d406c6e752e7365
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = x...@xxx.yy
        State = 0x6d8c88d76d8b92c17ae789947f3c59f7
        Calling-Station-Id = 00-21-00-d1-4b-12
        Called-Station-Id = 00-27-0d-0b-73-30:e
        NAS-Port = 29
        NAS-IP-Address = **
        NAS-Identifier = WLC-03
        Airespace-Wlan-Id = 6
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 402
server inner-tunnel {
+- entering group authorize {...}
++[mschap] returns noop
[suffix] Looking up realm XXX.YY for User-Name = x...@xxx.yy
[suffix] Found realm XXX.YY
[suffix] Adding Stripped-User-Name = XXX
[suffix] Adding Realm = XXX.YY
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 7 length 72
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for x...@xxx.yy with NT-Password
[mschap]        expand: %{Stripped-User-Name} -> XXX
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=XXX
[mschap] No NT-Domain was found in the User-Name.
[mschap]        expand: %{mschap:NT-Domain} ->
[mschap]        expand: --domain=%{%{mschap:NT-Domain}:-XXX.YY} -> --domain=XXX.YY
[mschap]  mschap2: 4f
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=dfa47fd86ca54f4c
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=8df3fed6694b35de41b212cb1934fa5f3424d673bf77a35e
Exec-Program output: NT_KEY: 2EBA93A16D9710267492F18DCECF976B
Exec-Program-Wait: plaintext: NT_KEY: 2EBA93A16D9710267492F18DCECF976B
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010800331a0307002e533d3346393846453536383339444238354239373630333137383231354144323643383837304239
        Message-Authenticator = 0x
        State = 0x6d8c88d76c8492c17ae789947f3c59f7
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010800331a0307002e533d3346393846453536383339444238354239373630333137383231354144323643383837304239
        Message-Authenticator = 0x
        State = 0x6d8c88d76c8492c17ae789947f3c59f7
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 146 to ** port 32768
        EAP-Message = 0x0108005b1900170301005059a0d3a675e31e8fc6d47fda4b7492977ebdc0452c0e942ba1b5551f62eacf262f6d53617f01affe37c82f4fc57a26b67e4b7a866ede35f70531f854cbb3ca25414eafac826012bf9f069e4d4304f358
        Message-Authenticator = 0x
        State = 0x61d6d78867dece39fc17cc5aff936f9d
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 140 with timestamp +281
Cleaning up request 1 ID 141 with timestamp +281
Cleaning up request 2 ID 142 with timestamp +281
Cleaning up request 3 ID 143 with timestamp +282
Cleaning up request 4 ID 144 with timestamp +282
Cleaning up request 5 ID 145 with timestamp +282
Cleaning up request 6 ID 146 with timestamp +282
Ready to process requests.