Re: help on rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Ok, I solved the problem. The PEAP of freeRadius 1.0.1 on solaris cannot work correctly. after I upgraded the server to 1.0.5, it is working. Jie On 12/14/05, Jie Yang <[EMAIL PROTECTED]> wrote: Hi, I removed "@domain", but still the same error. I also run an AEGIS v.2.0.5 (a very old version though) with same supplicant configuration, which also gave me the same error. It seems to me there might be something wrong at the server side. But I don't know where. my freeradius version is 1.0.1. thanks for your suggestion though. Jie On 12/14/05, Phil Mayers <[EMAIL PROTECTED] > wrote: Jie Yang wrote:> Hi, All,> When I tried to develop PEAP at client side, i found I am always rejected by > the server. The following is the log. what might be wrong?You almost certainly need to strip the "@domain" off the username beforemschap sees it - the username is used in calculating the challenge response. See the "realms" module, specifically you'll want the "suffix" instancein authorize, " spirentcom.com" as a LOCAL realm in proxy.conf andproxying turned on. -List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: help on rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Hi, I removed "@domain", but still the same error. I also run an AEGIS v.2.0.5 (a very old version though) with same supplicant configuration, which also gave me the same error. It seems to me there might be something wrong at the server side. But I don't know where. my freeradius version is 1.0.1. thanks for your suggestion though. Jie On 12/14/05, Phil Mayers <[EMAIL PROTECTED]> wrote: Jie Yang wrote:> Hi, All,> When I tried to develop PEAP at client side, i found I am always rejected by > the server. The following is the log. what might be wrong?You almost certainly need to strip the "@domain" off the username beforemschap sees it - the username is used in calculating the challenge response. See the "realms" module, specifically you'll want the "suffix" instancein authorize, "spirentcom.com" as a LOCAL realm in proxy.conf andproxying turned on. -List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
help on rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Hi, All, When I tried to develop PEAP at client side, i found I am always rejected by the server. The following is the log. what might be wrong? my server config? thanks, Jie Tue Dec 13 19:17:04 2005 : Debug: users: Matched [EMAIL PROTECTED].com at 53 Tue Dec 13 19:17:04 2005 : Debug: modsingle[authorize]: returned from files (r lm_files) for request 14Tue Dec 13 19:17:04 2005 : Debug: modcall[authorize]: module "files" returns ok for request 14 Tue Dec 13 19:17:04 2005 : Debug: modcall: group authorize returns updated for r equest 14Tue Dec 13 19:17:04 2005 : Debug: rad_check_password: Found Auth-Type EAPTue Dec 13 19:17:04 2005 : Debug: auth: type "EAP" Tue Dec 13 19:17:04 2005 : Debug: Processing the authenticate section of radiu sd.confTue Dec 13 19:17:04 2005 : Debug: modcall: entering group authenticate for request 14Tue Dec 13 19:17:04 2005 : Debug: modsingle[authenticate]: calling eap (rlm_ea p) for request 14Tue Dec 13 19:17:04 2005 : Debug: rlm_eap: Request found, released from the li stTue Dec 13 19:17:04 2005 : Debug: rlm_eap: EAP/mschapv2Tue Dec 13 19:17:04 2005 : Debug: rlm_eap: processing type mschapv2 Tue Dec 13 19:17:04 2005 : Debug: Processing the authenticate section of radiu sd.confTue Dec 13 19:17:04 2005 : Debug: modcall: entering group Auth-Type for request14Tue Dec 13 19:17:04 2005 : Debug: modsingle[authenticate]: calling mschap (rlm _mschap) for request 14Tue Dec 13 19:17:04 2005 : Debug: rlm_mschap: Told to do MS-CHAPv2 for supplic [EMAIL PROTECTED] with NT-PasswordTue Dec 13 19:17:04 2005 : Debug: rlm_mschap: FAILED: MS-CHAP2-Response is incorrectTue Dec 13 19:17:04 2005 : Debug: modsingle[authenticate]: returned from mscha p (rlm_mschap) for request 14Tue Dec 13 19:17:04 2005 : Debug: modcall[authenticate]: module "mschap" returns reject for request 14Tue Dec 13 19:17:04 2005 : Debug: modcall: group Auth-Type returns reject for re quest 14Tue Dec 13 19:17:04 2005 : Debug: rlm_eap: Freeing handler - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
help on rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Hi, All, When I tried to develop PEAP at client side, i found I am always rejected by the server. The following is the log. what might be wrong? my server config? thanks, Jie Tue Dec 13 19:17:04 2005 : Debug: users: Matched [EMAIL PROTECTED].com at 53Tue Dec 13 19:17:04 2005 : Debug: modsingle[authorize]: returned from files (r lm_files) for request 14Tue Dec 13 19:17:04 2005 : Debug: modcall[authorize]: module "files" returns ok for request 14Tue Dec 13 19:17:04 2005 : Debug: modcall: group authorize returns updated for r equest 14Tue Dec 13 19:17:04 2005 : Debug: rad_check_password: Found Auth-Type EAPTue Dec 13 19:17:04 2005 : Debug: auth: type "EAP"Tue Dec 13 19:17:04 2005 : Debug: Processing the authenticate section of radiu sd.confTue Dec 13 19:17:04 2005 : Debug: modcall: entering group authenticate for request 14Tue Dec 13 19:17:04 2005 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 14Tue Dec 13 19:17:04 2005 : Debug: rlm_eap: Request found, released from the li stTue Dec 13 19:17:04 2005 : Debug: rlm_eap: EAP/mschapv2Tue Dec 13 19:17:04 2005 : Debug: rlm_eap: processing type mschapv2Tue Dec 13 19:17:04 2005 : Debug: Processing the authenticate section of radiu sd.confTue Dec 13 19:17:04 2005 : Debug: modcall: entering group Auth-Type for request14Tue Dec 13 19:17:04 2005 : Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 14Tue Dec 13 19:17:04 2005 : Debug: rlm_mschap: Told to do MS-CHAPv2 for supplic [EMAIL PROTECTED] with NT-PasswordTue Dec 13 19:17:04 2005 : Debug: rlm_mschap: FAILED: MS-CHAP2-Response is incorrectTue Dec 13 19:17:04 2005 : Debug: modsingle[authenticate]: returned from mscha p (rlm_mschap) for request 14Tue Dec 13 19:17:04 2005 : Debug: modcall[authenticate]: module "mschap" returns reject for request 14Tue Dec 13 19:17:04 2005 : Debug: modcall: group Auth-Type returns reject for re quest 14Tue Dec 13 19:17:04 2005 : Debug: rlm_eap: Freeing handler - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius PEAP/MS-CHAPv2 and aegis client setup
Hi, All, I am setting up a freeradius server to do PEAP authentication with MS-CHAPv2. My freeradius version is 1.0.1. The supplicant is a PC running aegis client version 2.0.5. The authenticator is a Cisco Switch with dot1x enabled. When trying to authenticate the client, I always received the following debugging messages with the authentication failure: .. for request 6 Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: EAP packet type response id 6 lengt h 107 Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: No EAP Start, assuming it's an on-g oing EAP conversation Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from eap (rlm _eap) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module "eap" returns upd ated for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling files (rlm_fil es) for request 6 Tue Apr 12 15:21:36 2005 : Debug: users: Matched supplicant_cts at 55 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from files (r lm_files) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module "files" returns o k for request 6 Tue Apr 12 15:21:36 2005 : Debug: modcall: group authorize returns updated for r equest 6 Tue Apr 12 15:21:36 2005 : Debug: rad_check_password: Found Auth-Type EAP Tue Apr 12 15:21:36 2005 : Debug: auth: type "EAP" Tue Apr 12 15:21:36 2005 : Debug: Processing the authenticate section of radiu sd.conf Tue Apr 12 15:21:36 2005 : Debug: modcall: entering group authenticate for reque st 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authenticate]: calling eap (rlm_ea p) for request 6 Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: Request found, released from the li st Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: EAP/peap Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: processing type peap Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: Authenticate Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_tls: processing TLS Tue Apr 12 15:21:36 2005 : Debug: eaptls_verify returned 7 Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_tls: Done initial handshake Tue Apr 12 15:21:36 2005 : Debug: eaptls_process returned 7 Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: EAPTLS_OK Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes. PEAP tunnel data in : 1a 02 06 00 44 31 9f 11 f4 59 4e c9 74 2b dd 1b PEAP tunnel data in 0010: a2 c0 bf 28 fa ea 00 00 00 00 00 00 00 00 c8 3c PEAP tunnel data in 0020: 75 64 f3 38 a5 42 35 96 e8 c2 84 5a 74 0e ec 42 PEAP tunnel data in 0030: d9 2e 69 41 4e a3 00 73 75 70 70 6c 69 63 61 6e PEAP tunnel data in 0040: 74 5f 63 74 73 Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: EAP type mschapv2 Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020600491a02060044319f11f4594ec9742bdd1ba2c0bf28faea c83c7564f338a5423596e8c2845a740eec42d92e69414ea300737570706c6963616e 745f637473 Tue Apr 12 15:21:36 2005 : Debug: PEAP: Setting User-Name to supplicant_cts Tue Apr 12 15:21:36 2005 : Debug: PEAP: Adding old state with 9c 22 PEAP: Sending tunneled request EAP-Message = 0x020600491a02060044319f11f4594ec9742bdd1ba2c0bf28faea c83c7564f338a5423596e8c2845a740eec42d92e69414ea300737570706c6963616e 745f637473 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "supplicant_cts" State = 0x9c22748acfa58b214fe3d20fac288a7a Tue Apr 12 15:21:36 2005 : Debug: Processing the authorize section of radiusd. conf Tue Apr 12 15:21:36 2005 : Debug: modcall: entering group authorize for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling preprocess (rl m_preprocess) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from preproce ss (rlm_preprocess) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module "preprocess" retu rns ok for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling chap (rlm_chap ) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from chap (rl m_chap) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module "chap" returns no op for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling mschap (rlm_ms chap) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from mschap ( rlm_mschap) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module "mschap" returns noop for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling suffix (rlm_re alm) for request 6 Tue Apr 12 15:21:36 2005 : Debug: rlm_realm: No '@' in User-Name = "supplica nt_cts", looking up realm NULL Tue Apr 12 15:21:36 2005 : Debug: rlm_realm: No such realm "NULL" Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from suffix ( rlm_realm) for request 6 Tue Apr 12 15:21
freeradius PEAP/MS-CHAPv2 and aegis client
Hi, All, I am setting up a freeradius server to do PEAP authentication with MS-CHAPv2. My freeradius version is 1.0.1. The supplicant is a PC running aegis client version 2.0.5. The authenticator is a Cisco Switch with dot1x enabled. When trying to authenticate the client, I always received the following debugging messages with the authentication failure: .. for request 6 Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: EAP packet type response id 6 lengt h 107 Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: No EAP Start, assuming it's an on-g oing EAP conversation Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from eap (rlm _eap) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module "eap" returns upd ated for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling files (rlm_fil es) for request 6 Tue Apr 12 15:21:36 2005 : Debug: users: Matched supplicant_cts at 55 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from files (r lm_files) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module "files" returns o k for request 6 Tue Apr 12 15:21:36 2005 : Debug: modcall: group authorize returns updated for r equest 6 Tue Apr 12 15:21:36 2005 : Debug: rad_check_password: Found Auth-Type EAP Tue Apr 12 15:21:36 2005 : Debug: auth: type "EAP" Tue Apr 12 15:21:36 2005 : Debug: Processing the authenticate section of radiu sd.conf Tue Apr 12 15:21:36 2005 : Debug: modcall: entering group authenticate for reque st 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authenticate]: calling eap (rlm_ea p) for request 6 Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: Request found, released from the li st Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: EAP/peap Tue Apr 12 15:21:36 2005 : Debug: rlm_eap: processing type peap Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: Authenticate Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_tls: processing TLS Tue Apr 12 15:21:36 2005 : Debug: eaptls_verify returned 7 Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_tls: Done initial handshake Tue Apr 12 15:21:36 2005 : Debug: eaptls_process returned 7 Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: EAPTLS_OK Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes. PEAP tunnel data in : 1a 02 06 00 44 31 9f 11 f4 59 4e c9 74 2b dd 1b PEAP tunnel data in 0010: a2 c0 bf 28 fa ea 00 00 00 00 00 00 00 00 c8 3c PEAP tunnel data in 0020: 75 64 f3 38 a5 42 35 96 e8 c2 84 5a 74 0e ec 42 PEAP tunnel data in 0030: d9 2e 69 41 4e a3 00 73 75 70 70 6c 69 63 61 6e PEAP tunnel data in 0040: 74 5f 63 74 73 Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: EAP type mschapv2 Tue Apr 12 15:21:36 2005 : Debug: rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020600491a02060044319f11f4594ec9742bdd1ba2c0bf28faea c83c7564f338a5423596e8c2845a740eec42d92e69414ea300737570706c6963616e 745f637473 Tue Apr 12 15:21:36 2005 : Debug: PEAP: Setting User-Name to supplicant_cts Tue Apr 12 15:21:36 2005 : Debug: PEAP: Adding old state with 9c 22 PEAP: Sending tunneled request EAP-Message = 0x020600491a02060044319f11f4594ec9742bdd1ba2c0bf28faea c83c7564f338a5423596e8c2845a740eec42d92e69414ea300737570706c6963616e 745f637473 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "supplicant_cts" State = 0x9c22748acfa58b214fe3d20fac288a7a Tue Apr 12 15:21:36 2005 : Debug: Processing the authorize section of radiusd. conf Tue Apr 12 15:21:36 2005 : Debug: modcall: entering group authorize for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling preprocess (rl m_preprocess) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from preproce ss (rlm_preprocess) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module "preprocess" retu rns ok for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling chap (rlm_chap ) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from chap (rl m_chap) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module "chap" returns no op for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling mschap (rlm_ms chap) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from mschap ( rlm_mschap) for request 6 Tue Apr 12 15:21:36 2005 : Debug: modcall[authorize]: module "mschap" returns noop for request 6 Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: calling suffix (rlm_re alm) for request 6 Tue Apr 12 15:21:36 2005 : Debug: rlm_realm: No '@' in User-Name = "supplica nt_cts", looking up realm NULL Tue Apr 12 15:21:36 2005 : Debug: rlm_realm: No such realm "NULL" Tue Apr 12 15:21:36 2005 : Debug: modsingle[authorize]: returned from suffix ( rlm_realm) for request 6 T