PEAP + XP + Freeradius 093 TLS : fatal access denied

2004-02-24 Thread Wilfried QUET
with timestamp 403b26a1
Sending Access-Reject of id 3 to 172.20.237.238:1645
EAP-Message = 0x04050004
Message-Authenticator = 0x
Reply-Message = " YSS, %u"
Cleaning up request 3 ID 3 with timestamp 403b26a1
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.20.237.238:1645, id=4, 
length=133
User-Name = "quetwilf"
Framed-MTU = 1400
Called-Station-Id = "000c.ceff.56e9"
Calling-Station-Id = "0004.2372.d636"
Message-Authenticator = 0xd9f4904473d3b1262b8ad5742220bb04
EAP-Message = 0x0201000d017175657477696c66
NAS-Port-Type = Virtual
NAS-Port = 275
NAS-IP-Address = 172.20.237.238
NAS-Identifier = "aironet-si-2"
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "quetwilf", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
users: Matched DEFAULT at 152
users: Matched quetwilf at 217
  modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 4
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 4 to 172.20.237.238:1645
Reply-Message = " YSS, %u"
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x3e314e3711dd5d616c3196b87a400c83
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 4 with timestamp 403b26a9
Nothing to do.  Sleeping until we see a request.



--
--
- Wilfried QUET  -
- Université de Technologie de Compiègne -
- Service Informatique   -
- mail :  [EMAIL PROTECTED]   -
--
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


peap + freeradius093 + Windows XP : module "eap" returns handled

2004-03-02 Thread Wilfried QUET
nticator = 0x
State = 0xf472fa125effef7991d2920547e59b63
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.2.5.6:1645, id=4, length=146
User-Name = "toto"
Framed-MTU = 1400
Called-Station-Id = "000c.ceff.4fe5"
Calling-Station-Id = "0004.2372.d636"
Message-Authenticator = 0xb85d975559fc0b54ba218313ae94cb44
EAP-Message = 0x020600061900
NAS-Port-Type = Virtual
NAS-Port = 276
State = 0xf472fa125effef7991d2920547e59b63
NAS-IP-Address = 10.2.5.6
NAS-Identifier = "borne-aironet"
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 6 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
users: Matched DEFAULT at 152
users: Matched toto at 217
  modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  eaptls_verify returned 3
  eaptls_process returned 3
TLS_accept:error in SSLv3 read client certificate A
  rlm_eap_peap: EAPTLS_SUCCESS
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 4 to 10.2.5.6:1645
Reply-Message = " YSS, %u"
EAP-Message = 0x010700061900
Message-Authenticator = 0x
State = 0x3a70f7cca5b1aaeaae771d619c4946c6
Finished request 4
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 40449791
Cleaning up request 1 ID 1 with timestamp 40449791
Cleaning up request 2 ID 2 with timestamp 40449791
Cleaning up request 3 ID 3 with timestamp 40449791
Cleaning up request 4 ID 4 with timestamp 40449791
Nothing to do.  Sleeping until we see a request.


Re: peap + freeradius093 + Windows XP : module "eap" returns handled

2004-03-05 Thread Wilfried QUET
tering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 8 length 67
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
users: Matched DEFAULT at 152
users: Matched toto at 225
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
modcall: entering group Auth-Type for request 6
  rlm_mschap: doing MS-CHAPv2 with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
Login incorrect: [toto/] (from client 
localhost port 274 cli 0004.2372.d636)
  PEAP: Got tunneled reply RADIUS code 3
	MS-CHAP-Error = "\000E=691 R=1"
	EAP-Message = 0x04080004
	Message-Authenticator = 0x
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 6 to 10.1.2.3:1645
	EAP-Message = 
0x010900261900170301001bc1bb7c7002a726471e8cbb74b84a7c6886525963f5985c6e5a3281
	Message-Authenticator = 0x
	State = 0x58a6a3d8726970dd2df1ec7c3f5988b1
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.1.2.3:1645, id=7, length=176
	User-Name = "toto"
	Framed-MTU = 1400
	Called-Station-Id = "000c.ceff.56e9"
	Calling-Station-Id = "0004.2372.d636"
	Message-Authenticator = 0x0f649947234c0f81c1dd2aabb71eb891
	EAP-Message = 
0x020900261900170301001b811a5c0b714f69ce0dd7cf5fa535a786c8755ea38cb5402751a785
	NAS-Port-Type = Virtual
	NAS-Port = 274
	State = 0x58a6a3d8726970dd2df1ec7c3f5988b1
	NAS-IP-Address = 10.1.2.3
	NAS-Identifier = "aironet-si-2"
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
users: Matched DEFAULT at 152
users: Matched toto at 225
  modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Proceeding to decode tunneled 
attributes.

  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Login incorrect: [toto/] (from client 
borne-aironet port 274 cli 0004.2372.d636)
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 404842ff
Cleaning up request 1 ID 1 with timestamp 404842ff
Cleaning up request 2 ID 2 with timestamp 404842ff
Cleaning up request 3 ID 3 with timestamp 404842ff
Cleaning up request 4 ID 4 with timestamp 404842ff
Cleaning up request 5 ID 5 with timestamp 404842ff
Cleaning up request 6 ID 6 with timestamp 404842ff
Sending Access-Reject of id 7 to 10.1.2.3:1645
	EAP-Message = 0x04090004
	Message-Authenticator = 0x
Cleaning up request 7 ID 7 with timestamp 404842ff
Nothing to do.  Sleeping until we see a request.



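The EAP-Message values in the debug output above can be decoded by hand to follow the conversation. The following is an added example, not part of the original posts and not FreeRADIUS code, that decodes them together with the MS-CHAP-Error string; the function names are made up for the illustration.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}
TLS_RECORDS = {20: "change_cipher_spec", 21: "alert",
               22: "handshake", 23: "application_data"}
# Error codes listed in RFC 2759 for the MS-CHAPv2 Failure packet.
MSCHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}


def decode_eap(hex_value: str) -> dict:
    """Decode the outer EAP header of an EAP-Message value from the debug log."""
    raw = bytes.fromhex(hex_value.removeprefix("0x"))
    if len(raw) < 4:
        raise ValueError("an EAP packet has at least a 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "truncated": len(raw) < length}
    if code in (3, 4) or len(raw) < 5:
        return out                      # Success/Failure carry no type field
    eap_type, body = raw[4], raw[5:length]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        out["identity"] = body.decode("utf-8", "replace")
    elif eap_type in (13, 25) and body:
        flags, data = body[0], body[1:]
        out["start"] = bool(flags & 0x20)           # S bit: begin TLS
        out["more_fragments"] = bool(flags & 0x40)  # M bit
        if flags & 0x80:                            # L bit: 4-byte total length
            data = data[4:]
        out["ack"] = not data and not out["start"]  # empty body acknowledges
        if len(data) >= 5:                          # first TLS record header
            out["tls_record"] = TLS_RECORDS.get(data[0], data[0])
            out["tls_record_length"] = int.from_bytes(data[3:5], "big")
    return out


def parse_mschap_error(value: str) -> dict:
    """Parse the 'E=... R=...' fields of an MS-CHAP-Error attribute."""
    fields = dict(re.findall(r"([A-Z])=(\S+)", value))
    code = int(fields["E"])
    return {"error": code, "name": MSCHAP_ERRORS.get(code, "unknown"),
            "retry_allowed": fields.get("R") == "1"}


# Values copied from the debug output on this page.
SAMPLES = ["0x0201000d017175657477696c66", "0x010200061920",
           "0x020600061900", "0x04090004"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, decode_eap(sample))
    print(parse_mschap_error(r"\000E=691 R=1"))
```

Only the outer EAP layer is readable this way: once the tunnel is up, the PEAP body is a TLS application_data record and the inner MS-CHAPv2 or EAP-TLV exchange is encrypted.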


PEAP : FAILED: MS-CHAP2-Response is incorrect

2004-03-05 Thread Wilfried QUET
, looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 8 length 67
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
users: Matched DEFAULT at 152
users: Matched toto at 225
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
modcall: entering group Auth-Type for request 6
  rlm_mschap: doing MS-CHAPv2 with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
Login incorrect: [toto/] (from client 
localhost port 274 cli 0004.2372.d636)
  PEAP: Got tunneled reply RADIUS code 3
	MS-CHAP-Error = "\000E=691 R=1"
	EAP-Message = 0x04080004
	Message-Authenticator = 0x
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 6 to 10.1.2.3:1645
	EAP-Message = 
0x010900261900170301001bc1bb7c7002a726471e8cbb74b84a7c6886525963f5985c6e5a3281
	Message-Authenticator = 0x
	State = 0x58a6a3d8726970dd2df1ec7c3f5988b1
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.1.2.3:1645, id=7, length=176
	User-Name = "toto"
	Framed-MTU = 1400
	Called-Station-Id = "000c.ceff.56e9"
	Calling-Station-Id = "0004.2372.d636"
	Message-Authenticator = 0x0f649947234c0f81c1dd2aabb71eb891
	EAP-Message = 
0x020900261900170301001b811a5c0b714f69ce0dd7cf5fa535a786c8755ea38cb5402751a785
	NAS-Port-Type = Virtual
	NAS-Port = 274
	State = 0x58a6a3d8726970dd2df1ec7c3f5988b1
	NAS-IP-Address = 10.1.2.3
	NAS-Identifier = "aironet-si-2"
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
users: Matched DEFAULT at 152
users: Matched toto at 225
  modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Proceeding to decode tunneled 
attributes.

  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Login incorrect: [toto/] (from client 
borne-aironet port 274 cli 0004.2372.d636)
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 404842ff
Cleaning up request 1 ID 1 with timestamp 404842ff
Cleaning up request 2 ID 2 with timestamp 404842ff
Cleaning up request 3 ID 3 with timestamp 404842ff
Cleaning up request 4 ID 4 with timestamp 404842ff
Cleaning up request 5 ID 5 with timestamp 404842ff
Cleaning up request 6 ID 6 with timestamp 404842ff
Sending Access-Reject of id 7 to 10.1.2.3:1645
	EAP-Message = 0x04090004
	Message-Authenticator = 0x
Cleaning up request 7 ID 7 with timestamp 404842ff
Nothing to do.  Sleeping until we see a request.



Re: PEAP : FAILED: MS-CHAP2-Response is incorrect

2004-03-08 Thread Wilfried QUET
I've tested with NT-Hash password, clear Password and unix crypt 
password and it's the same.
That's to say :
  rlm_mschap: doing MS-CHAPv2 with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
What's wrong?

Alan DeKok wrote:

> Wilfried QUET <[EMAIL PROTECTED]> wrote:
>
> > In users file :
> > toto    Auth-Type := EAP, User-Password == "0x7666F0D93535E6C2F6A3DDAD29A7EF55"
>
>   Are you *sure* that's the user's password?  It looks like something
> else to me, like a hashed password.
>
>   Alan DeKok.



Re: PEAP : FAILED: MS-CHAP2-Response is incorrect

2004-03-08 Thread Wilfried QUET
It's OK with the CVS snapshot of Friday 5 March 2004 with a clear 
password in the users file.

I want to use only unix crypt password with peap-mschapv2.
Is it possible and how?
Thank you very much

Alan DeKok wrote:

> Wilfried QUET <[EMAIL PROTECTED]> wrote:
>
> > In users file :
> > toto    Auth-Type := EAP, User-Password == "0x7666F0D93535E6C2F6A3DDAD29A7EF55"
>
>   Are you *sure* that's the user's password?  It looks like something
> else to me, like a hashed password.
>
>   Alan DeKok.



Re: PEAP : FAILED: MS-CHAP2-Response is incorrect

2004-03-09 Thread Wilfried QUET
And with an NT-Hash password? With the Nt-User-Password attribute in the 
users file perhaps?
Is it possible to proxy the mschapv2 challenge to a PAP challenge to 
solve the problem (perhaps via the realms)?

Thanks a lot

Alan DeKok wrote:

> Wilfried QUET <[EMAIL PROTECTED]> wrote:
>
> > I want to use only unix crypt password with peap-mschapv2.
> > Is it possible and how?
>
>   It's impossible.
>
>   Alan DeKok.



Re: PEAP : FAILED: MS-CHAP2-Response is incorrect

2004-03-09 Thread Wilfried QUET
It doesn't work with NT-Password = "0xxx" in 
users file.

Alan DeKok wrote:

> Wilfried QUET <[EMAIL PROTECTED]> wrote:
>
> > and with a NT-Hash password? With the Nt-User-Password attribute in the
> > users file perhaps?
>
>   That should work.
>
> > Is it possible to proxy the mschapv2 challenge to a PAP challenge to
> > solve the problem (perhaps via the realms)?
>
>   No.  It's impossible.  There is no PAP password in an MS-CHAP string.
>
>   Alan DeKok.



PEAP,TTLS + crypt UNIX password

2004-05-27 Thread Wilfried QUET
Hello,
I want to know how it's possible to authenticate a user with a Unix-like 
crypt password (in a file or in ldap) through a peap or ttls authentication?



Re: PEAP,TTLS + crypt UNIX password

2004-05-27 Thread Wilfried QUET
Hello,
What is the inner protocol that permits the use of a unix crypt password in ttls?
Thanks for your response.
Kostas Kalevras wrote:

> On Thu, 27 May 2004, Wilfried QUET wrote:
>
> > Hello,
> > I want to know how it's possible to authenticate user with a unix like
> > crypt password (in a file or in ldap) through a peap or ttls authentication?
>
> Through peap no, clear text passwords are required as far as i know.
> With ttls yes.
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED]   National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
 

