Re: Having trouble with MSCHAP

2011-12-05 Thread Alan Buxey
Hi,

>I configured Freeradius 2.1.10 Debian 6.0.2 using EAP-TLS authentication.
>I generated the client and server certificates with XP extension. I
>created my certificates in the freeradius server, is that ok? or I have to
>create it in a different machine?  I am validating my client (Windows XP)
>with the server and I get this error:

the answers are in the debug output you posted. just go through
the 'PEAP ping/pong' until the inner-tunnel has been established
and the actual auth is done. it's near the bottom.

>[mschapv2] +- entering group MS-CHAP {...}
>[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
>[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
>[mschap] NT Domain delimeter found, should we have enabled
>with_ntdomain_hack?
>[mschap] Creating challenge hash with username: PDVSA2000\TORREALBAW
>[mschap] Told to do MS-CHAPv2 for PDVSA2000\TORREALBAW with NT-Password
>[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
>[mschap] FAILED: MS-CHAP2-Response is incorrect

have you set with_ntdomain_hack = yes? have you configured the RADIUS
so that the realm PDVSA2000 is known? add it to proxy.conf like:

realm PDVSA2000 {
}


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
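
The `with_ntdomain_hack` question above, as an added example that is not part of the original thread: in MS-CHAPv2 (RFC 2759, section 8.2) the user name is hashed into the challenge, and Windows clients hash only the user portion while sending `DOMAIN\user` as the name, so a server that hashes the full string derives a different challenge. The two challenge values are constructed for illustration; this shows only the domain-prefix effect, not the missing NT-Password that the log also reports.

```python
import hashlib


def strip_nt_domain(user_name: str) -> str:
    """Return the user portion of DOMAIN\\user; other names are unchanged."""
    return user_name.split("\\", 1)[-1]


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || authenticator || name)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def server_agrees_with_client(user_name: str, peer: bytes, auth: bytes,
                              ntdomain_hack: bool) -> bool:
    """True when server and client derive the same 8-octet challenge."""
    # The Windows supplicant hashes the bare user name.
    client = challenge_hash(peer, auth, strip_nt_domain(user_name))
    # The server strips the domain only when the hack is enabled.
    server_name = strip_nt_domain(user_name) if ntdomain_hack else user_name
    return client == challenge_hash(peer, auth, server_name)


# Constructed sample values (not taken from the debug output).
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))
USER = "PDVSA2000\\TORREALBAW"

if __name__ == "__main__":
    for hack in (False, True):
        ok = server_agrees_with_client(USER, PEER, AUTH, hack)
        print(f"with_ntdomain_hack={'yes' if hack else 'no'}: challenge match = {ok}")
```

When the challenges differ, the NT-Response the server computes cannot equal the one the client sent, even with the correct password configured.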


Re: Having trouble with MSCHAP

2011-12-05 Thread Alan DeKok
Erick Rojas Bastidas wrote:
> I configured Freeradius 2.1.10 Debian 6.0.2 using EAP-TLS
> authentication. I generated the client and server certificates with XP
> extension. I created my certificates in the freeradius server, is that
> ok? or I have to create it in a different machine?  I am validating my
> client (Windows XP) with the server and I get this error:

  You didn't tell FreeRADIUS the user's "known good" password.

  Follow the instructions on my web page: http://deployingradius.com/

  Alan DeKok.


Having trouble with MSCHAP

2011-12-05 Thread Erick Rojas Bastidas

Hi everybody.

I configured Freeradius 2.1.10 Debian 6.0.2 using EAP-TLS authentication. I 
generated the client and server certificates with XP extension. I created my 
certificates in the freeradius server, is that ok? or I have to create it in a 
different machine?  I am validating my client (Windows XP) with the server and 
I get this error:

I would appreciate any help. I would like to know if this is a certificate 
error or a configuration error on my freeradius server.

[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 178 to 129.90.74.5 port 1645
Message-Authenticator = 0x
State = 0xf5ff3d38f4fb24f2be48500aba47bfca
Finished request 17.
Going to the next request
Waking up in 2.5 seconds.
rad_recv: Access-Request packet from host 129.90.74.5 port 1645, id=179, length=164
User-Name = "PDVSA2000\\torrealbaw"
Framed-MTU = 1400
Called-Station-Id = "0011.92ea.0800"
Calling-Station-Id = "0021.917e.09cd"
Service-Type = Login-User
Message-Authenticator = 0x6961ce4663c1662815347ab4a19f4ef7
EAP-Message = 0x020400061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 328
State = 0xf5ff3d38f4fb24f2be48500aba47bfca
NAS-IP-Address = 129.90.74.5
NAS-Identifier = "mw-ltqN3-P2-01"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PDVSA2000\torrealbaw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 179 to 129.90.74.5 port 1645