Re: No EAP Start, assuming it's an on-going EAP conversation
I had just the same trouble as you. Here is my thread:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg73649.html
And another here:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg78218.html
Both make reference to this bug:
https://bugzilla.samba.org/show_bug.cgi?id=6563
The bug is known to be solved in 3.5.16 onwards, so upgrade it.

2012/11/8 dvmp

> > Maybe it's that Samba bug?
> >
> > The one that makes it apparently work:
> >
> >> [mschap] adding MS-CHAPv2 MPPE keys
> >> ++[mschap] returns ok
> >> MSCHAP Success
> >
> > but the client refuses to go on?
> >
> > I can't search the archive right now, but I think it would be useful to
> > know the Samba version.
>
> Hello Alberto
>
> #smbd -V
> Version 3.4.0
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

--
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone: +34 - 94 413 90 00 Ext 2684
Fax: +34 - 94 413 91 01
RE: No EAP Start, assuming it's an on-going EAP conversation
> Maybe it's that Samba bug?
>
> The one that makes it apparently work:
>
>> [mschap] adding MS-CHAPv2 MPPE keys
>> ++[mschap] returns ok
>> MSCHAP Success
>
> but the client refuses to go on?
>
> I can't search the archive right now, but I think it would be useful to
> know the Samba version.

Hello Alberto

#smbd -V
Version 3.4.0
Re: No EAP Start, assuming it's an on-going EAP conversation
Sending tunneled request
EAP-Message = 0x0208004f1a0208004a319afcbf0d90146863dcce62e55cbf6b263213a6
67f5405fe084a9e7291e326e0f0c68ce28482c998a0053554d4f4c434f4d50414c5c53433130
31383536
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\userADaccount"
State = 0xc282d9b6c28ac325c2d75d655a3b20bb

EAP-Message parsed:
02                                                 Code = 2 (EAP-Response)
08                                                 Identifier = 8
00 4f                                              Length = 79
1a                                                 Type = 26 (EAP-MSCHAPv2)
02                                                 Opcode = 2 (Response)
08                                                 MS-CHAP-v2-Id = 8
00 4a                                              MS-Length = 74
31                                                 Value-Size = 49
9a fc bf 0d 90 14 68 63 dc ce 62 e5 5c bf 6b 26    Peer-Challenge
00 00 00 00 00 00 00 00                            Reserved
32 13 a6 67 f5 40 5f e0 84 a9 e7 29 1e 32 6e 0f
0c 68 ce 28 48 2c 99 8a                            NT-Response
00                                                 Flags = 0
53 55 4d 4f 4c 43 4f 4d 50 41 4c 5c 53 43 31 30
31 38 35 36                                        Name = SUMOLCOMPAL\SC101856

[peap] Got tunneled reply code 11
EAP-Message = 0x010900331a0308002e533d443646424543334344343334373542443835343334333432
3745313831384243414639333030
Message-Authenticator = 0x
State = 0xc282d9b6c38bc325c2d75d655a3b20bb

EAP-Message parsed:
01                                                 Code = 1 (EAP-Request)
09                                                 Identifier = 9
00 33                                              Length = 51
1a                                                 Type = 26 (EAP-MSCHAPv2)
03                                                 Opcode = 2 (Success)
08                                                 MS-CHAP-v2-Id = 8
00 2e                                              MS-Length = 46
53 3d 44 36 46 42 45 43 33 43 43 33 34 34 33 34
37 35 42 44 38 35 34 33 34 33 34 32 37 45 31 38
31 38 42 43 41 46 39 33 30 30                      Message = S=D6FBEC3CC3443475BD854343427E1818BCAF9300

MSCHAPv2 is a mutual authentication protocol. The supplicant interrupted the authentication process just after it received the EAP-MSCHAPv2 Success request packet. It means that the Success request packet was not calculated using the proper user password. In other words, the user password available at the supplicant and the one at the authentication server do not match.
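The hand parse above can be automated. The following is an added example, not code from the thread or from FreeRADIUS: it decodes the EAP-Message hex strings that radiusd -X prints (EAP Identity, Nak, PEAP/TTLS Start, and the EAP-MSCHAPv2 Response and Success Request framing shown above) and checks the length fields, which is how a garbled or truncated log value shows up. The Success packet is rebuilt from the authenticator string quoted above, the Response packet is a constructed sample with dummy challenge bytes, and the "No EAP Start" debug line in the thread is only rlm_eap noting that the EAP-Message was non-empty, i.e. an in-progress conversation rather than an EAP-Start.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
MSCHAP_OPS = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def decode_eap(hex_msg):
    """Decode one EAP-Message value as printed by radiusd -X (0x... hex string)."""
    raw = bytes.fromhex(hex_msg[2:] if hex_msg.startswith("0x") else hex_msg)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):  # catches hex that was truncated or wrapped in the log
        raise ValueError("EAP Length=%d but %d bytes present" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):  # EAP Success/Failure carry no Type field
        return pkt
    eap_type, data = raw[4], raw[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:  # Identity response: the "DOMAIN\host" seen in the log
        pkt["identity"] = data.decode("latin-1")
    elif eap_type == 3:  # Nak: the peer lists the methods it is willing to use
        pkt["wanted"] = [EAP_TYPES.get(t, t) for t in data]
    elif eap_type in (21, 25):  # TTLS/PEAP: bit 0x20 of the flags byte is the Start bit
        pkt["start"] = bool(data and data[0] & 0x20)
    elif eap_type == 26:
        pkt.update(decode_mschapv2(data))
    return pkt

def decode_mschapv2(data):
    """Decode the EAP-MSCHAPv2 body: OpCode, MS-CHAPv2-ID, MS-Length, then payload."""
    op, ms_id, ms_len = struct.unpack("!BBH", data[:4])
    if ms_len != len(data):
        raise ValueError("MS-Length=%d but %d bytes present" % (ms_len, len(data)))
    out, body = {"opcode": MSCHAP_OPS.get(op, op), "ms_id": ms_id}, data[4:]
    if op == 2:  # Response: Value-Size(1) + 49-byte Value + Name
        if len(body) < 50 or body[0] != 49:
            raise ValueError("Response Value must be 49 bytes")
        val = body[1:50]
        if val[16:24] != bytes(8):
            raise ValueError("Reserved field must be zero")
        out.update(peer_challenge=val[:16].hex(), nt_response=val[24:48].hex(),
                   flags=val[48], name=body[50:].decode("latin-1"))
    elif op in (3, 4):  # Success/Failure Request: "S=<authenticator>" or "E=..." text
        out["message"] = body.decode("latin-1")
    return out

def encode_mschapv2(eap_code, eap_id, ms_op, ms_id, payload):
    """Wrap an EAP-MSCHAPv2 payload in its MS-CHAP and EAP headers; returns 0x hex."""
    ms = struct.pack("!BBH", ms_op, ms_id, 4 + len(payload)) + payload
    eap = struct.pack("!BBH", eap_code, eap_id, 5 + len(ms)) + b"\x1a" + ms
    return "0x" + eap.hex()

# Constructed sample Response (not from the thread): dummy 16-byte peer challenge,
# 8 zero reserved bytes, dummy 24-byte NT-Response, Flags=0, then the Name.
SAMPLE_RESPONSE = encode_mschapv2(2, 8, 2, 8, bytes([49]) + bytes(range(16)) + bytes(8)
                                  + bytes(range(24)) + b"\x00" + b"EXAMPLE\\user")
# Success Request rebuilt from the authenticator string quoted in the thread.
SAMPLE_SUCCESS = encode_mschapv2(1, 9, 3, 8, b"S=D6FBEC3CC3443475BD854343427E1818BCAF9300")
```

Call decode_eap() on any EAP-Message value copied from the debug output (join wrapped hex lines first); a ValueError means the copied value is not a complete packet.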
Re: No EAP Start, assuming it's an on-going EAP conversation
Maybe it's that Samba bug?

The one that makes it apparently work:

> [mschap] adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success

but the client refuses to go on?

I can't search the archive right now, but I think it would be useful to
know the Samba version.

2012/11/7 Matthew Newton

> On Tue, Nov 06, 2012 at 10:59:45PM -, dvmp wrote:
> > [mschap]expand: --nt-response=%{mschap:NT-Response:-00} ->
> > --nt-response=3213a667f5405fe084a9e7291e326e0f0c68ce28482c998a
> > Exec-Program output: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
> > Exec-Program-Wait: plaintext: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
> > Exec-Program: returned: 0
> > [mschap] adding MS-CHAPv2 MPPE keys
> > ++[mschap] returns ok
> > MSCHAP Success
> > ++[eap] returns handled
>
> OK, mschap seems to succeed.
>
> > } # server inner-tunnel
> > [peap] Got tunneled reply code 11
> ...
> > [peap] Got tunneled Access-Challenge
> > ++[eap] returns handled
> > Sending Access-Challenge of id 173 to ip_AP_cisco port 1645
> > EAP-Message =
> > 0x0109005b190017030100505317a8177c77666155012c3211bf6b1c09ef17d29e1bb1fdcf91
> > ae82bf7dc5baae0e670350b67151aefb6bc5e1f18861cd55c6cdb04a829d8d59349be4ae0f68
> > a1ccd3f6714ea7a663b7c98ff3904cf9
> > Message-Authenticator = 0x
> > State = 0x2bebcbfd2de2d2392b8b84ab35544cf2
> > Finished request 386.
> > Going to the next request
> > Waking up in 4.9 seconds.
>
> Client is sent the access challenge for the user's device with the mschap
> success.
>
> > rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=174,
> > length=167
> > User-Name = "DOMAIN\\userADaccount"
> > Framed-MTU = 1400
> > Called-Station-Id = "003a.994b.fd40"
> > Calling-Station-Id = "e02a.8255.86ba"
> > Service-Type = Login-User
> > Message-Authenticator = 0xbfbafd91f0c8db0b664454958ff46920
> > EAP-Message = 0x020200190153554d4f4c434f4d50414c5c5343313031383536
>
> User's device sends back an EAP Identity
>
> > [eap] EAP packet type response id 2 length 25
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
>
> Which is why this isn't picked up as part of the previous PEAP
> conversation, so the client isn't sent an Access-Accept
>
> ...
>
> > Exec-Program: returned: 0
> > [mschap] adding MS-CHAPv2 MPPE keys
> > ++[mschap] returns ok
> > MSCHAP Success
> > ++[eap] returns handled
> > } # server inner-tunnel
> ...
> > ++[eap] returns handled
> > Sending Access-Challenge of id 180 to ip_AP_cisco port 1645
> > EAP-Message =
> > 0x0109005b190017030100502f79f75d930239412dc6c2abfbbed6c6930ef8ed21bedee2d972
> > 9a2a1c987a285ddfd23ef4379fa1e6bf44ffa1eb1d08f8a24c50606ba462b9cbdf8c68923e52
> > 72a032112af4c2f1af939b470d00b30b
> > Message-Authenticator = 0x
> > State = 0xf9273f5cff2e268144e0f611590a6390
> > Finished request 393.
> > Going to the next request
> > Waking up in 2.4 seconds.
> > ...
>
> repeat of last time.
>
> The client has given up (that much is certain), so check EAP logs
> on the client. If it's Windows, you probably don't stand much of a
> chance of getting much useful (easy to read) logs. Check things
> like certificates expiring (but it doesn't sound like this).
>
> But first I'd restart winbind and see if it all works again. Then
> check your domain join (net ads testjoin or similar). I've seen
> similar before when everything individually worked OK, but the
> clients didn't like something that was sent back. [0] I think
> something has broken with the domain join, or winbind - it isn't
> at all obvious, but the client doesn't like it. You could also try
> re-joining the server to the domain.
>
> Oh, and you want to upgrade FreeRADIUS to 2.2.0; there's a
> security vulnerability in anything older.
>
> Cheers
>
> Matthew
>
> [0] http://notes.asd.me.uk/2011/01/11/freeradius-and-ntlm_auth-reminder-from-a-silent-failure/
>
> --
> Matthew Newton, Ph.D.
>
> Systems Architect (UNIX and Networks), Network Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253,

--
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone: +34 - 94 413 90 00 Ext 2684
Fax: +34 - 94 413 91 01
Re: No EAP Start, assuming it's an on-going EAP conversation
On Tue, Nov 06, 2012 at 10:59:45PM -, dvmp wrote:
> [mschap]expand: --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=3213a667f5405fe084a9e7291e326e0f0c68ce28482c998a
> Exec-Program output: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
> Exec-Program-Wait: plaintext: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
> Exec-Program: returned: 0
> [mschap] adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
> ++[eap] returns handled

OK, mschap seems to succeed.

> } # server inner-tunnel
> [peap] Got tunneled reply code 11
...
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 173 to ip_AP_cisco port 1645
> EAP-Message =
> 0x0109005b190017030100505317a8177c77666155012c3211bf6b1c09ef17d29e1bb1fdcf91
> ae82bf7dc5baae0e670350b67151aefb6bc5e1f18861cd55c6cdb04a829d8d59349be4ae0f68
> a1ccd3f6714ea7a663b7c98ff3904cf9
> Message-Authenticator = 0x
> State = 0x2bebcbfd2de2d2392b8b84ab35544cf2
> Finished request 386.
> Going to the next request
> Waking up in 4.9 seconds.

Client is sent the access challenge for the user's device with the mschap
success.

> rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=174,
> length=167
> User-Name = "DOMAIN\\userADaccount"
> Framed-MTU = 1400
> Called-Station-Id = "003a.994b.fd40"
> Calling-Station-Id = "e02a.8255.86ba"
> Service-Type = Login-User
> Message-Authenticator = 0xbfbafd91f0c8db0b664454958ff46920
> EAP-Message = 0x020200190153554d4f4c434f4d50414c5c5343313031383536

User's device sends back an EAP Identity

> [eap] EAP packet type response id 2 length 25
> [eap] No EAP Start, assuming it's an on-going EAP conversation

Which is why this isn't picked up as part of the previous PEAP
conversation, so the client isn't sent an Access-Accept

...

> Exec-Program: returned: 0
> [mschap] adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
> ++[eap] returns handled
> } # server inner-tunnel
...
> ++[eap] returns handled
> Sending Access-Challenge of id 180 to ip_AP_cisco port 1645
> EAP-Message =
> 0x0109005b190017030100502f79f75d930239412dc6c2abfbbed6c6930ef8ed21bedee2d972
> 9a2a1c987a285ddfd23ef4379fa1e6bf44ffa1eb1d08f8a24c50606ba462b9cbdf8c68923e52
> 72a032112af4c2f1af939b470d00b30b
> Message-Authenticator = 0x
> State = 0xf9273f5cff2e268144e0f611590a6390
> Finished request 393.
> Going to the next request
> Waking up in 2.4 seconds.
...

repeat of last time.

The client has given up (that much is certain), so check EAP logs
on the client. If it's Windows, you probably don't stand much of a
chance of getting much useful (easy to read) logs. Check things
like certificates expiring (but it doesn't sound like this).

But first I'd restart winbind and see if it all works again. Then
check your domain join (net ads testjoin or similar). I've seen
similar before when everything individually worked OK, but the
clients didn't like something that was sent back. [0] I think
something has broken with the domain join, or winbind - it isn't
at all obvious, but the client doesn't like it. You could also try
re-joining the server to the domain.

Oh, and you want to upgrade FreeRADIUS to 2.2.0; there's a
security vulnerability in anything older.

Cheers

Matthew

[0] http://notes.asd.me.uk/2011/01/11/freeradius-and-ntlm_auth-reminder-from-a-silent-failure/

--
Matthew Newton, Ph.D.

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253,
RE: No EAP Start, assuming it's an on-going EAP conversation
>> Follow, all the radiusd -X when start:
> That doesn't help, either.
> You need to post the FULL LOGS from WHEN IT FAILS.
> I have no idea why this is a difficult concept.

Hello Alan, follow the FULL LOGS from WHEN IT FAILS:

Ready to process requests.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=167, length=167
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0xbe734e6d92fd8666df3d4be010ee9302
EAP-Message = 0x020200190153554d4f4c434f4d50414c5c5343313031383536
NAS-Port-Type = Wireless-802.11
NAS-Port = 33391
NAS-Port-Id = "33391"
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> DOMAIN\userADaccount
[sql] sql_set_user escaped user --> 'DOMAIN\userADaccount'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'DOMAIN=5CuserADaccount' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'DOMAIN=5CuserADaccount' ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
[sql] User DOMAIN\userADaccount not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 167 to ip_AP_cisco port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0x2bebcbfd2be8d2392b8b84ab35544cf2
Finished request 380.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=168, length=265
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0xe9675777fbc46a829f9242cb4a9c570e
EAP-Message = 0x020300691980005f160301005a0156030150917f3c269f39337bdde42e0cd4e09c
18a51faeeeaf74407f2fb85e72af0d9d18002f00350005000ac013c014c009c00a003200
38001300040115ff0100010a0006000400170018000b00020100
NAS-Port-Type = Wireless-802.11
NAS-Port = 33391
NAS-Port-Id = "33391"
State = 0x2bebcbfd2be8d2392b8b84ab35544cf2
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0791], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challeng
Re: No EAP Start, assuming it's an on-going EAP conversation
dvmp wrote:
> mschap validation occurs with success but the wireless client can't authenticate.

  So... read the entire debug log.

> On several tests when I run radiusd -X and force a join to Active Directory,
> during the next 2 or 3 minutes clients can authenticate with success.

  I'm not sure what that means.

> Difference between logs:
>
> *Not Authenticate:*
>
> [eap] EAP packet type response id 2 length 25
>
> [eap] No EAP Start, assuming it's an on-going EAP conversation

  I don't think that matters.

> EAP isn't happening ?

  No idea. You posted the logs when it works. That doesn't help.

> Follow, all the radiusd -X when start:

  That doesn't help, either.

  You need to post the FULL LOGS from WHEN IT FAILS.

  I have no idea why this is a difficult concept.

  Alan DeKok.
Re: No EAP Start, assuming it's an on-going EAP conversation
hi,

post the full debug log. that would help.

you aren't doing something crazy in eg the users file, such as a plain Access-Accept, are you?

as for addresses - the laptop would get its address via DHCP - you're running a dhcp server on that network the client gets put on?

alan
No EAP Start, assuming it's an on-going EAP conversation
Hello,

- I will look into that book you recommended, Alan - the "O'Reilly book on OpenSSL", thanks!

- But for right now, do you have any clues on what I could do/test or look at to fix this:

- I have a Linux client trying to connect to the FreeRADIUS server, and on the client side I am getting this error message:
"CTRL-EVENT-EAP-FAILURE EAP authentication failed"

- And on the FreeRADIUS console this information is shown:

Called-Station-Id = "00-20-a6-64-c3-b1:MVG-Personal"
Calling-Station-Id = "00-0f-cb-f9-3b-f9;MVG-Personal"
NAS-Identifier = "MVG-1"
State = 0x73e4f46973e6f0393091c54faaf880fd
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200060315
Message-Authenticator = 0x330b306447495e1a49cd5c7cfe5c1c6d
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "easy", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry easy at line 90
expand: Hello, %{User-Name} -> Hello, easy
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/ttls
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Reply-Message = "Hello, easy"
EAP-Message = 0x010300061520
Message-Authenticator = 0x
State = 0x73e4f46972e7e1393091c54faaf880fd
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 153 with timestamp +279
Cleaning up request 1 ID 154 with timestamp +279
Ready to process requests.

- And the client doesn't get/receive an IP address; I'm guessing it has something to do with the EAP authentication, "No EAP Start".

Thanks for the help,
Best regards,
Johan Nyman