Re: No EAP Start, assuming it's an on-going EAP conversation

2012-11-08 Thread Alberto Martínez
I had just the same trouble as you.

Here is my thread:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg73649.html

And another here:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg78218.html

Both make reference to this bug:
https://bugzilla.samba.org/show_bug.cgi?id=6563

The bug is known to be solved in 3.5.16 onwards, so upgrade it.


2012/11/8 dvmp

> > Maybe it is that Samba bug?
> >
> > The one that makes it apparently work:
> > > [mschap] adding MS-CHAPv2 MPPE keys
> > > ++[mschap] returns ok
> > > MSCHAP Success
> > but the client refuses to go on?
> >
> > I can't search the archive right now, but I think it would be useful to
> > know the Samba version.
>
> Hello Alberto
>
> #smbd -V
>
> Version 3.4.0
>



-- 
Alberto Martínez Setién
Servicio Informático
Universidad de Deusto
Avda. de las Universidades, 24
48007 - Bilbao (SPAIN)
Phone:  +34 - 94 413 90 00 Ext 2684
Fax:+34 - 94 413 91 01
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: No EAP Start, assuming it's an on-going EAP conversation

2012-11-07 Thread dvmp
> Maybe it is that Samba bug?
>
> The one that makes it apparently work:
> > [mschap] adding MS-CHAPv2 MPPE keys
> > ++[mschap] returns ok
> > MSCHAP Success
> but the client refuses to go on?
>
> I can't search the archive right now, but I think it would be useful to
> know the Samba version.

Hello Alberto

#smbd -V

Version 3.4.0


Re: No EAP Start, assuming it's an on-going EAP conversation

2012-11-07 Thread Iliya Peregoudov

Sending tunneled request
EAP-Message = 0x0208004f1a0208004a319afcbf0d90146863dcce62e55cbf6b263213a667f5405fe084a9e7291e326e0f0c68ce28482c998a0053554d4f4c434f4d50414c5c5343313031383536
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\userADaccount"
State = 0xc282d9b6c28ac325c2d75d655a3b20bb


EAP-Message parsed:

02                                                 Code = 2 (EAP-Response)
08                                                 Identifier = 8
00 4f                                              Length = 79
1a                                                 Type = 26 (EAP-MSCHAPv2)
02                                                 Opcode = 2 (Response)
08                                                 MS-CHAP-v2-Id = 8
00 4a                                              MS-Length = 74
31                                                 Value-Size = 49
9a fc bf 0d 90 14 68 63 dc ce 62 e5 5c bf 6b 26    Peer-Challenge
00 00 00 00 00 00 00 00                            Reserved
32 13 a6 67 f5 40 5f e0 84 a9 e7 29 1e 32          NT-Response
6e 0f 0c 68 ce 28 48 2c 99 8a
00                                                 Flags = 0
53 55 4d 4f 4c 43 4f 4d 50 41 4c 5c 53 43 31 30    Name = SUMOLCOMPAL\SC101856
31 38 35 36



[peap] Got tunneled reply code 11
EAP-Message = 0x010900331a0308002e533d44364642454333434333343433343735424438353433343334323745313831384243414639333030
Message-Authenticator = 0x
State = 0xc282d9b6c38bc325c2d75d655a3b20bb


EAP-Message parsed:

01                                                 Code = 1 (EAP-Request)
09                                                 Identifier = 9
00 33                                              Length = 51
1a                                                 Type = 26 (EAP-MSCHAPv2)
03                                                 Opcode = 2 (Success)
08                                                 MS-CHAP-v2-Id = 8
00 2e                                              MS-Length = 46
53 3d 44 36 46 42 45 43 33 43 43 33 34 34 33 34    Message = S=D6FBEC3CC3443475BD854343427E1818BCAF9300
37 35 42 44 38 35 34 33 34 33 34 32 37 45 31 38
31 38 42 43 41 46 39 33 30 30

MSCHAPv2 is a mutual authentication protocol. The supplicant interrupted the
authentication process just after it received the EAP-MSCHAPv2 Success
request packet. This means that the Success request packet was not calculated
using the proper user password. In other words, the user password available at
the supplicant and the one at the authentication server do not match.




Re: No EAP Start, assuming it's an on-going EAP conversation

2012-11-07 Thread Alberto Martínez
Maybe it is that Samba bug?

The one that makes it apparently work:
> [mschap] adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
but the client refuses to go on?

I can't search the archive right now, but I think it would be useful to
know the Samba version.



2012/11/7 Matthew Newton 

> On Tue, Nov 06, 2012 at 10:59:45PM -, dvmp wrote:
> > [mschap]expand: --nt-response=%{mschap:NT-Response:-00} ->
> > --nt-response=3213a667f5405fe084a9e7291e326e0f0c68ce28482c998a
> > Exec-Program output: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
> > Exec-Program-Wait: plaintext: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
> > Exec-Program: returned: 0
> > [mschap] adding MS-CHAPv2 MPPE keys
> > ++[mschap] returns ok
> > MSCHAP Success
> > ++[eap] returns handled
>
> OK, mschap seems to succeed.
>
> > } # server inner-tunnel
> > [peap] Got tunneled reply code 11
> ...
> > [peap] Got tunneled Access-Challenge
> > ++[eap] returns handled
> > Sending Access-Challenge of id 173 to ip_AP_cisco port 1645
> > EAP-Message =
> > 0x0109005b190017030100505317a8177c77666155012c3211bf6b1c09ef17d29e1bb1fdcf91
> > ae82bf7dc5baae0e670350b67151aefb6bc5e1f18861cd55c6cdb04a829d8d59349be4ae0f68
> > a1ccd3f6714ea7a663b7c98ff3904cf9
> > Message-Authenticator = 0x
> > State = 0x2bebcbfd2de2d2392b8b84ab35544cf2
> > Finished request 386.
> > Going to the next request
> > Waking up in 4.9 seconds.
>
> Client is sent the access challenge for the user's device with the mschap
> success.
>
> > rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=174,
> > length=167
> > User-Name = "DOMAIN\\userADaccount"
> > Framed-MTU = 1400
> > Called-Station-Id = "003a.994b.fd40"
> > Calling-Station-Id = "e02a.8255.86ba"
> > Service-Type = Login-User
> > Message-Authenticator = 0xbfbafd91f0c8db0b664454958ff46920
> > EAP-Message = 0x020200190153554d4f4c434f4d50414c5c5343313031383536
>
> User's device sends back an EAP Identity
>
> > [eap] EAP packet type response id 2 length 25
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
>
> Which is why this isn't picked up as part of the previous PEAP
> conversation, so the client isn't sent an Access-Accept.
>
> ...
>
> > Exec-Program: returned: 0
> > [mschap] adding MS-CHAPv2 MPPE keys
> > ++[mschap] returns ok
> > MSCHAP Success
> > ++[eap] returns handled
> > } # server inner-tunnel
> ...
> > ++[eap] returns handled
> > Sending Access-Challenge of id 180 to ip_AP_cisco port 1645
> > EAP-Message =
> > 0x0109005b190017030100502f79f75d930239412dc6c2abfbbed6c6930ef8ed21bedee2d972
> > 9a2a1c987a285ddfd23ef4379fa1e6bf44ffa1eb1d08f8a24c50606ba462b9cbdf8c68923e52
> > 72a032112af4c2f1af939b470d00b30b
> > Message-Authenticator = 0x
> > State = 0xf9273f5cff2e268144e0f611590a6390
> > Finished request 393.
> > Going to the next request
> > Waking up in 2.4 seconds.
>
> ...
> repeat of last time.
>
>
> The client has given up (that much is certain), so check EAP logs
> on the client. If it's Windows, you probably don't stand much of a
> chance of getting much useful (easy to read) logs. Check things
> like certificates expiring (but it doesn't sound like this).
>
> But first I'd restart winbind and see if it all works again. Then
> check your domain join (net ads testjoin or similar). I've seen
> similar before when everything individually worked OK, but the
> clients didn't like something that was sent back. [0] I think
> something has broken with the domain join, or winbind - it isn't
> at all obvious, but the client doesn't like it. You could also try
> re-joining the server to the domain.
>
> Oh, and you want to upgrade FreeRADIUS to 2.2.0; there's a
> security vulnerability in anything older.
>
> Cheers
>
> Matthew
>
>
>
> [0]
> http://notes.asd.me.uk/2011/01/11/freeradius-and-ntlm_auth-reminder-from-a-silent-failure/
>
>




Re: No EAP Start, assuming it's an on-going EAP conversation

2012-11-06 Thread Matthew Newton
On Tue, Nov 06, 2012 at 10:59:45PM -, dvmp wrote:
> [mschap]expand: --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=3213a667f5405fe084a9e7291e326e0f0c68ce28482c998a
> Exec-Program output: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
> Exec-Program-Wait: plaintext: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
> Exec-Program: returned: 0
> [mschap] adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
> ++[eap] returns handled

OK, mschap seems to succeed.

> } # server inner-tunnel
> [peap] Got tunneled reply code 11
...
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 173 to ip_AP_cisco port 1645
> EAP-Message =
> 0x0109005b190017030100505317a8177c77666155012c3211bf6b1c09ef17d29e1bb1fdcf91
> ae82bf7dc5baae0e670350b67151aefb6bc5e1f18861cd55c6cdb04a829d8d59349be4ae0f68
> a1ccd3f6714ea7a663b7c98ff3904cf9
> Message-Authenticator = 0x
> State = 0x2bebcbfd2de2d2392b8b84ab35544cf2
> Finished request 386.
> Going to the next request
> Waking up in 4.9 seconds.

Client is sent the access challenge for the user's device with the mschap 
success.

> rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=174,
> length=167
> User-Name = "DOMAIN\\userADaccount"
> Framed-MTU = 1400
> Called-Station-Id = "003a.994b.fd40"
> Calling-Station-Id = "e02a.8255.86ba"
> Service-Type = Login-User
> Message-Authenticator = 0xbfbafd91f0c8db0b664454958ff46920
> EAP-Message = 0x020200190153554d4f4c434f4d50414c5c5343313031383536

User's device sends back an EAP Identity

> [eap] EAP packet type response id 2 length 25
> [eap] No EAP Start, assuming it's an on-going EAP conversation

Which is why this isn't picked up as part of the previous PEAP
conversation, so the client isn't sent an Access-Accept.

...

> Exec-Program: returned: 0
> [mschap] adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
> ++[eap] returns handled
> } # server inner-tunnel
...
> ++[eap] returns handled
> Sending Access-Challenge of id 180 to ip_AP_cisco port 1645
> EAP-Message =
> 0x0109005b190017030100502f79f75d930239412dc6c2abfbbed6c6930ef8ed21bedee2d972
> 9a2a1c987a285ddfd23ef4379fa1e6bf44ffa1eb1d08f8a24c50606ba462b9cbdf8c68923e52
> 72a032112af4c2f1af939b470d00b30b
> Message-Authenticator = 0x
> State = 0xf9273f5cff2e268144e0f611590a6390
> Finished request 393.
> Going to the next request
> Waking up in 2.4 seconds.

...
repeat of last time.


The client has given up (that much is certain), so check EAP logs
on the client. If it's Windows, you probably don't stand much of a
chance of getting much useful (easy to read) logs. Check things
like certificates expiring (but it doesn't sound like this).

But first I'd restart winbind and see if it all works again. Then
check your domain join (net ads testjoin or similar). I've seen
similar before when everything individually worked OK, but the
clients didn't like something that was sent back. [0] I think
something has broken with the domain join, or winbind - it isn't
at all obvious, but the client doesn't like it. You could also try
re-joining the server to the domain.

Oh, and you want to upgrade FreeRADIUS to 2.2.0; there's a
security vulnerability in anything older.

Cheers

Matthew



[0] http://notes.asd.me.uk/2011/01/11/freeradius-and-ntlm_auth-reminder-from-a-silent-failure/


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
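As an added detection example (not code from the thread), the following Python scans a radiusd -X transcript for the sequence Matthew walks through above: the inner tunnel logs MSCHAP Success, the server answers with an Access-Challenge, and the next packet from the same Calling-Station-Id is a brand-new EAP Identity with no State attribute, i.e. the supplicant restarted instead of finishing. It assumes one attribute per line; the sample log is constructed and condensed from the debug output quoted in the thread.

```python
# Added example, not from the thread: flag supplicants that restart EAP
# right after the inner tunnel accepted them (radiusd -X, one attribute per line).
import re

# Constructed sample, condensed from the debug output quoted in the thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=173, length=265
Calling-Station-Id = "e02a.8255.86ba"
State = 0x2bebcbfd2de2d2392b8b84ab35544cf2
++[mschap] returns ok
MSCHAP Success
Sending Access-Challenge of id 173 to ip_AP_cisco port 1645
State = 0x2bebcbfd2de2d2392b8b84ab35544cf2
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=174, length=167
Calling-Station-Id = "e02a.8255.86ba"
EAP-Message = 0x020200190153554d4f4c434f4d50414c5c5343313031383536
[eap] No EAP Start, assuming it's an on-going EAP conversation
Sending Access-Challenge of id 174 to ip_AP_cisco port 1645
"""


def split_requests(log: str) -> list:
    """Group the transcript by rad_recv block and extract the fields the check needs."""
    requests = []
    for line in map(str.strip, log.splitlines()):
        m = re.match(r"rad_recv: Access-Request .* id=(\d+)", line)
        if m:
            requests.append({"id": int(m.group(1)), "station": None, "state": False,
                             "inner_success": False, "identity": None, "reply": None})
            continue
        if not requests:
            continue  # lines before the first request (startup banner etc.)
        cur = requests[-1]
        if line.startswith("Sending Access-"):
            cur["reply"] = line.split()[1]
        elif cur["reply"] is not None:
            continue  # attributes after "Sending" belong to the server's reply
        elif line.startswith("Calling-Station-Id"):
            cur["station"] = line.split('"')[1]
        elif line.startswith("State = "):
            cur["state"] = True
        elif line == "MSCHAP Success":
            cur["inner_success"] = True
        elif line.startswith("EAP-Message = 0x"):
            eap = bytes.fromhex(line.split("0x", 1)[1])
            if len(eap) > 5 and eap[0] == 2 and eap[4] == 1:  # Response / Identity
                cur["identity"] = eap[5:].decode("ascii", "replace")
    return requests


def find_abandoned_after_success(log: str) -> list:
    """Report stations whose next packet after an inner-tunnel success is a fresh EAP Identity."""
    findings = []
    reqs = split_requests(log)
    for prev, nxt in zip(reqs, reqs[1:]):
        if (prev["inner_success"] and prev["reply"] == "Access-Challenge"
                and nxt["station"] == prev["station"]
                and nxt["identity"] is not None and not nxt["state"]):
            findings.append(f"{nxt['station']} restarted EAP as '{nxt['identity']}' (id={nxt['id']}) "
                            f"right after MSCHAP Success in id={prev['id']}: supplicant rejected the result")
    return findings
```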


RE: No EAP Start, assuming it's an on-going EAP conversation

2012-11-06 Thread dvmp
>> Follow, all the radiusd -X when start:
>  That doesn't help, either.
>  You need to post the FULL LOGS from WHEN IT FAILS.
>  I have no idea why this is a difficult concept.

Hello Alan, here follow the FULL LOGS from WHEN IT FAILS:

Ready to process requests.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=167,
length=167
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0xbe734e6d92fd8666df3d4be010ee9302
EAP-Message = 0x020200190153554d4f4c434f4d50414c5c5343313031383536
NAS-Port-Type = Wireless-802.11
NAS-Port = 33391
NAS-Port-Id = "33391"
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]   expand: %{User-Name} -> DOMAIN\userADaccount
[sql] sql_set_user escaped user --> 'DOMAIN\userADaccount'
rlm_sql (sql): Reserving sql socket id: 0
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM radcheck
WHERE username = 'DOMAIN=5CuserADaccount'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
groupname   FROM radusergroup   WHERE username =
'DOMAIN=5CuserADaccount'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
[sql] User DOMAIN\userADaccount not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 167 to ip_AP_cisco port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0x2bebcbfd2be8d2392b8b84ab35544cf2
Finished request 380.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=168,
length=265
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0xe9675777fbc46a829f9242cb4a9c570e
EAP-Message =
0x020300691980005f160301005a0156030150917f3c269f39337bdde42e0cd4e09c
18a51faeeeaf74407f2fb85e72af0d9d18002f00350005000ac013c014c009c00a003200
38001300040115ff0100010a0006000400170018000b00020100
NAS-Port-Type = Wireless-802.11
NAS-Port = 33391
NAS-Port-Id = "33391"
State = 0x2bebcbfd2be8d2392b8b84ab35544cf2
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0791], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challeng

Re: No EAP Start, assuming it's an on-going EAP conversation

2012-11-06 Thread Alan DeKok
dvmp wrote:
> mschap validation occurs with success but wireless client can't authenticate.

  So... read the entire debug log.

> On several tests when run radiusd -X and force join to Active Directory,
> during the next 2 or 3 minutes clients can authenticate with success.

  I'm not sure what that means.

> Difference between logs:
> 
> *Not Authenticate:*
> 
> [eap] EAP packet type response id 2 length 25
> 
> [eap] No EAP Start, assuming it's an on-going EAP conversation

  I don't think that matters.

> EAP isn't happening ?

  No idea.  You posted the logs when it works.  That doesn't help.

> Follow, all the radiusd -X when start:

  That doesn't help, either.

  You need to post the FULL LOGS from WHEN IT FAILS.

  I have no idea why this is a difficult concept.

  Alan DeKok.


Re: No EAP Start, assuming it's an on-going EAP conversation

2008-04-13 Thread A . L . M . Buxey
hi,

post the full debug log. that would help.  you aren't
doing something crazy in e.g. the users file such as a plain
Access-Accept, are you?

as for addresses - the laptop would get its address
via DHCP - you're running a dhcp server on that network
the client gets put on?

alan


No EAP Start, assuming it's an on-going EAP conversation

2008-04-12 Thread Johan Nyman
Hello,

-  I will look into that book you recommended Alan - "OReilly book
on OpenSSL" thanks!

-  But for right now do you have any clues on what I could/do test,
look at to fix this:

-  I have a Linux client trying to connect to the Free Radius, and
on the client side I am getting this error message: "CTRL-EVENT-EAP-FAILURE
EAP authentication failed"

-  And on the Free radius console this information is shown:

Called-Station-Id = "00-20-a6-64-c3-b1:MVG-Personal"
Calling-Station-Id = "00-0f-cb-f9-3b-f9;MVG-Personal"
NAS-Identifier = "MVG-1"
State = 0x73e4f46973e6f0393091c54faaf880fd
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200060315
Message-Authenticator = 0x330b306447495e1a49cd5c7cfe5c1c6d
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "easy", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry easy at line 90
expand: Hello, %{User-Name} -> Hello, easy
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
  rlm_eap: EAP-NAK asked for EAP-Type/ttls
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Reply-Message = "Hello, easy"
EAP-Message = 0x010300061520
Message-Authenticator = 0x
State = 0x73e4f46972e7e1393091c54faaf880fd
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 153 with timestamp +279
Cleaning up request 1 ID 154 with timestamp +279
Ready to process requests.

- And the client doesn't get/receive an IP address; guessing it has something
to do with EAP authentication "No EAP Start".

Thanks for help,

Best regards,

Johan Nyman

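As an added example (not code from the thread), here is a Python decoder for the EAP packets quoted in this thread: the EAP-MSCHAPv2 Response and Success-Request that Iliya parses by hand further up, and the EAP-Nak / EAP-TTLS Start pair in Johan's log just above. The sample bytes come from the byte-by-byte listing in Iliya's post (including the eight reserved zero bytes, which are absent from the hex dump as shown on the page) and from Johan's two EAP-Message attributes; the decoder validates the EAP Length, MS-Length and Value-Size fields rather than trusting them.

```python
# Added example, not from the thread: decode the EAP packets quoted in it
# (RFC 3748 header, Identity, Nak, TLS-method flags, EAP-MSCHAPv2 payload).
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure", 7: "Change-Password"}


def parse_eap(packet: bytes) -> dict:
    """Decode one EAP packet and validate its length fields; raises ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError("too short for an EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length {length} != actual {len(packet)}")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or length == 4:      # EAP Success / Failure carry no Type
        return out
    eap_type, body = packet[4], packet[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:                      # Identity: payload is the NAI (here DOMAIN\user)
        out["identity"] = body.decode("ascii", "replace")
    elif eap_type == 3:                    # Nak: the methods the peer wants instead
        out["desired_types"] = [EAP_TYPES.get(t, t) for t in body]
    elif eap_type in (13, 21, 25):         # TLS-based methods: flags byte, S = Start
        out["flags"] = {"L": bool(body[0] & 0x80), "M": bool(body[0] & 0x40), "S": bool(body[0] & 0x20)}
    elif eap_type == 26:
        out.update(parse_mschapv2(body, length - 5))
    return out


def parse_mschapv2(body: bytes, expected_len: int) -> dict:
    """Decode the EAP-MSCHAPv2 payload (draft-kamath-pppext-eap-mschapv2 layout)."""
    opcode, ms_id, ms_len = struct.unpack("!BBH", body[:4])
    if ms_len != expected_len:
        raise ValueError(f"MS-Length {ms_len} != EAP Length - 5 ({expected_len})")
    out = {"opcode": MSCHAPV2_OPCODES.get(opcode, opcode), "ms_id": ms_id}
    data = body[4:]
    if opcode == 2:   # Response: Value-Size(1) Peer-Challenge(16) Reserved(8) NT-Response(24) Flags(1) Name
        if data[0] != 49:
            raise ValueError(f"Value-Size {data[0]} != 49")
        out["peer_challenge"] = data[1:17].hex()
        out["nt_response"] = data[25:49].hex()
        out["flags"] = data[49]
        out["name"] = data[50:].decode("ascii", "replace")
    elif opcode in (3, 4):   # Success / Failure Request: text such as "S=<40 hex>" or "E=..."
        out["message"] = data.decode("ascii", "replace")
    return out


# Sample packets: Iliya's byte-by-byte listing (reserved zeros included) and Johan's two EAP-Messages.
MSCHAP_RESPONSE = bytes.fromhex(
    "0208004f1a0208004a31" "9afcbf0d90146863dcce62e55cbf6b26" "0000000000000000"
    "3213a667f5405fe084a9e7291e326e0f0c68ce28482c998a" "00") + b"SUMOLCOMPAL\\SC101856"
MSCHAP_SUCCESS = bytes.fromhex("010900331a0308002e") + b"S=D6FBEC3CC3443475BD854343427E1818BCAF9300"
NAK = bytes.fromhex("020200060315")          # Response id 2, Nak, wants type 21 (EAP-TTLS)
TTLS_START = bytes.fromhex("010300061520")   # Request id 3, EAP-TTLS, flags 0x20 (Start)
```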