Problems with PEAP/mschapv2

2010-03-08 Thread Casartello, Thomas
I've noticed recently that my PEAP/mschapv2 for my wireless network will
randomly stop working and I have to reboot the server freeradius is running
on. Don't ask me why this is working, but restarting the daemons won't fix
it. Once I reboot, everything works fine for a few days and then it happens
again. The only odd thing I can find is this in my log file:

 

Mon Mar  8 10:21:02 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-d.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:02 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-a.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:02 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-d.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:06 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-b.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:12 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-c.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:20 2010 : Error: rlm_radutmp: Logout entry for NAS chaplin-wism-b.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:23 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-d.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:23 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-a.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:27 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-b.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:30 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-a.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:34 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-a.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:40 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-b.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:42 2010 : Error: rlm_radutmp: Logout entry for NAS chaplin-wism-a.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:43 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-a.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:44 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-c.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:45 2010 : Error: rlm_radutmp: Logout entry for NAS abbott-wism-b.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:46 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-c.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:48 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-d.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:48 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-b.wsc.ma.edu port 29 has wrong ID

 

This is constant; I get tons of these messages per day. Is this anything to
worry about, or is it normal?

And is it possible this could be causing the authentication to stop working
randomly?

 

Thomas E. Casartello, Jr.

Staff Assistant - Wireless/Linux Administrator

Information Technology

Wilson 105A

Westfield State College

(413) 572-8245

 

Red Hat Certified Technician (RHCT)

 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
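The message is rlm_radutmp's own bookkeeping complaint: the module keeps one entry per NAS address and NAS-Port in the radutmp file, and when an Accounting-Stop arrives whose session id differs from the id stored for that NAS/port it logs "has wrong ID". Before deciding whether a stream of these is normal, it helps to see the shape of it. The summariser below is an added example (not part of the post or of FreeRADIUS); it groups "wrong ID" lines by controller and port and reports the busiest minute. The sample log is constructed from the first lines quoted above, re-joined onto single lines as radiusd writes them, plus one unrelated line the parser must ignore.

```python
"""Summarise rlm_radutmp "wrong ID" errors from radius.log (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the first lines of the log quoted above, each entry re-joined
# onto one line as radiusd writes it, plus one unrelated line the parser must skip.
SAMPLE_LOG = """\
Mon Mar  8 10:21:02 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-d.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:02 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-a.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:02 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-d.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:06 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-b.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:12 2010 : Error: rlm_radutmp: Logout entry for NAS diller-wism-c.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:21:20 2010 : Error: rlm_radutmp: Logout entry for NAS chaplin-wism-b.wsc.ma.edu port 29 has wrong ID
Mon Mar  8 10:22:05 2010 : Info: rlm_radutmp: (constructed unrelated line)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Error: rlm_radutmp: "
    r"Logout entry for NAS (?P<nas>\S+) port (?P<port>\d+) has wrong ID$"
)


def parse_wrong_id(log_text):
    """Return [(timestamp, nas, port), ...] for every 'wrong ID' line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # radiusd pads single-digit days with a space ("Mar  8"); strptime accepts that.
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group("nas"), int(m.group("port"))))
    return events


def summarise(events):
    """Counts per NAS, the ports each NAS reports, and the busiest minute."""
    per_nas = Counter(nas for _, nas, _ in events)
    per_minute = Counter(ts.replace(second=0) for ts, _, _ in events)
    return {
        "total": len(events),
        "per_nas": dict(per_nas),
        "ports_per_nas": {n: sorted({p for _, nas, p in events if nas == n}) for n in per_nas},
        "peak_per_minute": max(per_minute.values(), default=0),
    }


def single_shared_port(events):
    """True when every NAS reports the same one port. NAS-Port is then not
    distinguishing sessions, so radutmp's one-entry-per-NAS/port model cannot
    pair a Stop with the Start it belongs to. Heuristic, not a FreeRADIUS check."""
    ports = {p for _, _, p in events}
    return len(events) > 0 and len(ports) == 1


if __name__ == "__main__":
    ev = parse_wrong_id(SAMPLE_LOG)
    print(summarise(ev))
    print("single shared port:", single_shared_port(ev))
```

When every controller reports the same single port, as in the quoted log, the errors are an accounting-side symptom of the NAS not populating NAS-Port per session; that is separate from the authentication path, so the summary is useful for deciding what the noise is, not for explaining the PEAP outage.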

Problems with PEAP

2009-12-07 Thread Peter Carlstedt

Hello everyone,
I know that it is something I have forgotten to configure, but I can't for the
life of me remember what it is.
What I want to do is to authenticate a user from a windows machine using PEAP.
The error I get in the output is:

rad_recv: Access-Request packet from host 192.168.118.10 port 35923, id=92, length=230
Service-Type = Framed-User
Framed-MTU = 1400
User-Name = Jens
State = 0x99a8723d9faf6be067d44ee908d21fb0
NAS-Port-Id = wlan2
Calling-Station-Id = 00-26-BB-14-50-CF
Called-Station-Id = 02-0B-6B-33-62-35:3
EAP-Message = 0x0207005b19001703010050ff6dcfaa2e20081def82599ed160a801cb8b3e047fe0408eca8f0ed5bf985a4594dbf7056245f7ff06e823be7ba31220fb494d61db652b3f05bf75b3767bbfcce4d3c8e706312e385afb35dd2fe6f8f9
Message-Authenticator = 0x0ba6d2c1daab0232a5b4bd95fac8dc78
NAS-Identifier = MikroTik
NAS-IP-Address = 192.168.118.10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = Jens, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 7 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x0207003f1a0207003a31f7f5bfb93119478c28430861f7428ecc06883db97ed65677dadd8058359801947d67a7f575431297004a656e73
server  {
  PEAP: Setting User-Name to Jens
Sending tunneled request
EAP-Message = 0x0207003f1a0207003a31f7f5bfb93119478c28430861f7428ecc06883db97ed65677dadd8058359801947d67a7f575431297004a656e73
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = Jens
State = 0xdb1b00f8db1c1ab8275dfb2a6c0e04ae
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Id = wlan2
Calling-Station-Id = 00-26-BB-14-50-CF
Called-Station-Id = 02-0B-6B-33-62-35:3
NAS-Identifier = MikroTik
NAS-IP-Address = 192.168.118.10
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = Jens, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for Jens with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = \007E=691 R=1
EAP-Message = 0x04070004
Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = \007E=691 R=1
EAP-Message = 0x04070004
Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 92 to 192.168.118.10 port 35923
EAP-Message = 0x0108002b19001703010020e9867cd0d691777dff28957e278ff9ee7618f8d26722621a3472801821e637a5
Message-Authenticator = 0x
State = 0x99a8723d9ea06be067d44ee908d21fb0
Finished request 197.

Things I've configured in raddb and in raddb/modules are:

1. Added a user called Jens with Cleartext-Password := kaffe
2. Added two NAS in clients.conf
3. Set default_eap_type = peap, copy_request_to_tunnel = yes and, under the
peap section, also default_eap_type = mschapv2 in eap.conf
4. Uncommented use_mppe = yes and set require_encryption = yes,
require_strong = yes in mschap in the modules directory.

Is there anything else I need to do that I have forgotten, so I can use PEAP?

Best regards/ Peter Carlstedt
  

Re: Problems with PEAP

2009-12-07 Thread Alan Buxey
hi,

the request gets sent to inner-tunnel (as per standard EAP
configuration) but then inner-tunnel can't authenticate the user,
i.e. there is no authentication method in which your user 'Jens' can be found.

check that the required method is in inner-tunnel

alan


Re: Problems with PEAP

2009-12-07 Thread tnt

 Hello everyone,
 I know that it is something I have forgot to configure but I cant for my
 life remember what it is.
 What I want to do is to authenticate a user from a windows machine using
 PEAP.

 Things I´ve have configured in raddb and in raddb/modules is:

 1. Added a user called Jens with Cleartext-Password := kaffe

No, you haven't:

 ++[files] returns noop

There is no entry for that user in the users file. At least not in the one the
server is using. If you have multiple installations, make sure that you are
configuring files belonging to the instance you are running. Have a look
at the debug output of the server startup; it will tell you where the users file is
(when the files module is instantiated).

Ivan Kalik

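Ivan's diagnosis is read straight off the debug output: `++[files] returns noop` inside `server inner-tunnel {` means the users file matched nothing for this request, and rlm_mschap then reports that it has neither a Cleartext-Password nor an NT-Password to check the MS-CHAPv2 response against. The helper below, added here as an example and not part of the thread or of FreeRADIUS, automates that reading: it collects the per-module return codes per virtual server, parses a users file, and reports why the lookup failed. One detail worth checking against the poster's own files: the request carries `User-Name = Jens` while the users file he quotes has `jens`, and the users file key is matched case-sensitively unless the name is normalised first (the 2007 debug output further down this page still shows the old `lower_user` setting for that). The debug excerpt and users file in the block are constructed from the lines quoted in the thread.

```python
"""Triage a failed PEAP/MS-CHAPv2 inner-tunnel run from `radiusd -X` output (added example)."""
import re

# Constructed excerpt: the inner-tunnel lines quoted in the post above, trimmed to
# the lines the checks below look at.
DEBUG_EXCERPT = """\
+- entering group authorize {...}
++[preprocess] returns ok
++[eap] returns ok
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
++[eap] returns updated
++[files] returns noop
++[pap] returns noop
Found Auth-Type = EAP
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] returns reject
} # server inner-tunnel
"""

# Constructed users file with the two entries the poster describes.
USERS_FILE = """\
peter Cleartext-Password := kaffe
jens  Cleartext-Password := kaffe
"""

RC_RE = re.compile(r"^\+\+\[(?P<module>[\w-]+)\] returns (?P<rc>\w+)")
ITEM_RE = re.compile(r'\s*(?P<attr>[\w-]+)\s*(?P<op>:=|==|=|\+=)\s*"?(?P<val>[^",]*?)"?\s*$')


def module_returns(debug_text):
    """Return [(virtual_server, module, rc), ...] for every '++[module] returns rc' line."""
    server, out = "default", []
    for line in debug_text.splitlines():
        m = re.match(r"^server (\S+) \{", line)
        if m:
            server = m.group(1)
            continue
        if line.startswith("} # server"):
            server = "default"
            continue
        m = RC_RE.match(line)
        if m:
            out.append((server, m.group("module"), m.group("rc")))
    return out


def parse_users_file(text):
    """Map each entry key (first word of an unindented line) to its check items.
    Indented reply-item lines are ignored; quoted values containing commas are not handled."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue
        parts = line.split(None, 1)
        checks = {}
        for item in (parts[1] if len(parts) > 1 else "").split(","):
            m = ITEM_RE.match(item)
            if m:
                checks[m.group("attr")] = m.group("val")
        entries[parts[0]] = checks
    return entries


def diagnose(debug_text, users_text, user_name):
    """Plain-language findings for the failure pattern seen in the thread."""
    findings = []
    entries = parse_users_file(users_text)
    inner = [(mod, rc) for srv, mod, rc in module_returns(debug_text) if srv == "inner-tunnel"]
    if ("files", "noop") in inner:
        if user_name in entries:
            findings.append(f"files returned noop although '{user_name}' is in this users file: "
                            "the running server is reading a different users file")
        else:
            close = [n for n in entries if n.lower() == user_name.lower()]
            if close:
                findings.append(f"'{user_name}' has no entry; the users file has '{close[0]}' "
                                "and the lookup is case-sensitive")
            else:
                findings.append(f"'{user_name}' has no entry in the users file")
    if "No Cleartext-Password configured" in debug_text:
        findings.append("mschap had neither Cleartext-Password nor NT-Password for the request; "
                        "MS-CHAPv2 cannot be verified without one of them")
    return findings


if __name__ == "__main__":
    for finding in diagnose(DEBUG_EXCERPT, USERS_FILE, "Jens"):
        print("-", finding)
```

`diagnose()` returns plain strings so they can go straight into a ticket. With `Jens` it flags the case mismatch; with `jens` it flags the other possibility Ivan names, that the running instance is reading a different users file than the one being edited.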


RE: Re: Problems with PEAP

2009-12-07 Thread Peter Carlstedt


 

 

Hi Ivan Kalik,

 

Yes, I do have an input for Jens with Cleartext-Password := kaffe in the users
file.

Also, I do not have several installations of FreeRADIUS on the same installation
of Ubuntu Desktop 9.04.

This one was newly installed yesterday, so there is only one installation.

Also, I could log in using a different user which was a row above the user Jens.

My users file has two users:

peter Cleartext-Password := kaffe

jens  Cleartext-Password := kaffe

After I logged in with the user peter I could log in using jens.

 

Best regards/ Peter Carlstedt



 
  

Problems with PEAP

2007-05-10 Thread pippo metallaro
hi,

I use FreeRADIUS with EAP-PEAP and MySQL, but FreeRADIUS doesn't send an
Access-Accept at the end of authentication; the server sends an
Access-Challenge. I don't know what the problem is.

I use an HP 2650 switch as client and a Win XP supplicant.

This is the result of the debug mode:
Wed May  9 17:51:58 2007 : Info: Starting - reading configuration files ...
Wed May  9 17:51:58 2007 : Debug: reread_config:  reading radiusd.conf
Wed May  9 17:51:58 2007 : Debug: Config:   including file: /etc/freeradius/proxy.conf
Wed May  9 17:51:58 2007 : Debug: Config:   including file: /etc/freeradius/clients.conf
Wed May  9 17:51:58 2007 : Debug: Config:   including file: /etc/freeradius/snmp.conf
Wed May  9 17:51:58 2007 : Debug: Config:   including file: /etc/freeradius/eap.conf
Wed May  9 17:51:58 2007 : Debug: Config:   including file: /etc/freeradius/sql.conf
Wed May  9 17:51:58 2007 : Debug:  main: prefix = /usr
Wed May  9 17:51:58 2007 : Debug:  main: localstatedir = /var
Wed May  9 17:51:58 2007 : Debug:  main: logdir = /var/log/freeradius
Wed May  9 17:51:58 2007 : Debug:  main: libdir = /usr/lib/freeradius
Wed May  9 17:51:58 2007 : Debug:  main: radacctdir = /var/log/freeradius/radacct
Wed May  9 17:51:58 2007 : Debug:  main: hostname_lookups = no
Wed May  9 17:51:58 2007 : Debug:  main: max_request_time = 30
Wed May  9 17:51:58 2007 : Debug:  main: cleanup_delay = 5
Wed May  9 17:51:58 2007 : Debug:  main: max_requests = 1024
Wed May  9 17:51:58 2007 : Debug:  main: delete_blocked_requests = 0
Wed May  9 17:51:58 2007 : Debug:  main: port = 0
Wed May  9 17:51:58 2007 : Debug:  main: allow_core_dumps = no
Wed May  9 17:51:58 2007 : Debug:  main: log_stripped_names = no
Wed May  9 17:51:58 2007 : Debug:  main: log_file = /var/log/freeradius/radius.log
Wed May  9 17:51:58 2007 : Debug:  main: log_auth = no
Wed May  9 17:51:58 2007 : Debug:  main: log_auth_badpass = no
Wed May  9 17:51:58 2007 : Debug:  main: log_auth_goodpass = no
Wed May  9 17:51:58 2007 : Debug:  main: pidfile = /var/run/freeradius/freeradius.pid
Wed May  9 17:51:58 2007 : Debug:  main: bind_address = 192.168.0.1 IP address [192.168.0.1]
Wed May  9 17:51:58 2007 : Debug:  main: user = freerad
Wed May  9 17:51:58 2007 : Debug:  main: group = freerad
Wed May  9 17:51:58 2007 : Debug:  main: usercollide = no
Wed May  9 17:51:58 2007 : Debug:  main: lower_user = no
Wed May  9 17:51:58 2007 : Debug:  main: lower_pass = no
Wed May  9 17:51:58 2007 : Debug:  main: nospace_user = no
Wed May  9 17:51:58 2007 : Debug:  main: nospace_pass = no
Wed May  9 17:51:58 2007 : Debug:  main: checkrad = /usr/sbin/checkrad
Wed May  9 17:51:58 2007 : Debug:  main: proxy_requests = yes
Wed May  9 17:51:58 2007 : Debug:  proxy: retry_delay = 5
Wed May  9 17:51:58 2007 : Debug:  proxy: retry_count = 3
Wed May  9 17:51:58 2007 : Debug:  proxy: synchronous = no
Wed May  9 17:51:58 2007 : Debug:  proxy: default_fallback = yes
Wed May  9 17:51:58 2007 : Debug:  proxy: dead_time = 120
Wed May  9 17:51:58 2007 : Debug:  proxy: post_proxy_authorize = no
Wed May  9 17:51:58 2007 : Debug:  proxy: wake_all_if_all_dead = no
Wed May  9 17:51:58 2007 : Debug:  security: max_attributes = 200
Wed May  9 17:51:58 2007 : Debug:  security: reject_delay = 1
Wed May  9 17:51:58 2007 : Debug:  security: status_server = no
Wed May  9 17:51:58 2007 : Debug:  main: debug_level = 0
Wed May  9 17:51:58 2007 : Debug: read_config_files:  reading dictionary
Wed May  9 17:51:58 2007 : Debug: read_config_files:  reading naslist
Wed May  9 17:51:58 2007 : Info: Using deprecated naslist file.  Support for this will go away soon.
Wed May  9 17:51:58 2007 : Debug: read_config_files:  reading clients
Wed May  9 17:51:58 2007 : Debug: read_config_files:  reading realms
Wed May  9 17:51:58 2007 : Debug: radiusd:  entering modules setup
Wed May  9 17:51:58 2007 : Debug: Module: Library search path is /usr/lib/freeradius
Wed May  9 17:51:58 2007 : Debug: Module: Loaded exec
Wed May  9 17:51:58 2007 : Debug:  exec: wait = yes
Wed May  9 17:51:58 2007 : Debug:  exec: program = (null)
Wed May  9 17:51:58 2007 : Debug:  exec: input_pairs = request
Wed May  9 17:51:58 2007 : Debug:  exec: output_pairs = (null)
Wed May  9 17:51:58 2007 : Debug:  exec: packet_type = (null)
Wed May  9 17:51:58 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed May  9 17:51:58 2007 : Debug: Module: Instantiated exec (exec)
Wed May  9 17:51:58 2007 : Debug: Module: Loaded expr
Wed May  9 17:51:58 2007 : Debug: Module: Instantiated expr (expr)
Wed May  9 17:51:58 2007 : Debug: Module: Loaded PAP
Wed May  9 17:51:58 2007 : Debug:  pap: encryption_scheme = crypt
Wed May  9 17:51:58 2007 : Debug: Module: Instantiated pap (pap)
Wed May  9 17:51:58 2007 : Debug: Module: Loaded CHAP
Wed May  9 17:51:58 2007 : Debug: Module: Instantiated chap (chap)
Wed May  9 17:51:58 2007 : Debug: Module: Loaded MS-CHAP
Wed May  9 17:51:58 2007 : Debug:  mschap: use_mppe = yes
Wed May  9

Re: Problems with PEAP

2007-05-10 Thread Alan DeKok
pippo metallaro wrote:
 i use freeradius with eap -peap and MySQL...but the freeradius don't send an 
 access-accept at the end of authentication  ...the server send an 
 access-challenge,i don't know what's the problem...

  Perhaps you could try reading eap.conf, or the FAQ, or other
documentation that comes with the server.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Problems with PEAP

2007-05-10 Thread Martin Gadbois

Alan DeKok wrote:
 pippo metallaro wrote:
 i use freeradius with eap -peap and MySQL...but the freeradius don't send an 
 access-accept at the end of authentication  ...the server send an 
 access-challenge,i don't know what's the problem...
 
   Perhaps you could try reading eap.conf, or the FAQ, or other
 documentation that comes with the server.
 

What Alan points to is in the default eap.conf from the distro:

##
#
#  ! WARNINGS for Windows compatibility  !
#
##
#
#  If you see the server send an Access-Challenge,
#  and the client never sends another Access-Request,
#  then
#
#   STOP!
#
#  The server certificate has to have special OID's
#  in it, or else the Microsoft clients will silently
#  fail.  See the scripts/xpextensions file for
#  details, and the following page:
#
#   http://support.microsoft.com/kb/814394/en-us
#
#  For additional Windows XP SP2 issues, see:
#
#   http://support.microsoft.com/kb/885453/en-us
#
#  Note that we do not necessarily agree with their
#  explanation... but the fix does appear to work.
#
##

RTFM!

- --
== +-+
Martin Gadbois | Please answer by yes or no.|
Sr. SW Designer| Uncooperative user waste precious CPU time |
Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969  |


Problems with PEAP/MSCHAPv2 and LDAP Server

2005-02-03 Thread Benjamin . Doellwanger1
Hi everybody!

I'm doing a Bachelor thesis about setting up secure WLAN access with a
FreeRADIUS server for my university.
Because I have to hand in my thesis on the 1st of March, this is urgent.

Now a description of my problem:
Clients send username/password through PEAP/MSCHAPv2 to the RADIUS server, which
uses an LDAP server for authentication.
If I understood it right, the RADIUS server should do a bind to the LDAP server
with the DN and password provided.
The success answer from LDAP tells the RADIUS server that the authentication
finished successfully.
The point is, I got a successful authentication with the program radtest by a
bind to the LDAP server, and I get success with PEAP/MSCHAPv2 using a test user in
the local config file users.
But the whole chain does not work. I can't figure out what the error message (see
end) means and how to stop it.

Is it basically possible with PEAP/MSCHAPv2 to authenticate against an LDAP
directory?

Here is my log that is successful in authorize with LDAP, but fails to
authenticate with LDAP:
(private information replaced with X)
 
 
Ready to process requests. 
rad_recv: Access-Request packet from host XXX:1301, id=211, length=126
NAS-IP-Address = xxx 
NAS-Port-Type = Wireless-802.11 
NAS-Port = 1 
Framed-MTU = 1400 
User-Name = xx 
Calling-Station-Id = 000fb5377adc 
Called-Station-Id = 0001f47afc19 
NAS-Identifier = RoamAbout3000 
EAP-Message = 0x0201000b016e6639353532 
Message-Authenticator = 0xffc4a4fa474a2827dad8ad1e2bf4905e 
  Processing the authorize section of radiusd.conf 
modcall: entering group authorize for request 0 
  modcall[authorize]: module preprocess returns ok for request 0 
radius_xlat:  '/var/log/radius/radacct/xx/auth-detail-20050203' 
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/x/auth-detail-20050203 
  modcall[authorize]: module auth_log returns ok for request 0 
  modcall[authorize]: module chap returns noop for request 0 
  modcall[authorize]: module mschap returns noop for request 0 
rlm_realm: No '@' in User-Name = xx, looking up realm NULL 
rlm_realm: No such realm NULL 
  modcall[authorize]: module suffix returns noop for request 0 
  rlm_eap: EAP packet type response id 1 length 11 
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation 
  modcall[authorize]: module eap returns updated for request 0 
users: Matched DEFAULT at 162 
  modcall[authorize]: module files returns ok for request 0 
rlm_ldap: - authorize 
rlm_ldap: performing user authorization for xx 
radius_xlat:  '(uid=xx)' 
radius_xlat:  'cn=xxx,ou=xxx,o=x,c=DE' 
rlm_ldap: ldap_get_conn: Checking Id: 0 
rlm_ldap: ldap_get_conn: Got Id: 0 
rlm_ldap: attempting LDAP reconnection 
rlm_ldap: (re)connect to :389, authentication 0 
rlm_ldap: bind as / to xx 
rlm_ldap: waiting for bind result ... 
rlm_ldap: Bind was successful 
rlm_ldap: performing search in cn=x,ou=xx,o=x,c=DE, 
with filter (uid=xx) 
rlm_ldap: looking for check items in directory... 
rlm_ldap: looking for reply items in directory... 
rlm_ldap: user XX authorized to use remote access 
rlm_ldap: ldap_release_conn: Release Id: 0 
  modcall[authorize]: module ldap returns ok for request 0 
modcall: group authorize returns updated for request 0 
  rad_check_password:  Found Auth-Type EAP 
auth: type EAP 
  Processing the authenticate section of radiusd.conf 
modcall: entering group authenticate for request 0 
  rlm_eap: EAP Identity 
  rlm_eap: processing type tls 
  rlm_eap_tls: Initiate 
  rlm_eap_tls: Start returned 1 
  modcall[authenticate]: module eap returns handled for request 0 
modcall: group authenticate returns handled for request 0 
Sending Access-Challenge of id 211 to :1301 
EAP-Message = 0x010200061920 
Message-Authenticator = 0x 
State = 0x8119cf34fdc7ff9e112a9d51a6e9f6a9 
Finished request 0 
Going to the next request 
--- Walking the entire request list --- 
Waking up in 6 seconds... 
rad_recv: Access-Request packet from host :1302, id=212, length=213 
NAS-IP-Address =  
NAS-Port-Type = Wireless-802.11 
NAS-Port = 1 
Framed-MTU = 1400 
User-Name = XX 
Calling-Station-Id = 000fb5377adc 
Called-Station-Id = 0001f47afc19 
NAS-Identifier = RoamAbout3000 
State = 0x8119cf34fdc7ff9e112a9d51a6e9f6a9 
EAP-Message = 0x02020050198000461603010041013d030142024afc6b844c3a22d283c0711eb96c19d0f873e2d8d4dd360ac87fa54beed31600040005000a000900640062000300060013001200630100
 
Message-Authenticator = 0x7da7d638953289e044980cebbf3fa253 
  Processing the authorize section of radiusd.conf 
modcall: entering group authorize for request 1 
  

Re: Problems with PEAP/MSCHAPv2 and LDAP Server

2005-02-03 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 If i understood it right, the Radius Server should do a bind to LDAP Server
  with DN and Password provided.

  What password?  There's no password in MSCHAPv2, and LDAP doesn't do
MSCHAPv2.

 The success answer from LDAP tells the Radius Server authentication
 successful finished.

  LDAP servers are not authentication servers.  RADIUS servers are
authentication servers.  That's the root cause of your confusion.

 Is it basicaly possible with PEAP/MSCHAPv2 to authenticate at an LDAP
 directory?

  No.  See any number of posts on this list about this topic.

  LDAP has to provide a clear-text, or NT password to FreeRADIUS.
FreeRADIUS will then do the work.

  Alan DeKok.




Re: Problems with PEAP/MSCHAPv2 and LDAP Server

2005-02-03 Thread Benjamin . Doellwanger1
Thanks for the fast answer!

The person who is responsible for the LDAP server told me that our LDAP does
not send a password out, for security reasons, but accepts binds with a
password (see the log with radtest below).
That means if the LDAP server were somehow configured to send out the
attribute UserPassword in cleartext, it would work with MSCHAP?
Is there definitely, when using MSCHAP, no chance to get it to work by having the
RADIUS server send a bind message to the LDAP directory, like I did successfully
in the log with radtest?
 
rad_recv: Access-Request packet from host X:32768, id=71, length=58 
User-Name = XX 
User-Password = XXX 
NAS-IP-Address = 255.255.255.255 
NAS-Port =  
  Processing the authorize section of radiusd.conf 
modcall: entering group authorize for request 8 
  modcall[authorize]: module preprocess returns ok for request 8 
radius_xlat:  '/var/log/radius/radacct/X/auth-detail-20050125' 
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct//auth-detail-20050125 
  modcall[authorize]: module auth_log returns ok for request 8 
  modcall[authorize]: module chap returns noop for request 8 
  modcall[authorize]: module mschap returns noop for request 8 
rlm_realm: No '@' in User-Name = XX, looking up realm NULL 
rlm_realm: No such realm NULL 
  modcall[authorize]: module suffix returns noop for request 8 
  rlm_eap: No EAP-Message, not doing EAP 
  modcall[authorize]: module eap returns noop for request 8 
users: Matched DEFAULT at 158 
users: Matched DEFAULT at 160 
  modcall[authorize]: module files returns ok for request 8 
rlm_ldap: - authorize 
rlm_ldap: performing user authorization for XXX 
radius_xlat:  '(cn=XX)' 
radius_xlat:  'cn=X,dc=XXX,dc=de' 
rlm_ldap: ldap_get_conn: Checking Id: 0 
rlm_ldap: ldap_get_conn: Got Id: 0 
rlm_ldap: performing search in cn=X,dc=,dc=de, with filter 
(cn=XX) 
rlm_ldap: looking for check items in directory... 
rlm_ldap: looking for reply items in directory... 
rlm_ldap: user XX authorized to use remote access 
rlm_ldap: ldap_release_conn: Release Id: 0 
  modcall[authorize]: module ldap returns ok for request 8 
modcall: group authorize returns ok for request 8 
  rad_check_password:  Found Auth-Type LDAP 
auth: type LDAP 
  Processing the authenticate section of radiusd.conf 
modcall: entering group Auth-Type for request 8 
rlm_ldap: - authenticate 
rlm_ldap: login attempt by XX with password XX 
rlm_ldap: user DN: cn=XX,cn=X, dc=,dc=de 
rlm_ldap: (re)connect to .X.XX.de:389, authentication 1 
rlm_ldap: bind as cn=XXX,cn=XXX, dc=XXX,dc=de/XPasswordX to 
XX.X..de:389 
rlm_ldap: waiting for bind result ... 
rlm_ldap: Bind was successful 
rlm_ldap: user XX authenticated succesfully 
  modcall[authenticate]: module ldap returns ok for request 8 
modcall: group Auth-Type returns ok for request 8 
Sending Access-Accept of id 71 to :32768 
Finished request 8 
 
 
 


Re: Problems with PEAP/MSCHAPv2 and LDAP Server

2005-02-03 Thread Stefan . Neis
[EMAIL PROTECTED] wrote:

 That means if the LDAP Server would be somehow configured
 to send out the 
 Attribute UserPassword in cleartext, it would work with
 MSCHAP? 

Yes. If Radius gets the cleartext password from somewhere, it
can check if the MSCHAP stuff which the user did send is correct.
If it doesn't get the cleartext password, no check is possible.

 Is there definitely at use of MSCHAP no chance to get it
 work by Radius Server 
 sends a bind message to LDAP Directory like i did
 successful in the log with 
 radtest? 

Binding to LDAP requires that the person/program sending
the bind message knows the cleartext password. You can't
obtain that from MSCHAP information, so there's no way
this can work.
 
 HTH,
   Stefan



Re: Problems with PEAP/MSCHAPv2 and LDAP Server

2005-02-03 Thread Mearl Danner
You need to check the archives. But I'll answer anyway.

Here's an explanation from one of Novell's forums. It's talking about
Novell's eDirectory, but would apply to any other LDAP server.

quote
You are correct that the FreeRADIUS LDAP module cannot authenticate a
MS-CHAP password against eDirectory. This is because the RADIUS server
receives only a hash of the password from the client. To verify the
password, the server must look up a clear-text version of the password,
then compute a hash using the clear-text password with a nonce provided in
the access-request packet. If the server generated hash matches the hash
provided by the client, then authentication is accepted.
unquote

The password is not sent, therefore is not available to the Radius
server to use for a bind against the LDAP server.


Mearl


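Alan DeKok's, Stefan's and Mearl's replies all turn on one fact: to verify an MS-CHAPv2 response the server must hold the NT hash, which is MD4 over the UTF-16LE encoding of the password. rlm_mschap derives that hash itself when the user store supplies Cleartext-Password (the "Cannot create NT-Password" lines earlier on this page are what it prints when it cannot), and a successful LDAP bind gives it nothing it can use. The block below is an added example, not FreeRADIUS code: it computes the NT hash in pure Python (so it runs without OpenSSL's legacy MD4 provider) and classifies what a user store hands back. The `userPassword` scheme handling and the `sambaNTPassword` name are a simplified model of what ldap.attrmap and rlm_pap do and are marked as assumptions in the code; the sample entries are constructed.

```python
"""NT hash derivation and what a user store must supply for MS-CHAPv2 (added example)."""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320, in pure Python so the example does not
    depend on OpenSSL's legacy provider."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = _rotl(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl(a + G(b, c, d) + X[R2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl(a + H(b, c, d) + X[R3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_password_hash(password: str) -> bytes:
    """NT-Password exactly as rlm_mschap derives it from Cleartext-Password:
    MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def nt_hash_available(entry: dict):
    """Return the NT hash the server could verify an MS-CHAPv2 response against,
    or None when the store gives it nothing usable.

    `entry` models the check items the user store hands to FreeRADIUS. Users-file
    items are taken literally. For LDAP, the attribute names `userPassword` and
    `sambaNTPassword` and the `{SCHEME}` prefix handling are a simplified model
    of what ldap.attrmap and rlm_pap do (assumption, not the modules' own logic)."""
    for attr in ("NT-Password", "sambaNTPassword"):
        if attr in entry:
            return bytes.fromhex(entry[attr])
    clear = entry.get("Cleartext-Password")
    pw = entry.get("userPassword")
    if clear is None and pw is not None:
        if pw.startswith("{"):
            scheme, _, rest = pw[1:].partition("}")
            if scheme.upper() in ("CLEAR", "CLEARTEXT"):
                clear = rest
            # {SSHA}, {SHA}, {CRYPT}, ...: a one-way digest, fine for PAP or for a
            # bind, useless for MS-CHAPv2 because the NT hash cannot be derived.
        else:
            clear = pw
    return nt_password_hash(clear) if clear is not None else None


if __name__ == "__main__":
    # Constructed entries: the users-file line from the thread, a bind-only LDAP
    # entry with a salted digest, and an entry carrying a Samba-style NT hash.
    for label, entry in [
        ("users file", {"Cleartext-Password": "kaffe"}),
        ("LDAP, SSHA only", {"userPassword": "{SSHA}c29tZS1iYXNlNjQtZGlnZXN0"}),
        ("LDAP, Samba NT hash", {"sambaNTPassword": nt_password_hash("kaffe").hex()}),
    ]:
        h = nt_hash_available(entry)
        print(f"{label:20s} -> {'MS-CHAPv2 possible, NT hash ' + h.hex() if h else 'MS-CHAPv2 impossible'}")
```

The classification is the practical version of Stefan's sentence: a directory that only ever answers bind requests, or only stores a salted digest, can back PAP (the inner method for TTLS) but never MS-CHAPv2; getting PEAP/MS-CHAPv2 to work against LDAP means giving FreeRADIUS read access to a cleartext or NT-hash attribute, with the access controls on that attribute tightened accordingly.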