RE: PEAP/MSCHAPv2 failing with Windows 7
> One additional note: the fixes that went into 2.1.10 extract (verbatim)
> the client username from the EAP-MSCHAPv2 response, and pass that
> through to the rlm_mschap module as an extra attribute.

You're right Phil. It's been too long since I wrote that patch.

Gary: Forget what I said about comparing User-Name in inner vs outer tunnels. You would need to look at the User-Name attribute vs. the username contained in the MSCHAP response. If you have a test server, I would test it with 2.1.10 after you get Aruba not to be the termination point for PEAP.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP/MSCHAPv2 failing with Windows 7
On 05/10/2011 03:00 PM, Garber, Neal wrote:

>> In the PEAP properties, EAP-MSCHAP v2, if you DISABLE
>> "automatically use my windows logon name and password" and
>> instead enter the credentials manually it works.
>
> Look at:
>
> http://freeradius.1045715.n5.nabble.com/MSCHAP-Authentication-Issue-td2785146.html
>
> to see if this is your problem (look at the table in the post). If so and
> you're running a version < 2.1.10, upgrade as this problem is fixed in 2.1.10.

One additional note: the fixes that went into 2.1.10 extract (verbatim) the client username from the EAP-MSCHAPv2 response, and pass that through to the rlm_mschap module as an extra attribute.

This won't work for the OP even under 2.1.10, because his Aruba kit is terminating the PEAP, and then proxying the EAP-MSCHAPv2 as plain MS-CHAPv2, so (as advised elsewhere) he'll still need to change that.

You're almost certainly right about the cause/fix.
RE: PEAP/MSCHAPv2 failing with Windows 7
> I can/will upgrade, but the symptoms lead me to believe it's a Windows
> thing. What leads you to believe an FR upgrade would fix it?

I sent another response with more info. The issue I'm thinking of is one we talked about quite a while ago (I asked if you could test it). It's the one where the case (i.e., upper vs. lower) of the User-Name differs between the inner and outer tunnels. Take a look at the link I included in my last response. In it, there's a table that showed the results of tests I performed. It was with XP not Win7, but the same *may* apply.

I would look in the debug output at the Access-Requests and compare the User-Name attributes for inner and outer tunnels to see if they are *exactly* the same (it's case-sensitive as it is used to construct the challenge/response). I thought of this because my testing produced different results depending upon whether credentials were passed automatically (which is a symptom you described). Look at the table in:

http://freeradius.1045715.n5.nabble.com/MSCHAP-Authentication-Issue-td2785146.html

to see what I mean.
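
Added example, not part of the thread: a sketch of why the username has to match byte for byte. In MS-CHAPv2 (RFC 2759) the 8-byte challenge is the first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName), so a server that hashes a differently-cased name derives a different challenge and rejects a correct password. The challenges, the account name `jdoe` and the helper names are constructed for illustration.

```python
import hashlib

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(peer || auth || username)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]

def compare_names(radius_user_name: str, mschap_name: str) -> str:
    """Classify how the RADIUS User-Name relates to the name inside the MS-CHAP response."""
    if radius_user_name == mschap_name:
        return "exact"
    if radius_user_name.lower() == mschap_name.lower():
        return "case-only"
    return "different"

def server_challenge_matches(peer: bytes, auth: bytes,
                             client_name: str, server_name: str) -> bool:
    """True if client and server derive the same 8-byte challenge."""
    return challenge_hash(peer, auth, client_name) == challenge_hash(peer, auth, server_name)

def diagnose(peer: bytes, auth: bytes, radius_user_name: str, mschap_name: str) -> dict:
    """Summarise one request: name relation and whether hashing User-Name would verify."""
    return {
        "relation": compare_names(radius_user_name, mschap_name),
        "verifies_with_user_name": server_challenge_matches(
            peer, auth, mschap_name, radius_user_name),
        "verifies_with_mschap_name": server_challenge_matches(
            peer, auth, mschap_name, mschap_name),
    }

# Constructed sample values (not taken from any debug output in this thread).
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))

if __name__ == "__main__":
    # The client hashed "jdoe"; the RADIUS User-Name attribute carries "JDoe".
    print(diagnose(PEER, AUTH, radius_user_name="JDoe", mschap_name="jdoe"))
```

A "case-only" relation with `verifies_with_user_name` false is the pattern to look for when comparing the User-Name attribute against the name in the MS-CHAP response.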
RE: PEAP/MSCHAPv2 failing with Windows 7
> In the PEAP properties, EAP-MSCHAP v2, if you DISABLE
> "automatically use my windows logon name and password" and
> instead enter the credentials manually it works.

Look at:

http://freeradius.1045715.n5.nabble.com/MSCHAP-Authentication-Issue-td2785146.html

to see if this is your problem (look at the table in the post). If so and you're running a version < 2.1.10, upgrade as this problem is fixed in 2.1.10.
Re: PEAP/MSCHAPv2 failing with Windows 7
I think it's 2.1.6, maybe 2.1.7. I can/will upgrade, but the symptoms lead me to believe it's a Windows thing. What leads you to believe an FR upgrade would fix it?

----- Original Message -----
From: Garber, Neal [mailto:neal.gar...@iberdrolausa.com]
Sent: Tuesday, May 10, 2011 08:44 AM
To: 'FreeRadius users mailing list'
Subject: RE: PEAP/MSCHAPv2 failing with Windows 7

> In the PEAP properties, EAP-MSCHAP v2, if you DISABLE
> "automatically use my windows logon name and password" and
> instead enter the credentials manually it works.

What version of FR are you running? If it's < 2.1.10, try it with 2.1.10.

"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
RE: PEAP/MSCHAPv2 failing with Windows 7
> In the PEAP properties, EAP-MSCHAP v2, if you DISABLE
> "automatically use my windows logon name and password" and
> instead enter the credentials manually it works.

What version of FR are you running? If it's < 2.1.10, try it with 2.1.10.
Re: PEAP/MSCHAPv2 failing with Windows 7
I don't have access to the debug right now, but will post it later. I was hoping someone would pop up and say, "oh yeah - you need patch xyz on Winblows 7...". No such luck :)

Thx

G

----- Original Message -----
From: Phil Mayers [mailto:p.may...@imperial.ac.uk]
Sent: Tuesday, May 10, 2011 07:34 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: PEAP/MSCHAPv2 failing with Windows 7

On 05/10/2011 01:20 PM, Gary Gatten wrote:
> Sorry, I trimmed because "everything" is the same between success and failure
> up until the "exec program output"...

Well, unfortunately "the same" didn't trigger my crystal ball, so I have no idea what it was, regardless of whether it's "the same".

I want to try to help, but in the absence of the debug output I would just have to ask a long list of questions, which to be honest I'm too lazy to do ;o)

>
> Yes, they are domain members. FR sees only a basic MSCHAP request, no *EAP
> of any kind.

So the Aruba kit is fiddling quite extensively with the EAP transaction.

Seriously: at least try it with the PEAP terminated on FreeRADIUS.
Re: PEAP/MSCHAPv2 failing with Windows 7
On 05/10/2011 01:20 PM, Gary Gatten wrote:
> Sorry, I trimmed because "everything" is the same between success and failure
> up until the "exec program output"...

Well, unfortunately "the same" didn't trigger my crystal ball, so I have no idea what it was, regardless of whether it's "the same".

I want to try to help, but in the absence of the debug output I would just have to ask a long list of questions, which to be honest I'm too lazy to do ;o)

> Yes, they are domain members. FR sees only a basic MSCHAP request, no *EAP
> of any kind.

So the Aruba kit is fiddling quite extensively with the EAP transaction.

Seriously: at least try it with the PEAP terminated on FreeRADIUS.
Re: PEAP/MSCHAPv2 failing with Windows 7
Sorry, I trimmed because "everything" is the same between success and failure up until the "exec program output"...

Yes, they are domain members. FR sees only a basic MSCHAP request, no *EAP of any kind.

----- Original Message -----
From: Phil Mayers [mailto:p.may...@imperial.ac.uk]
Sent: Tuesday, May 10, 2011 03:55 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: PEAP/MSCHAPv2 failing with Windows 7

On 05/09/2011 10:55 PM, Gary Gatten wrote:

> > Exec-Program output: Logon failure (0xc06d)
> > Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> > Exec-Program: returned: 1
> > [mschap] External script failed.
> > [mschap] FAILED: MS-CHAP2-Response is incorrect
> > ++[mschap] returns reject

You've trimmed the debug output, so we can't see what the problem is. Don't do that.

> In the PEAP properties, EAP-MSCHAP v2, if you DISABLE “automatically use
> my windows logon name and password” and instead enter the credentials
> manually it works.

Are the machines domain members?

> I should note, it appears the Aruba gear is terminating the PEAP – FR
> only sees an MSCHAP request.

DEFINITELY don't do that! Is it passing the PEAP inner as EAP-MSCHAPv2 or plain MS-CHAPv2?
Re: PEAP/MSCHAPv2 failing with Windows 7
The same FR instance works perfectly using the same Aruba controller and user creds if the client OS is XP. As noted, everything also works with Windows 7 if you don't select "use windows login info".

----- Original Message -----
From: ironr...@yahoo.com [mailto:ironr...@yahoo.com]
Sent: Tuesday, May 10, 2011 06:40 AM
To: FreeRadius users mailing list
Subject: Re: PEAP/MSCHAPv2 failing with Windows 7

Check some basic stuff too. Make sure your radius user can run ntlm_auth.

Sent from Verizon Wireless

-----Original Message-----
From: Phil Mayers
Sender: freeradius-users-bounces+ironrake=yahoo@lists.freeradius.org
Date: Tue, 10 May 2011 09:55:54
To:
Reply-To: FreeRadius users mailing list
Subject: Re: PEAP/MSCHAPv2 failing with Windows 7

On 05/09/2011 10:55 PM, Gary Gatten wrote:

> > Exec-Program output: Logon failure (0xc06d)
> > Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> > Exec-Program: returned: 1
> > [mschap] External script failed.
> > [mschap] FAILED: MS-CHAP2-Response is incorrect
> > ++[mschap] returns reject

You've trimmed the debug output, so we can't see what the problem is. Don't do that.

> In the PEAP properties, EAP-MSCHAP v2, if you DISABLE “automatically use
> my windows logon name and password” and instead enter the credentials
> manually it works.

Are the machines domain members?

> I should note, it appears the Aruba gear is terminating the PEAP – FR
> only sees an MSCHAP request.

DEFINITELY don't do that! Is it passing the PEAP inner as EAP-MSCHAPv2 or plain MS-CHAPv2?
Re: PEAP/MSCHAPv2 failing with Windows 7
Check some basic stuff too. Make sure your radius user can run ntlm_auth.

Sent from Verizon Wireless

-----Original Message-----
From: Phil Mayers
Sender: freeradius-users-bounces+ironrake=yahoo@lists.freeradius.org
Date: Tue, 10 May 2011 09:55:54
To:
Reply-To: FreeRadius users mailing list
Subject: Re: PEAP/MSCHAPv2 failing with Windows 7

On 05/09/2011 10:55 PM, Gary Gatten wrote:

> > Exec-Program output: Logon failure (0xc06d)
> > Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> > Exec-Program: returned: 1
> > [mschap] External script failed.
> > [mschap] FAILED: MS-CHAP2-Response is incorrect
> > ++[mschap] returns reject

You've trimmed the debug output, so we can't see what the problem is. Don't do that.

> In the PEAP properties, EAP-MSCHAP v2, if you DISABLE “automatically use
> my windows logon name and password” and instead enter the credentials
> manually it works.

Are the machines domain members?

> I should note, it appears the Aruba gear is terminating the PEAP – FR
> only sees an MSCHAP request.

DEFINITELY don't do that! Is it passing the PEAP inner as EAP-MSCHAPv2 or plain MS-CHAPv2?
Re: PEAP/MSCHAPv2 failing with Windows 7
On 05/09/2011 10:55 PM, Gary Gatten wrote:

> > Exec-Program output: Logon failure (0xc06d)
> > Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> > Exec-Program: returned: 1
> > [mschap] External script failed.
> > [mschap] FAILED: MS-CHAP2-Response is incorrect
> > ++[mschap] returns reject

You've trimmed the debug output, so we can't see what the problem is. Don't do that.

> In the PEAP properties, EAP-MSCHAP v2, if you DISABLE “automatically use
> my windows logon name and password” and instead enter the credentials
> manually it works.

Are the machines domain members?

> I should note, it appears the Aruba gear is terminating the PEAP – FR
> only sees an MSCHAP request.

DEFINITELY don't do that! Is it passing the PEAP inner as EAP-MSCHAPv2 or plain MS-CHAPv2?
RE: PEAP/MSCHAPv2 failing with Windows 7
I may be misunderstanding you, but FR still auths against a centralized AD (ntlm_auth). I will look into this further though, because it obviously won't honor any DVLAN assignments we have in AD if it's not asking for / expecting them.

G

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Monday, May 09, 2011 5:11 PM
To: FreeRadius users mailing list
Subject: Re: PEAP/MSCHAPv2 failing with Windows 7

Hi,

> I should note, it appears the Aruba gear is terminating the PEAP - FR only
> sees an MSCHAP request.

I would change that behaviour with a quick reconfig - it's possible because we have sites in the UK using Aruba kit with 'eduroam' - and 'eduroam' would break if the remote client was presented with the local site's RADIUS server or EAP termination.

alan
Re: PEAP/MSCHAPv2 failing with Windows 7
Hi,

> I should note, it appears the Aruba gear is terminating the PEAP – FR only
> sees an MSCHAP request.

I would change that behaviour with a quick reconfig - it's possible because we have sites in the UK using Aruba kit with 'eduroam' - and 'eduroam' would break if the remote client was presented with the local site's RADIUS server or EAP termination.

alan