Re: freeradius SQL + EAP + Windows client

2008-02-28 Thread Ivan Kalik
>Hi, I've got some problems when I try to authorize with SQL and a Windows 
>client on a wireless connection.
>

No, you don't.

>
>When I run the test command
>radtest guillaume passtest localhost 1645 testing123
>I get this result
..
>Sending Access-Accept of id 204 to 127.0.0.1 port 34468
>
>So authorize with SQL working for now

Yes.

> but when I try to connect with the same parameters from my Windows client 
> I get an Access-Reject and I don't know why.
..
>+- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/mschapv2
>  rlm_eap: processing type mschapv2
>+- entering group MS-CHAP
>  rlm_mschap: Told to do MS-CHAPv2 for guillaume with NT-Password
>   expand: --username=%{mschap:User-Name:-None} -> --username=guillaume
>  rlm_mschap: No NT-Domain was found in the User-Name.
>   expand: --domain=%{mschap:NT-Domain:-intranet} -> --domain=intranet
> mschap2: c4
>   expand: --challenge=%{mschap:Challenge:-00} -> 
> --challenge=4384da4f07ddf5b1
>   expand: --nt-response=%{mschap:NT-Response:-00} -> 
> --nt-response=b4e365eb0f01c659d845bd177f80139ebbe46ada409725f1
>Exec-Program output: Logon failure (0xc06d) 
>Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
>Exec-Program: returned: 1
>  rlm_mschap: External script failed.
>  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>++[mschap] returns reject

Well, you have configured it to authenticate against Active Directory.
That failed. Comment out ntlm_auth in the mschap module and the server will use
the password from your SQL database.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
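As an added illustration of the fix above (not configuration posted by either participant), here is the relevant part of raddb/modules/mschap in FreeRADIUS 2.0, shown twice: first the way the original poster evidently has it (the --username/--domain/--challenge/--nt-response expansions in the debug output are exactly what this ntlm_auth line produces), then with ntlm_auth commented out. The path /usr/bin/ntlm_auth is an assumption; the domain fallback "intranet" is taken from the debug output. These are two versions of the same block, not one file.

```conf
# raddb/modules/mschap  (FreeRADIUS 2.0)

# BEFORE: every MS-CHAPv2 exchange is handed to Samba's ntlm_auth, so the
# password rlm_sql found in radcheck is never used and the domain controller
# decides.  Its "Logon failure" is what turned into the Access-Reject.
# (/usr/bin/ntlm_auth is an assumed path.)
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# AFTER: ntlm_auth commented out.  rlm_mschap now verifies the MS-CHAPv2
# response itself against the NT-Password, which the server derives from
# the Cleartext-Password (or NT-Password) check item pulled from radcheck.
mschap {
#   ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

Two things to check after making the change. MS-CHAPv2 can only be verified from a Cleartext-Password or NT-Password check item; a one-way hash such as Crypt-Password satisfies PAP (the radtest run) but not MS-CHAPv2 (the PEAP run), so the two tests can diverge even with ntlm_auth removed. And in 2.0 the PEAP inner MS-CHAPv2 request is processed by the inner-tunnel virtual server, so sql has to be listed in that server's authorize section as well as the default one. Re-run radiusd -X and the mschap section of the debug output should no longer contain any Exec-Program lines. Keeping reversible passwords in radcheck is the cost of MS-CHAPv2, so the SQL account the server uses should be read-only and the table not readable by anything else.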


freeradius SQL + EAP + Windows client

2008-02-28 Thread Guillaume Chartrand
Hi, I've got some problems when I try to authorize with SQL and a Windows client 
on a wireless connection.

I configured my Windows XP wireless connection to work with PEAP.

My FreeRADIUS version is 2.0.0 running on RHEL4 AS.

When I run the test command
radtest guillaume passtest localhost 1645 testing123
I get this result:
rad_recv: Access-Request packet from host 127.0.0.1 port 34468, id=204, 
length=61
User-Name = "guillaume"
User-Password = "passtest"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1645
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "guillaume", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '%{SQL-User-Name}' ORDER BY id -> SELECT 
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER 
BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '%{SQL-User-Name}' ORDER BY id -> SELECT 
id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER 
BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "passtest"
rlm_pap: Using clear text password "passtest"
rlm_pap: User authenticated successfully
++[pap] returns ok
Sending Access-Accept of id 204 to 127.0.0.1 port 34468
Finished request 0.

So authorization with SQL is working for now, but when I try to connect with the 
same parameters from my Windows client I get an Access-Reject and I don't know 
why. Here's my log when I try to connect. It's a very long log, but I prefer to 
put more rather than less.

rad_recv: Access-Request packet from host 172.20.50.202 port 1063, id=0, 
length=207
Message-Authenticator = 0xc0f8d00a3b3681c80b0404fb1071f81a
Service-Type = Framed-User
User-Name = "guillaume\000"
Framed-MTU = 1488
Called-Station-Id = "00-0F-3D-AB-1C-07:testGuillaume"
Calling-Station-Id = "00-0E-35-99-F3-E9"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020e016775696c6c61756d65
NAS-IP-Address = 172.20.50.202
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = "guillaume", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
expand: %{User-Name} -> guillaume
rlm_sql (sql): sql_set_user escaped user --> 'guillaume'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '%{SQL-User-Name}' ORDER BY id -> SELECT 
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'guillaume' ORDER 
BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
'guillaume' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '%{SQL-User-Name}' ORDER BY id -> SELECT 
id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'guillaume' ORDER 
BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 
'guillaume' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
  rlm_eap: EAP packet type response id 0 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 172.20.50.202 port 1063
EAP-Message = 0x01010016041092804dde8d0a06d99e5261ceb9722ac7
Message-Authenticator = 0x
State = 0x520c3ced520d38a3a459d69bfb6e15b4
Finished request 0.
Going to the next request
Waking up in 0.9 seconds. 
rad_recv: Access-Request