Brooks, Kyle wrote:
Put a test user in the "users" file:
test Cleartext-Password := "blah", MS-CHAP-Use-NTLM-Auth := 0
TTLS/MSCHAPV2 works!
If that still fails, then there's something wrong with the system
that breaks the server in 2.0.5.
Running Samba 3.2.0 on Fedora 9
Samba 3.0.28
>Put a test user in the "users" file:
>test Cleartext-Password := "blah", MS-CHAP-Use-NTLM-Auth := 0
TTLS/MSCHAPV2 works!
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(
Perhaps try it with a Cleartext-Password in the "users" file. i.e.
*Without* using ntlm_auth. That works for me, including with
eapol_test, and TTLS/EAP-MSCHAPv2.
Can you clarify this setup/change to test? I was pretty sure I needed
to use ntlm_auth to auth against AD to test mschapv2
Put
Here we go,
TTLS/PAP works
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): c5 bd 3a 25 91 1b fa 82 01 4c
d2 d3 0f 50 b9 69 57 32 5c 19 73 03 2a 02 d2 47 36 bd 0d 7
Brooks, Kyle wrote:
> I have run the test as recommended and attached the results. eapol_test
> does fail
...
> EAP-MSCHAPV2: Invalid authenticator response in success request
That's pretty definitive.
Hmm... it means that the MSCHAP-Success attribute sent by the server
is wrong.
Perhaps
Brooks, Kyle wrote:
> I copied the exact same certificates (private, certificate_file and
> cacert) from production to the new box with no change
That's a little surprising.
> I will do some more reading of what I can find then if no success I
> guess give up.
Please try 2.0.5, with the cert
>> There might be a slight miscommunication here these are two separate
>> boxes. Our production box is 1.1.7 and this new box 2.0.5
>
> That's nice.
>
> Do the clients have the certificate for the CA that signed the server
> certificate? It seems not.
The clients have the certificate for the CA
Brooks, Kyle wrote:
> There might be a slight miscommunication here these are two separate
> boxes. Our production box is 1.1.7 and this new box 2.0.5
That's nice.
Do the clients have the certificate for the CA that signed the server
certificate? It seems not.
> I have created the certifica
Hi Alan,
There might be a slight miscommunication here these are two separate
boxes. Our production box is 1.1.7 and this new box 2.0.5
I have created the certificates using your scripts or openssl and have
had them signed by our Windows CA. The appropriate OID's are there
according to the certi
Brooks, Kyle wrote:
> Sorry to bother you again, but can you provide any more insight with
> reference to the conf and debug files?
Uh... what do you mean?
The eap.conf file points to the certificates. It hasn't really
changed from 1.1.7 to 2.0.5. Just make sure the eap.conf in 2.0.5
points
> If the server sends an Access-Challenge, and nothing else happens, the
> user's machine is *choosing* to not continue the conversation.
>
> XP and Linux machines are known to work with 2.0.5. If 1.1.7 works
>for you, and 2.0.5 doesn't, it's *very* likely because the
>configurations are differen
Brooks, Kyle wrote:
>> I will debug the switch but would it be something else?
If the server sends an Access-Challenge, and nothing else happens, the
user's machine is *choosing* to not continue the conversation.
XP and Linux machines are known to work with 2.0.5. If 1.1.7 works
for you, and
>>>++[mschap] returns ok
>>>MSCHAP Success
>>>++[eap] returns handled
>>
>>Radius is doing fine. Your switch is having problems with EAP-MSCHAPv2.
>>Debug the switch.
>>
>>Ivan Kalik
>>Kalik Informatika ISP
>
>Ok, but we are using this same switch and config for our current
>deployment of freeradiu
>you've configured inner-tunnel for EAP - but do you have the
>inner-tunnel virtual server config file living in sites-enabled/ ?
Hello Alan,
Here are the contents of the inner-tunnel file located in sites-enabled/
# -*- text -*-
##
hi,
you've configured inner-tunnel for EAP - but
do you have the inner-tunnel virtual server config file
living in sites-enabled/ ?
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>++[mschap] returns ok
>>MSCHAP Success
>>++[eap] returns handled
>
>Radius is doing fine. Your switch is having problems with EAP-MSCHAPv2.
>Debug the switch.
>
>Ivan Kalik
>Kalik Informatika ISP
Ok, but we are using this same switch and config for our current
deployment of freeradius 1.1.7 with
>++[mschap] returns ok
>MSCHAP Success
>++[eap] returns handled
Radius is doing fine. Your switch is having problems with EAP-MSCHAPv2.
Debug the switch.
Ivan Kalik
Kalik Informatika ISP
In follow up to 'FreeRadius 2.0.3 setup help' on Jul 27.
We have tested using the certificate creation scripts and WinCA signed
certificates with the same result of an access challenge. We have tested
with both a Windows XP and Linux client with the same result. We are
using Cisco switches.
What a