problems authenticating
jck-freeradius at southwestern.edu
Mon Jul 11 23:01:05 CEST 2005
I am trying to do EAP-PEAP, using FreeRadius 1.0.4. Here are the debug logs,
at the breaking points:
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module "sql" returns ok for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 8
rlm_mschap: Told to do MS-CHAPv2 for johnk with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 8
modcall: group Auth-Type returns reject for request 8
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 8
modcall: group authenticate returns reject for request 8
auth: Failed to validate the user.
Login incorrect: [johnk/<no User-Password attribute>] (from client localhost port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
and again later on...
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 9
modcall: group authenticate returns invalid for request 9
auth: Failed to validate the user.
Login incorrect: [johnk/<no User-Password attribute>] (from client xXxXx1100 port 821 cli 000e.35b5.eb8f)
Here is how my two auth sections look:
radiusd.conf:
    authorize {
        preprocess
        auth_log
        mschap
        eap
        sql
    }

    authenticate {
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        eap
    }
Here are a few excerpts from
eap.conf:
    eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received.
        #
        # The incoming EAP messages DO NOT specify which EAP
        # type they will be using, so it MUST be set here.
        #
        # For now, only one default EAP type may be used at a time.
        #
        # If the EAP-Type attribute is set by another module,
        # then that EAP type takes precedence over the
        # default type configured here.
        #
        default_eap_type = mschapv2
        ....
        peap {
            # The tunneled EAP session needs a default
            # EAP type which is separate from the one for
            # the non-tunneled EAP module. Inside of the
            # PEAP tunnel, we recommend using MS-CHAPv2,
            # as that is the default type supported by
            # Windows clients.
            default_eap_type = mschapv2
        }
My thoughts are that SQL and MSCHAP should be in the authorization section,
and MSCHAP and EAP should be in authentication. I have tried this, and
it does not work for me. I really have no idea of what I am doing, although
I have read the documentation.
I am storing NTLM passwords in my SQL server.
mysql> select * from radcheck where UserName = "johnk";
+------+----------+---------------+----+-------------------------------------------------------------------+
| id   | UserName | Attribute     | op | Value                                                             |
+------+----------+---------------+----+-------------------------------------------------------------------+
| 1490 | johnk    | User-Password | == | 0393A990E3426721695109AB020K4E1C:FBFR81520C5BDDENOTREALPASSWORD33 |
+------+----------+---------------+----+-------------------------------------------------------------------+
1 row in set (0.00 sec)
(The password above has been assigned a false value)
mysql> select * from usergroup where UserName = "johnk";
+------+----------+-----------+
| id   | UserName | GroupName |
+------+----------+-----------+
| 2502 | johnk    | pirate    |
+------+----------+-----------+
1 row in set (0.01 sec)
mysql> select * from radgroupreply;
+----+-----------+---------------------------+----+----------+------+
| id | GroupName | Attribute                 | op | Value    | prio |
+----+-----------+---------------------------+----+----------+------+
| 39 | pirate    | Tunnel-Medium-Type:0      | =  | IEEE-802 | 0    |
| 40 | pirate    | Tunnel-Type:0             | =  | VLAN     | 0    |
| 41 | pirate    | Tunnel-Private-Group-ID:0 | =  | 111      | 0    |
+----+-----------+---------------------------+----+----------+------+
3 rows in set (0.00 sec)
What can be suggested, so that my authentication phase goes as well as my
authorization phase?
--johnk
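Editor's note with an added example; this is not part of the original post and not FreeRADIUS code. The radcheck row above puts an "LMHASH:NTHASH" string into User-Password. rlm_mschap only uses a stored hash directly when it arrives as NT-Password; when it finds just a User-Password it derives NT-Password by hashing that value as if it were the cleartext. A hash stored in User-Password is therefore hashed a second time and the server's expected response can never match what the supplicant computed, which is exactly the "MS-CHAP2-Response is incorrect" line in the log. The Go program below implements the RFC 2759 pieces (NtPasswordHash, ChallengeHash, ChallengeResponse) with the RFC's own section 9.2 test vector embedded, verifies the client's NT-Response once with the hash as NT-Password and once with the hash re-hashed as rlm_mschap would do for User-Password, and shows only the first verifies. The MD4 routine is written inline because Go's standard library has none; the user name, password and challenges are the RFC's, not this poster's.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// md4 is a compact RFC 1320 MD4 (Go's standard library has none); the NT hash is MD4 of the UTF-16LE password.
func md4(msg []byte) []byte {
	st := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	m := append(append([]byte{}, msg...), 0x80) // pad: 0x80, zeros, then 64-bit little-endian bit length
	for len(m)%64 != 56 { m = append(m, 0) }
	var lb [8]byte
	binary.LittleEndian.PutUint64(lb[:], uint64(len(msg))*8)
	m = append(m, lb[:]...)
	rotl := func(x uint32, n uint) uint32 { return x<<n | x>>(32-n) }
	f := func(x, y, z uint32) uint32 { return (x & y) | (^x & z) }
	g := func(x, y, z uint32) uint32 { return (x & y) | (x & z) | (y & z) }
	h := func(x, y, z uint32) uint32 { return x ^ y ^ z }
	k2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15} // round 2 word order
	k3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15} // round 3 word order
	sh := [3][4]uint{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}     // per-round rotation amounts
	for off := 0; off < len(m); off += 64 {
		var x [16]uint32
		for i := range x { x[i] = binary.LittleEndian.Uint32(m[off+4*i:]) }
		a, b, c, d := st[0], st[1], st[2], st[3]
		for i := 0; i < 48; i++ { // 3 rounds x 16 steps; (a,b,c,d) rotate one place each step
			t := h(b, c, d) + x[k3[i%16]] + 0x6ed9eba1
			if i < 16 { t = f(b, c, d) + x[i] } else if i < 32 { t = g(b, c, d) + x[k2[i%16]] + 0x5a827999 }
			a, b, c, d = d, rotl(a+t, sh[i/16][i%4]), b, c
		}
		st[0], st[1], st[2], st[3] = st[0]+a, st[1]+b, st[2]+c, st[3]+d
	}
	out := make([]byte, 16)
	for i, v := range st { binary.LittleEndian.PutUint32(out[4*i:], v) }
	return out
}

// ntPasswordHash is NtPasswordHash() from RFC 2759: MD4 over the UTF-16LE encoded password.
func ntPasswordHash(password string) []byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, c := range u { binary.LittleEndian.PutUint16(buf[2*i:], c) }
	return md4(buf)
}

// challengeHash is ChallengeHash() from RFC 2759: first 8 bytes of SHA-1(peer || authenticator || username).
func challengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peerChallenge...), authChallenge...), userName...))
	return sum[:8]
}

// desEncrypt spreads a 7-byte key over 8 bytes (low bit of each byte is the parity bit DES ignores) and encrypts one block.
func desEncrypt(clear, key7 []byte) []byte {
	key := []byte{key7[0], key7[0]<<7 | key7[1]>>1, key7[1]<<6 | key7[2]>>2, key7[2]<<5 | key7[3]>>3,
		key7[3]<<4 | key7[4]>>4, key7[4]<<3 | key7[5]>>5, key7[5]<<2 | key7[6]>>6, key7[6] << 1}
	block, _ := des.NewCipher(key) // key is always 8 bytes, so NewCipher cannot fail here
	out := make([]byte, 8)
	block.Encrypt(out, clear)
	return out
}

// challengeResponse is ChallengeResponse() from RFC 2759: NT hash zero-padded to 21 bytes and used as three DES keys.
func challengeResponse(challenge, ntHash []byte) []byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	var resp []byte
	for i := 0; i < 21; i += 7 { resp = append(resp, desEncrypt(challenge, z[i:i+7])...) }
	return resp
}

// verifyNTResponse is the server-side check: recompute the response from the NT hash on file and compare.
func verifyNTResponse(authChallenge, peerChallenge []byte, userName string, ntHash, ntResponse []byte) bool {
	return bytes.Equal(challengeResponse(challengeHash(peerChallenge, authChallenge, userName), ntHash), ntResponse)
}

func main() {
	// RFC 2759 section 9.2 test vector, embedded so the program runs offline.
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	user, pass := "User", "clientPass"
	ntHex := hex.EncodeToString(ntPasswordHash(pass)) // the "NT" half of an LMHASH:NTHASH row
	resp := challengeResponse(challengeHash(peer, auth, user), ntPasswordHash(pass)) // what the supplicant sends
	fmt.Printf("NT-Response: %X\n", resp)
	// Hash stored as NT-Password: rlm_mschap uses it as is and the response verifies.
	nt, _ := hex.DecodeString(ntHex)
	fmt.Println("NT-Password := <hash>   ->", verifyNTResponse(auth, peer, user, nt, resp))
	// Same hex string stored as User-Password: rlm_mschap treats it as cleartext and hashes it again.
	fmt.Println("User-Password == <hash> ->", verifyNTResponse(auth, peer, user, ntPasswordHash(ntHex), resp))
}
```

The second verification is the situation in the radcheck table above. The fix is on the data side rather than in the authorize/authenticate ordering: store the NT half of the hash pair under the attribute NT-Password (rlm_mschap accepts it as 32 hex characters), or store the cleartext under User-Password and let the module derive the hash itself. Go's crypto/des is deprecated for new designs, but MS-CHAPv2 mandates single DES, so it is the correct primitive for this check.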