rlm_eap: Handler failed in EAP/peap
Laker Netman
laker_netman at yahoo.com
Tue Feb 28 00:18:46 CET 2006
SEE BELOW:
--- Agus Supriyadi <sorcerershell at gmail.com> wrote:
> Dear All,
>
> I've got a problem with my freeradius. I've
> installed freeradius 1.1.0. I'm
> going to use EAP/PEAP and MSCHAPv2. The radius
> returned an Access-Reject message
> when I try to authenticate a user.
>
> This is the debug message from freeradius:
> ------------------- BEGIN DEBUG
> -----------------------
> rad_recv: Access-Request packet from host
> 128.16.100.2:21645, id=112,
> length=219
> User-Name = "agus"
> Framed-MTU = 1400
> Called-Station-Id = "0012.43f9.07f0"
> Calling-Station-Id = "0040.96a6.0915"
> Service-Type = Login-User
> Message-Authenticator =
> 0x035385584153738e930ae5647bba4e77
> EAP-Message =
>
0x020900561900170301004bbeba44dea711ccc50b11d2b66d81c5ee2f2254128135c4bfbc0c8f56c11d93419377cb9061b873416e21389346112ea96d1078b7ad8db16c64b70d812a071923b02819bd681a5902ead889
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 208
> State = 0xbe8af775ecd2998b486819e32c8c5eb3
> NAS-IP-Address = 128.16.100.2
> NAS-Identifier = "iSpot"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
> modcall[authorize]: module "preprocess" returns ok
> for request 7
> modcall[authorize]: module "chap" returns noop for
> request 7
> modcall[authorize]: module "mschap" returns noop
> for request 7
> rlm_realm: No '@' in User-Name = "agus", looking
> up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop
> for request 7
> rlm_eap: EAP packet type response id 9 length 86
> rlm_eap: No EAP Start, assuming it's an on-going
> EAP conversation
> modcall[authorize]: module "eap" returns updated
> for request 7
> users: Matched entry DEFAULT at line 152
> modcall[authorize]: module "files" returns ok for
> request 7
> rlm_passwd: Added LM-Password:
> 'B736D7A84FBDE543AAD3B435B51404EE' to
> config_items
> rlm_passwd: Added NT-Password:
> 'AA4348E74FCFE5BB2061F2FF5C085304' to
> config_items
> rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U
> ]' to config_items
> rlm_passwd: Adding "Auth-Type = MS-CHAP"
> modcall[authorize]: module "etc_smbpasswd" returns
> ok for request 7
> modcall: leaving group authorize (returns updated)
> for request 7
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of
> radiusd.conf
> modcall: entering group authenticate for request 7
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding
> tunneled attributes.
> rlm_eap_peap: EAP type mschapv2
> rlm_eap_peap: Tunneled data is valid.
> PEAP: Setting User-Name to agus
> PEAP: Adding old state with e5 7c
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
> modcall[authorize]: module "preprocess" returns ok
> for request 7
> modcall[authorize]: module "chap" returns noop for
> request 7
> modcall[authorize]: module "mschap" returns noop
> for request 7
> rlm_realm: No '@' in User-Name = "agus", looking
> up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop
> for request 7
> rlm_eap: EAP packet type response id 9 length 63
> rlm_eap: No EAP Start, assuming it's an on-going
> EAP conversation
> modcall[authorize]: module "eap" returns updated
> for request 7
> users: Matched entry DEFAULT at line 152
> modcall[authorize]: module "files" returns ok for
> request 7
> rlm_passwd: Added LM-Password:
> 'B736D7A84FBDE543AAD3B435B51404EE' to
> config_items
> rlm_passwd: Added NT-Password:
> 'AA4348E74FCFE5BB2061F2FF5C085304' to
> config_items
> rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U
> ]' to config_items
> rlm_passwd: Adding "Auth-Type = MS-CHAP"
> modcall[authorize]: module "etc_smbpasswd" returns
> ok for request 7
> modcall: leaving group authorize (returns updated)
> for request 7
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of
> radiusd.conf
> modcall: entering group authenticate for request 7
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> Processing the authenticate section of
> radiusd.conf
> modcall: entering group MS-CHAP for request 7
> rlm_mschap: Found LM-Password
> rlm_mschap: Found NT-Password
> rlm_mschap: Told to do MS-CHAPv2 for agus with
> NT-Password
> radius_xlat: Running registered xlat function of
> module mschap for string
> 'Challenge'
> mschap2: 60
> radius_xlat: Running registered xlat function of
> module mschap for string
> 'NT-Response'
> radius_xlat: '/usr/bin/ntlm_auth --request-nt-key
> --username=agus
> --challenge=b7bc51d8fa48dfc5
>

It looks like you didn't include the domain info by
having --domain=%{mschap:NT-Domain} in your
"ntlm_auth" command line in the mschap section of your
radius.conf file.

--nt-response=09d697e7c477017b27c969c52b93deb49200295bda22bf6b'
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key
> --username=agus
> --challenge=b7bc51d8fa48dfc5
>
--nt-response=09d697e7c477017b27c969c52b93deb49200295bda22bf6b
> [2006/02/28 05:41:41, 0]
> utils/ntlm_auth.c:get_winbind_domain(140)
> could not obtain winbind domain name!
> Exec-Program output: Reading winbind reply failed!
> (0xc0000001)
> Exec-Program-Wait: plaintext: Reading winbind reply
> failed! (0xc0000001)
> Exec-Program: returned: 1
> rlm_mschap: External script failed.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> modcall[authenticate]: module "mschap" returns
> reject for request 7
> modcall: leaving group MS-CHAP (returns reject) for
> request 7
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns reject
> for request 7
> modcall: leaving group authenticate (returns reject)
> for request 7
> auth: Failed to validate the user.
> PEAP: Tunneled authentication was rejected.
> rlm_eap_peap: FAILURE
> modcall[authenticate]: module "eap" returns
> handled for request 7
> modcall: leaving group authenticate (returns
> handled) for request 7
> Sending Access-Challenge of id 112 to 128.16.100.2
> port 21645
> EAP-Message =
>
0x010a00261900170301001bce70eaa23461d24fc4ce2a1d288dd015b9c4c3640a8a4edb8bae92
> Message-Authenticator =
> 0x00000000000000000000000000000000
> State = 0x475bad5b4f387d108835cc1a2cf108f0
> Finished request 7
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 2 seconds...
> rad_recv: Access-Request packet from host
> 128.16.100.2:21645, id=113,
> length=171
> User-Name = "agus"
> Framed-MTU = 1400
> Called-Station-Id = "0012.43f9.07f0"
> Calling-Station-Id = "0040.96a6.0915"
> Service-Type = Login-User
> Message-Authenticator =
> 0xc2617d78095ef05b9cac0310eb5d1793
> EAP-Message =
>
0x020a00261900170301001bd67b9a87e9d765a68d39d4c7315696e06a111f82effe74aca9e9c0
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 208
> State = 0x475bad5b4f387d108835cc1a2cf108f0
> NAS-IP-Address = 128.16.100.2
> NAS-Identifier = "iSpot"
> Processing the authorize section of radiusd.conf
>
=== message truncated ===> -
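A log check for the situation discussed in this thread, added here as an example (it is not part of the original messages and not FreeRADIUS code): it finds each ntlm_auth command in the server's debug output, reports whether a --domain argument was passed, and pairs that with any winbind error and the exit status. The sample log is constructed from the quoted debug lines with the mail wrapping undone; the function names are hypothetical.

```python
import re
import shlex

# Constructed sample: the relevant debug lines from the quoted log, un-wrapped.
SAMPLE_LOG = """\
rlm_mschap: Told to do MS-CHAPv2 for agus with NT-Password
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=agus --challenge=b7bc51d8fa48dfc5 --nt-response=09d697e7c477017b27c969c52b93deb49200295bda22bf6b
  could not obtain winbind domain name!
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program: returned: 1
rlm_mschap: External script failed.
"""

EXEC_RE = re.compile(r"^\s*Exec-Program: (\S*ntlm_auth\s.*)$")
EXIT_RE = re.compile(r"^\s*Exec-Program: returned: (\d+)")


def ntlm_auth_calls(log_text):
    """Collect each ntlm_auth invocation with its options and outcome."""
    calls = []
    for line in log_text.splitlines():
        m = EXEC_RE.match(line)
        if m:
            argv = shlex.split(m.group(1))
            # "--name=value" -> {"name": "value"}; bare flags map to "".
            opts = dict(a[2:].partition("=")[::2]
                        for a in argv[1:] if a.startswith("--"))
            calls.append({"options": opts, "exit": None, "winbind_error": False})
        elif calls:
            last = calls[-1]
            m = EXIT_RE.match(line)
            if m and last["exit"] is None:
                last["exit"] = int(m.group(1))
            elif "winbind" in line.lower() and last["exit"] is None:
                last["winbind_error"] = True
    return calls


def findings(call):
    """Return human-readable observations for one invocation."""
    out = []
    if not call["options"].get("domain"):
        out.append("ntlm_auth ran without a --domain value")
    if call["winbind_error"]:
        out.append("ntlm_auth reported a winbind error")
    if call["exit"] not in (0, None):
        out.append("ntlm_auth exited with status %d" % call["exit"])
    return out
```

Calling `findings()` on each entry returned by `ntlm_auth_calls(SAMPLE_LOG)` lists all three observations for the quoted failure; an invocation that carries a non-empty `--domain=` value and exits 0 yields an empty list.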