PEAP/MS-CHAPv2 authentication to active directory

Mitchell, Mark mgmitch at sandia.gov
Fri Apr 11 23:46:27 CEST 2008


Hello,

I'm trying to get 802.1x authentication going using PEAP/MS-CHAPv2 but can't quite get it going (I think I'm pretty close though), so I'm hoping someone here can take a look at my debug output below and perhaps offer some helpful advice. Here are the specifics: Ubuntu 7.10, freeRADIUS 1.1.7, Samba 3.0. Note that there are calls to a freeNAC perl module called check_mac that performs mac-auth-bypass vlan assignment for non-802.1x compliant devices.

I've followed the freeNAC instructions and tried some slight variations that I've found posted elsewhere but still not getting it. I've gotten to the point where I can issue the ntlm_auth command "manually" and authenticate to AD, so Samba, Winbind, and Kerberos seem to be OK. When I attempt to get freeRADIUS to do the ntlm_auth for me as described in the freeNAC docs and other web resources like deployingradius.com and the freeradius wiki, I keep getting logon failures. See attached radius debug output below. I'm just attaching the last part of the debug because, for one, it's quite large and, two, it seems to be going well up to a certain point. My EAP-TLS tunnel appears to be getting set up fine but it just acts as if my password is wrong. I'm using a Windows XP SP2 client with a recent PEAP patch added and have tried entering username/password/domain both manually and automatically. I am not validating the server cert at this point. Following is the end of the radius debug:

.
.
.
rad_recv: Access-Request packet from host 111.111.28.101:1645, id=245, length=264
User-Name = "SANDIA\\mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-05-74-43-BD-3F"
Calling-Station-Id = "00-0A-E4-23-CD-16"
EAP-Message = 0x020800601900170301005590558ffa6f1d6b8a4bad64a0b8958aa4c140f2c145163dc92ee5b73ae341713f0466627a1454f0ad3f787b9ab756c8e07050b693f28f17f721c200525f544119a36d2d30e31ae5db2f44f8636bdc03c4f71a422436
Message-Authenticator = 0xb7b52cd2660e4b2695c96dc035368275
Cisco-NAS-Port = "GigabitEthernet1/4"
NAS-Port = 50104
NAS-Port-Type = Ethernet
State = 0x5a5253d83424d1e321022fa6ebfd1ece
NAS-IP-Address = 111.111.28.101
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
perl_pool: item 0x8062e8a0 asigned new request. Handled so far: 3
found interpetator at address 0x8062e8a0
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x8062e8a0
modcall[authorize]: module "check_mac" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "SANDIA\mgmitch", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 8 length 96
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020800491a020800443191a4d2d65459406cb3e67baa8f903a120000000000000000fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf550053414e4449415c6d676d69746368
PEAP: Setting User-Name to SANDIA\mgmitch
PEAP: Adding old state with 56 ed
PEAP: Sending tunneled request
EAP-Message = 0x020800491a020800443191a4d2d65459406cb3e67baa8f903a120000000000000000fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf550053414e4449415c6d676d69746368
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "SANDIA\\mgmitch"
State = 0x56ed3aacd660b70c9a6a4fde3b0858f9
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
perl_pool: item 0x809a4090 asigned new request. Handled so far: 3
found interpetator at address 0x809a4090
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x809a4090
modcall[authorize]: module "check_mac" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "SANDIA\mgmitch", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 8 length 73
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for mgmitch with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: '--username=mgmitch'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
radius_xlat: '--domain=SANDIA'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: 8c
radius_xlat: '--challenge=3f6d14e36675d931'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '--nt-response=fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf55'
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x80674b80 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 245 to 111.111.28.101 port 1645
EAP-Message = 0x010900261900170301001b05fb2b4d0b7732c23c08f5b0c933d75f9c6e7c894c6f5eb0b85242
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x975785863b043e267c2ca1d79c291dde
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 111.111.28.101:1645, id=246, length=206
User-Name = "SANDIA\\mgmitch"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-05-74-43-BD-3F"
Calling-Station-Id = "00-0A-E4-23-CD-16"
EAP-Message = 0x020900261900170301001be11c8a187a3a255b0ded0e8a021d224bce90335e6c02dac30ab5e8
Message-Authenticator = 0xa2889de2b2358293a5d30fd95541b61b
Cisco-NAS-Port = "GigabitEthernet1/4"
NAS-Port = 50104
NAS-Port-Type = Ethernet
State = 0x975785863b043e267c2ca1d79c291dde
NAS-IP-Address = 111.111.28.101
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
perl_pool: item 0x8012eae0 asigned new request. Handled so far: 4
found interpetator at address 0x8012eae0
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x8012eae0
modcall[authorize]: module "check_mac" returns ok for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "SANDIA\mgmitch", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_eap: EAP packet type response id 9 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 246 to 111.111.28.101 port 1645
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3 seconds...




If anyone can help shed light on this, I would sure appreciate it.

Thanks,

Mark
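Added example (editor's addition, not part of Mark's post, freeNAC or FreeRADIUS): a small Python decoder for the two pieces of the trace above that matter for isolating the failure. It splits the tunneled EAP-Message that rlm_eap_peap logs ("Got tunneled EAP-Message") into its RFC 2759 MS-CHAPv2 Response fields, collects the ntlm_auth arguments that rlm_mschap expands via radius_xlat, and checks that the NT-Response the peer sent is the one handed to ntlm_auth. It also implements the RFC 2759 ChallengeHash, which is how the 8-byte `--challenge` is derived and which hashes only the bare user name (a DOMAIN\ prefix is dropped); the authenticator challenge is not in the quoted trace, so that function can only be exercised with constructed values. The input values are copied from the post; the NTSTATUS and MS-CHAPv2 failure-code names come from public Microsoft documentation and RFC 2759 section 6, and the `DEBUG_EXCERPT` line format is assumed to be exactly what the 1.x debug output shows.

```python
"""Decode the tunneled MS-CHAPv2 exchange from a FreeRADIUS 1.x debug trace.

Added example, not part of the original post or of FreeRADIUS/freeNAC.
"""
import hashlib
import re

# Constructed input, copied from the debug output quoted in the post.
TUNNELED_EAP_HEX = (
    "020800491a020800443191a4d2d65459406cb3e67baa8f903a12"
    "0000000000000000fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf55"
    "0053414e4449415c6d676d69746368"
)
DEBUG_EXCERPT = """\
radius_xlat: '--username=mgmitch'
radius_xlat: '--domain=SANDIA'
radius_xlat: '--challenge=3f6d14e36675d931'
radius_xlat: '--nt-response=fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf55'
Exec-Program output: Logon failure (0xc000006d)
MS-CHAP-Error = "\\010E=691 R=1"
"""

EAP_CODE_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26      # 0x1a
MSCHAPV2_OP_RESPONSE = 2

# NTSTATUS values ntlm_auth commonly reports for a failed logon.
NTSTATUS = {
    "0xc000006d": "STATUS_LOGON_FAILURE",
    "0xc000006a": "STATUS_WRONG_PASSWORD",
    "0xc0000064": "STATUS_NO_SUCH_USER",
    "0xc0000072": "STATUS_ACCOUNT_DISABLED",
    "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}
# MS-CHAPv2 failure codes, RFC 2759 section 6.
MSCHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE"}


def parse_mschapv2_response(eap_hex: str) -> dict:
    """Split an EAP-Response carrying an MS-CHAPv2 Response packet (RFC 2759 s.4)."""
    pkt = bytes.fromhex(eap_hex)
    if len(pkt) < 10 or pkt[0] != EAP_CODE_RESPONSE:
        raise ValueError("not an EAP Response")
    if int.from_bytes(pkt[2:4], "big") != len(pkt) or pkt[4] != EAP_TYPE_MSCHAPV2:
        raise ValueError("bad EAP length or not EAP type 26 (MS-CHAPv2)")
    if pkt[5] != MSCHAPV2_OP_RESPONSE:
        raise ValueError("MS-CHAPv2 OpCode is not Response")
    ms_len = int.from_bytes(pkt[7:9], "big")    # covers OpCode..Name
    if ms_len != len(pkt) - 5 or pkt[9] != 49:   # Value-Size is fixed at 49
        raise ValueError("bad MS-CHAPv2 length fields")
    body = pkt[10:]
    return {
        "eap_id": pkt[1],
        "mschap_id": pkt[6],
        "peer_challenge": body[0:16],
        "reserved": body[16:24],         # must be zero
        "nt_response": body[24:48],
        "flags": body[48],               # must be zero in MS-CHAPv2
        "name": body[49:].decode("ascii"),
    }


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: str) -> bytes:
    """ChallengeHash, RFC 2759 s.8.2: the 8-byte --challenge passed to ntlm_auth.
    Only the bare user name is hashed; any DOMAIN\\ prefix is dropped."""
    bare = user_name.rsplit("\\", 1)[-1]
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(bare.encode("ascii"))
    return h.digest()[:8]


def parse_debug_excerpt(text: str) -> dict:
    """Collect the expanded ntlm_auth arguments and the two result lines."""
    info = dict(re.findall(r"radius_xlat: '--([a-z-]+)=([^']*)'", text))
    m = re.search(r"Exec-Program output: (.*?)\s*\((0x[0-9a-f]{8})\)", text)
    if m:
        info["result"] = m.group(1)
        info["ntstatus"] = NTSTATUS.get(m.group(2), m.group(2))
    m = re.search(r'MS-CHAP-Error = "[^"]*?E=(\d+) R=(\d)', text)
    if m:
        info["mschap_error"] = MSCHAP_ERRORS.get(int(m.group(1)), m.group(1))
        info["retry_allowed"] = m.group(2) == "1"
    return info


def cross_check(eap_hex: str, text: str) -> dict:
    """Compare what the peer sent with what rlm_mschap handed to ntlm_auth."""
    fields = parse_mschapv2_response(eap_hex)
    info = parse_debug_excerpt(text)
    return {
        "peer_name": fields["name"],
        "username_passed": info.get("username"),
        "domain_passed": info.get("domain"),
        "nt_response_matches": fields["nt_response"].hex() == info.get("nt-response"),
        "reserved_ok": fields["reserved"] == bytes(8) and fields["flags"] == 0,
        "ntstatus": info.get("ntstatus"),
        "mschap_error": info.get("mschap_error"),
    }


if __name__ == "__main__":
    for key, value in cross_check(TUNNELED_EAP_HEX, DEBUG_EXCERPT).items():
        print(f"{key:20} {value}")
```

For the quoted trace, the decoder reports that the NT-Response in the tunneled packet is exactly the one passed to ntlm_auth and that the name the peer sent is `SANDIA\mgmitch`, split into `--username=mgmitch --domain=SANDIA`; the result is STATUS_LOGON_FAILURE mapped to MS-CHAPv2 error 691. That narrows the problem to the `--challenge`/`--nt-response` path into winbind rather than to PEAP or packet framing, which is worth knowing before comparing against a manual `ntlm_auth --username --password` run, since that run exercises a different code path.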

