EAP-TLS OK - EAP-PEAP KO!! why that?

Reveal MAP revealmapp at yahoo.fr
Sat Jul 19 19:13:55 CEST 2008


Re hello:

Now I am trying to authenticate, via PEAP, a user existing in my SQL database:

The output is too long; the mailing list parameters won't accept it. I am posting the part of the output that seems to point to the misconfiguration. If it is not sufficient, please let me know, and I will find a way to put the whole output of radiusd -X somewhere. Thank you.



----------------------------------------
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: Told to do MS-CHAPv2 for maman with NT-Password
        expand: --username=%{mschap:User-Name} -> --username=maman
 mschap2: dc
        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=42199e911fc846b6
        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=f597ba61948e2ca2d0d108962a8d4d933e2eceba92acfe27
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [maman/<via Auth-Type = EAP>] (from client Ap8500 port 2 cli 00-12-F0-0C-97-61 via TLS tunnel)
} # server (null)
  PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Processing from tunneled session code 0x81da268 3
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
++[eap] returns handled
Sending Access-Challenge of id 32 to 10.10.44.246 port 1030
        EAP-Message = 0x010800261900170301001b87ea6c21d531f819e4f7aa4107a0597deda9fd0e2abda3a5196a2d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x15d6165412de0f4c4e5f14457cfcd56a
Finished request 237.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.44.246 port 1030, id=33, length=194
        User-Name = "maman"
        NAS-IP-Address = 10.10.44.246
        NAS-Port = 2
        Called-Station-Id = "00-1C-F0-08-FB-FA:PEAP"
        Calling-Station-Id = "00-12-F0-0C-97-61"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020800261900170301001b7f8d9a1114a91aa324b023d74676e1d5613e1824df38b29b776f9a
        State = 0x15d6165412de0f4c4e5f14457cfcd56a
        Message-Authenticator = 0x05c147f8e161153a89766257956164c0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "maman", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 8 length 38
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [maman/<via Auth-Type = EAP>] (from client Ap8500 port 2 cli 00-12-F0-0C-97-61)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> maman
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 33 to 10.10.44.246 port 1030
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 238.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 230 ID 25 with timestamp +80150
Cleaning up request 231 ID 26 with timestamp +80150
Cleaning up request 232 ID 27 with timestamp +80150
Cleaning up request 233 ID 28 with timestamp +80150
Cleaning up request 234 ID 29 with timestamp +80150
Cleaning up request 235 ID 30 with timestamp +80150
Cleaning up request 236 ID 31 with timestamp +80150
Cleaning up request 237 ID 32 with timestamp +80150
Cleaning up request 238 ID 33 with timestamp +80150
Ready to process requests.
                                                      
--------------------------------------
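
Added example, not part of the original post: a Python sketch that pulls the failure chain out of debug lines like the ones above, namely the first module to return reject, whether the MS-CHAP check went through an external program, and the decoded MS-CHAP-Error. The E= code names are from RFC 2759 and 0xC000006D is the Windows NTSTATUS STATUS_LOGON_FAILURE; the function names `parse_mschap_error` and `triage` are illustrative.

```python
import re

# RFC 2759 failure codes carried in the E= field of MS-CHAP-Error
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE"}  # only the code seen in this log

# Lines copied from the debug output in the post above
SAMPLE = r'''
  rlm_mschap: Told to do MS-CHAPv2 for maman with NT-Password
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
++[mschap] returns reject
++[eap] returns reject
        MS-CHAP-Error = "\007E=691 R=1"
  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in this session.
++[eap] returns invalid
'''

def parse_mschap_error(value):
    """Decode the E=/R= fields of an MS-CHAP-Error attribute as printed in the log."""
    fields = dict(re.findall(r"(?<![A-Za-z])([ERCV])=(\w+)", value))
    code = int(fields["E"])
    return {"code": code, "name": MSCHAP_ERRORS.get(code, "unknown"),
            "retry_allowed": fields.get("R") == "1"}

def triage(log):
    """Return the first rejecting module and the evidence that explains it."""
    result = {"first_reject": None, "external_helper": False,
              "ntstatus": None, "mschap_error": None}
    for line in log.splitlines():
        if m := re.search(r"\+\+\[(\w[\w.]*)\] returns reject", line):
            result["first_reject"] = result["first_reject"] or m.group(1)
        elif "Exec-Program" in line or "External script failed" in line:
            result["external_helper"] = True  # check was delegated, not done locally
            if m := re.search(r"\((0x[0-9a-fA-F]{8})\)", line):
                code = int(m.group(1), 16)
                result["ntstatus"] = NTSTATUS.get(code, hex(code))
        elif m := re.search(r'MS-CHAP-Error = "(.*)"', line):
            result["mschap_error"] = parse_mschap_error(m.group(1))
    return result
```

Calling `triage(SAMPLE)` shows that `mschap` is the first module to reject and that the verdict came from an external program's logon failure, which is the detail to compare against where the user's credentials are actually stored.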


