PEAP or TTLS and Microsoft Vista.

nf-vale nf-vale at critical-links.com
Wed Jul 23 02:12:46 CEST 2008


I'm also suffering from this Vista "disease". But in my case I can
authenticate users using PEAP, from XP SP2 and SP3 clients, even with
"Validating Server Certificate" checked.

The problem is only with Vista. I have all the available Windows updates
installed, but I can't get it to work even with "Validate Server
Certificate" unchecked.

The FreeRADIUS version that I'm using is 2.0.2, and I've tried both the
radius "test" certificates and others; the behavior is exactly the same.

The radius log always shows the following:

"...
rad_recv: Access-Request packet from host 192.168.100.199 port 1024,
id=93, length=340
        Framed-MTU = 1480
        NAS-IP-Address = 192.168.100.199
        NAS-Identifier = "HP ProCurve Switch 2626-PWR"
        User-Name = "teste"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 2
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "2"
        Called-Station-Id = "00-11-85-ad-b7-c0"
        Calling-Station-Id = "00-1b-38-8f-40-aa"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
        State = 0x2a4cc8322ac0d1b35c7650bea0308dda
        EAP-Message =
0x028c007419800000006a16030100650100006103014886730236b0840bd6df9358c1446c3e62e956de01ad320ddc04441dcf82d462000018002f00350005000ac009c00ac013c0140032003800130004010000200000000a00080000057465737465000a00080006001700180019000b00020100
        Message-Authenticator = 0xd46becf93b1bcccd0402d3496f7f5721
+- entering group authorize
++[preprocess] returns ok
    rlm_realm: No '@' in User-Name = "teste", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 140 length 116
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[mschap] returns noop
    users: Matched entry teste at line 1
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for teste
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=teste)
        expand: ou=People,dc=local,dc=loc -> ou=People,dc=local,dc=loc
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=local,dc=loc, with filter
(uid=teste)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 106
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
    (other): before/accept initialization 
    TLS_accept: before/accept initialization 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0065], ClientHello  
    TLS_accept: SSLv3 read client hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
    TLS_accept: SSLv3 write server hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 03b0], Certificate  
    TLS_accept: SSLv3 write certificate A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
    TLS_accept: SSLv3 write server done A 
    TLS_accept: SSLv3 flush data 
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
  eaptls_process returned 13 
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 93 to 192.168.100.199 port 1024
        EAP-Message =
0x8c122c5da0678d64eaaf118463b82422c7d7ad07cd049e0a94994b4ffc9c95a6ac5ce278d16d8e9fdeac51a4cca0c8cd78b71e1b282b188798209515da8d688cea3aaef56731d96975f8f99cbdd13d71ff792aa8b44040c4fe1b90aad77057a6b8cc2c238a1319abfe9f0df37f538ef2119ac041e73b00343b1953db2193522a2dab185993a2b7f756e920a89d01f17ce7df5c482064505a102a25ff9421b8aed065f1ca0c2c38a62a616407fb06dd051dfcf00243b83074e724666a332c5baec351eb0df5c8fea22cb8db7892d59f85e0a6070a9461b23f0d568c170dc89f60a3ef0203010001a317301530130603551d25040c300a06082b06010505
        EAP-Message =
0x070301300d06092a864886f70d0101040500038201010036adc59ded5d25b5d99cf4d52fab993bab169cf0175b6503aadef2581b50f788abe5e158bed1b1d2eb3295e4aa0e39027f2903047db540be42b71d9ce76d9453fe295252c6a12f3a3d92271111686ebb308682302298c0d6f90f1f1bd3715dea86fa5a8c38a019e438a296dbc226d64e453279b0b21d8d3c46010b829e0075f7c9d267b5938c512113ff718bd462958384b1944bb2e6a17f80ed659c9065eeb40e38da88f071ab970349bf1d7c8cb259d27e7dd2782e82059d8525b01f6d577ba365679b5d107eab1cfcbaaf21c58ef73a85d7b7da9627a6d80fad0580299fca91f51acc8994
        EAP-Message = 0x8e17896898d68a07d3dbf173
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2a4cc8322bc1d1b35c7650bea0308dda
Finished request 11.
Going to the next request
Waking up in 0.9 seconds. 
Waking up in 3.9 seconds. 
Cleaning up request 10 ID 92 with timestamp +1627
Cleaning up request 11 ID 93 with timestamp +1627
Ready to process requests.
" 

Is there anything that I'm missing?



Nelson Vale
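The numbers rlm_eap prints above ("response id 140 length 116", "TLS Length 106", ClientHello "[length 0065]") can be cross-checked by decoding the EAP-Message attribute itself. The decoder below is an added example written for this post, not code from the thread or from FreeRADIUS; it handles only the case the log shows (PEAP with the L bit set, carrying a TLS ClientHello) and takes the hex value quoted in the Access-Request as its input.

```python
import struct

# EAP-Message from the Access-Request quoted in the log above, re-joined here
# (constructed from the mail's attribute value) so the decoder has real input.
EAP_MESSAGE_HEX = (
    "028c007419800000006a"                       # EAP hdr, type 25, flags, TLS len
    "1603010065" "01000061" "0301"               # record hdr, handshake hdr, version
    "4886730236b0840bd6df9358c1446c3e62e956de01ad320ddc04441dcf82d462"  # random
    "00" "0018002f00350005000ac009c00ac013c0140032003800130004" "0100"
    "0020" "0000000a00080000057465737465" "000a00080006001700180019" "000b00020100"
)

def decode_eap_peap(hex_str):
    """Decode one EAP-PEAP packet carrying a TLS ClientHello into the fields worth
    checking against rlm_eap / rlm_eap_tls output (id, lengths, flags, offer)."""
    buf = bytes.fromhex(hex_str)
    code, eap_id, eap_len, eap_type, flags = struct.unpack("!BBHBB", buf[:6])
    if eap_type != 25:
        raise ValueError("not EAP-PEAP (EAP type %d)" % eap_type)
    out = {"code": code, "id": eap_id, "length": eap_len, "extensions": {},
           "length_included": bool(flags & 0x80), "peap_version": flags & 0x07}
    pos = 6
    if out["length_included"]:                   # L bit: 4-byte TLS message length
        out["tls_length"], = struct.unpack("!I", buf[pos:pos + 4]); pos += 4
    ctype, ver, rec_len = struct.unpack("!BHH", buf[pos:pos + 5]); pos += 5
    out["record"] = {"content_type": ctype, "version": ver, "length": rec_len}
    hs_type, hs_len = buf[pos], int.from_bytes(buf[pos + 1:pos + 4], "big")
    out["handshake"] = {"type": hs_type, "length": hs_len}
    if hs_type != 1:                             # only ClientHello is decoded further
        return out
    pos += 4
    out["client_version"], out["gmt_unix_time"] = struct.unpack("!HI", buf[pos:pos + 6])
    pos += 2 + 32                                # version + 32-byte random
    pos += 1 + buf[pos]                          # session id
    cs_len, = struct.unpack("!H", buf[pos:pos + 2]); pos += 2
    out["cipher_suites"] = [struct.unpack("!H", buf[i:i + 2])[0]
                            for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + buf[pos]                          # compression methods
    if pos < len(buf):                           # extensions block is optional
        ext_total, = struct.unpack("!H", buf[pos:pos + 2]); pos += 2
        end = pos + ext_total
        while pos < end:
            etype, elen = struct.unpack("!HH", buf[pos:pos + 4]); pos += 4
            out["extensions"][etype] = buf[pos:pos + elen]; pos += elen
    if 0 in out["extensions"]:                   # server_name: list len, type, len, name
        sni = out["extensions"][0]
        out["sni"] = sni[5:5 + struct.unpack("!H", sni[3:5])[0]].decode("ascii")
    return out
```

The decode agrees with every length the server logged and shows the client offering TLS 1.0 with twelve suites (including ECDHE ones) and a server_name extension carrying the user name, so the ClientHello itself is well-formed; the log then ends with the server waiting for the client's answer to ServerHelloDone.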


On Tue, 2008-07-22 at 23:22 +0200, Lech Karol Pawłaszek wrote:
> Hello.
> 
> I need your help. For the last few days I have been trying to authenticate and
> authorize the Microsoft Vista operating system against FreeRADIUS and a 3com
> switch (as NAS) for wired authentication, with no luck.
> 
> I'm using FreeRADIUS 2.0.5 from sources built on Debian Etch GNU/Linux
> and certs made by the bootstrap command (so those certs should have a bit of
> magic from xpextensions, afaik). I try to take small steps and change as
> little as possible - to be honest, I've only added a user to the users file
> and a client definition to the clients.conf file.
> 
> I've tested my configuration with the eapol_test command (as suggested at
> this site[1]) and it works fine. I've tested it against Mac OS X 10.4 and
> Mac OS X 10.5 and it works fine. I even tested it against Windows XP SP2
> and it works fine. It doesn't work with Windows Vista and Windows XP
> SP3. Please help!
> 
> What I have spotted is that the server sends "Access Challenge" and then
> on OS X a dialog pops up where I can accept the server's certificate, while on
> Windows it's over. So I think it's the issue mentioned on this site[2];
> however, I DO have Validate Server Certificate un-checked.
> 
> One more thing. If I don't use Windows' PEAP authorization but install
> securew2 and use securew2's auth, I am able to connect. It works for a
> minute or so and then the NAS reports lost carrier and the connection is lost.
> 
> I wrote about this issue about a year ago; however, it was put
> on hold. You might want to look at the logfiles from those tests.
> 
> [1] - http://deployingradius.com/scripts/eapol_test/
> [2] - http://deployingradius.com/documents/configuration/eap-problems.html
> [3] -
> http://lists.freeradius.org/pipermail/freeradius-users/2007-July/msg00096.html
> 
> Any hints and tips much appreciated. I'm attaching two logfiles. The
> first one - freeradius.log - is the one where I'm trying to authenticate
> using system-wide PEAP. The second one, namely freeradius-securew2.log,
> is the one where the switch receives Access-Accept and a few moments later
> the switch sends back information that the carrier is lost.
> 
> I've compressed both logfiles. I hope it's ok here. If it's not - please 
> let me know.
> 
> Thanks in advance.
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
