cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

Sergio sergioyebenes at alumnos.upm.es
Sun Jul 27 10:46:13 CEST 2008


Anders Holm wrote:
>
>     [snip]
>
>     rlm_pap: WARNING! No "known good" password found for the user.
>     Authentication may fail because of this. //Normal, I am not
>     willing to do PAP but mschapv2
>
>     <me> If you’re not using a module, disable it. All it’ll do is add
>     latency, delays and unnecessary log messages. Comment it out ...
>
>     ++[pap] returns noop
>     rad_check_password: Found Auth-Type EAP
>     auth: type "EAP"
>     +- entering group authenticate
>     rlm_eap: Request found, released from the list
>     rlm_eap: EAP/mschapv2
>     rlm_eap: processing type mschapv2
>     +- entering group MS-CHAP
>     rlm_mschap: No Cleartext-Password configured. Cannot create
>     LM-Password.
>     rlm_mschap: No Cleartext-Password configured. Cannot create
>     NT-Password.
>     rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
>     //do the 3 previous lines mean there is an error? What does "No
>     Cleartext-Password configured" mean?
>
>     <me> it means, it cannot find a clear text password in the backend
>     data store, which it expects to do ..
>
>     // what does LM-Password mean? And if it's an error, how could I
>     correct it?
>
>     <me> Check your configuration. All depends on so many things ..
>
>     // I thought it was normal, as I am sure Windows never sends
>     "cleartext-Password"
>
>     Oh, Windows sure has been using clear text passwords, so it then
>     also has a need to be backwards compatible with itself, right?
>
>
>     expand: --username=%{mschap:User-Name}-> --username=glouglou
>     //...???...
>
>     mschap2: d1
>     expand: --challenge=%{mschap:Challenge:-00} ->
>     --challenge=4a2a69e7929b2c03 //...???...
>     expand: --nt-response=%{mschap:NT-Response:-00}} ->
>     --nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6}
>     //...???...
>     Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1
>     //...???...
>     Exec-Program-Wait: plaintext: NT_KEY:
>     067F1C60B6DDB9D2802A458C4EFE22C1 //...???...
>     //negotiation that is out of the range of my brain till now, but I
>     think it's normal security negotiation in Windows system, and
>     there is no error here.
>
>     Exec-Program: returned: 0 //...???...
>     rlm_mschap: adding MS-CHAPv2 MPPE keys
>     ++[mschap] returns ok
>     MSCHAP Success //...???... if MSCHAP Success, where is the matter
>     with this module???
>
>     <me> what makes you believe there is a problem at this stage?
>
>     ++[eap] returns handled
>     } # server (null) //...???...
>     PEAP: Got tunneled reply RADIUS code 11
>     EAP-Message =
>     0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
>     Message-Authenticator = 0x00000000000000000000000000000000
>     State = 0x95b92b9094ab31501a0a30daea5106ca
>     PEAP: Processing from tunneled session code 0x81b78d8 11
>     EAP-Message =
>     0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
>     Message-Authenticator = 0x00000000000000000000000000000000
>     State = 0x95b92b9094ab31501a0a30daea5106ca
>     PEAP: Got tunneled Access-Challenge
>     ++[eap] returns handled
>     Sending Access-Challenge of id 164 to 10.10.44.246 port 1042
>     EAP-Message =
>     0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3
>     Message-Authenticator = 0x00000000000000000000000000000000
>     State = 0xe8ed0301efff1a196c3b0024d8e45892 //...???... and then
>     what? And why it stops..???...
>
>     <me> why do I get the feeling that if Message-Authenticator is all
>     zeros, it is a “nope, not going to happen mate” type return,
>     effectively stopping any further processing. Why I have no idea ..
>     Alan??
>
>     [cut out bits that are not relevant, nor commented, nor anything.
>     Let’s trim messages folks. If it’s not used or relevant, get rid
>     of it.. It only takes space]
>
>
>
I agree, a good beginning would be to comment out all modules you're not
using. The instances of the modules are in sites-enabled/default and
sites-enabled/inner-tunnel (for peap and ttls).



