PEAP problem when using domain suffix
Graham Marsh
graham at netmarsh.com
Fri Jun 6 05:07:51 CEST 2008
Hi
Have set up freeradius on a SLES10SP1 box in order to do 802.1X
authentication. All is fine if the client submits a request using just
the user name e.g. test05 in the case below:

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
rlm_mschap: Told to do MS-CHAPv2 for test05 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 6
modcall: leaving group MS-CHAP (returns ok) for request 6
MSCHAP Success
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6

However, if the user submits a request with the domain name appended
such as @xyz.edu.hk, then the request fails at the same point in the
process as shown:

Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
rlm_mschap: Told to do MS-CHAPv2 for test08 at xyz.edu.hk with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
Found Post-Auth-Type
Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 6

I defined the domain suffix in the proxy conf file and set it to LOCAL
because the local server should process the requests no matter whether
the suffix is there or not.
I also tried rewriting the User-Name attribute to remove the suffix
(which is already done by Stripped-User-Name) but that caused another
problem.
So I'm at the point where I'm just scratching my head... any hints most appreciated.

Graham Marsh
Hong Kong
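
Background on the "MS-CHAP2-Response is incorrect" line above, as an added example that is not part of the original post or of FreeRADIUS: RFC 2759 mixes the user name into the MS-CHAPv2 challenge hash, so client and server must hash the same name string. The sketch shows the 8-byte challenge for the suffixed and stripped forms of a name; the challenges are the RFC 2759 section 9.2 test vectors, and the helper names are hypothetical.

```python
import hashlib

# RFC 2759 section 9.2 test vectors (not values from the post's capture).
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")


def hashed_name(user_name):
    """RFC 2759 8.2 excludes a prepended NT domain (DOMAIN\\user).
    An "@suffix" is not a prepended domain, so it stays in the hash input."""
    return user_name.rsplit("\\", 1)[-1]


def challenge_hash(peer, auth, user_name):
    """ChallengeHash(): first 8 octets of SHA1(peer || auth || name)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer + auth + hashed_name(user_name).encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def candidate_names(user_name):
    """Name forms that one side or the other might feed into the hash."""
    base = hashed_name(user_name)
    return {
        "as sent": user_name,
        "NT domain removed": base,
        "realm suffix removed": base.rsplit("@", 1)[0],
    }


def compare(user_name, peer=PEER_CHALLENGE, auth=AUTH_CHALLENGE):
    """Map each candidate form to the hex challenge it produces."""
    return {label: challenge_hash(peer, auth, name).hex()
            for label, name in candidate_names(user_name).items()}


if __name__ == "__main__":
    # Name taken from the failing log in the post.
    for label, digest in compare("test08@xyz.edu.hk").items():
        print(f"{label:22} {digest}")
```

If the supplicant hashed one form and the server another, the NT-Response check fails even with the correct password, which is why rewriting User-Name inside the tunnel can break MS-CHAPv2.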