FreeRadius 2.1.6 + EAP-PEAP issue

Anatoly Oreshkin Anatoly.Oreshkin at pnpi.spb.ru
Thu Jul 9 11:46:09 CEST 2009


Hi,

I've configured modules/preprocess with

with_ntdomain_hack = yes

and tried again to authenticate a Vista user, but got the following:

--------------------------------------------------------

rad_recv: Access-Request packet from host 192.168.14.240 port 3882, id=0, length=235
 	Message-Authenticator = 0x1d3ad896dc4a74ba303ea91c436eb1de
 	Service-Type = Framed-User
 	User-Name = "csd-notebook\\oreshkin"
 	Framed-MTU = 1488
 	Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
 	Calling-Station-Id = "00-16-EA-8A-DE-38"
 	NAS-Identifier = "3Com Access Point 7760"
 	NAS-Port-Type = Wireless-802.11
 	Connect-Info = "CONNECT 54Mbps 802.11g"
 	EAP-Message = 0x0200001a016373642d6e6f7465626f6f6b5c6f726573686b696e
 	NAS-IP-Address = 192.168.14.240
 	NAS-Port = 1
 	NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 159
[files] users: Matched entry DEFAULT at line 178
[files] users: Matched entry oreshkin at line 229
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> oreshkin
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 192.168.14.240 port 3882
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +7
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.14.240 port 3883, id=0, length=235
 	Message-Authenticator = 0xa3e7a7ca6dba61b4439c131be684f918
 	Service-Type = Framed-User
 	User-Name = "csd-notebook\\oreshkin"
 	Framed-MTU = 1488
 	Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
 	Calling-Station-Id = "00-16-EA-8A-DE-38"
 	NAS-Identifier = "3Com Access Point 7760"
 	NAS-Port-Type = Wireless-802.11
 	Connect-Info = "CONNECT 54Mbps 802.11g"
 	EAP-Message = 0x0200001a016373642d6e6f7465626f6f6b5c6f726573686b696e
 	NAS-IP-Address = 192.168.14.240
 	NAS-Port = 1
 	NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 159
[files] users: Matched entry DEFAULT at line 178
[files] users: Matched entry oreshkin at line 229
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> oreshkin
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 0 to 192.168.14.240 port 3883
Waking up in 4.9 seconds.
----------------------------------------------------------


Users file contains the line:

oreshkin Cleartext-Password := "some_password"


What is the cause?



On Wed, 8 Jul 2009 A.L.M.Buxey at lboro.ac.uk wrote:

> Date: Wed, 8 Jul 2009 16:22:56 +0100
> From: A.L.M.Buxey at lboro.ac.uk
> Reply-To: FreeRadius users mailing list
>     <freeradius-users at lists.freeradius.org>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: FreeRadius 2.1.6 + EAP-PEAP issue
> 
> Hi,
>
>> csd-notebook\user_name Cleartext-Password := "user_password"
>>
>> Where csd-notebook is notebook name.
>> This setting is working.
>>
>> But I would like to make 2 improvements to current configuration.
>>
>> 1.  to have an ability to specify only user name in users file in order to
>> not depend on user computer name.
>>
>> I was trying to do this by changing some FR 2.1.6 configuration parameters
>> but failed.
>
> you need to ensure that the preprocess module is called and that is configured with
> the nt_domain_hack = yes
>
>> 2. To add authentication by computer MAC address
>>
>> I added Calling-Station-Id == "00-16-EA-8A-DE-38" parameter to users file
>>
>> csd-notebook\user_name Cleartext-Password := "user_password", Calling-Station-Id == "00-16-EA-8A-DE-38"
>>
>> [mschap] FAILED: MS-CHAP2-Response is incorrect
>> ++[mschap] returns reject
>
> this log is very much chewed
>
> alan



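The debug log quoted above records the EAP module rejecting the request with "Identity does not match User-Name" right after preprocess and suffix have rewritten the name. The following Python, added here as an illustration and not part of the original post or of FreeRADIUS itself, decodes the EAP-Message from that log, applies the same `DOMAIN\user` stripping that `with_ntdomain_hack` performs, and reports which form of User-Name the EAP Identity agrees with. The log excerpt is a constructed subset of the one quoted above, and `ntdomain_hack` is a simplified model of the preprocess module, not its code.

```python
import re

# Constructed excerpt of the radiusd -X output quoted in the post (only the lines
# the analysis needs; radiusd prints a backslash inside a string value as "\\").
DEBUG_LOG = r'''
rad_recv: Access-Request packet from host 192.168.14.240 port 3882, id=0, length=235
        User-Name = "csd-notebook\\oreshkin"
        EAP-Message = 0x0200001a016373642d6e6f7465626f6f6b5c6f726573686b696e
++[preprocess] returns ok
[suffix] Adding Stripped-User-Name = "oreshkin"
[eap] Identity does not match User-Name, setting from EAP Identity.
++[eap] returns invalid
'''

# Only request attributes are indented, so "[suffix] ... User-Name = ..." is not matched.
USER_NAME_RE = re.compile(r'^\s+User-Name = "(.*)"$')
EAP_MSG_RE = re.compile(r'^\s+EAP-Message = 0x([0-9a-fA-F]+)$')
EAP_MISMATCH = "Identity does not match User-Name"


def ntdomain_hack(name: str) -> str:
    """Simplified model of preprocess 'with_ntdomain_hack = yes': drop 'DOMAIN\\'."""
    _domain, sep, user = name.partition("\\")
    return user if sep else name


def decode_eap_identity(hexstr: str) -> str:
    """Parse an EAP-Response/Identity (RFC 3748): code=2, id, length, type=1, identity."""
    pkt = bytes.fromhex(hexstr)
    code, length, eap_type = pkt[0], int.from_bytes(pkt[2:4], "big"), pkt[4]
    if code != 2 or eap_type != 1:
        raise ValueError("not an EAP-Response/Identity")
    if length != len(pkt):
        raise ValueError("EAP length field disagrees with attribute length")
    return pkt[5:length].decode("ascii")


def analyse(log: str) -> dict:
    """Compare the EAP Identity with User-Name before and after the NT-domain hack."""
    user_name = eap_identity = None
    for line in log.splitlines():
        if user_name is None and (m := USER_NAME_RE.match(line)):
            user_name = m.group(1).replace("\\\\", "\\")   # undo radiusd's escaping
        elif eap_identity is None and (m := EAP_MSG_RE.match(line)):
            eap_identity = decode_eap_identity(m.group(1))
    stripped = ntdomain_hack(user_name)
    return {
        "user_name": user_name,                   # what the access point sent
        "user_name_after_hack": stripped,         # what later modules see
        "eap_identity": eap_identity,             # what is inside EAP-Message
        "matches_before_hack": eap_identity == user_name,
        "matches_after_hack": eap_identity == stripped,
        "eap_reported_mismatch": any(EAP_MISMATCH in l for l in log.splitlines()),
    }
```

Run `analyse(DEBUG_LOG)` to see that the Identity carried inside EAP-Message still contains the `csd-notebook\` prefix while the rewritten User-Name does not, which is the comparison the EAP module complains about in the log.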