MySQL and PEAP not talking

Doe Hoe doehoe at gmail.com
Tue Mar 31 00:16:44 CEST 2009


Hi.
I'm quite a newbie, so please keep it simple.
I have been fighting with this for the past 10 hours!

I am trying to do PEAP authentication (without certificates) where a
client (Windows XP/Vista) gains WPA wi-fi access with a username and
password using FreeRADIUS (v2.1.4) as the RADIUS server on Ubuntu
Linux 8.10.

I have gotten as far as compiling FreeRADIUS with SSL/TLS support and
getting a Windows client to gain WPA access where his username/pass is
in the "/etc/freeradius/users" file. I'm not interested in doing any
LDAP or Active Directory stuff (don't want to use ntlm_auth), so
obviously "MS-CHAP-Use-NTLM-Auth := No" was included with the
user/pass in the "/etc/freeradius/users" file. And as I said, the
client could gain Wi-fi WPA access using PEAP authentication.

However, I would like to manage usernames and passwords in a MySQL database.
The relevant part of the MySQL schema that I have been trying is as follows:
radcheck (id,username,attribute,op,value)
radreply (id,username,attribute,op,value)

I have configured FreeRADIUS to talk to MySQL using various tutorials
on the internet and have confirmed this works with the "radtest" shell
command (I get an Access-Accept back for any users in the "radcheck"
table).

So to try to do it with PEAP authentication I inserted the following in the tables.
INSERT INTO radcheck (username,attribute,op,value) VALUES
('user1','Cleartext-Password',':=','pass1');
INSERT INTO radreply (username,attribute,op,value) VALUES
('user1','MS-CHAP-Use-NTLM-Auth',':=','No');

Note how I have included "MS-CHAP-Use-NTLM-Auth := No" as a reply
attribute. But, no matter what I do, this does not allow a client to
authenticate.

freeradius debug (with -X switch) gives me the following (I've only
included the parts which I think are relevant):

..................
[sql] 	expand: SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck           WHERE username = 'user1'           ORDER BY id
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op
FROM radreply           WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply           WHERE username = 'user1'           ORDER BY id
[sql] 	expand: SELECT groupname           FROM radusergroup
WHERE username = '%{SQL-User-Name}'           ORDER BY priority ->
SELECT groupname           FROM radusergroup           WHERE username
= 'user8'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
..................
	EAP-Message = 0x0108001f1a0108001a1025124f5e6a8bc7778687e657b729c16b7573657238
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x31f7332531ff293ae0350b28678bf4db
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x0108001f1a0108001a1025124f5e6a8bc7778687e657b729c16b7573657238
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x31f7332531ff293ae0350b28678bf4db
[peap] Got tunneled Access-Challenge
++[eap] returns handled
...................
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for user1 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
..................

The parts that give away the fact that the "MS-CHAP-Use-NTLM-Auth :=
No" is not being read from the database:
1) no users are found in the "SELECT FROM radreply" query
2) underneath "[peap] Got tunneled reply code 11" there is no
"MS-CHAP-Use-NTLM-Auth := No" as there is when a user is authenticated
from the "users" file.
3) The fact that I cannot get the client to gain access!

I really don't know what to do from this point. I haven't included any
of my freeradius configuration files because I really don't know which
ones to include. So if you want to see them just let me know which
ones you want.

Thanks in advance
Doron
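Editor's note on the rows shown in the post above: the password was inserted into radcheck but the MS-CHAP-Use-NTLM-Auth switch into radreply. In FreeRADIUS that attribute is a control (check) item; rlm_mschap reads it from the request's check items, so it belongs in radcheck next to Cleartext-Password, exactly as it sits on the check-item line of a "users" file entry. Rows in radreply only become reply attributes sent back to the NAS and are never consulted by rlm_mschap. The MySQL script below is an added example, not code from the original post or from the FreeRADIUS project; it uses a minimal table definition built from the column list in the post, and user1, pass1 and the Session-Timeout reply are assumed values. One further thing to verify that the quoted debug output cannot settle: the tunneled MS-CHAPv2 request is processed by the inner-tunnel virtual server (sites-enabled/inner-tunnel), whose authorize section has sql commented out in the stock 2.x configuration. If sql is not enabled there, the inner request never sees the radcheck rows and rlm_mschap reports "No Cleartext-Password configured" just as in the log.

```sql
-- Added example (not from the original post). Assumes the standard
-- FreeRADIUS 2.x MySQL column layout for radcheck/radreply
-- (id, username, attribute, op, value) and a hypothetical user 'user1'.

-- Minimal tables matching the columns listed in the post.
CREATE TABLE IF NOT EXISTS radcheck (
  id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL DEFAULT '',
  attribute VARCHAR(64)  NOT NULL DEFAULT '',
  op        CHAR(2)      NOT NULL DEFAULT '==',
  value     VARCHAR(253) NOT NULL DEFAULT '',
  KEY username (username(32))
);

CREATE TABLE IF NOT EXISTS radreply (
  id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL DEFAULT '',
  attribute VARCHAR(64)  NOT NULL DEFAULT '',
  op        CHAR(2)      NOT NULL DEFAULT '=',
  value     VARCHAR(253) NOT NULL DEFAULT '',
  KEY username (username(32))
);

-- Check items (control attributes) go in radcheck: the clear-text
-- password rlm_mschap needs to derive the NT hash, and the switch that
-- tells it not to call ntlm_auth. ':=' overrides anything set earlier
-- in the authorize section.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('user1', 'Cleartext-Password',    ':=', 'pass1'),
  ('user1', 'MS-CHAP-Use-NTLM-Auth', ':=', 'No');

-- radreply holds only attributes returned to the NAS/client.
-- A control attribute placed here is ignored by rlm_mschap.
-- (Session-Timeout is an assumed example reply attribute.)
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('user1', 'Session-Timeout', ':=', '3600');

-- The check-item query rlm_sql runs (the same one visible in the -X
-- output). With the rows above it returns both check items for user1.
SELECT id, username, attribute, value, op
  FROM radcheck
 WHERE username = 'user1'
 ORDER BY id;
```

After loading this, a second radiusd -X run should show two rows returned from radcheck for user1 in both the outer and the inner-tunnel authorize pass, and the "[mschap] No Cleartext-Password configured" lines should disappear from the inner request.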