PEAP EAP-TLS not replying with Access-Accept message

Alan DeKok aland at deployingradius.com
Fri May 22 22:13:07 CEST 2009


Chris Studt wrote:
> I've been debugging this for awhile and I still can't find a solution to
> the problems I'm having. I'm running freeradius in this pattern:
> 
> Active Directory <-> MS-CHAP <-> Freeradius <-> Cisco Switch <-> Windows
> XP SP3

  And Samba.  Don't forget Samba.

  And it's not that the server "doesn't reply with Access-Accept".  It
replies with a challenge, and the client never sends the next packet.

> The output of freeradius -X when I attempt a connection is like this:
...
> [mschapv2] +- entering group MS-CHAP {...}
...
> 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4e97ec9325450dea
> 	expand: --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=35b488c0131cea6672253fe5e9a3b8e54aacc0c341fae031
> Exec-Program output: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207
> Exec-Program-Wait: plaintext: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207
> Exec-Program: returned: 0
> ++[mschap] returns ok
> MSCHAP Success
...
> Sending Access-Challenge of id 83 to 10.10.10.15 port 1645
> 	EAP-Message =
> 0x0109004a1900170301003f9831a816e378081f830ef42917053a509f826145b1c94885404f81f6f05985fbdaed9e0e6a5002ea5d72b9dba9
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 	State = 0x99671c669e6e0575d57e32307d8902b7
> Finished request 43.
> Going to the next request
> Waking up in 4.8 seconds.
> Cleaning up request 36 ID 76 with timestamp +422

  OK.  That problem is becoming more common.

> Any help you guys can give me would be very appreciated. I know this issue
> has been posted here before, but it seems like the results I'm getting
> from all the solutions I've seen aren't fixing my problem.

  Please post:

  1) OS you're using to run RADIUS.
  2) version of Active Directory
  3) version of Samba

  Then, try *downgrading* samba to an earlier version.  Keep going
backwards until it works.  Then, post the version of Samba where it
starts working.

  I've asked the Samba people if they know anything more about this, but
have seen no response.  If this is common, I'll open a bug with them,
and see if it can get larger attention.

  Alan DeKok.



More information about the Freeradius-Users mailing list