PEAP EAP-TLS not replying with Access-Accept message

Chris Studt chris at mythdragon.com
Fri May 22 22:24:00 CEST 2009


> Chris Studt wrote:
>> I've been debugging this for a while and I still can't find a solution to
>> the problems I'm having. I'm running freeradius in this pattern:
>>
>> Active Directory <-> MS-CHAP <-> Freeradius <-> Cisco Switch <-> Windows
>> XP SP3
>
>   And Samba.  Don't forget Samba.
>
>   And it's not that the server "doesn't reply with Access-Accept".  It
> replies with a challenge, and the client never sends the next packet.
>
>> The output of freeradius -X when I attempt a connection is like this:
> ...
>> [mschapv2] +- entering group MS-CHAP {...}
> ...
>> 	expand: --challenge=%{mschap:Challenge:-00} ->
>> --challenge=4e97ec9325450dea
>> 	expand: --nt-response=%{mschap:NT-Response:-00} ->
>> --nt-response=35b488c0131cea6672253fe5e9a3b8e54aacc0c341fae031
>> Exec-Program output: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207
>> Exec-Program-Wait: plaintext: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207
>> Exec-Program: returned: 0
>> ++[mschap] returns ok
>> MSCHAP Success
> ...
>> Sending Access-Challenge of id 83 to 10.10.10.15 port 1645
>> 	EAP-Message =
>> 0x0109004a1900170301003f9831a816e378081f830ef42917053a509f826145b1c94885404f81f6f05985fbdaed9e0e6a5002ea5d72b9dba9
>> 	Message-Authenticator = 0x00000000000000000000000000000000
>> 	State = 0x99671c669e6e0575d57e32307d8902b7
>> Finished request 43.
>> Going to the next request
>> Waking up in 4.8 seconds.
>> Cleaning up request 36 ID 76 with timestamp +422
>
>   OK.  That problem is becoming more common.
>
>> Any help you guys can give me would be very appreciated. I know this
>> issue has been posted here before, but it seems like the results I'm
>> getting from all the solutions I've seen aren't fixing my problem.
>
>   Please post:
>
>   1) OS you're using to run RADIUS.
>   2) version of Active Directory
>   3) version of Samba
>
>   Then, try *downgrading* samba to an earlier version.  Keep going
> backwards until it works.  Then, post the version of Samba where it
> starts working.
>
>   I've asked the Samba people if they know anything more about this, but
> have seen no response.  If this is common, I'll open a bug with them,
> and see if it can get larger attention.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Thanks for the help; yes, I am using Samba between AD and Freeradius.

The OS I'm running on the Freeradius server is Ubuntu 8.10.
I'm running an OpenSSL-patched package of Freeradius 2.1.0+dfsg-0ubuntu2.
The Active Directory server is Windows Server 2003.
The version of Samba (and winbind) running is 3.2.3-1ubuntu3.4.

I will begin downgrading my Samba and see if that changes anything.

Chris Studt
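Decoding the EAP-Message from the quoted Access-Challenge, as an added example that is not part of this thread or of FreeRADIUS. The hex value is copied from the debug output above; the field layout is the EAP header (RFC 3748), the EAP-TLS/PEAP flag byte (RFC 5216 section 3.1) and the TLS record header (RFC 2246). It shows that the server is sending an EAP Request (id 9, type 25 = PEAP, version 0) carrying a TLS application-data record, which is the tunnelled MS-CHAPv2 result that the Windows client never answers; it does not decrypt the tunnel. It also shows that the value as it appears on the page (56 bytes) is shorter than its own EAP length field (74 bytes), so the line was cut when the debug output was pasted; the decoder reports the shortfall instead of guessing the missing bytes.

```python
"""Decode the EAP-Message attribute from the Access-Challenge quoted above.

Added example for this thread, not code from FreeRADIUS or from the posters.
Field layout: RFC 3748 EAP header, RFC 5216 EAP-TLS/PEAP flag byte, RFC 2246
TLS record header. Nothing is decrypted; the TLS payload stays opaque.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
TUNNEL_TYPES = (13, 21, 25)  # EAP methods that carry TLS records behind an L/M/S flag byte

# Copied verbatim from the "Sending Access-Challenge of id 83" block in the post.
PAGE_EAP_MESSAGE = (
    "0x0109004a1900170301003f9831a816e378081f830ef42917053a509f826145b1"
    "c94885404f81f6f05985fbdaed9e0e6a5002ea5d72b9dba9"
)


def decode_eap_message(hexstr):
    """Return a dict describing the EAP packet, its PEAP/EAP-TLS flag byte and
    the leading TLS record header. Short input is reported, never padded."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(data))
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {
        "code": EAP_CODES.get(code, "unknown(%d)" % code),
        "id": ident,
        "declared_length": length,
        "bytes_present": len(data),
        # Positive when the captured value is shorter than its own length field,
        # e.g. because the line was cut when the debug output was pasted.
        "missing_bytes": max(0, length - len(data)),
    }
    if code not in (1, 2) or len(data) < 5:
        return info  # Success/Failure carry no type byte
    eap_type = data[4]
    info["type"] = EAP_TYPES.get(eap_type, "unknown(%d)" % eap_type)
    if eap_type not in TUNNEL_TYPES or len(data) < 6:
        return info
    flags = data[5]
    info["flags"] = {
        "length_included": bool(flags & 0x80),  # L: 4-byte total TLS length follows
        "more_fragments": bool(flags & 0x40),   # M: peer must ACK with an empty fragment
        "start": bool(flags & 0x20),            # S: first packet of the TLS conversation
        "version": flags & 0x07,                # PEAP version bits (0 = PEAPv0)
    }
    offset = 6
    if flags & 0x80 and len(data) >= 10:
        info["tls_total_length"] = struct.unpack("!I", data[6:10])[0]
        offset = 10
    tls = data[offset:]
    if len(tls) >= 5:
        ctype, major, minor, rec_len = struct.unpack("!BBBH", tls[:5])
        info["tls_record"] = {
            "content_type": TLS_CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": TLS_VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
            "declared_length": rec_len,
            "payload_present": len(tls) - 5,
        }
    return info


def describe(info):
    """One-line summary suitable for reading next to radiusd -X output."""
    parts = ["EAP %s id=%d len=%d" % (info["code"], info["id"], info["declared_length"])]
    if "type" in info:
        parts.append("type=%s" % info["type"])
    if "flags" in info:
        f = info["flags"]
        parts.append("flags=%s%s%s v%d" % ("L" if f["length_included"] else "-",
                                           "M" if f["more_fragments"] else "-",
                                           "S" if f["start"] else "-", f["version"]))
    if "tls_record" in info:
        r = info["tls_record"]
        parts.append("tls=%s/%s len=%d (%d present)" % (r["content_type"], r["version"],
                                                         r["declared_length"], r["payload_present"]))
    if info["missing_bytes"]:
        parts.append("TRUNCATED by %d bytes" % info["missing_bytes"])
    return " ".join(parts)


if __name__ == "__main__":
    print(describe(decode_eap_message(PAGE_EAP_MESSAGE)))
```

Run against the page's value this prints a PEAP v0 Request with no L/M/S bits set and a TLS 1.0 application_data record: a single, unfragmented packet inside the established tunnel, so the next packet on the wire has to come from the supplicant, exactly as the reply says. Feed it any other `EAP-Message = 0x...` line from a `-X` trace to see where in the EAP-TLS/PEAP conversation a session stops.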
