freeradius+peap+mschap+AD

Aniss Nazerian aniss.nazerian at vxu.se
Mon Apr 26 16:49:27 CEST 2010


Hi,

This is what I get.
----------
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for username at domain.xx with NT-Password
[mschap]        expand: %{Stripped-User-Name} -> username
[mschap]        expand:
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} ->
--username=username
[mschap] No NT-Domain was found in the User-Name.
[mschap]        expand: %{mschap:NT-Domain} ->
[mschap]        expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN.XX} ->
--domain=LNU.SE
[mschap]  mschap2: 67
[mschap]        expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=756cc36d609e7393
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=29dbc4dc525dd28cac668e57a0d85803996301a054d782fb
Exec-Program output: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program-Wait: plaintext: NT_KEY: A67F6D31D2596CD536AD173AE3DBD480
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
-----------

I'm using WPA2-enterprise (tried WPA-ent too).
I've tried both PEAP/MSCHAPv2 and EAP-TTLS/MSCHAPv2 and the CA-cert is
used on the client.


On 2010-04-26 15:37, Alan Buxey wrote:
> Hi,
> 
>> Info: ++[mschap] returns ok
>> Debug: MSCHAP Success
>> ----
>> So i assume that the auth. against AD is OK
> 
> not if you haven't done the EAP inner-tunnel stuff yet - unless you mean
> basic authorize has completed.
> 
>> but then the inner tunnel does something....
> 
> well, it tries to
> 
>> Mon Apr 26 12:32:15 2010 : Info: [peap] Got tunneled Access-Challenge
>> Mon Apr 26 12:32:15 2010 : Info: ++[eap] returns handled
>> Sending Access-Challenge of id 0 to 194.47.88.154 port 2051
>>         EAP-Message =
>> 0x0107005b19001703010050154c3b195ed5a3fa88fd21477529cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab27087ad7df766d20447dbce1247b6a9ccf6b4376d854978db210db60f9b3578592123a4c5d43a205e8f79
>>         Message-Authenticator = 0x00000000000000000000000000000000
>>         State = 0x3b975d133d90441898602b7c0076958a
> 
> it sends a challenge back to the NAS/AP - but nothing else is happening.....
> so, either the NAS or the client.  how have you got the AP set up? 802.1X or
> WPA-Enterprise? how is the client configured?  to use PEAP/MSCHAPv2 or EAP-TTLS/MSCHAPv2?
> got the required certificate installed on the client?
> 
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Aniss Nazerian, IT-Department, Linnaeus University
Phone: +46-470-708183, E-mail:aniss.nazerian at vxu.se

O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
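
Added example (not part of the original messages and not FreeRADIUS code): a small Python decoder for the EAP-Message attribute in the Access-Challenge quoted above, to confirm from a debug log what the server actually sent. The function and table names are this example's own; the hex value is copied from the thread.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}
TLS_BASED = (13, 21, 25)  # EAP types that carry TLS records after a flags byte

# EAP-Message value from the Access-Challenge quoted in the thread.
EAP_MESSAGE_HEX = ("0x"
    "0107005b19001703010050154c3b195ed5a3fa88fd21477529"
    "cf86ee7d1d98cf8eb918036ac8aa14cd6f8c66a1836e9ab270"
    "87ad7df766d20447dbce1247b6a9ccf6b4376d854978db210d"
    "b60f9b3578592123a4c5d43a205e8f79")

def decode_eap_message(hex_value):
    """Decode the EAP header and any TLS record headers; payloads stay opaque."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("shorter than an EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(raw)))
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length < 5:
        return info  # Success/Failure packets have no type field
    eap_type = raw[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type not in TLS_BASED or length < 6:
        return info
    flags = raw[5]
    info["flags"] = {"length_included": bool(flags & 0x80),
                     "more_fragments": bool(flags & 0x40),
                     "start": bool(flags & 0x20)}
    pos = 10 if flags & 0x80 else 6  # skip 4-byte TLS message length if present
    records = []
    while pos + 5 <= len(raw):
        ctype, major, minor, rlen = struct.unpack("!BBBH", raw[pos:pos + 5])
        records.append({"content": TLS_CONTENT.get(ctype, ctype),
                        "version": "%d.%d" % (major, minor),
                        "length": rlen,
                        # False when the record continues in a later fragment
                        "complete": pos + 5 + rlen <= len(raw)})
        pos += 5 + rlen
    info["tls_records"] = records
    return info

if __name__ == "__main__":
    print(decode_eap_message(EAP_MESSAGE_HEX))
```

For the quoted packet this reports an EAP Request with id 7 and type PEAP, carrying one complete 80-byte TLS application_data record: an encrypted inner-tunnel message that the client still has to answer.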


