Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not

Jean-Yves Avenard jyavenard at gmail.com
Fri Aug 27 10:34:44 CEST 2010


Hi

On 26 August 2010 23:35, Alan DeKok <aland at deployingradius.com> wrote:
> Jean-Yves Avenard wrote:
>> I am running freeradius that comes installed and configured with MacOS
>> 10.6 server.
>>
>> A Windows XP can connect just fine using Microsoft Protected EAP.
>> iPhone, mac os client connect just fine using EAP-TTLS
>>
>> Windows 7 will connect fine using Securew2 EAP-TTLS supplicant; but
>> not with the default built-in PEAP.
>
>  The log you posted shows a clear issue:
>
>> When connecting with Windows 7, I would read:
>>
>> Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the
>> user's uuid.
>> Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef():
>> dsGetRecordList() status = 0, recCount=0
>>
>>
>> Any hint about what I should be looking at?
>
>  Run the server in debugging mode (radiusd -X).  Look for the above
> errors, and *read* the lines of text around them.
>
>  Then use the information from the debug output to look the user up in
> OpenDirectory.  Odds are that the user doesn't exist, which is why it
> can't get the UUID.
>
>> Mind you, I'm a complete noob when it comes to radius, I only started
>> playing with it 2 days ago.
>
>  This isn't much of a RADIUS error.  The user lookup in OpenDirectory
> fails, and the UUID wasn't found.  The only issue is *who* was being
> looked up, and *why* the UUID wasn't found.
>
>  Alan DeKok.

All right...

Here are some logs...

rad_recv: Access-Request packet from host 192.168.0.20 port 65513,
id=51, length=163
	User-Name = "host/ramon"
	NAS-IP-Address = 192.168.0.20
	NAS-Port = 0
	Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
	Calling-Station-Id = "C4-46-19-25-31-52"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 0Mbps 802.11"
	EAP-Message = 0x027e000f01686f73742f72616d6f6e
	Message-Authenticator = 0x4f4536256e97a2b596511e8560ef07ca
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 126 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_opendirectory: The host 192.168.0.20 does not have an access group.
rlm_opendirectory: Could not get the user's uuid.
++[opendirectory] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[snip]

By default it tries to connect with the computer name rather than the
user name.
Going into the Advanced option, I can force the type of authentication
used to "User Authentication"...

From there it worked ...
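
Added example, not part of the original message: a small Python triage helper for one Access-Request block of radiusd -X output. It decodes the EAP-Message hex into its EAP header and Identity, and flags a "host/" computer identity followed by the OpenDirectory UUID failure. The function names are hypothetical, the "host/" prefix test is an assumption based on the log above, and SAMPLE is copied from that log.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748

# Lines taken from the debug output quoted in the message above.
SAMPLE = '''rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=51, length=163
	User-Name = "host/ramon"
	EAP-Message = 0x027e000f01686f73742f72616d6f6e
rlm_opendirectory: Could not get the user's uuid.
++[opendirectory] returns notfound
'''

def decode_eap_identity(hex_value):
    """Decode one unfragmented EAP-Message value as printed by radiusd -X."""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(digits)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes: code, id, length")
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length {length} != attribute length {len(raw)}")
    eap_type = raw[4] if length > 4 else None  # Success/Failure carry no type
    # Type 1 is Identity; its data is the name the supplicant presented.
    identity = raw[5:].decode("utf-8", "replace") if eap_type == 1 else None
    return {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1],
            "length": length, "type": eap_type, "identity": identity}

def is_machine_identity(name):
    # Assumption: a computer (not user) login shows up as "host/<name>".
    return name.lower().startswith("host/")

def triage(debug_text):
    """Return a list of findings for one Access-Request block."""
    findings = []
    user = re.search(r'User-Name = "([^"]*)"', debug_text)
    eap = re.search(r"EAP-Message = (0x[0-9a-fA-F]+)", debug_text)
    if eap:
        pkt = decode_eap_identity(eap.group(1))
        if pkt["identity"] is not None:
            if user and user.group(1) != pkt["identity"]:
                findings.append("outer User-Name differs from EAP identity")
            if is_machine_identity(pkt["identity"]):
                findings.append(f"machine identity: {pkt['identity']}")
    if "Could not get the user's uuid" in debug_text:
        findings.append("directory lookup failed for this identity")
    return findings

if __name__ == "__main__":
    print(decode_eap_identity("0x027e000f01686f73742f72616d6f6e"))
    print(triage(SAMPLE))
```
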



