Problems with XPsp3 and FreeRADIUS

Seth seth at kuci.org
Mon Jan 11 18:22:39 CET 2010


I have a strange problem where the initial 802.1X authentication is
successful, but then fails subsequent auth attempts.  This is using Windows
XP sp3 PEAP/MS-Chapv2, FreeRADIUS 2.1.3, with Active Directory running on a
Windows2003 server.

I noticed the following discrepancy in the RADIUS logs.  The two auth
attempts are identical until this part:

Successful
Info: Found Auth-type = EAP
Info: +- entering group authenticate (...)
Info: [eap] Request found,released from list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] eaptls_verify returned 7
Info: [peap] Done initial handshake
Info: [peap] eaptls_process returned 7
Info: [peap] EAPTLS_OK
Info: [peap] Session established.  Decoding tunneled attributes.
Info: [peap] Received EAP-TLV response.
Info: [peap] Success
Info: [peap] Using saved attributes from the original Access-Accept

Unsuccessful
Info: Found Auth-type = EAP
Info: +- entering group authenticate (...)
Info: [eap] Request found,released from list
Info: [eap] EAP/mschapv2
Info: [eap] processing type mschapv2
Info: [mschapv2] +-entering group MS-CHAP (...)
Info: [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
Info: [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
Info: [mschap] Told to do MS-CHAPv2 for seth with NT-Password
...
Info: Debug: Exec-Program output: Logon failure (0xxc000006d)
Info: Debug: Exec-Program-Wait: plaintext: Logon failure (0xxc000006d)
Info: Debug: Exec-Program: returned 1
Info: [mschap] External script failed.
Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Info: ++[mschap] returns reject
Info: [eap] Freeing handler
Info: ++[eap] returns reject
Info: Failed to authenticate the user.

Why is one auth request using the mschapv2 group and the other PEAP?  Both
are from the same client on the same switchport.  Has anyone else run into
this type of problem?  Is there a configuration on the supplicant or Active
Directory that could cause this?

More information if necessary:

from modules.conf

  eap {
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
      private_key_password = whatever
      private_key_file = ${raddbdir}/cert_privkey.key
      certificate_file = ${raddbdir}/cert_certificate.pem
      CA_file = ${raddbdir}/cert_ca_cert.pem
      dh_file = /etc/raddb/certs/dh
      random_file = /etc/raddb/certs/random
      fragment_size = 1024
      include_length = yes
      check_crl = no
      check_cert_cn = %{Stripped-User-Name:-%{User-Name}}
    }
    peap {
      default_eap_type = mschapv2
      copy_request_to_tunnel = yes
      use_tunneled_reply = yes
      proxy_tunneled_request_as_eap = yes
    }
    mschapv2 {
    }
  }


Thanks,

/Seth
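The two debug transcripts in the post diverge at the point where rlm_eap dispatches the EAP type: the working request goes through PEAP and establishes a TLS tunnel, while the failing one is handled as bare EAP-MSCHAPv2 and is rejected when the external ntlm_auth call reports an NT status. The script below is an added triage example, not part of the original post and not FreeRADIUS code; it parses debug excerpts of this shape, pulls out the outer EAP type, whether a PEAP tunnel was established, which module returned reject, and the NT status code that ntlm_auth relayed, then reports which of those fields differ between two transcripts. The sample lines are constructed from the post's excerpts, and the NT status names come from the Windows NTSTATUS table (0xc000006d is STATUS_LOGON_FAILURE). It also tolerates the "0xxc000006d" spelling seen in the post.

```python
"""Triage helper for FreeRADIUS 2.x debug output (added example, not from the post)."""
import re
from typing import Dict, List

# NT status codes that ntlm_auth prints and rlm_mschap relays as "Exec-Program output".
NT_STATUS: Dict[int, str] = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
}

EAP_TYPE_RE = re.compile(r"\[eap\] EAP/(\w+)")
# "0x+" accepts the doubled "0xx" prefix that appears in the post as well as a clean "0x".
NT_CODE_RE = re.compile(r"\(0x+([0-9a-fA-F]{8})\)")
MODULE_RESULT_RE = re.compile(r"\+\+\[(\w+)\] returns (\w+)")


def summarize(lines: List[str]) -> Dict[str, object]:
    """Reduce one request's debug lines to the fields that matter for triage."""
    out: Dict[str, object] = {
        "eap_type": None,            # outer EAP type rlm_eap dispatched on
        "tunnel_established": False, # did PEAP finish its TLS handshake?
        "failing_module": None,      # first module that returned reject
        "nt_status": None,           # NT status relayed from ntlm_auth, if any
        "outer_result": None,        # accept / reject as seen at the end
    }
    for line in lines:
        m = EAP_TYPE_RE.search(line)
        if m and out["eap_type"] is None:
            out["eap_type"] = m.group(1)
        if "[peap] Session established" in line:
            out["tunnel_established"] = True
        m = NT_CODE_RE.search(line)
        if m and out["nt_status"] is None:
            code = int(m.group(1), 16)
            out["nt_status"] = f"0x{code:08x} {NT_STATUS.get(code, 'UNKNOWN_NT_STATUS')}"
        m = MODULE_RESULT_RE.search(line)
        if m and m.group(2) == "reject" and out["failing_module"] is None:
            out["failing_module"] = m.group(1)
        if "Failed to authenticate the user" in line:
            out["outer_result"] = "reject"
        elif "[peap] Success" in line:
            out["outer_result"] = "accept"
    return out


def diff_summaries(a: Dict[str, object], b: Dict[str, object]) -> List[str]:
    """Names of the summary fields on which two transcripts disagree, sorted."""
    return sorted(k for k in a if a[k] != b.get(k))


# Constructed excerpts, condensed from the two transcripts quoted in the post.
GOOD = [
    "Info: Found Auth-type = EAP",
    "Info: [eap] EAP/peap",
    "Info: [eap] processing type peap",
    "Info: [peap] Session established.  Decoding tunneled attributes.",
    "Info: [peap] Received EAP-TLV response.",
    "Info: [peap] Success",
    "Info: [peap] Using saved attributes from the original Access-Accept",
]
BAD = [
    "Info: Found Auth-type = EAP",
    "Info: [eap] EAP/mschapv2",
    "Info: [eap] processing type mschapv2",
    "Info: [mschap] Told to do MS-CHAPv2 for seth with NT-Password",
    "Info: Debug: Exec-Program output: Logon failure (0xxc000006d)",
    "Info: [mschap] External script failed.",
    "Info: [mschap] FAILED: MS-CHAP2-Response is incorrect",
    "Info: ++[mschap] returns reject",
    "Info: ++[eap] returns reject",
    "Info: Failed to authenticate the user.",
]

if __name__ == "__main__":
    for name, lines in (("successful", GOOD), ("unsuccessful", BAD)):
        print(name, summarize(lines))
    print("differs in:", diff_summaries(summarize(GOOD), summarize(BAD)))
```

Run against a full `radiusd -X` capture, the same summary split per request makes it immediately visible whether a rejected attempt ever entered PEAP at all, or whether it was dispatched straight to EAP-MSCHAPv2 and failed at the domain controller, which is the distinction the two excerpts above turn on.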