mschap/peap question

Wegener, Norbert Norbert.Wegener at siemens.com
Fri Jul 2 17:07:34 CEST 2010


With 2.1.8 and the configuration from
http://deployingradius.com/scripts/eapol_test/peap-mschapv2.conf
I want to test a radius configuration. The linux server running radius is a member 
of the AD domain, mschap succeeds but finally the authentication fails.
freeradius sends Challenges to which eapol_test will not respond. 
This should not be the behaviour mentioned in eap.conf regarding windows compatibility
as eapol_test says:

...
EAP-MSCHAPV2: RX identifier 11 mschapv2_id 10
EAP-MSCHAPV2: Received success
EAP-MSCHAPV2: Invalid authenticator response in success request
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
and finally fails.

What is going wrong when freeradius says:
++[mschap] returns ok
MSCHAP Success 
while eapol_test declares:

EAP-MSCHAPV2: Invalid authenticator response in success request ?
The result is the same whether eapol_test and radius run on the same host or on different machines.

Below an extract from radius debug and eapol_test output.
The complete logs are at http://tinyurl.com/36wn5lz

...
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for ZZZZZ1EC-TST with NT-Password
[mschap] 	expand: --username=%{mschap:User-Name} -> --username=ZZZZZ1EC-TST
[mschap]  mschap2: c9
[mschap] 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=8dcf3f854091b5b0
[mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=32025f3e02109f45a23b3468721d538944af5d633f31afe2
Exec-Program output: NT_KEY: F2203599C0AD93B00507898A198A3698 
Exec-Program-Wait: plaintext: NT_KEY: F2203599C0AD93B00507898A198A3698 
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success 
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x010b00331a030a002e533d35423746314132333037313436343646314439373138453036333834454238383541454432384246
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6aef51466be44b4f70ee0c4182d406d0
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010b00331a030a002e533d35423746314132333037313436343646314439373138453036333834454238383541454432384246
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6aef51466be44b4f70ee0c4182d406d0
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 10 to 127.0.0.1 port 58631
	EAP-Message = 0x010b005b19001703010050de110c863ab2d5e21f07b010fc9adbfcda106b35f8cee8549fde8851ad1ba75da7bd114c1481cf7d9edb8adc3b2e4d8d2b5f7e62ba0fcea0b7e8e7e6e3edf45c2a1847d9195e7a0421a854d5ce12a3cf
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x3cecf09536e7e9bedf3400a6b087488e
Finished request 10.
Going to the next request
Waking up in 4.5 seconds.


eapol_test :
...
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=10 length=149
   Attribute 79 (EAP-Message) length=93
      Value: 01 0b 00 5b 19 00 17 03 01 00 50 31 9a b2 e5 49 18 04 ab eb 62 5c cc 03 11 93 ba e9 60 5d 66 bc 6b fb 67 97 92 75 f3 cd d7 d7 1b 5b ae bc aa 12 1f c1 a2 a5 41 2a e7 10 11 c1 b9 6f 3d 39 87 04 6e f8 b8 a5 0a a7 9d f8 79 91 cd 6d 3f 32 e1 2e fc df 43 4b 4c 96 99 fc 14 07 2c
   Attribute 80 (Message-Authenticator) length=18
      Value: b0 cf e3 2a 75 f5 18 48 50 99 4b b4 e3 c8 50 70
   Attribute 24 (State) length=18
      Value: 65 71 c9 7b 6f 7a d0 fc 26 6f 03 8b 5c fc f1 85
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.09 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=11 len=91) from RADIUS server: EAP-Request-PEAP (25)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=11 method=25 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=91) - Flags 0x00
EAP-PEAP: received 85 bytes encrypted data for Phase 2
EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=47): 1a 03 0a 00 2e 53 3d 35 33 36 46 30 44 42 30 36 42 43 45 36 42 43 37 32 31 34 33 33 37 39 46 39 38 33 35 46 33 41 31 37 38 41 43 46 44 43 39
EAP-PEAP: received Phase 2: code=1 identifier=11 length=51
EAP-PEAP: Phase 2 Request: type=26
EAP-MSCHAPV2: RX identifier 11 mschapv2_id 10
EAP-MSCHAPV2: Received success
EAP-MSCHAPV2: Invalid authenticator response in success request
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: startWhen --> 0
EAPOL test timed out
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE

Thanks
Norbert Wegener


With best regards,
Norbert Wegener
Siemens AG
Siemens IT Solutions and Services
SIS GO NW PSU SDC AS&INS
Bruchstraße 5
45883 Gelsenkirchen, Germany
Tel.: +49 (209) 94565716
Fax: +49 (201) 8165581284
mailto:norbert.wegener at siemens.com
 
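The message "Invalid authenticator response in success request" is produced by the peer-side check of RFC 2759: the supplicant recomputes the server's "S=" authenticator response from its own view of the exchange (password hash hash, NT-Response, peer and authenticator challenges, username) and compares it with the value carried in the MS-CHAPv2 Success Request. The following is an added example that is not part of this post, FreeRADIUS or eapol_test; it implements that check with Python's hashlib over constructed inputs, and builds the Success Request with the same 1a 03 <id> 00 2e header layout seen in the decrypted Phase 2 dump above.

```python
import hashlib

# Signing constants from RFC 2759, section 8.7 (GenerateAuthenticatorResponse)
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"
EAP_TYPE_MSCHAPV2 = 0x1A   # leading 0x1a byte of the decrypted Phase 2 packet
OPCODE_SUCCESS = 3

def challenge_hash(peer_challenge, authenticator_challenge, username):
    # ChallengeHash() of RFC 2759 s8.2: first 8 bytes of SHA-1 over the
    # 16-byte peer challenge, 16-byte authenticator challenge and the username
    return hashlib.sha1(peer_challenge + authenticator_challenge + username).digest()[:8]

def authenticator_response(password_hash_hash, nt_response, challenge):
    # GenerateAuthenticatorResponse() of RFC 2759 s8.7; 'challenge' is the
    # 8-byte challenge_hash() output. The result is the "S=" string the server
    # places in its Success Request and the peer recomputes independently.
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()

def parse_success_request(payload):
    # Success Request: type 0x1a, OpCode 3, MS-CHAPv2-ID, MS-Length (big endian),
    # "S=<40 hex digits>" and an optional " M=<text>" that is ignored here.
    # Returns (mschapv2_id, "S=<40 hex>") or raises ValueError.
    if len(payload) < 47 or payload[0] != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP-MSCHAPv2 Success Request")
    opcode, mschapv2_id = payload[1], payload[2]
    ms_length = int.from_bytes(payload[3:5], "big")
    if opcode != OPCODE_SUCCESS or ms_length != len(payload) - 1:
        raise ValueError("bad OpCode or MS-Length")
    message = payload[5:47].decode("ascii")
    if not message.startswith("S="):
        raise ValueError("no authenticator response in Success Request")
    return mschapv2_id, message

def peer_accepts_success(payload, password_hash_hash, nt_response,
                         peer_challenge, authenticator_challenge, username):
    # Peer-side check: recompute the authenticator response from the peer's own
    # inputs and compare it with the server's "S=" value as bytes (so hex case
    # does not matter). False is the "Invalid authenticator response" case.
    try:
        _, received = parse_success_request(payload)
        received_bytes = bytes.fromhex(received[2:])
    except ValueError:
        return False
    challenge = challenge_hash(peer_challenge, authenticator_challenge, username)
    expected = authenticator_response(password_hash_hash, nt_response, challenge)
    return received_bytes == bytes.fromhex(expected[2:])
```

Any disagreement between the two sides about one of the five inputs (most often the username string fed into the challenge hash, or the password hash the server actually used) yields a different "S=" value and the peer rejects the Success Request even though the server logged "MSCHAP Success".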


