PEAP/MSCHAPv2 problem

Stefan Winter stefan.winter at restena.lu
Tue Apr 5 10:24:37 CEST 2011


Hello,

> rad_recv: Access-Request packet from host ... port 32769, id=219,
> length=159
>         User-Name = "xy"
[...]
>         EAP-Message = 0x0202000b01737461646572

It would also help not to mangle the debug output by hand, if that's
what happened here. The EAP-Message's EAP-Response/Identity says the
username is "stader", while the RADIUS User-Name attribute says "xy"?

If that is *really* what came in over the wire, your Controller is doing
dumb things. If it was manual editing, please stop doing that, it really
doesn't help us help you. Or mangle the EAP-Response/Identity to be
consistent with your other edit, at least :-)

Greetings,

Stefan Winter


>         Message-Authenticator = 0xe5b0ffbed84243bf27ac1ac9c9fcd0b5
> server eduroam {
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/eduroam
> +- entering group authorize {...}
> [suffix] No '@' in User-Name = "xy", looking up realm NULL
> [suffix] Found realm "NULL"
> [suffix] Adding Realm = "NULL"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] returns ok
> ++[mschap] returns noop
> [eap] EAP packet type response id 2 length 11
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/eduroam
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> } # server eduroam
> Sending Access-Challenge of id 219 to ... port 32769
>         EAP-Message = 0x010300061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x3abc7e1c3abf6764392496688aff7b3f
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host ... port 32769, id=219,
> length=159
> Sending duplicate reply to client WLC-TUT port 32769 - ID: 219
> Sending Access-Challenge of id 219 to ... port 32769
> Waking up in 2.0 seconds.
> Cleaning up request 0 ID 219 with timestamp +3
> WARNING:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0x3abc7e1c3abf6764 did not finish!
> WARNING: !! Please read
> http://wiki.freeradius.org/Certificate_Compatibility
> WARNING:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Ready to process requests.
>
> eap.conf:
>
>     eap {
>         default_eap_type = peap
>         timer_expire     = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = no
>
>         md5 {
>         }
>
>
>         tls {
>             certdir    = /etc/hostcertkey
>             cadir = /etc/cacert
>             dh_file = ${certdir}/dh
>             private_key_file = ${certdir}/roaming.key
>             certificate_file = ${certdir}/roaming.pem
>             CA_file = ${cadir}/chain.txt
>             dh_file = ${certdir}/dh
>             random_file = /dev/urandom
>             fragment_size = 1024
>             include_length = yes
>             check_crl = no
>             cipher_list = "DEFAULT"
>         }
>
>         ttls {
>             default_eap_type = mschapv2
>             copy_request_to_tunnel = yes
>             #use_tunneled_reply = yes
>             virtual_server = "eduroam-inner-tunnel"
>         }
>
>         peap {
>             default_eap_type = mschapv2
>             copy_request_to_tunnel = yes
>             #use_tunneled_reply = yes
>             #proxy_tunneled_request_as_eap = yes
>             virtual_server = "eduroam-inner-tunnel"
>         }
>
>         mschapv2 {
>         }
>     }
>


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
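
An added example, not part of the original post and not FreeRADIUS code: a small decoder for the two EAP-Message values in the quoted debug output, showing how the identity inside the EAP-Response/Identity can be checked against the RADIUS User-Name. The function names are hypothetical, and it assumes the whole EAP packet sits in a single EAP-Message attribute, as it does in this log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def parse_eap(hex_attr):
    """Decode an EAP-Message value as printed in the debug output (0x...)."""
    text = hex_attr[2:] if hex_attr.lower().startswith("0x") else hex_attr
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type octet
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:]
    return pkt

def identity_mismatch(user_name, eap_hex):
    """Return the EAP identity if it differs from User-Name, else None."""
    pkt = parse_eap(eap_hex)
    if pkt["code"] != "Response" or pkt.get("type") != "Identity":
        return None
    identity = pkt["data"].decode("utf-8", errors="replace")
    return identity if identity != user_name else None

def tls_flags(pkt):
    """Flags octet of an EAP-TLS/TTLS/PEAP packet: L=0x80, M=0x40, S=0x20."""
    flags = pkt["data"][0]
    return {"length_included": bool(flags & 0x80),
            "more_fragments": bool(flags & 0x40),
            "start": bool(flags & 0x20)}

if __name__ == "__main__":
    # Values copied from the quoted debug output above.
    request_eap = "0x0202000b01737461646572"
    print(parse_eap(request_eap))
    print("User-Name 'xy' vs EAP identity:", identity_mismatch("xy", request_eap))
    challenge = parse_eap("0x010300061920")
    print(challenge, tls_flags(challenge))
```

The second value decodes as an EAP-Request of type PEAP with only the Start flag set, which matches the "[tls] Initiate" line in the log.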

