Freeradius + PEAP/EAP-MSCHAPv2 + AD 2008

Geoffrey Chavepeyer geoffrey at chavepeyer.be
Fri Mar 18 10:12:23 CET 2011


Hey everyone!

I'm trying to configure a FreeRadius server that authenticates with MSCHAPv2
against an Active Directory 2008.
It's my first radius install so go easy with me, I'm a noob :)

I've followed the following howto:
http://deployingradius.com/documents/configuration/active_directory.html
and everything goes fine with radtest, wbinfo and ntlm_auth; my user is
correctly authenticated.

I'm now trying to connect a Windows 7 supplicant using that radius server.
(That client is configured to use "Microsoft: Protected EAP (PEAP)",
"validate server certificate" is unchecked and the authentication method is
"secured password (EAP-MSCHAPv2)".)

The problem seems to be that my client stops answering after 4-5
Access-Challenges. I saw the remarks about the xpextensions of the
certificates and made sure that the included makefile correctly uses the
xpextensions, which it seems to be doing.

The full debug is here: http://pastebin.com/B86AgN1N

It seems that mschap correctly authenticates the user:

Fri Mar 18 09:51:31 2011 : Info: +- entering group authenticate {...}
Fri Mar 18 09:51:31 2011 : Info: [eap] Request found, released from the list
Fri Mar 18 09:51:31 2011 : Info: [eap] EAP/mschapv2
Fri Mar 18 09:51:31 2011 : Info: [eap] processing type mschapv2
Fri Mar 18 09:51:31 2011 : Info: [mschapv2] +- entering group MS-CHAP {...}
Fri Mar 18 09:51:31 2011 : Info: [mschap] Told to do MS-CHAPv2 for
gchavepeyer with NT-Password
Fri Mar 18 09:51:31 2011 : Info: [mschap] No NT-Domain was found in the
User-Name.
Fri Mar 18 09:51:31 2011 : Info: [mschap]       expand:
--domain=%{mschap:NT-Domain:-EUROPE} -> --domain=EUROPE
Fri Mar 18 09:51:31 2011 : Info: [mschap]       expand:
--username=%{mschap:User-Name} -> --username=gchavepeyer
Fri Mar 18 09:51:31 2011 : Info: [mschap]  mschap2: 5c
Fri Mar 18 09:51:31 2011 : Info: [mschap]       expand:
--challenge=%{mschap:Challenge:-00} -> --challenge=82d538878ea2db35
Fri Mar 18 09:51:31 2011 : Info: [mschap]       expand:
--nt-response=%{mschap:NT-Response:-00} ->
--nt-response=555bd723d3058e951670b77a443550a83f4eab5af5124f1f
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program output: NT_KEY:
99DC7FD7D0C603D05D96779E61DF89AF
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program-Wait: plaintext: NT_KEY:
99DC7FD7D0C603D05D96779E61DF89AF
Fri Mar 18 09:51:31 2011 : Debug: Exec-Program: returned: 0
Fri Mar 18 09:51:31 2011 : Info: [mschap] adding MS-CHAPv2 MPPE keys
Fri Mar 18 09:51:31 2011 : Info: ++[mschap] returns ok
Fri Mar 18 09:51:31 2011 : Debug: MSCHAP Success
Fri Mar 18 09:51:31 2011 : Info: ++[eap] returns handled
} # server inner-tunnel
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled reply code 11
        EAP-Message =
0x011400331a0313002e533d46443545363236453946453838393330423230313643394537314632313231464433373038344446
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3cafd11f3dbbcb7c3aaaafe5efc8d331
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x011400331a0313002e533d46443545363236453946453838393330423230313643394537314632313231464433373038344446
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3cafd11f3dbbcb7c3aaaafe5efc8d331
Fri Mar 18 09:51:31 2011 : Info: [peap] Got tunneled Access-Challenge
Fri Mar 18 09:51:31 2011 : Info: ++[eap] returns handled
Sending Access-Challenge of id 29 to 10.32.25.204 port 32768
        EAP-Message =
0x0114005b19001703010050efa71e4179b8bba7065b53e5c07cc774ffa8494adc0cd61c810e10ea5af21f52ac755a7f7a908b1c6898ac8039096320bf270f4ff208b22559eb7111f6c2e4412eaad47c33a4e151d5ad626af368c991
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x11c1c21a16d5dba84c633101b1a44bc3
Fri Mar 18 09:51:31 2011 : Info: Finished request 7.
Fri Mar 18 09:51:31 2011 : Debug: Going to the next request
Fri Mar 18 09:51:31 2011 : Debug: Waking up in 4.8 seconds.
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 0 ID 22 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 1 ID 23 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 2 ID 24 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 3 ID 25 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 4 ID 26 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Debug: Waking up in 0.1 seconds.
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 5 ID 27 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 6 ID 28 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Info: Cleaning up request 7 ID 29 with timestamp
+27
Fri Mar 18 09:51:36 2011 : Debug: Ready to process requests.

The server sends an Access-Challenge (instead of an Access-Accept?) again, but
the client never answers back and the client gets an "unable to connect to
xxxx...." error.

Can someone please help me with this? (All my configuration is visible in
the first debug lines, but if needed I can post the content of any file.)

Thanks a lot !!!
Geoffrey.
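The two EAP-Message values quoted in the debug output above can be decoded byte by byte, which shows what that last Access-Challenge actually carries. The following is an added example, not code from the original post or from FreeRADIUS: it parses the EAP header (RFC 3748), the EAP-MSCHAPv2 payload of the inner-tunnel reply, and the PEAP flags plus TLS record header of the outer reply. The only inputs are the two hex strings copied from the log. The inner packet decodes to an EAP-MSCHAPv2 Success Request (opcode 3) carrying the "S=..." authenticator response; the supplicant is expected to answer it with a Success Response before the server can finish the tunnel and send Access-Accept, so an Access-Challenge at this point is the expected next step of the exchange rather than a rejection.

```python
"""Decode FreeRADIUS EAP-Message hex dumps (added example, not from the original post).

Parses the inner EAP-MSCHAPv2 packet and the outer PEAP/TLS-wrapped EAP packet
quoted in the mailing-list debug output. Only the standard library is used.
"""
import struct

# EAP codes (RFC 3748) and the two EAP method types seen in the log
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {25: "PEAP", 26: "EAP-MSCHAPv2"}
# MS-CHAPv2 opcodes (RFC 2759, draft-kamath-pppext-eap-mschapv2)
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure", 7: "Change-Password"}
# TLS record content types (RFC 2246)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Inputs copied from the debug log above: the inner-tunnel reply and the outer Access-Challenge.
INNER_EAP_MESSAGE = "0x011400331a0313002e533d46443545363236453946453838393330423230313643394537314632313231464433373038344446"
OUTER_EAP_MESSAGE = "0x0114005b19001703010050efa71e4179b8bba7065b53e5c07cc774ffa8494adc0cd61c810e10ea5af21f52ac755a7f7a908b1c6898ac8039096320bf270f4ff208b22559eb7111f6c2e4412eaad47c33a4e151d5ad626af368c991"


def parse_eap(hexstr):
    """Parse the EAP header (Code, Identifier, Length, Type) from a '0x...' dump."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):  # the Length field must cover the whole packet
        raise ValueError(f"EAP length field {length} != actual {len(data)} bytes")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte and type-data
        pkt["type"] = EAP_TYPES.get(data[4], data[4])
        pkt["type_data"] = data[5:]
    return pkt


def parse_mschapv2(type_data):
    """Decode the EAP-MSCHAPv2 payload: OpCode, MS-CHAPv2-ID, MS-Length, message."""
    opcode, ms_id, ms_len = struct.unpack("!BBH", type_data[:4])
    if ms_len != len(type_data):
        raise ValueError(f"MS-Length {ms_len} != actual {len(type_data)} bytes")
    out = {"opcode": MSCHAPV2_OPCODES.get(opcode, opcode), "ms_id": ms_id, "ms_length": ms_len}
    if opcode in (3, 4):  # Success/Failure carry a printable message ("S=<hex>" / "E=...")
        out["message"] = type_data[4:].decode("ascii")
    return out


def parse_peap(type_data):
    """Decode the PEAP flags byte and the TLS record header that follows it."""
    flags = type_data[0]
    out = {
        "length_included": bool(flags & 0x80),  # L bit: 4-byte TLS message length present
        "more_fragments": bool(flags & 0x40),   # M bit
        "start": bool(flags & 0x20),            # S bit
        "peap_version": flags & 0x07,
    }
    offset = 1
    if out["length_included"]:
        out["tls_message_length"] = struct.unpack("!I", type_data[1:5])[0]
        offset = 5
    ctype, major, minor, rec_len = struct.unpack("!BBBH", type_data[offset:offset + 5])
    out["tls_content_type"] = TLS_CONTENT_TYPES.get(ctype, ctype)
    out["tls_version"] = f"{major}.{minor}"  # 3.1 is TLS 1.0
    out["tls_record_length"] = rec_len
    # True when the whole encrypted record fits in this single EAP packet (no fragmentation)
    out["tls_record_complete"] = len(type_data) - offset - 5 == rec_len
    return out


def decode_inner(hexstr=INNER_EAP_MESSAGE):
    """Inner-tunnel reply: EAP Request wrapping an EAP-MSCHAPv2 packet."""
    eap = parse_eap(hexstr)
    eap["mschapv2"] = parse_mschapv2(eap.pop("type_data"))
    return eap


def decode_outer(hexstr=OUTER_EAP_MESSAGE):
    """Outer Access-Challenge: EAP Request wrapping a PEAP/TLS application-data record."""
    eap = parse_eap(hexstr)
    eap["peap"] = parse_peap(eap.pop("type_data"))
    return eap


if __name__ == "__main__":
    for label, pkt in (("inner", decode_inner()), ("outer", decode_outer())):
        print(label, pkt)
```

Reading the decoded result against the log: the inner reply is EAP Request id 20, type 26, opcode Success with the 40-hex-digit authenticator response, and the outer packet is EAP Request id 20, type 25 (PEAP), wrapping one complete 80-byte TLS 1.0 application-data record that carries the encrypted copy of that Success Request to the supplicant.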