EAP-PEAP + Windows 7 with SSO and Password change

David Mitton david at mitton.com
Thu Apr 5 14:45:07 CEST 2012


Yes, basically, password change operations are not supported by  
Windows EAP support. Not to mention RADIUS as well.

Dave.

Quoting c_dornig at gmx.de:

> Hi,
>
>
> we would like to use the freeradius server to set up port access via
> 802.1x on a wired LAN. The plan is to have a guest VLAN for
> unauthenticated supplicants and a VLAN assignment for authenticated
> supplicants.
>
> We configured the freeradius server (version 2.1.12) to use
> peap/mschapv2 for user authentication. Each user can have one
> native/untagged VLAN.
> So far, the actual configuration works.
>
> Now we would like to use the Single Sign On feature of the Windows 7
> supplicant before the user logs in.
> But this seems to work only if the user account is valid.
> When the user account is new (with password change on next logon)
> or the password has expired, then freeradius sends the
> MS-CHAP-Error to the supplicant. But why the hell does the Windows 7
> client not pop up a window to change the password?
>
> Is that generally not possible (because of EAP-MSCHAPv2) or is something
> missing in the config?
>
> I tried to use freeradius 3.0.0 from git with the passchange feature
> enabled in the mschap module.
> I did all steps from doc/mschap.rst.
>
> The following debug output is from freeradius 3.0.0:
>
> <snip>
> :
> :
> (8) Found Auth-Type = EAP
> (8) # Executing group from file   
> /usr/local/etc/raddb/sites-enabled/inner-tunnel
> (8)   group authenticate {
> (8)  - entering group authenticate {...}
> (8) eap : Request found, released from the list
> (8) eap : EAP/mschapv2
> (8) eap : processing type mschapv2
> (8) mschapv2 : # Executing group from file   
> /usr/local/etc/raddb/sites-enabled/inner-tunnel
> (8) mschapv2 :   group MS-CHAP {
> (8) mschapv2 :  - entering group MS-CHAP {...}
> (8) mschap : NT Domain delimeter found, should we have enabled   
> with_ntdomain_hack?
> (8) mschap : Creating challenge hash with username: DOMAIN\test-user3
> (8) mschap : Told to do MS-CHAPv2 for DOMAIN\test-user3 with NT-Password
> (8) mschap :    expand: %{Stripped-User-Name} ->
> (8) mschap :    ... expanding second conditional
> (8) mschap :    expand: %{User-Name} -> DOMAIN\test-user3
> (8) mschap :    expand: %{%{User-Name}:-None} -> DOMAIN\test-user3
> (8) mschap :    expand:   
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} ->   
> --username=DOMAIN\test-user3
> (8) mschap : NT Domain delimeter found, should we have enabled   
> with_ntdomain_hack?
> (8) mschap : Creating challenge hash with username: DOMAIN\test-user3
> (8) mschap :    expand: %{mschap:Challenge} -> 4b4be3875649ba1a
> (8) mschap :    expand: --challenge=%{%{mschap:Challenge}:-00} ->   
> --challenge=4b4be3875649ba1a
> (8) mschap :    expand: %{mschap:NT-Response} ->   
> a900f8c9381beb68f33a91cc2f1c87bb72970bdd62ece3a2
> (8) mschap :    expand: --nt-response=%{%{mschap:NT-Response}:-00}   
> -> --nt-response=a900f8c9381beb68f33a91cc2f1c87bb72970bdd62ece3a2
> Exec-Program output: Password expired (0xc0000648)
> Exec-Program-Wait: plaintext: Password expired (0xc0000648)
> Exec-Program: returned: 1
> (8) mschap : ntlm_auth says password has expired
> (8)   [mschap] = reject
> rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
> (8) eap : Handler failed in EAP/mschapv2
> (8) eap : Failed in EAP select
> (8)   [eap] = invalid
> (8) Failed to authenticate the user.
> (8) Login incorrect: [DOMAIN\\test-user3/<via Auth-Type = EAP>]   
> (from client switches port 0 via TLS tunnel)
> } # server inner-tunnel
> (8) peap : Got tunneled reply code 3
>         MS-CHAP-Error = "\013E=648 R=0   
> C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"
>         EAP-Message = 0x040b0004
>         Message-Authenticator = 0x00000000000000000000000000000000
> (8) peap : Got tunneled reply RADIUS code 3
>         MS-CHAP-Error = "\013E=648 R=0   
> C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"
>         EAP-Message = 0x040b0004
>         Message-Authenticator = 0x00000000000000000000000000000000
> (8) peap : Tunneled authentication was rejected.
> (8) peap : FAILURE
> (8)   [eap] = handled
> Sending Access-Challenge of id 128 to 192.168.15.52 port 2686
>         EAP-Message =   
> 0x010c002b190017030100202f2f3b44177589096e8dbced7004dd801b1a777dd1a966acf5dcbde958537403
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x7cb2ed6374bef496dfd35c4e86820391
> (8) Finished request 8.
> Waking up in 0.1 seconds.
> rad_recv: Access-Request packet from host zzz.aaa.xxx.yyy port 2686,  
>  id=129, length=262
>         Framed-MTU = 1480
>         NAS-IP-Address = zzz.aaa.xxx.yyy
>         NAS-Identifier = "SWITCHxxx"
>         User-Name = "DOMAIN\\test-user3"
>         Service-Type = Framed-User
> :
> :
> :
>
> </snip>
>
> Thanks for any help.
>

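As an added example (not code from the thread or from FreeRADIUS), a small Python parser for the MS-CHAP-Error attribute quoted in the debug output above: it undoes the `\ooo` escaping that radiusd -X uses for non-printable bytes and splits the RFC 2759 failure string into its E/R/C/V/M fields, so a log-review script can tell an expired-password reject (E=648) from a plain authentication failure (E=691). The sample line is the one from the debug output, rejoined onto a single line.

```python
import re

# MS-CHAPv2 failure codes, RFC 2759 section 6.
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Failure string layout: "E=eeeeeeeeee R=r C=<32 hex digits> V=vvvvvvvvvv M=<message>"
_FAILURE_RE = re.compile(
    r"^E=(?P<code>\d+) R=(?P<retry>[01]) C=(?P<challenge>[0-9a-fA-F]{32}) "
    r"V=(?P<version>\d+)(?: M=(?P<message>.*))?$"
)
_DEBUG_LINE_RE = re.compile(r'^\s*MS-CHAP-Error\s*=\s*"(?P<raw>.*)"\s*$')


def decode_debug_string(raw):
    # radiusd -X prints non-printable bytes as \ooo (octal) and a backslash as \\ .
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)),
                  raw)


def parse_mschap_error(value):
    # RFC 2548 section 2.1.6: one MS-CHAP Ident byte, then the RFC 2759 failure string.
    if len(value) < 2:
        raise ValueError("MS-CHAP-Error value too short")
    m = _FAILURE_RE.match(value[1:])
    if m is None:
        raise ValueError("malformed MS-CHAPv2 failure string: %r" % value[1:])
    code = int(m.group("code"))
    return {
        "ident": ord(value[0]),
        "code": code,
        "name": MSCHAP_ERROR_CODES.get(code, "UNKNOWN"),
        "retry_allowed": m.group("retry") == "1",   # R=1: peer may retry this challenge
        "challenge": bytes.fromhex(m.group("challenge")),
        "version": int(m.group("version")),
        "message": m.group("message") or "",
    }


def parse_debug_line(line):
    # Parse one 'MS-CHAP-Error = "..."' line from radiusd -X output; None for other lines.
    m = _DEBUG_LINE_RE.match(line)
    return None if m is None else parse_mschap_error(decode_debug_string(m.group("raw")))


# Constructed sample: the failure line from the debug output above, rejoined onto one line.
SAMPLE_LINE = ('        MS-CHAP-Error = "\\013E=648 R=0 '
               'C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"')
```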