EAP-PEAP + Windows 7 with SSO and Password change

Aman Arneja arneja.aman at gmail.com
Thu Apr 5 15:48:03 CEST 2012


Password change and retry is very much supported for Windows and EAP
for (P)EAP-MSCHAPv2. There would be some flag that needs to be set for
this, after which it will work; will check what that flag is and write
back in some time.

Sent from my Windows Phone
From: David Mitton
Sent: 4/5/2012 6:19 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: EAP-PEAP + Windows 7 with SSO and Password change
Yes, basically, password change operations are not supported by
Windows EAP support. Not to mention RADIUS as well.

Dave.

Quoting c_dornig at gmx.de:

> Hi,
>
>
> we would like to use the FreeRADIUS server to set up port access via
> 802.1X on a wired LAN. The plan is to have a guest VLAN for
> unauthenticated supplicants and a VLAN assignment for authenticated
> supplicants.
>
> We configured the FreeRADIUS server (version 2.1.12) to use
> PEAP/MSCHAPv2 for user authentication. Each user can have one
> native/untagged VLAN.
> So far, the actual configuration works.
>
> Now we would like to use the Single Sign-On feature of the Windows 7
> supplicant before the user logs in.
> But this seems to work only if the user account is valid.
> When the user account is new (with password change on next logon)
> or the password has expired, then FreeRADIUS sends the
> MS-CHAP-Error to the supplicant. But why the hell does the Windows 7
> client not pop up a window to change the password?
>
> Is that generally not possible (because of EAP-MSCHAPv2), or is
> something missing in the config?
>
> I tried to use FreeRADIUS 3.0.0 from git with the
> passchange feature enabled in the mschap module.
> I did all the steps from doc/mschap.rst.
>
> The following debug output is from FreeRADIUS 3.0.0:
>
> <snip>
> :
> :
> (8) Found Auth-Type = EAP
> (8) # Executing group from file
> /usr/local/etc/raddb/sites-enabled/inner-tunnel
> (8)   group authenticate {
> (8)  - entering group authenticate {...}
> (8) eap : Request found, released from the list
> (8) eap : EAP/mschapv2
> (8) eap : processing type mschapv2
> (8) mschapv2 : # Executing group from file
> /usr/local/etc/raddb/sites-enabled/inner-tunnel
> (8) mschapv2 :   group MS-CHAP {
> (8) mschapv2 :  - entering group MS-CHAP {...}
> (8) mschap : NT Domain delimeter found, should we have enabled
> with_ntdomain_hack?
> (8) mschap : Creating challenge hash with username: DOMAIN\test-user3
> (8) mschap : Told to do MS-CHAPv2 for DOMAIN\test-user3 with NT-Password
> (8) mschap :    expand: %{Stripped-User-Name} ->
> (8) mschap :    ... expanding second conditional
> (8) mschap :    expand: %{User-Name} -> DOMAIN\test-user3
> (8) mschap :    expand: %{%{User-Name}:-None} -> DOMAIN\test-user3
> (8) mschap :    expand:
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} ->
> --username=DOMAIN\test-user3
> (8) mschap : NT Domain delimeter found, should we have enabled
> with_ntdomain_hack?
> (8) mschap : Creating challenge hash with username: DOMAIN\test-user3
> (8) mschap :    expand: %{mschap:Challenge} -> 4b4be3875649ba1a
> (8) mschap :    expand: --challenge=%{%{mschap:Challenge}:-00} ->
> --challenge=4b4be3875649ba1a
> (8) mschap :    expand: %{mschap:NT-Response} ->
> a900f8c9381beb68f33a91cc2f1c87bb72970bdd62ece3a2
> (8) mschap :    expand: --nt-response=%{%{mschap:NT-Response}:-00}
> -> --nt-response=a900f8c9381beb68f33a91cc2f1c87bb72970bdd62ece3a2
> Exec-Program output: Password expired (0xc0000648)
> Exec-Program-Wait: plaintext: Password expired (0xc0000648)
> Exec-Program: returned: 1
> (8) mschap : ntlm_auth says password has expired
> (8)   [mschap] = reject
> rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
> (8) eap : Handler failed in EAP/mschapv2
> (8) eap : Failed in EAP select
> (8)   [eap] = invalid
> (8) Failed to authenticate the user.
> (8) Login incorrect: [DOMAIN\\test-user3/<via Auth-Type = EAP>]
> (from client switches port 0 via TLS tunnel)
> } # server inner-tunnel
> (8) peap : Got tunneled reply code 3
>         MS-CHAP-Error = "\013E=648 R=0
> C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"
>         EAP-Message = 0x040b0004
>         Message-Authenticator = 0x00000000000000000000000000000000
> (8) peap : Got tunneled reply RADIUS code 3
>         MS-CHAP-Error = "\013E=648 R=0
> C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"
>         EAP-Message = 0x040b0004
>         Message-Authenticator = 0x00000000000000000000000000000000
> (8) peap : Tunneled authentication was rejected.
> (8) peap : FAILURE
> (8)   [eap] = handled
> Sending Access-Challenge of id 128 to 192.168.15.52 port 2686
>         EAP-Message =
> 0x010c002b190017030100202f2f3b44177589096e8dbced7004dd801b1a777dd1a966acf5dcbde958537403
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x7cb2ed6374bef496dfd35c4e86820391
> (8) Finished request 8.
> Waking up in 0.1 seconds.
> rad_recv: Access-Request packet from host zzz.aaa.xxx.yyy port 2686,
>  id=129, length=262
>         Framed-MTU = 1480
>         NAS-IP-Address = zzz.aaa.xxx.yyy
>         NAS-Identifier = "SWITCHxxx"
>         User-Name = "DOMAIN\\test-user3"
>         Service-Type = Framed-User
> :
> :
> :
>
> </snip>
>
> Thanks for any help.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
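The debug output quoted above ends with the inner-tunnel reject carrying `MS-CHAP-Error = "\013E=648 R=0 C=... V=3 M=Password Expired"` and `EAP-Message = 0x040b0004`. The following is an added example (not code from the thread or from the FreeRADIUS project) that decodes those two values the way an operator reading `radiusd -X` output would want to: the MS-CHAP-Error string is split into the fields defined in RFC 2759 section 6 (error code, retry flag, new challenge, version, message) and the EAP-Message hex is decoded into its RFC 3748 header (code 4 = Failure, identifier 0x0b, length 4). The leading `\013` that FreeRADIUS prints is the MS-CHAPv2 identifier byte, which should match the EAP identifier. The sample values are the ones from the debug output above; the second sample is constructed to exercise the retry-allowed branch.

```python
"""Decode the MS-CHAP-Error and EAP-Message values that FreeRADIUS prints
when an inner-tunnel MS-CHAPv2 authentication is rejected.

MS-CHAP-Error layout (RFC 2759 section 6, MS-CHAP-V2 Failure packet):
    "E=eeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"
preceded by a one-byte identifier that radiusd -X shows as an octal escape.
"""
import re

# Error codes defined in RFC 2759 section 6.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# EAP codes from RFC 3748 section 4.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

_FIELDS = re.compile(
    r"E=(?P<E>\d+) R=(?P<R>[01]) C=(?P<C>[0-9a-fA-F]{32}) V=(?P<V>\d+) M=(?P<M>.*)$",
    re.DOTALL,
)

# Values taken from the debug output quoted in the thread.
SAMPLE_MSCHAP_ERROR = (
    "\\013E=648 R=0 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"
)
SAMPLE_EAP_MESSAGE = "0x040b0004"


def parse_mschap_error(value):
    """Parse an MS-CHAP-Error attribute value as printed by radiusd -X."""
    ident = None
    m = re.match(r"^\\(\d{3})", value)
    if m:
        # Octal escape such as \013 -> identifier 11.
        ident = int(m.group(1), 8)
        value = value[m.end():]
    elif value and not value.startswith("E="):
        # Raw identifier byte in front of the "E=" text.
        ident = ord(value[0])
        value = value[1:]
    # The debug log wraps long attribute values; normalise whitespace.
    value = " ".join(value.split())
    f = _FIELDS.match(value)
    if not f:
        raise ValueError("not an MS-CHAP-V2 failure string: %r" % value)
    code = int(f["E"])
    return {
        "ident": ident,
        "error_code": code,
        "error_name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": f["R"] == "1",
        "new_challenge": bytes.fromhex(f["C"]),  # 16-byte challenge for a retry
        "version": int(f["V"]),
        "message": f["M"],
    }


def parse_eap_message(hexstr):
    """Decode the 4-byte EAP header from an EAP-Message value in 0x... form."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(raw)))
    return {"code": code, "code_name": EAP_CODES.get(code, "Unknown"),
            "ident": ident, "length": length}


def explain_reject(mschap_error, eap_message):
    """Combine both attributes into one reject summary and cross-check the ids."""
    err = parse_mschap_error(mschap_error)
    eap = parse_eap_message(eap_message)
    summary = "EAP %s (id %d): MS-CHAPv2 error %d %s, retry %s: %s" % (
        eap["code_name"], eap["ident"], err["error_code"], err["error_name"],
        "allowed" if err["retry_allowed"] else "not allowed", err["message"])
    return {"summary": summary,
            "ident_consistent": err["ident"] is None or err["ident"] == eap["ident"]}


if __name__ == "__main__":
    print(explain_reject(SAMPLE_MSCHAP_ERROR, SAMPLE_EAP_MESSAGE)["summary"])
```

For the thread's values this yields an EAP Failure with identifier 11 and error 648 ERROR_PASSWD_EXPIRED with the retry flag cleared, which is exactly the combination the poster's Windows 7 supplicant received; the decoder makes that reason visible without reading the raw attribute.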