EAP-PEAP + Windows 7 with SSO and Password change

CD DD c_dornig at gmx.de
Thu Apr 12 12:17:43 CEST 2012


Hi,


It seems that it is not possible for a user to change the password on the logon screen in Windows 7 with FreeRADIUS after it has expired, unless I use a Windows IAS / NPS server, or not?

I debugged the RAS crap on the Windows side, and in the logs I have:

[3564] 04-12 12:02:33:182: EapChapBeginMSChapV2
[3564] 04-12 12:02:33:182: ReadUserData
[3564] 04-12 12:02:33:182: Version three user blob is passed, size: 1018
[3564] 04-12 12:02:33:182: ReadConnectionData
[3564] 04-12 12:02:33:182: EapChapBeginCommon
[3564] 04-12 12:02:33:182: ChapBegin(fS=0,bA=0x81)
[3564] 04-12 12:02:33:182: StoreCredentials
[3564] 04-12 12:02:33:198: ChapBegin done.
[3564] 04-12 12:02:33:198: ChapMakeMessage,RBuf=0000000000000000
[3564] 04-12 12:02:33:198: ChapCMakeMessage...
[3564] 04-12 12:02:33:198: CS_Initial
[3564] 04-12 12:02:33:198: EapMSChapv2MakeMessage
[3564] 04-12 12:02:33:198: EapMSChapv2CMakeMessage (DOMAIN\test)
[3564] 04-12 12:02:33:198: EMV2_Initial
[3564] 04-12 12:02:33:198: EapMSChapv2CMakeMessage: Rcvd packet size: 37
[3564] 04-12 12:02:33:198: ChapMakeMessage,RBuf=0000000004352B35
[3564] 04-12 12:02:33:198: ChapCMakeMessage...
[3564] 04-12 12:02:33:198: CS_WaitForChallenge
[3564] 04-12 12:02:33:198: MakeResponseMessage...
[3564] 04-12 12:02:33:198: Generating Challenge
[3564] 04-12 12:02:33:198: GetChallenge.
[3564] 04-12 12:02:33:198: GetChallenge: LsaCallAuthenticationPackage succeeded
[3564] 04-12 12:02:33:198: GetChallenge.
[3564] 04-12 12:02:33:198: GetChallenge: LsaCallAuthenticationPackage succeeded
[3564] 04-12 12:02:33:198: GetChallengeResponse
[3564] 04-12 12:02:33:198: GetDESChallengeResponse
[3564] 04-12 12:02:33:198: GetDESChallengeResponse Success
[3564] 04-12 12:02:33:198: GetMD5ChallengeResponse Success
[3564] 04-12 12:02:33:198: GetMD5ChallengeResponse Success
[3564] 04-12 12:02:33:198: GetChallengeResponse Success
[3564] 04-12 12:02:33:198: GetChallengeResponse=0
02 09 00 41 31 1F C4 A4 0B D5 E9 77 D5 CB E9 34 |...A1......w...4|
94 7E 7B 04 E2 00 00 00 00 00 00 00 00 85 83 94 |.~{.............|
DF 03 C5 95 73 46 E5 57 2D A5 03 D5 1B 75 EE 7F |....sF.W-....u.|
26 D3 16 59 DE 00 5A 4F 4F 50 4C 55 53 5C 77 74 |&..Y..DOMAIN\tes|
33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |t...............|
[3564] 04-12 12:02:33:245: EapMSChapv2MakeMessage
[3564] 04-12 12:02:33:245: EapMSChapv2CMakeMessage (DOMAIN\test)
[3564] 04-12 12:02:33:245: EMV2_ResponseSend
[3564] 04-12 12:02:33:245: Got a Code Failure when expecting Response. Failing Auth
[3728] 04-12 12:02:34:290: EapMSChapv2End
[3728] 04-12 12:02:34:290: ChapEnd


Maybe FR sends a wrong EAP message to the client?

Is there any way to get the whole unencrypted EAP message from FR?
Network traces are useless because the traffic is encrypted.

Thanks,

C.
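
The hex dump at the end of the log has the layout of an MS-CHAPv2 Response (OpCode 02, ID 09, MS-Length 0x0041, Value-Size 0x31), and RFC 2759 reports an expired password in an MS-CHAPv2 Failure whose text carries E=648. The Python decoder below for both packet types is an added example, not part of the original post or of FreeRADIUS; the name parse_mschapv2 and the sample packets are constructed for illustration.

```python
import re
import struct

# OpCode values used inside EAP-MSCHAPv2 (EAP type 26) payloads.
OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure", 7: "Change-Password"}
# Subset of the RFC 2759 failure codes relevant to expired passwords.
ERRORS = {648: "ERROR_PASSWD_EXPIRED", 691: "ERROR_AUTHENTICATION_FAILURE",
          709: "ERROR_CHANGING_PASSWORD"}

def parse_mschapv2(pkt: bytes) -> dict:
    """Decode OpCode, ID and MS-Length, then the Response or Failure body."""
    if len(pkt) < 4:
        raise ValueError("truncated MS-CHAPv2 header")
    opcode, ident, ms_len = struct.unpack("!BBH", pkt[:4])
    if not 4 <= ms_len <= len(pkt):
        raise ValueError("MS-Length does not fit the buffer")
    body = pkt[4:ms_len]  # drop trailing zero fill, as seen in hexdumps
    out = {"opcode": OPCODES.get(opcode, f"unknown({opcode})"), "id": ident}
    if opcode == 2:
        # Value-Size(1)=49, Peer-Challenge(16), Reserved(8), NT-Response(24), Flags(1), Name
        if len(body) < 50 or body[0] != 49:
            raise ValueError("Response needs Value-Size 49")
        val = body[1:50]
        out.update(peer_challenge=val[:16].hex(), reserved_ok=val[16:24] == bytes(8),
                   nt_response=val[24:48].hex(), flags=val[48],
                   name=body[50:].decode("ascii", "replace"))
    elif opcode == 4:
        # Failure text: "E=eee R=r C=<32 hex> V=v M=<msg>"
        head, _, msg = body.decode("ascii", "replace").partition(" M=")
        fields = dict(re.findall(r"([ERCV])=(\S+)", head))
        if not fields.get("E", "").isdigit():
            raise ValueError("Failure has no numeric E= field")
        code = int(fields["E"])
        out.update(error=code, error_name=ERRORS.get(code, "other"),
                   retry=fields.get("R") == "1", challenge=fields.get("C"),
                   change_version=fields.get("V"), message=msg)
    return out

# Constructed sample packets (not taken from the log above).
SAMPLE_RESPONSE = (struct.pack("!BBHB", 2, 9, 65, 49) + bytes(range(16)) + bytes(8)
                   + bytes(range(0x20, 0x38)) + b"\x00" + b"DOMAIN\\test" + bytes(15))
_FAIL_TEXT = b"E=648 R=0 C=" + b"0123456789abcdef" * 2 + b" V=3 M=Password Expired"
SAMPLE_FAILURE = struct.pack("!BBH", 4, 9, 4 + len(_FAIL_TEXT)) + _FAIL_TEXT

if __name__ == "__main__":
    for sample in (SAMPLE_RESPONSE, SAMPLE_FAILURE):
        print(parse_mschapv2(sample))
```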





