bad radtest results with eap/peap mschap

Sat Apr 29 18:33:48 CEST 2017

PEAP etc use inner-tunnel,  radtest is just a PAP or MSCHAP method,
without any EAP so it doesnt use inner-tunnel....and therefore will
use whatever auth methods you only have in the outer phase (in
'default' server with a default install) - you could try using eg
eapol_test (part of wpa_supplicant) - or, use radtest against the
direct
inner-tunnel listener - read the inner-tunnel config..it has a listen
on localhost 18121 or 18120 or such.... direct your radtest to that.

note that this config wont work if you have real external users (ie
users that you proxy off to a remote RADIUS server - eg in eduroam -
for that you need to also look at setting VLANs in the post-auth outer
phase (or dont assign a VLAN and hope your kit drops people correctly
onto a predefined default vlan.

alan

On 28 April 2017 at 22:06, Michel Villeneuve
<Michel.Villeneuve at univ-brest.fr> wrote:
> Hi,
>
> I use freeradius-3.0.12 on centos 7.3 with an openldap 2.4 and a samba
> attribute EAP / PEAP authentication MSCHAPV2.
>
> I want to authentificate and authorize  users according to  their
> attribute on the LDAP.
> I created an attribute LDAP-Desc mapped with the field
> eduPersonPrimaryAffilation on my LDAP.
> I want to put user on specific VLAN if they are students, employee .... or
> outer people.
>
> For that I use in the inner-tunnel the capabilities to return AVP like
> Tunnel-Private-Group-Id with the good value .
>
> It's work very well, for internal and also for external people. I tested
> also the realm
> value in the default server and I put also the good Tunnel-Private-Group-Id
> depending
> the value of realm. It's work  with device like smartphone, pc ... and
> also with the command.
>
> eapol_test -c afile  -p1812 -smysecret -r1
>
> Everything seems good but not  when I use radtest command
>
> I can't authentificate internal or external people with the test command
> radtest
>
> [root at freeradius-3-a test]# radtest 'teststudent'  'a1z2e3r4*' localhost
> 1812 mysecret
>
> Sent Access-Request Id 154 from 0.0.0.0:54585 to 127.0.0.1:1812 length 81
>         User-Name = "teststudent"
>         User-Password = "a1z2e3r4*"
>         NAS-IP-Address = 195.83.247.135
>         NAS-Port = 1812
>         Message-Authenticator = 0x00
>         Cleartext-Password = "a1z2e3r4*"
> Received Access-Reject Id 154 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
> (0) -: Expected Access-Accept got Access-Reject
>
> nor
>
> radtest -t mschap 'teststudent'  'a1z2e3r4*' 127.0.0.1:18120 1 mysecret
>
> I got
> ot at freeradius-3-a test]#  radtest -t mschap 'teststudent'  'secret'
> 127.0.0.1:18120 1 mysecret
> Sent Access-Request Id 129 from 0.0.0.0:34088 to 127.0.0.1:18120 length 137
>         User-Name = "teststudent"
>         MS-CHAP-Password = "a1z2e3r4*"
>         NAS-IP-Address = 195.83.247.135
>         NAS-Port = 1
>         Message-Authenticator = 0x00
>         Cleartext-Password = "secret"
>         MS-CHAP-Challenge = 0x3a7dd0c59a922170
>         MS-CHAP-Response =
> 0x0001000000000000000000000000000000000000000000000000ae872e407e206d5579b1515fbf4e92f594e5c5e66739c6e7
> Received Access-Reject Id 129 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
> (0) -: Expected Access-Accept got Access-Reject
>
>   Perhaps the problem comes from /etc/raddb/mods-enabled/mschap files
> and I tried differents values with no good results.
>
> mschap {
>         with_ntdomain_hack = no
>         #authtype = MS-CHAP
>         allow_retry = yes
>         use_mppe=yes
>         require_encryption = yes
>         require_strong = yes
>         .....
> I am not sure about the good values needing for this section.
> I would like to have an advice before using this configuration in
> production environment.
>
> here a debug with a Successful results
>
> Thanks in advance for you help
>
> PS:
> sorry for my  english I hope it's comprehensible.
> --
> Michel Villeneuve
> Tel 02 98 01 71 61
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html