eap: Freeradius proxy doesn't work with EAP PEAP auth

Danilo Raspa danilo.raspa at gmail.com
Thu Jul 6 13:57:33 CEST 2017


Alan,
>Now when I tried to log in I can read the following lines from Radius server log:
The partial log is from the RADIUS server and not the RADIUS proxy.
Thanks
On 06 Jul 2017 13:06, "Danilo Raspa" <danilo.raspa at gmail.com> wrote:

Hi Alan,
Thank you for your time.
I removed the extra changes and now I'm in the same situation that I was in
with the first mail; now I added "nostrip" for my realm.
I remind you that I modified mods-enabled/eap with these two lines:

eap {

        default_eap_type = peap
        proxy_tunneled_request_as_eap = no
        [..]
}

Now when I tried to log in I can read the following lines from the Radius server
log:

(20)  # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(20)    authenticate {
(20)   eap : Expiring EAP session with state 0x6ddc6af26dd57012
(20)   eap : Finished EAP session with state 0x6ddc6af26dd57012
(20)   eap : Previous EAP request found for state 0x6ddc6af26dd57012, released from the list
(20)   eap : Peer sent method MSCHAPv2 (26)
(20)   eap : EAP MSCHAPv2 (26)
(20)   eap : Calling eap_mschapv2 to process EAP data
(20)   eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(20)   eap_mschapv2 :  Auth-Type MS-CHAP {
(20)    WARNING: mschap : No Cleartext-Password configured.  Cannot create LM-Password
(20)    WARNING: mschap : No Cleartext-Password configured.  Cannot create NT-Password
(20)    mschap : Creating challenge hash with username: danilo.raspa at realm_example.com
(20)    mschap : Client is using MS-CHAPv2
(20)    ERROR: mschap : FAILED: No NT/LM-Password.  Cannot perform authentication
(20)    ERROR: mschap : MS-CHAP2-Response is incorrect
(20)     [mschap] = reject
(20)    } # Auth-Type MS-CHAP = reject

Thank you in advance

Danilo



2017-07-05 20:13 GMT+02:00 Alan DeKok <aland at deployingradius.com>:

> On Jul 5, 2017, at 11:54 AM, Danilo Raspa <danilo.raspa at gmail.com> wrote:
> >
> > Hi Alan,
> >> You're not testing it with the same user-name?
> > Sorry Alan, I forgot to say that I've modified the delimiter from @ to %.
> > Yes I used the same user-name.
>
>   That's wrong.
>
>   You should test ONE thing at a time.  Don't make 3-4 changes, and wonder
> why it doesn't work.  Make ONE change.
>
>   The answer I gave in my first message WILL WORK.  The reason it doesn't
> work is because you went and changed lots of other things, and didn't
> re-run the same test.
>
> > Maybe yes... What do you mean with this phrase "You have the proxy editing
> > the User-Name." ?
>
>   I meant you should add "nostrip", which makes the proxy stop editing the
> User-Name.
>
>   Alan DeKok.
>
>

