mschap configuration problem

Piviul piviul at riminilug.it
Tue Jul 14 14:53:34 CEST 2020 

L.P.H. van Belle via Freeradius-Users ha scritto il 07/07/20 alle 15:18:
> Is your AD-DC also a samba server ?
> 
> Try adding this to smb.conf (globel)
>          # Add for freeradius support
>          ntlm auth = mschapv2-and-ntlmv2-only
After changing ntlm_auth, as you suggest, on the samba AD the problem 
seems to be solved.

But now I have another problem using the CA certificate. I would like to 
use freeradius server to authenticate wifi users on WPA2 enterprise 
security settings using peap authentication.
If I configure a linux, win xp and win7 clients using the ca certificate 
and WPA2 Enterprise auth protocol using PEAP and MSCHAP linux seems to 
work but win xp and win7 client didn't. On the winxp logs I can find:
> (30) Found Auth-Type = eap
> (30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (30)   authenticate {
> (30) eap: Expiring EAP session with state 0x1cc2a6451cccbf2e
> (30) eap: Finished EAP session with state 0x1cc2a6451cccbf2e
> (30) eap: Previous EAP request found for state 0x1cc2a6451cccbf2e, released from the list
> (30) eap: Peer sent packet with method EAP PEAP (25)
> (30) eap: Calling submodule eap_peap to process data
> (30) eap_peap: Continuing EAP-TLS
> (30) eap_peap: Peer indicated complete TLS record size will be 77 bytes
> (30) eap_peap: Got complete TLS record (77 bytes)
> (30) eap_peap: [eaptls verify] = length included
> (30) eap_peap: (other): before SSL initialization
> (30) eap_peap: TLS_accept: before SSL initialization
> (30) eap_peap: TLS_accept: before SSL initialization
> (30) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0048] 
> (30) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure 
> (30) eap_peap: ERROR: TLS Alert write:fatal:handshake failure
> tls: TLS_accept: Error in error
> (30) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
> (30) eap_peap: ERROR: System call (I/O) error (-1)
> (30) eap_peap: ERROR: TLS receive handshake failed during operation
> (30) eap_peap: ERROR: [eaptls process] = fail
> (30) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
> (30) eap: Sending EAP Failure (code 4) ID 14 length 4
> (30) eap: Failed in EAP select
> (30)     [eap] = invalid
> (30)   } # authenticate = invalid
> (30) Failed to authenticate the user
> (30) Using Post-Auth-Type Reject

and on the win7 client:
> (14) Found Auth-Type = eap
> (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (14)   authenticate {
> (14) eap: Expiring EAP session with state 0x211f359d22552ca2
> (14) eap: Finished EAP session with state 0x211f359d22552ca2
> (14) eap: Previous EAP request found for state 0x211f359d22552ca2, released from the list
> (14) eap: Peer sent packet with method EAP PEAP (25)
> (14) eap: Calling submodule eap_peap to process data
> (14) eap_peap: Continuing EAP-TLS
> (14) eap_peap: Peer indicated complete TLS record size will be 7 bytes
> (14) eap_peap: Got complete TLS record (7 bytes)
> (14) eap_peap: [eaptls verify] = length included
> (14) eap_peap: <<< recv TLS 1.2  [length 0002] 
> (14) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
> (14) eap_peap: TLS_accept: Need to read more data: error
> (14) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
> (14) eap_peap: In SSL Handshake Phase
> (14) eap_peap: In SSL Accept mode
> (14) eap_peap: SSL Application Data
> (14) eap_peap: ERROR: TLS failed during operation
> (14) eap_peap: ERROR: [eaptls process] = fail
> (14) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
> (14) eap: Sending EAP Failure (code 4) ID 74 length 4
> (14) eap: Failed in EAP select
> (14)     [eap] = invalid
> (14)   } # authenticate = invalid
> (14) Failed to authenticate the user
> (14) Using Post-Auth-Type Reject

Winxp e win7 client both seems to fail during handshake phase; linux 
didn't. From successfully linux logs I can find:
> eap_peap: Peer indicated  complete TLS record size will be 126

but reading winxp logs I can see:
> eap_peap: Peer indicated complete TLS record size will be 77 bytes

and win7:
> eap_peap: Peer indicated complete TLS record size will be 7 bytes


77 or 7 bytes seems to me not to be enought for a TLS record size isn't 
it? That's the problem?

Any way can anyone please help me to find why win{xp,7} clients can't 
communicate using EAP-TLS?

Best regards

Piviul

More information about the Freeradius-Users mailing list