Radius 3 EAP (PEAP) mschapv2 connection problem

Anatoly Oreshkin anatoly.oreshkin at gmail.com
Thu Jun 4 09:47:36 CEST 2020


I provide the debug log for session 72, please see below.

I've found the reason for the failed authentication when connecting through AP
192.168.14.247.
Compare the request format from AP 192.168.14.241 with the one from AP
192.168.14.247.

From AP 192.168.14.241:
(27) Received Access-Request Id 9 from 192.168.14.241:3074 to
xx.xx.xx.xx:1812 length 159
(27)   User-Name = "oreshkin"
(27)   NAS-IP-Address = 192.168.14.241
(27)   NAS-Port = 0
(27)   Called-Station-Id = "00-1E-C1-AE-56-22:HEPD-COMMON"
(27)   Calling-Station-Id = "30-E3-7A-D5-61-F0"
(27)   Framed-MTU = 1400
(27)   NAS-Port-Type = Wireless-802.11
(27)   Connect-Info = "CONNECT 0Mbps 802.11"
(27)   EAP-Message = 0x0201000d016f726573686b696e
(27)   Message-Authenticator = 0x10afad72dec6e948c7598d93b080d695

From AP 192.168.14.247:

(72) Received Access-Request Id 94 from 192.168.14.247:1024 to
xx.xx.xx.xx:1812 length 289
(72)   User-Name = "oreshkin"
(72)   Framed-MTU = 1450
(72)   EAP-Message =
0x02080062190017030300570000000000000002c33f501457841cbb0e149619fc4d43cc6a068202273d657c55e3e1d067dba950cae1b2c59d5e949e9e1703dc7b5db406d7385c0bc3fc2da7482ca85aeca17ddf01796fc871adcc26d52b52562636df
(72)   Message-Authenticator = 0xa57fbdeaacbf7b4d92e68fcf1563b7cc
(72)   NAS-IP-Address = 192.168.14.247
(72)   NAS-Identifier = "3Com AP9552 Dual Band 802.11n"
(72)   NAS-Port = 16912385
(72)   NAS-Port-Type = Wireless-802.11
(72)   Service-Type = Framed-User
(72)   Framed-Protocol = PPP
(72)   Calling-Station-Id = "30-E3-7A-D5-61-F0"
(72)   Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON"
(72)   Framed-IP-Address = 10.2.0.118
(72)   State = 0xe46f1db3e267046e2153a66971fb5083

The request from AP 192.168.14.247 contains the line
(72)   Framed-Protocol = PPP

The user logins and passwords are kept in the file /etc/raddb/users.
The default user in /etc/raddb/users is specified as follows:
DEFAULT        Framed-Protocol == PPP
      Framed-Protocol = PPP,
       Framed-Compression = Van-Jacobson-TCP-IP

So radius selects the DEFAULT user instead of my user name, and hence
(72) mschap: WARNING: No Cleartext-Password configured.  Cannot create
NT-Password

Read the debug log:
...
(72) files: users: Matched entry DEFAULT at line 181
...
(72) mschap: WARNING: No Cleartext-Password configured.  Cannot create
NT-Password
(72) mschap: WARNING: No Cleartext-Password configured.  Cannot create
LM-Password

In Radius 2 the DEFAULT user was specified as
DEFAULT Auth-Type = System
        Fall-Through = 1
so authentication worked.

In Radius 3 there is no " Auth-Type = System", so I've left the DEFAULT which
was in /etc/raddb/users.
At least I didn't find a suitable DEFAULT in the list in /etc/raddb/users.
Maybe you can suggest a DEFAULT user?

Now I've commented out DEFAULT in /etc/raddb/users and authentication
through AP 192.168.14.297 succeeded.
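To make the matching behaviour described above concrete, here is an added example (not FreeRADIUS code, and not from the original post) that models the documented first-match / Fall-Through semantics of the users file in a few lines of Python. It assumes the DEFAULT entry with `Framed-Protocol == PPP` sits above the user's own entry, and the password, entry layout and request attribute sets are constructed from the log excerpts; the real rlm_files module has more operators than the `==` / `:=` subset modelled here.

```python
"""
Toy model of how the FreeRADIUS 'files' module walks /etc/raddb/users:
entries are tried top to bottom; an entry applies when its name is the
User-Name (or DEFAULT) and every check item equals the request attribute;
the first applying entry wins unless it carries Fall-Through, in which
case later entries are consulted too and their items are merged.

Added example for the thread above, not FreeRADIUS code. Only the '=='
check operator, ':=' control items, reply items and Fall-Through are
modelled; the users file, password and requests below are constructed.
"""
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One entry of the users file (simplified)."""
    name: str                                    # "DEFAULT" or a literal User-Name
    check: dict = field(default_factory=dict)    # check items compared with ==
    control: dict = field(default_factory=dict)  # items set with := (Cleartext-Password)
    reply: dict = field(default_factory=dict)    # reply items added on match
    fall_through: bool = False                   # Fall-Through = Yes


def entry_matches(entry, request):
    """Name must be DEFAULT or equal to User-Name; every check item must equal
    the request attribute (a missing attribute never satisfies '==')."""
    if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
        return False
    return all(request.get(attr) == value for attr, value in entry.check.items())


def files_lookup(entries, request):
    """Walk entries top to bottom: first match wins unless it has Fall-Through."""
    matched, control, reply = [], {}, {}
    for entry in entries:
        if not entry_matches(entry, request):
            continue
        matched.append(entry.name)
        control.update(entry.control)
        reply.update(entry.reply)
        if not entry.fall_through:
            break
    return matched, control, reply


def mschap_has_password(control):
    """rlm_mschap can only verify an MS-CHAPv2 response when it has a
    Cleartext-Password or NT-Password control item to work from."""
    return "Cleartext-Password" in control or "NT-Password" in control


def authorize(entries, request):
    """Return (matched entry names, whether mschap could authenticate)."""
    matched, control, _reply = files_lookup(entries, request)
    return matched, mschap_has_password(control)


def without_default(entries):
    """The fix applied in the thread: comment out the DEFAULT entry."""
    return [e for e in entries if e.name != "DEFAULT"]


def with_fall_through(entries):
    """Alternative: keep DEFAULT but let later entries still be consulted,
    as the Radius 2 DEFAULT entry with Fall-Through = 1 did."""
    fixed = deepcopy(entries)
    for entry in fixed:
        if entry.name == "DEFAULT":
            entry.fall_through = True
    return fixed


# Constructed users file: the DEFAULT entry quoted in the thread, assumed to
# sit above the user's own entry; the password is a placeholder.
USERS = [
    Entry("DEFAULT",
          check={"Framed-Protocol": "PPP"},
          reply={"Framed-Protocol": "PPP",
                 "Framed-Compression": "Van-Jacobson-TCP-IP"}),
    Entry("oreshkin", control={"Cleartext-Password": "example-password"}),
]

# Constructed requests, reduced to the attributes that matter from the log.
REQ_AP241 = {"User-Name": "oreshkin", "NAS-IP-Address": "192.168.14.241",
             "NAS-Port-Type": "Wireless-802.11"}
REQ_AP247 = {"User-Name": "oreshkin", "NAS-IP-Address": "192.168.14.247",
             "NAS-Port-Type": "Wireless-802.11", "Service-Type": "Framed-User",
             "Framed-Protocol": "PPP"}

if __name__ == "__main__":
    variants = [("users as posted", USERS),
                ("DEFAULT commented out", without_default(USERS)),
                ("DEFAULT with Fall-Through", with_fall_through(USERS))]
    for label, users in variants:
        for ap, req in (("AP .241", REQ_AP241), ("AP .247", REQ_AP247)):
            matched, ok = authorize(users, req)
            print(f"{label:26} {ap}: matched {matched}, mschap has password: {ok}")
```

Running it shows the asymmetry from the log: the request without Framed-Protocol skips DEFAULT and reaches the user's entry, while the request carrying Framed-Protocol = PPP stops at DEFAULT with no password for mschap. Both removing the DEFAULT entry and giving it Fall-Through restore the password lookup; the Fall-Through variant additionally keeps the DEFAULT reply items.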

Extract from the debug log of the failed authentication:
---------------------------------

(72) Received Access-Request Id 94 from 192.168.14.247:1024 to
xx.xx.xx.xx:1812 length 289
(72)   User-Name = "oreshkin"
(72)   Framed-MTU = 1450
(72)   EAP-Message =
0x02080062190017030300570000000000000002c33f501457841cbb0e149619fc4d43cc6a068202273d657c55e3e1d067dba950cae1b2c59d5e949e9e1703dc7b5db406d7385c0bc3fc2da7482ca85aeca17ddf01796fc871adcc26d52b52562636df
(72)   Message-Authenticator = 0xa57fbdeaacbf7b4d92e68fcf1563b7cc
(72)   NAS-IP-Address = 192.168.14.247
(72)   NAS-Identifier = "3Com AP9552 Dual Band 802.11n"
(72)   NAS-Port = 16912385
(72)   NAS-Port-Type = Wireless-802.11
(72)   Service-Type = Framed-User
(72)   Framed-Protocol = PPP
(72)   Calling-Station-Id = "30-E3-7A-D5-61-F0"
(72)   Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON"
(72)   Framed-IP-Address = 10.2.0.118
(72)   State = 0xe46f1db3e267046e2153a66971fb5083
(72) session-state: No cached attributes
(72) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(72)   authorize {
(72)     policy filter_username {
(72)       if (&User-Name) {
(72)       if (&User-Name)  -> TRUE
(72)       if (&User-Name)  {
(72)         if (&User-Name =~ / /) {
(72)         if (&User-Name =~ / /)  -> FALSE
(72)         if (&User-Name =~ /@[^@]*@/ ) {
(72)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(72)         if (&User-Name =~ /\.\./ ) {
(72)         if (&User-Name =~ /\.\./ )  -> FALSE
(72)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(72)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(72)         if (&User-Name =~ /\.$/)  {
(72)         if (&User-Name =~ /\.$/)   -> FALSE
(72)         if (&User-Name =~ /@\./)  {
(72)         if (&User-Name =~ /@\./)   -> FALSE
(72)       } # if (&User-Name)  = notfound
(72)     } # policy filter_username = notfound
(72)     [preprocess] = ok
(72)     [chap] = noop
(72)     [mschap] = noop
(72) suffix: Checking for suffix after "@"
(72) suffix: No '@' in User-Name = "oreshkin", looking up realm NULL
(72) suffix: No such realm "NULL"
(72)     [suffix] = noop
(72) ntdomain: Checking for prefix before "\"
(72) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(72) ntdomain: No such realm "NULL"
(72)     [ntdomain] = noop
(72) eap: Peer sent EAP Response (code 2) ID 8 length 98
(72) eap: Continuing tunnel setup
(72)     [eap] = ok
(72)   } # authorize = ok
(72) Found Auth-Type = eap
(72) # Executing group from file /etc/raddb/sites-enabled/default
(72)   authenticate {
(72) eap: Expiring EAP session with state 0x34bd73d634b56993
(72) eap: Finished EAP session with state 0xe46f1db3e267046e
(72) eap: Previous EAP request found for state 0xe46f1db3e267046e, released
from the list
(72) eap: Peer sent packet with method EAP PEAP (25)
(72) eap: Calling submodule eap_peap to process data
(72) eap_peap: Continuing EAP-TLS
(72) eap_peap: [eaptls verify] = ok
(72) eap_peap: Done initial handshake
(72) eap_peap: [eaptls process] = ok
(72) eap_peap: Session established.  Decoding tunneled attributes
(72) eap_peap: PEAP state phase2
(72) eap_peap: EAP method MSCHAPv2 (26)
(72) eap_peap: Got tunneled request
(72) eap_peap:   EAP-Message =
0x020800431a0208003e31db2debec2958a1454151483d486adca50000000000000000b9f84f22b42361e69c262ea08581e402f79c2f9c3a44fa4f006f726573686b696e
(72) eap_peap: Setting User-Name to oreshkin
(72) eap_peap: Sending tunneled request to inner-tunnel
(72) eap_peap:   EAP-Message =
0x020800431a0208003e31db2debec2958a1454151483d486adca50000000000000000b9f84f22b42361e69c262ea08581e402f79c2f9c3a44fa4f006f726573686b696e
(72) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(72) eap_peap:   User-Name = "oreshkin"
(72) eap_peap:   State = 0x34bd73d634b56993b0879cec39df5238
(72) eap_peap:   Framed-MTU = 1450
(72) eap_peap:   NAS-IP-Address = 192.168.14.247
(72) eap_peap:   NAS-Identifier = "3Com AP9552 Dual Band 802.11n"
(72) eap_peap:   NAS-Port = 16912385
(72) eap_peap:   NAS-Port-Type = Wireless-802.11
(72) eap_peap:   Service-Type = Framed-User
(72) eap_peap:   Framed-Protocol = PPP
(72) eap_peap:   Calling-Station-Id = "30-E3-7A-D5-61-F0"
(72) eap_peap:   Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON"
(72) eap_peap:   Framed-IP-Address = 10.2.0.118
(72) eap_peap:   Event-Timestamp = "Jun  1 2020 14:14:50 MSK"
(72) Virtual server inner-tunnel received request
(72)   EAP-Message =
0x020800431a0208003e31db2debec2958a1454151483d486adca50000000000000000b9f84f22b42361e69c262ea08581e402f79c2f9c3a44fa4f006f726573686b696e
(72)   FreeRADIUS-Proxied-To = 127.0.0.1
(72)   User-Name = "oreshkin"
(72)   State = 0x34bd73d634b56993b0879cec39df5238
(72)   Framed-MTU = 1450
(72)   NAS-IP-Address = 192.168.14.247
(72)   NAS-Identifier = "3Com AP9552 Dual Band 802.11n"
(72)   NAS-Port = 16912385
(72)   NAS-Port-Type = Wireless-802.11
(72)   Service-Type = Framed-User
(72)   Framed-Protocol = PPP
(72)   Calling-Station-Id = "30-E3-7A-D5-61-F0"
(72)   Called-Station-Id = "40-01-C6-12-9A-50:HEPD-COMMON"
(72)   Framed-IP-Address = 10.2.0.118
(72)   Event-Timestamp = "Jun  1 2020 14:14:50 MSK"
(72) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(72) server inner-tunnel {
(72)   session-state: No cached attributes
(72)   # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(72)     authorize {
(72)       policy filter_username {
(72)         if (&User-Name) {
(72)         if (&User-Name)  -> TRUE
(72)         if (&User-Name)  {
(72)           if (&User-Name =~ / /) {
(72)           if (&User-Name =~ / /)  -> FALSE
(72)           if (&User-Name =~ /@[^@]*@/ ) {
(72)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(72)           if (&User-Name =~ /\.\./ ) {
(72)           if (&User-Name =~ /\.\./ )  -> FALSE
(72)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(72)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(72)           if (&User-Name =~ /\.$/)  {
(72)           if (&User-Name =~ /\.$/)   -> FALSE
(72)           if (&User-Name =~ /@\./)  {
(72)           if (&User-Name =~ /@\./)   -> FALSE
(72)         } # if (&User-Name)  = notfound
(72)       } # policy filter_username = notfound
(72)       [chap] = noop
(72)       [mschap] = noop
(72) ntdomain: Checking for prefix before "\"
(72) ntdomain: No '\' in User-Name = "oreshkin", looking up realm NULL
(72) ntdomain: No such realm "NULL"
(72)       [ntdomain] = noop
(72)       update control {
(72)         &Proxy-To-Realm := LOCAL
(72)       } # update control = noop
(72) eap: Peer sent EAP Response (code 2) ID 8 length 67
(72) eap: No EAP Start, assuming it's an on-going EAP conversation
(72)       [eap] = updated
(72) files: users: Matched entry DEFAULT at line 181
(72)       [files] = ok
(72)       [expiration] = noop
(72)       [logintime] = noop
(72)       [pap] = noop
(72)     } # authorize = updated
(72)   Found Auth-Type = eap
(72)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(72)     authenticate {
(72) eap: Expiring EAP session with state 0x34bd73d634b56993
(72) eap: Finished EAP session with state 0x34bd73d634b56993
(72) eap: Previous EAP request found for state 0x34bd73d634b56993, released
from the list
(72) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(72) eap: Calling submodule eap_mschapv2 to process data
(72) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(72) eap_mschapv2:   authenticate {
(72) mschap: WARNING: No Cleartext-Password configured.  Cannot create
NT-Password
(72) mschap: WARNING: No Cleartext-Password configured.  Cannot create
LM-Password
(72) mschap: Creating challenge hash with username: oreshkin
(72) mschap: Client is using MS-CHAPv2
(72) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform
authentication
(72) mschap: ERROR: MS-CHAP2-Response is incorrect
(72)     [mschap] = reject
(72)   } # authenticate = reject
(72) eap: Sending EAP Failure (code 4) ID 8 length 4
(72) eap: Freeing handler
(72)       [eap] = reject
(72)     } # authenticate = reject
(72)   Failed to authenticate the user
(72)   Login incorrect (mschap: FAILED: No NT/LM-Password.  Cannot perform
authentication): [oreshkin] (from client 3com9552 port 16912385 cli
30-E3-7A-D5-61-F0 via TLS tunnel)
(72)   Using Post-Auth-Type Reject
(72)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(72)     Post-Auth-Type REJECT {
(72)       update outer.session-state {
(72)         &Module-Failure-Message := &request:Module-Failure-Message ->
'mschap: FAILED: No NT/LM-Password.  Cannot perform authentication'
(72)       } # update outer.session-state = noop
(72)     } # Post-Auth-Type REJECT = noop
(72) } # server inner-tunnel
(72) Virtual server sending reply
(72)   Framed-Protocol = PPP
(72)   Framed-Compression = Van-Jacobson-TCP-IP
(72)   MS-CHAP-Error = "\010E=691 R=1 C=2aadf661100584402f8bb93462af5d53
V=3 M=Authentication failed"
(72)   EAP-Message = 0x04080004
(72)   Message-Authenticator = 0x00000000000000000000000000000000
(72) eap_peap: Got tunneled reply code 3
(72) eap_peap:   Framed-Protocol = PPP
(72) eap_peap:   Framed-Compression = Van-Jacobson-TCP-IP
(72) eap_peap:   MS-CHAP-Error = "\010E=691 R=1
C=2aadf661100584402f8bb93462af5d53 V=3 M=Authentication failed"
(72) eap_peap:   EAP-Message = 0x04080004
(72) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(72) eap_peap: Got tunneled reply RADIUS code 3
(72) eap_peap:   Framed-Protocol = PPP
(72) eap_peap:   Framed-Compression = Van-Jacobson-TCP-IP
(72) eap_peap:   MS-CHAP-Error = "\010E=691 R=1
C=2aadf661100584402f8bb93462af5d53 V=3 M=Authentication failed"
(72) eap_peap:   EAP-Message = 0x04080004
(72) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(72) eap_peap: Tunneled authentication was rejected
(72) eap_peap: FAILURE
(72) eap: Sending EAP Request (code 1) ID 9 length 46
(72) eap: EAP session adding &reply:State = 0xe46f1db3e366046e
(72)     [eap] = handled
(72)   } # authenticate = handled
(72) Using Post-Auth-Type Challenge
(72) # Executing group from file /etc/raddb/sites-enabled/default
(72)   Challenge { ... } # empty sub-section is ignored
(72) session-state: Saving cached attributes
(72)   Module-Failure-Message := "mschap: FAILED: No NT/LM-Password.
Cannot perform authentication"
(72) Sent Access-Challenge Id 94 from xx.xx.xx.xx:1812 to
192.168.14.247:1024 length 0
(72)   EAP-Message =
0x0109002e190017030300232f1c04ca542acfe094941bb20f03a5498700ed1375fd28eec62833f28ad725fdd3f9f5
(72)   Message-Authenticator = 0x00000000000000000000000000000000
(72)   State = 0xe46f1db3e366046e2153a66971fb5083
(72) Finished request

I've commented out the DEFAULT user in /etc/raddb/users and

Wed, 3 Jun 2020 at 16:06, Alan DeKok <aland at deployingradius.com>:

> On Jun 3, 2020, at 6:27 AM, Anatoly Oreshkin <anatoly.oreshkin at gmail.com>
> wrote:
> >
> > I was for several years successfully using Radius 2 with authentication
> > types EAP (PEAP) mschapv2. Now I've upgraded to Radius 3 with the same
> > authentication.
> > From a laptop under MS Windows 10 I'm trying to connect to the WiFi network
> > through Access Points (AP). After some time I've managed to connect to the
> > wifi network.
> > Then I've disconnected intentionally from the network and attempted once more
> > to connect to the network, but this time failed to connect.
> > The Radius debug log is very big, so I provide an
> > extract from the Radius debug log below.
> > From the debug log I see that the laptop is eventually authenticated through AP
> > 192.168.14.241 but goes through many unsuccessful steps.
> > The line
> > Login OK: [oreshkin] (from client 3com9150 port 0 cli 30-E3-7A-D5-61-F0)
> > shows that.
> >
> > Why are so many steps required to successfully connect?
> > Some errors in the radius configuration?
> >
> > The second attempt to connect after disconnection failed. Why?
>
>   Read the debug log.
>
> (72) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> NT-Password
> (72) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> LM-Password
>
>   Why is there no password?  I have no idea.  You deleted all of the debug
> output from packet (72) which shows where the password came from.  Which
> also means we don't know *why* the password lookup failed.
>
>   Please follow the instructions on https://wiki.freeradius.org/list-help
>
>   There is no need to post debug output from an authentication session
> which succeeds.  It doesn't help.  Post the debug output for a session
> which fails.  *ALL* of the debug output.
>
>   Editing the debug output is like taking your car to a mechanic and
> saying "something's wrong, but I'm not going to tell you what.  You have to
> figure it out and fix it"
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list