<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<style>.EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; }</style>
</head>
<body>
<font face="Times New Roman, serif" size="3">
<div style="margin-top: 5pt; margin-bottom: 5pt; ">Hello, <br>
<br>
I'm trying to get 802.1x authentication going using PEAP/MS-CHAPv2 but can't quite get it going (I think I'm pretty close though), so I'm hoping someone here can take a look at my debug output below and perhaps offer some helpful advice. Here are the specifics:
Ubuntu 7.10, freeRADIUS 1.1.7, Samba 3.0. Note that there are calls to a freeNAC perl module called check_mac that performs mac-auth-bypass vlan assignment for non-802.1x compliant devices.</div>
<div style="margin-top: 5pt; margin-bottom: 5pt; "><br>
I've followed the freeNAC instructions and tried some slight variations that I've found posted elsewhere but still not getting it. I've gotten to the point where I can issue the ntlm_auth command "manually" and authenticate to AD, so Samba, Winbind, and Kerberos
seem to be OK. When I attempt to get freeRADIUS to do the ntlm_auth for me as described in the freeNAC docs and other web resources like deployingradius.com and the freeradius wiki, I keep getting logon failures. See attached radius debug output below. I'm
just attaching the last part of the debug because for one it's quite large and two, it seems to be going well up to a certain point. My EAP-TLS tunnel appears to be getting set up fine but it just acts as if my password is wrong. I'm using a Windows XP SP2 client
with a recent PEAP patch added and have tried entering username/password/domain both manually and automatically. I am not validating the server cert at this point. Following is the end of the radius debug:
<br>
<br>
. <br>
. <br>
. <br>
rad_recv: Access-Request packet from host 111.111.28.101:1645, id=245, length=264
<br>
User-Name = "SANDIA\\mgmitch" <br>
Service-Type = Framed-User <br>
Framed-MTU = 1500 <br>
Called-Station-Id = "00-05-74-43-BD-3F" <br>
Calling-Station-Id = "00-0A-E4-23-CD-16" <br>
EAP-Message = 0x020800601900170301005590558ffa6f1d6b8a4bad64a0b8958aa4c140f2c145163dc92ee5b73ae341713f0466627a1454f0ad3f787b9ab756c8e07050b693f28f17f721c200525f544119a36d2d30e31ae5db2f44f8636bdc03c4f71a422436
<br>
Message-Authenticator = 0xb7b52cd2660e4b2695c96dc035368275 <br>
Cisco-NAS-Port = "GigabitEthernet1/4" <br>
NAS-Port = 50104 <br>
NAS-Port-Type = Ethernet <br>
State = 0x5a5253d83424d1e321022fa6ebfd1ece <br>
NAS-IP-Address = 111.111.28.101 <br>
Processing the authorize section of radiusd.conf <br>
modcall: entering group authorize for request 6 <br>
modcall[authorize]: module "preprocess" returns ok for request 6 <br>
perl_pool: item 0x8062e8a0 asigned new request. Handled so far: 3 <br>
found interpetator at address 0x8062e8a0 <br>
perl_pool total/active/spare [3/0/3] <br>
Unreserve perl at address 0x8062e8a0 <br>
modcall[authorize]: module "check_mac" returns ok for request 6 <br>
modcall[authorize]: module "mschap" returns noop for request 6 <br>
rlm_realm: No '@' in User-Name = "SANDIA\mgmitch", looking up realm NULL <br>
rlm_realm: No such realm "NULL" <br>
modcall[authorize]: module "suffix" returns noop for request 6 <br>
rlm_eap: EAP packet type response id 8 length 96 <br>
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation <br>
modcall[authorize]: module "eap" returns updated for request 6 <br>
modcall: leaving group authorize (returns updated) for request 6 <br>
rad_check_password: Found Auth-Type EAP <br>
auth: type "EAP" <br>
Processing the authenticate section of radiusd.conf <br>
modcall: entering group authenticate for request 6 <br>
rlm_eap: Request found, released from the list <br>
rlm_eap: EAP/peap <br>
rlm_eap: processing type peap <br>
rlm_eap_peap: Authenticate <br>
rlm_eap_tls: processing TLS <br>
eaptls_verify returned 7 <br>
rlm_eap_tls: Done initial handshake <br>
eaptls_process returned 7 <br>
rlm_eap_peap: EAPTLS_OK <br>
rlm_eap_peap: Session established. Decoding tunneled attributes. <br>
rlm_eap_peap: EAP type mschapv2 <br>
rlm_eap_peap: Tunneled data is valid. <br>
PEAP: Got tunneled EAP-Message <br>
EAP-Message = 0x020800491a020800443191a4d2d65459406cb3e67baa8f903a120000000000000000fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf550053414e4449415c6d676d69746368
<br>
PEAP: Setting User-Name to SANDIA\mgmitch <br>
PEAP: Adding old state with 56 ed <br>
PEAP: Sending tunneled request <br>
EAP-Message = 0x020800491a020800443191a4d2d65459406cb3e67baa8f903a120000000000000000fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf550053414e4449415c6d676d69746368
<br>
FreeRADIUS-Proxied-To = 127.0.0.1 <br>
User-Name = "SANDIA\\mgmitch" <br>
State = 0x56ed3aacd660b70c9a6a4fde3b0858f9 <br>
Processing the authorize section of radiusd.conf <br>
modcall: entering group authorize for request 6 <br>
modcall[authorize]: module "preprocess" returns ok for request 6 <br>
perl_pool: item 0x809a4090 asigned new request. Handled so far: 3 <br>
found interpetator at address 0x809a4090 <br>
perl_pool total/active/spare [3/0/3] <br>
Unreserve perl at address 0x809a4090 <br>
modcall[authorize]: module "check_mac" returns ok for request 6 <br>
modcall[authorize]: module "mschap" returns noop for request 6 <br>
rlm_realm: No '@' in User-Name = "SANDIA\mgmitch", looking up realm NULL <br>
rlm_realm: No such realm "NULL" <br>
modcall[authorize]: module "suffix" returns noop for request 6 <br>
rlm_eap: EAP packet type response id 8 length 73 <br>
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation <br>
modcall[authorize]: module "eap" returns updated for request 6 <br>
modcall: leaving group authorize (returns updated) for request 6 <br>
rad_check_password: Found Auth-Type EAP <br>
auth: type "EAP" <br>
Processing the authenticate section of radiusd.conf <br>
modcall: entering group authenticate for request 6 <br>
rlm_eap: Request found, released from the list <br>
rlm_eap: EAP/mschapv2 <br>
rlm_eap: processing type mschapv2 <br>
Processing the authenticate section of radiusd.conf <br>
modcall: entering group MS-CHAP for request 6 <br>
rlm_mschap: No User-Password configured. Cannot create LM-Password. <br>
rlm_mschap: No User-Password configured. Cannot create NT-Password. <br>
rlm_mschap: Told to do MS-CHAPv2 for mgmitch with NT-Password <br>
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
<br>
radius_xlat: '--username=mgmitch' <br>
radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
<br>
radius_xlat: '--domain=SANDIA' <br>
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
<br>
mschap2: 8c <br>
radius_xlat: '--challenge=3f6d14e36675d931' <br>
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
<br>
radius_xlat: '--nt-response=fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf55' <br>
Exec-Program output: Logon failure (0xc000006d) <br>
Exec-Program-Wait: plaintext: Logon failure (0xc000006d) <br>
Exec-Program: returned: 1 <br>
rlm_mschap: External script failed. <br>
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect <br>
modcall[authenticate]: module "mschap" returns reject for request 6 <br>
modcall: leaving group MS-CHAP (returns reject) for request 6 <br>
rlm_eap: Freeing handler <br>
modcall[authenticate]: module "eap" returns reject for request 6 <br>
modcall: leaving group authenticate (returns reject) for request 6 <br>
auth: Failed to validate the user. <br>
PEAP: Got tunneled reply RADIUS code 3 <br>
MS-CHAP-Error = "\010E=691 R=1" <br>
EAP-Message = 0x04080004 <br>
Message-Authenticator = 0x00000000000000000000000000000000 <br>
PEAP: Processing from tunneled session code 0x80674b80 3 <br>
MS-CHAP-Error = "\010E=691 R=1" <br>
EAP-Message = 0x04080004 <br>
Message-Authenticator = 0x00000000000000000000000000000000 <br>
PEAP: Tunneled authentication was rejected. <br>
rlm_eap_peap: FAILURE <br>
modcall[authenticate]: module "eap" returns handled for request 6 <br>
modcall: leaving group authenticate (returns handled) for request 6 <br>
Sending Access-Challenge of id 245 to 111.111.28.101 port 1645 <br>
EAP-Message = 0x010900261900170301001b05fb2b4d0b7732c23c08f5b0c933d75f9c6e7c894c6f5eb0b85242
<br>
Message-Authenticator = 0x00000000000000000000000000000000 <br>
State = 0x975785863b043e267c2ca1d79c291dde <br>
Finished request 6 <br>
Going to the next request <br>
Waking up in 6 seconds... <br>
rad_recv: Access-Request packet from host 111.111.28.101:1645, id=246, length=206
<br>
User-Name = "SANDIA\\mgmitch" <br>
Service-Type = Framed-User <br>
Framed-MTU = 1500 <br>
Called-Station-Id = "00-05-74-43-BD-3F" <br>
Calling-Station-Id = "00-0A-E4-23-CD-16" <br>
EAP-Message = 0x020900261900170301001be11c8a187a3a255b0ded0e8a021d224bce90335e6c02dac30ab5e8
<br>
Message-Authenticator = 0xa2889de2b2358293a5d30fd95541b61b <br>
Cisco-NAS-Port = "GigabitEthernet1/4" <br>
NAS-Port = 50104 <br>
NAS-Port-Type = Ethernet <br>
State = 0x975785863b043e267c2ca1d79c291dde <br>
NAS-IP-Address = 111.111.28.101 <br>
Processing the authorize section of radiusd.conf <br>
modcall: entering group authorize for request 7 <br>
modcall[authorize]: module "preprocess" returns ok for request 7 <br>
perl_pool: item 0x8012eae0 asigned new request. Handled so far: 4 <br>
found interpetator at address 0x8012eae0 <br>
perl_pool total/active/spare [3/0/3] <br>
Unreserve perl at address 0x8012eae0 <br>
modcall[authorize]: module "check_mac" returns ok for request 7 <br>
modcall[authorize]: module "mschap" returns noop for request 7 <br>
rlm_realm: No '@' in User-Name = "SANDIA\mgmitch", looking up realm NULL <br>
rlm_realm: No such realm "NULL" <br>
modcall[authorize]: module "suffix" returns noop for request 7 <br>
rlm_eap: EAP packet type response id 9 length 38 <br>
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation <br>
modcall[authorize]: module "eap" returns updated for request 7 <br>
modcall: leaving group authorize (returns updated) for request 7 <br>
rad_check_password: Found Auth-Type EAP <br>
auth: type "EAP" <br>
Processing the authenticate section of radiusd.conf <br>
modcall: entering group authenticate for request 7 <br>
rlm_eap: Request found, released from the list <br>
rlm_eap: EAP/peap <br>
rlm_eap: processing type peap <br>
rlm_eap_peap: Authenticate <br>
rlm_eap_tls: processing TLS <br>
eaptls_verify returned 7 <br>
rlm_eap_tls: Done initial handshake <br>
eaptls_process returned 7 <br>
rlm_eap_peap: EAPTLS_OK <br>
rlm_eap_peap: Session established. Decoding tunneled attributes. <br>
rlm_eap_peap: Received EAP-TLV response. <br>
rlm_eap_peap: Tunneled data is valid. <br>
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
<br>
rlm_eap: Handler failed in EAP/peap <br>
rlm_eap: Failed in EAP select <br>
modcall[authenticate]: module "eap" returns invalid for request 7 <br>
modcall: leaving group authenticate (returns invalid) for request 7 <br>
auth: Failed to validate the user. <br>
Delaying request 7 for 1 seconds <br>
Finished request 7 <br>
Going to the next request <br>
--- Walking the entire request list --- <br>
Waking up in 1 seconds... <br>
--- Walking the entire request list --- <br>
Waking up in 1 seconds... <br>
--- Walking the entire request list --- <br>
Sending Access-Reject of id 246 to 111.111.28.101 port 1645 <br>
EAP-Message = 0x04090004 <br>
Message-Authenticator = 0x00000000000000000000000000000000 <br>
Waking up in 3 seconds... <br>
<br>
<br>
</div>
<div style="margin-top: 5pt; margin-bottom: 5pt; "> </div>
<div style="margin-top: 5pt; margin-bottom: 5pt; ">If anyone can help shed light on this, I would sure appreciate it.<br>
<br>
Thanks, <br>
<br>
Mark</div>
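As an added illustration (not part of the original post or of FreeRADIUS itself), the script below decodes the tunneled EAP-MSCHAPv2 Response that appears in the debug output above and rebuilds the argument list rlm_mschap hands to ntlm_auth, including how the 8-byte --challenge is derived (RFC 2759 ChallengeHash). The authenticator challenge is assumed as a parameter, because it was sent in an earlier Access-Challenge that the post does not include.

```python
import hashlib
import struct

# Tunneled EAP-Message copied from the debug output above (EAP id 8, length 73).
TUNNELED_EAP_MESSAGE = bytes.fromhex(
    "020800491a02080044" "31"
    "91a4d2d65459406cb3e67baa8f903a12"                  # peer challenge
    "0000000000000000"                                  # reserved
    "fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf55"  # NT-Response
    "00"                                                # flags
    "53414e4449415c6d676d69746368"                      # name "SANDIA\mgmitch"
)

def parse_eap_mschapv2_response(pkt: bytes) -> dict:
    """Split an EAP-MSCHAPv2 Response (EAP type 26, MS-CHAP opcode 2) into fields."""
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", pkt[:5])
    if code != 2 or eap_type != 26 or eap_len != len(pkt):
        raise ValueError("not a well-formed EAP-MSCHAPv2 Response")
    opcode, _ms_id, _ms_len, value_size = struct.unpack("!BBHB", pkt[5:10])
    if opcode != 2 or value_size != 49:
        raise ValueError("not an MS-CHAPv2 Response with a 49-byte Value")
    value = pkt[10:10 + 49]
    return {
        "eap_id": eap_id,
        "peer_challenge": value[0:16],
        "reserved": value[16:24],
        "nt_response": value[24:48],
        "flags": value[48],
        "name": pkt[10 + 49:eap_len].decode("ascii"),
    }

def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 ChallengeHash: SHA1(peer || authenticator || user)[0:8] is the
    value rlm_mschap passes as --challenge."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username)  # user part only, no NT domain prefix (what Windows clients hash)
    return h.digest()[:8]

def ntlm_auth_args(pkt: bytes, authenticator_challenge: bytes) -> list:
    """Rebuild the ntlm_auth arguments FreeRADIUS logs under radius_xlat."""
    f = parse_eap_mschapv2_response(pkt)
    domain, _, user = f["name"].rpartition("\\")  # "SANDIA\mgmitch" -> SANDIA, mgmitch
    chal = challenge_hash(f["peer_challenge"], authenticator_challenge, user.encode("ascii"))
    return ["--username=" + user, "--domain=" + domain,
            "--challenge=" + chal.hex(), "--nt-response=" + f["nt_response"].hex()]
```

The parsed --username, --domain and --nt-response can be checked against the radius_xlat lines in the log; --challenge can only be recomputed once the authenticator challenge from the earlier Access-Challenge is known.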
</font>
</body>
</html>