<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt">Thanks for responding, dude. Let's take a look at this part of the log!
(Remember too that I am new to Linux; many things are still Chinese to
me.)<br>
<br>
I agree, my certificates are OK to do EAP in general.<br>
My comments are the red lines:<br>
<br>
<span style="color: rgb(255, 0, 0);">my mschap module config is:</span><br>
--------------<br>
mschap <span class="br0">{</span><br>
use_mppe = yes<br>
require_encryption = no<br>
require_strong = no<br>
with_ntdomain_hack = yes<br>
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%<span class="br0">{</span>mschap:User-Name<span class="br0">}</span> --challenge=%<span class="br0">{</span>mschap:Challenge:-00<span class="br0">}</span> --nt-response=%<span class="br0">{</span>mschap:NT-Response:-00<span class="br0">}</span><span class="br0">}</span>"<br>
<span class="br0">}<br>
<br>
</span><span style="color: rgb(255, 0, 0);">my peap and mschapv2 module config is:</span><br>
---------------<br>
Module: Linked to sub-module rlm_eap_peap<br>
Module: Instantiating eap-peap<br>
peap <span class="br0">{</span><br>
default_eap_type = "mschapv2"<br>
copy_request_to_tunnel = yes<br>
use_tunneled_reply = yes<br>
proxy_tunneled_request_as_eap = yes<br>
<span class="br0">}</span><br>
Module: Linked to sub-module rlm_eap_mschapv2<br>
Module: Instantiating eap-mschapv2<br>
mschapv2 <span class="br0">{</span><br>
with_ntdomain_hack = yes<br>
<span class="br0">}<br>
<br>
</span><span class="br0"></span><br>
<span style="color: rgb(255, 0, 0);">output of eap/mschapv2 authentication is:</span><br>
------------<br>
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. <span style="color: rgb(255, 0, 0);">//Normal, i am not willing to do PAP but mschapv2</span><br>
++<span class="br0">[</span>pap<span class="br0">]</span> returns noop<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
+- entering group authenticate<br>
rlm_eap: Request found, released from the list<br>
rlm_eap: EAP/mschapv2<br>
rlm_eap: processing type mschapv2<br>
+- entering group MS-CHAP<br>
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. <br>
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.<br>
rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password<br>
<span style="color: rgb(255, 0, 0);">//do the 3 previous lines mean there is an error? what does "No Cleartext-Password configured" mean?<br>
// what does LM-Password mean? and if it's an error, how could i correct it?<br>
// i thought it was normal, as I am sure windows never sends "cleartext-Password"<br>
</span><br>
expand: <span style="color: rgb(0, 0, 191);">--username=%</span><span style="color: rgb(0, 0, 191);" class="br0">{</span><span style="color: rgb(0, 0, 191);">mschap:User-Name</span><span style="color: rgb(0, 0, 191);" class="br0">}</span><span style="color: rgb(0, 0, 191);"></span>-> --username=glouglou <span style="color: rgb(255, 0, 0);">//...???...<br>
<br>
</span>
mschap2: d1<br>
expand: --challenge=%<span class="br0">{</span>mschap:Challenge:-00<span class="br0">}</span> -> --challenge=4a2a69e7929b2c03 <span style="color: rgb(255, 0, 0);">//...???...</span><br>
expand: --nt-response=%<span class="br0">{</span>mschap:NT-Response:-00<span class="br0">}</span><span class="br0">}</span> -> --nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6<span class="br0">} </span><span style="color: rgb(255, 0, 0);">//...???...</span><br>
Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 <span style="color: rgb(255, 0, 0);">//...???...</span><br>
Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 <span style="color: rgb(255, 0, 0);">//...???...<br>
</span><span style="color: rgb(255, 0, 0);">//negotiation that is out
of the range of my brain till now, but i think it's normal security
negotiation in windows system, and there is no error here.</span><br>
<br>
Exec-Program: returned: 0 <span style="color: rgb(255, 0, 0);">//...???...<br>
</span>rlm_mschap: adding MS-CHAPv2 MPPE keys<br>
++<span class="br0">[</span>mschap<span class="br0">]</span> returns ok<br>
MSCHAP Success <span style="color: rgb(255, 0, 0);">//...???... if MSCHAP Success, where is the matter with this module???</span><br>
++<span class="br0">[</span>eap<span class="br0">]</span> returns handled<br>
<span class="br0">}</span> # server <span class="br0">(</span>null<span class="br0">) </span><span style="color: rgb(255, 0, 0);">//...???...</span><br>
PEAP: Got tunneled reply RADIUS code 11<br>
EAP-Message = 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x95b92b9094ab31501a0a30daea5106ca<br>
PEAP: Processing from tunneled session code 0x81b78d8 11<br>
EAP-Message = 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x95b92b9094ab31501a0a30daea5106ca<br>
PEAP: Got tunneled Access-Challenge<br>
++<span class="br0">[</span>eap<span class="br0">]</span> returns handled<br>
Sending Access-Challenge of id 164 to 10.10.44.246 port 1042<br>
EAP-Message =
0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xe8ed0301efff1a196c3b0024d8e45892 <span style="color: rgb(255, 0, 0);">//...???... and then What? and why it stops</span><span style="color: rgb(255, 0, 0);">..???...</span><br>
Finished request 9.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
Cleaning up request 2 ID 157 with timestamp +47<br>
Cleaning up request 3 ID 158 with timestamp +47<br>
Cleaning up request 4 ID 159 with timestamp +47<br>
Cleaning up request 5 ID 160 with timestamp +47<br>
Cleaning up request 6 ID 161 with timestamp +47<br>
Cleaning up request 7 ID 162 with timestamp +47<br>
Cleaning up request 8 ID 163 with timestamp +47<br>
Cleaning up request 9 ID 164 with timestamp +47<br>
Ready to process requests.<br>
<br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><br>
> aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON<br>
> password:<br>
> NT_STATUS_OK: Success (0x0)<br>
> aaa:~ # <br>
><br>
><br>
> :/ Any help will be appreciated. these days i am wondering about <br>
> validity of the Server certificate!<br>
> I have to tell you that, in my case, if i try a peap authentication <br>
> against Active Directory with wrong users credentials, i have an <br>
> error message saying that login or password is incorrect. with good <br>
> users credential, i just obtain what you can see in the Radiusd -X <br>
> output (<a href="http://tinypaste.com/5b99b" target="_blank">http://tinypaste.com/5b99b</a>)<br>
><br>
> thank you<br>
> -<br>
> List info/subscribe/unsubscribe? See <br>
> <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
><br>
> ------------------------------------------------------------------------<br>
><br>
but I think you don't have any problem with certificates, looking at <br>
radius debug:<br>
<br>
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange<br>
 TLS_accept: SSLv3 read client key exchange A<br>
 rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]<br>
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished<br>
 TLS_accept: SSLv3 read finished A<br>
 rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]<br>
 TLS_accept: SSLv3 write change cipher spec A<br>
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished<br>
 TLS_accept: SSLv3 write finished A<br>
 TLS_accept: SSLv3 flush data<br>
 (other): SSL negotiation finished successfully<br>
SSL Connection Established<br>
<br>
the client is telling you that it has verified the server cert (against <br>
ca.der). Then, the server writes ChangeCipherSpec and Fin, and tls phase <br>
is finished. I think you have problems with mschapv2 phase, assuming <br>
your sql queries working.<br>
Your problem begins here:<br>
<br>
rlm_eap: Request found, released from the list<br>
 rlm_eap: EAP/mschapv2<br>
 rlm_eap: processing type mschapv2<br>
+- entering group MS-CHAP<br>
 rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.<br>
 rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.<br>
 rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password<br>
 expand: --username=%{mschap:User-Name} -> --username=glouglou<br>
<br>
I think......<br>
I've never configured peap/mschapv2 but sometimes i've read, not <br>
carefully, about some dependencies between mschap module and mschapv2 or <br>
something like that.<br>
hope this helps you</div></div></div><br>
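<br>
Added example, not part of the original message or of FreeRADIUS: a Python decoder for the two EAP-Message values in the debug output above (the function name parse_eap is made up for this example). It shows that the tunneled packet is an MS-CHAPv2 Success request carrying the "S=" authenticator response, and that the final Access-Challenge is a PEAP packet holding one TLS application-data record.<br>

```python
import struct

# EAP-Message values copied from the radiusd -X output in this message.
INNER = "0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636"
OUTER = ("0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915e"
         "f1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
MSCHAP_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure",
                  7: "Change-Password"}
TLS_RECORDS = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
               23: "ApplicationData"}


def parse_eap(hex_value):
    """Decode one EAP-Message value (hex string, optional 0x prefix)."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field says {length}, got {len(raw)} bytes")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length < 6:
        return out  # EAP Success/Failure, or a type with no data to decode
    out["type"], body = raw[4], raw[5:]
    if out["type"] == 26:  # EAP-MSCHAPv2
        out.update(method="MS-CHAPv2", opcode=MSCHAP_OPCODES.get(body[0], body[0]))
        if len(body) >= 4:  # the peer's Success/Failure response is opcode only
            out["ms_id"], out["ms_length"] = struct.unpack("!BH", body[1:4])
            if body[0] in (3, 4):  # Success/Failure request: ASCII message
                out["message"] = body[4:].decode("ascii", "replace")
    elif out["type"] == 25:  # PEAP: flags byte, then TLS record(s)
        flags = body[0]
        start = 5 if flags & 0x80 else 1  # L flag adds a 4-byte TLS length
        if len(body) >= start + 5:
            ctype, major, minor, rec_len = struct.unpack("!BBBH", body[start:start + 5])
            out.update(tls_record=TLS_RECORDS.get(ctype, ctype),
                       tls_version=(major, minor), tls_length=rec_len)
        out.update(method="PEAP", flags=flags)
    return out


if __name__ == "__main__":
    for label, value in (("tunneled", INNER), ("outer", OUTER)):
        print(label, parse_eap(value))
```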
</body></html>