I have a strange problem where the initial 802.1X authentication is
successful, but then fails subsequent auth attempts. This is using
Windows XP SP3 PEAP/MS-CHAPv2, FreeRADIUS 2.1.3, with Active Directory
running on a Windows 2003 server.

I noticed the following discrepancy in the RADIUS logs. The two auth attempts are identical until this part:

Successful
Info: Found Auth-type = EAP
Info: +- entering group authenticate (...)
Info: [eap] Request found,released from list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] eaptls_verify returned 7
Info: [peap] Done initial handshake
Info: [peap] eaptls_process returned 7
Info: [peap] EAPTLS_OK
Info: [peap] Session established. Decoding tunneled attributes.
Info: [peap] Received EAP-TLV response.
Info: [peap] Success
Info: [peap] Using saved attributes from the original Access-Accept

Unsuccessful
Info: Found Auth-type = EAP
Info: +- entering group authenticate (...)
Info: [eap] Request found,released from list
Info: [eap] EAP/mschapv2
Info: [eap] processing type mschapv2
Info: [mschapv2] +-entering group MS-CHAP (...)
Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password.
Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password.
Info: [mschap] Told to do MS-CHAPv2 for seth with NT-Password
...
Info: Debug: Exec-Program output: Logon failure (0xxc000006d)
Info: Debug: Exec-Program-Wait: plaintext: Logon failure (0xxc000006d)
Info: Debug: Exec-Program: returned 1
Info: [mschap] External script failed.
Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Info: ++[mschap] returns reject
Info: [eap] Freeing handler
Info: ++[eap] returns reject
Info: Failed to authenticate the user.

Why is one auth request using the mschapv2 group and the other PEAP? Both
are from the same client on the same switchport. Has anyone else run
into this type of problem? Is there a configuration on the supplicant
or Active Directory that could cause this?

More information if necessary:

from modules.conf

eap {
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/cert_privkey.key
        certificate_file = ${raddbdir}/cert_certificate.pem
        CA_file = ${raddbdir}/cert_ca_cert.pem
        dh_file = /etc/raddb/certs/dh
        random_file = /etc/raddb/certs/random
        fragment_size = 1024
        include_length = yes
        check_crl = no
        check_cert_cn = %{Stripped-User-Name:-%{User-Name}}
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
    }
    mschapv2 {
    }
}

Thanks,

/Seth
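An added triage helper (my own code, not from the post or from FreeRADIUS): it walks the tail of a radiusd debug conversation shaped like the two excerpts above and reports which EAP type ran, which module first returned reject, and the NTSTATUS the external check printed, so a refusal in the inner MS-CHAPv2 step is not mistaken for a problem with the outer PEAP tunnel. The sample lines are constructed in the shape of the post's logs.

```python
import re

# Constructed samples, trimmed to the lines the classifier keys on.
SUCCESS = """\
Info: [eap] processing type peap
Info: [peap] EAPTLS_OK
Info: [peap] Received EAP-TLV response.
Info: [peap] Success
Info: [peap] Using saved attributes from the original Access-Accept
"""
FAILURE = """\
Info: [eap] processing type mschapv2
Info: [mschap] Told to do MS-CHAPv2 for seth with NT-Password
Info: Debug: Exec-Program output: Logon failure (0xc000006d)
Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Info: ++[mschap] returns reject
Info: ++[eap] returns reject
Info: Failed to authenticate the user.
"""

EAP_TYPE = re.compile(r"\[eap\] processing type (\w+)")
MSCHAP_USER = re.compile(r"\[mschap\] Told to do MS-CHAPv2 for (\S+) with")
EXEC_ERROR = re.compile(r"Exec-Program output: (.+?) \((0x\w+)\)")  # tolerates the post's 0xx typo
REJECT = re.compile(r"\+\+\[(\w+)\] returns reject")

def classify_attempt(text):
    """Summarise one EAP conversation: EAP type, user, first rejecting module,
    NTSTATUS from the external check, and the stage where it ended."""
    r = {"eap_type": None, "user": None, "exec_error": None,
         "nt_status": None, "rejected_by": None, "verdict": "unknown"}
    for line in text.splitlines():
        if m := EAP_TYPE.search(line):
            r["eap_type"] = m.group(1)
        elif m := MSCHAP_USER.search(line):
            r["user"] = m.group(1)
        elif m := EXEC_ERROR.search(line):
            r["exec_error"], r["nt_status"] = m.group(1), m.group(2).lower()
        elif m := REJECT.search(line):
            r["rejected_by"] = r["rejected_by"] or m.group(1)  # keep the first
        elif "[peap] Success" in line:
            r["verdict"] = "accept"
        elif "Failed to authenticate the user" in line:
            r["verdict"] = "reject"
    # The first module to reject is where to look: [mschap] plus an
    # Exec-Program error means the AD-side check refused the credentials.
    if r["rejected_by"] == "mschap" and r["nt_status"]:
        r["stage"] = "failed in inner MS-CHAPv2 external check"
    elif r["rejected_by"]:
        r["stage"] = "failed in module " + r["rejected_by"]
    else:
        r["stage"] = "completed in outer PEAP" if r["eap_type"] == "peap" else None
    return r
```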