<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
Hi,<br>
<br>
I need to have EAP-TTLS working with LDAP bind and PEAP-MSCHAPV2 with
Samba + Winbind + Active Directory.<br>
I've got winbind very unstable... I can successfully authenticate using
eapol_test but a few minutes later, I've got a<br>
MPPE keys mismatch. If I restart winbind, I can authenticate few times and then, it stops working.<br><br>I'm not really sure to understand how I have to set "Auth-Type" in inner-tunnel and/or default (sites-enabled).<br><br>I've got :<br><br> Auth-Type MS-CHAP {<br> mschap<br> }<br><br>and then<br><br> Auth-Type LDAP {<br> ldap<br> }<br><br>in the authenticate section. I've got mschap then ldap in authorize section.<br><br>Is there a mistake here ?<br><br>This is the end of the output of eapol_test for PEAP when it fails :<br><br>RADIUS packet matching with station<br>decapsulated EAP packet (code=1 id=11 len=91) from RADIUS server: EAP-Request-PEAP (25)<br>EAPOL: Received EAP-Packet frame<br>EAPOL: SUPP_BE entering state REQUEST<br>EAPOL: getSuppRsp<br>EAP: EAP entering state RECEIVED<br>EAP: Received EAP-Request id=11 method=25 vendor=0 vendorMethod=0<br>EAP: EAP entering state METHOD<br>SSL: Received packet(len=91) - Flags 0x00<br>EAP-PEAP: received 85 bytes encrypted data for Phase 2<br>EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=47): 1a 03 0a 00 2e 53 3d 39 38 37 31 42 31 30 45 38 46 35 35 36 30 41 44 34 37 32 36 36 34 43 34 43 35 45 31 42 32 46 34 39 44 35 36 46 39 39 36<br>EAP-PEAP: received Phase 2: code=1 identifier=11 length=51<br>EAP-PEAP: Phase 2 Request: type=26<br>EAP-MSCHAPV2: RX identifier 11 mschapv2_id 10<br>EAP-MSCHAPV2: Received success<br>EAP-MSCHAPV2: Invalid authenticator response in success request<br>EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL<br>EAP: EAP entering state SEND_RESPONSE<br>EAP: EAP entering state IDLE<br>Signal 2 received - terminating<br>EAPOL: EAP key not available<br>EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit<br>ENGINE: engine deinit<br>MPPE keys OK: 0 mismatch: 1<br>FAILURE<br><br>And then this is the end of the output when it works.<br><br>RADIUS packet matching with station<br>MS-MPPE-Send-Key (sign) - hexdump(len=32): 82 7a 3e ac 0f 7c c7 93 ac af fb d3 02 d7 bd 84 61 44 62 82 82 8b 3d e0 f2 47 27 30 9c a6 12 cb<br>MS-MPPE-Recv-Key (crypt) - hexdump(len=32): fb 0b 78 97 7c 84 13 38 ba 36 77 b8 88 2b b2 9f 3b 79 4c 87 a7 fa 68 e0 3a e6 0c 47 4d 43 34 5c<br>decapsulated EAP packet (code=3 id=12 len=4) from RADIUS server: EAP Success<br>EAPOL: Received EAP-Packet frame<br>EAPOL: SUPP_BE entering state REQUEST<br>EAPOL: getSuppRsp<br>EAP: EAP entering state RECEIVED<br>EAP: Received EAP-Success<br>EAP: EAP entering state SUCCESS<br>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully<br>EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required<br>WPA: EAPOL processing complete<br>EAPOL: SUPP_PAE entering state AUTHENTICATED<br>EAPOL: SUPP_BE entering state RECEIVE<br>EAPOL: SUPP_BE entering state SUCCESS<br>EAPOL: SUPP_BE entering state IDLE<br>eapol_sm_cb: success=1<br>EAPOL: Successfully fetched key (len=32)<br>PMK from EAPOL - hexdump(len=32): fb 0b 78 97 7c 84 13 38 ba 36 77 b8 88 2b b2 9f 3b 79 4c 87 a7 fa 68 e0 3a e6 0c 47 4d 43 34 5c<br>EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit<br>ENGINE: engine deinit<br>MPPE keys OK: 1 mismatch: 0<br>SUCCESS<br><br>I finally notice that if I use eapol_test for an TTLS authentication, then, immediately, PEAP doesn't work anymore. If I restart winbind, it works again.<br><br>I really don't understand... And because I don't know where is the problem, I've got some difficulties to give you the good informations.<br><br>Thank you for your help !<br><br>J-P.<br><br><hr id="stopSpelling">From: legdf@hotmail.com<br>To: freeradius-users@lists.freeradius.org<br>Subject: RE: eduroam PEAP + TTLS<br>Date: Fri, 18 Jun 2010 13:18:45 +0000<br><br>
<style>
.ExternalClass .ecxhmmessage P
{padding:0px;}
.ExternalClass body.ecxhmmessage
{font-size:10pt;font-family:Verdana;}
</style>
Ok,<br><br>Here is my eap.conf.<br><br> eap {<br><br> default_eap_type = peap<br><br> timer_expire = 60<br><br> ignore_unknown_eap_types = yes <br><br> cisco_accounting_username_bug = no<br><br> max_sessions = 4096<br><br> tls {<br><br> certdir = ${confdir}/certs<br> cadir = ${confdir}/certs<br><br> private_key_file = ${certdir}/<i>cert</i>.key<br><br> certificate_file = ${certdir}/cert-3169-<i>cert</i>.pem<br><br> CA_file = ${cadir}/chain-3169-<i>cert</i>.pem<br><br> dh_file = ${certdir}/dh<br> random_file = ${certdir}/random<br><br> cipher_list = "DEFAULT"<br><br> make_cert_command = "${certdir}/bootstrap"<br><br> cache {<br><br> enable = no<br><br> lifetime = 24 # hours<br><br> max_entries = 255<br> }<br> }<br><br> ttls {<br><br> default_eap_type = md5<br><br> copy_request_to_tunnel = yes<br><br> use_tunneled_reply = yes<br><br> virtual_server = "inner-tunnel"<br><br> include_length = yes<br> }<br><br> peap {<br><br> default_eap_type = mschapv2<br><br> copy_request_to_tunnel = yes<br> use_tunneled_reply = yes<br><br> proxy_tunneled_request_as_eap = yes<br><br> virtual_server = "inner-tunnel"<br> }<br><br> mschapv2 {<br> }<br> }<br><br>I'm sorry<br><br>> Date: Fri, 18 Jun 2010 13:27:28 +0100<br>> From: A.L.M.Buxey@lboro.ac.uk<br>> To: freeradius-users@lists.freeradius.org<br>> Subject: Re: eduroam PEAP + TTLS<br>> <br>> Hi,<br>> <br>> > So this is the true question, what error in my configuration can cause this ?<br>> <br>> I cannot read minds..and you havent supplied eg eap.conf (obfuscated as is reasonable)<br>> <br>> alan<br>> -<br>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<br> <br><hr>Votre vie privée l'est-elle vraiment ? <a href="http://clk.atdmt.com/FRM/go/232102478/direct/01/">Internet Explorer 8 vous protège gratuitement !</a> <br /><hr />Envie de plus d'originalité dans vos conversations ? <a href='http://www.ilovemessenger.fr/emoticones/telecharger-emoticones-emochticones.aspx' target='_new'>Téléchargez gratuitement les Emoch'ticones !</a></body>
</html>