Maybe it is that Samba bug?<br><br>The one that makes it apparently work:<br>
> [mschap] adding MS-CHAPv2 MPPE keys<br>
> ++[mschap] returns ok<br>
> MSCHAP Success<br>
but the client refuses to go on?<br><br>I can't search the archive right now, but I think it would be useful to know the Samba version.<br><br><div class="gmail_extra"><br><br><div class="gmail_quote">
2012/11/7 Matthew Newton <span dir="ltr"><<a href="mailto:mcn4@leicester.ac.uk" target="_blank">mcn4@leicester.ac.uk</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Tue, Nov 06, 2012 at 10:59:45PM -0000, dvmp wrote:<br>
> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -><br>
> --nt-response=3213a667f5405fe084a9e7291e326e0f0c68ce28482c998a<br>
> Exec-Program output: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53<br>
> Exec-Program-Wait: plaintext: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53<br>
> Exec-Program: returned: 0<br>
> [mschap] adding MS-CHAPv2 MPPE keys<br>
> ++[mschap] returns ok<br>
> MSCHAP Success<br>
> ++[eap] returns handled<br>
<br>
</div>OK, mschap seems to succeed.<br>
<div class="im"><br>
> } # server inner-tunnel<br>
> [peap] Got tunneled reply code 11<br>
</div>...<br>
<div class="im">> [peap] Got tunneled Access-Challenge<br>
> ++[eap] returns handled<br>
> Sending Access-Challenge of id 173 to ip_AP_cisco port 1645<br>
> EAP-Message =<br>
> 0x0109005b190017030100505317a8177c77666155012c3211bf6b1c09ef17d29e1bb1fdcf91<br>
> ae82bf7dc5baae0e670350b67151aefb6bc5e1f18861cd55c6cdb04a829d8d59349be4ae0f68<br>
> a1ccd3f6714ea7a663b7c98ff3904cf9<br>
> Message-Authenticator = 0x00000000000000000000000000000000<br>
> State = 0x2bebcbfd2de2d2392b8b84ab35544cf2<br>
> Finished request 386.<br>
> Going to the next request<br>
> Waking up in 4.9 seconds.<br>
<br>
</div>Client is sent the access challenge for the user's device with the mschap success.<br>
<div class="im"><br>
> rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=174,<br>
> length=167<br>
> User-Name = "DOMAIN\\userADaccount"<br>
> Framed-MTU = 1400<br>
> Called-Station-Id = "003a.994b.fd40"<br>
> Calling-Station-Id = "e02a.8255.86ba"<br>
> Service-Type = Login-User<br>
> Message-Authenticator = 0xbfbafd91f0c8db0b664454958ff46920<br>
> EAP-Message = 0x020200190153554d4f4c434f4d50414c5c5343313031383536<br>
<br>
</div>User's device sends back an EAP Identity<br>
<div class="im"><br>
> [eap] EAP packet type response id 2 length 25<br>
> [eap] No EAP Start, assuming it's an on-going EAP conversation<br>
<br>
</div>Which is why this isn't picked up as part of the previous PEAP<br>
conversation, so the client isn't sent an Access-Accept<br>
<br>
...<br>
<div class="im"><br>
> Exec-Program: returned: 0<br>
> [mschap] adding MS-CHAPv2 MPPE keys<br>
> ++[mschap] returns ok<br>
> MSCHAP Success<br>
> ++[eap] returns handled<br>
> } # server inner-tunnel<br>
</div>...<br>
<div class="im">> ++[eap] returns handled<br>
> Sending Access-Challenge of id 180 to ip_AP_cisco port 1645<br>
> EAP-Message =<br>
> 0x0109005b190017030100502f79f75d930239412dc6c2abfbbed6c6930ef8ed21bedee2d972<br>
> 9a2a1c987a285ddfd23ef4379fa1e6bf44ffa1eb1d08f8a24c50606ba462b9cbdf8c68923e52<br>
> 72a032112af4c2f1af939b470d00b30b<br>
> Message-Authenticator = 0x00000000000000000000000000000000<br>
> State = 0xf9273f5cff2e268144e0f611590a6390<br>
> Finished request 393.<br>
> Going to the next request<br>
> Waking up in 2.4 seconds.<br>
<br>
</div>...<br>
repeat of last time.<br>
<br>
<br>
The client has given up (that much is certain), so check EAP logs<br>
on the client. If it's Windows, you probably don't stand much of a<br>
chance of getting much useful (easy to read) logs. Check things<br>
like certificates expiring (but it doesn't sound like this).<br>
<br>
But first I'd restart winbind and see if it all works again. Then<br>
check your domain join (net ads testjoin or similar). I've seen<br>
similar before when everything individually worked OK, but the<br>
clients didn't like something that was sent back. [0] I think<br>
something has broken with the domain join, or winbind - it isn't<br>
at all obvious, but the client doesn't like it. You could also try<br>
re-joining the server to the domain.<br>
<br>
Oh, and you want to upgrade FreeRADIUS to 2.2.0; there's a<br>
security vulnerability in anything older.<br>
<br>
Cheers<br>
<br>
Matthew<br>
<br>
<br>
<br>
[0] <a href="http://notes.asd.me.uk/2011/01/11/freeradius-and-ntlm_auth-reminder-from-a-silent-failure/" target="_blank">http://notes.asd.me.uk/2011/01/11/freeradius-and-ntlm_auth-reminder-from-a-silent-failure/</a><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
Matthew Newton, Ph.D. <<a href="mailto:mcn4@le.ac.uk">mcn4@le.ac.uk</a>><br>
<br>
Systems Architect (UNIX and Networks), Network Services,<br>
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom<br>
<br>
For IT help contact helpdesk extn. 2253, <<a href="mailto:ithelp@le.ac.uk">ithelp@le.ac.uk</a>><br>
</font></span><div class="HOEnZb"><div class="h5">-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><span style="color:rgb(153,153,153)">Alberto Martínez Setién</span><br style="color:rgb(153,153,153)"><span style="color:rgb(153,153,153)">Servicio Informático</span><br style="color:rgb(153,153,153)">
<span style="color:rgb(153,153,153)">Universidad de Deusto</span><br style="color:rgb(153,153,153)"><span style="color:rgb(153,153,153)">Avda. de las Universidades, 24</span><br style="color:rgb(153,153,153)"><span style="color:rgb(153,153,153)">48007 - Bilbao (SPAIN)</span><br style="color:rgb(153,153,153)">
<span style="color:rgb(153,153,153)">Phone: +34 - 94 413 90 00 Ext 2684</span><br style="color:rgb(153,153,153)"><span style="color:rgb(153,153,153)">Fax: +34 - 94 413 91 01</span><br>
</div>