Here's a snippet of the debug.. radius_xlat: '--username=tcasartello' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 3d radius_xlat: '--challenge=c1b030c3f14da3b1' radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '--nt-response=39b7dd714f0104723f917c82db10c17738015c22186940b0' Exec-Program output: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 Exec-Program-Wait: plaintext: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 37 modcall: leaving group MS-CHAP (returns ok) for request 37 MSCHAP Success modcall[authenticate]: module "eap" returns handled for request 37 modcall: leaving group authenticate (returns handled) for request 37 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 37 modcall: leaving group authenticate (returns handled) for request 37 Sending Access-Challenge of id 38 to 192.168.223.1 port 1645 EAP-Message = 0x010a004a1900170301003f6adf2a774f5eb8ecfc6247131c81763255f6a526544dab03eb222ffc65777763c1426ce728a43fb70924d29e28f3cd3a145846d0a83a5692518aaf83d99320 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x42e8dc477d661fd07c3ccb0211ac0fac Finished request 37 Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Casartello, Thomas Sent: Friday, May 30, 2008 10:15 AM To: FreeRadius users mailing list Subject: RE: XP Extensions for PEAP/MSCHAPv2 I tried regenerating the certs using the bootstrap file (Which I saw includes the XP extensions with the certs that it generates.) I'm still running into the same issue. Here's my eap and mschap config..any other info I could show to help troubleshoot? Eap.conf config: eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom } peap { default_eap_type = mschapv2 } mschapv2 { } } Mschap config: mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%$ } Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, May 30, 2008 1:41 AM To: FreeRadius users mailing list Subject: Re: XP Extensions for PEAP/MSCHAPv2 Casartello, Thomas wrote:
I have everything working, but I believe I’ve hit the problem with the OIDs windows needs for the SSL cert. I generated a key with openssl and a req and I actually have a real cert assigned for the server. How do I go about modifying my key and cert so that XP users will be able to connect? I can connect with other OSes.
In 2.0, see raddb/certs/. There are scripts and configurations to make certificates that Windows will like. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html