Greetings
everyone,
I’m
a brand new member and am hoping to find some help with a bizarre
problem. First, I’m not an expert when it comes to RADIUS. I
work for a school district and I inherited this setup from someone else who
left the district over a year ago. I have a fair understanding of how
certificates work, but I’m not an expert in that area either.
Here
is some background on our setup:
Network:
Mixture of Windows 2000/2003 and Novell NetWare 6.5 servers. FreeRADIUS
v1.1.0 is running on SuSE Linux Enterprise Server 10 SP2.
Wireless
infrastructure: We use Aruba wireless technology, with an
FreeRADIUS
is configured to use LDAP authentication to eDirectory, and with EAP-TLS for
the wireless. Workstations use PEAP and are configured not to validate
server certificates.
Wireless
authentication happens by first logging in to a workstation and having Windows
then pass the credentials on to RADIUS and authenticating to eDirectory.
I
will paste relevant portions of the debug output from “radiusd
–X” below. Here is a description of the bizarre problem:
I
have 2 user accounts; let’s call them UserA and UserB. I have 2
laptops; let’s call them Laptop1 and Laptop2. Laptop1 (my laptop)
is a Gateway M465 with an Intel Pro/Wireless 3945ABG card. Laptop2 (one
of my user’s laptops) is a Dell Latitude XT with Dell Wireless 1490 Dual
Band WLAN mini-card. Both are Mini-PCI cards.
UserA
(me) can successfully authenticate on both laptops. UserB can
successfully authenticate on Laptop1, but not on Laptop2. The fact that
UserA can successfully authenticate on both tells me it’s not a laptop
configuration issue, and the fact that UserB can successfully authenticate on
Laptop1 tell me it’s not a user account issue. Also, using
NTRadPing (or radtest on the RADIUS server itself), I can successfully
authenticate as both users, with or without the Windows DOMAIN\ in front.
That leaves me with nothing to go on. I will paste the relevant sections
of the debug outputs from each user on each laptop and point out where the errors
are. I have even gone so far as to set up FreeRADIUS from scratch on a
test Unix machine, with no luck.
In
the debug output I’m pasting below, the only difference I can see between
Laptop1 and Laptop2 is that Laptop2 is passing credentials with the DOMAIN\ in
front, where Laptop1 is not. That in itself is odd, because both laptops
are joined to our Windows domain and both laptops’ users log in to the
domain. But in any case, that part doesn’t seem to be the problem,
because FreeRADIUS is stripping the DOMAIN\ part off when it passes the
authentication request on to eDirectory. I even got a 3rd user
and laptop in for testing, and the results were the same as with Laptop2
– UserA can authenticate successfully on Laptop3, but UserB and UserC
cannot authenticate on Laptop3.
The
other strange thing is that if, on the XP client, I drill down in to the
properties for the wireless profile and un-check the “Automatically use
my Windows logon name and password” option, Windows will prompt me for
credentials, and then they will be accepted!
Software-wise,
the only difference between Laptop1 and Laptop2 and 3 is that Laptop1 has
Service Pack 2 for XP, and the other two have SP3. But that still
doesn’t explain the fact that UserA can successfully authenticate on all
3 laptops.
Any
help will be greatly appreciated.
Debug
output from UserA authenticating on Laptop1:
rad_recv:
Access-Request packet from host 20.1.3.140:32958, id=219, length=236
User-Name = "UserA"
NAS-IP-Address = 20.1.3.140
NAS-Port = 1
NAS-Identifier = "20.1.3.140"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0018DE9626C1"
Called-Station-Id = "000B8640C280"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020a00261900170301001b14ecbd30fd1fe2c1fd3a31b577ef8f94002d7c99243e71e0e82f99
State = 0x3167f4c59e25cac9b6ac583bfa7fb3d0
Aruba-Essid-Name = "STAFF"
Aruba-Location-Id = "TestAP"
Message-Authenticator = 0xa1cbcfee4810f80e40407ef46b9d5d39
Processing the authorize section of radiusd.conf
modcall:
entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
radius_xlat:
'UserA'
rlm_attr_rewrite:
Added attribute Stripped-User-Name with value 'UserA'
modcall[authorize]: module "copy.user-name" returns ok for request 8
radius_xlat:
'^(host/.*)'
rlm_attr_rewrite:
No match found for attribute Stripped-User-Name with value 'UserA'
modcall[authorize]: module "add-dollar-sign" returns ok for request 8
radius_xlat:
'^(.*[\/]+)'
rlm_attr_rewrite:
No match found for attribute Stripped-User-Name with value 'UserA'
modcall[authorize]: module "strip-realm-name" returns ok for request
8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "UserA", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 10 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry DEFAULT at line 7
modcall[authorize]: module "files" returns ok for request 8
rlm_ldap:
- authorize
rlm_ldap:
performing user authorization for UserA
radius_xlat:
'(cn=UserA)'
radius_xlat:
't=pusd'
rlm_ldap:
ldap_get_conn: Checking Id: 0
rlm_ldap:
ldap_get_conn: Got Id: 0
rlm_ldap:
performing search in t=pusd, with filter (cn=UserA)
rlm_ldap:
Added the eDirectory password in check items
rlm_ldap:
looking for check items in directory...
rlm_ldap:
looking for reply items in directory...
rlm_ldap:
user UserA authorized to use remote access
rlm_ldap:
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 8
modcall:
leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth:
type "EAP"
Processing the authenticate section of radiusd.conf
modcall:
entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 8
modcall:
leaving group authenticate (returns ok) for request 8
Sending
Access-Accept of id 219 to 20.1.3.140 port 32958
MS-MPPE-Recv-Key =
0xacee5bfc2803579cd0ff5f2b474927b528067e3bb6acb22a5439eaff089f62cb
MS-MPPE-Send-Key =
0xc74619156767ed997ea2729c106a9339a89b919857e4bf804d0aeb8d3f7c8455
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "UserA"
Finished
request 8
Going
to the next request
Waking
up in 6 seconds...
---
Walking the entire request list ---
Cleaning
up request 0 ID 210 with timestamp 48481cbd
Cleaning
up request 1 ID 212 with timestamp 48481cbd
Cleaning
up request 2 ID 213 with timestamp 48481cbd
Cleaning
up request 3 ID 214 with timestamp 48481cbd
Cleaning
up request 4 ID 215 with timestamp 48481cbd
Cleaning
up request 7 ID 216 with timestamp 48481cbd
Cleaning
up request 5 ID 217 with timestamp 48481cbd
Cleaning
up request 6 ID 218 with timestamp 48481cbd
Cleaning
up request 8 ID 219 with timestamp 48481cbd
Nothing
to do. Sleeping until we see a request.
Debug
output from UserB authenticating on Laptop1 looks the same, so I will skip
posting it due to message size limits.
Debug
output from UserA authenticating on Laptop2 is the same as on Laptop1, so I
won’t paste it here either.
Debug
output from UserB authenticating on Laptop2:
rad_recv:
Access-Request packet from host 20.1.3.140:32958, id=243, length=307
User-Name = "DOMAIN\\UserB"
NAS-IP-Address = 20.1.3.140
NAS-Port = 2
NAS-Identifier = "20.1.3.140"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "001FE105CE94"
Called-Station-Id = "000B8640C280"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020700631900170301005829c9dcbbb4696aec2f16239d4758e609a7c5e8134ec07054e82abd940b225525b8c4af125b0fd0e3075ea216e190fe99ea4b1ab41b495eb6302d1ec3093d645d827da48ec5b4edba302bb21c8e6f17721a3aab9d313924ca
State = 0x6f3c13804ea9765ef5dfa905d68a4808
Aruba-Essid-Name = "STAFF"
Aruba-Location-Id = "TestAP"
Message-Authenticator = 0xaabdf4b276bf583e2e7373c80b31cf41
Processing the authorize section of radiusd.conf
modcall:
entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
radius_xlat:
'DOMAIN\\UserB'
rlm_attr_rewrite:
Added attribute Stripped-User-Name with value 'DOMAIN\\UserB'
modcall[authorize]: module "copy.user-name" returns ok for request 6
radius_xlat:
'^(host/.*)'
rlm_attr_rewrite:
No match found for attribute Stripped-User-Name with value 'DOMAIN\\UserB'
modcall[authorize]: module "add-dollar-sign" returns ok for request 6
radius_xlat:
'^(.*[\/]+)'
rlm_attr_rewrite:
Changed value for attribute Stripped-User-Name from 'DOMAIN\\UserB' to 'UserB'
modcall[authorize]: module "strip-realm-name" returns ok for request
6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "DOMAIN\UserB", looking up realm
NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 7 length 99
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry DEFAULT at line 7
modcall[authorize]: module "files" returns ok for request 6
rlm_ldap:
- authorize
rlm_ldap:
performing user authorization for DOMAIN\UserB
radius_xlat:
'(cn=UserB)'
radius_xlat:
't=pusd'
rlm_ldap:
ldap_get_conn: Checking Id: 0
rlm_ldap:
ldap_get_conn: Got Id: 0
rlm_ldap:
performing search in t=pusd, with filter (cn=UserB)
rlm_ldap:
Added the eDirectory password in check items
rlm_ldap:
looking for check items in directory...
rlm_ldap:
looking for reply items in directory...
rlm_ldap:
user DOMAIN\UserB authorized to use remote access
rlm_ldap:
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall:
leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth:
type "EAP"
Processing the authenticate section of radiusd.conf
modcall:
entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to DOMAIN\UserB
PEAP: Adding old state with 89 6c
Processing the authorize section of radiusd.conf
modcall:
entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
radius_xlat:
'DOMAIN\\UserB'
rlm_attr_rewrite:
Added attribute Stripped-User-Name with value 'DOMAIN\\UserB'
modcall[authorize]: module "copy.user-name" returns ok for request 6
radius_xlat:
'^(host/.*)'
rlm_attr_rewrite:
No match found for attribute Stripped-User-Name with value 'DOMAIN\\UserB'
modcall[authorize]: module "add-dollar-sign" returns ok for request 6
radius_xlat:
'^(.*[\/]+)'
rlm_attr_rewrite:
Changed value for attribute Stripped-User-Name from 'DOMAIN\\UserB' to 'UserB'
modcall[authorize]: module "strip-realm-name" returns ok for request
6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "DOMAIN\UserB", looking up realm
NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 7 length 76
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry DEFAULT at line 7
modcall[authorize]: module "files" returns ok for request 6
rlm_ldap:
- authorize
rlm_ldap:
performing user authorization for DOMAIN\UserB
radius_xlat:
'(cn=UserB)'
radius_xlat:
't=pusd'
rlm_ldap:
ldap_get_conn: Checking Id: 0
rlm_ldap:
ldap_get_conn: Got Id: 0
rlm_ldap:
performing search in t=pusd, with filter (cn=UserB)
rlm_ldap:
Added the eDirectory password in check items
rlm_ldap:
looking for check items in directory...
rlm_ldap:
looking for reply items in directory...
rlm_ldap:
user DOMAIN\UserB authorized to use remote access
rlm_ldap:
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall:
leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth:
type "EAP"
Processing the authenticate section of radiusd.conf
modcall:
entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall:
entering group MS-CHAP for request 6
(This
appears to be where the problem is)
rlm_mschap: Told to do MS-CHAPv2 for UserB with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall:
leaving group MS-CHAP (returns reject) for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall:
leaving group authenticate (returns reject) for request 6
auth:
Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 6
modcall:
leaving group authenticate (returns handled) for request 6
Sending
Access-Challenge of id 243 to 20.1.3.140 port 32958
EAP-Message =
0x010800261900170301001b39a19f38fd5c0b590dbba6327b62b4410446d5c8341d1831b1dea1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7421d199fd849fb3bbcd35bd05c281b1
Finished
request 6
Going
to the next request
Waking
up in 6 seconds...
rad_recv:
Access-Request packet from host 20.1.3.140:32958, id=244, length=246
User-Name = "DOMAIN\\UserB"
NAS-IP-Address = 20.1.3.140
NAS-Port = 2
NAS-Identifier = "20.1.3.140"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "001FE105CE94"
Called-Station-Id = "000B8640C280"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020800261900170301001bf3eab0cca7796ad13f102214334fada4a48b4ea56c555b3127decb
State = 0x7421d199fd849fb3bbcd35bd05c281b1
Aruba-Essid-Name = "STAFF"
Aruba-Location-Id = "TestAP"
Message-Authenticator = 0x2458e54cc6a52e081b42407e963f6571
Processing the authorize section of radiusd.conf
modcall:
entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
radius_xlat:
'DOMAIN\\UserB'
rlm_attr_rewrite:
Added attribute Stripped-User-Name with value 'DOMAIN\\UserB'
modcall[authorize]: module "copy.user-name" returns ok for request 7
radius_xlat:
'^(host/.*)'
rlm_attr_rewrite:
No match found for attribute Stripped-User-Name with value 'DOMAIN\\UserB'
modcall[authorize]: module "add-dollar-sign" returns ok for request 7
radius_xlat:
'^(.*[\/]+)'
rlm_attr_rewrite:
Changed value for attribute Stripped-User-Name from 'DOMAIN\\UserB' to 'UserB'
modcall[authorize]: module "strip-realm-name" returns ok for request
7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "DOMAIN\UserB", looking up realm
NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_eap: EAP packet type response id 8 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched entry DEFAULT at line 7
modcall[authorize]: module "files" returns ok for request 7
rlm_ldap:
- authorize
rlm_ldap:
performing user authorization for DOMAIN\UserB
radius_xlat:
'(cn=UserB)'
radius_xlat:
't=pusd'
rlm_ldap:
ldap_get_conn: Checking Id: 0
rlm_ldap:
ldap_get_conn: Got Id: 0
rlm_ldap:
performing search in t=pusd, with filter (cn=UserB)
rlm_ldap:
Added the eDirectory password in check items
rlm_ldap:
looking for check items in directory...
rlm_ldap:
looking for reply items in directory...
rlm_ldap:
user DOMAIN\UserB authorized to use remote access
rlm_ldap:
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 7
modcall:
leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth:
type "EAP"
Processing the authenticate section of radiusd.conf
modcall:
entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
(Another
problem here)
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap:
Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 7
modcall:
leaving group authenticate (returns invalid) for request 7
auth:
Failed to validate the user.
Delaying
request 7 for 1 seconds
Finished
request 7
Going
to the next request
Waking
up in 6 seconds...
rad_recv:
Access-Request packet from host 20.1.3.140:32958, id=244, length=246
Sending
Access-Reject of id 244 to 20.1.3.140 port 32958
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
---
Walking the entire request list ---
Waking
up in 1 seconds...
---
Walking the entire request list ---
Cleaning
up request 0 ID 237 with timestamp 48481e9b
Cleaning
up request 1 ID 238 with timestamp 48481e9b
Cleaning
up request 2 ID 239 with timestamp 48481e9b
Cleaning
up request 5 ID 240 with timestamp 48481e9b
Cleaning
up request 3 ID 241 with timestamp 48481e9b
Cleaning
up request 4 ID 242 with timestamp 48481e9b
Cleaning
up request 6 ID 243 with timestamp 48481e9b
Cleaning
up request 7 ID 244 with timestamp 48481e9b
Nothing
to do. Sleeping until we see a request.
Bryce Newall
Systems
Administrator
Poway
Unified
(858)
679-2576