I am trying to do PEAP authentication (without certificates) where a client (Windows XP/Vista) gains WPA wi-fi access with a username and password using FreeRADIUS (v2.1.4) as the RADIUS server on Ubuntu Linux 8.10.
I have gotten as far as compiling FreeRADIUS with SSL/TLS support and getting a Windows client to gain WPA access where his username/pass is in the "/etc/freeradius/users" file. I'm not interested in doing any LDAP or Active Directory stuff (don't want to use ntlm_auth), so obviously "MS-CHAP-Use-NTLM-Auth := No" was included with the user/pass in the "/etc/freeradius/users" file.
If you don't configure ntlm_auth in mschap module you don't need that. Remove it from the database.
freeradius debug (with -X switch) gives me the following (I've only included the parts which I think are relevant:
................... [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user1' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'user1' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'user8' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ................... EAP-Message = 0x0108001f1a0108001a1025124f5e6a8bc7778687e657b729c16b7573657238 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x31f7332531ff293ae0350b28678bf4db [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001f1a0108001a1025124f5e6a8bc7778687e657b729c16b7573657238 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x31f7332531ff293ae0350b28678bf4db [peap] Got tunneled Access-Challenge ++[eap] returns handled
So, this is from different EAP exchange.
.................... [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for user1 with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. ...................
The parts that gives away the fact that the "MS-CHAP-Use-NTLM-Auth := No" is not being read from the database: 1) no users are found in the "SELECT FROM radreply" query 2) underneath "[peap] Got tunneled reply code 11" there is no "MS-CHAP-Use-NTLM-Auth := No" as there is when a user is authenticated from the "users" file. 3) The fact that I cannot get the client to gain access!
It is being read! But it does nothing when ntlm_auth is not configured. You most likely haven't enabled sql in inner-tunnel virtual server. But since you edited the debug there is no way to say for sure. Ivan Kalik Kalik Informatika ISP