I have a strange problem where the initial 802.1X authentication is
successful, but then fails subsequent auth attempts. This is using
Windows XP sp3 PEAP/MS-Chapv2, FreeRADIUS 2.1.3, with Active Directory
running on a Windows2003 server.
I noticed the following discrepency in the RADIUS logs. The two auth attempts are identical until this part:
Successful
Info: Found Auth-type = EAP
Info: +- entering group authenticate (...)
Info: [eap] Request found,released from list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] eaptls_verify returned 7
Info: [peap] Done initial handshake
Info: [peap] eaptls_process returned 7
Info: [peap] EAPTLS_OK
Info: [peap] Session established. Decoding tunneled attributes.
Info: [peap] Received EAP-TLV response.
Info: [peap] Success
Info: [peap] Using saved attributes from the original Access-Accept
Unsuccessful
Info: Found Auth-type = EAP
Info: +- entering group authenticate (...)
Info: [eap] Request found,released from list
Info: [eap] EAP/mschapv2
Info: [eap] processing type mschapv2
Info: [mschapv2] +-entering group MS-CHAP (...)
Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password.
Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password.
Info: [mschap] Told to do MS-CHAPv2 for seth with NT-Password
...
Info: Debug: Exec-Program output: Logon failure (0xxc000006d)
Info: Debug: Exec-Program-Wait: plaintext: Logon failure (0xxc000006d)
Info: Debug: Exec-Program: returned 1
Info: [mschap] External script failed.
Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Info: ++[mschap] returns reject
Info: [eap] Freeing handler
Info: ++[eap] returns reject
Info: Failed to authenticate the user.
Why
is one auth request using the mschapv2 group and the other PEAP? Both
are from the same client on the same switchport. Has anyone else run
into this type of problem? Is there a configuration on the supplicant
or Active Directory that could cause this?
More information if necessary:
from modules.conf
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/cert_privkey.key
certificate_file = ${raddbdir}/cert_certificate.