2008/8/26 <A.L.M.Buxey@lboro.ac.uk>:
Hi,
I'm using a MacOS as a test client, which connects to the wireless network, prompts about an invalid certificate chain for the SSL cert
well, unless you've installed the CA etc that you signed the RADIUS server with, this will always be the case. until you trust the cert (by trusting the CA) then you cant EAP
Thanks for the replies, I was able to hit continue when presented with the SSL certificate warning to use it anyway, so had been doing that. However to make sure I added the CA certificate to the test system, unfortunately it didn't have any effect. I've reverted to a default configuration (using the Fedora Core 9 packaged version of FreeRadius 2.0.5) allowing the certs to be autogenerated to try and spot what in my configuration is making it break. With a default configuration EAP works with a user specified in the users file with a cleartext password (http://jim.geezas.com/stuff/radius-debugging/ *-success.log files). This works via eapol and a Mac test client. As soon as I enable the MSCHAP module (uncommenting the ntlm auth line) all authentication queries the AD here, so the locally configured user fails. When I try a user configured in the AD I'm getting: EAP-MSCHAPV2: Invalid authenticator response in success request In the eapol output, the radiusd logs also stop just after the mschap module returns success (0), finishing up the request. A snippet of the log is below (full logs @ http://jim.geezas.com/stuff/radius-debugging/ *-failure.log), the message authenticator does seem to be invalid, this seeming to happen when the request is proxied to the inner tunnel. MSCHAP Success ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010800331a0307002e533d31343030463445333137313238414639414438433531453433364146453138363141353839363139 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd1ea68cfd0e27269358adf5451b3d294 PEAP: Processing from tunneled session code 0x896ac68 11 EAP-Message = 0x010800331a0307002e533d31343030463445333137313238414639414438433531453433364146453138363141353839363139 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd1ea68cfd0e27269358adf5451b3d294 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 7 to 127.0.0.1 port 46172 EAP-Message = 0x0108005b190017030100506c55b2c3a5d1b727e4838dd88ff3d6be564aec2cce92f2cf546f86b9566d9d3add42598ab14de29f1a75b992798a92c28ecedc676ff9a0217787e64e686e93517ccbdce3f1a30e7fb861a382ab957cc8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8347b19df3c62eb11ce04af34e0d0a5 Finished request 15. So, the mschap module returns that the user is valid, but it seems that somewhere during the process the Message-Authenticator field is becoming invalid. Has anyone seen this problem before, or am I looking in the wrong place? Thanks, James