Good morning, Just a few lines to update on this case: We finally found where the problem was: the winbind daemon. On our new server, both freeradius (3.0.10) and openssl (OpenSSL 1.0.1e) were working ok. But the winbind daemon (4.1.12) used to authenticate mschapv2 with the windows domain [1] had some bug. It works ok for some time, and suddenly it gets "bugged". It continues running, ntlm_auth still works ok, but when used through freeradius, for some reason, it fails to continue the conversation after sent the tunnelled MSCHAPv2 response. And if it gets restarted, it begins working again! It happens like twice a week. We have not continued investigating where the problem lies inside the winbind daemon. Instead, we are using some script to check and restart the daemon whenever this bug happens. In the future, we will also store NT-Password in LDAP, so that freeradius can take it from LDAP (as it already does with userPassword for PAP), and use it to authenticate MSCHAPv2 instead of using winbind/ntlm_auth. [2] That way we will not depend on samba software anymore. I guess maybe it will also be faster. Thank you much for everybody helping with this issue. It really helped us to find where was the problem. Regards, [1] Config from: http://deployingradius.com/documents/configuration/active_directory.html [2] As seen on: http://lists.freeradius.org/pipermail/freeradius-users/2011-November/057124.... *Oscar Remírez de Ganuza Satrústegui* IT Services Universidad de Navarra Tel. +34 948425600 x803130 http://www.unav.edu/web/it/ On Fri, Jan 15, 2016 at 5:45 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 15, 2016, at 11:37 AM, Óscar Remírez de Ganuza Satrústegui < oscarrdg@unav.es> wrote:
I have continued investigating this issue, reproducing the problem with eapol_test. Disabling tlsv1_2 did not affect the result, and I was still having problems.
That's bad.
So I have installed the new freeradius version on the old server, in order to being able to compare the results, and I have found that the new freeradius works ok on the old server!
That's good. We've put a lot of effort into working around OpenSSL problems. :(
Comparing the debug logs, line by line, I see that the first difference is in the EAP-Message of Access-Request #6, much bigger in case #2:
In Case #1: (6) Received Access-Request Id 6 from 159.237.8.31:44007 to 159.237.12.8:1812 length 142 (6) User-Name = "anonino@unav.es" (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) EAP-Message = 0x020600061900
That's an EAP-TLS ACK.
In Case #2: (6) Received Access-Request Id 6 from 159.237.8.31:32965 to 159.237.18.104:1812 length 280 (6) User-Name = "anonino@unav.es" (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) EAP-Message =
0x02060090198000000086160301004610000042410483144b3e8df35650f6435c0906f39d3d33301f98f391c1bc73127ff72afe7ef82d6aa40707f062c2eaab73383292ca022f1469df43863eda1d869a64b3607c5014030100010116030100303b6e2063d8d994c891195fb9e8c3103b1344b7b90b063b
And that's EAP-TLS data. It *should* work....
I have seen that there are also some problems with versions OpenSSL 1.0.1f and 1.0.1g:
http://lists.freeradius.org/pipermail/freeradius-users/2015-December/081251....
Yes.
Is it correct if I conclude that this version (OpenSSL 1.0.1e) is also not working properly??
I'd be happy to blame OpenSSL.
Is there a way to make freeradius use a different version of openssl on the same server?
Yes. But it's not trivial. That's because the compiler can find the second version, but has a MUCH harder time ignoring the first version. Unless we can make it ignore the first version... it can compile against some combination of the versions, which is bad.
Virtual machines are cheap. I'd suggest trying a new virtual machine, which you can put only one version of OpenSSL on.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html