Mitchell, Mark wrote:
I'm trying to get 802.1x authentication going using PEAP/MS-CHAPv2 but cant quite get it going (I think I'm pretty cloise though) so I'm hoping someone here can take a look at my debug output below and perhaps offer some helpful advice. Here's the specifics: Ubuntu 7.10, freeRADIUS 1.1.7, Samba 3.0.
I would suggest using v2.0.3, which is much simpler and more flexible. It also has built-in VMPS support, which means there's less need for perl "glue".
Note that there are calls to a freeNAC perl module called check_mac that performs mac-auth-bypass vlan assignment for non-802.1x compliant devices.
Ah. If you're using freenac, that might explain it.
I've followed the freeNAC instructions and tried some slight variations that I've found posted elsewhere but still not gettting it.
Quite frankly, don't use third-party instructions. They're almost always wrong. The documentation in FreeRADIUS is more up to date, and correct.
I've gotten to the point where I can issue the ntlm_auth command "manually" and authenticate to AD so Samba, Winbind, and Kerberos seem to be OK. When I attempt to get freeRADIUS to do the ntlm_auth for me as described in the freeNAC docs and other web resources like deployingradius.com and the freeradius wiki, I keep getting logon failures. See attached radius debug output below.
Running the ntlm_auth command manually means you're giving it clear-text passwords. Running it from FreeRADIUS means it's being given MS-CHAP hashes. The two are different, and add additional complexity.
I'm just attaching the last part of the debug because for one it's quite large and two, it seems to be going well up to a certain point. My EAP-TLS tunnel appears to be getting setup fine but it just act as if my password is wrong.
I would suggest not using EAP until you have the MS-CHAP stuff working. See src/tests/mschapv1 for a "known working" MS-CHAP sample. You can do: $ radclient -f src/tests/mschapv1 -xx localhost auth testing123 Of course, you'll have to add user "bob" with password "bob" to Active Directory. But you should be able to test MS-CHAP with a known working sample. ...
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
There isn't much else that FreeRADIUS can do at this point. If the domain is returning failure, that means failure. You could also try putting the cleartext-password for the user into the "users" file. That would tell you if (maybe) the client is broken, and isn't doing MS-CHAP properly. i.e. (1) test PEAP with local user && password (2) test MS-CHAP with bob/bob against ntlm_auth If both work, then the problem is something complicated somewhere in between ntlm_auth, winbind, or Active Directory. And that's pretty hard to track down, to be frank. Active Directory isn't very good about telling even an admin *why* something went wrong. Alan DeKok.