Re : Re : Re : EAP-TLS OK - EAP-PEAP KO!! why that?
thank you Alan (i am on the FAQ) user=maman passwd= maman is a sql based user. trying peap with sql based user give error message, but trying it with Ad_based user give no error message, just don't connect... with radtest: radtest maman maman localhost 1812 testing123 Sending Access-Request of id 48 to 127.0.0.1 port 1812 User-Name = "maman" User-Password = "maman" NAS-IP-Address = 127.0.0.2 NAS-Port = 1812 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=48, length=20 same credential with my Access-Point (part of output). --------------------------------------------------------------------------------------------- rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: Told to do MS-CHAPv2 for maman with NT-Password expand: --username=%{mschap:User-Name} -> --username=maman mschap2: 64 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2ebb047f9367e21a expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=9a350da9a792cd203c8bbc949a8522dc0540f2f6561bc24b Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [maman/<via Auth-Type = EAP>] (from client Ap8500 port 2 cli 00-12-F0-0C-97-61 via TLS tunnel) } # server (null) PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\021E=691 R=1" EAP-Message = 0x04110004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x81d8f90 3 MS-CHAP-Error = "\021E=691 R=1" EAP-Message = 0x04110004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 93 to 10.10.44.246 port 1036 EAP-Message = 0x011200261900170301001b073fa5a0bd298ecb1079cb86c898132309fee25458125b2dd2fa73 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf57621b1f264389c4e317c094fd9f295 Finished request 477. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.44.246 port 1036, id=94, length=194 User-Name = "maman" NAS-IP-Address = 10.10.44.246 NAS-Port = 2 Called-Station-Id = "00-1C-F0-08-FB-FA:PEAP" Calling-Station-Id = "00-12-F0-0C-97-61" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x021200261900170301001b45d08a0aa2a8e62c56613f082cafa76f4b6f51d358557fefd07b7f State = 0xf57621b1f264389c4e317c094fd9f295 Message-Authenticator = 0xc80003ff430d4f991ea016e1e620ecaf +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "maman", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 18 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [maman/<via Auth-Type = EAP>] (from client Ap8500 port 2 cli 00-12-F0-0C-97-61) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> maman attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 94 to 10.10.44.246 port 1036 EAP-Message = 0x04120004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 478. Going to the next request Waking up in 4.8 seconds. --------------------------------------------------------------------------------------------- ----- Message d'origine ---- De : Alan DeKok <aland@deployingradius.com> À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Envoyé le : Samedi, 19 Juillet 2008, 17h19mn 58s Objet : Re: Re : Re : EAP-TLS OK - EAP-PEAP KO!! why that? Reveal MAP wrote:
Now i am trying to authenticate via PEAP a user existing onmy sql database:
The debug log doesn't show that.
the output is too long, mailing list parameters won't accept it. i post part of the output that seem to give the point of misconfiguration. if it is not sufficient, please let me know, and i will find a way to put somewher the whole output of RADIUD -X. thank you. ... Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
What's the problem? You're using Samba to authenticate to Active Directory, and the password is wrong. Check that the passwords are correct. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _____________________________________________________________________________ Envoyez avec Yahoo! Mail. Une boite mail plus intelligente http://mail.yahoo.fr
Reveal MAP wrote:
user=maman passwd= maman is a sql based user.
trying peap with sql based user give error message,
Which... is what? Is it a secret?
but trying it with Ad_based user give no error message, just don't connect...
FreeRADIUS gives no error message? Or the client? Are you trying to debug the FreeRADIUS configuration by looking at the login screen on the client machine?
with radtest:
Which sends a PAP request. Which doesn't use the MS-CHAP module. Which doesn't go to AD.
same credential with my Access-Point (part of output). ---------------------------------------------------------------------------------------------
rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2
Which is using MS-CHAP. Which then uses the MS-CHAP module. Which *you* have configured to ask AD.
Exec-Program output: Logon failure (0xc000006d)
So... fix that. Run ntlm_auth from the command line until it works. Then use the same password to log in via PEAP. Or... if you want to authenticate PEAP users via SQL (which you seem to be saying), then don't configure the mschap module to use ntlm_auth. Alan DeKok.
participants (2)
-
Alan DeKok -
Reveal MAP