eap: ERROR: Failed continuing EAP PEAP (25) session.
Hi guys. I'm authenticating users against Samba4 using Winbindd (PEAP-MSCHAPv2). With radtest everything is working fine; the user information are correctly extracted and the authentication process is successful. I'm now trying to access through a WiFi client. The access point is configured properly and can communicate with the FreeRADIUS server. But I'm encountering the following error (radiusd -X): (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state send tlv success (8) eap_peap: Received EAP-TLV response (8) eap_peap: Client rejected our response. The password is probably incorrect (8) eap_peap: ERROR: We sent a success, but the client did not agree (8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (8) eap: Sending EAP Failure (code 4) ID 232 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user I made some tests even with eapol_test, using the EAP-MSCHAPv2 config file reported in http://deployingradius.com: decapsulated EAP packet (code=4 id=8 len=4) from RADIUS server: EAP Failure I'm using the following FreeRADIUS version. radiusd: FreeRADIUS Version 3.0.12 (git #ae2f29c), for host x86_64-unknown-linux-gnu, built on Jul 29 2016 at 11:17:40 FreeRADIUS Version 3.0.12 And the following Samba version (Debian 8.5): 4.2.10. To understand the problem tell me if you need more accurate log. Thanks in advance.
Finally I solved the problem. These are my configuration files, hoping that they can be useful for someone. *** sites/inner-tunnel server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { eap { ok = return } } authenticate { Auth-Type MS-CHAP { mschap } eap } session { radutmp } post-auth { } pre-proxy { } post-proxy { eap } } *** sites/default server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } authorize { filter_username preprocess auth_log suffix eap { ok = return } } authenticate { eap } preacct { preprocess acct_unique suffix } accounting { detail unix exec attr_filter.accounting_response } session { } post-auth { update { &reply: += &session-state: } files remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } } pre-proxy { } post-proxy { eap } } *** modules/ldap ldap { server = 'server.testdomain.lan' identity = 'cn=administrator,cn=Users,dc=ad,dc=testdomain,dc=lan' password = p4ss base_dn = 'dc=ad,dc=testdomain,dc=lan' sasl { } update { control:Password-With-Header += 'unicodePWD' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } user { base_dn = "${..base_dn}" filter = "(&(objectClass=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))" sasl { } } group { base_dn = 'ou=Groups,dc=ad,dc=testdomain,dc=lan' base_dn = "${..base_dn}" filter = '(objectClass=group)' scope = 'sub' name_attribute = cn membership_filter = "(member=%{control:Ldap-UserDn})" membership_attribute = 'memberOf' } profile { } client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' template { } attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { } pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } } *** modules/mschap mschap { winbind_username = "%{mschap:User-Name}" winbind_domain = "TESTDOMAIN" pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 86400 cleanup_interval = 300 idle_timeout = 600 } passchange { } } *** modules/eap eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } leap { } gtc { auth_type = Local } tls-config tls-common { certdir = /etc/ssl cadir = /etc/ssl/ca private_key_file = ${certdir}/radiuswip.server.lan.key certificate_file = ${certdir}/radiuswip.server.lan.crt ca_file = ${cadir}/ca.crt dh_file = ${certdir}/radius.dh ca_path = ${cadir} cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } tls { tls = tls-common } ttls { tls = tls-common default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } mschapv2 { } } 2016-08-01 13:10 GMT+02:00 Stefano Pardini <stefanopardini@gmail.com>:
Hi guys.
I'm authenticating users against Samba4 using Winbindd (PEAP-MSCHAPv2). With radtest everything is working fine; the user information are correctly extracted and the authentication process is successful.
I'm now trying to access through a WiFi client. The access point is configured properly and can communicate with the FreeRADIUS server. But I'm encountering the following error (radiusd -X):
(8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state send tlv success (8) eap_peap: Received EAP-TLV response (8) eap_peap: Client rejected our response. The password is probably incorrect (8) eap_peap: ERROR: We sent a success, but the client did not agree (8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (8) eap: Sending EAP Failure (code 4) ID 232 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user
I made some tests even with eapol_test, using the EAP-MSCHAPv2 config file reported in http://deployingradius.com: decapsulated EAP packet (code=4 id=8 len=4) from RADIUS server: EAP Failure
I'm using the following FreeRADIUS version. radiusd: FreeRADIUS Version 3.0.12 (git #ae2f29c), for host x86_64-unknown-linux-gnu, built on Jul 29 2016 at 11:17:40 FreeRADIUS Version 3.0.12
And the following Samba version (Debian 8.5): 4.2.10.
To understand the problem tell me if you need more accurate log. Thanks in advance.
The problem was related to the "files" keyword inside the authorize section of inner-tunnel. Removing it everything starts to work. Sorry for the inconvenience. 2016-08-02 10:28 GMT+02:00 Stefano Pardini <stefanopardini@gmail.com>:
Finally I solved the problem. These are my configuration files, hoping that they can be useful for someone.
*** sites/inner-tunnel server inner-tunnel {
listen { ipaddr = 127.0.0.1 port = 18120 type = auth }
authorize { eap { ok = return } }
authenticate { Auth-Type MS-CHAP { mschap }
eap }
session { radutmp }
post-auth {
}
pre-proxy {
}
post-proxy { eap }
}
*** sites/default server default {
listen { type = auth ipaddr = * port = 0
limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } }
listen { ipaddr = * port = 0 type = acct limit {
} }
authorize { filter_username preprocess auth_log suffix
eap { ok = return } }
authenticate { eap }
preacct { preprocess acct_unique suffix }
accounting { detail unix exec attr_filter.accounting_response }
session {
}
post-auth { update { &reply: += &session-state: }
files
remove_reply_message_if_eap
Post-Auth-Type REJECT { -sql attr_filter.access_reject
eap
remove_reply_message_if_eap } }
pre-proxy {
}
post-proxy { eap }
}
*** modules/ldap ldap { server = 'server.testdomain.lan' identity = 'cn=administrator,cn=Users,dc=ad,dc=testdomain,dc=lan' password = p4ss base_dn = 'dc=ad,dc=testdomain,dc=lan' sasl { } update { control:Password-With-Header += 'unicodePWD' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute' } user { base_dn = "${..base_dn}" filter = "(&(objectClass=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))" sasl { } } group { base_dn = 'ou=Groups,dc=ad,dc=testdomain,dc=lan' base_dn = "${..base_dn}" filter = '(objectClass=group)' scope = 'sub' name_attribute = cn membership_filter = "(member=%{control:Ldap-UserDn})" membership_attribute = 'memberOf' } profile { } client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' template { } attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } accounting { reference = "%{tolower:type.%{Acct-Status-Type}}" type { start { update { description := "Online at %S" } } interim-update { update { description := "Last seen at %S" } } stop { update { description := "Offline at %S" } } } } post-auth { update { description := "Authenticated at %S" } } options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { } pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } }
*** modules/mschap mschap { winbind_username = "%{mschap:User-Name}" winbind_domain = "TESTDOMAIN" pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 86400 cleanup_interval = 300 idle_timeout = 600 } passchange { } }
*** modules/eap eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } leap { } gtc { auth_type = Local } tls-config tls-common { certdir = /etc/ssl cadir = /etc/ssl/ca private_key_file = ${certdir}/radiuswip.server.lan.key certificate_file = ${certdir}/radiuswip.server.lan.crt ca_file = ${cadir}/ca.crt dh_file = ${certdir}/radius.dh ca_path = ${cadir} cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } tls { tls = tls-common } ttls { tls = tls-common default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } mschapv2 { } }
2016-08-01 13:10 GMT+02:00 Stefano Pardini <stefanopardini@gmail.com>:
Hi guys.
I'm authenticating users against Samba4 using Winbindd (PEAP-MSCHAPv2). With radtest everything is working fine; the user information are correctly extracted and the authentication process is successful.
I'm now trying to access through a WiFi client. The access point is configured properly and can communicate with the FreeRADIUS server. But I'm encountering the following error (radiusd -X):
(8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state send tlv success (8) eap_peap: Received EAP-TLV response (8) eap_peap: Client rejected our response. The password is probably incorrect (8) eap_peap: ERROR: We sent a success, but the client did not agree (8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (8) eap: Sending EAP Failure (code 4) ID 232 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user
I made some tests even with eapol_test, using the EAP-MSCHAPv2 config file reported in http://deployingradius.com: decapsulated EAP packet (code=4 id=8 len=4) from RADIUS server: EAP Failure
I'm using the following FreeRADIUS version. radiusd: FreeRADIUS Version 3.0.12 (git #ae2f29c), for host x86_64-unknown-linux-gnu, built on Jul 29 2016 at 11:17:40 FreeRADIUS Version 3.0.12
And the following Samba version (Debian 8.5): 4.2.10.
To understand the problem tell me if you need more accurate log. Thanks in advance.
On Aug 2, 2016, at 10:44 AM, Stefano Pardini <stefanopardini@gmail.com> wrote:
The problem was related to the "files" keyword inside the authorize section of inner-tunnel. Removing it everything starts to work.
Why? It's in the default configuration so that you can add users there. If it doesn't work, it's likely because you added a user there with a different password than what's in AD. As always, reading the FULL debug output will tell you what's going wrong, and why. Alan DeKok.
On Tue, Aug 02, 2016 at 10:44:31AM +0200, Stefano Pardini wrote:
The problem was related to the "files" keyword inside the authorize section of inner-tunnel.
This is in the default configuration, and works fine. If that was causing problems then it will be something you added to your 'users' file, rather than the fact that 'files' was being called.
Removing it everything starts to work.
Good that you got it working. Next time if you post the full debug output rather than just a few lines then you might get more responses. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
You are right, I modified the users file with the following options. DEFAULT Ldap-Group == "testGroup", Auth-type := Accept Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 41 Day after day learning more. Thanks again. 2016-08-02 11:35 GMT+02:00 Matthew Newton <mcn4@leicester.ac.uk>:
On Tue, Aug 02, 2016 at 10:44:31AM +0200, Stefano Pardini wrote:
The problem was related to the "files" keyword inside the authorize section of inner-tunnel.
This is in the default configuration, and works fine.
If that was causing problems then it will be something you added to your 'users' file, rather than the fact that 'files' was being called.
Removing it everything starts to work.
Good that you got it working.
Next time if you post the full debug output rather than just a few lines then you might get more responses.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Aug 02, 2016 at 12:21:44PM +0200, Stefano Pardini wrote:
You are right, I modified the users file with the following options.
DEFAULT Ldap-Group == "testGroup", Auth-type := Accept Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 41
Yes, that will break it. You can't blindly accept an EAP connection; it has to be done properly by the eap module to send the correct EAP-Success back.
Day after day learning more.
That's good! Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
Alan DeKok -
Matthew Newton -
Stefano Pardini