FreeRadius 2.1.1 with PEAP- EAP-MD5
Hi All, I have been trying to configure PEAP with EAP -MD5 but i juat cannot get it to work. TTLS with EAP -MD5 workes fine. Also PEAP with Token card(gtc) and MSCHAPv2 works fine. What I tried is... 1. When I *comment out MSCHAPv2* in the eap.conf file and I try with the client being in PEAP EAP-MSCHAPv2, then I get a REJECT as below. 2.When I *comment out MD5* in the eap.conf file and try with the client being in PEAP EAP MD5, then I get the same REJECT message as below 3. When *I dont comment out MD5(MD5 is enabled)* in the eap.conf file and try with the client being in PEAP EAP MD5, then I get the same REJECT message as below In all the above three cases, I seem to be getting the same Reject message as below: ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "queenie", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 72 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> queenie attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 9 to 192.168.5.200 port 1024 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.5 seconds. Cleaning up request 0 ID 1 with timestamp +79 Cleaning up request 1 ID 2 with timestamp +79 Cleaning up request 2 ID 3 with timestamp +79 Cleaning up request 3 ID 4 with timestamp +79 Waking up in 0.2 seconds. Cleaning up request 4 ID 5 with timestamp +79 Cleaning up request 5 ID 6 with timestamp +79 Cleaning up request 6 ID 7 with timestamp +79 Cleaning up request 7 ID 8 with timestamp +79 Waking up in 1.0 seconds. Cleaning up request 8 ID 9 with timestamp +79 Ready to process requests. *Is it possible that in the eap.conf file, the MD5 does not get enabled under PEAP? Cause MD5 does work fine with TTLS for me. * Pl help! Regards, Queenie
Error is earlier in the debug. Post the whole thing and I'll point it out. I think that this is a bug. Ivan Kalik Kalik Informatika ISP Dana 6/11/2008, "Queenie de Melo" <queenie245@gmail.com> piše:
Hi All,
I have been trying to configure PEAP with EAP -MD5 but i juat cannot get it to work.
TTLS with EAP -MD5 workes fine. Also PEAP with Token card(gtc) and MSCHAPv2 works fine.
What I tried is... 1. When I *comment out MSCHAPv2* in the eap.conf file and I try with the client being in PEAP EAP-MSCHAPv2, then I get a REJECT as below. 2.When I *comment out MD5* in the eap.conf file and try with the client being in PEAP EAP MD5, then I get the same REJECT message as below 3. When *I dont comment out MD5(MD5 is enabled)* in the eap.conf file and try with the client being in PEAP EAP MD5, then I get the same REJECT message as below
In all the above three cases, I seem to be getting the same Reject message as below:
++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "queenie", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 72 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> queenie attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 9 to 192.168.5.200 port 1024 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.5 seconds. Cleaning up request 0 ID 1 with timestamp +79 Cleaning up request 1 ID 2 with timestamp +79 Cleaning up request 2 ID 3 with timestamp +79 Cleaning up request 3 ID 4 with timestamp +79 Waking up in 0.2 seconds. Cleaning up request 4 ID 5 with timestamp +79 Cleaning up request 5 ID 6 with timestamp +79 Cleaning up request 6 ID 7 with timestamp +79 Cleaning up request 7 ID 8 with timestamp +79 Waking up in 1.0 seconds. Cleaning up request 8 ID 9 with timestamp +79 Ready to process requests.
*Is it possible that in the eap.conf file, the MD5 does not get enabled under PEAP? Cause MD5 does work fine with TTLS for me. *
Pl help!
Regards, Queenie
Thanks Ivan. Please find attached the log. Hope you can get some info from this. 2008/11/6 <tnt@kalik.net>
Error is earlier in the debug. Post the whole thing and I'll point it out. I think that this is a bug.
Ivan Kalik Kalik Informatika ISP
Dana 6/11/2008, "Queenie de Melo" <queenie245@gmail.com> piše:
Hi All,
I have been trying to configure PEAP with EAP -MD5 but i juat cannot get it to work.
TTLS with EAP -MD5 workes fine. Also PEAP with Token card(gtc) and MSCHAPv2 works fine.
What I tried is... 1. When I *comment out MSCHAPv2* in the eap.conf file and I try with the client being in PEAP EAP-MSCHAPv2, then I get a REJECT as below. 2.When I *comment out MD5* in the eap.conf file and try with the client being in PEAP EAP MD5, then I get the same REJECT message as below 3. When *I dont comment out MD5(MD5 is enabled)* in the eap.conf file and try with the client being in PEAP EAP MD5, then I get the same REJECT message as below
In all the above three cases, I seem to be getting the same Reject message as below:
*Is it possible that in the eap.conf file, the MD5 does not get enabled under PEAP? Cause MD5 does work fine with TTLS for me. *
Pl help!
Regards, Queenie
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
server (null) { PEAP: Setting User-Name to queenie Sending tunneled request EAP-Message = 0x020900160410ef6cb6c0397ac7d4c05bf94e3f25b91f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "queenie" State = 0xcec54cd4cfcc481d16e979e447d690e2 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "queenie", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry queenie at line 91 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. That is when things go wrong. It goes to process md5 and returns reject. There is no moaning about wrong password or anything else. Ivan Kalik Kalik Informatika ISP
Appreciate all your help Ivan. Could you get a clue as to what could be causing the Reject? Do you need any more logs? On Thu, Nov 6, 2008 at 7:57 PM, <tnt@kalik.net> wrote:
server (null) { PEAP: Setting User-Name to queenie Sending tunneled request EAP-Message = 0x020900160410ef6cb6c0397ac7d4c05bf94e3f25b91f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "queenie" State = 0xcec54cd4cfcc481d16e979e447d690e2 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "queenie", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry queenie at line 91 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user.
That is when things go wrong. It goes to process md5 and returns reject. There is no moaning about wrong password or anything else.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I think that you should file this as a bug report on http://bugs.freeradius.org/ . Developers will than have a look to see is this a bug or something specific to the equipment/OS you are using. Ivan Kalik Kalik Informatika ISP Dana 7/11/2008, "Queenie de Melo" <queenie245@gmail.com> piše:
Appreciate all your help Ivan. Could you get a clue as to what could be causing the Reject? Do you need any more logs?
On Thu, Nov 6, 2008 at 7:57 PM, <tnt@kalik.net> wrote:
server (null) { PEAP: Setting User-Name to queenie Sending tunneled request EAP-Message = 0x020900160410ef6cb6c0397ac7d4c05bf94e3f25b91f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "queenie" State = 0xcec54cd4cfcc481d16e979e447d690e2 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "queenie", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry queenie at line 91 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user.
That is when things go wrong. It goes to process md5 and returns reject. There is no moaning about wrong password or anything else.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Queenie de Melo -
tnt@kalik.net