Authentication with eap/mschapv2
Hello I would like to authenticate my Windows XP wireless users with freeradius against a AD. Test with the local ntlm_auth against the AD worked fine as well radtest with a local user in the users file. It seems to me that Problem ist somewhere here: Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 rlm_eap_mschapv2: Invalid response type 4 [eap] Handler failed in EAP/mschapv2 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. I have read in the archive that "Code 4 is MS-CHAP failure. It means that the client told the server it didn't like the previous packet" But I have no idea what the server does not like. The whole debug output is below Any help it greatliy appreciated regards stefan FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Sep 2 2009 at 13:59:26 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy..conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel group = freerad user = freerad including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127..0.0.1 require_message_authenticator = no secret = "testing123-1" shortname = "localhost" nastype = "other" } client 10.0.0.1 { require_message_authenticator = no secret = "testing123-1" shortname = "wireless" nastype = "others" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-mydomain:-mydomain} --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/demoCA/nzzwire01-0.key" certificate_file = "/etc/freeradius/certs/demoCA/nzzwire01-0.crt" CA_file = "/etc/freeradius/certs/demoCA/CA_cert.crt" private_key_password = "WireKey*!4" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no proxy_tunneled_request_as_eap = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {....} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=104, length=145 User-Name = "mydomain\\user" Framed-MTU = 1400 Called-Station-Id = "000d.2868.4801" Calling-Station-Id = "000e.3560.3e95" Service-Type = Login-User Message-Authenticator = 0xa1f051e8488f5a50cb044187a8c4c674 EAP-Message = 0x02010010015a4830315c532e486f747a NAS-Port-Type = Wireless-802.11 NAS-Port = 4392 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "wireless" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 104 to 10.0.0.1 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x80e9682e80eb716d23cf4280d3865bd8 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=105, length=253 User-Name = "mydomain\\user" Framed-MTU = 1400 Called-Station-Id = "000d.2868.4801" Calling-Station-Id = "000e.3560.3e95" Service-Type = Login-User Message-Authenticator = 0x8ea63d676026bf116dc956f454e8088e EAP-Message = 0x0202006a1900160301005f0100005b03014ab1f239fed58a9540ea7eeff0e2d184bfde52a76c671ae71e9ecf769581c7ff00003400390038003500160013000a00330032002f006600050004006500640063006200610060001500120009001400110008000600030100 NAS-Port-Type = Wireless-802.11 NAS-Port = 4392 State = 0x80e9682e80eb716d23cf4280d3865bd8 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "wireless" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 106 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005f], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 05ce], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 105 to 10.0.0.1 port 1645 EAP-Message = 0x0103040019c00000071d160301002a0200002603014ab1f237fbca05f523e033ce4b7b8ef2489ee1d6fe7016bbe3ffc2f4ab5acb540000390016030105ce0b0005ca0005c7000302308202fe30820267a003020102020103300d06092a864886f70d0101040500304e310b3009060355040613026368310b3009060355040813027a68310f300d060355040713067a7572696368310c300a060355040a13036e7a7a31133011060355040b130a696e666f726d6174696b301e170d3038313230343037333630395a170d3133313230333037333630395a3066310b3009060355040613026368310b3009060355040813027a68310c300a060355040a13 EAP-Message = 0x036e7a7a31133011060355040b130a696e666f726d6174696b312730250603550403131e6e7a7a7769726530312d302e7a6830312e6e7a7a6772757070652e6e657430819f300d06092a864886f70d010101050003818d0030818902818100bf2852a1be32bc65d8a6bf27c34453b53ae9a378b98943a31b5d4cffd28e96dd9b0fe69212027623d91a92682a238cd190adecad171cee0a76a5c264efd4e159242c850c78c1e8ec9acc7d222c3970510dd21a06596b40b25001fcb62b617d02a3c2cba3821cafd6b656e9eeca3c84a5e4c271b3786a2089de9ce97b9d894b630203010001a381d33081d030090603551d1304023000302c060960864801 EAP-Message = 0x86f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e04160414c93199967c5bdf132d1d5ab3fa15ac9b72ecc78530760603551d23046f306d8014727ea255965d8fbf177009121c46c0ca5c761743a152a450304e310b3009060355040613026368310b3009060355040813027a68310f300d060355040713067a7572696368310c300a060355040a13036e7a7a31133011060355040b130a696e666f726d6174696b820100300d06092a864886f70d0101040500038181002f9130e3625335befa4741b20897377a22f325d6436e1c36f9be24facaf7d1eb54deaa81edb224429c0854f0f6 EAP-Message = 0x9e6475e665843ce0370b2c4dcfa7fd912d359404dbc1b027aadf3de96180dba9be61bf82785b63a41ec73f7f6b84bcd80990704441a9a84945a2ba2f68c77c8c56880b191482c87285bb22fc9351db0fed03c40002bf308202bb30820224a003020102020100300d06092a864886f70d0101040500304e310b3009060355040613026368310b3009060355040813027a68310f300d060355040713067a7572696368310c300a060355040a13036e7a7a31133011060355040b130a696e666f726d6174696b301e170d3038313230333135343235395a170d3138313230313135343235395a304e310b3009060355040613026368310b30090603550408 EAP-Message = 0x13027a68310f300d06035504 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x80e9682e81ea716d23cf4280d3865bd8 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=106, length=153 User-Name = "mydomain\\user" Framed-MTU = 1400 Called-Station-Id = "000d.2868.4801" Calling-Station-Id = "000e.3560.3e95" Service-Type = Login-User Message-Authenticator = 0x918316a7a500e443230e4bbc47d5ad7d EAP-Message = 0x020300061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 4392 State = 0x80e9682e81ea716d23cf4280d3865bd8 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "wireless" +- entering group authorize {....} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 106 to 10.0.0.1 port 1645 EAP-Message = 0x0104032d19000713067a7572696368310c300a060355040a13036e7a7a31133011060355040b130a696e666f726d6174696b30819f300d06092a864886f70d010101050003818d0030818902818100c6c1ffce3fe668d765c1dd77d608b27ae5168f1f7316dfe1a61a51fecf6f027c376b13047d11e34eaefd6ed682d3a580106b2b085f78571cdf1c97d02fff9db2b45ecff5512bf42627b38bb49fcf492066930dd04d889258035bd804da3b43e36fb19fd3c6ade9dc1010b9f2d0886c90a26b5f9d22cd17a296867ecc4c709bab0203010001a381a83081a5301d0603551d0e04160414727ea255965d8fbf177009121c46c0ca5c76174330760603 EAP-Message = 0x551d23046f306d8014727ea255965d8fbf177009121c46c0ca5c761743a152a450304e310b3009060355040613026368310b3009060355040813027a68310f300d060355040713067a7572696368310c300a060355040a13036e7a7a31133011060355040b130a696e666f726d6174696b820100300c0603551d13040530030101ff300d06092a864886f70d0101040500038181009b2b4c150f7620aaf113a2855c0750f0f50f3265f6dc9fd8fc45c87192e5989f36e2b223cce00d9c2e289c59d7f552348f1befc5041ea840047c8c51b742070d2038a1d8f30d149f97b4cbfc136bfa0953625647d75e1865d30c12c56cd30417e427107d7ac14ab8 EAP-Message = 0xc3a50f63708713e4de5f2a257c536d7c8ec6401d29067103160301010d0c0001090040bc35b1fa5e7e1a1ac57b7f4b1d4bdb2aa0c090840cf3995df0fd2a2125315aeab4113d78cdd6f01841f720a3f51032069994b119ac5e013e6d1c1bdb60055c0b0001020040bb26e792b1a9496427dd930c8f921185af6d0b1301223b7bfff07ab237f63ecd5152d2a79716c1f6d95317f4105666565fc951027f12bdce2a6fec51a49ffa880080562d6f74e16994a4a2757f46b77009569a38e063190ba54e6d395c04837f42a48cb81baee48328a2844d446293b40effd6fa3ba3f2ab86032c5e5d3310ad86eb11ae0eab3c4b922b461f833c66b44a39f19b4b EAP-Message = 0x1fee35da981a6e3f4939e5c3e0187867094c41b1e6bf6da839f737f42dfefea18aa18718509de0791f15edde5316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x80e9682e82ed716d23cf4280d3865bd8 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=107, length=287 User-Name = "mydomain\\user" Framed-MTU = 1400 Called-Station-Id = "000d.2868.4801" Calling-Station-Id = "000e.3560.3e95" Service-Type = Login-User Message-Authenticator = 0xf6e713150b71eaf618f12fde46e3bcbb EAP-Message = 0x0204008c190016030100461000004200401c3ab7dc1a753b6ae3020d96d1d144cadf21b5f3422a6783f77bc954b33441514b12044ddacd7ca955d4e1c23c8fc697df9f9e4cdd9361aca2ed8f9ac3f1e04314030100010116030100309180e1b3bc25f45e673fbe76685a95ecc6440b1b0309c47624f75142ae6c9ada63fa12674301b56444c21b450c6b32e7 NAS-Port-Type = Wireless-802.11 NAS-Port = 4392 State = 0x80e9682e82ed716d23cf4280d3865bd8 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "wireless" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 140 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 107 to 10.0.0.1 port 1645 EAP-Message = 0x010500411900140301000101160301003020196b841f13a063342315f0272e8781d4be5a2e7147e5bdbbfbdc21aeef3d4ea2affdacf672abbd8534b15150719e00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x80e9682e83ec716d23cf4280d3865bd8 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=108, length=153 User-Name = "mydomain\\user" Framed-MTU = 1400 Called-Station-Id = "000d.2868.4801" Calling-Station-Id = "000e.3560.3e95" Service-Type = Login-User Message-Authenticator = 0x4e257a44e0eb615236e7e6132d5d661f EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 4392 State = 0x80e9682e83ec716d23cf4280d3865bd8 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "wireless" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 108 to 10.0.0.1 port 1645 EAP-Message = 0x0106002b190017030100204ac0995a7016dc6e2823fe58aa1a8ff6714e685167aa9168e2a18516a34ce6d6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x80e9682e84ef716d23cf4280d3865bd8 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=109, length=243 User-Name = "mydomain\\user" Framed-MTU = 1400 Called-Station-Id = "000d.2868.4801" Calling-Station-Id = "000e.3560.3e95" Service-Type = Login-User Message-Authenticator = 0xa1c6ce6def0c9de02466b5c65e1cf9c3 EAP-Message = 0x0206006019001703010020d89c686f3a414d7446d857dee8506108223b5dc794ab421d80fb05f03f0a2bd21703010030de672b9ad28edfa510afb0379d769393b37e8de8f1cc4e4f7e9153bc4b7c4b9ccae6f4b26cc5a1bf7fcdc31537a79ea0 NAS-Port-Type = Wireless-802.11 NAS-Port = 4392 State = 0x80e9682e84ef716d23cf4280d3865bd8 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "wireless" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - mydomain\user [peap] Got tunnled request EAP-Message = 0x02060010017a6830315c732e686f747a server (null) { PEAP: Got tunneled identity of mydomain\user PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to mydomain\user Sending tunneled request EAP-Message = 0x02060010017a6830315c732e686f747a FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "mydomain\\user" Framed-MTU = 1400 Called-Station-Id = "000d.2868.4801" Calling-Station-Id = "000e.3560.3e95" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 4392 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "wireless" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010700251a0107002010c508956d066adc8e3bc9b92127fb2fe27a6830315c732e686f747a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x03371cd203300629664a8ed6dcdcbe2d [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700251a0107002010c508956d066adc8e3bc9b92127fb2fe27a6830315c732e686f747a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x03371cd203300629664a8ed6dcdcbe2d [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 109 to 10.0.0.1 port 1645 EAP-Message = 0x0107004b19001703010040fd04cc1b4a2605a649d63355aabdeb2632f6f349527cb4013d00d87573592aab6137e23b1f600379195c551950397cce371207f6be612863a7984b38637b9992 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x80e9682e85ee716d23cf4280d3865bd8 Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=110, length=291 User-Name = "mydomain\\user" Framed-MTU = 1400 Called-Station-Id = "000d.2868.4801" Calling-Station-Id = "000e.3560.3e95" Service-Type = Login-User Message-Authenticator = 0x1cd29e39402a6e840e8f6556bf46928e EAP-Message = 0x0207009019001703010020bd76d0b1af16c027e5a9da101b14ee7fe6ff2cf97814650047851242be007a711703010060c32b500bc499db805ab72b291f00d4005f04d993d16bb7061e2d52b47c7d9556b3c7c11b69878df2bb9d162d0785d085987181a73a81d9315139e4662efa7b54369921d174a6047bb7746897a46c93a795a8ebc3c4856481f9e1323ad8bcbdb5 NAS-Port-Type = Wireless-802.11 NAS-Port = 4392 State = 0x80e9682e85ee716d23cf4280d3865bd8 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "wireless" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x020700461a0207004131f57076f6190b1451606d6ed9d3c3b80f0000000000000000758dee0f5cf4b7ea3cd150fa32ff165723887bae940074c4007a6830315c732e686f747a server (null) { PEAP: Setting User-Name to mydomain\user Sending tunneled request EAP-Message = 0x020700461a0207004131f57076f6190b1451606d6ed9d3c3b80f0000000000000000758dee0f5cf4b7ea3cd150fa32ff165723887bae940074c4007a6830315c732e686f747a FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "mydomain\\user" State = 0x03371cd203300629664a8ed6dcdcbe2d Framed-MTU = 1400 Called-Station-Id = "000d.2868.4801" Calling-Station-Id = "000e.3560..3e95" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 4392 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "wireless" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 70 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for user with NT-Password expand: --domain=%{mschap:NT-mydomain:-mydomain} -> --domain=mydomain expand: --username=%{mschap:User-Name:-None} -> --username=user [mschap] mschap2: c5 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=8660dea0f174464c expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=758dee0f5cf4b7ea3cd150fa32ff165723887bae940074c4 Exec-Program output: NT_KEY: B9C1923227672CF3D5079723D78E41A0 Exec-Program-Wait: plaintext: NT_KEY: B9C1923227672CF3D5079723D78E41A0 Exec-Program: returned: 0 ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800331a0307002e533d32423538443738374433374635314433313846413736343432333539463034384645433535353044 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x03371cd2023f0629664a8ed6dcdcbe2d [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800331a0307002e533d32423538443738374433374635314433313846413736343432333539463034384645433535353044 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x03371cd2023f0629664a8ed6dcdcbe2d [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 110 to 10.0.0.1 port 1645 EAP-Message = 0x0108005b1900170301005055895bdec32accf23e83a028b4dacbd15c004660b5f7894904db99814756478b5e75b0d7784be8499937b31e7b49ac566dea2f9ffcfec48f52c6187290e8531f7f1f1227f27d7b589aea4033a7d24ea9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x80e9682e86e1716d23cf4280d3865bd8 Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10..0.0.1 port 1645, id=111, length=227 User-Name = "mydomain\\user" Framed-MTU = 1400 Called-Station-Id = "000d.2868.4801" Calling-Station-Id = "000e.3560.3e95" Service-Type = Login-User Message-Authenticator = 0xca25c9fefffe68fb16b7540330f886cd EAP-Message = 0x0208005019001703010020218fcc3ddf31542a1f4561375cb7b54f876cad08360a35bbee7cffcc512cd1a1170301002029173c496b16779ef3bb3d5172702d36c240bd8357def389fac4eb3212046f6e NAS-Port-Type = Wireless-802.11 NAS-Port = 4392 State = 0x80e9682e86e1716d23cf4280d3865bd8 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "wireless" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x020800061a04 server (null) { PEAP: Setting User-Name to mydomain\user Sending tunneled request EAP-Message = 0x020800061a04 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "mydomain\\user" State = 0x03371cd2023f0629664a8ed6dcdcbe2d Framed-MTU = 1400 Called-Station-Id = "000d.2868.4801" Calling-Station-Id = "000e.3560.3e95" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 4392 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "wireless" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {....} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 rlm_eap_mschapv2: Invalid response type 4 [eap] Handler failed in EAP/mschapv2 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 111 to 10.0.0.1 port 1645 EAP-Message = 0x0109002b19001703010020b12908003d5c6d7d90cd3130cf111d70753d81ca7757744970195793cf356978 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x80e9682e87e0716d23cf4280d3865bd8 Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=112, length=227 User-Name = "mydomain\\user" Framed-MTU = 1400 Called-Station-Id = "000d.2868.4801" Calling-Station-Id = "000e.3560.3e95" Service-Type = Login-User Message-Authenticator = 0x508935028611f6b0a47361317bf28b8f EAP-Message = 0x02090050190017030100203ce39908b6bbd121e3b74f1b47e4df5e0a3b29c6bad8add51bdfad7e96ecb35917030100208618b9c909461c0afd54c4187f4fc76076ec42ed2d702e7cdd3e3099dc3b0f6b NAS-Port-Type = Wireless-802.11 NAS-Port = 4392 State = 0x80e9682e87e0716d23cf4280d3865bd8 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "wireless" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> mydomain\user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 112 to 10.0.0.1 port 1645 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds.
I would like to authenticate my Windows XP wireless users with freeradius against a AD. Test with the local ntlm_auth against the AD worked fine as well radtest with a local user in the users file.
I have read in the archive that "Code 4 is MS-CHAP failure. It means that the client told the server it didn't like the previous packet"
But I have no idea what the server does not like. mschap { use_mppe = no require_encryption = yes
You have disabled MPPE (Microsoft Point-to-Point Encryption) yet you require encryption. Ivan Kalik Kalik Informatika ISP
What is the compatibility for clients when you force encryption? Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Thursday, September 17, 2009 10:56 AM To: FreeRadius users mailing list Subject: Re: Authentication with eap/mschapv2
I would like to authenticate my Windows XP wireless users with freeradius against a AD. Test with the local ntlm_auth against the AD worked fine as well radtest with a local user in the users file.
I have read in the archive that "Code 4 is MS-CHAP failure. It means that the client told the server it didn't like the previous packet"
But I have no idea what the server does not like. mschap { use_mppe = no require_encryption = yes
You have disabled MPPE (Microsoft Point-to-Point Encryption) yet you require encryption.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank's for the answer Ivan. I have tried now both with or without encryption Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes unfortunately the result is still the same Found Auth-Type = EAP +- entering group authenticate {....} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 rlm_eap_mschapv2: Invalid response type 4 [eap] Handler failed in EAP/mschapv2 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Does it make sense to enable the encryption for mschap since the eap tunnel (as far I have understood) is the whole way from the client to the radius server. ________________________________ Von: Ivan Kalik <tnt@kalik.net> An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Gesendet: Donnerstag, den 17. September 2009, 16:55:33 Uhr Betreff: Re: Authentication with eap/mschapv2
I would like to authenticate my Windows XP wireless users with freeradius against a AD. Test with the local ntlm_auth against the AD worked fine as well radtest with a local user in the users file.
I have read in the archive that "Code 4 is MS-CHAP failure. It means that the client told the server it didn't like the previous packet"
But I have no idea what the server does not like. mschap { use_mppe = no require_encryption = yes
You have disabled MPPE (Microsoft Point-to-Point Encryption) yet you require encryption. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have tried now both with or without encryption
Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes
unfortunately the result is still the same
Found Auth-Type = EAP +- entering group authenticate {....} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 rlm_eap_mschapv2: Invalid response type 4 [eap] Handler failed in EAP/mschapv2 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user.
Does it make sense to enable the encryption for mschap since the eap tunnel (as far I have understood) is the whole way from the client to the radius server.
MPPE is encrypting connection between the user and NAS. Nothing to do with authentication encryption. Does PEAP work for username/pass in users file? Comment out ntlm_auth line in mschap module and see if authentication can complete like that. Ivan Kalik Kalik Informatika ISP
Yes it works with an entry in the user file +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for s.hotz with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled It works as well if I try it with the ntlm command from the radius server /usr/bin/ntlm_auth --request-nt-key --domain=domain--username=s.hotz So is my guess correct that I have to investigate further in the ntlm_auth command in the mschap module? I have tried different parameters. Right now it looks like: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{%{mschap:User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" ________________________________ Von: Ivan Kalik <tnt@kalik.net> An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Gesendet: Donnerstag, den 17. September 2009, 19:30:15 Uhr Betreff: Re: AW: Authentication with eap/mschapv2
I have tried now both with or without encryption
Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes
unfortunately the result is still the same
Found Auth-Type = EAP +- entering group authenticate {....} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 rlm_eap_mschapv2: Invalid response type 4 [eap] Handler failed in EAP/mschapv2 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user.
Does it make sense to enable the encryption for mschap since the eap tunnel (as far I have understood) is the whole way from the client to the radius server.
MPPE is encrypting connection between the user and NAS. Nothing to do with authentication encryption. Does PEAP work for username/pass in users file? Comment out ntlm_auth line in mschap module and see if authentication can complete like that. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes it works with an entry in the user file
It works as well if I try it with the ntlm command from the radius server
So is my guess correct that I have to investigate further in the ntlm_auth command in the mschap module?
Not exactly. I think the whole samba setup needs to be examined. There are known issues with samba 3.2.x but I must say failure doesn't look like this in cases I have seen. If you are using that, try downgrading to 3.0.x which is known to work well. Ivan Kalik Kalik Informatika ISP
Hi,
Not exactly. I think the whole samba setup needs to be examined. There are known issues with samba 3.2.x but I must say failure doesn't look like this in cases I have seen. If you are using that, try downgrading to 3.0.x which is known to work well.
latest version of SAMBA sends back different answers etc than older version. this messes things up - i'm awaiting announcement of when that issue has been fixed by the SAMBA people alan
participants (4)
-
Alan Buxey -
Ivan Kalik -
Nathan McDavit-Van Fleet -
Stefan Hotz