mschapv2 and peap not working, please help
Hi, I am a newbee on Linux and RAdius stuff. I am trying to authenticate WinXP and Win 7 machines on wireless using Freeradius, LDAP authentication. Please help. Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap ldap { server = "10.73.93.13" port = 389 password = "" identity = "" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "dc=uforadius,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x9ac42e8 Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server_keycert.pem" certificate_file = "/etc/raddb/certs/server_keycert.pem" CA_file = "/etc/raddb/certs/cacert.pem" private_key_password = "ufo@123" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1812 } listen { type = "acct" ipaddr = * port = 1813 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. [ldap] looking for reply items in directory... [ldap] user mahendra authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server [peap] Got tunneled reply code 11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 EAP-Message = 0x010800221a0108001d10f7973d26db065858580c2296c2a3df776d6168656e647261 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5e8caef75e84b4df9661a9005c9f7f60 [peap] Got tunneled reply RADIUS code 11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 EAP-Message = 0x010800221a0108001d10f7973d26db065858580c2296c2a3df776d6168656e647261 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5e8caef75e84b4df9661a9005c9f7f60 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 244 to 10.73.93.151 port 1027 EAP-Message = 0x010800391900170301002ee74a640228010756561c836a369e3317bd7c17ce26878f4122350b0fb26885e6ffadb3826841e731266a7356c939 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x91d6325996de2bb0f03f9ab7fb903713 Finished request 7. Going to the next request Waking up in 1.5 seconds. rad_recv: Access-Request packet from host 10.73.93.151 port 1027, id=245, length=286 User-Name = "mahendra" Calling-Station-Id = "00-1F-3C-E1-17-A9" NAS-IP-Address = 10.73.93.151 NAS-Port = 1 Called-Station-Id = "AC-67-06-39-C6-59" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "AC-67-06-39-C6-59" Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0208005a1900170301004fba54ddc1773706da1c180a69c21a6c1a0d0e5a461491374132cd70d5627be31dbade31fa910676053a7ac065595523a960b54039ec23d4b9ee842adddefcaa9b6cb0ef69bd73f0ade2dc4db2a9c2af State = 0x91d6325996de2bb0f03f9ab7fb903713 Vendor-25053-Attr-3 = 0x55464f4d6f7669657a Message-Authenticator = 0xeb1b3365cbe0ebcae1c4ffd65d153119 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "mahendra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 90 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800431a0208003e318cc1ff4314496a738afa9d819cbc6ca80000000000000000edd8688f221fea656143e0f13405d011f0622a7a24f16481006d6168656e647261 server { PEAP: Setting User-Name to mahendra Sending tunneled request EAP-Message = 0x020800431a0208003e318cc1ff4314496a738afa9d819cbc6ca80000000000000000edd8688f221fea656143e0f13405d011f0622a7a24f16481006d6168656e647261 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "mahendra" State = 0x5e8caef75e84b4df9661a9005c9f7f60 server { # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "mahendra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated [files] users: Matched entry DEFAULT at line 3 ++[files] returns ok [ldap] performing user authorization for mahendra [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> mahendra [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=mahendra) [ldap] expand: dc=uforadius,dc=com -> dc=uforadius,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=uforadius,dc=com, with filter (uid=mahendra) [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{crypt}$1$94hl3NgJ$AuuZleae5i2GkzrT9XIye0" [ldap] looking for reply items in directory... [ldap] user mahendra authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/default [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: mahendra [mschap] Told to do MS-CHAPv2 for mahendra with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [mahendra] (from client UFO-Network port 0 via TLS tunnel) } # server [peap] Got tunneled reply code 3 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 245 to 10.73.93.151 port 1027 EAP-Message = 0x010900261900170301001bf48d95f3c39075c79520a6eee44c17e2d9ae0941c29d65ec059b22 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x91d6325999df2bb0f03f9ab7fb903713 Finished request 8. Going to the next request Waking up in 1.5 seconds. rad_recv: Access-Request packet from host 10.73.93.151 port 1027, id=246, length=234 User-Name = "mahendra" Calling-Station-Id = "00-1F-3C-E1-17-A9" NAS-IP-Address = 10.73.93.151 NAS-Port = 1 Called-Station-Id = "AC-67-06-39-C6-59" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "AC-67-06-39-C6-59" Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020900261900170301001b61517419592d02817a09b553536ccb662e4e62ca241c6f768e47c5 State = 0x91d6325999df2bb0f03f9ab7fb903713 Vendor-25053-Attr-3 = 0x55464f4d6f7669657a Message-Authenticator = 0x986e9740d6c4076ab6c8dd79e0e4c2e8 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "mahendra", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [mahendra] (from client UFO-Network port 1 cli 00-1F-3C-E1-17-A9) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> mahendra attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 246 to 10.73.93.151 port 1027 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.5 seconds. Cleaning up request 0 ID 237 with timestamp +51 Cleaning up request 1 ID 238 with timestamp +51 Cleaning up request 2 ID 239 with timestamp +51 Cleaning up request 3 ID 240 with timestamp +52 Cleaning up request 4 ID 241 with timestamp +52 Cleaning up request 5 ID 242 with timestamp +52 Waking up in 3.3 seconds. Cleaning up request 6 ID 243 with timestamp +55 Cleaning up request 7 ID 244 with timestamp +55 Cleaning up request 8 ID 245 with timestamp +55 Waking up in 0.7 seconds. Cleaning up request 9 ID 246 with timestamp +55 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/mschapv2-and-peap-not-working-please... Sent from the FreeRadius - User mailing list archive at Nabble.com.
syharash wrote:
I am a newbee on Linux and RAdius stuff. I am trying to authenticate WinXP and Win 7 machines on wireless using Freeradius, LDAP authentication. Please help.
Thanks for posting the debug output, but it would help if you read it. It's not complicated. Also post the debug output into the form at: http://networkradius.com/freeradius.html That will make it clearer what's going wrong, and why. Alan DeKok.
Dear Alan, I am doing this all for the very first time. Could you please help me out? I do not understand what seems to be wrong? I have added that user "mahendra" in linux, ldap and also in the raddb/users file. The file contents are here; /etc/passwd mahendra:x:516:516::/home/mahendra:/bin/bash ldapsearch # extended LDIF # # LDAPv3 # base <> with scope subtree # filter: uid=mahendra # requesting: ALL # # mahendra, People, uforadius.com dn: uid=mahendra,ou=People,dc=uforadius,dc=com uid: mahendra cn: mahendra objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword:: e2NyeXB0fSQxJDk0aGwzTmdKJEF1dVpsZWFlNWkyR2t6clQ5WEl5ZTA= shadowLastChange: 15071 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 516 gidNumber: 516 homeDirectory: /home/mahendra # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 /etc/raddb/users DEFAULT Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 001E65003C44 User-Name = rasheed, User-Password == "M@d33na", Tunnel-Private-Group-ID := 3 001F3CD13053 User-Name = paresh, User-Password == "paresh@123", Tunnel-Private-Group-ID := 18 001F3CD12B6C User-Name = subhash, User-Password == "sub@1979", Tunnel-Private-Group-ID := 2 001F3CE117A9 User-Name = mahendra, User-Password == "ufo@123", Tunnel-Private-Group-ID := 4 AC670639D299 User-Name = sachin, User-Password == "sachin123", Tunnel-Private-Group-ID := 18 -- View this message in context: http://freeradius.1045715.n5.nabble.com/mschapv2-and-peap-not-working-please... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Dear Alan, I am doing this all for the very first time. Could you please help me out? I do not understand what seems to be wrong? I have added that user "mahendra" in linux, ldap and also in the raddb/users file. The file contents are here; /etc/passwd mahendra:x:516:516::/home/mahendra:/bin/bash ldapsearch # extended LDIF # # LDAPv3 # base <> with scope subtree # filter: uid=mahendra # requesting: ALL # # mahendra, People, uforadius.com dn: uid=mahendra,ou=People,dc=uforadius,dc=com uid: mahendra cn: mahendra objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword:: e2NyeXB0fSQxJDk0aGwzTmdKJEF1dVpsZWFlNWkyR2t6clQ5WEl5ZTA= shadowLastChange: 15071 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 516 gidNumber: 516 homeDirectory: /home/mahendra # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 /etc/raddb/users DEFAULT Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 001E65003C44 User-Name = rasheed, User-Password == "M@d33na", Tunnel-Private-Group-ID := 3 001F3CD13053 User-Name = paresh, User-Password == "paresh@123", Tunnel-Private-Group-ID := 18 001F3CD12B6C User-Name = subhash, User-Password == "sub@1979", Tunnel-Private-Group-ID := 2 001F3CE117A9 User-Name = mahendra, User-Password == "ufo@123", Tunnel-Private-Group-ID := 4 AC670639D299 User-Name = sachin, User-Password == "sachin123", Tunnel-Private-Group-ID := 18 -- View this message in context: http://freeradius.1045715.n5.nabble.com/mschapv2-and-peap-not-working-please... Sent from the FreeRadius - User mailing list archive at Nabble.com.
[ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{crypt}$1$94hl3NgJ$AuuZleae5i2GkzrT9XIye0"
"crypt" passwords cannot be used to do MS-CHAP. It is impossible. MS-CHAP requires either the cleartext password or NT/LM hashes. See: http://deployingradius.com/documents/protocols/compatibility.html
[ldap] looking for reply items in directory... [ldap] user mahendra authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/default [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: mahendra [mschap] Told to do MS-CHAPv2 for mahendra with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
...because you only have crypt passwords, it fails. You MUST store plaintext or nt/lm hashes if you want to do PEAP/MSCHAP
Great Phil, I've changed my /etc/raddb/users file and it worked, could you please help me if i can make a particular user login only from a single machine using the MAC Address of that machine. my existing /etc/raddb/users file looks like this DEFAULT Auth-Type = System Fall-Through = 1 # # Defaults for LDAP # #DEFAULT Auth-Type := LDAP # Fall-Through = 1 DEFAULT Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Service-Type = Framed-User, Fall-Through = Yes abdul Cleartext-Password := "test123", Tunnel-Private-Group-ID := 18 -- View this message in context: http://freeradius.1045715.n5.nabble.com/mschapv2-and-peap-not-working-please... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi, comparisons/requirements are ont he first line, replies are on following lines ie user Cleartext-Password := "testing", NAS-IP-Address = "192.168.0.1" AttributeX = "this", AttributeY = "that" alan
Hi Alan, Thanks, everything is set. works fine just that my client pc is not getting an IP address leased from that particular vlan's dhcp scope. It just worked once but after that its baffling that the client's are not getting an IP address leased from the dhcp scope. my routing is fine, on the wired i get IP addresses from all the respective vlan scopes. I have pasted the debug output +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "ufomoviez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 68 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 219 [files] users: Matched entry ufomoviez at line 229 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/default [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: ufomoviez [mschap] Told to do MS-CHAPv2 for ufomoviez with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server [peap] Got tunneled reply code 11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "14" EAP-Message = 0x010900331a0308002e533d34313037344535313739393032323230383532353333343343333634413033453935423736413131 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf8774653f97e5cc97113aabe8c277640 [peap] Got tunneled reply RADIUS code 11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "14" EAP-Message = 0x010900331a0308002e533d34313037344535313739393032323230383532353333343343333634413033453935423736413131 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf8774653f97e5cc97113aabe8c277640 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 67 to 10.73.93.151 port 1027 EAP-Message = 0x0109004a1900170301003f666073d1310682a7a10b8428e26dd7635ca8d935dd7fddec1cd136768ca41bfdfc62b2d099c4f981e4d80d6d36eadf76aeb394d608351f6f58a4a2aed304bd Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc25314c9ca5a0d8b20dd096be7aef9e4 Finished request 35. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.73.93.151 port 1027, id=68, length=226 User-Name = "ufomoviez" Calling-Station-Id = "00-1F-3C-E1-17-A9" NAS-IP-Address = 10.73.93.151 NAS-Port = 1 Called-Station-Id = "AC-67-06-39-C7-A9" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "AC-67-06-39-C7-A9" Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0209001d19001703010012fb14fcf6b8188d4bec31a53ccd4a02d3fe40 State = 0xc25314c9ca5a0d8b20dd096be7aef9e4 Vendor-25053-Attr-3 = 0x55464f4d6f7669657a Message-Authenticator = 0xf765d281ccdde6faa88707b082869895 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "ufomoviez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 29 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { PEAP: Setting User-Name to ufomoviez Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "ufomoviez" State = 0xf8774653f97e5cc97113aabe8c277640 server { # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "ufomoviez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 219 [files] users: Matched entry ufomoviez at line 229 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok Login OK: [ufomoviez] (from client UFO-Network port 0 via TLS tunnel) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop } # server [peap] Got tunneled reply code 2 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "14" MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x583bbf3ecc34ab92bc1824d5c0249269 MS-MPPE-Recv-Key = 0x61a7c64013fb5d61b9adb74485a8acf1 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "ufomoviez" [peap] Got tunneled reply RADIUS code 2 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "14" MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x583bbf3ecc34ab92bc1824d5c0249269 MS-MPPE-Recv-Key = 0x61a7c64013fb5d61b9adb74485a8acf1 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "ufomoviez" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 68 to 10.73.93.151 port 1027 EAP-Message = 0x010a00261900170301001b99404e8ab4de5b56a43db0956aa82ebfb29618713b9de45db0e54e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc25314c9cb590d8b20dd096be7aef9e4 Finished request 36. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.73.93.151 port 1027, id=69, length=235 User-Name = "ufomoviez" Calling-Station-Id = "00-1F-3C-E1-17-A9" NAS-IP-Address = 10.73.93.151 NAS-Port = 1 Called-Station-Id = "AC-67-06-39-C7-A9" Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "AC-67-06-39-C7-A9" Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020a00261900170301001bb4f7f0e5778dfe42c680e547967d6d7958220b935d455b7a6f6960 State = 0xc25314c9cb590d8b20dd096be7aef9e4 Vendor-25053-Attr-3 = 0x55464f4d6f7669657a Message-Authenticator = 0xbfe2fcfb9ad0cda62daa05fb90f44522 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "ufomoviez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok Login OK: [ufomoviez] (from client UFO-Network port 1 cli 00-1F-3C-E1-17-A9) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 69 to 10.73.93.151 port 1027 MS-MPPE-Recv-Key = 0xd44aa3f35fffa8182e9ef33a3128ac1788fca22db1b321d463f5bfe5e702be85 MS-MPPE-Send-Key = 0x543ffe1228cdbaab4b7b2a266becbd26f31181794f3a531d1707aee149821182 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "ufomoviez" Finished request 37. Going to the next request Waking up in 4.9 seconds. Cleaning up request 27 ID 59 with timestamp +402 Cleaning up request 28 ID 60 with timestamp +402 Cleaning up request 29 ID 61 with timestamp +402 Cleaning up request 30 ID 62 with timestamp +402 Cleaning up request 31 ID 63 with timestamp +402 Cleaning up request 32 ID 64 with timestamp +402 Cleaning up request 33 ID 65 with timestamp +402 Cleaning up request 34 ID 66 with timestamp +402 Cleaning up request 35 ID 67 with timestamp +402 Cleaning up request 36 ID 68 with timestamp +402 Cleaning up request 37 ID 69 with timestamp +402 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/mschapv2-and-peap-not-working-please... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (4)
-
Alan Buxey -
Alan DeKok -
Phil Mayers -
syharash