I have a device that uses EAP-MSCHAPv2 (without PEAP) for authentication. I am running freeRadius on Redhat. The device is plugged into a switch which sends the EAP request to the server. I am unable to get the device authenticated with the Radius server. In the users file should the Auth-type be local or MS-Chap? Should I be sending the authentication request to an NT domain or will the username and password in the user file be sufficient? Any documentation or insight would be very helpful and greatly appreciated! Below is the radius debug output. Thanks, Paul. rad_recv: Access-Request packet from host 13.138.136.68:1645, id=226, length=127 NAS-IP-Address = 13.138.136.68 NAS-Port = 50003 NAS-Port-Type = Ethernet User-Name = "tester" Called-Station-Id = "00-0A-B8-39-79-85" Calling-Station-Id = "00-00-AA-6E-78-F6" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0201000b01746573746572 Message-Authenticator = 0x7836b28d762411aa9dcd27ff0d70d047 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "tester", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 1 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry tester at line 82 modcall[authorize]: module "files" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type Local auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Delaying request 8 for 1 seconds Finished request 8 This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s) please contact the sender by reply e-mail and destroy all copies of the original message. Thank you
"Christopher, Paul" <Paul.Christopher@xerox.com> wrote:
I have a device that uses EAP-MSCHAPv2 (without PEAP) for authentication. I am running freeRadius on Redhat. The device is plugged into a switch which sends the EAP request to the server. I am unable to get the device authenticated with the Radius server. In the users file should the Auth-type be local or MS-Chap?
Neither. Don't set Auth-Type at all. The server WILL figure it out.
Should I be sending the authentication request to an NT domain or will the username and password in the user file be sufficient?
Putting a username and password into the "users" file will be sufficient. # bob User-Password := "hello" # EAP-MSCHAPv2 *will* work. See: http://deployingradius.com/documents/configuration/pap.html Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi Alan, Thanks for the response. I remove the Auth-Type, but it is still not working. Now I get a new set of errors. I did a radtest bob hello localhost 0 testing123 and the user was able to authenticate. I don't know why it doesn't work for EAP-MSchapv2. Thanks for your help! Below is the debug log: rad_recv: Access-Request packet from host 13.138.136.68:1645, id=155, length=140 NAS-IP-Address = 13.138.136.68 NAS-Port = 50003 NAS-Port-Type = Ethernet User-Name = "tester" Called-Station-Id = "00-0A-B8-39-79-85" Calling-Station-Id = "00-0B-DB-64-9B-A7" Service-Type = Framed-User Framed-MTU = 1500 State = 0x9b24bde92b2edf137fd180df54de624a EAP-Message = 0x021300060315 Message-Authenticator = 0x59b57149b1821c1ec87342e2e04cdbc8 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 19 modcall[authorize]: module "preprocess" returns ok for request 19 modcall[authorize]: module "chap" returns noop for request 19 modcall[authorize]: module "mschap" returns noop for request 19 rlm_realm: No '@' in User-Name = "tester", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 19 rlm_eap: EAP packet type response id 19 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 19 users: Matched entry tester at line 83 modcall[authorize]: module "files" returns ok for request 19 modcall: leaving group authorize (returns updated) for request 19 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 19 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/ttls rlm_eap: No such EAP type ttls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 19 modcall: leaving group authenticate (returns invalid) for request 19 auth: Failed to validate the user. Delaying request 19 for 1 seconds Finished request 19 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 13.138.136.68:1645, id=155, length=140Sending Access-Reject of id 155 to 13.138.136.68 port 1645 EAP-Message = 0x04130004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s) please contact the sender by reply e-mail and destroy all copies of the original message. Thank you -----Original Message----- From: freeradius-users-bounces+paul.christopher=xerox.com@lists.freeradius.org [mailto:freeradius-users-bounces+paul.christopher=xerox.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, September 12, 2006 4:12 PM To: FreeRadius users mailing list Subject: Re: EAP-MSChapv2 authentication "Christopher, Paul" <Paul.Christopher@xerox.com> wrote:
I have a device that uses EAP-MSCHAPv2 (without PEAP) for authentication. I am running freeRadius on Redhat. The device is plugged into a switch which sends the EAP request to the server. I am unable to get the device authenticated with the Radius server. In the users file should the Auth-type be local or MS-Chap?
Neither. Don't set Auth-Type at all. The server WILL figure it out.
Should I be sending the authentication request to an NT domain or will the username and password in the user file be sufficient?
Putting a username and password into the "users" file will be sufficient. # bob User-Password := "hello" # EAP-MSCHAPv2 *will* work. See: http://deployingradius.com/documents/configuration/pap.html Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Christopher, Paul" <Paul.Christopher@xerox.com> wrote:
Thanks for the response. I remove the Auth-Type, but it is still not working. Now I get a new set of errors. I did a radtest bob hello localhost 0 testing123 and the user was able to authenticate.
Because PAP authentication is simple, and doesn't involve EAP.
I don't know why it doesn't work for EAP-MSchapv2. Thanks for your help! Below is the debug log: ... rlm_eap: EAP-NAK asked for EAP-Type/ttls rlm_eap: No such EAP type ttls
Uh... what part of that message is unclear? The client isn't doing EAP-MSCHAPv2. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi,
rlm_eap: EAP-NAK asked for EAP-Type/ttls rlm_eap: No such EAP type ttls
only a guess - but the above line seems to be the big clue here. have you configured your eap.conf correctly...and did you build from source? if from source, did you check that configure passed by without failing on anything...eg no OpenSSL dev headers etc? you have to have the certificates part in eap.conf sorted, or ttls wont work. alan
Hi Alan, Thanks for your response. I don't understand what you mean by 'did you build from source?' Please explain. I did not generate any certs. I didn't think EAP-MSChapv2 needed certificates. Paul. This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s) please contact the sender by reply e-mail and destroy all copies of the original message. Thank you -----Original Message----- From: freeradius-users-bounces+paul.christopher=xerox.com@lists.freeradius.org [mailto:freeradius-users-bounces+paul.christopher=xerox.com@lists.freera dius.org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Wednesday, September 13, 2006 3:22 PM To: FreeRadius users mailing list Subject: Re: EAP-MSChapv2 authentication Hi,
rlm_eap: EAP-NAK asked for EAP-Type/ttls rlm_eap: No such EAP type ttls
only a guess - but the above line seems to be the big clue here. have you configured your eap.conf correctly...and did you build from source? if from source, did you check that configure passed by without failing on anything...eg no OpenSSL dev headers etc? you have to have the certificates part in eap.conf sorted, or ttls wont work. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Paul, I think what Alan was getting at is that Your client asked for EAP-TTLS, not EAP-MSChapV2. This might be the root of your problem. If you Intend to do MSChapV2 inside of TTLS Tunnels, you MUST setup a certificate. This is make quite clear in the eap.conf file, that TTLS is dependant on TLS being setup. What is your user source? (users file, passwd file, LDAP, Active Directory) I ask because MSChapV2 is incompatable with a few of these sources.
-----Original Message-----
rlm_eap: EAP-NAK asked for EAP-Type/ttls rlm_eap: No such EAP type ttls
Hi,
Hi Alan, Thanks for your response. I don't understand what you mean by 'did you build from source?' Please explain. I did not generate any certs. I didn't think EAP-MSChapv2 needed certificates.
build from source - did you download the freeradius-1.1.3.tar.gz and then extract it, run ./configure, make, make install etc not built from source - did you simply apt-get install freeradius or yum install freeradius etc. PS if a gentoo user, if you 'emerge freeradius' I would class that as building from source ;-) the next question is are you really doing raw EAP-MSCHAPv2 - this isnt too common (on this list anyway....) the error log you posted clearly hinted at EAP-TTLS ... so any MSCHAPv2 would be in the tunnel. if you have this form of EAP then the TLS section must be working...as the first few lines of eap.conf clearly state. otherwise it 'just wont work'(tm) alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Christopher, Paul -
King, Michael