PEAP authenication issues - sort of
I have FreeRADIUS setup do LDAP authentication against AD and also PEAP which ultimately uses ntlm_auth against AD. Both work fine for the most part except some users that I have started to add to the PEAP enabled wireless network. If I connect to this network, I authenticate fine. If one of these other accounts connects, the authentication fails for some reason. Here are the entries from the radius.log file: Thu Jun 12 13:21:25 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 0) Thu Jun 12 13:21:25 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 1 cli 00-0E-35-6F-A3-7D) Thu Jun 12 13:21:54 2008 : Auth: Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 0) Thu Jun 12 13:21:54 2008 : Auth: Login incorrect: [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 1 cli 00-0C-F1-12-49-DD) Thu Jun 12 13:22:12 2008 : Auth: Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 0) Thu Jun 12 13:22:12 2008 : Auth: Login incorrect: [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 1 cli 00-0C-F1-12-49-DD) Thu Jun 12 13:23:04 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 0) Thu Jun 12 13:23:04 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 2 cli 00-0E-35-6F-A3-7D) If I try the samba authentication from a command line on the FreeRADIUS server, it completes successfully: [root@RADIUS1 raddb]# /usr/local/samba/bin/wbinfo -a nonworkinguser%testpassword plaintext password authentication succeeded challenge/response password authentication succeeded If I test authentication of the user using radtest, it works fine and is able to find the user: [root@RADIUS2 ~]# radtest nonworkinguser testpassword 10.1.1.1 1 testing123 Sending Access-Request of id 221 to 10.1.1.1 port 1812 User-Name = "nonworkinguser" User-Password = "testpassword" NAS-IP-Address = 127.0.0.1 NAS-Port = 1 rad_recv: Access-Accept packet from host 10.1.1.1 port 1812, id=221, length=20 What I believe to be the relevant part of the radiusd -X output is: auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for nonworkinguser with NT-Password expand: --username=%{mschap:User-Name} -> --username=nonworkinguser mschap2: 85 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=3c2921ed60ab0f28 expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=9b2c345dd9585a0b79b19cd2fe360474a737271903b6989c Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Anyone have any ideas as to what the problem might be?
I'm not anywhere near expert enough with FreeRADIUS to be able to point you to the solution to your problem, but I think I can at least help you understand some of the behaviour you're seeing ... On Thu, 12 Jun 2008, Capelle, Mark (PCMC-GB) wrote:
Thu Jun 12 13:21:54 2008 : Auth: Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 0)
This part is very significant of course. Can you perform an LDAP search for the user, using the same credentials and search filters as are used by FreeRADIUS?
If I try the samba authentication from a command line on the FreeRADIUS server, it completes successfully:
That suggests to me that your non-working user exists in the directory, but not in the container that FreeRADIUS is looking for it in its LDAP configuration. For example does the user exist in the "basedn" you have configured RADIUS to look in?
If I test authentication of the user using radtest, it works fine and is able to find the user: ...
Follow the RADIUS server's -X output when you do that and compare to when an authentication request comes in from the WLAN controller. You'll find that radtest isn't performing any form of EAP authentication so your PEAP setup isn't being tested with that. To test thoroughly you'll probably want to use a utility such as wpa_supplicant's eapol_test. I'm sorry I can't help more than that but I hope I'll have helped you gather more information and test more closely to what you want to be testing. -- ---------------------------------------------------------------------- Sylvain Robitaille syl@alcor.concordia.ca Systems and Network analyst Concordia University Instructional & Information Technology Montreal, Quebec, Canada ----------------------------------------------------------------------
participants (2)
-
Capelle, Mark (PCMC-GB) -
Sylvain Robitaille