Freeradius + WPA2 + Windows Client
I have configured a Freeradius 2 server that authenticates on ldap for wireless network connection. While testing, the radtest sends access-accept locally with linux platforms but when I try to test it using the router, it fails. The error in the debug shows: [mschapv2] WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. I've used peap and ttls as default eap type but it goes with the same error. I really need help for this matter. -- View this message in context: http://old.nabble.com/Freeradius-%2B-WPA2-%2B-Windows-Client-tp29479107p2947... Sent from the FreeRadius - User mailing list archive at Nabble.com.
rrperez wrote:
The error in the debug shows:
[mschapv2] WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
You edited the default configuration and broke it. Don't do that.
I've used peap and ttls as default eap type but it goes with the same error.
I really need help for this matter.
Stop breaking the configuration. It's really not that hard to get the server up and running. Most of the problems you're running into are because you're destroying the configuration, creating problems for yourself, and then asking us to help you fix them. The best help we can offer is to tell you: stop breaking the configuration. I have no idea what you think you're doing, but stop it. It's wasting your time, and ours. Alan DeKok.
Thanks for the response Alan, I just commented out the pap and uncomment the ldap in the default and like I said, it is working fine but with windows client, it fails the authentication protocol which is mschapv2. My configuration is about freeradius authenticating its users from a domino ldap directory. If I uncomment the pap in the default, the server will perform pap authentication instead of ldap. I want an ldap authentication rather than pap because it is only the possible way for me to authenticate in the domino ldap. By using this method, doing radtest on linux platforms within local network works. But with windows clients n the wireless authentication fails because it uses EAP-MSCHAPv2. (This is also the same if I use pap authentication) I just want to know if there are any EAP protocol aside from MSCHAPv2 that will work on windows clients? -- View this message in context: http://old.nabble.com/Freeradius-%2B-WPA2-%2B-Windows-Client-tp29479107p2947... Sent from the FreeRadius - User mailing list archive at Nabble.com.
rrperez wrote:
I just commented out the pap and uncomment the ldap in the default and like I said, it is working fine but with windows client, it fails the authentication protocol which is mschapv2.
Nonsense. The output you posted showed an "mschapv2" module. There is *no* such module in the default server configuration. I don't think you're intentionally misleading us. I *do* think you're not paying attention to what you're doing, and you're not paying attention to the messages on this list.
My configuration is about freeradius authenticating its users from a domino ldap directory. If I uncomment the pap in the default, the server will perform pap authentication instead of ldap. I want an ldap authentication rather than pap because it is only the possible way for me to authenticate in the domino ldap.
You've said that lots. Repeating yourself like that is another sign that you're not paying attention.
By using this method, doing radtest on linux platforms within local network works. But with windows clients n the wireless authentication fails because it uses EAP-MSCHAPv2. (This is also the same if I use pap authentication)
I just want to know if there are any EAP protocol aside from MSCHAPv2 that will work on windows clients?
Read the messages on this list. Your questions have been asked, and answered many times. Now stop asking questions. *All* of the questions you've asked have been answered already. Go back and read the responses. If you keep asking the same questions, you will be admitting that you're not reading the responses, and that you're wasting everyones time. Alan DeKok.
Sorry for the inconvenience Alan, I'm just a student and currently studying/exploring radius servers. Now I changed all the configuration back to default and make the some configuration to make ldap works. Here is the debug and it is quite different from the previous one: rad_recv: Access-Request packet from host 10.96.100.205 port 1494, id=0, length=143 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x37e5184d33e0019d0fd828625cb2b12f NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061900 Message-Authenticator = 0xcffe22481a4058a92af0247cdbeb03ec +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1494 EAP-Message = 0x0106002b1900170301002091954e9ec07cc3ca9afa609b287aea0248a1a1fbb2fe6ad3ccf1ea09fba06e11 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x37e5184d32e3019d0fd828625cb2b12f Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1496, id=0, length=196 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x37e5184d32e3019d0fd828625cb2b12f NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0206003b19001703010030b116207fd585e2b669e3f77de44fc303752534eacf129c6be70a929f6c0f467eac807a801d321cd3fbee1078fefb5fcc Message-Authenticator = 0xa31d5cd12cca50d02ad850f9eb1f0ff8 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - kim.almarez [peap] Got tunneled request EAP-Message = 0x02060010016b696d2e616c6d6172657a server { PEAP: Got tunneled identity of kim.almarez PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to kim.almarez Sending tunneled request EAP-Message = 0x02060010016b696d2e616c6d6172657a FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "kim.almarez" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for kim.almarez [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> kim.almarez [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=kim.almarez) [ldap] expand: O=SMPRIME -> O=SMPRIME rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in O=SMPRIME, with filter (uid=kim.almarez) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user kim.almarez authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010700251a01070020102ef100c06100accb4d5d1b6ad5d2f8446b696d2e616c6d6172657a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb71a0bf8b71d112af1d78f0bcd53be2d [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700251a01070020102ef100c06100accb4d5d1b6ad5d2f8446b696d2e616c6d6172657a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb71a0bf8b71d112af1d78f0bcd53be2d [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1496 EAP-Message = 0x0107004b19001703010040b41853b36929694f55a975a54e0312aad67a79c95cee9ba97992e39f7d2cb6588c877bec75be8cf35a9a5ef98dad06c34e7356d515ab0acfad5acbec3896cbfa Message-Authenticator = 0x00000000000000000000000000000000 State = 0x37e5184d31e2019d0fd828625cb2b12f Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1498, id=0, length=244 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x37e5184d31e2019d0fd828625cb2b12f NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207006b190017030100601e1827ee2c7843bdfa6b6e4689356b3cf4bbc3f5fe93482b29a244a417d2932b712ffbd46c831824c618053d9e66118c6e9bb1f988abb79558291fd48347ea822c12fa3e712b7512ce80fc6fb19399f71a3dc7d99c9b8ae049e2d93d0119462d Message-Authenticator = 0xab6a9afce0d198bfc3a3acbd3bfb1958 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700461a0207004131c8424ddebbff4ae40360c6bf7d5a207500000000000000006da6ed352c3663c5a057b5a88306c7398494ebcd6bd77420006b696d2e616c6d6172657a server { PEAP: Setting User-Name to kim.almarez Sending tunneled request EAP-Message = 0x020700461a0207004131c8424ddebbff4ae40360c6bf7d5a207500000000000000006da6ed352c3663c5a057b5a88306c7398494ebcd6bd77420006b696d2e616c6d6172657a FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "kim.almarez" State = 0xb71a0bf8b71d112af1d78f0bcd53be2d server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 70 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for kim.almarez [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> kim.almarez [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=kim.almarez) [ldap] expand: O=SMPRIME -> O=SMPRIME rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in O=SMPRIME, with filter (uid=kim.almarez) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user kim.almarez authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for kim.almarez with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1498 EAP-Message = 0x0108002b19001703010020b67088663b6039d4a9c90f13c1f75b147bc25c040460ced33b554cb989f51d40 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x37e5184d30ed019d0fd828625cb2b12f Finished request 8. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1500, id=0, length=180 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x37e5184d30ed019d0fd828625cb2b12f NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0208002b19001703010020afc9ad58dc4eaeb0cd31df70e64a2e70d873b7893fd45c94866f771c430c0c9c Message-Authenticator = 0x1552a063a65c1859294c6558583d7435 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> kim.almarez attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 0 to 10.96.100.205 port 1500 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.6 seconds. Cleaning up request 1 ID 0 with timestamp +21 Cleaning up request 2 ID 0 with timestamp +21 Cleaning up request 3 ID 0 with timestamp +21 Cleaning up request 4 ID 0 with timestamp +21 Cleaning up request 5 ID 0 with timestamp +21 Cleaning up request 6 ID 0 with timestamp +21 Cleaning up request 7 ID 0 with timestamp +21 Cleaning up request 8 ID 0 with timestamp +21 Waking up in 1.0 seconds. Cleaning up request 9 ID 0 with timestamp +21 Ready to process requests. The difference is with this lines: [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for kim.almarez with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect. -- View this message in context: http://old.nabble.com/Freeradius-%2B-WPA2-%2B-Windows-Client-tp29479107p2947... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Thu, Aug 19, 2010 at 3:42 PM, rrperez <rrperez@apc.edu.ph> wrote:
Sorry for the inconvenience Alan, I'm just a student and currently studying/exploring radius servers.
You seem to be selectively ignoring some sugesstions though. It's fine if you REALLY know what you're doing, but this does not seem to be the case.
Now I changed all the configuration back to default and make the some configuration to make ldap works.
Here is the debug and it is quite different from the previous one:
Here's some things you need to take note of: (1) If you configure clients to use PEAPv0/EAP-MSCHAPv2 (or sometimes refered to as PEAP only), it does not supply plain-text/cleartext password (2) authenticating to Lotus Domino requires that you supply plain-text password, since Lotus stores password using some propietary hash/encryption (3) One of the EAP methods that can send plain-text password is PEAP-GTC (others on this list have suggested TTLS-PAP) (4) Windows by itself does not support PEAP-GTC or TTLS-PAP (5) Thus, you need third-party supplicant to have Windows be able to use EAP methods which sends cleartext password. Does this make sense so far? Have you use any third-party supplicant and configure them to do either PEAP-GTC or TTLS-PAP? If yes, the password that you typed when authenticating should show up in the debug log (which doesn't seem to be the case). See http://wiki.freeradius.org/Extensible_Authentication_Protocol http://lists.freeradius.org/pipermail/freeradius-users/2010-August/msg00297.... Commercial supplicant is also available: http://www.ciscosystems.com/en/US/products/ps7034/products_configuration_exa... -- Fajar
Thanks for this response Fajar, It definitely make sense, now I'm trying to install Open1x, but I can't find a manual on how to configure this. Do you know some references that can help me configuring Open1x? -- View this message in context: http://old.nabble.com/Freeradius-%2B-WPA2-%2B-Windows-Client-tp29479107p2948... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Fri, Aug 20, 2010 at 10:05 AM, rrperez <rrperez@apc.edu.ph> wrote:
Thanks for this response Fajar,
It definitely make sense, now I'm trying to install Open1x, but I can't find a manual on how to configure this. Do you know some references that can help me configuring Open1x?
No, sorry. You might have better luck asking on Open1x list, or just explore the options that the GUI provides. I've tested wpa_supllicant for windows (second link on my original mail) some time ago. The file README-Windows.txt has some documentation on using it (if you like using command line), but you'd probably want to stick with the GUI (which is pretty much self-explanatory). FWIW, officially my company uses Odyssey Access Client (there's trial version available: http://www.juniper.net/support/products/oac/ent/#sw) for Windows to connect to connect to wireless network, using PEAP-GTC, authenticating to Lotus Domino LDAP. I don't use it though, and simply use Ubuntu Lucid with its built-in network-manager (which can connect just fine). Whatever supplicant you use, if you want to go through PEAP-GTC route like I do, you basically need to configure the supplicant client to choose: - 802.1X (or WPA2 enterprise if it's not available) wireless security - EAP or EAP-PEAP, or PEAP authentication protocol (different supplicant may use different terms) - GTC or EAP-GTC inner authentication you may also need to disable server certificate verification (since most likely you'll be using self-signed certificate, at least for testing purposes) -- Fajar
I have some issues: Open1x - not supported on windows 7 when im trying to install it. wpa_supplicant - i can't access the link you have given me. Odyssey - for the mean time, I'll try this and also I'm installing secureW2 supplicant (because it supports Windows 7). Regarding with what you said about "authenticating to Lotus Domino LDAP", does this mean that they communicate with each other directly without FR or with FR? With other platforms, I guess I don't have problem with that because only clients with windows platforms are using MS-CHAPv2 protocol(if I'm right). -- View this message in context: http://old.nabble.com/Freeradius-%2B-WPA2-%2B-Windows-Client-tp29479107p2948... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Fri, Aug 20, 2010 at 2:14 PM, rrperez <rrperez@apc.edu.ph> wrote:
Regarding with what you said about "authenticating to Lotus Domino LDAP", does this mean that they communicate with each other directly without FR or with FR?
The official implementation: using a commercial radius appliance which uses Lotus Domino LDAP for authorization and authentication. I've reproduced the same functionality with FR just fine though.
With other platforms, I guess I don't have problem with that because only clients with windows platforms are using MS-CHAPv2 protocol(if I'm right).
A more accurate description would be other popular desktop OS (Linux, OS-X, and even iphone) has PEAP-GTC support built in. -- Fajar
participants (3)
-
Alan DeKok -
Fajar A. Nugraha -
rrperez