FW: Problem with PEAP MS-ChapV2 against AD
I am testing the new version of FreeRadius (v2.1.10) on a CentOS 5 server with Samba 3.4.3 installed. The ultimate goal is to do 802.1x port authentication (Vista machines) for Wired connections and authenticate the users against Windows 2008 R2 AD. I configured Samba and join it to the Domain, and configured FreeRadius per the instructions on the Wiki. Testing against AD was successful, so I configured FreeRadius to use EAP-PEAP, generated my own certificates and ran into problems when testing it out. When I generated the certificates, I created the server key and server csr with openssl. I signed the csr with a Windows CA (adding the XPextensions) and then converted the DER format to PEM using openssl. I verified that the certificate did have the Extended Key Attributes: [root@radius mycerts]# openssl x509 -text -noout -in radius2.pem shows: X509v3 Extended Key Usage: TLS Web Server Authentication When I try to authenticate, I did not see any errors, but at the end of the debug output shows: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x17d5444b10dc5de2 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests. I regenerated the certificates with the same results. Does anyone have a clue on what is happening? Here is the Debug output: rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=177, length=112 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" EAP-Message = 0x02010010014d454d5c7267726168616d Message-Authenticator = 0xe1910a3453bca0c7c905bfc2e5cd5aec # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 53 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 177 to 172.16.1.2 port 1645 Service-Type = Framed-User Framed-Protocol = PPP EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b17d75de2f7dce27aee56b663 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=178, length=236 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" State = 0x17d5444b17d75de2f7dce27aee56b663 EAP-Message = 0x0202007a198000000070160301006b0100006703014d2f6a09730b74f908bd8b719705 896b0b5eb2fe01f3fa3e0c26d38bcffa7361000018002f00350005000ac009c00ac013c0 1400320038001300040100002600000010000e00000b6d656d5c7267726168616d000a00 080006001700180019000b00020100 Message-Authenticator = 0x63e3265e98a3bb083f39d950ae2ade9f # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 122 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 112 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 006b], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 084e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 178 to 172.16.1.2 port 1645 EAP-Message = 0x0103040019c00000088b160301002a0200002603014d2f698b6d3788f388aa9228162c 3f76d3fe9a63fe494c39669259b60b9de8ad00002f00160301084e0b00084a0008470004 af308204ab30820393a003020102020a23987bed000000000009300d06092a864886f70d 0101050500304f31133011060a0992268993f22c6401191603636f6d31173015060a0992 268993f22c64011916076d656d2d696e73311f301d060355040313166d656d2d696e732d 4d454d2d4c41422d4443332d4341301e170d3131303131333138313134385a170d313230 3131333138323134385a308190310b30090603550406130255533111300f060355040813 084d EAP-Message = 0x6973736f7572693111300f06035504071308436f6c756d626961310c300a060355040a 13034d454d310b3009060355040b13024953311b3019060355040313127261646975732e 6d656d2d696e732e636f6d3123302106092a864886f70d01090116147365637572697479 406d656d2d696e732e636f6d305c300d06092a864886f70d0101010500034b0030480241 00f36a27a2cafae70e6ba4a457802e352b6cb99976513c47cad6ec7585eedc5a565e736d bbc5377935dc2143414ee3620b1657503df4f5658c6d4549b322db5a090203010001a382 020d30820209301d0603551d0e04160414787066c86e7a89d1c0bc0df2d001a9de5a7590 a630 EAP-Message = 0x1f0603551d2304183016801477292debc77ac57e073627dba3229e6faf5b76103081d8 0603551d1f0481d03081cd3081caa081c7a081c48681c16c6461703a2f2f2f434e3d6d65 6d2d696e732d4d454d2d4c41422d4443332d43412c434e3d6d656d2d6c61622d6463332c 434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e 3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d6d656d2d696e 732c44433d636f6d3f63657274696669636174655265766f636174696f6e4c6973743f62 6173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e74 3081 EAP-Message = 0xc806082b060105050701010481bb3081b83081b506082b060105050730028681a86c64 61703a2f2f2f434e3d6d656d2d696e732d4d454d2d4c41422d4443332d43412c434e3d41 49412c434e3d5075626c69632532304b657925323053657276696365732c434e3d536572 76696365732c434e3d436f6e66696775726174696f6e2c44433d6d656d2d696e732c4443 3d636f6d3f634143657274696669636174653f626173653f6f626a656374436c6173733d 63657274696669636174696f6e417574686f72697479300c0603551d130101ff04023000 30130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500 0382 EAP-Message = 0x0101003a8b2d68ea968ca3eb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b16d65de2f7dce27aee56b663 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=179, length=120 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" State = 0x17d5444b16d65de2f7dce27aee56b663 EAP-Message = 0x020300061900 Message-Authenticator = 0x1a2ddd0cffc8a6eeb4bd5af56a73316f # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 179 to 172.16.1.2 port 1645 EAP-Message = 0x010403fc19407aa413407a16a4e2e344994d020646636e4b03b012a0a7011631e0a917 fd491b2ad6795c8e210fbeb759e66ace486020b3c2da8778d05bf6b04431547da91e04bc 304cc957f8782b5a6a903608da92903dc7bef79579d77e65b65ab8984156d8a6997219b9 0bbd75db4b432c48d3c97430916cc47a76bc095daedc0f0749f05f51bce08543a2192b78 7f15a208d6a2db4009df5079cf20e7986548032df3b55d36428bceae20295f7b7db4b745 18a92058f72016204e226e158f3b1150dcfca79b3f831954b7917f3b52f22e831506b0f0 3d8970e4be34e73ce4edbfe2b52917939b0a1b3026467291a722f3fafa13ec7ad395d76c 7ee0 EAP-Message = 0x0003923082038e30820276a00302010202101d65a3c4272ba9ae4000af16adf133e830 0d06092a864886f70d0101050500304f31133011060a0992268993f22c6401191603636f 6d31173015060a0992268993f22c64011916076d656d2d696e73311f301d060355040313 166d656d2d696e732d4d454d2d4c41422d4443332d4341301e170d313031303134303035 3434315a170d3335313031343031303433395a304f31133011060a0992268993f22c6401 191603636f6d31173015060a0992268993f22c64011916076d656d2d696e73311f301d06 0355040313166d656d2d696e732d4d454d2d4c41422d4443332d434130820122300d0609 2a86 EAP-Message = 0x4886f70d01010105000382010f003082010a0282010100dec78b70f45103e5f3d835b4 d757320e0442c0ce223a37d5148087d0d9cac90f1244fab1b4d6e57bf0f04a9df770d973 d1a35379bd1448159880adb6c059d7bc48c19790b784e0cb0519f73605687435a943a99f 063e36eb4584535c35a7f3d6f4900c54712280080bb229245b8a7f9ec39047ed0e1a906f 632f97d4b75c6369817f85479e6cb009bb5be487ecd7b2186c818efd595b13faafbe0385 5adf655cdf70f23fbc7ddb63c8ea3466ae027252fccb877bc9adebfc4d637faf3f55366c 4fa53cab5dde9edfc1dead59b4b56479ec52fdb91cc8a282ebc2529d41f3088c3858e80b 1628 EAP-Message = 0x708eda94966f51a236d785f13193e252ea7279b5bd6c2ee4553b0203010001a3663064 301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f 0603551d130101ff040530030101ff301d0603551d0e0416041477292debc77ac57e0736 27dba3229e6faf5b7610301006092b06010401823715010403020100300d06092a864886 f70d010105050003820101004ed045d54a6ec8362174cc3b70e9617f31fcec9951c61f8c f8e850fed2b86207295690201a1cbb174870927fa6c847289688da1a0b33ee935c9d2b57 83547de88e1b42e1f04aa001fe2af230e35da26b6cfe17ae58b5e4a875c53d7249380777 82df EAP-Message = 0x6c3bec718651f019 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b15d15de2f7dce27aee56b663 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=180, length=120 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" State = 0x17d5444b15d15de2f7dce27aee56b663 EAP-Message = 0x020400061900 Message-Authenticator = 0x952d481043dda4da8eca2b39ffd30fcb # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 180 to 172.16.1.2 port 1645 EAP-Message = 0x010500a519002b3a66c8e8526d8ca3c9e036f7c21295735cffc7cca62e8d1da2526a65 a9f79a69c80e259b2ac75781bf6c6f80ec149a46dd773307ecdfc2346ecd140ae08475e2 bbf8d4cc45677d0c0821e9f3b3001899691830b151c99665a689a177a97682fb1a740da6 bf92d05b83f293bc3d3ce00dea49df7eb6d39032dc5e4ad50419e189e57751e10cb9939b 43a4c39b945fa0fd57f05dc01c16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b14d05de2f7dce27aee56b663 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=181, length=258 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" State = 0x17d5444b14d05de2f7dce27aee56b663 EAP-Message = 0x02050090198000000086160301004610000042004019a92f516c2ed12eed5c4b4f4de6 3dbd4200f5c6293ff30e2565451f3775ffcbb01d71c341ac94d80926258517db6c5e7512 05e76bdc724f025dc43e441288b51403010001011603010030b7b8c1cc4e21a2c6fd1e52 308e75c347510b2336a38c4ace61bde40495ac3bc86b53995adf75e9c428d63028edb075 4b Message-Authenticator = 0x502b16df4abdeec82fb8a4031b883444 # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 181 to 172.16.1.2 port 1645 EAP-Message = 0x0106004119001403010001011603010030740816e4b8e4c191780d546c1443a25171c6 2261bb4bbd7fa91dd713403f86418f33de753f3af5259f8ad46ed0d64abf Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b13d35de2f7dce27aee56b663 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=182, length=120 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" State = 0x17d5444b13d35de2f7dce27aee56b663 EAP-Message = 0x020600061900 Message-Authenticator = 0x01334a4b91706f8128e35f10f6c74e0d # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 182 to 172.16.1.2 port 1645 EAP-Message = 0x0107002b190017030100201437bd7da4e0d7dccb3f7880d51fa1881eae5c67aad13229 4e712cd80416cfbb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b12d25de2f7dce27aee56b663 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=183, length=173 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" State = 0x17d5444b12d25de2f7dce27aee56b663 EAP-Message = 0x0207003b1900170301003076edeff553f5cb4d13a2ed7029ba397c77cf9d64c3d4712d 1fc345d3d0dfdd1cec8ba1521e7800fab983b4b9c28068bb Message-Authenticator = 0xea354eec0fbb47ee4a142b0d6920754e # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - MEM\test1 [peap] Got inner identity 'MEM\test1' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02070010014d454d5c7267726168616d server { PEAP: Setting User-Name to MEM\test1 Sending tunneled request EAP-Message = 0x02070010014d454d5c7267726168616d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "MEM\\test1" server inner-tunnel { # Executing section authorize from file /usr//etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800251a0108002010a088cefe33e2d8f8c4b799ed59c5fb0d4d454d5c7267726168 616d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0c1c1a1c0c9db106b079f71f54582b1 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800251a0108002010a088cefe33e2d8f8c4b799ed59c5fb0d4d454d5c7267726168 616d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0c1c1a1c0c9db106b079f71f54582b1 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 183 to 172.16.1.2 port 1645 EAP-Message = 0x0108004b190017030100402047ac117f1fb44413571911d8cc5218a52dcd31033604e2 4e1884e44ef4d3a56b0540d56451fbbcaa3dc0ba6856c560b31b06642fa27235651d8869 8617735b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b11dd5de2f7dce27aee56b663 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=184, length=221 User-Name = "MEM\\test1" Service-Type = Framed-User Framed-MTU = 1500 NAS-IP-Address = 172.16.1.2 NAS-Port = 2 Calling-Station-Id = "00-1B-78-4E-00-12" State = 0x17d5444b11dd5de2f7dce27aee56b663 EAP-Message = 0x0208006b19001703010060ed7d3f594ba21455ac85cb59be5680cbec08cd20c7e2ac70 5c3d5289aadb43318fded2bc16e793b1fe21206e81054dece94dc95f6a5402014a10a21c 4f09d86a069d624832465c2ed89040cda57f84cb0298184274cec6eeb88a17f0198a0594 Message-Authenticator = 0x4c97f3f00ebaf2a9bd5a748646064d04 # Executing section authorize from file /usr//etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800461a020800413139db069aec3a1482eaf5437cc12dc36200000000000000002f f233ba94c6cc0ff8b204e09e8217c1f93dd23f6a175caa004d454d5c7267726168616d server { PEAP: Setting User-Name to MEM\test1 Sending tunneled request EAP-Message = 0x020800461a020800413139db069aec3a1482eaf5437cc12dc36200000000000000002f f233ba94c6cc0ff8b204e09e8217c1f93dd23f6a175caa004d454d5c7267726168616d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "MEM\\test1" State = 0xc0c1c1a1c0c9db106b079f71f54582b1 server inner-tunnel { # Executing section authorize from file /usr//etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 70 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: test1 [mschap] Told to do MS-CHAPv2 for test1 with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=test1 [mschap] expand: %{mschap:NT-Domain} -> MEM [mschap] expand: --domain=%{%{mschap:NT-Domain}:-MEM} -> --domain=MEM [mschap] mschap2: a0 [mschap] Creating challenge hash with username: test1 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=101d5affa80deb2a [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2ff233ba94c6cc0ff8b204e09e8217c1f93dd23f6a175caa Exec-Program output: NT_KEY: D17434B7303CD6FA2ABE17CDB536D69D Exec-Program-Wait: plaintext: NT_KEY: D17434B7303CD6FA2ABE17CDB536D69D Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d363836324644434335413636363431333041383135354636 43454332414535354530433031354133 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0c1c1a1c1c8db106b079f71f54582b1 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d363836324644434335413636363431333041383135354636 43454332414535354530433031354133 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0c1c1a1c1c8db106b079f71f54582b1 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 184 to 172.16.1.2 port 1645 EAP-Message = 0x0109005b190017030100503ab95bfb4fc74f8bdbc39c6a332f01e8238c1548c1d905ed c81dc513033f398190f455a6a164b10035f08c1b0eef983b1174dc9136c66507a8209a06 f26adf1ed27f08e7c1f157ae925b63dc1d3452f0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x17d5444b10dc5de2f7dce27aee56b663 Finished request 7. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 177 with timestamp +72 Cleaning up request 1 ID 178 with timestamp +72 Cleaning up request 2 ID 179 with timestamp +72 Cleaning up request 3 ID 180 with timestamp +72 Cleaning up request 4 ID 181 with timestamp +72 Cleaning up request 5 ID 182 with timestamp +72 Cleaning up request 6 ID 183 with timestamp +72 Cleaning up request 7 ID 184 with timestamp +72 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x17d5444b10dc5de2 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Graham, Robert wrote:
When I generated the certificates, I created the server key and server csr with openssl. I signed the csr with a Windows CA (adding the XPextensions) and then converted the DER format to PEM using openssl.
What's wrong with the certificate creation scripts in raddb/certs? They work...
I verified that the certificate did have the Extended Key Attributes:
[root@radius mycerts]# openssl x509 -text -noout -in radius2.pem shows:
X509v3 Extended Key Usage: TLS Web Server Authentication
Which is required, but not sufficient for Windows to work.
When I try to authenticate, I did not see any errors, but at the end of the debug output shows:
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x17d5444b10dc5de2 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ... I regenerated the certificates with the same results. Does anyone have a clue on what is happening?
Have you tried reading that web page? It contains detailed instructions. It also contains a pointer to another web page with step-by-step instructions for debugging PEAP. This *is* documented. Alan DeKok.
Alan, Thanks for the quick response. The reason I generated my own certs was that if we can get 802.1x to work, when we move to production we will want to have the certificate signed by our Windows CA. So I wanted this to be part of the test plan. I looked at that webpage at least three times today. I think I am so glued to the issue that the xpextension are missing or wrong, but when I view the certificate issued by our CA, it does have the attributes there with an OID of 1.3.6.1.5.5.7.3.1 for Server Certificate Requirements. http://freeradius.1045715.n5.nabble.com/file/n3340698/cert.jpg Are you referring to the Debugging it yourself section? I am in the process of installing screen and going through those steps. Thanks -Robert -- View this message in context: http://freeradius.1045715.n5.nabble.com/FW-Problem-with-PEAP-MS-ChapV2-again... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Robert Graham wrote:
Thanks for the quick response. The reason I generated my own certs was that if we can get 802.1x to work, when we move to production we will want to have the certificate signed by our Windows CA. So I wanted this to be part of the test plan.
That's nice. Are you going to test with a method that is *known* to work, or are you going to ignore the existing documentation, and do it your own way?
I looked at that webpage at least three times today. I think I am so glued to the issue that the xpextension are missing or wrong, but when I view the certificate issued by our CA, it does have the attributes there with an OID of 1.3.6.1.5.5.7.3.1 for Server Certificate Requirements.
That is required, but insufficient.
Are you referring to the Debugging it yourself section? I am in the process of installing screen and going through those steps.
No. I'm referring you to "Certificate Compatibility" page, which is the URL in the huge WARNING messge. Go read it. It includes a reference to another page, with STEP BY STEP instructions for configuring EAP. It includes documentation on how to create test certificates, how to create production certificates, and how to gradually go from one to the other. It really isn't difficult. An hour, tops. *If* you follow instructions. If you insist on doing it your own way, well. there's no documentation for that, and we can't help you. Alan DeKok.
Alan, Thanks for the tips. I followed everything, PAP worked fine, but I still had problems with EAP even with using the certificates from the Radius disto. The part that didn't make a lot of sense to me was it would go thru all the process, and MSCHAP showed success: [mschap] Creating challenge hash with username: test1 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=101d5affa80deb2a [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2ff233ba94c6cc0ff8b204e09e8217c1f93dd23f6a175caa Exec-Program output: NT_KEY: D17434B7303CD6FA2ABE17CDB536D69D Exec-Program-Wait: plaintext: NT_KEY: D17434B7303CD6FA2ABE17CDB536D69D Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success But after that was [peap] Got tunneled reply code 11. Some searches on google indicated that I might be facing a Samba bug. After upddating to the latest release 3.5.6 and adding winbind:forcesamlogon to the smb.conf file it started working. Now I am off to adding LDAP for group membership and configure for dynamic vlans and acls. -Robert -- View this message in context: http://freeradius.1045715.n5.nabble.com/FW-Problem-with-PEAP-MS-ChapV2-again... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (3)
-
Alan DeKok -
Graham, Robert -
Robert Graham