PEAP-MSCHAP failure. Please help
Hi there, I'm trying to do authentication using the winlogon information and using PEAP. I'm not using client certificates, only windows domain logon information. Here are my config files: eap.conf eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no tls { private_key_password = password private_key_file = ${raddbdir}/certs/radiuskey.pem certificate_file = ${raddbdir}/certs/radiuscert.pem CA_file = ${raddbdir}/certs/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom fragment_size = 1024 include_length = yes } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes } mschapv2 { } } radiusd.conf ... modules { $INCLUDE ${confdir}/eap.conf mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/opt/samba/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } } authorize { eap } authenticate { Auth-Type MS-CHAP { mschap } eap } This is my dump of radiusd -X -A Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "/opt/samba/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/radiuskey.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/radiuscert.pem" tls: CA_file = "/usr/local/etc/raddb/certs/cacert.pem" tls: private_key_password = "password" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = yes tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.254.26:1812, id=22, length=165 NAS-IP-Address = 192.168.254.26 NAS-Port = 50001 NAS-Port-Type = Ethernet User-Name = "ASDF\\asdf" Called-Station-Id = "00-16-46-DB-93-01" Calling-Station-Id = "00-B0-D0-0C-64-B2" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200002e01415344465c617364660000ff1c53796761746553656375726974794167656e74000000000000000000 Message-Authenticator = 0x38739029b21f29f09cf2d207b03c3a35 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 rlm_eap: EAP packet type response id 0 length 46 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 22 to 192.168.254.26 port 1812 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe6aee8ce917ba33b4e9bcb87dc8aa9b0 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.254.26:1812, id=23, length=217 NAS-IP-Address = 192.168.254.26 NAS-Port = 50001 NAS-Port-Type = Ethernet User-Name = "ASDF\\asdf" Called-Station-Id = "00-16-46-DB-93-01" Calling-Station-Id = "00-B0-D0-0C-64-B2" Service-Type = Framed-User Framed-MTU = 1500 State = 0xe6aee8ce917ba33b4e9bcb87dc8aa9b0 EAP-Message = 0x0201005019800000004616030100410100003d030145362a3286a98f942b778d74dd470fc449c041d01f0e82822ba3babcf0c7752c00001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xd0802a126d8f4c4576362704b2b1f3f1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 rlm_eap: EAP packet type response id 1 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 062f], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 23 to 192.168.254.26 port 1812 EAP-Message = 0x0102040a19c00000068c160301004a02000046030145359d132089dfb5b31e89f6df538953346dfb57cb62b10111a9d86165b0459e20ab268afefcbeca633a9567f6bfd548d8b53e0ab1e2952afbb4af996b5ef085a8000400160301062f0b00062b00062800029d3082029930820202a003020102020101300d06092a864886f70d0101040500308188310b3009060355040613024348310d300b060355040813044265726e31163014060355040a130d536166656775617264204c6162312530230603550403131c526f6f742043657274696669636174696f6e20417574686f72697479312b302906092a864886f70d010901161c61646d696e6973 EAP-Message = 0x747261746f72407361666567756172642e74657374301e170d3036313031383032303332375a170d3037313031383032303332375a308182310b3009060355040613024348310d300b060355040813044265726e31163014060355040a130d536166656775617264204c6162311f301d0603550403131646726565526164697573205465737420536572766572312b302906092a864886f70d010901161c61646d696e6973747261746f72407361666567756172642e7465737430819f300d06092a864886f70d010101050003818d0030818902818100cecd0979f9596669055dc8ed59537dbd99cf07497d4eb982c7b68bb66c8bee8ef043f7f8364e EAP-Message = 0x45a79a16882ec31e6b7edde6e2366b9034781f9757dfe594b3eefd84bfe4bf970425a1eb33c777b429c1789c3ef12fd95ddf5fa8454be474efb29dfa25949e22529b1a196cfb8d9f4510824f6f84e351d1e97239facd5a01294f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181004861289d07bb71f05ec9a11d716299b22f4db328b7e32d55e13e939b4961cc95429a26a793993b1f71cf0525715b9c5ce68554569deb6dad23f2e673035a5d45ce1a5037012e690b2b6c08b4dec0e6a25a7b2b00b0ed4c543bdb1b767365ea70e2b81db574604da6762608a0be9a1c757bf1 EAP-Message = 0x071a2370c3c8652c2900bc06fa9d00038530820381308202eaa003020102020900e24fc4fd6ffcf7c1300d06092a864886f70d0101040500308188310b3009060355040613024348310d300b060355040813044265726e31163014060355040a130d536166656775617264204c6162312530230603550403131c526f6f742043657274696669636174696f6e20417574686f72697479312b302906092a864886f70d010901161c61646d696e6973747261746f72407361666567756172642e74657374301e170d3036313031383032303330375a170d3037313031383032303330375a308188310b3009060355040613024348310d300b060355040813 EAP-Message = 0x044265726e31163014060355040a130d536166656775 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd9e611882c9206e57aa4934cc6c47079 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.254.26:1812, id=24, length=143 NAS-IP-Address = 192.168.254.26 NAS-Port = 50001 NAS-Port-Type = Ethernet User-Name = "ASDF\\asdf" Called-Station-Id = "00-16-46-DB-93-01" Calling-Station-Id = "00-B0-D0-0C-64-B2" Service-Type = Framed-User Framed-MTU = 1500 State = 0xd9e611882c9206e57aa4934cc6c47079 EAP-Message = 0x020200061900 Message-Authenticator = 0xb85b165671cc8a30681a688baf2a2136 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 24 to 192.168.254.26 port 1812 EAP-Message = 0x010302921900617264204c6162312530230603550403131c526f6f742043657274696669636174696f6e20417574686f72697479312b302906092a864886f70d010901161c61646d696e6973747261746f72407361666567756172642e7465737430819f300d06092a864886f70d010101050003818d0030818902818100ce868e0ed1ea38ca7578de3aea67f43f6e259e5a3bd1e10c47c4fb588756d5eeb4e3e5a3e346488032f5724849ccdc06281b498b552eb723e84d334771be0b8c6c933a1af86ee8b1ae731eb192c5f25e916df6e22e03fc4e7b18570e894db4f429a99c43082654a5357b7fba485de171faf3567a100118b5327edff6478d0b EAP-Message = 0xd10203010001a381f03081ed301d0603551d0e0416041448296c477e81278cec7a3d90922e0f427f8968c93081bd0603551d230481b53081b2801448296c477e81278cec7a3d90922e0f427f8968c9a1818ea4818b308188310b3009060355040613024348310d300b060355040813044265726e31163014060355040a130d536166656775617264204c6162312530230603550403131c526f6f742043657274696669636174696f6e20417574686f72697479312b302906092a864886f70d010901161c61646d696e6973747261746f72407361666567756172642e74657374820900e24fc4fd6ffcf7c1300c0603551d13040530030101ff300d0609 EAP-Message = 0x2a864886f70d010104050003818100b6a2bf764bb01820c8650f0bcd7ad1797ce2711f82de2df777607aad7c9cd0f58396dfe1bf6974b9aaf368757de41b49fc4538ed0598aeec5ed8555ce7c44f658fd6ecaa1fabbc2060da8536aa136f86835b8a6731e41c78b0023b572aed7175b94cd93badab450b174067e22c58a4f434d0fd592ec1215a04e184ca612d2c9516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2e288099d22c097d5f415cca50070a5d Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.254.26:1812, id=25, length=329 NAS-IP-Address = 192.168.254.26 NAS-Port = 50001 NAS-Port-Type = Ethernet User-Name = "ASDF\\asdf" Called-Station-Id = "00-16-46-DB-93-01" Calling-Station-Id = "00-B0-D0-0C-64-B2" Service-Type = Framed-User Framed-MTU = 1500 State = 0x2e288099d22c097d5f415cca50070a5d EAP-Message = 0x020300c01980000000b61603010086100000820080883d13d43d2ce12fc3364a5eb33fb861636d18a200a9a0e84d10261e9c86f2350db58c1feba581442c51bee27f89d4d0255ec8509ac3910acf099b23dac128862ee02f0de774f283ae00ed5575c142dde2514d50be4004286b19f35e5c3ed602ffa270cbb94ff2780f81af5834169f9e6573dff346f45bd1c799c3b44f9240cf140301000101160301002070a4cb2e7adb74767794227e6f18c65164cc2e25355bf08505b016f9ed0a1670 Message-Authenticator = 0x65115a527c866e9357aaa8d3844a00ea Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 rlm_eap: EAP packet type response id 3 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 25 to 192.168.254.26 port 1812 EAP-Message = 0x0104003119001403010001011603010020d0f9a0ba049067d8e4d5c36c88eeaf39cb69d081fcee756c084180b6ac53294f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed95e59feca1d7ef0ab7eed96cec81c1 Finished request 3 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 22 with timestamp 45359d13 Cleaning up request 1 ID 23 with timestamp 45359d13 Cleaning up request 2 ID 24 with timestamp 45359d13 Cleaning up request 3 ID 25 with timestamp 45359d13 Nothing to do. Sleeping until we see a request. The CA certificate has been imported to the connecting computer and this computer is configured with the option "Validate server certificate" with the appropiate certification authority selected. When I connect, nothing happens, it doesn't connect but it doesnt complain either, but the switch's port keeps blocked. From the dump, you can see that there is no failure in the EAP module, but it doesn't go to the mschap authentication part. Questions: Is there a way to dump more information about what is going on in the TLS conversation in freeradius? Why even if EAP doesn't fail it can't reach the mschap part? Should I consider this part (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established as a failure or a success? In the client computer, if I uncheck the "Validate server certificate" option everything runs smoothly. I'm using FreeRadius v 1.1.3. Certificates when created were verified with openssl verify and everything was ok. Thanks. Please advice _________________________________________________________________ FREE pop-up blocking with the new MSN Toolbar - get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
"Jack Daniels" <da_very_newbie@hotmail.com> wrote:
Is there a way to dump more information about what is going on in the TLS conversation in freeradius?
No. What more information do you think you would need?
Why even if EAP doesn't fail it can't reach the mschap part?
Because the Windows client stops talking to the server.
Should I consider this part (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established as a failure or a success?
I could swear that message has the word "successfully" in it. That looks a whole lot like "success" to me.
In the client computer, if I uncheck the "Validate server certificate" option everything runs smoothly.
Then the problem is that you didn't create the certificates with the magic OID's. See http://wiki.freeradius.org/WPA_HOWTO and http://www.alphacore.net/contrib/nantes-wireless/eap-tls-HOWTO.html If you didn't use the "xpextensions" file, Windows won't like the certs.
I'm using FreeRadius v 1.1.3. Certificates when created were verified with openssl verify and everything was ok.
They're certs, but they're not certs Windows likes. I think for the next rev of the server, we'll take a look at putting huge screaming messages in the logs if the certs don't have the OID's. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi,
I think for the next rev of the server, we'll take a look at putting huge screaming messages in the logs if the certs don't have the OID's.
hmm, or just simply make radiusd die with such a message as its last line of output - just like when some other settings are messed up ;-) alan
A.L.M.Buxey@lboro.ac.uk wrote:
hmm, or just simply make radiusd die with such a message as its last line of output - just like when some other settings are messed up ;-)
Some people do deploy TTLS only, which doesn't need those OID's. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Thanks for your answers, I forgot to mention that when I generated the certs I did use the OID. When I look at the certs' details, one of those details reads "Enhanced key usage: Server Authentication (1.3.6.1.5.5.7.3.1)" Even with this, it doesn't work. I'll try generating (once again) the certs. Thanks -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org [mailto:freeradius-users-bounces+hector.ortiz=swisscom.com@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Mittwoch, 18. Oktober 2006 20:55 An: FreeRadius users mailing list Betreff: Re: PEAP-MSCHAP failure. Please help A.L.M.Buxey@lboro.ac.uk wrote:
hmm, or just simply make radiusd die with such a message as its last line of output - just like when some other settings are messed up ;-)
Some people do deploy TTLS only, which doesn't need those OID's. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Hector.Ortiz@swisscom.com -
Jack Daniels