XP Extensions for PEAP/MSCHAPv2
I have everything working, but I believe I've hit the problem with the OIDs windows needs for the SSL cert. I generated a key with openssl and a req and I actually have a real cert assigned for the server. How do I go about modifying my key and cert so that XP users will be able to connect? I can connect with other OSes. Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT)
The problem is that authentication is basically hanging after Access-Challenge packets back to my clients. It happens with Macs as well. I know authentication is working because if I enter the incorrect password I get a totally different type of response. Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT) From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius .org] On Behalf Of Casartello, Thomas Sent: Thursday, May 29, 2008 4:34 PM To: FreeRadius users mailing list Subject: XP Extensions for PEAP/MSCHAPv2 I have everything working, but I believe I've hit the problem with the OIDs windows needs for the SSL cert. I generated a key with openssl and a req and I actually have a real cert assigned for the server. How do I go about modifying my key and cert so that XP users will be able to connect? I can connect with other OSes. Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT)
Casartello, Thomas wrote:
I have everything working, but I believe I’ve hit the problem with the OIDs windows needs for the SSL cert. I generated a key with openssl and a req and I actually have a real cert assigned for the server. How do I go about modifying my key and cert so that XP users will be able to connect? I can connect with other OSes.
In 2.0, see raddb/certs/. There are scripts and configurations to make certificates that Windows will like. Alan DeKok.
I tried regenerating the certs using the bootstrap file (Which I saw includes the XP extensions with the certs that it generates.) I'm still running into the same issue. Here's my eap and mschap config..any other info I could show to help troubleshoot? Eap.conf config: eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom } peap { default_eap_type = mschapv2 } mschapv2 { } } Mschap config: mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%$ } Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, May 30, 2008 1:41 AM To: FreeRadius users mailing list Subject: Re: XP Extensions for PEAP/MSCHAPv2 Casartello, Thomas wrote:
I have everything working, but I believe I’ve hit the problem with the OIDs windows needs for the SSL cert. I generated a key with openssl and a req and I actually have a real cert assigned for the server. How do I go about modifying my key and cert so that XP users will be able to connect? I can connect with other OSes.
In 2.0, see raddb/certs/. There are scripts and configurations to make certificates that Windows will like. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here's a snippet of the debug.. radius_xlat: '--username=tcasartello' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 3d radius_xlat: '--challenge=c1b030c3f14da3b1' radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '--nt-response=39b7dd714f0104723f917c82db10c17738015c22186940b0' Exec-Program output: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 Exec-Program-Wait: plaintext: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 37 modcall: leaving group MS-CHAP (returns ok) for request 37 MSCHAP Success modcall[authenticate]: module "eap" returns handled for request 37 modcall: leaving group authenticate (returns handled) for request 37 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 37 modcall: leaving group authenticate (returns handled) for request 37 Sending Access-Challenge of id 38 to 192.168.223.1 port 1645 EAP-Message = 0x010a004a1900170301003f6adf2a774f5eb8ecfc6247131c81763255f6a526544dab03eb222ffc65777763c1426ce728a43fb70924d29e28f3cd3a145846d0a83a5692518aaf83d99320 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x42e8dc477d661fd07c3ccb0211ac0fac Finished request 37 Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Casartello, Thomas Sent: Friday, May 30, 2008 10:15 AM To: FreeRadius users mailing list Subject: RE: XP Extensions for PEAP/MSCHAPv2 I tried regenerating the certs using the bootstrap file (Which I saw includes the XP extensions with the certs that it generates.) I'm still running into the same issue. Here's my eap and mschap config..any other info I could show to help troubleshoot? Eap.conf config: eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom } peap { default_eap_type = mschapv2 } mschapv2 { } } Mschap config: mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%$ } Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, May 30, 2008 1:41 AM To: FreeRadius users mailing list Subject: Re: XP Extensions for PEAP/MSCHAPv2 Casartello, Thomas wrote:
I have everything working, but I believe I’ve hit the problem with the OIDs windows needs for the SSL cert. I generated a key with openssl and a req and I actually have a real cert assigned for the server. How do I go about modifying my key and cert so that XP users will be able to connect? I can connect with other OSes.
In 2.0, see raddb/certs/. There are scripts and configurations to make certificates that Windows will like. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Looks like this may be another Fedora 9 problem. I tried this on a server running Fedora 8 with RADIUS 1.1.7 and it worked. (I tried 1.1.7 on my Fedora 9 machine and had the same problem.) Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Casartello, Thomas Sent: Friday, May 30, 2008 10:24 AM To: FreeRadius users mailing list Subject: RE: XP Extensions for PEAP/MSCHAPv2 Here's a snippet of the debug.. radius_xlat: '--username=tcasartello' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 3d radius_xlat: '--challenge=c1b030c3f14da3b1' radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '--nt-response=39b7dd714f0104723f917c82db10c17738015c22186940b0' Exec-Program output: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 Exec-Program-Wait: plaintext: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 37 modcall: leaving group MS-CHAP (returns ok) for request 37 MSCHAP Success modcall[authenticate]: module "eap" returns handled for request 37 modcall: leaving group authenticate (returns handled) for request 37 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 37 modcall: leaving group authenticate (returns handled) for request 37 Sending Access-Challenge of id 38 to 192.168.223.1 port 1645 EAP-Message = 0x010a004a1900170301003f6adf2a774f5eb8ecfc6247131c81763255f6a526544dab03eb222ffc65777763c1426ce728a43fb70924d29e28f3cd3a145846d0a83a5692518aaf83d99320 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x42e8dc477d661fd07c3ccb0211ac0fac Finished request 37 Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Casartello, Thomas Sent: Friday, May 30, 2008 10:15 AM To: FreeRadius users mailing list Subject: RE: XP Extensions for PEAP/MSCHAPv2 I tried regenerating the certs using the bootstrap file (Which I saw includes the XP extensions with the certs that it generates.) I'm still running into the same issue. Here's my eap and mschap config..any other info I could show to help troubleshoot? Eap.conf config: eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom } peap { default_eap_type = mschapv2 } mschapv2 { } } Mschap config: mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%$ } Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, May 30, 2008 1:41 AM To: FreeRadius users mailing list Subject: Re: XP Extensions for PEAP/MSCHAPv2 Casartello, Thomas wrote:
I have everything working, but I believe I’ve hit the problem with the OIDs windows needs for the SSL cert. I generated a key with openssl and a req and I actually have a real cert assigned for the server. How do I go about modifying my key and cert so that XP users will be able to connect? I can connect with other OSes.
In 2.0, see raddb/certs/. There are scripts and configurations to make certificates that Windows will like. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Certificates are not the problem. There is MSCHAP Success there which means that this is inner-tunnel stuff. Do ordinary mschap requests work? Ivan Kalik Kalik Informatika ISP Dana 30/5/2008, "Casartello, Thomas" <tcasartello@wsc.ma.edu> piše:
Here's a snippet of the debug..
radius_xlat: '--username=tcasartello' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 3d radius_xlat: '--challenge=c1b030c3f14da3b1' radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '--nt-response=39b7dd714f0104723f917c82db10c17738015c22186940b0' Exec-Program output: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 Exec-Program-Wait: plaintext: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 37 modcall: leaving group MS-CHAP (returns ok) for request 37 MSCHAP Success modcall[authenticate]: module "eap" returns handled for request 37 modcall: leaving group authenticate (returns handled) for request 37 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 37 modcall: leaving group authenticate (returns handled) for request 37 Sending Access-Challenge of id 38 to 192.168.223.1 port 1645 EAP-Message = 0x010a004a1900170301003f6adf2a774f5eb8ecfc6247131c81763255f6a526544dab03eb222ffc65777763c1426ce728a43fb70924d29e28f3cd3a145846d0a83a5692518aaf83d99320 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x42e8dc477d661fd07c3ccb0211ac0fac Finished request 37
Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu
Red Hat Certified Technician (RHCT)
-----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Casartello, Thomas Sent: Friday, May 30, 2008 10:15 AM To: FreeRadius users mailing list Subject: RE: XP Extensions for PEAP/MSCHAPv2
I tried regenerating the certs using the bootstrap file (Which I saw includes the XP extensions with the certs that it generates.) I'm still running into the same issue.
Here's my eap and mschap config..any other info I could show to help troubleshoot?
Eap.conf config:
eap { default_eap_type = peap
timer_expire = 60 ignore_unknown_eap_types = no
cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom }
peap { default_eap_type = mschapv2 } mschapv2 { } }
Mschap config: mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%$ } Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu
Red Hat Certified Technician (RHCT)
-----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, May 30, 2008 1:41 AM To: FreeRadius users mailing list Subject: Re: XP Extensions for PEAP/MSCHAPv2
Casartello, Thomas wrote:
I have everything working, but I believe Iâve hit the problem with the OIDs windows needs for the SSL cert. I generated a key with openssl and a req and I actually have a real cert assigned for the server. How do I go about modifying my key and cert so that XP users will be able to connect? I can connect with other OSes.
In 2.0, see raddb/certs/. There are scripts and configurations to make certificates that Windows will like.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Actually I just tried doing it with putting a username in the users file and it worked... so I have a feeling you're on the right track. Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Friday, May 30, 2008 11:04 AM To: FreeRadius users mailing list Subject: RE: XP Extensions for PEAP/MSCHAPv2 Certificates are not the problem. There is MSCHAP Success there which means that this is inner-tunnel stuff. Do ordinary mschap requests work? Ivan Kalik Kalik Informatika ISP Dana 30/5/2008, "Casartello, Thomas" <tcasartello@wsc.ma.edu> piše:
Here's a snippet of the debug..
radius_xlat: '--username=tcasartello' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 3d radius_xlat: '--challenge=c1b030c3f14da3b1' radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '--nt-response=39b7dd714f0104723f917c82db10c17738015c22186940b0' Exec-Program output: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 Exec-Program-Wait: plaintext: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 37 modcall: leaving group MS-CHAP (returns ok) for request 37 MSCHAP Success modcall[authenticate]: module "eap" returns handled for request 37 modcall: leaving group authenticate (returns handled) for request 37 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 37 modcall: leaving group authenticate (returns handled) for request 37 Sending Access-Challenge of id 38 to 192.168.223.1 port 1645 EAP-Message = 0x010a004a1900170301003f6adf2a774f5eb8ecfc6247131c81763255f6a526544dab03eb222ffc65777763c1426ce728a43fb70924d29e28f3cd3a145846d0a83a5692518aaf83d99320 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x42e8dc477d661fd07c3ccb0211ac0fac Finished request 37
Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu
Red Hat Certified Technician (RHCT)
-----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Casartello, Thomas Sent: Friday, May 30, 2008 10:15 AM To: FreeRadius users mailing list Subject: RE: XP Extensions for PEAP/MSCHAPv2
I tried regenerating the certs using the bootstrap file (Which I saw includes the XP extensions with the certs that it generates.) I'm still running into the same issue.
Here's my eap and mschap config..any other info I could show to help troubleshoot?
Eap.conf config:
eap { default_eap_type = peap
timer_expire = 60 ignore_unknown_eap_types = no
cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom }
peap { default_eap_type = mschapv2 } mschapv2 { } }
Mschap config: mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%$ } Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu
Red Hat Certified Technician (RHCT)
-----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, May 30, 2008 1:41 AM To: FreeRadius users mailing list Subject: Re: XP Extensions for PEAP/MSCHAPv2
Casartello, Thomas wrote:
I have everything working, but I believe Iâve hit the problem with the OIDs windows needs for the SSL cert. I generated a key with openssl and a req and I actually have a real cert assigned for the server. How do I go about modifying my key and cert so that XP users will be able to connect? I can connect with other OSes.
In 2.0, see raddb/certs/. There are scripts and configurations to make certificates that Windows will like.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Oh and yes, if I just send a non EAP mschap request to the server it works. Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Friday, May 30, 2008 11:04 AM To: FreeRadius users mailing list Subject: RE: XP Extensions for PEAP/MSCHAPv2 Certificates are not the problem. There is MSCHAP Success there which means that this is inner-tunnel stuff. Do ordinary mschap requests work? Ivan Kalik Kalik Informatika ISP Dana 30/5/2008, "Casartello, Thomas" <tcasartello@wsc.ma.edu> piše:
Here's a snippet of the debug..
radius_xlat: '--username=tcasartello' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 3d radius_xlat: '--challenge=c1b030c3f14da3b1' radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '--nt-response=39b7dd714f0104723f917c82db10c17738015c22186940b0' Exec-Program output: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 Exec-Program-Wait: plaintext: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 37 modcall: leaving group MS-CHAP (returns ok) for request 37 MSCHAP Success modcall[authenticate]: module "eap" returns handled for request 37 modcall: leaving group authenticate (returns handled) for request 37 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 37 modcall: leaving group authenticate (returns handled) for request 37 Sending Access-Challenge of id 38 to 192.168.223.1 port 1645 EAP-Message = 0x010a004a1900170301003f6adf2a774f5eb8ecfc6247131c81763255f6a526544dab03eb222ffc65777763c1426ce728a43fb70924d29e28f3cd3a145846d0a83a5692518aaf83d99320 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x42e8dc477d661fd07c3ccb0211ac0fac Finished request 37
Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu
Red Hat Certified Technician (RHCT)
-----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Casartello, Thomas Sent: Friday, May 30, 2008 10:15 AM To: FreeRadius users mailing list Subject: RE: XP Extensions for PEAP/MSCHAPv2
I tried regenerating the certs using the bootstrap file (Which I saw includes the XP extensions with the certs that it generates.) I'm still running into the same issue.
Here's my eap and mschap config..any other info I could show to help troubleshoot?
Eap.conf config:
eap { default_eap_type = peap
timer_expire = 60 ignore_unknown_eap_types = no
cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom }
peap { default_eap_type = mschapv2 } mschapv2 { } }
Mschap config: mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%$ } Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu
Red Hat Certified Technician (RHCT)
-----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, May 30, 2008 1:41 AM To: FreeRadius users mailing list Subject: Re: XP Extensions for PEAP/MSCHAPv2
Casartello, Thomas wrote:
I have everything working, but I believe Iâve hit the problem with the OIDs windows needs for the SSL cert. I generated a key with openssl and a req and I actually have a real cert assigned for the server. How do I go about modifying my key and cert so that XP users will be able to connect? I can connect with other OSes.
In 2.0, see raddb/certs/. There are scripts and configurations to make certificates that Windows will like.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm going to conclude this as an issue with Fedora 9. I'm going to bring my RADIUS server down to Fedora 8. I just installed the newest version of FreeRADIUS on my Fedora 8 box and the EAP works fine even going to the active directory from this same access point. Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Casartello, Thomas Sent: Friday, May 30, 2008 11:28 AM To: FreeRadius users mailing list Subject: RE: XP Extensions for PEAP/MSCHAPv2 Oh and yes, if I just send a non EAP mschap request to the server it works. Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Friday, May 30, 2008 11:04 AM To: FreeRadius users mailing list Subject: RE: XP Extensions for PEAP/MSCHAPv2 Certificates are not the problem. There is MSCHAP Success there which means that this is inner-tunnel stuff. Do ordinary mschap requests work? Ivan Kalik Kalik Informatika ISP Dana 30/5/2008, "Casartello, Thomas" <tcasartello@wsc.ma.edu> piše:
Here's a snippet of the debug..
radius_xlat: '--username=tcasartello' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 3d radius_xlat: '--challenge=c1b030c3f14da3b1' radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '--nt-response=39b7dd714f0104723f917c82db10c17738015c22186940b0' Exec-Program output: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 Exec-Program-Wait: plaintext: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 37 modcall: leaving group MS-CHAP (returns ok) for request 37 MSCHAP Success modcall[authenticate]: module "eap" returns handled for request 37 modcall: leaving group authenticate (returns handled) for request 37 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 37 modcall: leaving group authenticate (returns handled) for request 37 Sending Access-Challenge of id 38 to 192.168.223.1 port 1645 EAP-Message = 0x010a004a1900170301003f6adf2a774f5eb8ecfc6247131c81763255f6a526544dab03eb222ffc65777763c1426ce728a43fb70924d29e28f3cd3a145846d0a83a5692518aaf83d99320 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x42e8dc477d661fd07c3ccb0211ac0fac Finished request 37
Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu
Red Hat Certified Technician (RHCT)
-----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Casartello, Thomas Sent: Friday, May 30, 2008 10:15 AM To: FreeRadius users mailing list Subject: RE: XP Extensions for PEAP/MSCHAPv2
I tried regenerating the certs using the bootstrap file (Which I saw includes the XP extensions with the certs that it generates.) I'm still running into the same issue.
Here's my eap and mschap config..any other info I could show to help troubleshoot?
Eap.conf config:
eap { default_eap_type = peap
timer_expire = 60 ignore_unknown_eap_types = no
cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom }
peap { default_eap_type = mschapv2 } mschapv2 { } }
Mschap config: mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%$ } Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu
Red Hat Certified Technician (RHCT)
-----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, May 30, 2008 1:41 AM To: FreeRadius users mailing list Subject: Re: XP Extensions for PEAP/MSCHAPv2
Casartello, Thomas wrote:
I have everything working, but I believe Iâve hit the problem with the OIDs windows needs for the SSL cert. I generated a key with openssl and a req and I actually have a real cert assigned for the server. How do I go about modifying my key and cert so that XP users will be able to connect? I can connect with other OSes.
In 2.0, see raddb/certs/. There are scripts and configurations to make certificates that Windows will like.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I'm going to conclude this as an issue with Fedora 9. I'm going to bring my RADIUS server down to Fedora 8. I just installed the newest version of FreeRADIUS on my Fedora 8 box and the EAP works fine even going to the active directory from this same access point.
home built freeradius on FC9, or the RPM supplied? there is a known issue with GCC compiler and packages made by it - you've probably been bitten by one of the issues. alan
It did it in both. I compiled without compiler optimization so I didn't have the port listening issue. Thomas E. Casartello, Jr. Infrastructure Technician Linux Specialist Department of Information Technology Westfield State College Wilson 105-A (413) 572-8245 E-Mail: tcasartello@wsc.ma.edu Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius .org] On Behalf Of A.L.M.Buxey@lboro.ac.uk Sent: Friday, May 30, 2008 12:54 PM To: FreeRadius users mailing list Subject: Re: XP Extensions for PEAP/MSCHAPv2 Hi,
I'm going to conclude this as an issue with Fedora 9. I'm going to bring my RADIUS server down to Fedora 8. I just installed the newest version of FreeRADIUS on my Fedora 8 box and the EAP works fine even going to the active directory from this same access point.
home built freeradius on FC9, or the RPM supplied? there is a known issue with GCC compiler and packages made by it - you've probably been bitten by one of the issues. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Casartello, Thomas -
Ivan Kalik