Authentication issues with Win7 and WPA/WPA2 Enterprise
Dear Users, I hope you will be patient with me, its my first time with freeradius. I have problems to authenticate Windows 7 Clients with freeradius. Using WPA2-Enterprise results in Access-Rejects after one Request. Using WPA-Enterprise results in about nine different Access-Challanges and one final Access-Accept - that cant be right. I have set up a testing scenario with the local test user bob. If local authentication works properly i want to proxy all requests without EAP to another freeradius server. I will have questions to that later :) radtest from localhost an remotehost succeeded. Setting: Win7_Client<-----WLAN----->WAP LinksysWRT54gl<------MPLS-Network over PPPoE----------->FreeRADIUS_proxy(<---------------------------->FreeRADIUS_main) Windows 7 dd-wrt v24 SP2 Ubuntu Server 10.4.2, freeradius 2.1.10 generic 10.73.108.254 internal: 10.0.73.1 external: 213.x.x.x I dont get a clue if the Problem is Windows, Certificates, Network oder simply misconfigured freeradius. certificates: - i build the certs with and without that windows extension OID in server.cnf with make from ../raddb/certs - 2048 bit Windows 7: - installed ca.der as root cert in win7 and configured it for the desired WiFi network - for my eyes no difference in debug logs if validate server cert or not. - unchecked using windows user or domain for auth - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for eap - tls right? WAP: - WPA2 Enterprise with AES no accept packet possible until now - WPA Enterprise with AES results in that 9-times Challenges until accept freeRADIUS: - compiled with installed openSSL dev lib - default config as it comes out of the box, exept: added user bob with cleartext password in users, added the WAP as client in clients.conf, changed default_eap_type = "peap" and private_key_password = "MYSECRET_FROM_SERVER_CERT" in eap.conf configuration and stuff pls look at attached debug.log from running radiusd -X debug.log contains the output of radiusd -X with Access-Requests over WPA-Enterprise. I hope you got a hint for me. Thanks ! Simon FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on May 12 2011 at 13:56:14 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/control-socket main { allow_core_dumps = no } including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.73.108.0/24 { require_message_authenticator = no secret = "testing123-3" shortname = "Spot" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "MYSECRET_FROM_SERVER_CERT" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /usr/local/etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail detail { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/usr/local/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /usr/local/var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.73.108.254 port 2055, id=0, length=119 User-Name = "bob" NAS-IP-Address = 10.73.108.254 Called-Station-Id = "c2c1c018553e" Calling-Station-Id = "001e654bde20" NAS-Identifier = "c2c1c018553e" NAS-Port = 53 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000801626f62 Message-Authenticator = 0xb0dac5d5516e083d0cf8f0844b9c1bf7 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.73.108.254 port 2055 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x100d0b13100f1212d04f6d2a999d2f8b Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.73.108.254 port 2055, id=0, length=246 Cleaning up request 0 ID 0 with timestamp +25 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x100d0b13100f1212 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "bob" NAS-IP-Address = 10.73.108.254 Called-Station-Id = "c2c1c018553e" Calling-Station-Id = "001e654bde20" NAS-Identifier = "c2c1c018553e" NAS-Port = 53 Framed-MTU = 1400 State = 0x100d0b13100f1212d04f6d2a999d2f8b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202007519800000006b16030100660100006203014dd2abd5dd3cdf77091d87a1310cd27e040a8c9c3b2da1a028d11edfafcde2a8000018002f00350005000ac013c014c009c00a003200380013000401000021ff01000100000000080006000003626f62000a0006000400170018000b00020100 Message-Authenticator = 0xc67efa07682c65e72fc0e82a299a912f # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 117 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 107 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0066], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0804], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.73.108.254 port 2055 EAP-Message = 0x0103040019c00000084816030100310200002d03014dd2abd4a60b5649a868c0dde3471924b6b00c8c381049c16df9d96584020ea000002f000005ff0100010016030108040b0008000007fd0003853082038130820269a003020102020105300d06092a864886f70d0101040500308180310b3009060355040613024445310b3009060355040813025348310d300b060355040713044b69656c310f300d060355040a1306544e47204147311d301b06092a864886f70d010901160e746563686e696b40746e672e6465312530230603550403131c544e4720414720436572746966696361746520417574686f72697479301e170d3131303531373135 EAP-Message = 0x343033355a170d3136303531353135343033355a306e310b3009060355040613024445310b3009060355040813025348310f300d060355040a1306544e472041473122302006035504031319544e4720414720536572766572204365727469666963617465311d301b06092a864886f70d010901160e746563686e696b40746e672e646530820122300d06092a864886f70d01010105000382010f003082010a0282010100d8d6225069787453257c4461758d5a159d09901c830b942fa8dec19f56515ee3e44fd904f5fef9cf2f0a0ed733ba5eb79d8cb00a6c3f1da79210174ffc71f669a083c19a92649be960abe4262506c6ae0d8c88a9eac7835d EAP-Message = 0x65c0ff79a77aa91ca62cb54d37a55ad37948560acd1e70eb26fe3fd1ad5851b3af0b9d0568ec893d70b9fc29710759c0515e511459ae4250a1c9cf72bb207594f9083aaf6901beeca389d14c058e5dd68fb17236305bc2b4a00b8977f4c71fa824f5b7ac16b7afe8aea2959136b73534da6b76c49162d75451d436186228c63926937093804799c40e5f02d8e87cafbc849801640fd0c9a62e2409a2e81822bb967bdce911627eeb0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101006f4ebd3de9a045e7453fcaad27f47f9ee18104e54d5aab72ddd77fa1608c59a9a76e20 EAP-Message = 0xa563e682fc457f06a624685583afe2f520ad14e26f79a3d08c6282dee3a15da0c345578e5dad0e4fb0bd18166eaecff9fec1f1f35b5c002ec7ac8718ffab6863a1bc83649fce0967624fad3cd1aedb3f4ac7047f20331b31d3b79a4c3943f0b1cb78451902baae934a4c5f5ac6526a80c063dc531f2d20675928bc081333c9417a5e690624b1faa31bbdfd50d57698ffa432e7796d588a2ced41f4011389c6c8ef2f800ecb70e05f8d626fa6a7cb32f99703b03aabe136ff3398accd3d4c6265c6e0488452a97838c18767a14c451942b51caecd5e93fa6680d56ec5c20004723082046e30820356a003020102020900f2e42380f2d1145d300d06092a EAP-Message = 0x864886f70d01010505003081 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x100d0b13110e1212d04f6d2a999d2f8b Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.73.108.254 port 2055, id=0, length=135 Cleaning up request 1 ID 0 with timestamp +25 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x100d0b13110e1212 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "bob" NAS-IP-Address = 10.73.108.254 Called-Station-Id = "c2c1c018553e" Calling-Station-Id = "001e654bde20" NAS-Identifier = "c2c1c018553e" NAS-Port = 53 Framed-MTU = 1400 State = 0x100d0b13110e1212d04f6d2a999d2f8b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0xd8b0178d466cb36842c8ce7f85249787 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.73.108.254 port 2055 EAP-Message = 0x010403fc194080310b3009060355040613024445310b3009060355040813025348310d300b060355040713044b69656c310f300d060355040a1306544e47204147311d301b06092a864886f70d010901160e746563686e696b40746e672e6465312530230603550403131c544e4720414720436572746966696361746520417574686f72697479301e170d3131303531373135343033355a170d3136303531353135343033355a308180310b3009060355040613024445310b3009060355040813025348310d300b060355040713044b69656c310f300d060355040a1306544e47204147311d301b06092a864886f70d010901160e746563686e696b40 EAP-Message = 0x746e672e6465312530230603550403131c544e4720414720436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100e93670e06aaa7ea1894baaf99cd50b7964db3ecf7f569411203334701a6eaa8e36c055cf0cebeac15f0b132e167cb6182ebc88bfc3a334a9470881cf5336ea303ff9f697a494cead9f64f1c508ba4b137d0da09e7adf82643c6f8a17be715dee44e8ae11a0d2222b0085f38cceee12109bdf2e1ac740a9b2fa7bf5fb8b6b8e93b6175be2d78466c35dcce79c5782f4316ee9fee551bef7db556a7af9909114a74902337d97cbf10e5bbe4ec9f55dc3 EAP-Message = 0xd26b4a94092e757d41d68308dd949ebc550a8e91479d7f388ca04915fab9ef496f7e35883a34128fbbae4767faac26278ffd10438cdd7b12e7a50d83db7799fcdaf2cbed54cbc24c297aabd994e76f7b5f0203010001a381e83081e5301d0603551d0e0416041428cf127b083986d7b466b1fd1c00d7d5800f39d73081b50603551d230481ad3081aa801428cf127b083986d7b466b1fd1c00d7d5800f39d7a18186a48183308180310b3009060355040613024445310b3009060355040813025348310d300b060355040713044b69656c310f300d060355040a1306544e47204147311d301b06092a864886f70d010901160e746563686e696b40746e EAP-Message = 0x672e6465312530230603550403131c544e4720414720436572746966696361746520417574686f72697479820900f2e42380f2d1145d300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100d3bfa1a73a0851f70b93f5c4e362c664f12a8a42bfacd0b21514f376cc85e6374946e6d34a71f766bd88ab383176e8e6cede620972b26c7fb859976036ea7a9baad7700cf404a697f56a28dddf08705bba951c61f56e4d407b9b87f28843d48d35432b2d5fb83a393c906e6144337d0865f2ef4de380117f8012455229c35b841403984747f58ab7547e398991c5c318f937cc8c59b45ddda4108cbd0ae1e74c83a7d96e70 EAP-Message = 0x7f9e8eff783a5655 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x100d0b1312091212d04f6d2a999d2f8b Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.73.108.254 port 2055, id=0, length=135 Cleaning up request 2 ID 0 with timestamp +25 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x100d0b1312091212 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "bob" NAS-IP-Address = 10.73.108.254 Called-Station-Id = "c2c1c018553e" Calling-Station-Id = "001e654bde20" NAS-Identifier = "c2c1c018553e" NAS-Port = 53 Framed-MTU = 1400 State = 0x100d0b1312091212d04f6d2a999d2f8b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061900 Message-Authenticator = 0x9ee76e174f575c845910ce66467f4e67 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.73.108.254 port 2055 EAP-Message = 0x01050062190029692ee5a7a5fdf4327bcce76583fdd68c78584b3eb346515bf711edbffd111d781f38dc8d8b1d0274d83bb35ecf7f3bdee5f49eb1e7cae44ca1bfbeccb7ce2d94ee34b695fd61bc218b4a647ee316c9f62d9f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x100d0b1313081212d04f6d2a999d2f8b Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.73.108.254 port 2055, id=0, length=467 Cleaning up request 3 ID 0 with timestamp +25 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x100d0b1313081212 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "bob" NAS-IP-Address = 10.73.108.254 Called-Station-Id = "c2c1c018553e" Calling-Station-Id = "001e654bde20" NAS-Identifier = "c2c1c018553e" NAS-Port = 53 Framed-MTU = 1400 State = 0x100d0b1313081212d04f6d2a999d2f8b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020501501980000001461603010106100001020100456d29be5bcf8c5933f9d3bd3c44c6fb96e31800b8152fb037b22f7468711dd5c363dc1899e21479b74e22f0033d92776f433d3349a51ab906f6a310e9c4f9133883cc18ce0ea3ffe494bd72c615977720b37a8feecb3e4ef30be1aa1c3b0d76cbebd8124ec360498dc2bc4f658fc4dd79c55fed00541321757f5c77491f2e25d88e04a27d512603b722f219be8d57e2bf0e278a43a6e2f850de7098f0ad66af8187e1975e6c5271421f6084922a9f7cfd1c79351b7a1a86b9c85564a7921735e1c30ab9852eb8325133f158b8ea08adacc2fb3be3b65ca638d3e0913fee8586cb7d5f26c233b2bc EAP-Message = 0xdf557ea01cf812ec5c351a01293350117225d4df7126b3c21403010001011603010030c206bb2cb47e66202309b01974fcc2e6362787b1339b193ac499a7257ec15f8632b17be84198f82eb730dbcc34482cb2 Message-Authenticator = 0x6f9c48fc5889461cead3fb19b17b93ff # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.73.108.254 port 2055 EAP-Message = 0x01060041190014030100010116030100304f0972823d99581d12bcf661263819e76e1736b7e72545adecd3a27dddb4070adff665ba3372bcf85f0ebc3d5548fa92 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x100d0b13140b1212d04f6d2a999d2f8b Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.73.108.254 port 2055, id=0, length=135 Cleaning up request 4 ID 0 with timestamp +25 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x100d0b13140b1212 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "bob" NAS-IP-Address = 10.73.108.254 Called-Station-Id = "c2c1c018553e" Calling-Station-Id = "001e654bde20" NAS-Identifier = "c2c1c018553e" NAS-Port = 53 Framed-MTU = 1400 State = 0x100d0b13140b1212d04f6d2a999d2f8b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600061900 Message-Authenticator = 0xb8ab753ff6c3ac7ed2c119f39f0aa60d # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.73.108.254 port 2055 EAP-Message = 0x0107002b190017030100205663a730679339a6ed2fd9ba1315fdd48ff2937506934a56719d34a40707fea9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x100d0b13150a1212d04f6d2a999d2f8b Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.73.108.254 port 2055, id=0, length=172 Cleaning up request 5 ID 0 with timestamp +25 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x100d0b13150a1212 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "bob" NAS-IP-Address = 10.73.108.254 Called-Station-Id = "c2c1c018553e" Calling-Station-Id = "001e654bde20" NAS-Identifier = "c2c1c018553e" NAS-Port = 53 Framed-MTU = 1400 State = 0x100d0b13150a1212d04f6d2a999d2f8b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207002b190017030100203ce878a12f3ad373255b4dad25ef8b579404aef0cff83c1b595019cfd25ffa57 Message-Authenticator = 0xc7fd9f70162eb96acc1e0836914380d5 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - bob [peap] Got inner identity 'bob' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207000801626f62 server { PEAP: Setting User-Name to bob Sending tunneled request EAP-Message = 0x0207000801626f62 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "bob" server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0108001d1a0108001810735808091f67266e3b318312610ef9f6626f62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x79d7d2d179dfc809841915d248ba50cb [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001d1a0108001810735808091f67266e3b318312610ef9f6626f62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x79d7d2d179dfc809841915d248ba50cb [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.73.108.254 port 2055 EAP-Message = 0x0108003b19001703010030c7bc245f1bd0e268faedb4f675e900e969f50b1cab2cae28e412fc96f046480f77cb11bb958621d17eff206da5b5e41f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x100d0b1316051212d04f6d2a999d2f8b Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.73.108.254 port 2055, id=0, length=220 Cleaning up request 6 ID 0 with timestamp +25 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x100d0b1316051212 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "bob" NAS-IP-Address = 10.73.108.254 Called-Station-Id = "c2c1c018553e" Calling-Station-Id = "001e654bde20" NAS-Identifier = "c2c1c018553e" NAS-Port = 53 Framed-MTU = 1400 State = 0x100d0b1316051212d04f6d2a999d2f8b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0208005b190017030100500cedee327c0bce1b3ad6baa3ff0a6ea7e1456894b949eaa73fe799c398d8e34954d290510d12b87f6f1f7ffa4ad3de7acabc77a3e10f1485ffaed4b08356b82d9b963a9d1b202067848e9ee0e27f822e Message-Authenticator = 0x8cd5b2eaf4c495aeb9481477f0cdcce2 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0208003e1a02080039317c9b6f62109be2cde0140c2f589125a3000000000000000004984edd0f4562a917adc13677487434711d466f54cd7cef00626f62 server { PEAP: Setting User-Name to bob Sending tunneled request EAP-Message = 0x0208003e1a02080039317c9b6f62109be2cde0140c2f589125a3000000000000000004984edd0f4562a917adc13677487434711d466f54cd7cef00626f62 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "bob" State = 0x79d7d2d179dfc809841915d248ba50cb server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 62 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: bob [mschap] Told to do MS-CHAPv2 for bob with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d41433435333132443031413636353737333043423832333937304243373643354145353035334445 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x79d7d2d178dec809841915d248ba50cb [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d41433435333132443031413636353737333043423832333937304243373643354145353035334445 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x79d7d2d178dec809841915d248ba50cb [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.73.108.254 port 2055 EAP-Message = 0x0109005b1900170301005044b49efcb171a5490b136e868d52db798d6fcb5351d2cd12c18507423a29d405a5c37f1fe42e04aa9fa50e2847cf8a1ea8ef4ac6a4b8da81aec317e29c1eb05bd835c61aad87796863946c43fc206ffc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x100d0b1317041212d04f6d2a999d2f8b Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.73.108.254 port 2055, id=0, length=172 Cleaning up request 7 ID 0 with timestamp +25 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x100d0b1317041212 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "bob" NAS-IP-Address = 10.73.108.254 Called-Station-Id = "c2c1c018553e" Calling-Station-Id = "001e654bde20" NAS-Identifier = "c2c1c018553e" NAS-Port = 53 Framed-MTU = 1400 State = 0x100d0b1317041212d04f6d2a999d2f8b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0209002b19001703010020838e3d080afcad2883db41d2f509174a48569119f0694117f43034e0f9ac6517 Message-Authenticator = 0x2b1607b034e50ac42eaffe000bf35724 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { PEAP: Setting User-Name to bob Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "bob" State = 0x79d7d2d178dec809841915d248ba50cb server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry bob at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x95f34e95115465473d1119a5bb913370 MS-MPPE-Recv-Key = 0x7d3d8d135dfa07b63845d55d36cb563d EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "bob" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x95f34e95115465473d1119a5bb913370 MS-MPPE-Recv-Key = 0x7d3d8d135dfa07b63845d55d36cb563d EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "bob" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 10.73.108.254 port 2055 EAP-Message = 0x010a002b190017030100202ee07dd0ea67eadd482aaa41b54e77df0bc0d6a3c5ab2241613579541feae813 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x100d0b1318071212d04f6d2a999d2f8b Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.73.108.254 port 2055, id=0, length=172 Cleaning up request 8 ID 0 with timestamp +25 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x100d0b1318071212 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "bob" NAS-IP-Address = 10.73.108.254 Called-Station-Id = "c2c1c018553e" Calling-Station-Id = "001e654bde20" NAS-Identifier = "c2c1c018553e" NAS-Port = 53 Framed-MTU = 1400 State = 0x100d0b1318071212d04f6d2a999d2f8b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020a002b19001703010020dd2bba1c8637183f34912e930a6ea4aabd765737b0d070833ed2ba7f7cd8ea92 Message-Authenticator = 0x843b0013b75780b3b25163a515a8ecb4 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 0 to 10.73.108.254 port 2055 MS-MPPE-Recv-Key = 0x4f13a7a3e0360ac31ae13e261d82ef623a266a784f5b418478729547e2fbab8d MS-MPPE-Send-Key = 0xf2f9ecb0844e975644bb0d44d4b7c92af509807316647edeeabe60eea3a09eb2 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "bob" Finished request 9. Going to the next request Waking up in 4.9 seconds. Cleaning up request 9 ID 0 with timestamp +25 Ready to process requests. Sending Access-Request of id 25 to 127.0.0.1 port 1812 User-Name = "bob" User-Password = "hello" NAS-IP-Address = 213.1xx.xx.xx NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=25, length=20 bob Cleartext-Password := "hello" DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP
I can't comment on your problem right now, but be aware there seem to be MANY issues with Windows 7. Our config works PERFECT with XP, Apple IOS, and other "basic" stuff. When we started testing Windows 7 (WPA2 Enterprise) we ran into all kinds of weirdness. And just when we think we have a working config and have a few users start testing it breaks. The web is littered with people having problems with Windows 7. I'm convinced the W7 Supplicant is really broken. In our environment FR doesn't even see the PEAP, just an MSCHAP, and that even fails! Anyway... Maybe if someone knows of a tool to dehash/decrypt the MSCHAP stuff I could actually see what's different in the requests between a working auth and a rejected auth. Right now we're grasping at straws and can't figure out why MS is essentially doing nothing about this... G -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Simon L. Sent: Wednesday, May 18, 2011 10:27 AM To: FreeRadius users mailing list Subject: Authentication issues with Win7 and WPA/WPA2 Enterprise Dear Users, I hope you will be patient with me, its my first time with freeradius. I have problems to authenticate Windows 7 Clients with freeradius. Using WPA2-Enterprise results in Access-Rejects after one Request. Using WPA-Enterprise results in about nine different Access-Challanges and one final Access-Accept - that cant be right. I have set up a testing scenario with the local test user bob. If local authentication works properly i want to proxy all requests without EAP to another freeradius server. I will have questions to that later :) radtest from localhost an remotehost succeeded. Setting: Win7_Client<-----WLAN----->WAP LinksysWRT54gl<------MPLS-Network over PPPoE----------->FreeRADIUS_proxy(<---------------------------->FreeRADIUS_main) Windows 7 dd-wrt v24 SP2 Ubuntu Server 10.4.2, freeradius 2.1.10 generic 10.73.108.254 internal: 10.0.73.1 external: 213.x.x.x I dont get a clue if the Problem is Windows, Certificates, Network oder simply misconfigured freeradius. certificates: - i build the certs with and without that windows extension OID in server.cnf with make from ../raddb/certs - 2048 bit Windows 7: - installed ca.der as root cert in win7 and configured it for the desired WiFi network - for my eyes no difference in debug logs if validate server cert or not. - unchecked using windows user or domain for auth - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for eap - tls right? WAP: - WPA2 Enterprise with AES no accept packet possible until now - WPA Enterprise with AES results in that 9-times Challenges until accept freeRADIUS: - compiled with installed openSSL dev lib - default config as it comes out of the box, exept: added user bob with cleartext password in users, added the WAP as client in clients.conf, changed default_eap_type = "peap" and private_key_password = "MYSECRET_FROM_SERVER_CERT" in eap.conf configuration and stuff pls look at attached debug.log from running radiusd -X debug.log contains the output of radiusd -X with Access-Requests over WPA-Enterprise. I hope you got a hint for me. Thanks ! Simon <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
On 18/05/11 16:50, Gary Gatten wrote:
I can't comment on your problem right now, but be aware there seem to be MANY issues with Windows 7. Our config works PERFECT with XP, Apple IOS, and other "basic" stuff. When we started testing Windows 7 (WPA2 Enterprise) we ran into all kinds of weirdness. And just when we think we have a working config and have a few users start testing it breaks.
The web is littered with people having problems with Windows 7. I'm convinced the W7 Supplicant is really broken. In our environment FR doesn't even see the PEAP, just an MSCHAP, and that even fails!
We have no problems with Windows 7. It works just fine. There don't seem to be significant differences between it and Windows XP SP3 from our point of view.
Anyway... Maybe if someone knows of a tool to dehash/decrypt the MSCHAP stuff I could actually see what's different in the requests between a working auth and a rejected auth. Right now we're grasping at straws and can't figure out why MS is essentially doing nothing about this...
Can you be more specific about what kind of "script" you want? I've got a bunch of python tools I use for testing here.
I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them. I have FR debugs of a working auth and a rejected auth. I'd like to "unhash" the MSCHAP stuff to see in clear text what's getting sent back and forth so I can get a better idea of why the request is being rejected. G -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Wednesday, May 18, 2011 11:01 AM To: freeradius-users@lists.freeradius.org Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise On 18/05/11 16:50, Gary Gatten wrote:
I can't comment on your problem right now, but be aware there seem to be MANY issues with Windows 7. Our config works PERFECT with XP, Apple IOS, and other "basic" stuff. When we started testing Windows 7 (WPA2 Enterprise) we ran into all kinds of weirdness. And just when we think we have a working config and have a few users start testing it breaks.
The web is littered with people having problems with Windows 7. I'm convinced the W7 Supplicant is really broken. In our environment FR doesn't even see the PEAP, just an MSCHAP, and that even fails!
We have no problems with Windows 7. It works just fine. There don't seem to be significant differences between it and Windows XP SP3 from our point of view.
Anyway... Maybe if someone knows of a tool to dehash/decrypt the MSCHAP stuff I could actually see what's different in the requests between a working auth and a rejected auth. Right now we're grasping at straws and can't figure out why MS is essentially doing nothing about this...
Can you be more specific about what kind of "script" you want? I've got a bunch of python tools I use for testing here. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
On 18/05/11 17:10, Gary Gatten wrote:
I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them.
I have FR debugs of a working auth and a rejected auth. I'd like to "unhash" the MSCHAP stuff to see in clear text what's getting sent back and forth so I can get a better idea of why the request is being rejected.
That isn't really how it works. MS-CHAP is a (reasonably) cryptographically secure protocol. You can't go backwards from: MS-CHAP-Challenge = xxx MS-CHAP2-Response = yyy ...to anything meaningful. You *can* check that a given response is valid for a given challenge, if you know the password or nt hash.
That's what I was afraid of... Can you expand on this: "You *can* check that a given response is valid for a given challenge, if you know the password or nt hash." TIA G -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Wednesday, May 18, 2011 11:27 AM To: freeradius-users@lists.freeradius.org Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise On 18/05/11 17:10, Gary Gatten wrote:
I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them.
I have FR debugs of a working auth and a rejected auth. I'd like to "unhash" the MSCHAP stuff to see in clear text what's getting sent back and forth so I can get a better idea of why the request is being rejected.
That isn't really how it works. MS-CHAP is a (reasonably) cryptographically secure protocol. You can't go backwards from: MS-CHAP-Challenge = xxx MS-CHAP2-Response = yyy ...to anything meaningful. You *can* check that a given response is valid for a given challenge, if you know the password or nt hash. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
On 18/05/11 17:35, Gary Gatten wrote:
That's what I was afraid of...
Can you expand on this:
"You *can* check that a given response is valid for a given challenge, if you know the password or nt hash."
At length, but I would be here all day ;o) Basically, I've got a python script that performs the MS-CHAP crypto. I'll see if I can stick it somewhere people can make use of it. But FreeRADIUS does this "right". There's no need for an external script (unless you're fiddling with the MS-CHAP module guts, which I was when I wrote it). If FreeRADIUS is telling you the mschap response is wrong, it's wrong. Either: 1. The client is sending wrong data 2. The server has wrong data (password/hash) 3. Something is fiddling with the data in transit Since we *know* your Aruba kit is doing some fiddling, it
On 18/05/11 17:10, Gary Gatten wrote:
I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them.
As per previous posts: Your Aruba wireless equipment is: a. Terminating the outer EAP-PEAP b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2 I strongly suspect this will be causing the problems you are having, and I even suspect I know how - I think it's probably clients typing in their username in mIxEd-CaSe, which will cause cryptographich (hash) mismatches at client and server without careful preservation of the EAP payload. As per Neal Garber's post of 10th May, even FreeRADIUS had problems with this prior to 2.1.10 Are you / have you been able to: 1. stop terminating the PEAP on the Aruba 2. upgrade to FreeRADIUS 2.1.10 ?
I have a 2.1.10 server we are tesing with, but I thought the patch you mentioned wasn't in 2.1.10, I think Alan said he'd put it in 3.x? We will be testing passing the entire *eap session to FR this afternoon. ----- Original Message ----- From: Phil Mayers [mailto:p.mayers@imperial.ac.uk] Sent: Wednesday, May 18, 2011 12:29 PM To: freeradius-users@lists.freeradius.org <freeradius-users@lists.freeradius.org> Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise On 18/05/11 17:10, Gary Gatten wrote:
I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them.
As per previous posts: Your Aruba wireless equipment is: a. Terminating the outer EAP-PEAP b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2 I strongly suspect this will be causing the problems you are having, and I even suspect I know how - I think it's probably clients typing in their username in mIxEd-CaSe, which will cause cryptographich (hash) mismatches at client and server without careful preservation of the EAP payload. As per Neal Garber's post of 10th May, even FreeRADIUS had problems with this prior to 2.1.10 Are you / have you been able to: 1. stop terminating the PEAP on the Aruba 2. upgrade to FreeRADIUS 2.1.10 ? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
On 18/05/11 18:41, Gary Gatten wrote:
I have a 2.1.10 server we are tesing with, but I thought the patch you mentioned wasn't in 2.1.10, I think Alan said he'd put it in 3.x?
The patch which handles mixed-case client username in PEAP/MSCHAP was written by Neal Garber, and is in 2.1.10. The patches I've written recently are not related to this. They're new functionality for other things.
Initial test results passing PEAP et al to FR (vs. Aruba terminating PEAP) and "proxying" MSCHAP APPEAR to work well. Testing is by no means 100% complete, but so far so good. Scenarios that used to result in a reject are now working as expected. I had an initial problem 'cause I installed this to /devel/ to test with and I mucked something up and many files and dirs ended up directly unders /devel instead of for instance /devel/raddb/. I created raddb and copied certs there and it was more happy. FWIW: We are NOT using client certs at this time, we are using the PEAP/MSCHAPv2 and "use my windows credentials" option. Thanks! Gary -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Gary Gatten Sent: Wednesday, May 18, 2011 12:41 PM To: 'freeradius-users@lists.freeradius.org' Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise I have a 2.1.10 server we are tesing with, but I thought the patch you mentioned wasn't in 2.1.10, I think Alan said he'd put it in 3.x? We will be testing passing the entire *eap session to FR this afternoon. ----- Original Message ----- From: Phil Mayers [mailto:p.mayers@imperial.ac.uk] Sent: Wednesday, May 18, 2011 12:29 PM To: freeradius-users@lists.freeradius.org <freeradius-users@lists.freeradius.org> Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise On 18/05/11 17:10, Gary Gatten wrote:
I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them.
As per previous posts: Your Aruba wireless equipment is: a. Terminating the outer EAP-PEAP b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2 I strongly suspect this will be causing the problems you are having, and I even suspect I know how - I think it's probably clients typing in their username in mIxEd-CaSe, which will cause cryptographich (hash) mismatches at client and server without careful preservation of the EAP payload. As per Neal Garber's post of 10th May, even FreeRADIUS had problems with this prior to 2.1.10 Are you / have you been able to: 1. stop terminating the PEAP on the Aruba 2. upgrade to FreeRADIUS 2.1.10 ? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 18/05/11 17:10, Gary Gatten wrote:
I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them.
Are you / have you been able to:
1. stop terminating the PEAP on the Aruba 2. upgrade to FreeRADIUS 2.1.10
I can at least confirm the following from my Aruba setup here: a) _not_ terminating the outer EAP-PEAP in the Aruba and b) passing the whole thing to FR 2.1.10 works with any Windows I have so far encountered. (as far as the other things like server certificate chain, etc. are correct.) So the setup Win7->Aruba->FR _will_ work, if you don't let the Aruba gear fiddle with your EAP. Grüße, Sven. -- Sigmentation fault. Core dumped.
On 18/05/11 16:26, Simon L. wrote:
Using WPA2-Enterprise results in Access-Rejects after one Request.
That is not normal. WPA2 should be the same as WPA at the radius level.
Using WPA-Enterprise results in about nine different Access-Challanges and one final Access-Accept - that cant be right.
That is normal. EAP exchanges are usually 9/10 request/challenge pairs followed by a final request/accept. What exactly is your problem?
I have set up a testing scenario with the local test user bob. If local authentication works properly i want to proxy all requests without EAP to another freeradius server. I will have questions to that later :)
radtest from localhost an remotehost succeeded.
Sorry - radtest does not do EAP. radtest is not a valid test.
I dont get a clue if the Problem is Windows, Certificates, Network oder simply misconfigured freeradius.
You haven't told us what the problem is. WPA-Enterprise is working for you - the radius server is sending an access-accept. What problem are you experiencing?
certificates: - i build the certs with and without that windows extension OID in server.cnf with make from ../raddb/certs
Why? You MUST include the OID.
- 2048 bit
Windows 7: - installed ca.der as root cert in win7 and configured it for the desired WiFi network - for my eyes no difference in debug logs if validate server cert or not.
"Validate server cert" is done on the client. You won't see any difference on the server.
- unchecked using windows user or domain for auth - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for eap - tls right?
PEAP uses TLS. PEAP needs certs too.
WAP: - WPA2 Enterprise with AES no accept packet possible until now
As above - that's not normal. The debug you sent contains no reject. Please send a debug for this case.
- WPA Enterprise with AES results in that 9-times Challenges until accept
As above - this is normal Access-Accept means everything is working. If you are still having problems after the Access-Accept, you need to describe what those problems are.
One point of clarification: "PEAP uses TLS. PEAP needs certs too." Not *all* peap uses TLS and hence needs certs. The MS PEAP/MSCHAPv2 is a common example. G -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Wednesday, May 18, 2011 10:52 AM To: freeradius-users@lists.freeradius.org Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise On 18/05/11 16:26, Simon L. wrote:
Using WPA2-Enterprise results in Access-Rejects after one Request.
That is not normal. WPA2 should be the same as WPA at the radius level.
Using WPA-Enterprise results in about nine different Access-Challanges and one final Access-Accept - that cant be right.
That is normal. EAP exchanges are usually 9/10 request/challenge pairs followed by a final request/accept. What exactly is your problem?
I have set up a testing scenario with the local test user bob. If local authentication works properly i want to proxy all requests without EAP to another freeradius server. I will have questions to that later :)
radtest from localhost an remotehost succeeded.
Sorry - radtest does not do EAP. radtest is not a valid test.
I dont get a clue if the Problem is Windows, Certificates, Network oder simply misconfigured freeradius.
You haven't told us what the problem is. WPA-Enterprise is working for you - the radius server is sending an access-accept. What problem are you experiencing?
certificates: - i build the certs with and without that windows extension OID in server.cnf with make from ../raddb/certs
Why? You MUST include the OID.
- 2048 bit
Windows 7: - installed ca.der as root cert in win7 and configured it for the desired WiFi network - for my eyes no difference in debug logs if validate server cert or not.
"Validate server cert" is done on the client. You won't see any difference on the server.
- unchecked using windows user or domain for auth - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for eap - tls right?
PEAP uses TLS. PEAP needs certs too.
WAP: - WPA2 Enterprise with AES no accept packet possible until now
As above - that's not normal. The debug you sent contains no reject. Please send a debug for this case.
- WPA Enterprise with AES results in that 9-times Challenges until accept
As above - this is normal Access-Accept means everything is working. If you are still having problems after the Access-Accept, you need to describe what those problems are. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
I don't recall doing anything with server certs either - but this was LONG ago. Plus, you are FAR more knowledgeable than I in these matters so I defer to you and stand corrected. The next sound you hear is my tail dragging on the ground as walk away, head down, in shame.... -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Wednesday, May 18, 2011 11:10 AM To: freeradius-users@lists.freeradius.org Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise On 18/05/11 16:59, Gary Gatten wrote:
One point of clarification:
"PEAP uses TLS. PEAP needs certs too."
Not *all* peap uses TLS and hence needs certs. The MS PEAP/MSCHAPv2 is a common example.
Incorrect. PEAP *requires* a server certificate. The client does not need one. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
participants (4)
-
Gary Gatten -
Phil Mayers -
Simon L. -
Sven Hartge