PEAP mschapv2 using xp native supplicant
Hi all, I'm using eap for authentication on wired connection ( using freeradius 2.0.5 and LDAP backend ), most of our clients are windows machine so there's little choice for using eap, that is eap-MD5 and PEAP mschapv2. Using EAP-MD5 there isn't any problem, the problem begin with PEAP mschapv2 the debug : ----------------------------------------------------------------- rlm_ldap: Bind was successful rlm_ldap: performing search in ou=dialup,dc=xxx,dc=com, with filter (uid=testing) rlm_ldap: checking if remote access for testing is allowed by uid rlm_ldap: Added User-Password = Testing10 in check items --------------------------------------------------------------- clearly freeradius can see the password and also it clear text :) below i also add samba schema that contain LM and NT password --------------------------------------------------------------- rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute radiusLoginTime as RADIUS attribute Login-Time == "Wk0800-1800" rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0x54657374696e6731 rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 0x54657374696e6731 rlm_ldap: looking for reply items in directory... rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = "101" rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802 rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN rlm_ldap: LDAP attribute radiusFramedProtocol as RADIUS attribute Framed-Protocol = PPP rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute Service-Type = Framed-User rlm_ldap: user testing authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ------------------------------------------------------------------- mschap module say no clear text pasword and also can't create LM and NT password ------------------------------------------------------------------- +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [testing/<via Auth-Type = EAP>] (from client dotix port 0) PEAP: Tunneled authentication was rejected. anyone can help?Thanks Ryan Setiawan H -- DISCLAIMER: The contents of this email and attachments are confidential and may be subject to legal privilege. Any unauthorized use, copying, disclosure or communicating any part of it to others is strictly prohibited and may be unlawful. If you are not the intended recipient you must not use, copy, distribute or rely on this email and should please return it immediately to the sender or notify us and delete the email and any attachments from your system. We cannot accept liability for loss or damage resulting from computer viruses. The integrity of email across the Internet cannot be guaranteed and PT BANK NISP, Tbk. will not accept liability for any claims arising as a result of the use of this medium for transmissions by or to PT BANK NISP, Tbk.
oh and also when using users file the PEAP just run with no problem, the problem rise only when using LDAP Thanks Ryan Setiawan H wrote:
Hi all, I'm using eap for authentication on wired connection ( using freeradius 2.0.5 and LDAP backend ), most of our clients are windows machine so there's little choice for using eap, that is eap-MD5 and PEAP mschapv2. Using EAP-MD5 there isn't any problem, the problem begin with PEAP mschapv2
the debug : ----------------------------------------------------------------- rlm_ldap: Bind was successful rlm_ldap: performing search in ou=dialup,dc=xxx,dc=com, with filter (uid=testing) rlm_ldap: checking if remote access for testing is allowed by uid rlm_ldap: Added User-Password = Testing10 in check items --------------------------------------------------------------- clearly freeradius can see the password and also it clear text :) below i also add samba schema that contain LM and NT password --------------------------------------------------------------- rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute radiusLoginTime as RADIUS attribute Login-Time == "Wk0800-1800" rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0x54657374696e6731 rlm_ldap: LDAP attribute lmPassword as RADIUS attribute LM-Password == 0x54657374696e6731 rlm_ldap: looking for reply items in directory... rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = "101" rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802 rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN rlm_ldap: LDAP attribute radiusFramedProtocol as RADIUS attribute Framed-Protocol = PPP rlm_ldap: LDAP attribute radiusServiceType as RADIUS attribute Service-Type = Framed-User rlm_ldap: user testing authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ------------------------------------------------------------------- mschap module say no clear text pasword and also can't create LM and NT password ------------------------------------------------------------------- +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [testing/<via Auth-Type = EAP>] (from client dotix port 0) PEAP: Tunneled authentication was rejected.
anyone can help?Thanks
Ryan Setiawan H
-- DISCLAIMER: The contents of this email and attachments are confidential and may be subject to legal privilege. Any unauthorized use, copying, disclosure or communicating any part of it to others is strictly prohibited and may be unlawful. If you are not the intended recipient you must not use, copy, distribute or rely on this email and should please return it immediately to the sender or notify us and delete the email and any attachments from your system. We cannot accept liability for loss or damage resulting from computer viruses. The integrity of email across the Internet cannot be guaranteed and PT BANK NISP, Tbk. will not accept liability for any claims arising as a result of the use of this medium for transmissions by or to PT BANK NISP, Tbk.
Ryan Setiawan H wrote:
oh and also when using users file the PEAP just run with no problem, the problem rise only when using LDAP Thanks
Ryan Setiawan H wrote:
Hi all, I'm using eap for authentication on wired connection ( using freeradius 2.0.5 and LDAP backend ), most of our clients are windows machine so there's little choice for using eap, that is eap-MD5 and PEAP mschapv2. Using EAP-MD5 there isn't any problem, the problem begin with PEAP mschapv2
mschap *REQUIRES* either the NT/LM hashes or the plaintext password. What is your LDAP server? If it's ActiveDirectory, you should: * install samba on the machine * join the domain * use the "ntlm_auth" helper If it's another LDAP, you'll need to get the passwords. If you don't have them, it's not possible to do mschap.
Ryan Setiawan H wrote: ...
rlm_ldap: Added User-Password = Testing10 in check items --------------------------------------------------------------- clearly freeradius can see the password and also it clear text :) below i also add samba schema that contain LM and NT password ... ------------------------------------------------------------------- mschap module say no clear text pasword and also can't create LM and NT password ------------------------------------------------------------------- +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
Please post ALL of the debug output. I suspect that you are doing the ldap lookups OUTSIDE of the TLS tunnel rather than INSIDE. Alan DeKok.
participants (3)
-
Alan DeKok -
Phil Mayers -
Ryan Setiawan H