Re: PEAP mschapv2 using xp native supplicant
Ryan Setiawan H wrote:
Please post ALL of the debug output. I suspect that you are doing the ldap lookups OUTSIDE of the TLS tunnel rather than INSIDE.
...
repost forgot change subject I'm sorry I didn't include all the debug, because it was so large... anyway here the debug :
As I suspected... you are doing the LDAP lookups *outside* of the tunnel. See raddb/sites-available/inner-tunnel. Ensure that the references to "ldap" are uncommented.
Alan DeKok.
Hi, I've uncomment the ldap section at inner-tunnel also make sure at eap.conf default eap type peap, but still don't work. I've tried to make the eap session directly go to inner-tunnel server at client.conf, but i think it's not good idea and also don't work. any other ways? or am I miss something? Thanks auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: Invalid LM-Password rlm_mschap: Invalid NT-Password rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [testing/<via Auth-Type = EAP>] (from client dotix port 0) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled } # server nispdot1x EAP-Message = 0x010a00261900170301001ba41a64fc5858e400f6380342e22751610df4070fb87d66fcd1dcbb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x252558f1222f410baf9655c23dbf74f3 Finished request 7. Going to the next request Waking up in 4.7 seconds. Framed-MTU = 1480 NAS-IP-Address = 192.168.12.130 NAS-Identifier = "ProCurve Switch 2650" User-Name = "testing" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "00-1c-2e-73-85-00" Calling-Station-Id = "00-16-36-5a-f1-e4" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" State = 0x252558f1222f410baf9655c23dbf74f3 EAP-Message = 0x020a00261900170301001ba49c9266682a7900ffd51675496e5519722e108c0e7a1eaf33a31a Message-Authenticator = 0xeaa952199e0cb6c5e3852ba39433eed3 server nispdot1x { +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testing", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 10 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select -- DISCLAIMER: The contents of this email and attachments are confidential and may be subject to legal privilege. Any unauthorized use, copying, disclosure or communicating any part of it to others is strictly prohibited and may be unlawful. If you are not the intended recipient you must not use, copy, distribute or rely on this email and should please return it immediately to the sender or notify us and delete the email and any attachments from your system. We cannot accept liability for loss or damage resulting from computer viruses. The integrity of email across the Internet cannot be guaranteed and PT BANK NISP, Tbk. will not accept liability for any claims arising as a result of the use of this medium for transmissions by or to PT BANK NISP, Tbk.
Ryan Setiawan H wrote:
Hi, I've uncomment the ldap section at inner-tunnel also make sure at eap.conf default eap type peap, but still don't work. I've tried to make the eap session directly go to inner-tunnel server at client.conf,
That's not a good idea. It won't work.
rlm_mschap: Invalid LM-Password rlm_mschap: Invalid NT-Password
Well, that should be a hint. How about trying to add a user && password in the "users" file? An example is in the FAQ. What you've done is to add *wrong* authentication information. You've also taken care to *not* post what you *are* doing. Alan DeKok.
participants (2)
-
Alan DeKok -
Ryan Setiawan H