Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
After edit mschap file module by uncommented line containing ntlm_auth =, i used a AP Cisco client from freeradius to test with "test aaa group radius user userpass new-code" User define in user "files" work fine, but user on AD don't. In freeradius using the test bellow, I can access users on AD. root@M:~# ntlm_auth --request-nt-key --domain=XXXXXXX --username=XXXXXXXX password: NT_STATUS_OK: Success (0x0) Why is not working ntlm_auth for ms-chap ? thanks root@MHVRAD01:/usr/local/etc/raddb# radiusd -X FreeRADIUS Version 2.1.8, for host i686-pc-linux-gnu, built on Apr 28 2010 at 12:00:46 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/control-socket including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel main { allow_core_dumps = no } including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.100.0.222 { require_message_authenticator = no secret = "sharedkey2010" shortname = "AP" nastype = "cisco" } client 10.1.3.17 { require_message_authenticator = no secret = "sharedkey2010" shortname = "AP" nastype = "cisco" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-XXXXXXXX} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Instantiating ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=XXXXXXXX --username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/usr/local/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /usr/local/var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests.
Pedro Alves wrote:
User define in user “files” work fine, but user on AD don’t.
In freeradius using the test bellow, I can access users on AD.
Have you followed the "Active Directory" howto on http://deployingradius.com?
root@MHVRAD01:/usr/local/etc/raddb# radiusd -X ... Ready to process requests.
... and the server doesn't receive any packets. We can't help you debug an issue if you don't show us what's happening. Alan DeKok.
Hello Again. This is the test with local user: AP#test aaa group radius userlocal localpass new-code Trying to authenticate with Servergroup radius User successfully authenticated rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=174, length=53 User-Password = " localpass " User-Name = " userlocal " NAS-IP-Address = xx.xx.xx.xx +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "local01", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry local01 at line 79 [files] expand: Ola, %{User-Name} -> Ola, local01 ++[files] returns ok WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request is correct. +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 174 to 10.1.3.17 port 1645 Reply-Message = "Ola, local01" Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 5 ID 174 with timestamp +416 Ready to process requests. This is the test with AD user: AP#test aaa group radius userad userpass new-code Trying to authenticate with Servergroup radius User rejected rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175, length=52 User-Password = "userpass" User-Name = "userad" NAS-IP-Address = xx.xx.xx.xx +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> radius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 175 to 10.1.3.17 port 1645 Waking up in 4.9 seconds. Cleaning up request 6 ID 175 with timestamp +531 Ready to process requests. -----Original Message----- From: freeradius-users-bounces+pedrojmalves=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: quarta-feira, 28 de Abril de 2010 16:40 To: FreeRadius users mailing list Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP Pedro Alves wrote:
User define in user “files” work fine, but user on AD don’t.
In freeradius using the test bellow, I can access users on AD.
Have you followed the "Active Directory" howto on http://deployingradius.com?
root@MHVRAD01:/usr/local/etc/raddb# radiusd -X ... Ready to process requests.
... and the server doesn't receive any packets. We can't help you debug an issue if you don't show us what's happening. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Pedro Alves wrote:
This is the test with AD user:
AP#test aaa group radius userad userpass new-code Trying to authenticate with Servergroup radius User rejected
rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175, length=52 User-Password = "userpass" User-Name = "userad" NAS-IP-Address = xx.xx.xx.xx
So... you're not doing MS-CHAP. Why is this message useful? Again... the Active Directory howto you were pointed to *documents* this. Go read it and follow the steps. If you don't follow the documentation, you probably won't be able to solve the problem. Alan DeKok.
Correct. Just use JRadiusSimulator to make MS-CHAP and work fine. Thanks -----Original Message----- From: freeradius-users-bounces+pedrojmalves=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail.com@lists.freeradius.org ] On Behalf Of Alan DeKok Sent: quarta-feira, 28 de Abril de 2010 20:59 To: FreeRadius users mailing list Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP Pedro Alves wrote:
This is the test with AD user:
AP#test aaa group radius userad userpass new-code Trying to authenticate with Servergroup radius User rejected
rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175, length=52 User-Password = "userpass" User-Name = "userad" NAS-IP-Address = xx.xx.xx.xx
So... you're not doing MS-CHAP. Why is this message useful? Again... the Active Directory howto you were pointed to *documents* this. Go read it and follow the steps. If you don't follow the documentation, you probably won't be able to solve the problem. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello Again. Using JRadiusSimulator to test and receive "Sending Access-Accept" :) But when i use a client AP Cisco Aironet 1121, only users from "files" can connect, users on AD dont. This is the radiusd -X : rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=103, length=121 User-Name = "radius" Framed-MTU = 1400 Called-Station-Id = "0016.9df4.c3d0" Calling-Station-Id = "001c.bf72.f652" Service-Type = Login-User Message-Authenticator = 0x5421f97a6f252cbb7b15c33e50e083c9 EAP-Message = 0x0214000b01726164697573 NAS-Port-Type = Wireless-802.11 NAS-Port = 333 NAS-IP-Address = 10.1.3.17 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 20 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 103 to 10.1.3.17 port 1645 EAP-Message = 0x011500061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac9d3931ac8820751e3f7dd68458a60f Finished request 142. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=104, length=208 User-Name = "radius" Framed-MTU = 1400 Called-Station-Id = "0016.9df4.c3d0" Calling-Station-Id = "001c.bf72.f652" Service-Type = Login-User Message-Authenticator = 0xfe9d4d7736eb25ec342eba47caef7bc2 EAP-Message = 0x0215005019800000004616030100410100003d03014bd97bb8c5e84e785ab0eda2044b31ad 36f279237dff6efb4d76d51fc135801b00001600040005000a00090064006200030006001300 1200630100 NAS-Port-Type = Wireless-802.11 NAS-Port = 333 State = 0xac9d3931ac8820751e3f7dd68458a60f NAS-IP-Address = 10.1.3.17 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 21 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0881], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 104 to 10.1.3.17 port 1645 EAP-Message = 0x0116040019c0000008be160301002a0200002603014bd97bc3d689df8189bf1b82478e8b10 b0cdc460dca827895a49c151220d46de0000040016030108810b00087d00087a0003b6308203 b23082029aa003020102020101300d06092a864886f70d0101040500308199310b3009060355 040613025054310f300d060355040813064c6973626f613112301006035504071309416c6672 616769646531153013060355040a130c53756d6f6c2b436f6d70616c3121301f06092a864886 f70d01090116126473694073756d6f6c636f6d70616c2e7074312b3029060355040313225375 6d6f6c2b436f6d70616c20436572746966696361746520417574 EAP-Message = 0x686f72697479301e170d3130303432393130323835355a170d313330343238313032383535 5a308185310b3009060355040613025054310f300d060355040813064c6973626f6131153013 060355040a130c53756d6f6c2b436f6d70616c312b30290603550403132253756d6f6c2b436f 6d70616c20436572746966696361746520417574686f726974793121301f06092a864886f70d 01090116126473694073756d6f6c636f6d70616c2e707430820122300d06092a864886f70d01 010105000382010f003082010a0282010100aead30e6e578a9a3df511d9eea6702ab01f8d0f0 225bc6f044cdda41dc28c39ef7746ba8790d4b86cbe29fc27bb9 EAP-Message = 0x37d171818aa3d8e572af5cca3816a1dbea5a10945323349656c68f7eb947f99cd7db260fe8 4f6d8d5ee453fb228c58cceb0b592def5adb50053d4cebf1edbc4d0a44d49b21ba9dbc3e38b9 5846ba82c0c2b88b132a39f2f80dbe78e1d983577648aab8846a141969fe1b435f07c881611a 434f3bd398b4dea8b1809d46951e9ab9680f04fbc5c65cbde43961850e4cbf87941919ed3614 f87e4f20d38da1cad832f76578fbb920048506e2ac8351d6ed9a41fca5e1028d8fcd4ac768a9 6b6cbf1082c62a17aa16d8b8879c0905c67990d86f0203010001a317301530130603551d2504 0c300a06082b06010505070301300d06092a864886f70d010104 EAP-Message = 0x05000382010100202023fad2fc1181f0f1a8213c9cfe74c61a505191ec8bcb9172987acc3b 53ca9d4c701f4f373be7185568d82285915d4ae5a1079bbaa2b27e64151c680835ad967b80e3 662c4c632b5e8d888783d2b4f514d67a214ebd674fc324a55656c8e3f3e865d08053f35de1a2 8829a6655c5b58c2832c7dd5cfdaa82bf7d6e25307132388d5508e3918bc5bbf0865a8d32e54 9a5678dd2192f4ec0b81da138d59fdb460bd2e7b09648eb226fd0b2433d532206a71dad3cb81 f8205813f7da224921a1718abe53d444fc9eeffa3a08cb59d3114ab207cc3f505cf3c2b3e067 324eb4679fb4857d7a49bc4f494e15bb16b653db09ec29dfe8ec EAP-Message = 0xaf4576c2b0070a32f5800004 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac9d3931ad8b20751e3f7dd68458a60f Finished request 143. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=105, length=134 User-Name = "radius" Framed-MTU = 1400 Called-Station-Id = "0016.9df4.c3d0" Calling-Station-Id = "001c.bf72.f652" Service-Type = Login-User Message-Authenticator = 0x9afdd3efabb3c2c22f2e620b2b6a45e3 EAP-Message = 0x021600061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 333 State = 0xac9d3931ad8b20751e3f7dd68458a60f NAS-IP-Address = 10.1.3.17 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 22 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 105 to 10.1.3.17 port 1645 EAP-Message = 0x011703fc1940be308204ba308203a2a003020102020900e676cf69665132ea300d06092a86 4886f70d0101050500308199310b3009060355040613025054310f300d060355040813064c69 73626f613112301006035504071309416c6672616769646531153013060355040a130c53756d 6f6c2b436f6d70616c3121301f06092a864886f70d01090116126473694073756d6f6c636f6d 70616c2e7074312b30290603550403132253756d6f6c2b436f6d70616c204365727469666963 61746520417574686f72697479301e170d3130303432393130323835355a170d313330343238 3130323835355a308199310b3009060355040613025054310f30 EAP-Message = 0x0d060355040813064c6973626f613112301006035504071309416c66726167696465311530 13060355040a130c53756d6f6c2b436f6d70616c3121301f06092a864886f70d010901161264 73694073756d6f6c636f6d70616c2e7074312b30290603550403132253756d6f6c2b436f6d70 616c20436572746966696361746520417574686f7269747930820122300d06092a864886f70d 01010105000382010f003082010a0282010100b24bbffe31302f4ad0b6b3d14d25043993513a 6afe0052f53368486e882204788a5c1e7ada8e06a7fd2d664c984bb236dce5b1345a51cd20bb 899cf7ec7e045bb40ad4ad13f8feaf194a33e160f961acea0ac2 EAP-Message = 0x9536cfd418e0a931badb0aa0ccb440d9207e7772e9e310b64df5dc0f3aeba600a74a9d6de7 601ccb89003b676d359ba939d836bb45d3f34e4936a4631ca1b8d33481cf99e872f6ddbdff5c 31ba80129a20b4c8c19d10bdd009ddf9359017d12652135a0c4c51a718c1d940903de92cfb9c cb9f97d3a969471527f2e6ea36269acbded706c93317f2cf2c0b0dd3e1206624c9973e839d27 7e1c59abaec63e132bd2d909df6a134754a37f004b3d0203010001a38201013081fe301d0603 551d0e0416041425f59b62bf9b4f44e8823fd2248371807b17ff903081ce0603551d230481c6 3081c3801425f59b62bf9b4f44e8823fd2248371807b17ff90a1 EAP-Message = 0x819fa4819c308199310b3009060355040613025054310f300d060355040813064c6973626f 613112301006035504071309416c6672616769646531153013060355040a130c53756d6f6c2b 436f6d70616c3121301f06092a864886f70d01090116126473694073756d6f6c636f6d70616c 2e7074312b30290603550403132253756d6f6c2b436f6d70616c204365727469666963617465 20417574686f72697479820900e676cf69665132ea300c0603551d13040530030101ff300d06 092a864886f70d010105050003820101008ebc829a120fb51c2610d99da0f4f67a3630d58830 4df593e3493ff80e94e24e524e43b46d3a5cf8b6adf5c54f3c10 EAP-Message = 0xbb37209851f7c861 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac9d3931ae8a20751e3f7dd68458a60f Finished request 144. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=106, length=134 User-Name = "radius" Framed-MTU = 1400 Called-Station-Id = "0016.9df4.c3d0" Calling-Station-Id = "001c.bf72.f652" Service-Type = Login-User Message-Authenticator = 0xcc667a485f75d999ee9ca1a1a4d3009f EAP-Message = 0x021700061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 333 State = 0xac9d3931ae8a20751e3f7dd68458a60f NAS-IP-Address = 10.1.3.17 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 23 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 106 to 10.1.3.17 port 1645 EAP-Message = 0x011800d819002f5a83c923534ec2db772cc3ba7177a11bad2ff8c8cb6ee2a62c77ecfdc796 fb35ec7dcc1a3322a76637b2c7d0d2e719a667fabc8033d27214105e5edae46e97a692e4dc65 026a83907bbaf87e18a5027206612b229b0efc65e3f8be783efb2cc3513222abdf137eb6aa7b 2a857ec7b12276b947e05dba00c8d4a881b72a3418d935a5d041a1dbc983d07be4afa5153389 e82f579ee35ea6c5b1e5b31f5e62a1e28d0d23b99fb88ce6384fd7e8533736c3eaf7a5f643f1 8ec93c0c0732e76932667f049f70fc9e4def16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac9d3931af8520751e3f7dd68458a60f Finished request 145. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=107, length=450 User-Name = "radius" Framed-MTU = 1400 Called-Station-Id = "0016.9df4.c3d0" Calling-Station-Id = "001c.bf72.f652" Service-Type = Login-User Message-Authenticator = 0x504485daa93505822f5226f8336c24c1 EAP-Message = 0x0218014019800000013616030101061000010201000f11893a2a0af5ff119c9aeaf905f745 2ab17e795ff97718a7331a15b262a28985bd6cec5854eb16d2a1df910f3ed31bb4966a8c9efd ed0b5ebe9e17803cbc9a0bded32a9720626fe58ef3e5acfe5aa29b2184f4872ab522ca32c4eb a335742ff20a63c90b52dea3dfba65d0b0407a1040fc59524ef8f5df22775968869da2fe47a7 66f792950eee8b81a61e29b38a4cce55d776aece337c2794e56d3bb395a5619f489553a234f4 43ab9bb2afaedc6dc9a454168e5285ad07b04a82564f34ebe150115a7bb038d8fe90d54d9f3d 9bf48caa31bc4f4a0476a7d82f9380024538e6c6bdc1f4d60130 EAP-Message = 0x27b542fba0cfe08d72e2606c3c67bfb30320ac0133c9f4b7140301000101160301002082ee 41684920bb00277f9676240c2eda7234060fa769c08f7be5046cb4114b4d NAS-Port-Type = Wireless-802.11 NAS-Port = 333 State = 0xac9d3931af8520751e3f7dd68458a60f NAS-IP-Address = 10.1.3.17 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 24 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 107 to 10.1.3.17 port 1645 EAP-Message = 0x0119003119001403010001011603010020620e595ee40aed5c5827c1a95eb2f49bdbd90c99 8731155dcc38ad25392abb11 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac9d3931a88420751e3f7dd68458a60f Finished request 146. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=108, length=134 User-Name = "radius" Framed-MTU = 1400 Called-Station-Id = "0016.9df4.c3d0" Calling-Station-Id = "001c.bf72.f652" Service-Type = Login-User Message-Authenticator = 0x7023048b235562b398e0d7673adc9c37 EAP-Message = 0x021900061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 333 State = 0xac9d3931a88420751e3f7dd68458a60f NAS-IP-Address = 10.1.3.17 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 25 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 108 to 10.1.3.17 port 1645 EAP-Message = 0x011a002019001703010015b3c0657eb22ecfe39f483c96b6d825dd2ae546aa88 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac9d3931a98720751e3f7dd68458a60f Finished request 147. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=109, length=162 User-Name = "radius" Framed-MTU = 1400 Called-Station-Id = "0016.9df4.c3d0" Calling-Station-Id = "001c.bf72.f652" Service-Type = Login-User Message-Authenticator = 0x9d9d8018fcf0ca698b3221bdb5074960 EAP-Message = 0x021a002219001703010017a6900bd1d2f519aa0a543ab128c4179ec45369a3b2d332 NAS-Port-Type = Wireless-802.11 NAS-Port = 333 State = 0xac9d3931a98720751e3f7dd68458a60f NAS-IP-Address = 10.1.3.17 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 26 length 34 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - radius [peap] Got tunneled request EAP-Message = 0x021a000b01726164697573 server { PEAP: Got tunneled identity of radius PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to radius Sending tunneled request EAP-Message = 0x021a000b01726164697573 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "radius" server inner-tunnel { +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 26 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x011b00201a011b001b10104069986f899325db5507f732c9a84d726164697573 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2895040f2924a11970822f6475488c4 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x011b00201a011b001b10104069986f899325db5507f732c9a84d726164697573 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2895040f2924a11970822f6475488c4 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 109 to 10.1.3.17 port 1645 EAP-Message = 0x011b00371900170301002c47364676fd9f5f038e2a853553cd5bf9641c40b4027bf9288d54 93f40de0ce78d96664845c9d1b6d299ce2c8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac9d3931aa8620751e3f7dd68458a60f Finished request 148. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=110, length=216 User-Name = "radius" Framed-MTU = 1400 Called-Station-Id = "0016.9df4.c3d0" Calling-Station-Id = "001c.bf72.f652" Service-Type = Login-User Message-Authenticator = 0x45e1406c4831f33a22bb8334777278de EAP-Message = 0x021b00581900170301004d7f244c122bfed197958b6eed9c2d9409b4ab78e3926597e8ee81 d5224c980b78bcd27c6a70ba2c28ad9e2db574e2d2dd9b8f57e68ae15f3ea2256d1a77907d29 b22dfc99484303a45fd6af169c NAS-Port-Type = Wireless-802.11 NAS-Port = 333 State = 0xac9d3931aa8620751e3f7dd68458a60f NAS-IP-Address = 10.1.3.17 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 27 length 88 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x021b00411a021b003c31cd2f712e07f9dfe9f598c4709e20991f00000000000000003e5f3c c91a9b6a17d93fb3fe2df5fe3ca9bb11e445388c4900726164697573 server { PEAP: Setting User-Name to radius Sending tunneled request EAP-Message = 0x021b00411a021b003c31cd2f712e07f9dfe9f598c4709e20991f00000000000000003e5f3c c91a9b6a17d93fb3fe2df5fe3ca9bb11e445388c4900726164697573 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "radius" State = 0xf2895040f2924a11970822f6475488c4 server inner-tunnel { +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 27 length 65 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for radius with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=radius [mschap] No NT-Domain was found in the User-Name. [mschap] expand: %{mschap:NT-Domain} -> [mschap] ... expanding second conditional [mschap] expand: --domain=%{%{mschap:NT-Domain}:-domain} -> --domain=domain [mschap] mschap2: 10 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=f8ee793b104b9514 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3e5f3cc91a9b6a17d93fb3fe2df5fe3ca9bb11e445388c49 Exec-Program output: NT_KEY: 46AA6F75892B0C742D6F219B7DE53841 Exec-Program-Wait: plaintext: NT_KEY: 46AA6F75892B0C742D6F219B7DE53841 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x011c00331a031b002e533d3537343234373641383630373337373030443645313134443939 3143374137323538434136333633 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2895040f3954a11970822f6475488c4 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x011c00331a031b002e533d3537343234373641383630373337373030443645313134443939 3143374137323538434136333633 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2895040f3954a11970822f6475488c4 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 110 to 10.1.3.17 port 1645 EAP-Message = 0x011c004a1900170301003faca645f76e5aff8c761515bd9d8c3213f7e06d164a58508ec372 6451efcaa894181735f73811912c526d93579a32e2887690f78fb267de6af44993815d126a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac9d3931ab8120751e3f7dd68458a60f Finished request 149. Going to the next request Waking up in 4.7 seconds. -----Original Message----- From: freeradius-users-bounces+pedrojmalves=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail.com@lists.freeradius.org ] On Behalf Of Alan DeKok Sent: quarta-feira, 28 de Abril de 2010 20:59 To: FreeRadius users mailing list Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP Pedro Alves wrote:
This is the test with AD user:
AP#test aaa group radius userad userpass new-code Trying to authenticate with Servergroup radius User rejected
rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175, length=52 User-Password = "userpass" User-Name = "userad" NAS-IP-Address = xx.xx.xx.xx
So... you're not doing MS-CHAP. Why is this message useful? Again... the Active Directory howto you were pointed to *documents* this. Go read it and follow the steps. If you don't follow the documentation, you probably won't be able to solve the problem. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Pedro Alves wrote:
Using JRadiusSimulator to test and receive "Sending Access-Accept" :)
But when i use a client AP Cisco Aironet 1121, only users from "files" can connect, users on AD dont. ... Sending Access-Challenge of id 110 to 10.1.3.17 port 1645 EAP-Message = 0x011c004a1900170301003faca645f76e5aff8c761515bd9d8c3213f7e06d164a58508ec372 6451efcaa894181735f73811912c526d93579a32e2887690f78fb267de6af44993815d126a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac9d3931ab8120751e3f7dd68458a60f Finished request 149. Going to the next request Waking up in 4.7 seconds.
See the FAQ and the comments in eap.conf in recent versions of the server. It may also be a Samba bug. See: https://bugzilla.samba.org/show_bug.cgi?id=6563 Alan DeKok.
I'm using Samba v3.4.0, freeradius v2.1.8, on unbuntu desktop v9.10. Active Directory is a Win2008 server Standard R2. Do you think can be a samba bug ? -----Original Message----- From: freeradius-users-bounces+pedrojmalves=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail.com@lists.freeradius.org ] On Behalf Of Alan DeKok Sent: sexta-feira, 30 de Abril de 2010 8:58 To: FreeRadius users mailing list Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP Pedro Alves wrote:
Using JRadiusSimulator to test and receive "Sending Access-Accept" :)
But when i use a client AP Cisco Aironet 1121, only users from "files" can connect, users on AD dont. ... Sending Access-Challenge of id 110 to 10.1.3.17 port 1645 EAP-Message =
0x011c004a1900170301003faca645f76e5aff8c761515bd9d8c3213f7e06d164a58508ec372
6451efcaa894181735f73811912c526d93579a32e2887690f78fb267de6af44993815d126a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac9d3931ab8120751e3f7dd68458a60f Finished request 149. Going to the next request Waking up in 4.7 seconds.
See the FAQ and the comments in eap.conf in recent versions of the server. It may also be a Samba bug. See: https://bugzilla.samba.org/show_bug.cgi?id=6563 Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I think the problem is the Windows Supplicant because i use a "Intel PROSet Wireless" to connect with success. Need to add [ xpclient_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ xpserver_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.1 to the PKCS#7 keybag attributes holding the client's private key. Already search in here but the two info pages I find are broken: http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm http://www.hep.phys.soton.ac.uk/~jhe/documents/WPA-Authentication+RADIUS-HOW TO.html How can I do this ? Thanks -----Original Message----- From: freeradius-users-bounces+pedrojmalves=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail.com@lists.freeradius.org ] On Behalf Of Alan DeKok Sent: sexta-feira, 30 de Abril de 2010 8:58 To: FreeRadius users mailing list Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP Pedro Alves wrote:
Using JRadiusSimulator to test and receive "Sending Access-Accept" :)
But when i use a client AP Cisco Aironet 1121, only users from "files" can connect, users on AD dont. ... Sending Access-Challenge of id 110 to 10.1.3.17 port 1645 EAP-Message =
0x011c004a1900170301003faca645f76e5aff8c761515bd9d8c3213f7e06d164a58508ec372
6451efcaa894181735f73811912c526d93579a32e2887690f78fb267de6af44993815d126a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac9d3931ab8120751e3f7dd68458a60f Finished request 149. Going to the next request Waking up in 4.7 seconds.
See the FAQ and the comments in eap.conf in recent versions of the server. It may also be a Samba bug. See: https://bugzilla.samba.org/show_bug.cgi?id=6563 Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Pedro Alves wrote:
Already search in here but the two info pages I find are broken: http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm http://www.hep.phys.soton.ac.uk/~jhe/documents/WPA-Authentication+RADIUS-HOW TO.html
How can I do this ?
Read http://freeradius.org/doc/ This is documented. Alan DeKok.
I see that the file xpextensions is already in /raddb/certs dir and is included when create certificates using bootstrap : "openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1" But Windows XP and Vista Supplicant can't authenticate, always have "Sending Access-Challenge" What is the best Samba version to communicate with Win2008 server Standard R2 (Active Directory) ? Cumprimentos Pedro Alves -----Original Message----- From: freeradius-users-bounces+pedrojmalves=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+pedrojmalves=gmail.com@lists.freeradius.org ] On Behalf Of Alan DeKok Sent: sexta-feira, 30 de Abril de 2010 8:58 To: FreeRadius users mailing list Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP Pedro Alves wrote:
Using JRadiusSimulator to test and receive "Sending Access-Accept" :)
But when i use a client AP Cisco Aironet 1121, only users from "files" can connect, users on AD dont. ... Sending Access-Challenge of id 110 to 10.1.3.17 port 1645 EAP-Message =
0x011c004a1900170301003faca645f76e5aff8c761515bd9d8c3213f7e06d164a58508ec372
6451efcaa894181735f73811912c526d93579a32e2887690f78fb267de6af44993815d126a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac9d3931ab8120751e3f7dd68458a60f Finished request 149. Going to the next request Waking up in 4.7 seconds.
See the FAQ and the comments in eap.conf in recent versions of the server. It may also be a Samba bug. See: https://bugzilla.samba.org/show_bug.cgi?id=6563 Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Pedro Alves wrote:
But Windows XP and Vista Supplicant can't authenticate, always have "Sending Access-Challenge"
What is the best Samba version to communicate with Win2008 server Standard R2 (Active Directory) ?
http://deployingradius.com Follow the HOWTOs on the main page for getting EAP to work. They include instructions on how to debug common problems, how to find out exactly what's going wrong, and how to fix it. Alan DeKok.
participants (3)
-
Alan DeKok -
Garber, Neal -
Pedro Alves