Windows Server 2008 R2 (was already working...)
hey all, we do have a freeradius server authenticating with ntml_auth against a win 2008r2 server. this was working for several months but for 2 weeks now the authentication does not work anymore. authenticating on the command line with ntlm_auth is still working: [root@wlan ~]# ntlm_auth --request-nt-key --username=xxx password: NT_STATUS_OK: Success (0x0) but when authenticating with the radius server i am getting this in the debug log. (we have no idea why this is happening.. the radius config was not changed for several months.. we got an automatically installed win2008r2 server update (i know bad idea). the domain is running the ad 2008 r2 schema.) ++[eap] returns updated Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for asartori@fh-salzburg.ac.at with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. thanks for any help. -euro
mr typo wrote:
[mschap] Told to do MS-CHAPv2 for asartori@fh-salzburg.ac.at <mailto:asartori@fh-salzburg.ac.at> with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
You forced MS-CHAP (i.e. non-ntlm_auth) authentication in FreeRADIUS. Fix that. Alan DeKok.
ill try that. it is just strange that it worked until now.. in the module mschap i am doing a ntlm_auth request. that is how the authenticate sections looks like now. authenticate { Auth-Type MS-CHAP { mschap } eap } so i configure ntlm_auth from the modules and put the directive ntlm_auth just before "Auth-Type MS-CHAP"? ill try that tomorrow, right now i have no chance to test it out. regards -euro On Tue, Apr 6, 2010 at 5:20 PM, Alan DeKok <aland@deployingradius.com>wrote:
mr typo wrote:
[mschap] Told to do MS-CHAPv2 for asartori@fh-salzburg.ac.at <mailto:asartori@fh-salzburg.ac.at> with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
You forced MS-CHAP (i.e. non-ntlm_auth) authentication in FreeRADIUS. Fix that.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hello, i have added the with_nt_domain_hack in the mschapv2 section of eap.conf mschapv2 { with_ntdomain_hack = yes } with this change i am getting the following in debug log: [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for asartori@fh-salzburg.ac.at with NT-Password [mschap] expand: --username=%{Stripped-User-Name} -> --username=asartori [mschap] mschap2: f9 [mschap] expand: --challenge=%{mschap:Challenge} -> --challenge=f06598f7d3c7a32d [mschap] expand: --nt-response=%{mschap:NT-Response} -> --nt-response=eee56e2489411d6d778ab1a40cee629b6abce82769c1c1d1 Exec-Program output: NT_KEY: 3395EA4C15F1E2CE98AB55D36DE5DFBB Exec-Program-Wait: plaintext: NT_KEY: 3395EA4C15F1E2CE98AB55D36DE5DFBB Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled but i never receive a access-accept. from my understanding it should work? the complete debug log is at: https://overlord.fh-salzburg.ac.at/~asartori/debug.txt i hope someone can help! kind regards -euro On Tue, Apr 6, 2010 at 8:02 PM, mr typo <euroregistrar@gmail.com> wrote:
ill try that. it is just strange that it worked until now..
in the module mschap i am doing a ntlm_auth request. that is how the authenticate sections looks like now.
authenticate { Auth-Type MS-CHAP { mschap } eap }
so i configure ntlm_auth from the modules and put the directive ntlm_auth just before "Auth-Type MS-CHAP"?
ill try that tomorrow, right now i have no chance to test it out.
regards
-euro
On Tue, Apr 6, 2010 at 5:20 PM, Alan DeKok <aland@deployingradius.com>wrote:
mr typo wrote:
[mschap] Told to do MS-CHAPv2 for asartori@fh-salzburg.ac.at <mailto:asartori@fh-salzburg.ac.at> with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
You forced MS-CHAP (i.e. non-ntlm_auth) authentication in FreeRADIUS. Fix that.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
so mschap is working again, but now radius stops processing at sending the access-challenge to the accesspoint. it should not be a certificate problem, since the error is happening with all devices (win, mac, mobiles,..). proxy requests to another radius are working fine. andy ideas? i am running on freeradius self compiled under centos5 update: after a reboot it is working again... any ideas what could have caused the problem? reboot is not a solution if it happens again. -euro [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server eduroam-inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010b00331a030a002e533d46313235324136433543373437413137363637363739333345314443413030444330393842343436 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x34d7bc0635dca66007f66a576398301e [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010b00331a030a002e533d46313235324136433543373437413137363637363739333345314443413030444330393842343436 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x34d7bc0635dca66007f66a576398301e [peap] Got tunneled Access-Challenge ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 74 to 10.80.10.150 port 1645 EAP-Message = 0x010b005b190017030100505394731e4048fe963007422bc8845a6901f4d04aa5c7f8e3c1bfc8b90a673a8bcde0455548fdfa1613eccb28d130d26caee4ca2fa7780f7f1f6df04625ee7ba950b11c3e610052763cc6cadcf803d7c9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x193fdf6a1034c6d4fb779767b11c2fbf Finished request 9. Going to the next request Waking up in 1.0 seconds. Cleaning up request 0 ID 65 with timestamp +7 On Wed, Apr 7, 2010 at 9:31 AM, mr typo <euroregistrar@gmail.com> wrote:
hello,
i have added the with_nt_domain_hack in the mschapv2 section of eap.conf
mschapv2 { with_ntdomain_hack = yes }
with this change i am getting the following in debug log: [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for asartori@fh-salzburg.ac.at with NT-Password [mschap] expand: --username=%{Stripped-User-Name} -> --username=asartori [mschap] mschap2: f9 [mschap] expand: --challenge=%{mschap:Challenge} -> --challenge=f06598f7d3c7a32d [mschap] expand: --nt-response=%{mschap:NT-Response} -> --nt-response=eee56e2489411d6d778ab1a40cee629b6abce82769c1c1d1 Exec-Program output: NT_KEY: 3395EA4C15F1E2CE98AB55D36DE5DFBB Exec-Program-Wait: plaintext: NT_KEY: 3395EA4C15F1E2CE98AB55D36DE5DFBB Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled
but i never receive a access-accept. from my understanding it should work?
the complete debug log is at: https://overlord.fh-salzburg.ac.at/~asartori/debug.txt
i hope someone can help!
kind regards
-euro
On Tue, Apr 6, 2010 at 8:02 PM, mr typo <euroregistrar@gmail.com> wrote:
ill try that. it is just strange that it worked until now..
in the module mschap i am doing a ntlm_auth request. that is how the authenticate sections looks like now.
authenticate { Auth-Type MS-CHAP { mschap } eap }
so i configure ntlm_auth from the modules and put the directive ntlm_auth just before "Auth-Type MS-CHAP"?
ill try that tomorrow, right now i have no chance to test it out.
regards
-euro
On Tue, Apr 6, 2010 at 5:20 PM, Alan DeKok <aland@deployingradius.com>wrote:
mr typo wrote:
[mschap] Told to do MS-CHAPv2 for asartori@fh-salzburg.ac.at <mailto:asartori@fh-salzburg.ac.at> with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
You forced MS-CHAP (i.e. non-ntlm_auth) authentication in FreeRADIUS. Fix that.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
update: not working again. 4 or 5 requests were working, now it is the same problem again. stopping at the access-challenge.. -euro On Thu, Apr 8, 2010 at 8:36 AM, mr typo <euroregistrar@gmail.com> wrote:
so mschap is working again, but now radius stops processing at sending the access-challenge to the accesspoint. it should not be a certificate problem, since the error is happening with all devices (win, mac, mobiles,..). proxy requests to another radius are working fine.
andy ideas?
i am running on freeradius self compiled under centos5
update: after a reboot it is working again... any ideas what could have caused the problem? reboot is not a solution if it happens again.
-euro
[mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server eduroam-inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010b00331a030a002e533d46313235324136433543373437413137363637363739333345314443413030444330393842343436 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x34d7bc0635dca66007f66a576398301e [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010b00331a030a002e533d46313235324136433543373437413137363637363739333345314443413030444330393842343436 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x34d7bc0635dca66007f66a576398301e [peap] Got tunneled Access-Challenge ++[eap] returns handled } # server eduroam Sending Access-Challenge of id 74 to 10.80.10.150 port 1645 EAP-Message = 0x010b005b190017030100505394731e4048fe963007422bc8845a6901f4d04aa5c7f8e3c1bfc8b90a673a8bcde0455548fdfa1613eccb28d130d26caee4ca2fa7780f7f1f6df04625ee7ba950b11c3e610052763cc6cadcf803d7c9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x193fdf6a1034c6d4fb779767b11c2fbf Finished request 9. Going to the next request Waking up in 1.0 seconds. Cleaning up request 0 ID 65 with timestamp +7
On Wed, Apr 7, 2010 at 9:31 AM, mr typo <euroregistrar@gmail.com> wrote:
hello,
i have added the with_nt_domain_hack in the mschapv2 section of eap.conf
mschapv2 { with_ntdomain_hack = yes }
with this change i am getting the following in debug log: [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for asartori@fh-salzburg.ac.at with NT-Password [mschap] expand: --username=%{Stripped-User-Name} -> --username=asartori [mschap] mschap2: f9 [mschap] expand: --challenge=%{mschap:Challenge} -> --challenge=f06598f7d3c7a32d [mschap] expand: --nt-response=%{mschap:NT-Response} -> --nt-response=eee56e2489411d6d778ab1a40cee629b6abce82769c1c1d1 Exec-Program output: NT_KEY: 3395EA4C15F1E2CE98AB55D36DE5DFBB Exec-Program-Wait: plaintext: NT_KEY: 3395EA4C15F1E2CE98AB55D36DE5DFBB Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled
but i never receive a access-accept. from my understanding it should work?
the complete debug log is at: https://overlord.fh-salzburg.ac.at/~asartori/debug.txt
i hope someone can help!
kind regards
-euro
On Tue, Apr 6, 2010 at 8:02 PM, mr typo <euroregistrar@gmail.com> wrote:
ill try that. it is just strange that it worked until now..
in the module mschap i am doing a ntlm_auth request. that is how the authenticate sections looks like now.
authenticate { Auth-Type MS-CHAP { mschap } eap }
so i configure ntlm_auth from the modules and put the directive ntlm_auth just before "Auth-Type MS-CHAP"?
ill try that tomorrow, right now i have no chance to test it out.
regards
-euro
On Tue, Apr 6, 2010 at 5:20 PM, Alan DeKok <aland@deployingradius.com>wrote:
mr typo wrote:
[mschap] Told to do MS-CHAPv2 for asartori@fh-salzburg.ac.at <mailto:asartori@fh-salzburg.ac.at> with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
You forced MS-CHAP (i.e. non-ntlm_auth) authentication in FreeRADIUS. Fix that.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mr typo wrote:
update: not working again. 4 or 5 requests were working, now it is the same problem again.
stopping at the access-challenge..
Blame the Windows PC. It doesn't like the certificates. Remember: RADIUS is a protocol that RESPONDS to REQUESTS. If there are no requests, the server does nothing. Don't blame the server when it does nothing. The client isn't sending requests, so there is nothing for the server to do. Alan DeKok.
humm, even when its not working with a mac or other devices? On Thu, Apr 8, 2010 at 8:49 AM, Alan DeKok <aland@deployingradius.com>wrote:
mr typo wrote:
update: not working again. 4 or 5 requests were working, now it is the same problem again.
stopping at the access-challenge..
Blame the Windows PC. It doesn't like the certificates.
Remember: RADIUS is a protocol that RESPONDS to REQUESTS. If there are no requests, the server does nothing.
Don't blame the server when it does nothing. The client isn't sending requests, so there is nothing for the server to do.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mr typo wrote:
humm, even when its not working with a mac or other devices?
As I said... the client sends requests. If it doesn't, the client is choosing to stop. Work through my EAP deployment howto: http://deployingradius.com. Then the Active Directory Howto. At some point, it will stop working. That's the thing that needs fixing. Alan DeKok.
hello, we did install a new freeradius server and default configuration. then we did your tutorial step by step. no more lines, nothing left out. it works up to "configuring freeradius to use ntml_auth for ms-chap" password is double checked, everything else should be find. wbinfo works, ntlm_auth works, plain_ntlm works, certificates creates with makefile (so with xpextensions). it is really strange.. -euro rad_recv: Access-Request packet from host 10.80.10.150 port 1645, id=205, length=137 User-Name = "asartori" Framed-MTU = 1400 Called-Station-Id = "0021.d792.3040" Calling-Station-Id = "0023.121b.f71b" Service-Type = Login-User Message-Authenticator = 0xdde7d44ba64198a77fe4911087b2a442 EAP-Message = 0x0202000d0161736172746f7269 NAS-Port-Type = Wireless-802.11 NAS-Port = 1461 NAS-Port-Id = "1461" NAS-IP-Address = 10.80.10.150 NAS-Identifier = "AP50" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "asartori", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 205 to 10.80.10.150 port 1645 EAP-Message = 0x01030016041020f6c8632f50cb7bc445d921e8c7e355 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86dda94b86dead6cb4af2a8bdb01132e Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.80.10.150 port 1645, id=206, length=148 User-Name = "asartori" Framed-MTU = 1400 Called-Station-Id = "0021.d792.3040" Calling-Station-Id = "0023.121b.f71b" Service-Type = Login-User Message-Authenticator = 0x6145259b02547df93d0552b7414f0fb5 EAP-Message = 0x020300060319 NAS-Port-Type = Wireless-802.11 NAS-Port = 1461 NAS-Port-Id = "1461" State = 0x86dda94b86dead6cb4af2a8bdb01132e NAS-IP-Address = 10.80.10.150 NAS-Identifier = "AP50" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "asartori", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 206 to 10.80.10.150 port 1645 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86dda94b87d9b06cb4af2a8bdb01132e Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.80.10.150 port 1645, id=207, length=306 User-Name = "asartori" Framed-MTU = 1400 Called-Station-Id = "0021.d792.3040" Calling-Station-Id = "0023.121b.f71b" Service-Type = Login-User Message-Authenticator = 0x6373d1c83ed630d072424e4571b5c427 EAP-Message = 0x020400a419800000009a16030100950100009103014bbdd4e87af6f0d31b28590f069d4838a0fd4a7b44519d4b20b553e8b0a38540000056c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a00170019000101000012000a00080006001700180019000b00020100 NAS-Port-Type = Wireless-802.11 NAS-Port = 1461 NAS-Port-Id = "1461" State = 0x86dda94b87d9b06cb4af2a8bdb01132e NAS-IP-Address = 10.80.10.150 NAS-Identifier = "AP50" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "asartori", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 164 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 154 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0095], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 07d3], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 207 to 10.80.10.150 port 1645 EAP-Message = 0x0105040019c000000810160301002a0200002603014bbdd55952cf35d69ba60e1ebfa404231554215dd7630613d874ef2de8b12a5800002f0016030107d30b0007cf0007cc000368308203643082024ca003020102020101300d06092a864886f70d0101040500307b310b30090603550406130241543111300f0603550408130853616c7a62757267310d300b0603550407130450756368310c300a060355040a1303464853311c301a06092a864886f70d010901160d61646d696e406668732e636f6d311e301c06035504031315464853204578616d706c6520417574686f72697479301e170d3130303430383131353035385a170d313130343038 EAP-Message = 0x3131353035385a3057310b30090603550406130241543111300f0603550408130853616c7a62757267310c300a060355040a1303464853312730250603550403131e726164697573612e636f72652e66682d73616c7a627572672e61632e617430820122300d06092a864886f70d01010105000382010f003082010a0282010100c39b6c9e63a914640d8d8a7c1541bd93830de1c9e2cfe9884561c881bf9e24fe0c7a527b9e1b506cf5b3e7d91096f19262938134ec231685c0621f5cbc1c2b89cf0613672e5ae4512824541bb1e25a3e5f312e401c6d55f2f71a7ae6aedd0a2b61322c313ec13c142df0226a2f0f33186a2a79d8a0f4080f75002059 EAP-Message = 0x167cac17436aea8917fea74bf6f3d13e6f1b418bef900a14e412c1be0bf81b73a057b55cc9a8e0716e260a5eb233aae763dd2f8dcffdf00efec148cc3b8a031c91c0afe9e6cbdd4ae309666a8422bf65865f4f25a48cf4a2e6522bc562addf30df7ba7fd91acbac6895d4fcd749165e4c14d401be8f590c88eadf1282576e7d4137a36ed0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101008e95b04b25e446f50b2f051d095242b369ad2a25f21f8a4cca4debec31e3b73adace1f6bee620a4e639392171b73aed8b26df169fe4ab62c52069e4ab6124d5dc9aafaaf6e68ec EAP-Message = 0xbbc076ca92538a95cdbf0661a29c02b103f9bfecbed8eaaaf3a1b6c49b31ef111e3abaa6ebe7a283186f3c3d0e9f07ff3c1cc91eb36547d4cd51bf18b37ca033859df3543283a91e9323b5845c254d600c923ae22fcfbd0c7f90e76d5b3904d84c4cd2c4398f9f430deeabe3e3b7118533e78da3c3512da2caadacdddccd09e2bd939ba7ba591fe9dd2aa43e3a9ce93720e627d5acf6c6bd0f4df106b3356e18ae0be95a63c0c7051f7e296edb76ec57bec3b9b7a47442dee500045e3082045a30820342a003020102020900a85c3b04575e9007300d06092a864886f70d0101050500307b310b30090603550406130241543111300f06035504081308 EAP-Message = 0x53616c7a62757267310d300b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86dda94b84d8b06cb4af2a8bdb01132e Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.80.10.150 port 1645, id=208, length=148 User-Name = "asartori" Framed-MTU = 1400 Called-Station-Id = "0021.d792.3040" Calling-Station-Id = "0023.121b.f71b" Service-Type = Login-User Message-Authenticator = 0x67049f9481a63497a1ad63f7dc535106 EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 1461 NAS-Port-Id = "1461" State = 0x86dda94b84d8b06cb4af2a8bdb01132e NAS-IP-Address = 10.80.10.150 NAS-Identifier = "AP50" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "asartori", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 208 to 10.80.10.150 port 1645 EAP-Message = 0x010603fc19400603550407130450756368310c300a060355040a1303464853311c301a06092a864886f70d010901160d61646d696e406668732e636f6d311e301c06035504031315464853204578616d706c6520417574686f72697479301e170d3130303430383131353035385a170d3131303430383131353035385a307b310b30090603550406130241543111300f0603550408130853616c7a62757267310d300b0603550407130450756368310c300a060355040a1303464853311c301a06092a864886f70d010901160d61646d696e406668732e636f6d311e301c06035504031315464853204578616d706c6520417574686f72697479308201 EAP-Message = 0x22300d06092a864886f70d01010105000382010f003082010a0282010100b38f72d456714063ebf429ab9d7d7611b055d1c8fd97baf555ae442f724484771f7603e32bb1a589ceded13e81867c1a582def69bc191e01d70b6cf21f20f3cdc0a0f706193c6a4beec6a1296192d033f22f7f44ae711f13e523b3fb2ade9459821d25409aed45f4bf058ed465622ac5e7634aaa4522bd388595787df04e04571591124fc8ab145bee8d84c08ca017ae0ee6b1785dbf04dcc257edb447817ef8f6b4a30a7565aa6e909b0baa8a5f1c07d8ef1adc4530a798b46f049ad3f00dea37559fa9cf6a5cd61912f18c8385b50215e38345f6f8b9fb7472d929ffe0d6 EAP-Message = 0x345de234cdf7d8130238a9cfeb0bf2b707297924715caa2b5649f9e26784d61dab0203010001a381e03081dd301d0603551d0e041604145908a6f5bb25e0bbd145dff7b843faebe6cc320c3081ad0603551d230481a53081a280145908a6f5bb25e0bbd145dff7b843faebe6cc320ca17fa47d307b310b30090603550406130241543111300f0603550408130853616c7a62757267310d300b0603550407130450756368310c300a060355040a1303464853311c301a06092a864886f70d010901160d61646d696e406668732e636f6d311e301c06035504031315464853204578616d706c6520417574686f72697479820900a85c3b04575e9007300c EAP-Message = 0x0603551d13040530030101ff300d06092a864886f70d010105050003820101001ac5ce19a6d2ffac80d6d2f4128e9f10d4ba702680306bf4e4e7e3c7e45840e13cbd09e025bad22c7a0c74b03fdacdfcf81c61047acfa10d6338471f5a511a9f8ff316ea110719c709a8a95b63587d72648ba47072101a7a49b9ea3cd4b47f073739a0bbac5f520c309fba8bcd0db79a54f57ad6a3ad38e3112443c9a9fd1293a990a745dec88ef20c509aa6631e09aa0596cecb0d72088a44b8d0e89a7c730a0f165497b61ceb98285b9aad131d86bb73bc2514b387d4dad5a281dab3caa22d2d99b9722babc49058f91a438c4e82b3796c03c7b685b81587893675ff EAP-Message = 0x5c06f7a83b954177 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86dda94b85dbb06cb4af2a8bdb01132e Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.80.10.150 port 1645, id=209, length=148 User-Name = "asartori" Framed-MTU = 1400 Called-Station-Id = "0021.d792.3040" Calling-Station-Id = "0023.121b.f71b" Service-Type = Login-User Message-Authenticator = 0xfa6f8dca0f9adcba437686053c92c7df EAP-Message = 0x020600061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 1461 NAS-Port-Id = "1461" State = 0x86dda94b85dbb06cb4af2a8bdb01132e NAS-IP-Address = 10.80.10.150 NAS-Identifier = "AP50" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "asartori", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 209 to 10.80.10.150 port 1645 EAP-Message = 0x0107002a1900f4905796e9fc4532e77ad4389d9a690206e471189f26d41b82512116030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86dda94b82dab06cb4af2a8bdb01132e Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.80.10.150 port 1645, id=210, length=480 User-Name = "asartori" Framed-MTU = 1400 Called-Station-Id = "0021.d792.3040" Calling-Station-Id = "0023.121b.f71b" Service-Type = Login-User Message-Authenticator = 0x0f678c6346e200b30e4eb192c234cfa5 EAP-Message = 0x020701501980000001461603010106100001020100b50408ec4644c60fcd4ef40d2ecbab1baeb98f024f5533545bf9f838d30a9231704176dc37a4e202c2666ae66f50a841f8217ddc0f3dd611c4c4e0f266f0e864fccf3072d065341e9b1ef0ddb0e740b02bcc76a3a699d30b3fc2d57b50251a8888604437ab94f5a2f3339166a59dfa02e2f01db8c93c22ca7b977cf04887f9a77f1d9832fb991888224344c77ccd82cc6ee36f853f8b3ecc659914bf2e7d5d70d001d623ff302826540564ab3e8a047b84d0820d178adacea88b5514b26caca2d0a0c5ef4ef1d37ca9e57bd38308bafa8d898d123fd297ea2682161d5d0d8f5a1225e101347b37ad EAP-Message = 0x169980a7d425eff0390e9aca9a190e112a8cc25f449cb802140301000101160301003085391c105bd0ffcc46770ade2bd77ce23d8a064dad7423b83c7925ccd0cf9b1537c383c4d5551c2582ff37e3e304ba01 NAS-Port-Type = Wireless-802.11 NAS-Port = 1461 NAS-Port-Id = "1461" State = 0x86dda94b82dab06cb4af2a8bdb01132e NAS-IP-Address = 10.80.10.150 NAS-Identifier = "AP50" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "asartori", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 210 to 10.80.10.150 port 1645 EAP-Message = 0x01080041190014030100010116030100303ab52cb7421fe368739c6fb0ebcedfbe1829be5c8f2f519f42c5414eac35d4b2dcb900321e194dfd1cad32a515ab5645 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86dda94b83d5b06cb4af2a8bdb01132e Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.80.10.150 port 1645, id=211, length=148 User-Name = "asartori" Framed-MTU = 1400 Called-Station-Id = "0021.d792.3040" Calling-Station-Id = "0023.121b.f71b" Service-Type = Login-User Message-Authenticator = 0x6f2d93f260692f000e61dd774cebe08b EAP-Message = 0x020800061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 1461 NAS-Port-Id = "1461" State = 0x86dda94b83d5b06cb4af2a8bdb01132e NAS-IP-Address = 10.80.10.150 NAS-Identifier = "AP50" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "asartori", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 211 to 10.80.10.150 port 1645 EAP-Message = 0x0109002b1900170301002076466e1135c056a6527a2a708b4251813d1f38271fd843d3cde43f6baa6e14e6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86dda94b80d4b06cb4af2a8bdb01132e Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.80.10.150 port 1645, id=212, length=185 User-Name = "asartori" Framed-MTU = 1400 Called-Station-Id = "0021.d792.3040" Calling-Station-Id = "0023.121b.f71b" Service-Type = Login-User Message-Authenticator = 0x59d7bbb9d55c9f5bb299c085bc74c031 EAP-Message = 0x0209002b19001703010020c1c0917073c12dced76254e218501258277be220391dc99ad0d529323ff6121e NAS-Port-Type = Wireless-802.11 NAS-Port = 1461 NAS-Port-Id = "1461" State = 0x86dda94b80d4b06cb4af2a8bdb01132e NAS-IP-Address = 10.80.10.150 NAS-Identifier = "AP50" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "asartori", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - asartori [peap] Got tunneled request EAP-Message = 0x0209000d0161736172746f7269 server { PEAP: Got tunneled identity of asartori PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to asartori Sending tunneled request EAP-Message = 0x0209000d0161736172746f7269 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "asartori" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "asartori", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00221a010a001d100c689ea9809fa0838234c966c821e9bb61736172746f7269 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb24fee6fb245f433fdbba9329dca04b3 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00221a010a001d100c689ea9809fa0838234c966c821e9bb61736172746f7269 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb24fee6fb245f433fdbba9329dca04b3 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 212 to 10.80.10.150 port 1645 EAP-Message = 0x010a004b19001703010040cdc6317e2ff6c9d3c89ab6117470329dd73fa12bf1908cde2bca4d90a9cf3f80fd6ea002994ea13db3b9e77e0c0e6239532f294f142143440694facf692a6628 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86dda94b81d7b06cb4af2a8bdb01132e Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.80.10.150 port 1645, id=213, length=249 User-Name = "asartori" Framed-MTU = 1400 Called-Station-Id = "0021.d792.3040" Calling-Station-Id = "0023.121b.f71b" Service-Type = Login-User Message-Authenticator = 0x8711a7593adce970637511cdfb6fdf93 EAP-Message = 0x020a006b19001703010060e26d5b3e614ba6d3033b4c830626fa0fe19c112648fa68b6fe5e0be1377918efb7640489515fa9285dffc3f9acd9d58fdf4f214a94e4d0f80797bf953a8f7533978bc6f4dc86271728a72369d5e478dae6c06a37893a8db46d8a8af29af965b5 NAS-Port-Type = Wireless-802.11 NAS-Port = 1461 NAS-Port-Id = "1461" State = 0x86dda94b81d7b06cb4af2a8bdb01132e NAS-IP-Address = 10.80.10.150 NAS-Identifier = "AP50" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "asartori", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020a00431a020a003e317cfba43e0f5c2bbaa5f9ea2f7ecab36300000000000000009e634fd362803e8b674b270cea334172de0831f9ae2e13a70061736172746f7269 server { PEAP: Setting User-Name to asartori Sending tunneled request EAP-Message = 0x020a00431a020a003e317cfba43e0f5c2bbaa5f9ea2f7ecab36300000000000000009e634fd362803e8b674b270cea334172de0831f9ae2e13a70061736172746f7269 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "asartori" State = 0xb24fee6fb245f433fdbba9329dca04b3 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "asartori", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 10 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for asartori with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=asartori [mschap] No NT-Domain was found in the User-Name. [mschap] expand: %{mschap:NT-Domain} -> [mschap] ... expanding second conditional [mschap] expand: --domain=%{%{mschap:NT-Domain}:-FHS} -> --domain=FHS [mschap] mschap2: 0c [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=1c7d952acd9082a2 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=9e634fd362803e8b674b270cea334172de0831f9ae2e13a7 Exec-Program output: NT_KEY: 34B23A4A9A7D33D7F95F179B116492ED Exec-Program-Wait: plaintext: NT_KEY: 34B23A4A9A7D33D7F95F179B116492ED Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010b00331a030a002e533d31414445413043344632373745353141393134464234323839304246394246454430393642333543 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb24fee6fb344f433fdbba9329dca04b3 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010b00331a030a002e533d31414445413043344632373745353141393134464234323839304246394246454430393642333543 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb24fee6fb344f433fdbba9329dca04b3 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 213 to 10.80.10.150 port 1645 EAP-Message = 0x010b005b190017030100500bbb95462d8c42ed4affecd3c7a13a31f6a78c2061c64accf1f54660b9cadfb560b141370ba12cca3b97c261c41559d43c77d5fc9bbe09b2e21c171638666eafafbe82f51e4783bf2b13fec525aea889 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86dda94b8ed6b06cb4af2a8bdb01132e Finished request 8. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 205 with timestamp +13 Cleaning up request 1 ID 206 with timestamp +13 Cleaning up request 2 ID 207 with timestamp +13 Cleaning up request 3 ID 208 with timestamp +14 Cleaning up request 4 ID 209 with timestamp +14 Cleaning up request 5 ID 210 with timestamp +14 Cleaning up request 6 ID 211 with timestamp +14 Cleaning up request 7 ID 212 with timestamp +14 Cleaning up request 8 ID 213 with timestamp +14 Ready to process requests. [root@radiusa raddb]# On Thu, Apr 8, 2010 at 9:45 AM, Alan DeKok <aland@deployingradius.com>wrote:
mr typo wrote:
humm, even when its not working with a mac or other devices?
As I said... the client sends requests. If it doesn't, the client is choosing to stop.
Work through my EAP deployment howto: http://deployingradius.com. Then the Active Directory Howto. At some point, it will stop working. That's the thing that needs fixing.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mr typo wrote:
it works up to "configuring freeradius to use ntml_auth for ms-chap"
password is double checked, everything else should be find. wbinfo works, ntlm_auth works, plain_ntlm works, certificates creates with makefile (so with xpextensions).
it is really strange..
OK. It's a Samba problem. Change the version of Samba to something that works. There's a Samba bug about this, but I can't find it right now. I think the most recent Samba might be better. Alan DeKok.
there was a bug with NT_STATUS_PIPE_DISCONNECTED from last year in the samba. i think i have tried 2 or 3 stable versions right now. ill gonna compile the latest from svn tree and report back after a view tests. -euro On Thu, Apr 8, 2010 at 4:03 PM, Alan DeKok <aland@deployingradius.com>wrote:
mr typo wrote:
it works up to "configuring freeradius to use ntml_auth for ms-chap"
password is double checked, everything else should be find. wbinfo works, ntlm_auth works, plain_ntlm works, certificates creates with makefile (so with xpextensions).
it is really strange..
OK. It's a Samba problem. Change the version of Samba to something that works. There's a Samba bug about this, but I can't find it right now.
I think the most recent Samba might be better.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
mr typo