Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
Hello, I'm trying to get Freeradius 2.1.7 working on Redhat. I had previously gotten PEAP working with ntlm_auth using the walk-through on deployingradius.com on a Debian machine. However, it was version 2.0.7 so things have changed quite a bit in the config files. In the new walkthrough I noticed that the ntlm_auth definition is supposed to be its own module, even though there is still the commented out example inside the mschap module. The new walkthrough does not mention modifying the mschap module at all so I wonder which place I should have the config. I tried with it just in mschap, just in its own module, and both. So far I have not be successful in enabling the AD feature on my server. I tested ntlm_auth directly and it works perfectly. Samba and everything else is all good, I got TTLS and the users files authenticating well as well (so my cert is good and TLS is good). So it appears as if I'm missing something in my Freeradius configs that specifically has to do with PEAP/MSCHAP/AD. Thanks, -Nathan
Hi,
I tested ntlm_auth directly and it works perfectly. Samba and everything else is all good, I got TTLS and the users files authenticating well as well (so my cert is good and TLS is good). So it appears as if I’m missing something in my Freeradius configs that specifically has to do with PEAP/MSCHAP/AD.
radiusd -X ? alan
I attached the logs for freeradius -X
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Tuesday, April 13, 2010 1:55 PM To: FreeRadius users mailing list Subject: Re: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
Hi,
I tested ntlm_auth directly and it works perfectly. Samba and everything else is all good, I got TTLS and the users files authenticating well as well (so my cert is good and TLS is good). So it appears as if I’m missing something in my Freeradius configs that specifically has to do with PEAP/MSCHAP/AD.
radiusd -X ?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sorry Guys, Here is some sanitized output of the debug. It is what I believe is two attempts, LEAP and PEAP. Regards, Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Garber, Neal Sent: Tuesday, April 13, 2010 5:55 PM To: 'FreeRadius users mailing list' Subject: RE: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
I attached the logs for freeradius -X
The logs you attached just show the startup output, not an actual request that was rejected.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nathan Van Fleet Telecommunications Analyst Network Assessment and Integration IITS Concordia University (514) 848-2424 Extension:5434
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Nathan McDavit-Van Fleet Sent: Wednesday, April 14, 2010 9:44 AM To: 'FreeRadius users mailing list' Subject: RE: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
Sorry Guys,
Here is some sanitized output of the debug. It is what I believe is two attempts, LEAP and PEAP.
Regards,
Nathan Van Fleet
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Garber, Neal Sent: Tuesday, April 13, 2010 5:55 PM To: 'FreeRadius users mailing list' Subject: RE: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
I attached the logs for freeradius -X
The logs you attached just show the startup output, not an actual request that was rejected.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, the error is seen with near bottom [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for username with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect have you got ...i dunno... 'auto_header = yes' in your pap module? alan
Hi, I did in fact have that enabled. Should I have it disabled or enabled?
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Wednesday, April 14, 2010 3:00 PM To: FreeRadius users mailing list Subject: Re: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
hi,
the error is seen with near bottom
[mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for username with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect
have you got ...i dunno... 'auto_header = yes' in your pap module?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here is the log for it without auto header. Regards, -Nathan ++- elsif (outer.NAS-IP-Address == 132.205.198.43) returns ok ... ++skipping elsif for request 30: Preceding "if" was taken ... skipping ++elsif for request 30: Preceding "if" was taken [expiration] returns ++noop [logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for nmcdavit with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [nmcdavit] (from client wireless-lwapp-bench-wlc port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 55 to 132.205.198.43 port 32770 EAP-Message = 0x010a002b190017030100207df23a230dcaee583fabd44fedb5cc15e276675fa5d9a5ad2720 eb869a812361 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1e032ffe160936d2d9627494ce41a8f0 Finished request 30. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 132.205.198.43 port 32770, id=56, length=233 User-Name = "nmcdavit" Calling-Station-Id = "00-26-08-E8-67-42" Called-Station-Id = "00-24-97-F2-89-40:ConcordiaPEAP" NAS-Port = 5 NAS-IP-Address = 132.205.198.43 NAS-Identifier = "bench-wlc" Airespace-Wlan-Id = 10 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "268" EAP-Message = 0x020a002b19001703010020ebc4657c1bed6e0a992ffc4f1dd2ca5ede4739fd6dd2d73825bb 6feb5cdd96ab State = 0x1e032ffe160936d2d9627494ce41a8f0 Message-Authenticator = 0xf0b7d88f63be8bdd1b466c976efdf519 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "nmcdavit", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [nmcdavit] (from client wireless-lwapp-bench-wlc port 5 cli 00-26-08-E8-67-42) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> nmcdavit attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Nathan McDavit-Van Fleet Sent: Wednesday, April 14, 2010 4:16 PM To: 'FreeRadius users mailing list' Subject: RE: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
Hi, I did in fact have that enabled.
Should I have it disabled or enabled?
-----Original Message----- From: freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia.ca@lists.freeradius.org] On Behalf Of Alan Buxey Sent: Wednesday, April 14, 2010 3:00 PM To: FreeRadius users mailing list Subject: Re: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
hi,
the error is seen with near bottom
[mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM- Password. [mschap] No Cleartext-Password configured. Cannot create NT- Password. [mschap] Told to do MS-CHAPv2 for username with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect
have you got ...i dunno... 'auto_header = yes' in your pap module?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Here is the log for it without auto header.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!
map Cleartext-Password to the attribute in LDAP - been following a FR 1.x guide? alan
participants (3)
-
Alan Buxey -
Garber, Neal -
Nathan McDavit-Van Fleet