Hello everyone, I know that it is something I have forgot to configure but I cant for my life remember what it is. What I want to do is to authenticate a user from a windows machine using PEAP. The error I get in the output is: rad_recv: Access-Request packet from host 192.168.118.10 port 35923, id=92, length=230 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "Jens" State = 0x99a8723d9faf6be067d44ee908d21fb0 NAS-Port-Id = "wlan2" Calling-Station-Id = "00-26-BB-14-50-CF" Called-Station-Id = "02-0B-6B-33-62-35:3" EAP-Message = 0x0207005b19001703010050ff6dcfaa2e20081def82599ed160a801cb8b3e047fe0408eca8f0ed5bf985a4594dbf7056245f7ff06e823be7ba31220fb494d61db652b3f05bf75b3767bbfcce4d3c8e706312e385afb35dd2fe6f8f9 Message-Authenticator = 0x0ba6d2c1daab0232a5b4bd95fac8dc78 NAS-Identifier = "MikroTik" NAS-IP-Address = 192.168.118.10 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "Jens", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0207003f1a0207003a31f7f5bfb93119478c28430861f7428ecc000000000000000006883db97ed65677dadd8058359801947d67a7f575431297004a656e73 server { PEAP: Setting User-Name to Jens Sending tunneled request EAP-Message = 0x0207003f1a0207003a31f7f5bfb93119478c28430861f7428ecc000000000000000006883db97ed65677dadd8058359801947d67a7f575431297004a656e73 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "Jens" State = 0xdb1b00f8db1c1ab8275dfb2a6c0e04ae Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Id = "wlan2" Calling-Station-Id = "00-26-BB-14-50-CF" Called-Station-Id = "02-0B-6B-33-62-35:3" NAS-Identifier = "MikroTik" NAS-IP-Address = 192.168.118.10 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "Jens", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for Jens with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 92 to 192.168.118.10 port 35923 EAP-Message = 0x0108002b19001703010020e9867cd0d691777dff28957e278ff9ee7618f8d26722621a3472801821e637a5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x99a8723d9ea06be067d44ee908d21fb0 Finished request 197. Things I´ve have configured in raddb and in raddb/modules is: 1. Added a user called Jens with Cleartext-Password := "kaffe" 2. Added two NAS in clients.conf 3. set "default_eap_type = peap", "copy_request_to_tunnel = yes" and under the peap section also "default_eap_type = mschapv2" in eap.conf 4. set & uncommented "use_mppe = yes" and set "require_encryption" = yes, "require_strong = yes" in mschap in the directory modules. is there anything else I need to do that I have forgot so I can use peap? Best regards/ Peter Carlstedt _________________________________________________________________ Windows Live Hotmail: Your friends can get your Facebook updates, right from Hotmail®. http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/soc...
hi, the request gets sent to inner-tunnel (as per standard EAP configuration) but then inner-tunnel cant authenticate the user - ie no authentication method in which your user 'Jens' can be found. check that the requires method is in inner-tunnel alan
Hello everyone, I know that it is something I have forgot to configure but I cant for my life remember what it is. What I want to do is to authenticate a user from a windows machine using PEAP.
Things I´ve have configured in raddb and in raddb/modules is:
1. Added a user called Jens with Cleartext-Password := "kaffe"
No, you haven't:
++[files] returns noop
There is no entry for that user in users file. At least not the one server is using. If you have multiple installations make sure that you are configuring fioles belonging to the instance you are running. Have a look at the debug of the server startup - it will tell you where users file is (when files module is instantiated). Ivan Kalik
participants (3)
-
Alan Buxey -
Peter Carlstedt -
tnt@kalik.net