Hello all, I want to test new features of freeradius 3.0.0 from tarball, but I don't be able run successfull PEAP - MS-CHAPv2 authentization. Testing environment: freeradius 3.0.0 local user in users file (cleartext password: ferda Cleartext-Password := "hello") testing certificates generated by bootstrap Result in debug log: (12) eap_peap : Tunneled authentication was successful. (12) eap_peap : SUCCESS (12) eap : New EAP session, adding 'State' attribute to reply 0xbb50c041b359d9c3 (12) [eap] = handled (12) } # authenticate = handled ... 13) # Executing group from file /etc/freeradius/sites-enabled/default (13) authenticate { (13) eap : Expiring EAP session with state 0xbb50c041b359d9c3 (13) eap : Finished EAP session with state 0xbb50c041b359d9c3 (13) eap : Previous EAP request found for state 0xbb50c041b359d9c3, released from the list (13) eap : Peer sent PEAP (25) (13) eap : EAP PEAP (25) (13) eap : Calling eap_peap to process EAP data (13) eap_peap : processing EAP-TLS (13) eap_peap : eaptls_verify returned 7 (13) eap_peap : Done initial handshake (13) eap_peap : eaptls_process returned 7 (13) eap_peap : FR_TLS_OK (13) eap_peap : Session established. Decoding tunneled attributes. (13) eap_peap : Peap state send tlv success (13) eap_peap : EAP type NAK (3) (13) eap_peap : We sent a success, but received something weird in return. SSL: Removing session 370322346fc943fdb1aad36f4480d755e0cbe3cea31c375242d599bc8f16ad4e from the cache (13) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed (13) eap : Failed in EAP select (13) [eap] = invalid (13) } # authenticate = invalid (13) Failed to authenticate the user. radtest results: # test of inner-tunnel root@ferda:/etc/freeradius# radtest ferda hello localhost:18120 0 testing123 Sending Access-Request of id 124 from 0.0.0.0 port 51463 to 127.0.0.1 port 18120 User-Name = 'ferda' User-Password = 'hello' NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Message-Authenticator = 0x00 rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=124, length=20 root@ferda:/etc/freeradius# radtest -t mschap ferda hello localhost:18120 0 testing123 Sending Access-Request of id 207 from 0.0.0.0 port 56629 to 127.0.0.1 port 18120 User-Name = 'ferda' NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Message-Authenticator = 0x00 MS-CHAP-Challenge = 0xcf018e925195d3d9 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000c1dbccbde8a3f351c6abf211ec362574a0791cbeb4d5e93a rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=207, length=84 MS-CHAP-MPPE-Keys = 0xfda95fbeca288d44ac0782e2de2337dee40e54ee732c1af5 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed # test on default port root@ferda:/etc/freeradius# radtest ferda hello localhost 0 testing123 Sending Access-Request of id 34 from 0.0.0.0 port 58221 to 127.0.0.1 port 1812 User-Name = 'ferda' User-Password = 'hello' NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Message-Authenticator = 0x00 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=34, length=20 root@ferda:/etc/freeradius# radtest -t mschap ferda hello localhost 0 testing123 Sending Access-Request of id 58 from 0.0.0.0 port 50981 to 127.0.0.1 port 1812 User-Name = 'ferda' NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Message-Authenticator = 0x00 MS-CHAP-Challenge = 0x3391672449586edb MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000cd40eb3770183e9a6ee3cc67da194680f1abb095c7561f41 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=58, length=84 MS-CHAP-MPPE-Keys = 0xfda95fbeca288d44ac0782e2de2337dee40e54ee732c1af5 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed I don't know where is problem. Thanks for tips and advises. Best regards Pavel Polacek
On 11/08/2013 08:13 AM, Polish wrote:
(13) eap_peap : Peap state send tlv success (13) eap_peap : EAP type NAK (3) (13) eap_peap : We sent a success, but received something weird in return.
Simple enough. The client sent something weird. What is the client?
radtest results:
These are basically useless for this problem. Download the wpa_supplicant sources and compile eapol_test, and use that.
Hello Phil, I'm using eapol_test. For production server 2.2.0 returns Access-Accept for testing 3.0.0 returns Access-Reject. Pavel Polacek On Fri, 8 Nov 2013, Phil Mayers wrote:
Simple enough. The client sent something weird.
What is the client?
radtest results:
These are basically useless for this problem. Download the wpa_supplicant sources and compile eapol_test, and use that.
Full FR debug output and a copy of your eapol_test configuration file. I assume you have configured 3.0 from scratch and not just copied v2 files into place at all? alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Hello Alan, ./eapol_test -c/tmp/rad_eap_test.TWKPsz/tmp-2725 -a192.168.13.17 -p1812 -sheslo -t10 -M70:6f:6c:69:73:68 -Crad_eap_test FR config is default, added proxy realm, added local user, changed default_eap_type = peap in eap module (without any effect), that's all i mean. Pavel Polacek On Fri, 8 Nov 2013, Alan Buxey wrote:
Full FR debug output and a copy of your eapol_test configuration file. I assume you have configured 3.0 from scratch and not just copied v2 files into place at all?
On 08/11/13 09:56, Polish wrote:
FR config is default, added proxy realm, added local user, changed default_eap_type = peap in eap module (without any effect), that's all i mean.
That's just odd. eapol_test is sending *more* PEAP data after the tunnel success. The message from FreeRADIUS about NAK looks like a cosmetic bug, but there should be *no* data after the tunnel success. Can you send the output of eapol_test when it fails?
hi, many thanks for providing the details. okay, so with default config....edited the users file to have same details as your test.... eapol_test works: eapol_sm_cb: success=1 EAPOL: Successfully fetched key (len=32) PMK from EAPOL - hexdump(len=32): be 17 16 e3 45 54 dc cc 39 8f cc 94 60 ca 00 c1 92 97 ab e5 6c 2b af 6f 72 ba 9d e7 cc 14 e1 5b EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit ENGINE: engine deinit MPPE keys OK: 1 mismatch: 0 SUCCESS and the final output of FR shows: Sending Access-Accept of id 9 from 127.0.0.1 port 1812 to 127.0.0.1 port 36275 MS-MPPE-Recv-Key = 0xbe1716e34554dccc398fcc9460ca00c19297abe56c2baf6f72ba9de7cc14e15b MS-MPPE-Send-Key = 0x2c65a1bbb0eac18efd38086d80ab12987bb7a73c396c5fd5a3caae0f64f4fbed EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 (9) Finished request 9. Waking up in 4.4 seconds. (0) Cleaning up request packet ID 0 with timestamp +1 (1) Cleaning up request packet ID 1 with timestamp +1 (2) Cleaning up request packet ID 2 with timestamp +1 (3) Cleaning up request packet ID 3 with timestamp +1 (4) Cleaning up request packet ID 4 with timestamp +1 (5) Cleaning up request packet ID 5 with timestamp +1 (6) Cleaning up request packet ID 6 with timestamp +1 (7) Cleaning up request packet ID 7 with timestamp +1 (8) Cleaning up request packet ID 8 with timestamp +1 (9) Cleaning up request packet ID 9 with timestamp +1 Ready to process requests so...what version of eapol_test are you using? alan
Hi Alan, you are right. My version of eapol_test is from December 2010. It works well until now (with Freeradius 2.2.0). With latest stable version of eapol_test is everything ok. on radius: Sending Access-Accept eapol_test result: MPPE keys OK: 1 mismatch: 0 SUCCESS Thank all very much. Now I can test integrated radsec. Best regards Pavel Polacek On Fri, 8 Nov 2013, A.L.M.Buxey@lboro.ac.uk wrote:
so...what version of eapol_test are you using?
alan -
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Phil Mayers -
Polish