MSCHAP module returns OK, authentication fails..
(Hopefully I haven't double posted) Hi, Perhaps someone can help, I'm trying to setup FreeRADIUS as a cheaper/more flexible alternative to buying a Win2k3 Enterprise licence to do PEAP/MSCHAP for wireless clients but seem to be having a problem after the MSCHAP module is run. I'm using a MacOS as a test client, which connects to the wireless network, prompts about an invalid certificate chain for the SSL cert (suggesting that TLS is working) and then prompts for credentials. The credentials seem to get to radiusd okay, the identity is referenced in the debug logs and the authentication (via ntlm_auth) seems to work okay aswell, returning 0 and reporting success, however after this point everything seems to stop. The MacOS client reports that authentication has failed at this point. I've got debug logs for afew different configurations (changing odd MSCHAP module options) but haven't included them due to the size limit. Attached is: radius.log -> ntlm_auth with the domain hard configured via the config files. All of my tests produce the same result, with the MSCHAP module returning success and then (seemingly) nothing happening. I've also tested with eapol from wpa_supplicant, which produces the same effect. Any hints as to what I'm missing would be welcomed :) Thanks, James Yale jim@thebiggame.org
James Yale wrote:
Perhaps someone can help, I'm trying to setup FreeRADIUS as a cheaper/more flexible alternative to buying a Win2k3 Enterprise licence to do PEAP/MSCHAP for wireless clients but seem to be having a problem after the MSCHAP module is run.
See http://deployingradius.com for howto's on getting EAP configured in a few simple steps.
I'm using a MacOS as a test client, which connects to the wireless network, prompts about an invalid certificate chain for the SSL cert (suggesting that TLS is working) and then prompts for credentials. The credentials seem to get to radiusd okay, the identity is referenced in the debug logs and the authentication (via ntlm_auth) seems to work okay aswell, returning 0 and reporting success, however after this point everything seems to stop. The MacOS client reports that authentication has failed at this point.
Because it doesn't like the server certificate. Install the server certificate (or CA.der) on the MAC client. It should then work.
All of my tests produce the same result, with the MSCHAP module returning success and then (seemingly) nothing happening. I've also tested with eapol from wpa_supplicant, which produces the same effect.
This is in the FAQ and in the comments in raddb/eap.conf. The simple summary is that the client doesn't like the server, and has chosen to stop talking to it. In this case, it's because the invalid certificate error you're seeing. Alan DeKok.
Hi,
I'm using a MacOS as a test client, which connects to the wireless network, prompts about an invalid certificate chain for the SSL cert
well, unless you've installed the CA etc that you signed the RADIUS server with, this will always be the case. until you trust the cert (by trusting the CA) then you cant EAP alan
Hi, using unlang I'm trying to modify the User-Name from the user, but something isn't working. Could somebody give me a hand? What I'm doing (sample): authorize { if (NAS-IP-Address == 1.2.3.4) { update request { User-Name = test2; } } ...... Freeradius -X is giving the following: .... Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 1.2.3.4 port 13675, id=26, length=61 User-Name = "test1@domain.com" User-Password = "teste" NAS-IP-Address = 1.2.3.4 +- entering group authorize ++? if (NAS-IP-Address == 1.2.3.4) ? Evaluating (NAS-IP-Address == 1.2.3.4) -> TRUE ++? if (NAS-IP-Address == 1.2.3.4) -> TRUE ++- entering if (NAS-IP-Address == 1.2.3.4) +++[request] returns notfound ++- if (NAS-IP-Address == 1.2.3.4) returns notfound ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "domain.com" for User-Name = "test1@domain.com" rlm_realm: Found realm "domain.com" rlm_realm: Adding Stripped-User-Name = "test1" rlm_realm: Adding Realm = "domain.com" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "test" rlm_pap: Using CRYPT encryption. rlm_pap: User authenticated successfully ++[pap] returns ok +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 26 to 1.2.3.4 port 13675 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 26 with timestamp +3 Ready to process requests. I added the following to proxy.conf: realm NULL { } realm domain.com { } The rest of the configuration files I left untouched. -- ----------------------------------------------------- Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy -----------------------------------------------------
User-Name = "test2" Ivan Kalik Kalik Informatika ISP Dana 26/8/2008, "rgreiner" <mrgreiner@gmail.com> piše:
Hi,
using unlang I'm trying to modify the User-Name from the user, but something isn't working. Could somebody give me a hand?
What I'm doing (sample):
authorize { if (NAS-IP-Address == 1.2.3.4) { update request { User-Name = test2; } } ......
Freeradius -X is giving the following: ..... Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 1.2.3.4 port 13675, id=26, length=61 User-Name = "test1@domain.com" User-Password = "teste" NAS-IP-Address = 1.2.3.4 +- entering group authorize ++? if (NAS-IP-Address == 1.2.3.4) ? Evaluating (NAS-IP-Address == 1.2.3.4) -> TRUE ++? if (NAS-IP-Address == 1.2.3.4) -> TRUE ++- entering if (NAS-IP-Address == 1.2.3.4) +++[request] returns notfound ++- if (NAS-IP-Address == 1.2.3.4) returns notfound ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "domain.com" for User-Name = "test1@domain.com" rlm_realm: Found realm "domain.com" rlm_realm: Adding Stripped-User-Name = "test1" rlm_realm: Adding Realm = "domain.com" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "test" rlm_pap: Using CRYPT encryption. rlm_pap: User authenticated successfully ++[pap] returns ok +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 26 to 1.2.3.4 port 13675 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 26 with timestamp +3 Ready to process requests.
I added the following to proxy.conf: realm NULL { } realm domain.com { }
The rest of the configuration files I left untouched.
-- ----------------------------------------------------- Marcos Roberto Greiner
Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy -----------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I've tried that, also with and without the semi-colon at the end. Same result.... Roberto PS: Forgot to mention: running version 2.0.5 on Debian Etch Ivan Kalik wrote:
User-Name = "test2"
Ivan Kalik Kalik Informatika ISP
Dana 26/8/2008, "rgreiner" <mrgreiner@gmail.com> pi¹e:
Hi,
using unlang I'm trying to modify the User-Name from the user, but something isn't working. Could somebody give me a hand?
What I'm doing (sample):
authorize { if (NAS-IP-Address == 1.2.3.4) { update request { User-Name = test2; } } ......
Freeradius -X is giving the following: ..... Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 1.2.3.4 port 13675, id=26, length=61 User-Name = "test1@domain.com" User-Password = "teste" NAS-IP-Address = 1.2.3.4 +- entering group authorize ++? if (NAS-IP-Address == 1.2.3.4) ? Evaluating (NAS-IP-Address == 1.2.3.4) -> TRUE ++? if (NAS-IP-Address == 1.2.3.4) -> TRUE ++- entering if (NAS-IP-Address == 1.2.3.4) +++[request] returns notfound ++- if (NAS-IP-Address == 1.2.3.4) returns notfound ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "domain.com" for User-Name = "test1@domain.com" rlm_realm: Found realm "domain.com" rlm_realm: Adding Stripped-User-Name = "test1" rlm_realm: Adding Realm = "domain.com" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "test" rlm_pap: Using CRYPT encryption. rlm_pap: User authenticated successfully ++[pap] returns ok +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 26 to 1.2.3.4 port 13675 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 26 with timestamp +3 Ready to process requests.
I added the following to proxy.conf: realm NULL { } realm domain.com { }
The rest of the configuration files I left untouched.
-- ----------------------------------------------------- Marcos Roberto Greiner
Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy -----------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------- Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy -----------------------------------------------------
2008/8/26 <A.L.M.Buxey@lboro.ac.uk>:
Hi,
I'm using a MacOS as a test client, which connects to the wireless network, prompts about an invalid certificate chain for the SSL cert
well, unless you've installed the CA etc that you signed the RADIUS server with, this will always be the case. until you trust the cert (by trusting the CA) then you cant EAP
Thanks for the replies, I was able to hit continue when presented with the SSL certificate warning to use it anyway, so had been doing that. However to make sure I added the CA certificate to the test system, unfortunately it didn't have any effect. I've reverted to a default configuration (using the Fedora Core 9 packaged version of FreeRadius 2.0.5) allowing the certs to be autogenerated to try and spot what in my configuration is making it break. With a default configuration EAP works with a user specified in the users file with a cleartext password (http://jim.geezas.com/stuff/radius-debugging/ *-success.log files). This works via eapol and a Mac test client. As soon as I enable the MSCHAP module (uncommenting the ntlm auth line) all authentication queries the AD here, so the locally configured user fails. When I try a user configured in the AD I'm getting: EAP-MSCHAPV2: Invalid authenticator response in success request In the eapol output, the radiusd logs also stop just after the mschap module returns success (0), finishing up the request. A snippet of the log is below (full logs @ http://jim.geezas.com/stuff/radius-debugging/ *-failure.log), the message authenticator does seem to be invalid, this seeming to happen when the request is proxied to the inner tunnel. MSCHAP Success ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010800331a0307002e533d31343030463445333137313238414639414438433531453433364146453138363141353839363139 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd1ea68cfd0e27269358adf5451b3d294 PEAP: Processing from tunneled session code 0x896ac68 11 EAP-Message = 0x010800331a0307002e533d31343030463445333137313238414639414438433531453433364146453138363141353839363139 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd1ea68cfd0e27269358adf5451b3d294 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 7 to 127.0.0.1 port 46172 EAP-Message = 0x0108005b190017030100506c55b2c3a5d1b727e4838dd88ff3d6be564aec2cce92f2cf546f86b9566d9d3add42598ab14de29f1a75b992798a92c28ecedc676ff9a0217787e64e686e93517ccbdce3f1a30e7fb861a382ab957cc8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8347b19df3c62eb11ce04af34e0d0a5 Finished request 15. So, the mschap module returns that the user is valid, but it seems that somewhere during the process the Message-Authenticator field is becoming invalid. Has anyone seen this problem before, or am I looking in the wrong place? Thanks, James
James Yale wrote:
With a default configuration EAP works with a user specified in the users file with a cleartext password (http://jim.geezas.com/stuff/radius-debugging/ *-success.log files). This works via eapol and a Mac test client.
Ah.
As soon as I enable the MSCHAP module (uncommenting the ntlm auth line) all authentication queries the AD here, so the locally configured user fails. When I try a user configured in the AD I'm getting:
EAP-MSCHAPV2: Invalid authenticator response in success request
Upgrade Samba. If you're not using at least 3.2.1, upgrade to that.
http://jim.geezas.com/stuff/radius-debugging/ *-failure.log), the message authenticator does seem to be invalid,
No. eapol_test is saying that the MSCHAP response is invalid.
Has anyone seen this problem before, or am I looking in the wrong place?
Others have seen exactly the same thing in the past weeks. Upgrading Samba fixed it. Alan DeKok.
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Ivan Kalik -
James Yale -
rgreiner