Re : cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
thanx for responding dude. let's take a look at this part of log! (remember too that i am a new linux, many thing are still chinese for me) i agree, my certificate are OK to do EAP in general my coments are the red lines : my mschap module config is: -------------- mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}}" } my peap and mschapv2 module config is: --------------- Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = yes } output of eap/mschapv2authentication is: ------------ rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. //Normal, i am not willing to do PAP but mschapv2 ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password //does the 3 previous lines means there is an error? what does "No Cleartext-Password configured means? // what does LM-Password means? and if it's error, how could i correct it? // ithought it was normal, as I am surewindows never sends "cleartext-Password" expand: --username=%{mschap:User-Name}-> --username=glouglou //...???... mschap2: d1 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4a2a69e7929b2c03 //...???... expand: --nt-response=%{mschap:NT-Response:-00}} -> --nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6} //...???... Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???... Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???... //negociation that is out of the range of my brain till now, but i think ity's normal security negociation in windows system, and there is no error here. Exec-Program: returned: 0 //...???... rlm_mschap: adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success //...???... if MSCHAP Success, where is the matter with this module??? ++[eap] returns handled } # server (null) //...???... PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x95b92b9094ab31501a0a30daea5106ca PEAP: Processing from tunneled session code 0x81b78d8 11 EAP-Message = 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x95b92b9094ab31501a0a30daea5106ca PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 164 to 10.10.44.246 port 1042 EAP-Message = 0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe8ed0301efff1a196c3b0024d8e45892 //...???... and then What? and why its stops..???... Finished request 9. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 157 with timestamp +47 Cleaning up request 3 ID 158 with timestamp +47 Cleaning up request 4 ID 159 with timestamp +47 Cleaning up request 5 ID 160 with timestamp +47 Cleaning up request 6 ID 161 with timestamp +47 Cleaning up request 7 ID 162 with timestamp +47 Cleaning up request 8 ID 163 with timestamp +47 Cleaning up request 9 ID 164 with timestamp +47 Ready to process requests.
aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON password: NT_STATUS_OK: Success (0x0) aaa:~ #
:/ Any help will be appreciated. these days i am wondering about validity of the Server certificate! I have to tell you that, in my case, if i try a peap authentication against Active Directoiry with wrong users credentials, i have an error message saying that login or password is incorrect. with good users credential, i just obtain what you can see in the Radiusd -X output (http://tinypaste.com/5b99b)
thank you - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------
but I think you don't have any problem with certificates, looking at radius debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established the client is telling you that has verified the server cert (against ca.der). Then, the server writes ChangeCipherSpec and Fin, and tls phase is finished. I think you have problems with mschapv2 phase, assuming your sql querys working. Your problem begin here: rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password expand: --username=%{mschap:User-Name} -> --username=glouglou I think...... I've never configured peap/mschapv2 but sometimes i've read, not carefully, about some dependencies between mschap module and mschapv2 or something like that. hope this help you - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _____________________________________________________________________________ Envoyez avec Yahoo! Mail. Une boite mail plus intelligente http://mail.yahoo.fr
[snip]
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. //Normal, i am not willing to do PAP but mschapv2
<me> If you¹re not using a module, disable it. All it¹ll do is add latency, delays and unnecessary log messages. Comment it out ...
++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password //does the 3 previous lines means there is an error? what does "No Cleartext-Password configured means?
<me> it means, it cannot find a clear text password in the backend data store, which it expects to do ..
// what does LM-Password means? and if it's error, how could i correct it?
<me> Check your configuration. All depends on so many things ..
// ithought it was normal, as I am surewindows never sends "cleartext-Password"
Oh, Windows sure has been using clear text passwords, so it then also has a need to be backwards compatible with itself, right?
expand: --username=%{mschap:User-Name}-> --username=glouglou //...???...
mschap2: d1 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4a2a69e7929b2c03 //...???... expand: --nt-response=%{mschap:NT-Response:-00}} -> --nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6} //...???... Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???... Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???... //negociation that is out of the range of my brain till now, but i think ity's normal security negociation in windows system, and there is no error here.
Exec-Program: returned: 0 //...???... rlm_mschap: adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success //...???... if MSCHAP Success, where is the matter with this module???
<me> what makes you believe there is a problem at this stage?
++[eap] returns handled } # server (null) //...???... PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x011200331a0311002e533d313034353230313939324636334439444241323036444246433433 41413242354132313236344636 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x95b92b9094ab31501a0a30daea5106ca PEAP: Processing from tunneled session code 0x81b78d8 11 EAP-Message = 0x011200331a0311002e533d313034353230313939324636334439444241323036444246433433 41413242354132313236344636 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x95b92b9094ab31501a0a30daea5106ca PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 164 to 10.10.44.246 port 1042 EAP-Message = 0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0 a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe8ed0301efff1a196c3b0024d8e45892 //...???... and then What? and why its stops..???...
<me> why do I get the feeling that if Message-Authenticator is all zeros, it is a ³nope, not going to happen mate² type return, effectively stopping any further processing. Why I have no idea .. Alan??
[cut out bits that are not relevant, nor commented, nor anything. Let¹s trim messages folks. If it¹s not used or relevant, get rid of it.. It only takes space]
Anders Holm escribió:
[snip]
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. //Normal, i am not willing to do PAP but mschapv2
<me> If you’re not using a module, disable it. All it’ll do is add latency, delays and unnecessary log messages. Comment it out ...
++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password //does the 3 previous lines means there is an error? what does "No Cleartext-Password configured means?
<me> it means, it cannot find a clear text password in the backend data store, which it expects to do ..
// what does LM-Password means? and if it's error, how could i correct it?
<me> Check your configuration. All depends on so many things ..
// ithought it was normal, as I am surewindows never sends "cleartext-Password"
Oh, Windows sure has been using clear text passwords, so it then also has a need to be backwards compatible with itself, right?
expand: --username=%{mschap:User-Name}-> --username=glouglou //...???...
mschap2: d1 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4a2a69e7929b2c03 //...???... expand: --nt-response=%{mschap:NT-Response:-00}} -> --nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6} //...???... Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???... Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???... //negociation that is out of the range of my brain till now, but i think ity's normal security negociation in windows system, and there is no error here.
Exec-Program: returned: 0 //...???... rlm_mschap: adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success //...???... if MSCHAP Success, where is the matter with this module???
<me> what makes you believe there is a problem at this stage?
++[eap] returns handled } # server (null) //...???... PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x95b92b9094ab31501a0a30daea5106ca PEAP: Processing from tunneled session code 0x81b78d8 11 EAP-Message = 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x95b92b9094ab31501a0a30daea5106ca PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 164 to 10.10.44.246 port 1042 EAP-Message = 0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe8ed0301efff1a196c3b0024d8e45892 //...???... and then What? and why its stops..???...
<me> why do I get the feeling that if Message-Authenticator is all zeros, it is a “nope, not going to happen mate” type return, effectively stopping any further processing. Why I have no idea .. Alan??
[cut out bits that are not relevant, nor commented, nor anything. Let’s trim messages folks. If it’s not used or relevant, get rid of it.. It only takes space]
I'm agree, a good begining would be comment out all modules you're not using. The instances of the modules are in sites-enabled/default and sites-enabled/inner-tunnel (for peap and ttls).
Sergio wrote:
I'm agree, a good begining would be comment out all modules you're not using. The instances of the modules are in sites-enabled/default and sites-enabled/inner-tunnel (for peap and ttls).
For debugging... no. The default configuration file WORKS in the widest possible set of circumstances. If it isn't working, it's usually: a) the client (e.g. Windows) b) the NAS (e.g. recent comments about 3com) You should edit the default configuration ONLY for production environments, and ONLY after the debug setup is working to your satisfaction. Alan DeKok.
participants (4)
-
Alan DeKok -
Anders Holm -
Reveal MAP -
Sergio