Tunneled authentication rejected on PEAP

Mario Alberto Cruz Gartner mario.cruz at gmail.com
Tue Jul 12 20:47:51 CEST 2005


Thanks for the reply.

Just below the eap.conf include line:
-----
$INCLUDE ${confdir}/eap.conf
       mschap {
               authtype = MS-CHAP
-----
That, with the commented lines, would be:

-----
$INCLUDE ${confdir}/eap.conf

        # Microsoft CHAP authentication
        #
        #  This module supports MS-CHAP and MS-CHAPv2 authentication.
        #  It also enforces the SMB-Account-Ctrl attribute.
        #
        mschap {
                #
                #  As of 0.9, the mschap module does NOT support
                #  reading from /etc/smbpasswd.
                #
                #  If you are using /etc/smbpasswd, see the 'passwd'
                #  module for an example of how to use /etc/smbpasswd

                # authtype value, if present, will be used
                # to overwrite (or add) Auth-Type during
                # authorization. Normally should be MS-CHAP
                authtype = MS-CHAP

                # if use_mppe is not set to no mschap will
                # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
                # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
                #
                #use_mppe = no

                # if mppe is enabled require_encryption makes
                # encryption moderate
                #
                #require_encryption = yes

                # require_strong always requires 128 bit key
                # encryption
                #
                #require_strong = yes

                # Windows sends us a username in the form of
                # DOMAIN\user, but sends the challenge response
                # based on only the user portion.  This hack
                # corrects for that incorrect behavior.
                #
                #with_ntdomain_hack = no

                # The module can perform authentication itself, OR
                # use a Windows Domain Controller.  This configuration
                # directive tells the module to call the ntlm_auth
                # program, which will do the authentication, and return
                # the NT-Key.  Note that you MUST have "winbindd" and
                # "nmbd" running on the local machine for ntlm_auth
                # to work.  See the ntlm_auth program documentation
                # for details.
                #
                # Be VERY careful when editing the following line!
                #
                #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }
----
That's the module definition from radiusd.conf. No?

On 7/12/05, Alan DeKok <aland at ox.org> wrote:
> Mario Alberto Cruz Gartner <mario.cruz at gmail.com> wrote:
> > Looking earlier, on the debug, I'd see:
> >
> > -----
> ...
> >   rlm_eap: processing type mschapv2
> >   ERROR: Unknown value specified for Auth-Type.  Cannot perform
> > requested action.
> ...
> > But... now I don't know if the mschapv2 is the value that is "Unknown"
> > or what value is unknown for the auth?
> 
>   The EAP-MSCHAPv2 code uses the mschap module for authentication.
> 
> > Please help me by telling me what I am doing wrong?
> 
>   You deleted the mschap module from radiusd.conf.  Don't do that.
> 
>   Alan DeKok.
>
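
An added example, not part of the original thread and not FreeRADIUS code: a small Python check that `mschap` is both defined under `modules { }` and called from an `Auth-Type MS-CHAP` block in `authenticate { }`. The `authenticate` layout follows the stock radiusd.conf and is an assumption here; the function name and the sample configurations are constructed for illustration.

```python
def audit_mschap(conf_text):
    """Return a list of problems with how mschap is wired into radiusd.conf text."""
    defined = set()   # module instances declared directly under modules { }
    auth_map = {}     # Auth-Type name -> modules listed inside that block
    stack = []        # names of the currently open { } blocks
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (assumes no '#' in values)
        if not line or line.startswith("$INCLUDE"):
            continue
        if line == "}":
            if stack:
                stack.pop()
        elif line.endswith("{"):
            name = " ".join(line[:-1].split())
            if stack == ["modules"]:
                defined.add(name.split()[0])
            elif stack == ["authenticate"] and name.startswith("Auth-Type "):
                auth_map[name.split()[1]] = set()
            stack.append(name)
        elif len(stack) == 2 and stack[0] == "authenticate" and "=" not in line:
            auth_map.setdefault(stack[1].split()[-1], set()).add(line)
    problems = []
    if "mschap" not in defined:
        problems.append("mschap is not defined in modules { }")
    if "mschap" not in auth_map.get("MS-CHAP", set()):
        problems.append("authenticate { } has no Auth-Type MS-CHAP block calling mschap")
    return problems

# Constructed sample fragments (assumed layout, not taken from the poster's server).
MODULES_OK = """modules {
    $INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAP   # value the module writes into Auth-Type
    }
}
"""
MODULES_MISSING = "modules {\n    $INCLUDE ${confdir}/eap.conf\n}\n"
AUTH_OK = "authenticate {\n    Auth-Type MS-CHAP {\n        mschap\n    }\n    eap\n}\n"
AUTH_MISSING = "authenticate {\n    eap\n}\n"

if __name__ == "__main__":
    for label, conf in [("complete", MODULES_OK + AUTH_OK),
                        ("defined only", MODULES_OK + AUTH_MISSING),
                        ("module removed", MODULES_MISSING + AUTH_MISSING)]:
        print(label, "->", audit_mschap(conf) or "ok")
```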



