D-Link Airplus Supplicant MSCHAP2 error
Ben Thompson
bt4 at york.ac.uk
Mon Jan 16 11:15:22 CET 2006
Hi
We run a WPA/TKIP/PEAP wireless network with FreeRADIUS 1.0.1 on Redhat.
Most client machines tend to be Windows XP and they are usually set
up to use the Microsoft built in supplicant. Occasionally someone comes
along with a Windows 2000 box and we have to set them up using whatever
software came with the network card as there is no wireless
configuration tool included in the OS. Usernames are specified using the
format username at realm and we normally reject anything without a realm
using the following entry in the users file :-
DEFAULT Realm == "NULL", Auth-Type := Reject
we also have :-
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
	User-Name = "%{User-Name}",
	Fall-Through = Yes
and in eap.conf :-
peap {
	default_eap_type = mschapv2
	copy_request_to_tunnel = yes
	use_tunneled_reply = yes
}
The other day someone came along with a Win2K box with D-Link wireless
card and we attempted to set it up to access the network. We could not
get it to work and noticed the following output from FreeRADIUS :-
modcall: entering group Auth-Type for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: Found NT-Password
rlm_mschap: Told to do MS-CHAPv2 for emm502 at york.ac.uk with
NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
PEAP: Got tunneled reply RADIUS code 3
Tunnel-Type:1 := VLAN
Tunnel-Medium-Type:1 := IEEE-802
Tunnel-Private-Group-Id:1 := "4025"
User-Name = "emm502 at york.ac.uk"
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0xc15ca10 3
Tunnel-Type:1 := VLAN
Tunnel-Medium-Type:1 := IEEE-802
Tunnel-Private-Group-Id:1 := "4025"
User-Name = "emm502 at york.ac.uk"
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 168 to 144.32.226.208:1645
Tunnel-Type:1 := VLAN
Tunnel-Medium-Type:1 := IEEE-802
Tunnel-Private-Group-Id:1 := "3970"
EAP-Message =
0x0108004819001703010018e031d8fca1c0cbfedb0cfcdce46b9a4c46758441f22e0ba417030100203027372cc858586642a97e40254bb292c08bd9e461560f21dd2c8e77b66450ee
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x73386b81b01f285fe325fdeb408f2f43
Finished request 6
Just for testing we removed the NULL realm reject from the users file
and tested the client with username entered on its own and found that
this worked OK. Does this point to a problem with the D-Link supplicant
or could it be a problem with our setup? The MSCHAP2 response is
incorrect when I specify the realm. Does this mean the supplicant is
incorrectly handling the username and stripped username?
Thanks
Ben Thompson
University of York
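
Added example, not part of the original post and not FreeRADIUS code: RFC 2759 derives the MS-CHAPv2 response from an 8-octet ChallengeHash that covers the user name, so a supplicant and a server that hash different forms of the name (with or without the realm) cannot agree on the response. The identity alice@example.org and the helpers username_forms and forms_matching are constructed for illustration; the challenge values are the RFC 2759 section 9.2 test vector.

```python
import hashlib

# RFC 2759 section 9.2 test vector (UserName "User")
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")


def challenge_hash(peer: bytes, auth: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || auth || username)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("peer and authenticator challenges must be 16 octets")
    return hashlib.sha1(peer + auth + username.encode("ascii")).digest()[:8]


def username_forms(identity: str) -> dict:
    """Hypothetical helper: forms of an identity either side might hash."""
    forms = {"as-entered": identity}
    if "@" in identity:
        forms["realm-stripped"] = identity.split("@", 1)[0]
    if "\\" in identity:
        forms["domain-stripped"] = identity.split("\\", 1)[1]
    return forms


def forms_matching(observed: bytes, peer: bytes, auth: bytes, identity: str) -> list:
    """Hypothetical helper: which forms reproduce the challenge a peer used."""
    return [name for name, user in username_forms(identity).items()
            if challenge_hash(peer, auth, user) == observed]


if __name__ == "__main__":
    identity = "alice@example.org"  # constructed sample identity
    for name, user in username_forms(identity).items():
        digest = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, user)
        print(f"{name:15} {user:20} {digest.hex()}")
    # The NT-Response is derived from this 8-octet value and the NT hash,
    # so two different values here can never yield the same response.
```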