PEAP authentication with freerad ?

thomas hahusseau thomas.hahusseau at gmail.com
Tue Jun 6 17:03:06 CEST 2006


Yes, I use PEAP/MSCHAPv2, and passwords in OpenLDAP are stored in clear mode,
but there is a really strange error when I try an authentication via
EAP-PEAP (MSCHAPv2). Here is the output of FreeRADIUS:

lm_ldap: checking if remote access for test is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 6
modcall: group authorize returns ok for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
Login incorrect: [test/<no User-Password attribute>] (from client localhost
port 0)
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE

I don't know if that error is due to an impossible comparison between the hashed
password in mschap and the clear OpenLDAP password, or if there are problems
with the NT/LM-Password fields.


2006/6/6, Michael Griego <mgriego at utdallas.edu>:
>
> I assume by PEAP, you mean the most-often-seen PEAP/EAP-MSCHAPv2.  In
> this case, MD5 is not involved anywhere.  The passwords are hashed
> differently.  As such, you must either have an NT hashed password
> (which is actually a unicode-encoded MD4 hash of the password) or a
> cleartext password in your directory.
>
> --Mike
>
> On Jun 6, 2006, at 3:36 AM, thomas hahusseau wrote:
>
> > Hello,
> >
> > I would like to use PEAP to perform authentication of WLAN users.
> > I choose PEAP because users and passwords are in an LDAP server
> > (OpenLDAP). According to me, PEAP works like this:
> >
> > Phase 1: TLS handshake; the server authenticates to the client as a
> > trusted RADIUS server and a ciphered tunnel is created.
> > Phase 2: Login + password + domain hashed with MD5 are sent to
> > the RADIUS server, which asks the LDAP server for password and login.
> >
> > According to the doc file realm_eap, FreeRADIUS supports only
> > eap-tls (authentication based only on certificates (client +
> > server) lead and eap-MD5 (according to me, even if PEAP uses an MD5
> > hash, EAP-MD5 is different, with no mutual authentication and
> > no TLS handshake).
> >
> > I don't want to use a full certificate-based solution like EAP-TLS or
> > an authentication with no ciphered tunnel like with EAP-MD5.
> >
> > Could anyone help me use PEAP (or at least authentication
> > with the two phases described above) with FreeRADIUS?
> >
> > Thank you.
> >
> > PS: sorry for English mistakes :)
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html