PEAP-MSCHAP failure. Please help
Jack Daniels
da_very_newbie at hotmail.com
Wed Oct 18 15:39:10 CEST 2006
Hi there, I'm trying to do authentication using the winlogon information and
using PEAP. I'm not using client certificates, only windows domain logon
information.
Here are my config files:
eap.conf
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
tls {
private_key_password = password
private_key_file = ${raddbdir}/certs/radiuskey.pem
certificate_file = ${raddbdir}/certs/radiuscert.pem
CA_file = ${raddbdir}/certs/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = /dev/urandom
fragment_size = 1024
include_length = yes
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
}
mschapv2 {
}
}
radiusd.conf
...
modules {
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/opt/samba/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
}
authorize {
eap
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}
This is my dump of radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: ntlm_auth = "/opt/samba/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/radiuskey.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/radiuscert.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/cacert.pem"
tls: private_key_password = "password"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/dev/urandom"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.254.26:1812, id=22,
length=165
NAS-IP-Address = 192.168.254.26
NAS-Port = 50001
NAS-Port-Type = Ethernet
User-Name = "ASDF\\asdf"
Called-Station-Id = "00-16-46-DB-93-01"
Calling-Station-Id = "00-B0-D0-0C-64-B2"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message =
0x0200002e01415344465c617364660000ff1c53796761746553656375726974794167656e74000000000000000000
Message-Authenticator = 0x38739029b21f29f09cf2d207b03c3a35
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_eap: EAP packet type response id 0 length 46
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 22 to 192.168.254.26 port 1812
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe6aee8ce917ba33b4e9bcb87dc8aa9b0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.254.26:1812, id=23,
length=217
NAS-IP-Address = 192.168.254.26
NAS-Port = 50001
NAS-Port-Type = Ethernet
User-Name = "ASDF\\asdf"
Called-Station-Id = "00-16-46-DB-93-01"
Calling-Station-Id = "00-B0-D0-0C-64-B2"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xe6aee8ce917ba33b4e9bcb87dc8aa9b0
EAP-Message =
0x0201005019800000004616030100410100003d030145362a3286a98f942b778d74dd470fc449c041d01f0e82822ba3babcf0c7752c00001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0xd0802a126d8f4c4576362704b2b1f3f1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
rlm_eap: EAP packet type response id 1 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 062f], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 23 to 192.168.254.26 port 1812
EAP-Message = 0x044265726e31163014060355040a130d536166656775
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd9e611882c9206e57aa4934cc6c47079
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.254.26:1812, id=24,
length=143
NAS-IP-Address = 192.168.254.26
NAS-Port = 50001
NAS-Port-Type = Ethernet
User-Name = "ASDF\\asdf"
Called-Station-Id = "00-16-46-DB-93-01"
Calling-Station-Id = "00-B0-D0-0C-64-B2"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xd9e611882c9206e57aa4934cc6c47079
EAP-Message = 0x020200061900
Message-Authenticator = 0xb85b165671cc8a30681a688baf2a2136
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 24 to 192.168.254.26 port 1812
EAP-Message =
0x2a864886f70d010104050003818100b6a2bf764bb01820c8650f0bcd7ad1797ce2711f82de2df777607aad7c9cd0f58396dfe1bf6974b9aaf368757de41b49fc4538ed0598aeec5ed8555ce7c44f658fd6ecaa1fabbc2060da8536aa136f86835b8a6731e41c78b0023b572aed7175b94cd93badab450b174067e22c58a4f434d0fd592ec1215a04e184ca612d2c9516030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2e288099d22c097d5f415cca50070a5d
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.254.26:1812, id=25,
length=329
NAS-IP-Address = 192.168.254.26
NAS-Port = 50001
NAS-Port-Type = Ethernet
User-Name = "ASDF\\asdf"
Called-Station-Id = "00-16-46-DB-93-01"
Calling-Station-Id = "00-B0-D0-0C-64-B2"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x2e288099d22c097d5f415cca50070a5d
EAP-Message =
0x020300c01980000000b61603010086100000820080883d13d43d2ce12fc3364a5eb33fb861636d18a200a9a0e84d10261e9c86f2350db58c1feba581442c51bee27f89d4d0255ec8509ac3910acf099b23dac128862ee02f0de774f283ae00ed5575c142dde2514d50be4004286b19f35e5c3ed602ffa270cbb94ff2780f81af5834169f9e6573dff346f45bd1c799c3b44f9240cf140301000101160301002070a4cb2e7adb74767794227e6f18c65164cc2e25355bf08505b016f9ed0a1670
Message-Authenticator = 0x65115a527c866e9357aaa8d3844a00ea
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
rlm_eap: EAP packet type response id 3 length 192
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 25 to 192.168.254.26 port 1812
EAP-Message =
0x0104003119001403010001011603010020d0f9a0ba049067d8e4d5c36c88eeaf39cb69d081fcee756c084180b6ac53294f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xed95e59feca1d7ef0ab7eed96cec81c1
Finished request 3
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 22 with timestamp 45359d13
Cleaning up request 1 ID 23 with timestamp 45359d13
Cleaning up request 2 ID 24 with timestamp 45359d13
Cleaning up request 3 ID 25 with timestamp 45359d13
Nothing to do. Sleeping until we see a request.
The CA certificate has been imported to the connecting computer and this
computer is configured with the option "Validate server certificate" with
the appropriate certification authority selected.
When I connect, nothing happens: it doesn't connect, but it doesn't complain
either, and the switch port stays blocked. From the dump, you can see that
there is no failure in the EAP module, but it doesn't go to the mschap
authentication part.
Questions:
Is there a way to dump more information about what is going on in the TLS
conversation in freeradius?
Why can't it reach the mschap part even though EAP doesn't fail?
Should I consider this part
(other): SSL negotiation finished successfully
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
SSL Connection Established
as a failure or a success?
In the client computer, if I uncheck the "Validate server certificate"
option everything runs smoothly.
I'm using FreeRadius v 1.1.3. Certificates when created were verified with
openssl verify and everything was ok.
Thanks.
Please advise.
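One way to read a dump like the one above, as an added example that is not from the post or from the FreeRADIUS project: a small Python analyser that treats `error:00000000` as OpenSSL's empty error queue rather than a failure, notes when the outer TLS tunnel came up, and checks whether the last Access-Challenge the server sent was ever answered. The marker strings for inner-tunnel activity (`rlm_eap_peap: Got tunneled`, `rlm_eap_mschapv2`, `rlm_mschap`) are assumed from FreeRADIUS 1.x debug output, and the sample log is a constructed excerpt of the dump in the post.

```python
import re

# Constructed excerpt of the radiusd -X dump above (hex payloads and unrelated lines dropped).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.254.26:1812, id=23, length=217
TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
Sending Access-Challenge of id 23 to 192.168.254.26 port 1812
rad_recv: Access-Request packet from host 192.168.254.26:1812, id=25, length=329
(other): SSL negotiation finished successfully
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
SSL Connection Established
Sending Access-Challenge of id 25 to 192.168.254.26 port 1812
Cleaning up request 3 ID 25 with timestamp 45359d13
"""

SSL_ERR = re.compile(r"rlm_eap: SSL error error:([0-9a-fA-F]{8}):")
SENT = re.compile(r"Sending Access-(Challenge|Accept|Reject) of id \d+")
RECV = re.compile(r"rad_recv: Access-Request .*\bid=\d+")
# Lines that only appear once PEAP hands the inner EAP to the tunnel
# (assumed from FreeRADIUS 1.x debug output, not taken from this post).
INNER = ("rlm_eap_peap: Got tunneled", "rlm_eap_mschapv2", "rlm_mschap")


def analyse(log: str) -> dict:
    """Summarise one PEAP conversation from a radiusd -X dump."""
    s = {"tls_errors": [], "tunnel_up": False, "inner_auth": False,
         "unanswered": False}
    for line in log.splitlines():
        m = SSL_ERR.search(line)
        # error:00000000 is OpenSSL's empty error queue; rlm_eap prints it after
        # every SSL_accept() call, so only a non-zero code is a real TLS error.
        if m and int(m.group(1), 16):
            s["tls_errors"].append(line)
        s["tunnel_up"] |= "SSL Connection Established" in line
        s["inner_auth"] |= any(mark in line for mark in INNER)
        m = SENT.search(line)
        if m:  # a Challenge stays pending until the next Access-Request arrives
            s["unanswered"] = m.group(1) == "Challenge"
        if RECV.search(line):
            s["unanswered"] = False
    if s["tls_errors"]:
        s["verdict"] = "tls-error"
    elif s["inner_auth"]:
        s["verdict"] = "inner-auth-reached"
    elif s["tunnel_up"] and s["unanswered"]:
        # Outer handshake done, server Finished sent, client never replied:
        # the supplicant dropped the session on its side.
        s["verdict"] = "client-silent-after-tls"
    else:
        s["verdict"] = "incomplete"
    return s
```

On the dump in the post this yields `client-silent-after-tls`: the server's side of the TLS handshake succeeded and no inner MS-CHAPv2 exchange was ever attempted, because the supplicant stopped talking after the outer tunnel was established, which matches the post's observation that disabling "Validate server certificate" on the client makes it work.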
More information about the Freeradius-Users mailing list