EAP-MSChapv2 authentication

Christopher, Paul Paul.Christopher at xerox.com
Wed Sep 13 19:46:50 CEST 2006


Hi Alan,
Thanks for the response. I removed the Auth-Type, but it is still not working. Now I get a new set of errors. I did a radtest bob hello localhost 0 testing123 and the user was able to authenticate. I don't know why it doesn't work for EAP-MSCHAPv2. Thanks for your help! Below is the debug log:

rad_recv: Access-Request packet from host 13.138.136.68:1645, id=155, length=140
        NAS-IP-Address = 13.138.136.68
        NAS-Port = 50003
        NAS-Port-Type = Ethernet
        User-Name = "tester"
        Called-Station-Id = "00-0A-B8-39-79-85"
        Calling-Station-Id = "00-0B-DB-64-9B-A7"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x9b24bde92b2edf137fd180df54de624a
        EAP-Message = 0x021300060315
        Message-Authenticator = 0x59b57149b1821c1ec87342e2e04cdbc8
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
  modcall[authorize]: module "preprocess" returns ok for request 19
  modcall[authorize]: module "chap" returns noop for request 19
  modcall[authorize]: module "mschap" returns noop for request 19
    rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 19
  rlm_eap: EAP packet type response id 19 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 19
    users: Matched entry tester at line 83
  modcall[authorize]: module "files" returns ok for request 19
modcall: leaving group authorize (returns updated) for request 19
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/ttls
 rlm_eap: No such EAP type ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 19
modcall: leaving group authenticate (returns invalid) for request 19
auth: Failed to validate the user.
Delaying request 19 for 1 seconds
Finished request 19
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 13.138.136.68:1645, id=155, length=140
Sending Access-Reject of id 155 to 13.138.136.68 port 1645
        EAP-Message = 0x04130004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 1 seconds...



-----Original Message-----
From: freeradius-users-bounces+paul.christopher=xerox.com at lists.freeradius.org [mailto:freeradius-users-bounces+paul.christopher=xerox.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, September 12, 2006 4:12 PM
To: FreeRadius users mailing list
Subject: Re: EAP-MSChapv2 authentication 


"Christopher, Paul" <Paul.Christopher at xerox.com> wrote:
> I have a device that uses EAP-MSCHAPv2 (without PEAP) for 
> authentication. I am running freeRadius on Redhat. The device is 
> plugged into a switch which sends the EAP request to the server. I am 
> unable to get the device authenticated with the Radius server. In the 
> users file should the Auth-type be local or MS-Chap?

  Neither.  Don't set Auth-Type at all.  The server WILL figure it out.

>  Should I be sending the authentication request to an NT domain or 
> will the username and password in the user file be sufficient?

  Putting a username and password into the "users" file will be sufficient.

#
bob	User-Password := "hello"

#

  EAP-MSCHAPv2 *will* work.  See:

http://deployingradius.com/documents/configuration/pap.html

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog