EAP (PEAP) problem with MS Win XP
WAYNE VANDERMERWE
WAYNE.VANDERMERWE at impilo.ecprov.gov.za
Fri Sep 28 11:00:02 CEST 2007
> have you tested from a non windows box to ensure that you havent fallen foul of the usual EAP problems - as clearly noted at the top of eap.conf?
No, I am not able to do so as I do not have an extra box. I have searched through all configurations to make sure that 'Auth-Type := EAP' is not set, as stated in eap.conf.
______________________
eap.conf
______________________
# review: eap.conf as posted (indentation was lost in the mail). Lines starting
# "# review:" are reviewer notes; every other line is the poster's text.
eap {
# review: the supplicant named in the subject is PEAP. With tls as the default
# the server first proposes EAP-TLS and relies on the client NAKing down to
# PEAP; default_eap_type = peap would avoid that round trip. Not the cause of
# the failure shown in the debug, though.
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
# Supported EAP-types
md5 {
}
# Cisco LEAP
leap {
}
# Generic Token Card.
gtc {
#challenge = "Password: "
auth_type = PAP
}
## EAP-TLS
tls {
# review: this appears to be demo key material (password "demo", files under
# a DemoCerts directory per radiusd.conf). Treat the private key as public:
# anyone can run a server presenting the same certificate, and supplicants
# told to trust this CA will accept it. Generate a site-specific CA and server
# certificate before clients are configured against this server.
private_key_password = demo
private_key_file = ${certsdir}/FreeRADIUS.net-Server.pem
certificate_file = ${certsdir}/FreeRADIUS.net-Server.crt
CA_file = ${certsdir}/FreeRADIUS.net-CA.crt
dh_file = ${certsdir}/dh
random_file = ${certsdir}/random
# fragment_size = 1024
# include_length = yes
# check_crl = yes
# review: only meaningful for EAP-TLS client certificates; a PEAP/MSCHAPv2
# client never presents one, so this does not influence the posted failure.
check_cert_cn = %{User-Name}
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
}
peap {
# review: inner method for the Windows client. MSCHAPv2 can only be verified
# when the server knows the user's cleartext (or NT-hash) password; with
# ntlm_auth left unset in radiusd.conf that has to come from the users file.
default_eap_type = mschapv2
}
mschapv2 {
}
}
------------------------------------------------------------------------
I am not using LDAP or a Windows Domain Controller. I am using the users.conf file for this.
______________
users
________________
# review: this is the users file. Indentation was lost in the mail: reply items
# (Fall-Through, Framed-*) must sit on indented continuation lines under the
# entry they belong to, so check the file on disk rather than this copy.
# review: User-Password as a check item is the older, deprecated spelling;
# Cleartext-Password (the commented line just below) is the form rlm_pap and
# rlm_mschap expect in this FreeRADIUS generation -- confirm against the
# version in use. The PEAP inner MSCHAPv2 exchange needs this known password.
53986067 User-Password := "whatever"
#53986067 Cleartext-Password := "whatever"
testuser User-Password == "testpw"
# review: "=" (not ":=") adds Auth-Type only when none has been set yet, so
# this is not the forced "Auth-Type := EAP" the eap.conf header warns about.
# It does send any request that still lacks an Auth-Type to System, which
# presumably means local system accounts via the unix module -- confirm that
# is intended for wireless users.
DEFAULT Auth-Type = System
Fall-Through = 1
DEFAULT Service-Type == Framed-User
Framed-IP-Address = 255.255.255.254,
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
-----------------------------------------------------------------------------------------------
_______________
radiusd.conf
________________
# review: radiusd.conf as posted -- path layout, global switches and logging.
prefix = ..
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# review: DemoCerts looks like the demo material shipped with the
# FreeRADIUS.net bundle; point this at a site-specific CA before any client is
# configured to trust the server certificate.
certsdir = ${sysconfdir}/raddb/certs/FreeRADIUS.net/DemoCerts
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
# review: with user/group commented out the daemon keeps whatever privileges it
# was started with (normally root). Fix ownership of ${logdir} and ${raddbdir}
# and uncomment these so it drops to an unprivileged account.
#user = nobody
#group = nobody
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# review: listens on every interface; which NASes may talk to the server is
# decided solely by clients.conf (included below).
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
# review: goodpass and badpass together write every submitted password to
# ${log_file} in cleartext. Useful while chasing this problem; switch both off
# afterwards and keep the log file readable by the radiusd account only.
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
# review: reject_delay = 1 is what produces "Delaying request 0 for 1 seconds"
# in the debug; it slows online password guessing and is worth keeping.
# max_attributes caps how large a single packet may be before it is dropped.
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
# review: proxying is enabled; which realms get forwarded, and to where, lives
# in proxy.conf (not shown). clients.conf is the only access control for NASes.
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
# review: worker pool sizing; max_requests_per_server = 0 means workers are
# never recycled.
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# review: module instances. Only the ones named in the authorize/authenticate/
# accounting sections further down actually run; several below are inert.
modules {
pap {
auto_header = yes
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
# review: ntlm_auth is commented out and the poster says there is no domain
# controller, so rlm_mschap has to verify the PEAP inner MSCHAPv2 against a
# password the server already holds (Cleartext-Password / NT-Password from the
# users file). If that entry is missing or in the wrong form, the inner
# authentication cannot succeed regardless of anything else here.
mschap {
#use_mppe = no
#require_encryption = yes
#require_strong = yes
with_ntdomain_hack = yes
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
# review: placeholder values (ldap.your.domain, o=My Org) and the instance is
# not listed in any section below, so it is inert. Dropping it keeps the config
# honest about what actually authenticates users.
ldap {
server = "ldap.your.domain"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "o=My Org,c=UA"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"
start_tls = no
# tls_cacertfile = /path/to/cacert.pem
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# tls_require_cert = "demand"
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
# password_attribute = userPassword
# edir_account_policy_check=no
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
# set_auth_type = yes
}
#passwd etc_smbpasswd {
# filename = /etc/smbpasswd
# format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
# authtype = MS-CHAP
# hashsize = 100
# ignorenislike = no
# allowmultiplekeys = no
#}
#passwd etc_group {
# filename = /etc/group
# format = "=Group-Name:::*,User-Name"
# hashsize = 50
# ignorenislike = yes
# allowmultiplekeys = yes
# delimiter = ":"
#}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
# review: the ntdomain realm is commented out in authorize, so the domain
# stripping visible in the debug is not coming from here (see preprocess).
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
#notfound-reject = no
}
#attr_rewrite sanecallerid {
# attribute = Called-Station-Id
# may be "packet", "reply", "proxy", "proxy_reply" or "config"
# searchin = packet
# searchfor = "[+ ]"
# replacewith = ""
# ignore_case = no
# new_attribute = no
# max_matches = 10
# ## If set to yes then the replace string will be appended to the original string
# append = no
#}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
# review: this rewrites User-Name in the request. The posted debug shows
# "CN9000\\53986067" arriving and plain "53986067" by the time rlm_realm runs,
# while the EAP-Message identity (hex in the debug) still decodes with the
# domain prefix; rlm_eap then reports "Identity does not match User-Name" and
# fails in the handler. EAP needs User-Name left as the supplicant sent it, so
# this looks like the first thing to test with with_ntdomain_hack = no. If the
# bare user part is needed for lookups, the ntdomain realm module records it in
# Stripped-User-Name rather than altering User-Name.
with_ntdomain_hack = yes
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
# review: detailperm = 0777 (here and in the four detail instances below, plus
# perm = 0777 on both radutmp instances) creates world-readable and writable
# files holding every attribute the NAS sends. Upstream ships 0600; use that,
# and consider enabling the suppress { User-Password } stanza in case PAP
# requests ever reach this server.
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d.log
detailperm = 0777
#suppress {
# User-Password
#}
}
detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d.log
detailperm = 0777
}
detail reply_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d.log
detailperm = 0777
}
detail pre_proxy_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d.log
detailperm = 0777
}
detail post_proxy_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d.log
detailperm = 0777
}
# sql_log {
# path = ${radacctdir}/sql-relay
# acct_table = "radacct"
# postauth_table = "radpostauth"
#
# Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES \
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '%S', '0', '0', '');"
# Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES \
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
# '%{Acct-Terminate-Cause}');"
# Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
# NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
# AcctSessionTime, AcctTerminateCause) VALUES \
# ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
# '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
#
# Post-Auth = "INSERT INTO ${postauth_table} \
# (user, pass, reply, date) VALUES \
# ('%{User-Name}', '%{User-Password:-Chap-Password}', \
# '%{reply:Packet-Type}', '%S');"
# }
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0777
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0777
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
# review: the "#" seems to have been lost from the body lines of this block and
# the monthlycounter one below in the mail -- the opening "#sqlcounter ... {"
# and the query continuation lines are commented while counter-name/query are
# not, and the monthly query would be an unterminated string as shown. The
# server evidently started, so the paste is the likely culprit; re-check the
# file on disk.
#sqlcounter dailycounter {
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = daily
# For mysql:
# query = "SELECT SUM(AcctSessionTime - \
# GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
# FROM radacct WHERE UserName='%{%k}' AND \
# UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
# For postgresql:
# query = "SELECT SUM(AcctSessionTime - \
# GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) \
# FROM radacct WHERE UserName='%{%k}' AND \
# AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"
# For mysql:
# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
# For postgresql:
# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
# UserName='%{%k}' AND AND AcctStartTime::ABSTIME::INT4 > '%b'"
# For mysql:
# query = "SELECT SUM(AcctSessionTime) FROM radacct \
# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
# For postgresql:
# query = "SELECT SUM(AcctSessionTime) FROM radacct \
# WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 \
# BETWEEN '%b' AND '%e'"
# }
# sqlcounter monthlycounter {
counter-name = Monthly-Session-Time
check-name = Max-Monthly-Session
reply-name = Session-Timeout
sqlmod-inst = sql
key = User-Name
reset = monthly
query = "SELECT SUM(AcctSessionTime - \
# GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
# FROM radacct WHERE UserName='%{%k}' AND \
# UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
# query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
# UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
# query = "SELECT SUM(AcctSessionTime) FROM radacct \
# WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
# FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
# }
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
# review: interpolates the request-supplied User-Name into a command line. Not
# referenced from any section below, so inert; keep it that way unless needed.
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
#packet_type = Access-Accept
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
maximum-timeout = 0
}
# $INCLUDE ${confdir}/sqlippool.conf
# $INCLUDE ${confdir}/otp.conf
}
# review: modules loaded at startup regardless of whether a section names them.
instantiate {
exec
expr
# daily
}
# review: order matters here. auth_log records every request before anything
# else runs; eap before files is the normal layout. The debug's
# "rlm_pap: Found existing Auth-Type" is pap seeing the Auth-Type EAP that
# rlm_eap set two modules earlier -- the normal EAP path, not the forced
# "Auth-Type := EAP" the eap.conf header warns about.
authorize {
preprocess
auth_log
# attr_filter
chap
mschap
# digest
# IPASS
suffix
# ntdomain
eap
files
# sql
# etc_smbpasswd
# ldap
# daily
# checkval
pap
}
# review: the failure in the debug happens inside eap here ("Failed in
# handler" directly after "Identity does not match User-Name"); the User-Name
# rewrite done during authorize by preprocess's with_ntdomain_hack is the thing
# to look at, not this section.
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
# digest
# pam
unix
# Auth-Type LDAP {
# ldap
# }
eap
}
# review: accounting pre-processing; acct_unique derives a stable session key.
preacct {
preprocess
acct_unique
# IPASS
suffix
# ntdomain
files
}
# review: daily runs here but is commented out in authorize, so as configured
# it only counts session time; the Max-Daily-Session check is never enforced.
accounting {
detail
daily
unix
radutmp
# sradutmp
# main_pool
# sql
# sql_log
# pgsql-voip
}
# review: simultaneous-use checks read the radutmp file written in accounting.
session {
radutmp
# sql
}
# review: reply_log writes every reply (with the 0777 detailperm noted on the
# module) -- the same permission concern applies here.
post-auth {
# main_pool
reply_log
# sql
# sql_log
# ldap
# Post-Auth-Type REJECT {
# insert-module-name-here
# }
}
# review: logs requests about to be proxied; attr_filter/attr_rewrite are off.
pre-proxy {
# attr_rewrite
# files
pre_proxy_log
}
# review: eap must stay listed here for proxied EAP replies to be handled.
post-proxy {
post_proxy_log
# attr_rewrite
# attr_filter
eap
}
--------------------------------------------------------
I still get the same results from the debug
______________
debug
--------------------
rad_recv: Access-Request packet from host 10.219.157.232:20000, id=63, length=149
NAS-Port-Id = "2/1"
Calling-Station-Id = "00-0F-CB-FA-D4-63"
Called-Station-Id = "00-18-6E-95-A2-C0:ELHC"
Service-Type = Framed-User
EAP-Message = 0x0201001401434e393030305c3533393836303637
User-Name = "CN9000\\53986067"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "3Com"
NAS-IP-Address = 10.219.157.232
Message-Authenticator = 0x9e21864de4c626d3cfdac3077ceda7bb
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '../var/log/radius/radacct/10.219.157.232/auth-detail-20070919.log'
rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/10.219.157.232/auth-detail-20070919.log
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "53986067", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry 53986067 at line 84
modcall[authorize]: module "files" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 0
modcall: leaving group authenticate (returns invalid) for request 0
auth: Failed to validate the user.
Login incorrect: [53986067/<no User-Password attribute>] (from client elhc-network port 0 cli 00-0F-CB-FA-D4-63)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 63 to 10.219.157.232 port 20000
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 63 with timestamp 46f0d4b4
Nothing to do. Sleeping until we see a request.
----------------------------------------------------------------------------------------------------------------------------------------
if so, then i would be concerned by this in the debug:
> modcall: entering group authenticate for request 0
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
> rlm_eap: Failed in handler
> modcall[authenticate]: module "eap" returns invalid for request 0
> modcall: leaving group authenticate (returns invalid) for request 0
> auth: Failed to validate the user.
> Login incorrect: [53986067/<no User-Password attribute>] (from client elhc-network port 0 cli 00-0F-CB-FA-D4-63)
what are you doing with the User-Name and/or identity? you cant play with those
packets as it breaks EAP. the debug also looks worryingly short. you should
post the whole debug. also, HOW are you authenticating the users? you
dont have ntlm_auth set and LDAP doesnt seem to be doing anything...I fear
very very much that you have some Auth-Type := EAP in your users file
or something worse! please post your config files.
oh, and dont hurry, i'm certainly not demanding an urgent response.
alan