EAP (PEAP) problem with MS Win XP

WAYNE VANDERMERWE WAYNE.VANDERMERWE at impilo.ecprov.gov.za
Fri Sep 28 11:00:02 CEST 2007


> have you tested from a non windows box to ensure that you havent fallen foul of the usual EAP problems - as clearly noted at the top of eap.conf?
No, I am not able to do so as I do not have an extra box. I have searched through all configurations to make sure that 'Auth-Type := EAP' is not set, as stated in eap.conf.
______________________
eap.conf
______________________
 eap {
  
  # Type offered to a client that has not asked for one; a PEAP supplicant
  # is expected to NAK this and request peap, whose inner type is set below.
  default_eap_type = tls
  timer_expire     = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
 
  # Supported EAP-types
  md5 {
  }
  # Cisco LEAP
  leap {
  }
  #  Generic Token Card.
  gtc {
   #challenge = "Password: "
   auth_type = PAP
  }
 
  ## EAP-TLS
  tls {
   # These point at the FreeRADIUS.net DemoCerts bundle (see certsdir in
   # radiusd.conf) together with its demo key passphrase. If these are the
   # stock demo files, every other installer of the same bundle holds this
   # server's private key and CA: acceptable for a test bench, not for a
   # production access network.
   private_key_password = demo
   private_key_file = ${certsdir}/FreeRADIUS.net-Server.pem
   certificate_file = ${certsdir}/FreeRADIUS.net-Server.crt
   CA_file = ${certsdir}/FreeRADIUS.net-CA.crt
   dh_file = ${certsdir}/dh
   random_file = ${certsdir}/random
 #  fragment_size = 1024
 #  include_length = yes
   # CRL checking stays off, so a revoked client certificate is still accepted.
 #  check_crl = yes
   # Only applies when a client presents a certificate (EAP-TLS): its CN must
   # equal User-Name. The stray indentation looks like a paste artefact.
                      check_cert_cn = %{User-Name}
  }
 
  # ttls is not what a PEAP supplicant negotiates; left as shipped.
  ttls {
   default_eap_type = md5
   copy_request_to_tunnel = no
   use_tunneled_reply = yes   
      
  }
   # Inner method for PEAP; needs the mschapv2 sub-module below and a
   # password the server already knows in clear (or as an NT hash), since
   # mschap has no ntlm_auth configured in radiusd.conf.
   peap {
   default_eap_type = mschapv2
  }
 
   mschapv2 {
  }
 }
------------------------------------------------------------------------
I am not using LDAP or a Windows Domain Controller. I am using the users.conf file for this.
 
______________
users
________________
# The entry the debug reports as matched ("users: Matched entry 53986067 at
# line 84"). The name carries no "CN9000\" prefix, so it can only match once
# that prefix has been removed from User-Name earlier in authorize. The ":="
# form stores the known-good password for the authenticating module, which
# the PEAP inner mschapv2 needs (no ntlm_auth is configured).
53986067    User-Password := "whatever"
 
#53986067 Cleartext-Password := "whatever"
 
# NOTE(review): "==" compares against a User-Password carried in the request
# instead of storing the known password as ":=" does; confirm which form the
# installed version honours before relying on this entry.
testuser User-Password == "testpw"
 
# "=" sets Auth-Type only when nothing earlier did. In the posted debug, eap
# (listed before files in authorize) has already set Auth-Type = EAP, so this
# DEFAULT does not override it ("rlm_pap: Found existing Auth-Type"). It is
# not the "Auth-Type := EAP" the reply warns against.
DEFAULT Auth-Type = System
 Fall-Through = 1
 
# Stock dial-up defaults; 255.255.255.254 leaves address assignment to the NAS.
DEFAULT Service-Type == Framed-User
 Framed-IP-Address = 255.255.255.254,
 Framed-MTU = 576,
 Service-Type = Framed-User,
 Fall-Through = Yes
 
DEFAULT Framed-Protocol == PPP
 Framed-Protocol = PPP,
 Framed-Compression = Van-Jacobson-TCP-IP
 
DEFAULT Hint == "CSLIP"
 Framed-Protocol = SLIP,
 Framed-Compression = Van-Jacobson-TCP-IP
 
DEFAULT Hint == "SLIP"
 Framed-Protocol = SLIP
-----------------------------------------------------------------------------------------------
 
_______________
radiusd.conf
________________
 
# Path layout; everything is relative to the directory above the working one.
prefix = ..
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Demo certificate bundle shipped with FreeRADIUS.net; eap.conf's tls {}
# section loads its key, cert and CA from here.
certsdir = ${sysconfdir}/raddb/certs/FreeRADIUS.net/DemoCerts
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
# No unprivileged user/group configured: the daemon keeps the identity of
# whoever starts it.
#user = nobody
#group = nobody
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listens on every interface; port = 0 means the radius port from /etc/services.
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = yes
log_auth = yes
# Both of these write the submitted password into radius.log in clear text.
# Handy while this is being debugged; turn them off (or lock down logdir)
# once the problem is found.
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
 max_attributes = 200
 # The "Delaying request 0 for 1 seconds" line in the debug comes from here.
 reject_delay = 1
 status_server = no
}
# Proxying is on, but the debug shows rlm_realm finding no realm for this
# request, so it is handled locally.
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp = no
$INCLUDE  ${confdir}/snmp.conf
# Worker thread limits; unchanged from the shipped defaults.
thread pool {
 start_servers = 5
 max_servers = 32
 min_spare_servers = 3
 max_spare_servers = 10
 max_requests_per_server = 0
}
# Module instances. Only the ones named in a processing section further
# down (authorize, authenticate, accounting, ...) actually run.
modules {
 pap {
  auto_header = yes
 }
 
 chap {
  authtype = CHAP
 }
 
 pam {
  pam_auth = radiusd
 }
 unix {
  cache = no
  cache_reload = 600
  radwtmp = ${logdir}/radwtmp
 }
$INCLUDE ${confdir}/eap.conf
 mschap {
  #use_mppe = no
  #require_encryption = yes
  #require_strong = yes
  # Only affects how the NT response is computed; it does not rewrite User-Name.
  with_ntdomain_hack = yes
  # ntlm_auth is unset, so MS-CHAP (and the PEAP inner mschapv2) can only
  # succeed with a password the server already holds, e.g. the
  # "User-Password :=" entry in the users file.
  #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
 }
 # Placeholder values (ldap.your.domain, o=My Org,c=UA); ldap is commented
 # out in every section below, so this instance is never called. If it is
 # ever enabled, start_tls = no with no tls_* settings means binds would
 # cross the wire unencrypted.
 ldap {
  server = "ldap.your.domain"
  # identity = "cn=admin,o=My Org,c=UA"
  # password = mypass
  basedn = "o=My Org,c=UA"
  filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
  # base_filter = "(objectclass=radiusprofile)"
  start_tls = no
 
  # tls_cacertfile = /path/to/cacert.pem
  # tls_cacertdir  = /path/to/ca/dir/
  # tls_certfile  = /path/to/radius.crt
  # tls_keyfile  = /path/to/radius.key
  # tls_randfile  = /path/to/rnd
  # tls_require_cert = "demand"
  # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
  # profile_attribute = "radiusProfileDn"
  access_attr = "dialupAccess"
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  ldap_connections_number = 5
  # password_attribute = userPassword
  # edir_account_policy_check=no
  # groupname_attribute = cn
  # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
  # groupmembership_attribute = radiusGroupName
  timeout = 4
  timelimit = 3
  net_timeout = 1
  # compare_check_items = yes
  # do_xlat = yes
  # access_attr_used_for_allow = yes
  # set_auth_type = yes
 }
 #passwd etc_smbpasswd {
 # filename = /etc/smbpasswd
 # format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
 # authtype = MS-CHAP
 # hashsize = 100
 # ignorenislike = no
 # allowmultiplekeys = no
 #}
 
 #passwd etc_group {
 # filename = /etc/group
 # format = "=Group-Name:::*,User-Name"
 # hashsize = 50
 # ignorenislike = yes
 # allowmultiplekeys = yes
 # delimiter = ":"
 #}
 realm IPASS {
  format = prefix
  delimiter = "/"
  ignore_default = no
  ignore_null = no
 }
 # The only realm instance that is actually listed in authorize/preacct.
 realm suffix {
  format = suffix
  delimiter = "@"
  ignore_default = no
  ignore_null = no
 }
 realm realmpercent {
  format = suffix
  delimiter = "%"
  ignore_default = no
  ignore_null = no
 }
 # Handles "DOMAIN\user" by setting Stripped-User-Name rather than rewriting
 # User-Name. It is commented out in authorize below, so it is not what
 # removed the "CN9000\" prefix seen in the debug -- TODO confirm this is the
 # intended replacement for the preprocess hack on this version.
 realm ntdomain {
  format = prefix
  delimiter = "\\"
  ignore_default = no
  ignore_null = no
 } 
 checkval {
  item-name = Calling-Station-Id
  check-name = Calling-Station-Id
  data-type = string
  #notfound-reject = no
 }
 #attr_rewrite sanecallerid {
 # attribute = Called-Station-Id
  # may be "packet", "reply", "proxy", "proxy_reply" or "config"
 # searchin = packet
 # searchfor = "[+ ]"
 # replacewith = ""
 # ignore_case = no
 # new_attribute = no
 # max_matches = 10
 # ## If set to yes then the replace string will be appended to the original string
 # append = no
 #}
 preprocess {
  huntgroups = ${confdir}/huntgroups
  hints = ${confdir}/hints
  with_ascend_hack = no
  ascend_channels_per_line = 23
  # NOTE(review): with this on, preprocess strips the "DOMAIN\" prefix from
  # User-Name itself. The debug shows the request arriving with
  # User-Name = "CN9000\\53986067" but rlm_realm already seeing "53986067",
  # while the EAP Identity still carries the prefix -- exactly the mismatch
  # rlm_eap reports in authenticate just before failing. Likely the cause;
  # try with_ntdomain_hack = no here and confirm in a fresh debug.
  with_ntdomain_hack = yes
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
 }
 files {
  usersfile = ${confdir}/users
  acctusersfile = ${confdir}/acct_users
  preproxy_usersfile = ${confdir}/preproxy_users
  compat = no
 }
 # NOTE(review): every detail instance below uses detailperm = 0777, i.e.
 # world-readable and world-writable files, and the suppress { User-Password }
 # stanza is commented out, so a PAP request's password is written to them in
 # clear. auth_log runs in authorize and therefore sees every Access-Request.
 detail {
  detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d.log
  detailperm = 0777
  #suppress {
   # User-Password
  #}
 }
  detail auth_log {
  detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d.log
         detailperm = 0777
 }
 detail reply_log {
  detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d.log
  detailperm = 0777
 }
 detail pre_proxy_log {
  detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d.log
  detailperm = 0777
 }
 detail post_proxy_log {
  detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d.log
  detailperm = 0777
 }
# (Commented out.) Note that the Post-Auth query below would store the
# submitted password in the database in clear if this were ever enabled.
# sql_log {
#  path = ${radacctdir}/sql-relay
#  acct_table = "radacct"
#  postauth_table = "radpostauth"
#
#  Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
#   NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
#   AcctSessionTime, AcctTerminateCause) VALUES                 \
#   ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
#   '%{Framed-IP-Address}', '%S', '0', '0', '');"
#  Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName,  \
#   NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
#   AcctSessionTime, AcctTerminateCause) VALUES                 \
#   ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
#   '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}',  \
#   '%{Acct-Terminate-Cause}');"
#  Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
#   NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
#   AcctSessionTime, AcctTerminateCause) VALUES                 \
#   ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
#   '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
#
#  Post-Auth = "INSERT INTO ${postauth_table}                   \
#   (user, pass, reply, date) VALUES                            \
#   ('%{User-Name}', '%{User-Password:-Chap-Password}',         \
#   '%{reply:Packet-Type}', '%S');"
# }
 acct_unique {
  key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
 }
 # sql.conf is still included even though no section below calls sql.
 $INCLUDE  ${confdir}/sql.conf
 # Same 0777 concern as the detail files above.
 radutmp {
  filename = ${logdir}/radutmp
  username = %{User-Name}
  case_sensitive = yes
  check_with_nas = yes  
  perm = 0777
  callerid = "yes"
 }
 radutmp sradutmp {
  filename = ${logdir}/sradutmp
  perm = 0777
  callerid = "no"
 }
 attr_filter {
  attrsfile = ${confdir}/attrs
 }
 counter daily {
  filename = ${raddbdir}/db.daily
  key = User-Name
  count-attribute = Acct-Session-Time
  reset = daily
  counter-name = Daily-Session-Time
  check-name = Max-Daily-Session
  allowed-servicetype = Framed-User
  cache-size = 5000
 }
 # NOTE(review): this block header is commented out but the six settings that
 # follow it are not, so they sit directly inside modules {}; the same happens
 # at monthlycounter, where a live "query =" line ends in a continuation
 # backslash into commented-out lines. Since the debug shows the server
 # running, this is probably a paste artefact -- worth checking against the
 # file on disk.
 #sqlcounter dailycounter {
  counter-name = Daily-Session-Time
  check-name = Max-Daily-Session
  reply-name = Session-Timeout
  sqlmod-inst = sql
  key = User-Name
  reset = daily
  # For mysql:
#  query = "SELECT SUM(AcctSessionTime - \
#                GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
#                 FROM radacct WHERE UserName='%{%k}' AND \
#                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
  # For postgresql:
#  query = "SELECT SUM(AcctSessionTime - \
#                GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) \
#                FROM radacct WHERE UserName='%{%k}' AND \
#                AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"
  # For mysql:
#  query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
#                UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
  # For postgresql:
#  query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
#                UserName='%{%k}' AND AND AcctStartTime::ABSTIME::INT4 > '%b'"
  # For mysql:
#  query = "SELECT SUM(AcctSessionTime) FROM radacct \
#                WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
#                FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
  # For postgresql:
#  query = "SELECT SUM(AcctSessionTime) FROM radacct \
#                WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 \
#                BETWEEN '%b' AND '%e'"
# }
# sqlcounter monthlycounter {
  counter-name = Monthly-Session-Time
  check-name = Max-Monthly-Session
  reply-name = Session-Timeout
  sqlmod-inst = sql
  key = User-Name
  reset = monthly
  query = "SELECT SUM(AcctSessionTime - \
#                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
#                FROM radacct WHERE UserName='%{%k}' AND \
#                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
#  query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
#                UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
#  query = "SELECT SUM(AcctSessionTime) FROM radacct \
#                WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
#                FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
# }
 always fail {
  rcode = fail
 }
 always reject {
  rcode = reject
 }
 always ok {
  rcode = ok
  simulcount = 0
  mpp = no
 }
 expr {
 }
 digest {
 }
 exec {
  wait = yes
  input_pairs = request
 }
 # Runs /bin/echo with the request's User-Name as an argument. This instance
 # is not listed in any section below, so it never executes as configured.
 exec echo {
  wait = yes
  program = "/bin/echo %{User-Name}"
  input_pairs = request
  output_pairs = reply
  #packet_type = Access-Accept
 }
 # main_pool is commented out in accounting and post-auth below.
 ippool main_pool {
  range-start = 192.168.1.1
  range-stop = 192.168.3.254
  netmask = 255.255.255.0
  cache-size = 800
  session-db = ${raddbdir}/db.ippool
  ip-index = ${raddbdir}/db.ipindex
  override = no
  maximum-timeout = 0
 }
 
 # $INCLUDE  ${confdir}/sqlippool.conf
 # $INCLUDE  ${confdir}/otp.conf
 
}
 
# Modules loaded at start-up regardless of whether a section calls them.
instantiate {
 exec
 expr
# daily
}
# Order matters here and matches the debug line by line: preprocess runs
# first (and, with with_ntdomain_hack, rewrites User-Name before anything
# else sees it), eap sets Auth-Type = EAP, and only then does files match the
# users entry -- which is why pap later reports "Found existing Auth-Type".
authorize {
 preprocess
 # Writes every Access-Request to the 0777 auth-detail files (see modules).
 auth_log
# attr_filter
 chap
 mschap
# digest
# IPASS
 suffix
 # Disabled; the realm-based way of handling a "DOMAIN\" prefix.
# ntdomain
 eap
 files
# sql
# etc_smbpasswd
# ldap
# daily
# checkval
 pap
}
# The debug selects auth type "EAP", so only the bare eap entry at the end
# runs for this request; it returns invalid right after reporting that the
# EAP Identity differs from User-Name.
authenticate {
 Auth-Type PAP {
  pap
 }
 Auth-Type CHAP {
  chap
 }
 Auth-Type MS-CHAP {
  mschap
 }
# digest
# pam
 unix
# Auth-Type LDAP {
#  ldap
# }
 eap
}
# Accounting pre-processing; the same realm handling as authorize.
preacct {
 preprocess
 acct_unique
# IPASS
 suffix
# ntdomain
 files
}
# Accounting records go to the detail files and radutmp (both 0777, see
# modules); daily is called here although it is commented out in instantiate.
accounting {
 detail
 daily
 unix
 radutmp
# sradutmp
# main_pool
# sql
# sql_log
# pgsql-voip
 
}
# Simultaneous-use checks consult radutmp only.
session {
 radutmp
# sql
}
# Every reply is written to the reply-detail files; nothing special is done
# for rejects.
post-auth {
# main_pool
 reply_log
# sql
# sql_log
# ldap
# Post-Auth-Type REJECT {
#  insert-module-name-here
# }
 
}
# Requests about to be proxied are only logged.
pre-proxy {
# attr_rewrite
# files
 pre_proxy_log
}
# Proxied replies are logged and handed back to eap so it can finish the
# conversation.
post-proxy {
 post_proxy_log
# attr_rewrite
# attr_filter
 eap
}
--------------------------------------------------------
I still get the same results from the debug:
______________
debug
--------------------
rad_recv: Access-Request packet from host 10.219.157.232:20000, id=63, length=149
 NAS-Port-Id = "2/1"
 Calling-Station-Id = "00-0F-CB-FA-D4-63"
 Called-Station-Id = "00-18-6E-95-A2-C0:ELHC"
 Service-Type = Framed-User
 EAP-Message = 0x0201001401434e393030305c3533393836303637
 User-Name = "CN9000\\53986067"
 NAS-Port-Type = Wireless-802.11
 NAS-Identifier = "3Com"
 NAS-IP-Address = 10.219.157.232
 Message-Authenticator = 0x9e21864de4c626d3cfdac3077ceda7bb
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '../var/log/radius/radacct/10.219.157.232/auth-detail-20070919.log'
rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/10.219.157.232/auth-detail-20070919.log
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "53986067", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 20
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry 53986067 at line 84
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 0
modcall: leaving group authenticate (returns invalid) for request 0
auth: Failed to validate the user.
Login incorrect: [53986067/<no User-Password attribute>] (from client elhc-network port 0 cli 00-0F-CB-FA-D4-63)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 63 to 10.219.157.232 port 20000
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 63 with timestamp 46f0d4b4
Nothing to do.  Sleeping until we see a request.
----------------------------------------------------------------------------------------------------------------------------------------
 
 
if so, then i would be concerned by this in the debug:


> modcall: entering group authenticate for request 0
> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>   rlm_eap: Failed in handler
>   modcall[authenticate]: module "eap" returns invalid for request 0
> modcall: leaving group authenticate (returns invalid) for request 0
> auth: Failed to validate the user.
> Login incorrect: [53986067/<no User-Password attribute>] (from client elhc-network port 0 cli 00-0F-CB-FA-D4-63)


what are you doing with the User-Name and/or identity? you can't play with those
packets as it breaks EAP.  the debug also looks worryingly short. you should
post the whole debug. also, HOW are you authenticating the users? you
don't have ntlm_auth set and LDAP doesn't seem to be doing anything...I fear
very very much that you have some Auth-Type := EAP  in your users file
or something worse!  please post your config files.

oh, and don't hurry, i'm certainly not demanding an urgent response.

alan




