EAP (PEAP) problem with MS Win XP
tnt at kalik.co.yu
tnt at kalik.co.yu
Fri Sep 28 12:06:23 CEST 2007
Try with JRadius Simulator:
http://jradius.net/wiki/index.php/JRadiusSimulator
And why have you commented out Cleartext-Password and entered
User-Password?
Ivan Kalik
Kalik Informatika ISP
Dana 28/9/2007, "WAYNE VANDERMERWE"
<WAYNE.VANDERMERWE at impilo.ecprov.gov.za> piše:
>> have you tested from a non-Windows box to ensure that you haven't fallen foul of the usual EAP problems - as clearly noted at the top of eap.conf?
>No, I am not able to do so as I do not have any extra boxes. I have searched through all configurations to make sure that 'Auth-Type := EAP' is not set, as stated in eap.conf.
>______________________
>eap.conf
>______________________
> eap {
>
> default_eap_type = tls
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
>
> # Supported EAP-types
> md5 {
> }
> # Cisco LEAP
> leap {
> }
> # Generic Token Card.
> gtc {
> #challenge = "Password: "
> auth_type = PAP
> }
>
> ## EAP-TLS
> tls {
> private_key_password = demo
> private_key_file = ${certsdir}/FreeRADIUS.net-Server.pem
> certificate_file = ${certsdir}/FreeRADIUS.net-Server.crt
> CA_file = ${certsdir}/FreeRADIUS.net-CA.crt
> dh_file = ${certsdir}/dh
> random_file = ${certsdir}/random
> # fragment_size = 1024
> # include_length = yes
> # check_crl = yes
> check_cert_cn = %{User-Name}
> }
>
> ttls {
> default_eap_type = md5
> copy_request_to_tunnel = no
> use_tunneled_reply = yes
>
> }
> peap {
> default_eap_type = mschapv2
> }
>
> mschapv2 {
> }
> }
>------------------------------------------------------------------------
>I am not using LDAP or a Windows Domain Controller. I am using the users.conf file for this.
>
>______________
>eap.conf
>________________
>53986067 User-Password := "whatever"
>
>#53986067 Cleartext-Password := "whatever"
>
>testuser User-Password == "testpw"
>
>DEFAULT Auth-Type = System
> Fall-Through = 1
>
>DEFAULT Service-Type == Framed-User
> Framed-IP-Address = 255.255.255.254,
> Framed-MTU = 576,
> Service-Type = Framed-User,
> Fall-Through = Yes
>
>DEFAULT Framed-Protocol == PPP
> Framed-Protocol = PPP,
> Framed-Compression = Van-Jacobson-TCP-IP
>
>DEFAULT Hint == "CSLIP"
> Framed-Protocol = SLIP,
> Framed-Compression = Van-Jacobson-TCP-IP
>
>DEFAULT Hint == "SLIP"
> Framed-Protocol = SLIP
>-----------------------------------------------------------------------------------------------
>
>_______________
>radiusd.conf
>________________
>
>prefix = ..
>exec_prefix = ${prefix}
>sysconfdir = ${prefix}/etc
>localstatedir = ${prefix}/var
>sbindir = ${exec_prefix}/sbin
>logdir = ${localstatedir}/log/radius
>raddbdir = ${sysconfdir}/raddb
>radacctdir = ${logdir}/radacct
>certsdir = ${sysconfdir}/raddb/certs/FreeRADIUS.net/DemoCerts
>confdir = ${raddbdir}
>run_dir = ${localstatedir}/run/radiusd
>log_file = ${logdir}/radius.log
>libdir = ${exec_prefix}/lib
>pidfile = ${run_dir}/radiusd.pid
>#user = nobody
>#group = nobody
>max_request_time = 30
>delete_blocked_requests = no
>cleanup_delay = 5
>max_requests = 1024
>bind_address = *
>port = 0
>hostname_lookups = no
>allow_core_dumps = no
>regular_expressions = yes
>extended_expressions = yes
>log_stripped_names = yes
>log_auth = yes
>log_auth_badpass = yes
>log_auth_goodpass = yes
>usercollide = no
>lower_user = no
>lower_pass = no
>nospace_user = no
>nospace_pass = no
>checkrad = ${sbindir}/checkrad
>security {
> max_attributes = 200
> reject_delay = 1
> status_server = no
>}
>proxy_requests = yes
>$INCLUDE ${confdir}/proxy.conf
>$INCLUDE ${confdir}/clients.conf
>snmp = no
>$INCLUDE ${confdir}/snmp.conf
>thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
>}
>modules {
> pap {
> auto_header = yes
> }
>
> chap {
> authtype = CHAP
> }
>
> pam {
> pam_auth = radiusd
> }
> unix {
> cache = no
> cache_reload = 600
> radwtmp = ${logdir}/radwtmp
> }
>$INCLUDE ${confdir}/eap.conf
> mschap {
> #use_mppe = no
> #require_encryption = yes
> #require_strong = yes
> with_ntdomain_hack = yes
> #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> }
> ldap {
> server = "ldap.your.domain"
> # identity = "cn=admin,o=My Org,c=UA"
> # password = mypass
> basedn = "o=My Org,c=UA"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> # base_filter = "(objectclass=radiusprofile)"
> start_tls = no
>
> # tls_cacertfile = /path/to/cacert.pem
> # tls_cacertdir = /path/to/ca/dir/
> # tls_certfile = /path/to/radius.crt
> # tls_keyfile = /path/to/radius.key
> # tls_randfile = /path/to/rnd
> # tls_require_cert = "demand"
> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> # profile_attribute = "radiusProfileDn"
> access_attr = "dialupAccess"
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> ldap_connections_number = 5
> # password_attribute = userPassword
> # edir_account_policy_check=no
> # groupname_attribute = cn
> # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> # groupmembership_attribute = radiusGroupName
> timeout = 4
> timelimit = 3
> net_timeout = 1
> # compare_check_items = yes
> # do_xlat = yes
> # access_attr_used_for_allow = yes
> # set_auth_type = yes
> }
> #passwd etc_smbpasswd {
> # filename = /etc/smbpasswd
> # format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
> # authtype = MS-CHAP
> # hashsize = 100
> # ignorenislike = no
> # allowmultiplekeys = no
> #}
>
> #passwd etc_group {
> # filename = /etc/group
> # format = "=Group-Name:::*,User-Name"
> # hashsize = 50
> # ignorenislike = yes
> # allowmultiplekeys = yes
> # delimiter = ":"
> #}
> realm IPASS {
> format = prefix
> delimiter = "/"
> ignore_default = no
> ignore_null = no
> }
> realm suffix {
> format = suffix
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> realm realmpercent {
> format = suffix
> delimiter = "%"
> ignore_default = no
> ignore_null = no
> }
> realm ntdomain {
> format = prefix
> delimiter = "\\"
> ignore_default = no
> ignore_null = no
> }
> checkval {
> item-name = Calling-Station-Id
> check-name = Calling-Station-Id
> data-type = string
> #notfound-reject = no
> }
> #attr_rewrite sanecallerid {
> # attribute = Called-Station-Id
> # may be "packet", "reply", "proxy", "proxy_reply" or "config"
> # searchin = packet
> # searchfor = "[+ ]"
> # replacewith = ""
> # ignore_case = no
> # new_attribute = no
> # max_matches = 10
> # ## If set to yes then the replace string will be appended to the original string
> # append = no
> #}
> preprocess {
> huntgroups = ${confdir}/huntgroups
> hints = ${confdir}/hints
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = yes
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> }
> files {
> usersfile = ${confdir}/users
> acctusersfile = ${confdir}/acct_users
> preproxy_usersfile = ${confdir}/preproxy_users
> compat = no
> }
> detail {
> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d.log
> detailperm = 0777
> #suppress {
> # User-Password
> #}
> }
> detail auth_log {
> detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d.log
> detailperm = 0777
> }
> detail reply_log {
> detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d.log
> detailperm = 0777
> }
> detail pre_proxy_log {
> detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d.log
> detailperm = 0777
> }
> detail post_proxy_log {
> detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%dlog
> detailperm = 0777
> }
># sql_log {
># path = ${radacctdir}/sql-relay
># acct_table = "radacct"
># postauth_table = "radpostauth"
>#
># Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
># NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
># AcctSessionTime, AcctTerminateCause) VALUES \
># ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
># '%{Framed-IP-Address}', '%S', '0', '0', '');"
># Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
># NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
># AcctSessionTime, AcctTerminateCause) VALUES \
># ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
># '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \
># '%{Acct-Terminate-Cause}');"
># Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \
># NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \
># AcctSessionTime, AcctTerminateCause) VALUES \
># ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \
># '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"
>#
># Post-Auth = "INSERT INTO ${postauth_table} \
># (user, pass, reply, date) VALUES \
># ('%{User-Name}', '%{User-Password:-Chap-Password}', \
># '%{reply:Packet-Type}', '%S');"
># }
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> }
> $INCLUDE ${confdir}/sql.conf
> radutmp {
> filename = ${logdir}/radutmp
> username = %{User-Name}
> case_sensitive = yes
> check_with_nas = yes
> perm = 0777
> callerid = "yes"
> }
> radutmp sradutmp {
> filename = ${logdir}/sradutmp
> perm = 0777
> callerid = "no"
> }
> attr_filter {
> attrsfile = ${confdir}/attrs
> }
> counter daily {
> filename = ${raddbdir}/db.daily
> key = User-Name
> count-attribute = Acct-Session-Time
> reset = daily
> counter-name = Daily-Session-Time
> check-name = Max-Daily-Session
> allowed-servicetype = Framed-User
> cache-size = 5000
> }
> #sqlcounter dailycounter {
> counter-name = Daily-Session-Time
> check-name = Max-Daily-Session
> reply-name = Session-Timeout
> sqlmod-inst = sql
> key = User-Name
> reset = daily
> # For mysql:
># query = "SELECT SUM(AcctSessionTime - \
># GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
># FROM radacct WHERE UserName='%{%k}' AND \
># UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
> # For postgresql:
># query = "SELECT SUM(AcctSessionTime - \
># GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) \
># FROM radacct WHERE UserName='%{%k}' AND \
># AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"
> # For mysql:
># query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
># UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
> # For postgresql:
># query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
># UserName='%{%k}' AND AND AcctStartTime::ABSTIME::INT4 > '%b'"
> # For mysql:
># query = "SELECT SUM(AcctSessionTime) FROM radacct \
># WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
># FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
> # For postgresql:
># query = "SELECT SUM(AcctSessionTime) FROM radacct \
># WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 \
># BETWEEN '%b' AND '%e'"
># }
># sqlcounter monthlycounter {
> counter-name = Monthly-Session-Time
> check-name = Max-Monthly-Session
> reply-name = Session-Timeout
> sqlmod-inst = sql
> key = User-Name
> reset = monthly
> query = "SELECT SUM(AcctSessionTime - \
># GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
># FROM radacct WHERE UserName='%{%k}' AND \
># UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
># query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \
># UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"
># query = "SELECT SUM(AcctSessionTime) FROM radacct \
># WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \
># FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"
># }
> always fail {
> rcode = fail
> }
> always reject {
> rcode = reject
> }
> always ok {
> rcode = ok
> simulcount = 0
> mpp = no
> }
> expr {
> }
> digest {
> }
> exec {
> wait = yes
> input_pairs = request
> }
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = request
> output_pairs = reply
> #packet_type = Access-Accept
> }
> ippool main_pool {
> range-start = 192.168.1.1
> range-stop = 192.168.3.254
> netmask = 255.255.255.0
> cache-size = 800
> session-db = ${raddbdir}/db.ippool
> ip-index = ${raddbdir}/db.ipindex
> override = no
> maximum-timeout = 0
> }
>
> # $INCLUDE ${confdir}/sqlippool.conf
> # $INCLUDE ${confdir}/otp.conf
>
>}
>
>instantiate {
> exec
> expr
># daily
>}
>authorize {
> preprocess
> auth_log
># attr_filter
> chap
> mschap
># digest
># IPASS
> suffix
># ntdomain
> eap
> files
># sql
># etc_smbpasswd
># ldap
># daily
># checkval
> pap
>}
>authenticate {
> Auth-Type PAP {
> pap
> }
> Auth-Type CHAP {
> chap
> }
> Auth-Type MS-CHAP {
> mschap
> }
># digest
># pam
> unix
># Auth-Type LDAP {
># ldap
># }
> eap
>}
>preacct {
> preprocess
> acct_unique
># IPASS
> suffix
># ntdomain
> files
>}
>accounting {
> detail
> daily
> unix
> radutmp
># sradutmp
># main_pool
># sql
># sql_log
># pgsql-voip
>
>}
>session {
> radutmp
># sql
>}
>post-auth {
># main_pool
> reply_log
># sql
># sql_log
># ldap
># Post-Auth-Type REJECT {
># insert-module-name-here
># }
>
>}
>pre-proxy {
># attr_rewrite
># files
> pre_proxy_log
>}
>post-proxy {
> post_proxy_log
># attr_rewrite
># attr_filter
> eap
>}
>--------------------------------------------------------
>I still get the same results from the debug
>______________
>debug
>--------------------
>rad_recv: Access-Request packet from host 10.219.157.232:20000, id=63, length=149
> NAS-Port-Id = "2/1"
> Calling-Station-Id = "00-0F-CB-FA-D4-63"
> Called-Station-Id = "00-18-6E-95-A2-C0:ELHC"
> Service-Type = Framed-User
> EAP-Message = 0x0201001401434e393030305c3533393836303637
> User-Name = "CN9000\\53986067"
> NAS-Port-Type = Wireless-802.11
> NAS-Identifier = "3Com"
> NAS-IP-Address = 10.219.157.232
> Message-Authenticator = 0x9e21864de4c626d3cfdac3077ceda7bb
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
>radius_xlat: '../var/log/radius/radacct/10.219.157.232/auth-detail-20070919log'
>rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/10.219.157.232/auth-detail-20070919.log
> modcall[authorize]: module "auth_log" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "53986067", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: EAP packet type response id 1 length 20
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> users: Matched entry 53986067 at line 84
> modcall[authorize]: module "files" returns ok for request 0
>rlm_pap: Found existing Auth-Type, not changing it.
> modcall[authorize]: module "pap" returns noop for request 0
>modcall: leaving group authorize (returns updated) for request 0
> rad_check_password: Found Auth-Type EAP
>auth: type "EAP"
> Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 0
>rlm_eap: Identity does not match User-Name, setting from EAP Identity.
> rlm_eap: Failed in handler
> modcall[authenticate]: module "eap" returns invalid for request 0
>modcall: leaving group authenticate (returns invalid) for request 0
>auth: Failed to validate the user.
>Login incorrect: [53986067/<no User-Password attribute>] (from client elhc-network port 0 cli 00-0F-CB-FA-D4-63)
>Delaying request 0 for 1 seconds
>Finished request 0
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Waking up in 1 seconds...
>--- Walking the entire request list ---
>Sending Access-Reject of id 63 to 10.219.157.232 port 20000
>Waking up in 4 seconds...
>--- Walking the entire request list ---
>Cleaning up request 0 ID 63 with timestamp 46f0d4b4
>Nothing to do. Sleeping until we see a request.
>----------------------------------------------------------------------------------------------------------------------------------------
>
>
>If so, then I would be concerned by this in the debug:
>
>
>> modcall: entering group authenticate for request 0
>> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>> rlm_eap: Failed in handler
>> modcall[authenticate]: module "eap" returns invalid for request 0
>> modcall: leaving group authenticate (returns invalid) for request 0
>> auth: Failed to validate the user.
>> Login incorrect: [53986067/<no User-Password attribute>] (from client elhc-network port 0 cli 00-0F-CB-FA-D4-63)
>
>
>What are you doing with the User-Name and/or identity? You can't play with those
>packets as it breaks EAP. The debug also looks worryingly short; you should
>post the whole debug. Also, HOW are you authenticating the users? You
>don't have ntlm_auth set and LDAP doesn't seem to be doing anything... I fear
>very very much that you have some Auth-Type := EAP in your users file
>or something worse! Please post your config files.
>
>Oh, and don't hurry, I'm certainly not demanding an urgent response.
>
>alan
>
>
>
>
>