FreeRadius 2.0.5 AD PEAP

Brooks, Kyle Kyle.Brooks at nrc-cnrc.gc.ca
Wed Aug 20 22:04:44 CEST 2008


Here we go,

TTLS/PAP works

STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): c5 bd 3a 25 91 1b fa 82 01 4c d2 d3 0f 50 b9 69 57 32 5c 19 73 03 2a 02 d2 47 36 bd 0d 79 a7 09
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): 7e c5 98 86 14 43 b5 20 08 fd fa 5c 6a e6 7c b5 cd 42 aa d5 8f 10 8c b6 9c 01 d3 9a 86 f1 7f 15
decapsulated EAP packet (code=3 id=7 len=4) from RADIUS server: EAP Success
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=1
PMK from EAPOL - hexdump(len=32): 7e c5 98 86 14 43 b5 20 08 fd fa 5c 6a e6 7c b5 cd 42 aa d5 8f 10 8c b6 9c 01 d3 9a 86 f1 7f 15
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS


TTLS/MSCHAPV2 fails

STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.02 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=8 len=111) from RADIUS server: EAP-Request-TTLS (21)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=8 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=111) - Flags 0x80
SSL: TLS Message Length: 101
EAP-TTLS: received 101 bytes encrypted data for Phase 2
EAP-TTLS: Decrypted Phase 2 AVPs - hexdump(len=56): 00 00 00 1a c0 00 00 37 00 00 01 37 49 53 3d 42 46 32 34 44 44 43 43 44 31 46 37 44 36 39 37 32 45 33 34 37 30 30 42 46 44 30 35 34 43 39 43 38 45 45 34 30 30 38 45 00
EAP-TTLS: AVP: code=26 flags=0xc0 length=55
EAP-TTLS: AVP vendor_id 311
EAP-TTLS: AVP data - hexdump(len=43): 49 53 3d 42 46 32 34 44 44 43 43 44 31 46 37 44 36 39 37 32 45 33 34 37 30 30 42 46 44 30 35 34 43 39 43 38 45 45 34 30 30 38 45
EAP-TTLS: MS-CHAP2-Success - hexdump_ascii(len=43):
     49 53 3d 42 46 32 34 44 44 43 43 44 31 46 37 44   IS=BF24DDCCD1F7D
     36 39 37 32 45 33 34 37 30 30 42 46 44 30 35 34   6972E34700BFD054
     43 39 43 38 45 45 34 30 30 38 45                  C9C8EE4008E
EAP-TTLS: Invalid authenticator response in Phase 2 MSCHAPV2 success request
EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: startWhen --> 0
EAPOL test timed out
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE


> Perhaps try it with a Cleartext-Password in the "users" file.  i.e.
> *Without* using ntlm_auth.  That works for me, including with
> eapol_test, and TTLS/EAP-MSCHAPv2.

Can you clarify this setup/change to test?  I was pretty sure I needed
to use ntlm_auth to auth against AD to test mschapv2.

> If that still fails, then there's something wrong with the system
> that breaks the server in 2.0.5.

Running Samba 3.2.0 on Fedora 9

> FYI: Unknown network block for the CA_CERT with regards to the eapol 
> test config file

>  What does that mean?
Within the config you provided for eapol_test, at the bottom there is a
ca_cert declaration that errors out when uncommented.

Anyone using FC9 with freeradius 2.0.5 against AD working that I can use
to compare?

Thanks, much appreciated.
