FreeRadius 2.0.5 AD PEAP

Brooks, Kyle Kyle.Brooks at
Thu Aug 21 16:12:07 CEST 2008

>Put a test user in the "users" file:
>test	Cleartext-Password := "blah", MS-CHAP-Use-NTLM-Auth := 0


STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): 3f 44 63 81 21 70 77 27 c0 b8
f7 fd fb 83 9b 16 6c 15 e5 dd 09 29 32 0c 8c 0e 78 41 b6 a7 9b c7
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): c2 48 21 44 3a 14 c1 7a f2
58 9b 0f e5 7c ab 80 6b b5 ff 58 62 46 b7 32 86 fd ee eb eb 38 46 69
decapsulated EAP packet (code=3 id=8 len=4) from RADIUS server: EAP
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames
WPA: EAPOL processing complete
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=1
PMK from EAPOL - hexdump(len=32): c2 48 21 44 3a 14 c1 7a f2 58 9b 0f e5
7c ab 80 6b b5 ff 58 62 46 b7 32 86 fd ee eb eb 38 46 69
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0

>>  If that still fails, then there's something wrong with the system
>that breaks the server in 2.0.5.
>Running Samba 3.2.0 on Fedora 9

>Your problem is very odd. I'm using 2.0.5 on RHEL5 with ntlm_auth and 
>it's working fine.

>The only time I've seen eapol_test fail with "mismatch" is when I've 
>failed to strip the DOMAIN\ or @DOMAIN.COM from usernames with realms 
>and this has confused the key hashing - but your usernames are 

>Perhaps the Samba version in F9 has problems? What OS and samba version
>is your (working) 1.1.7 server running?

Samba 3.0.28 for fc7
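
Added example, not part of the original thread and not FreeRADIUS or Samba code: the quoted remark about unstripped `DOMAIN\` or `@DOMAIN.COM` prefixes concerns a value that MS-CHAPv2 (RFC 2759) hashes, since the 8-octet challenge is derived from both 16-octet challenges plus the user name. The sketch below shows that the two sides only agree on that challenge when they hash the same bare name; `strip_realm`, `sides_agree` and the sample challenges are constructed for illustration.

```python
import hashlib


def strip_realm(user_name: str) -> str:
    """Reduce DOMAIN\\user or user@REALM to the bare account name (hypothetical helper)."""
    if "\\" in user_name:
        user_name = user_name.split("\\", 1)[1]
    if "@" in user_name:
        user_name = user_name.rsplit("@", 1)[0]
    return user_name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || authenticator || user name)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    material = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(material).digest()[:8]


def sides_agree(client_name: str, server_name: str, peer: bytes, auth: bytes,
                server_strips_realm: bool) -> bool:
    """True when supplicant and server derive the same 8-octet challenge."""
    if server_strips_realm:
        server_name = strip_realm(server_name)
    return challenge_hash(peer, auth, client_name) == challenge_hash(peer, auth, server_name)


# Constructed sample values, not taken from the log above.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))

if __name__ == "__main__":
    for received in ("test", "DOMAIN\\test", "test@DOMAIN.COM"):
        for strip in (False, True):
            ok = sides_agree("test", received, PEER, AUTH, strip)
            print(f"server saw {received!r:20} strip={strip!s:5} -> agree={ok}")
```
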


