PEAP mschapv2 using xp native supplicant

Ryan Setiawan H ryan.setiawan at banknisp.com
Tue Aug 26 09:44:03 CEST 2008


> Ryan Setiawan H wrote:
>   
>>>   Please post ALL of the debug output.  I suspect that you are doing the
>>> ldap lookups OUTSIDE of the TLS tunnel rather than INSIDE.
>>>       
> ...
>   
>> Reposting; I forgot to change the subject.
>> I'm sorry I didn't include all the debug, because it was so large...
>> Anyway, here is the debug:
>>     
>
>   As I suspected... you are doing the LDAP lookups *outside* of the
> tunnel.  See raddb/sites-available/inner-tunnel.  Ensure that the
> references to "ldap" are uncommented.
>
>   Alan DeKok.
>   
Hi, I've uncommented the ldap section in inner-tunnel and also made sure 
that the default EAP type in eap.conf is peap, but it still doesn't work. 
I've tried to make the EAP session go directly to the inner-tunnel server 
in client.conf, but I think it's not a good idea, and it also doesn't work. 
Are there any other ways? Or am I missing something?
Thanks

auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: Invalid LM-Password
rlm_mschap: Invalid NT-Password
  rlm_mschap: Told to do MS-CHAPv2 for testing with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [testing/<via Auth-Type = EAP>] (from client dotix port 0)
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
++[eap] returns handled
} # server nispdot1x
        EAP-Message = 
0x010a00261900170301001ba41a64fc5858e400f6380342e22751610df4070fb87d66fcd1dcbb
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x252558f1222f410baf9655c23dbf74f3
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
        Framed-MTU = 1480
        NAS-IP-Address = 192.168.12.130
        NAS-Identifier = "ProCurve Switch 2650"
        User-Name = "testing"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "1"
        Called-Station-Id = "00-1c-2e-73-85-00"
        Calling-Station-Id = "00-16-36-5a-f1-e4"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
        State = 0x252558f1222f410baf9655c23dbf74f3
        EAP-Message = 
0x020a00261900170301001ba49c9266682a7900ffd51675496e5519722e108c0e7a1eaf33a31a
        Message-Authenticator = 0xeaa952199e0cb6c5e3852ba39433eed3
server nispdot1x {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testing", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 10 length 38
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in 
this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select

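Added example, not part of the original message and not FreeRADIUS code: a small Python triage of `radiusd -X` debug output that reports which modules ran in the authorize group immediately before the inner EAP/mschapv2 step and collects the rlm_mschap errors, to check whether `ldap` actually ran inside the tunnel. The sample log is constructed from the line formats shown above; `triage` and its result keys are hypothetical names.

```python
import re

# Constructed sample: line formats copied from the debug output above,
# arranged as an inner-tunnel authorize pass in which ldap never runs.
SAMPLE = """\
+- entering group authorize
++[preprocess] returns ok
++[eap] returns ok
+- entering group authenticate
  rlm_eap: EAP/peap
+- entering group authorize
++[mschap] returns ok
++[eap] returns ok
+- entering group authenticate
  rlm_eap: EAP/mschapv2
+- entering group MS-CHAP
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] returns reject
  PEAP: Tunneled authentication was rejected.
"""

MODULE_RE = re.compile(r"^\s*\++\[([^\]]+)\] returns (\w+)")

def triage(debug_text):
    """Summarise an inner MS-CHAPv2 failure (hypothetical helper)."""
    authorize_modules = []   # modules seen in the most recent authorize group
    in_authorize = False
    result = {"inner_authorize": None, "mschap_errors": [],
              "tunnel_rejected": False}
    for line in debug_text.splitlines():
        text = line.strip()
        if text.startswith("+- entering group"):
            in_authorize = text.endswith("authorize")
            if in_authorize:
                authorize_modules = []   # a new authorize pass begins
            continue
        m = MODULE_RE.match(line)
        if m and in_authorize:
            authorize_modules.append(m.group(1))
        elif text == "rlm_eap: EAP/mschapv2":
            # The latest authorize pass is the one that fed the inner method.
            result["inner_authorize"] = list(authorize_modules)
        elif text.startswith("rlm_mschap:") and ("FAILED" in text or "Invalid" in text):
            result["mschap_errors"].append(text)
        elif "Tunneled authentication was rejected" in text:
            result["tunnel_rejected"] = True
    result["ldap_in_tunnel"] = "ldap" in (result["inner_authorize"] or [])
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
```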