MSCHAP module returns OK, authentication fails.
James Yale
jim at thebiggame.org
Wed Aug 27 12:04:57 CEST 2008
2008/8/26 <A.L.M.Buxey at lboro.ac.uk>:
> Hi,
>
>> I'm using a MacOS as a test client, which connects to the wireless
>> network, prompts about an invalid certificate chain for the SSL cert
>
> well, unless you've installed the CA etc that you signed the RADIUS
> server with, this will always be the case. until you trust the cert
> (by trusting the CA) then you can't EAP
>
Thanks for the replies. I was able to hit continue when presented with
the SSL certificate warning to use it anyway, so had been doing that.
However, to make sure, I added the CA certificate to the test system;
unfortunately it didn't have any effect.
I've reverted to a default configuration (using the Fedora Core 9
packaged version of FreeRadius 2.0.5) allowing the certs to be
autogenerated to try and spot what in my configuration is making it
break.
With a default configuration EAP works with a user specified in the
users file with a cleartext password
(http://jim.geezas.com/stuff/radius-debugging/ *-success.log files).
This works via eapol and a Mac test client.
As soon as I enable the MSCHAP module (uncommenting the ntlm auth
line) all authentication queries the AD here, so the locally
configured user fails. When I try a user configured in the AD I'm
getting:
EAP-MSCHAPV2: Invalid authenticator response in success request
In the eapol output, the radiusd logs also stop just after the mschap
module returns success (0), finishing up the request. A snippet of the
log is below (full logs @
http://jim.geezas.com/stuff/radius-debugging/ *-failure.log); the
message authenticator does seem to be invalid, and this seems to happen
when the request is proxied to the inner tunnel.
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
PEAP: Got tunneled reply RADIUS code 11
EAP-Message = 0x010800331a0307002e533d31343030463445333137313238414639414438433531453433364146453138363141353839363139
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd1ea68cfd0e27269358adf5451b3d294
PEAP: Processing from tunneled session code 0x896ac68 11
EAP-Message = 0x010800331a0307002e533d31343030463445333137313238414639414438433531453433364146453138363141353839363139
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd1ea68cfd0e27269358adf5451b3d294
PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 7 to 127.0.0.1 port 46172
EAP-Message = 0x0108005b190017030100506c55b2c3a5d1b727e4838dd88ff3d6be564aec2cce92f2cf546f86b9566d9d3add42598ab14de29f1a75b992798a92c28ecedc676ff9a0217787e64e686e93517ccbdce3f1a30e7fb861a382ab957cc8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd8347b19df3c62eb11ce04af34e0d0a5
Finished request 15.
So, the mschap module returns that the user is valid, but it seems
that somewhere during the process the Message-Authenticator field is
becoming invalid.
Has anyone seen this problem before, or am I looking in the wrong place?
Thanks,
James
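Added example, not part of the original message or of FreeRADIUS: a small Python decoder for the EAP-Message value in the inner-tunnel reply above, which is the EAP-Request/MS-CHAPv2 Success Request. It pulls out the "S=" authenticator response, the field the client recomputes from its own password hash and compares before it accepts the success; that comparison is what the Mac's "Invalid authenticator response in success request" error refers to. The packet layout and checks follow RFC 2759 and EAP MS-CHAPv2; the hex input is copied from the log, nothing else is assumed.

```python
import struct

EAP_REQUEST = 1          # EAP Code field: Request
EAP_TYPE_MSCHAPV2 = 26   # EAP Type field: MS-CHAPv2
MSCHAPV2_SUCCESS = 3     # MS-CHAPv2 OpCode: Success (Request / Response)

# Constructed from the EAP-Message attribute of the inner-tunnel reply in the
# radiusd debug output above; it is the only input this example uses.
SUCCESS_REQUEST_HEX = (
    "010800331a0307002e533d31343030463445333137313238414639"
    "414438433531453433364146453138363141353839363139"
)


def parse_mschapv2_success_request(packet: bytes) -> dict:
    """Decode an EAP-Request carrying an MS-CHAPv2 Success Request.

    Layout: EAP Code(1) Id(1) Length(2) Type(1) | OpCode(1) MS-CHAPv2-ID(1)
    MS-Length(2) | Message.  For OpCode 3 the Message begins with the
    authenticator response "S=<40 hex digits>" (RFC 2759 section 8.7); the
    peer recomputes it from its own password hash and rejects on mismatch.
    """
    if len(packet) < 9:
        raise ValueError("too short for an EAP MS-CHAPv2 packet")
    code, eap_id, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError(f"not EAP-Request/MS-CHAPv2 (code={code}, type={eap_type})")
    if length != len(packet):
        raise ValueError(f"EAP Length {length} != actual size {len(packet)}")
    opcode, ms_id, ms_length = struct.unpack("!BBH", packet[5:9])
    if ms_length != length - 5:  # MS-Length covers everything after the Type octet
        raise ValueError(f"MS-Length {ms_length} inconsistent with Length {length}")
    if opcode != MSCHAPV2_SUCCESS:
        raise ValueError(f"OpCode {opcode} is not a Success Request")
    message = packet[9:].decode("ascii")
    auth = message.split(" ", 1)[0]  # an optional " M=<text>" may follow
    if len(auth) != 42 or not auth.startswith("S=") or any(
        c not in "0123456789ABCDEFabcdef" for c in auth[2:]
    ):
        raise ValueError(f"malformed authenticator response field: {auth!r}")
    return {"eap_id": eap_id, "mschapv2_id": ms_id,
            "authenticator_response": auth[2:], "message": message}


if __name__ == "__main__":
    print(parse_mschapv2_success_request(bytes.fromhex(SUCCESS_REQUEST_HEX)))
```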