PEAP MSCHAP Problem

Grooz, Marc (regio iT) Marc.Grooz at regioit-aachen.de
Fri Feb 8 12:57:14 CET 2008


Hello,

we have a strange problem with the PEAP MSCHAP authentication through WLAN.
We use freeradius 1.1.7 on debian etch.

1. If we auth an ActiveDirectory user with automatic sending of username
and password to our WLAN, everything is OK. No LAN cable is connected. In
my case the username is DOMAIN\\GroozMarc.

2. If we auth the same user with a LAN cable connected, the auth fails.
In this case the username is DOMAIN\\groozmarc

3. If we auth the user without automatic sending of username and
password and enter DOMAIN\\groozmarc and have LAN connected, everything
is fine.

Here is an output from case 2:

rad_recv: Access-Request packet from host x , id=11, length=303
        User-Name = "DOMAIN\\groozmarc"
        Calling-Station-Id = "x"
        Called-Station-Id = "x"
        NAS-Port = 2
        NAS-IP-Address = x
        NAS-Identifier = "x"
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "27"
        EAP-Message =
0x020a006a1900170301005fca5e86c4de36db061ffe1fc7f358599fa78cd53e221d2899
73525b8ed1328424653bad8e457757c9ae67d167a60b6
0585b1c37d22ed1377e9ed39b37901e7cf213d6a306ef154326ca0f6c2aad68111681c24
4b1523668e9effcfd97e1a216
        State = 0xc1c18b62ee37419ada28a725693523d4
        Message-Authenticator = 0x8dd2ca9d8fc2a09f7dcaef11b100f2c6
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 39
  modcall[authorize]: module "preprocess" returns ok for request 39
  modcall[authorize]: module "chap" returns noop for request 39
  modcall[authorize]: module "mschap" returns noop for request 39
    rlm_realm: No '@' in User-Name = "DOMAIN\groozmarc", looking up
realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 39
  rlm_eap: EAP packet type response id 10 length 106
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 39
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
  modcall[authorize]: module "files" returns ok for request 39
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 39
modcall: leaving group authorize (returns updated) for request 39
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 39
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message =
0x020a00531a020a004e310d11f40d775fc5fcb45ad88a7c4435830000000000000000b8
28c2bcb15e3c9ddaba50c2e6933328d1849c510dc9251
000524547494f49542d41414348454e5c47726f6f7a4d617263
  PEAP: Setting User-Name to DOMAIN\groozmarc
  PEAP: Adding old state with 6a 6f
  PEAP: Sending tunneled request
        EAP-Message =
0x020a00531a020a004e310d11f40d775fc5fcb45ad88a7c4435830000000000000000b8
28c2bcb15e3c9ddaba50c2e6933328d1849c510dc9251
000524547494f49542d41414348454e5c47726f6f7a4d617263
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "DOMAIN\\groozmarc"
        State = 0x6a6f2590246560c8fdcd054d188cbb3f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 39
  modcall[authorize]: module "preprocess" returns ok for request 39
  modcall[authorize]: module "chap" returns noop for request 39
  modcall[authorize]: module "mschap" returns noop for request 39
    rlm_realm: No '@' in User-Name = "DOMAIN\groozmarc", looking up
realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 39
  rlm_eap: EAP packet type response id 10 length 83
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 39
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 39
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 39
modcall: leaving group authorize (returns updated) for request 39
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 39
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 39
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for groozmarc with NT-Password
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Domain'
radius_xlat:  '--domain=DOMAIN'
radius_xlat: Running registered xlat function of module mschap for
string 'User-Name'
radius_xlat:  '--username=groozmarc'
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
 mschap2: e9
radius_xlat:  '--challenge=d5ab398544877442'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
radius_xlat:
'--nt-response=b828c2bcb15e3c9ddaba50c2e6933328d1849c510dc92510'
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 39
modcall: leaving group MS-CHAP (returns reject) for request 39
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 39
modcall: leaving group authenticate (returns reject) for request 39
auth: Failed to validate the user.
Login incorrect (rlm_mschap: Logon failure (0xc000006d)):
[DOMAIN\\groozmarc/<no User-Password attribute>] (from client localhost port 0)
  PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\nE=691 R=1"
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Processing from tunneled session code 0x80148570 3
        MS-CHAP-Error = "\nE=691 R=1"
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 39
modcall: leaving group authenticate (returns handled) for request 39

Hope you can help. Thanks!

Kind regards

Marc Grooz 
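
Added example, not part of the original post: the tunneled EAP-Message in the log is an EAP-MSCHAPv2 Response, and its last field is the name the client used inside the MS-CHAPv2 exchange. MS-CHAPv2 (RFC 2759) hashes the user name into the challenge, so this sketch decodes that field from the logged hex and compares it with the logged User-Name; the function names are hypothetical.

```python
import struct

# Tunneled EAP-Message copied from the debug log (mail line wraps joined).
TUNNELED_EAP_HEX = (
    "020a00531a020a004e310d11f40d775fc5fcb45ad88a7c4435830000000000000000b8"
    "28c2bcb15e3c9ddaba50c2e6933328d1849c510dc9251"
    "000524547494f49542d41414348454e5c47726f6f7a4d617263"
)
LOGGED_USER_NAME = "DOMAIN\\groozmarc"  # User-Name as logged for case 2


def parse_mschapv2_response(raw):
    """Split an EAP-MSCHAPv2 Response packet into its fields."""
    if len(raw) < 59:
        raise ValueError("too short for an EAP-MSCHAPv2 response")
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", raw[:5])
    opcode, _ms_id, ms_len, value_size = struct.unpack("!BBHB", raw[5:10])
    if (code, eap_type, opcode) != (2, 26, 2):
        raise ValueError("not an EAP-MSCHAPv2 response")
    if eap_len != len(raw) or ms_len != eap_len - 5 or value_size != 49:
        raise ValueError("length fields are inconsistent")
    value = raw[10:59]
    return {
        "peer_challenge": value[0:16],   # 16 bytes, then 8 reserved bytes
        "nt_response": value[24:48],     # 24 bytes
        "flags": value[48],
        "name": raw[59:].decode("latin-1"),  # name exactly as the client sent it
    }


def compare_user_names(inner_name, logged_name):
    """Compare the user part (after any DOMAIN\\ prefix) of both names."""
    inner_user = inner_name.rsplit("\\", 1)[-1]
    logged_user = logged_name.rsplit("\\", 1)[-1]
    return {
        "inner_user": inner_user,
        "logged_user": logged_user,
        "identical": inner_user == logged_user,
        "differs_only_in_case": inner_user != logged_user
        and inner_user.lower() == logged_user.lower(),
    }


if __name__ == "__main__":
    fields = parse_mschapv2_response(bytes.fromhex(TUNNELED_EAP_HEX))
    print("nt_response:", fields["nt_response"].hex())
    print(compare_user_names(fields["name"], LOGGED_USER_NAME))
```

The decoded NT-Response is the same value the log passes as `--nt-response`, which confirms the field offsets.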
  



