PEAP MSCHAP Problem
Grooz, Marc (regio iT)
Marc.Grooz at regioit-aachen.de
Fri Feb 8 12:57:14 CET 2008
Hello,
We have a strange problem with the PEAP MSCHAP authentication through WLAN.
We use freeradius 1.1.7 on debian etch.
1. If we auth an ActiveDirectory user with automatic sending of username
and password to our WLAN, everything is OK. No LAN cable is connected. In
my case the username is DOMAIN\\GroozMarc.
2. If we auth the same user with a LAN cable connected, the auth fails.
In this case the username is DOMAIN\\groozmarc
3. If we auth the user without automatic sending of username and
password and enter DOMAIN\\groozmarc and have LAN connected, everything is
fine.
Here is an output from case 2:
rad_recv: Access-Request packet from host x , id=11, length=303
User-Name = "DOMAIN\\groozmarc"
Calling-Station-Id = "x"
Called-Station-Id = "x"
NAS-Port = 2
NAS-IP-Address = x
NAS-Identifier = "x"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "27"
EAP-Message =
0x020a006a1900170301005fca5e86c4de36db061ffe1fc7f358599fa78cd53e221d2899
73525b8ed1328424653bad8e457757c9ae67d167a60b6
0585b1c37d22ed1377e9ed39b37901e7cf213d6a306ef154326ca0f6c2aad68111681c24
4b1523668e9effcfd97e1a216
State = 0xc1c18b62ee37419ada28a725693523d4
Message-Authenticator = 0x8dd2ca9d8fc2a09f7dcaef11b100f2c6
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 39
modcall[authorize]: module "preprocess" returns ok for request 39
modcall[authorize]: module "chap" returns noop for request 39
modcall[authorize]: module "mschap" returns noop for request 39
rlm_realm: No '@' in User-Name = "DOMAIN\groozmarc", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 39
rlm_eap: EAP packet type response id 10 length 106
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 39
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
modcall[authorize]: module "files" returns ok for request 39
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 39
modcall: leaving group authorize (returns updated) for request 39
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 39
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message =
0x020a00531a020a004e310d11f40d775fc5fcb45ad88a7c4435830000000000000000b8
28c2bcb15e3c9ddaba50c2e6933328d1849c510dc9251
000524547494f49542d41414348454e5c47726f6f7a4d617263
PEAP: Setting User-Name to DOMAIN\groozmarc
PEAP: Adding old state with 6a 6f
PEAP: Sending tunneled request
EAP-Message =
0x020a00531a020a004e310d11f40d775fc5fcb45ad88a7c4435830000000000000000b8
28c2bcb15e3c9ddaba50c2e6933328d1849c510dc9251
000524547494f49542d41414348454e5c47726f6f7a4d617263
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\groozmarc"
State = 0x6a6f2590246560c8fdcd054d188cbb3f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 39
modcall[authorize]: module "preprocess" returns ok for request 39
modcall[authorize]: module "chap" returns noop for request 39
modcall[authorize]: module "mschap" returns noop for request 39
rlm_realm: No '@' in User-Name = "DOMAIN\groozmarc", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 39
rlm_eap: EAP packet type response id 10 length 83
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 39
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 39
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 39
modcall: leaving group authorize (returns updated) for request 39
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 39
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 39
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for groozmarc with NT-Password
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Domain'
radius_xlat: '--domain=DOMAIN'
radius_xlat: Running registered xlat function of module mschap for
string 'User-Name'
radius_xlat: '--username=groozmarc'
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
mschap2: e9
radius_xlat: '--challenge=d5ab398544877442'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
radius_xlat:
'--nt-response=b828c2bcb15e3c9ddaba50c2e6933328d1849c510dc92510'
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 39
modcall: leaving group MS-CHAP (returns reject) for request 39
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 39
modcall: leaving group authenticate (returns reject) for request 39
auth: Failed to validate the user.
Login incorrect (rlm_mschap: Logon failure (0xc000006d)):
[DOMAIN\\groozmarc/<no User-Password attribute>] (from client localhost
port 0)
PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\nE=691 R=1"
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x80148570 3
MS-CHAP-Error = "\nE=691 R=1"
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 39
modcall: leaving group authenticate (returns handled) for request 39
Hope you can help. Thanks!
Kind regards
Marc Grooz
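
Added example, not part of the original post and not FreeRADIUS code: RFC 2759 hashes the case-sensitive user name into the 8-byte challenge, so a check worth making on a log like the one above is whether the Name field inside the tunneled EAP-MSCHAPv2 response has the same case as the User-Name the server works with. The packet, both challenges and all function names below are constructed for illustration, and that the server derives the challenge from User-Name is an assumption.

```python
import hashlib
import struct

def build_response(eap_id, peer_challenge, nt_response, name):
    """Build the constructed demo packet: EAP header, then MSCHAPv2 Response."""
    value = peer_challenge + b"\x00" * 8 + nt_response + b"\x00"  # 49 bytes
    body = struct.pack("!BBHB", 2, eap_id, 5 + len(value) + len(name), len(value))
    body += value + name.encode("ascii")
    return struct.pack("!BBHB", 2, eap_id, 5 + len(body), 26) + body

def parse_response(pkt):
    """Extract Peer-Challenge, NT-Response and Name from an EAP-MSCHAPv2 Response."""
    if len(pkt) < 59:
        raise ValueError("too short for an EAP-MSCHAPv2 response")
    code, _eap_id, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if code != 2 or eap_type != 26 or length != len(pkt):
        raise ValueError("not a complete EAP-MSCHAPv2 response")
    opcode, _ms_id, ms_len, value_size = struct.unpack("!BBHB", pkt[5:10])
    if opcode != 2 or value_size != 49 or ms_len != length - 5:
        raise ValueError("malformed MSCHAPv2 Response")
    value = pkt[10:59]
    return {"peer_challenge": value[:16],
            "nt_response": value[24:48],
            "name": pkt[59:length].decode("ascii")}

def challenge_hash(peer_challenge, auth_challenge, name):
    """RFC 2759 ChallengeHash over the user part of the name (domain prefix stripped)."""
    user = name.split("\\")[-1]
    data = peer_challenge + auth_challenge + user.encode("ascii")
    return hashlib.sha1(data).digest()[:8]

def compare(pkt, outer_user_name, auth_challenge):
    """Return (inner name, client-side hash, server-side hash, hashes match?)."""
    r = parse_response(pkt)
    client = challenge_hash(r["peer_challenge"], auth_challenge, r["name"])
    server = challenge_hash(r["peer_challenge"], auth_challenge, outer_user_name)
    return r["name"], client, server, client == server

# Constructed sample values: not taken from the log above.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))
SAMPLE = build_response(10, PEER, bytes(24), "DOMAIN\\GroozMarc")

if __name__ == "__main__":
    name, client, server, same = compare(SAMPLE, "DOMAIN\\groozmarc", AUTH)
    print(name, client.hex(), server.hex(), "match" if same else "MISMATCH")
```

A mismatch here means the challenge handed to the external program is not the one the client's NT-Response was computed over, which the domain controller reports as a plain logon failure.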