EAP/peap: MSCHAP Success

db7td at gmx.de db7td at gmx.de
Mon Jul 7 16:40:35 CEST 2008


Hmm, it is in fact doing many access-challenges, but the one I have sent it the last one... There is no access-accept (and no reject).


Dietmar


-------- Original-Nachricht --------
> Datum: Mon, 07 Jul 2008 15:29:24 +0100
> Von: "Ivan Kalik" <tnt at kalik.net>
> An: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Betreff: Re: EAP/peap: MSCHAP Success

> That's because it's doing EAP mschapv2 not plain mschap. It's normal
> to get a couple more Challenge-Requests before process is over.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> Dana 7/7/2008, "db7td at gmx.de" <db7td at gmx.de> piše:
> 
> >Hello,
> >
> >I have some problems with freeradius 2.0.5 and ntlm_auth: ntlm_auth seems
> to authenticate successful, but freeradius is sending another
> access-challenge istead of access-accept. Finally, authentication fails.
> >
> >Any ideas?
> >
> >Thanks,
> >  Dietmar
> >
> >
> >rad_recv: Access-Request packet from host x.x.x.x port 32770, id=29,
> length=323
> >        User-Name = "xxxx"
> >        Calling-Station-Id = "00-aa-aa-aa-aa-aa"
> >        Called-Station-Id = "bb-bb-bb-bb-bb-bb:abcd"
> >        NAS-Port = 29
> >        NAS-IP-Address = x.x.x.x
> >        NAS-Identifier = "xxxx"
> >        Airespace-Wlan-Id = 1
> >        Service-Type = Framed-User
> >        Framed-MTU = 1300
> >        NAS-Port-Type = Wireless-802.11
> >        Tunnel-Type:0 = VLAN
> >        Tunnel-Medium-Type:0 = IEEE-802
> >        Tunnel-Private-Group-Id:0 = "111"
> >        EAP-Message =
> 0x020800901900170301002068300aa7af68cd11d993c8573581cfda02004335dd25b185c1caa58932f2c445170301006099a8478aa1f46aaee96b7280da1a3112f767ad35f728c5011d8328935379ce01eaf5a2b8bacd04a3ff66b08517d524b80e09809b94ae7720e5de155cb5d9ef20ffbd207bef659afb95d25c15b9898b401ff7eac15cd25109681c5150b976c6bc
> >        State = 0x7641829c70499b7e3361ddd3f9666230
> >        Message-Authenticator = 0xc43073f681146021f4c82a9d2d1ce165
> >+- entering group authorize
> >++[preprocess] returns ok
> >++[mschap] returns noop
> >    rlm_realm: No '@' in User-Name = "xxxx", looking up realm NULL
> >    rlm_realm: No such realm "NULL"
> >++[suffix] returns noop
> >  rlm_eap: EAP packet type response id 8 length 144
> >  rlm_eap: Continuing tunnel setup.
> >++[eap] returns ok
> >  rad_check_password:  Found Auth-Type EAP
> >auth: type "EAP"
> >+- entering group authenticate
> >  rlm_eap: Request found, released from the list
> >  rlm_eap: EAP/peap
> >  rlm_eap: processing type peap
> >  rlm_eap_peap: Authenticate
> >  rlm_eap_tls: processing TLS
> >  eaptls_verify returned 7
> >  rlm_eap_tls: Done initial handshake
> >  eaptls_process returned 7
> >  rlm_eap_peap: EAPTLS_OK
> >  rlm_eap_peap: Session established.  Decoding tunneled attributes.
> >  rlm_eap_peap: EAP type mschapv2
> >  PEAP: Setting User-Name to yyyy\xxxx
> >+- entering group authorize
> >++[preprocess] returns ok
> >++[mschap] returns noop
> >    rlm_realm: No '@' in User-Name = "yyyy\xxxx", looking up realm NULL
> >    rlm_realm: No such realm "NULL"
> >++[suffix] returns noop
> >  rlm_eap: EAP packet type response id 8 length 73
> >  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> >++[eap] returns updated
> >    users: Matched entry DEFAULT at line 1
> >    users: Matched entry DEFAULT at line 460
> >++[files] returns ok
> >++[expiration] returns noop
> >++[logintime] returns noop
> >rlm_pap: WARNING! No "known good" password found for the user. 
> Authentication may fail because of this.
> >++[pap] returns noop
> >  rad_check_password:  Found Auth-Type EAP
> >auth: type "EAP"
> >+- entering group authenticate
> >  rlm_eap: Request found, released from the list
> >  rlm_eap: EAP/mschapv2
> >  rlm_eap: processing type mschapv2
> >+- entering group MS-CHAP
> >  rlm_mschap: No Cleartext-Password configured.  Cannot create
> LM-Password.
> >  rlm_mschap: No Cleartext-Password configured.  Cannot create
> NT-Password.
> >  rlm_mschap: Told to do MS-CHAPv2 for xxxx with NT-Password
> >        expand: --domain=%{mschap:NT-Domain} -> --domain=yyyyyy
> >        expand: --username=%{mschap:User-Name:-None} -> --username=xxxx
> > mschap2: b0
> >        expand: --challenge=%{mschap:Challenge:-00} ->
> --challenge=8fc3f2bd3e12c979
> >        expand: --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=9c59f2bc45acacb2fe7b4068cb014b9aed12664f7135d064
> >Exec-Program output: NT_KEY: 09360732CEED74278E86C2D9A9EBB694
> >Exec-Program-Wait: plaintext: NT_KEY: 09360732CEED74278E86C2D9A9EBB694
> >Exec-Program: returned: 0
> >rlm_mschap: adding MS-CHAPv2 MPPE keys
> >++[mschap] returns ok
> >MSCHAP Success
> >++[eap] returns handled
> >  PEAP: Got tunneled Access-Challenge
> >++[eap] returns handled
> >Sending Access-Challenge of id 29 to x.x.x.x port 32770
> >        EAP-Message =
> 0x0109005b190017030100508b5c946b956210b83f4d4dc1110d22be38775b1fab7e98154dc59571b3e81b6d2f4c06139ebfbaeae78d6b41cd6ef643f1a67d56b96bf669bbb0aab6e6df36281122e5b85d6a1543990e7cd0d61523ed
> >        Message-Authenticator = 0x00000000000000000000000000000000
> >        State = 0x7641829c71489b7e3361ddd3f9666230
> >Finished request 17.
> >-
> >List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
> >
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list