EAP-TLS OK - EAP-PEAP KO!! why that?
Reveal MAP
revealmapp at yahoo.fr
Sat Jul 19 19:46:26 CEST 2008
Thank you, Alan.
(I am on the FAQ.)
user=maman
passwd= maman
is an SQL-based user.
Trying PEAP with an SQL-based user gives an error message, but trying it with an AD-based user gives no error message; it just doesn't connect...
With radtest:
radtest maman maman localhost 1812 testing123
Sending Access-Request of id 48 to 127.0.0.1 port 1812
User-Name = "maman"
User-Password = "maman"
NAS-IP-Address = 127.0.0.2
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=48, length=20
Same credentials with my access point (part of the output):
---------------------------------------------------------------------------------------------
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: Told to do MS-CHAPv2 for maman with NT-Password
expand: --username=%{mschap:User-Name} -> --username=maman
mschap2: 64
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2ebb047f9367e21a
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=9a350da9a792cd203c8bbc949a8522dc0540f2f6561bc24b
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [maman/<via Auth-Type = EAP>] (from client Ap8500 port 2 cli 00-12-F0-0C-97-61 via TLS tunnel)
} # server (null)
PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\021E=691 R=1"
EAP-Message = 0x04110004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x81d8f90 3
MS-CHAP-Error = "\021E=691 R=1"
EAP-Message = 0x04110004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
++[eap] returns handled
Sending Access-Challenge of id 93 to 10.10.44.246 port 1036
EAP-Message = 0x011200261900170301001b073fa5a0bd298ecb1079cb86c898132309fee25458125b2dd2fa73
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf57621b1f264389c4e317c094fd9f295
Finished request 477.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.44.246 port 1036, id=94, length=194
User-Name = "maman"
NAS-IP-Address = 10.10.44.246
NAS-Port = 2
Called-Station-Id = "00-1C-F0-08-FB-FA:PEAP"
Calling-Station-Id = "00-12-F0-0C-97-61"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x021200261900170301001b45d08a0aa2a8e62c56613f082cafa76f4b6f51d358557fefd07b7f
State = 0xf57621b1f264389c4e317c094fd9f295
Message-Authenticator = 0xc80003ff430d4f991ea016e1e620ecaf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "maman", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 18 length 38
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [maman/<via Auth-Type = EAP>] (from client Ap8500 port 2 cli 00-12-F0-0C-97-61)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> maman
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 94 to 10.10.44.246 port 1036
EAP-Message = 0x04120004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 478.
Going to the next request
Waking up in 4.8 seconds.
---------------------------------------------------------------------------------------------
----- Original Message ----
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Saturday, 19 July 2008, 17:19:58
Subject: Re: Re : Re : EAP-TLS OK - EAP-PEAP KO!! why that?
Reveal MAP wrote:
> Now I am trying to authenticate via PEAP a user existing on my SQL database:
The debug log doesn't show that.
> The output is too long; the mailing list parameters won't accept it. I post
> the part of the output that seems to give the point of misconfiguration. If
> it is not sufficient, please let me know, and I will find a way to put
> the whole output of radiusd -X somewhere. Thank you.
...
> Exec-Program output: Logon failure (0xc000006d)
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
> Exec-Program: returned: 1
> rlm_mschap: External script failed.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
What's the problem? You're using Samba to authenticate to Active
Directory, and the password is wrong.
Check that the passwords are correct.
Alan DeKok.
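
Added example (not part of the original thread, and not FreeRADIUS code): a small Python triage function that reads `radiusd -X` debug output like the log above and reports whether the inner MS-CHAPv2 step of PEAP was rejected by the external program or by a comparison inside the server. The function name `triage`, the verdict labels and the trimmed sample log are constructed for illustration.

```python
import re

# Well-known codes: Windows NTSTATUS and the RFC 2759 MS-CHAPv2 failure code.
NT_STATUS = {0xC000006D: "STATUS_LOGON_FAILURE"}
MSCHAP_ERR = {691: "ERROR_AUTHENTICATION_FAILURE"}

# Constructed sample, trimmed from the debug output quoted in this thread.
SAMPLE = r'''rlm_mschap: Told to do MS-CHAPv2 for maman with NT-Password
expand: --username=%{mschap:User-Name} -> --username=maman
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
MS-CHAP-Error = "\021E=691 R=1"
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: Had sent TLV failure.  User was rejected earlier in this session.
'''

def triage(log_text):
    """Summarise how the inner MS-CHAPv2 step of a PEAP session failed."""
    r = {"user": None, "external_helper": False, "nt_status": None,
         "mschap_error": None, "retry_allowed": None,
         "tunnel_rejected": False, "verdict": "no-mschap-failure"}
    failed = False
    for line in log_text.splitlines():
        if m := re.search(r"Told to do MS-CHAPv2 for (\S+)", line):
            r["user"] = m.group(1)
        elif m := re.search(r"Exec-Program output: .*\((0x[0-9a-fA-F]+)\)", line):
            code = int(m.group(1), 16)
            r["external_helper"] = True
            r["nt_status"] = NT_STATUS.get(code, hex(code))
        elif "MS-CHAP2-Response is incorrect" in line:
            failed = True
        elif m := re.search(r"MS-CHAP-Error = .*E=(\d+) R=([01])", line):
            code = int(m.group(1))
            r["mschap_error"] = MSCHAP_ERR.get(code, str(code))
            r["retry_allowed"] = m.group(2) == "1"
        elif "Tunneled authentication was rejected" in line:
            r["tunnel_rejected"] = True
    if failed:
        # Helper output present: its answer decided the outcome. Otherwise we
        # assume (assumption of this example) the server compared hashes itself.
        r["verdict"] = ("external-helper-rejected" if r["external_helper"]
                        else "local-mismatch")
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

An `external-helper-rejected` verdict for a user that exists only in SQL points at where the password was actually checked, which is the account store the helper queries.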