PEAP or TTLS and Microsoft Vista.
nf-vale
nf-vale at critical-links.com
Wed Jul 23 02:12:46 CEST 2008
I'm also suffering from this Vista "disease". But in my case I can
authenticate users using PEAP, from XP SP2 and SP3 clients, even with
"Validating Server Certificate" checked.
The problem is only with Vista. I have all the available Windows updates
installed, but I can't get it to work even with "Validate Server
Certificate" unchecked.
The FreeRADIUS version that I'm using is 2.0.2, and I've tried
both with the radius "test" certificates and with others, and the behavior is
exactly the same.
The radius log always shows the following:
"...
rad_recv: Access-Request packet from host 192.168.100.199 port 1024,
id=93, length=340
Framed-MTU = 1480
NAS-IP-Address = 192.168.100.199
NAS-Identifier = "HP ProCurve Switch 2626-PWR"
User-Name = "teste"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 2
NAS-Port-Type = Ethernet
NAS-Port-Id = "2"
Called-Station-Id = "00-11-85-ad-b7-c0"
Calling-Station-Id = "00-1b-38-8f-40-aa"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0x2a4cc8322ac0d1b35c7650bea0308dda
EAP-Message =
0x028c007419800000006a16030100650100006103014886730236b0840bd6df9358c1446c3e62e956de01ad320ddc04441dcf82d462000018002f00350005000ac009c00ac013c0140032003800130004010000200000000a00080000057465737465000a00080006001700180019000b00020100
Message-Authenticator = 0xd46becf93b1bcccd0402d3496f7f5721
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "teste", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 140 length 116
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
++[mschap] returns noop
users: Matched entry teste at line 1
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for teste
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=teste)
expand: ou=People,dc=local,dc=loc -> ou=People,dc=local,dc=loc
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=local,dc=loc, with filter
(uid=teste)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
TLS Length 106
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0065], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 03b0], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 93 to 192.168.100.199 port 1024
EAP-Message =
EAP-Message =
EAP-Message =
EAP-Message =
EAP-Message = 0x8e17896898d68a07d3dbf173
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2a4cc8322bc1d1b35c7650bea0308dda
Finished request 11.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Cleaning up request 10 ID 92 with timestamp +1627
Cleaning up request 11 ID 93 with timestamp +1627
Ready to process requests.
"
Is there anything that I'm missing?
Nelson Vale
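The log above stops right after the server writes ServerHello, Certificate and ServerHelloDone and then waits ("Need to read more data: SSLv3 read client certificate A"), so the only client-side TLS data visible is the ClientHello inside the first EAP-Message. The following decoder is an added example (not part of this post and not FreeRADIUS code): it splits the EAP header and PEAP flags from the TLS payload and lists what the Vista client offered, i.e. the TLS version, cipher suites and extensions, including the server_name extension, which in this capture carries the user name "teste", and the elliptic curves. The EAP-Message hex is copied verbatim from the Access-Request in the log; cipher-suite and curve names come from the IANA TLS registries. The EAP id 140, length 116 and "TLS Length 106" that rlm_eap prints serve as a cross-check on the parser.

```python
"""Decode the EAP-Message attribute from an Access-Request and report what the
PEAP client offered in its TLS ClientHello (example code, not part of the
original post or of FreeRADIUS)."""
import struct

# EAP-Message value copied verbatim from the Access-Request in the log above.
EAP_MESSAGE_HEX = (
    "028c007419800000006a"
    "1603010065010000610301"
    "4886730236b0840bd6df9358c1446c3e62e956de01ad320ddc04441dcf82d462"
    "000018002f00350005000ac009c00ac013c0140032003800130004"
    "010000200000000a00080000057465737465000a00080006001700180019000b00020100"
)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
CIPHER_SUITES = {  # IANA registry names for the suites seen in this capture
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}
NAMED_GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}


def parse_eap_tls(hexstr):
    """Split an EAP-TLS/PEAP packet (RFC 3748 header, RFC 5216 flags) from its TLS payload."""
    data = bytes.fromhex(hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length field %d does not match %d bytes" % (length, len(data)))
    eap_type, flags = data[4], data[5]
    pkt = {
        "code": EAP_CODES.get(code, code),
        "id": ident,
        "length": length,
        "type": EAP_TYPES.get(eap_type, eap_type),
        "peap_version": flags & 0x07,        # low three bits carry the PEAP version
        "length_included": bool(flags & 0x80),
        "more_fragments": bool(flags & 0x40),
        "start": bool(flags & 0x20),
    }
    pos = 6
    if pkt["length_included"]:               # L flag: 4-byte total TLS message length follows
        pkt["tls_total_length"] = struct.unpack("!I", data[6:10])[0]
        pos = 10
    pkt["tls_data"] = data[pos:]
    return pkt


def parse_client_hello(tls):
    """Decode one TLS record carrying a ClientHello and return what the client offered."""
    content_type, major, minor, rec_len = struct.unpack("!BBBH", tls[:5])
    body = tls[5:5 + rec_len]
    if content_type != 22 or len(body) != rec_len:
        raise ValueError("not a complete TLS handshake record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if hs_type != 1 or len(hello) != hs_len:
        raise ValueError("not a complete ClientHello")
    client_version = (hello[0], hello[1])
    pos = 2 + 32                             # skip the 32-byte client random
    sid_len = hello[pos]; pos += 1
    session_id = hello[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1 + comp_len   # compression methods, not needed here
    extensions = {}
    if pos < len(hello):                     # extensions block is optional in TLS 1.0
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            extensions[etype] = hello[pos:pos + elen]; pos += elen
    offer = {
        "record_version": TLS_VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
        "client_version": TLS_VERSIONS.get(client_version, "%d.%d" % client_version),
        "session_id": session_id.hex(),
        "cipher_suites": [CIPHER_SUITES.get(s, "0x%04x" % s) for s in suites],
        "extensions": sorted(extensions),
    }
    if 0 in extensions:                      # server_name: list_len(2) name_type(1) name_len(2) name
        sni = extensions[0]
        name_len = struct.unpack("!H", sni[3:5])[0]
        offer["server_name"] = sni[5:5 + name_len].decode("ascii", "replace")
    if 10 in extensions:                     # elliptic_curves / supported_groups: list_len(2) then 2-byte ids
        groups = extensions[10]
        n = struct.unpack("!H", groups[:2])[0]
        ids = [struct.unpack("!H", groups[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        offer["supported_groups"] = [NAMED_GROUPS.get(g, str(g)) for g in ids]
    return offer


def decode(hexstr):
    pkt = parse_eap_tls(hexstr)
    return pkt, parse_client_hello(pkt["tls_data"])


if __name__ == "__main__":
    pkt, offer = decode(EAP_MESSAGE_HEX)
    print("EAP %(code)s id=%(id)d len=%(length)d type=%(type)s L=%(length_included)s" % pkt)
    for key, value in offer.items():
        print("  %s: %s" % (key, value))
```

Running it against this capture confirms the numbers rlm_eap logged (Response, id 140, length 116, TLS length 106, PEAP version 0) and shows a TLS 1.0 ClientHello with an empty session id, twelve cipher suites starting with TLS_RSA_WITH_AES_128_CBC_SHA, and three extensions: server_name ("teste"), elliptic_curves (secp256r1, secp384r1, secp521r1) and ec_point_formats. Comparing such an offer against the key type of the server certificate and the suites the server's OpenSSL build accepts is the quickest way to tell whether a silent client is waiting on something the server never sent.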
Tue, 2008-07-22 at 23:22 +0200, Lech Karol Pawłaszek wrote:
> Hello.
>
> I need your help. For the last few days I have been trying to authenticate and
> authorize Microsoft Vista operating system against FreeRADIUS and a 3com
> switch (as NAS) for wired authentication with no luck.
>
> I'm using FreeRADIUS 2.0.5 from sources built on Debian Etch GNU/Linux
> and certs made by bootstrap command (so those certs should have a bit of
> magic from xpextensions afaik). I try to make little steps and change as
> little as possible - to be honest I've only added a user to the users file
> and a client definition to the clients.conf file.
>
> I've tested my configuration with eapol_test command (as suggested at
> this site[1]) and it works fine. I've tested it against MacOsX 10.4 and
> MacOsX 10.5 and it works fine. I even tested it against Windows XP SP2
> and it works fine. It doesn't work with Windows Vista and Windows XP
> SP3. Please help!
>
> What I have spotted is that the server sends "Access Challenge" and then
> on OSX dialog pops up where I can accept server's certificate and on
> Windows it's over. So I think it's the issue mentioned on this site[2]
> however I DO have Validate Server Certificate un-checked.
>
> One more thing. If I don't use Windows' PEAP authorization and instead install
> securew2 and use securew2's auth - I am able to connect. It works for a
> minute or so and then the NAS reports lost carrier and the connection is lost.
>
> I've written about this issue about a year ago, however this was put
> on hold. You might want to look at the logfiles from those tests.
>
> [1] - http://deployingradius.com/scripts/eapol_test/
> [2] - http://deployingradius.com/documents/configuration/eap-problems.html
> [3] -
> http://lists.freeradius.org/pipermail/freeradius-users/2007-July/msg00096.html
>
> Any hints and tips much appreciated. I'm attaching two logfiles. The
> first one - freeradius.log - is the one where I'm trying to authenticate
> using system-wide PEAP. The second one, namely freeradius-securew2.log,
> is the one where switch receives Access-Accept and a few moments later
> switch sends back information that the carrier is lost.
>
> I've compressed both logfiles. I hope it's ok here. If it's not - please
> let me know.
>
> Thanks in advance.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html