cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)
Reveal MAP
revealmapp at yahoo.fr
Sun Jul 27 05:03:27 CEST 2008
Thanks for responding, dude. Let's take a look at this part of the log!
(Remember too that I am new to Linux; many things are still Chinese to
me.)
I agree, my certificates are OK to do EAP in general.
My comments are the red lines (the lines starting with // below):
My mschap module config is:
--------------
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
# one closing brace per expansion: a doubled }} is passed through to ntlm_auth as a literal } after the NT-Response hex
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
My peap and mschapv2 module config is:
---------------
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = yes
}
The output of the EAP/MSCHAPv2 authentication is:
------------
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. // Normal, I do not want to do PAP but MSCHAPv2
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
// Do the 3 previous lines mean there is an error? What does "No Cleartext-Password configured" mean?
// What does LM-Password mean? And if it's an error, how could I correct it?
// I thought it was normal, as I am sure Windows never sends a "Cleartext-Password".
expand: --username=%{mschap:User-Name}-> --username=glouglou //...???...
mschap2: d1
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4a2a69e7929b2c03 //...???...
expand: --nt-response=%{mschap:NT-Response:-00}} -> --nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6} //...???...
Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???...
Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???...
// Negotiation that is out of the range of my brain till now, but I think it's normal security negotiation in the Windows system, and there is no error here.
Exec-Program: returned: 0 //...???...
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success //...???... if MSCHAP Success, where is the problem with this module???
++[eap] returns handled
} # server (null) //...???...
PEAP: Got tunneled reply RADIUS code 11
EAP-Message = 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x95b92b9094ab31501a0a30daea5106ca
PEAP: Processing from tunneled session code 0x81b78d8 11
EAP-Message = 0x011200331a0311002e533d31303435323031393932463633443944424132303644424643343341413242354132313236344636
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x95b92b9094ab31501a0a30daea5106ca
PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 164 to 10.10.44.246 port 1042
EAP-Message =
0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe8ed0301efff1a196c3b0024d8e45892 //...???... and then what? And why does it stop...???...
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 157 with timestamp +47
Cleaning up request 3 ID 158 with timestamp +47
Cleaning up request 4 ID 159 with timestamp +47
Cleaning up request 5 ID 160 with timestamp +47
Cleaning up request 6 ID 161 with timestamp +47
Cleaning up request 7 ID 162 with timestamp +47
Cleaning up request 8 ID 163 with timestamp +47
Cleaning up request 9 ID 164 with timestamp +47
Ready to process requests.
> aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
> password:
> NT_STATUS_OK: Success (0x0)
> aaa:~ #
>
>
> :/ Any help will be appreciated. These days I am wondering about the
> validity of the server certificate!
> I have to tell you that, in my case, if I try a PEAP authentication
> against Active Directory with wrong user credentials, I get an
> error message saying that the login or password is incorrect. With good
> user credentials, I just obtain what you can see in the radiusd -X
> output (http://tinypaste.com/5b99b)
>
> thank you
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
But I think you don't have any problem with certificates, looking at the
radius debug:
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
The client is telling you that it has verified the server cert (against
ca.der). Then the server writes ChangeCipherSpec and Finished, and the TLS
phase is finished. I think you have problems with the mschapv2 phase, assuming
your SQL queries are working.
Your problem begins here:
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
expand: --username=%{mschap:User-Name} -> --username=glouglou
I think......
I've never configured peap/mschapv2, but I've sometimes read, not
carefully, about some dependencies between the mschap module and mschapv2, or
something like that.
Hope this helps you
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
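Added example, not code from the original post and not part of FreeRADIUS: a small Python decoder for the EAP-Message hex that radiusd -X prints, so the two messages in the log above can be read instead of guessed at. It parses the tunnelled reply (EAP-Message = 0x011200331a03...) and the outer Access-Challenge (EAP-Message = 0x0112004a1900...) exactly as copied from the log, plus a constructed packet showing what the supplicant's next message inside the tunnel has to look like. Function names, field labels and the constructed reply are this example's own assumptions.

```python
"""Decode EAP-Message values from a FreeRADIUS debug log (added example)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_PEAP = 25
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure", 7: "Change-Password"}
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

# Copied from the log: the reply seen at "PEAP: Got tunneled reply RADIUS code 11".
INNER_EAP_HEX = ("011200331a0311002e533d3130343532303139393246363344394442413230"
                 "3644424643343341413242354132313236344636")
# Copied from the log: the EAP-Message in "Sending Access-Challenge of id 164".
OUTER_EAP_HEX = ("0112004a1900" "170301003f"
                 "9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0a46bed"
                 "9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb884"
                 "7a7af3")
# Constructed (not from the log): the only tunnelled reply that completes the exchange,
# an EAP Response with the same id 0x12, type 26, OpCode 3 (Success) and nothing else.
EXPECTED_PEER_REPLY_HEX = "021200061a03"


def decode_eap(hex_msg):
    """Parse one EAP packet: RFC 3748 header, then the type-specific body."""
    pkt = bytes.fromhex(hex_msg)
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length %d but %d bytes present" % (length, len(pkt)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                       # plain Success/Failure carry no type byte
        return out
    out["type"] = pkt[4]
    body = pkt[5:]
    if out["type"] == EAP_TYPE_MSCHAPV2:
        out.update(decode_mschapv2(body))
    elif out["type"] == EAP_TYPE_PEAP:
        out.update(decode_peap(body))
    return out


def decode_mschapv2(body):
    """EAP-MSCHAPv2 body: OpCode, then (for requests) MS-CHAPv2-ID, MS-Length, data."""
    opcode = body[0]
    out = {"opcode": MSCHAPV2_OPCODES.get(opcode, opcode)}
    if len(body) == 1:                       # peer's Success/Failure Response: OpCode only
        return out
    _, ms_id, ms_len = struct.unpack("!BBH", body[:4])
    if ms_len != len(body):
        raise ValueError("MS-Length %d but %d bytes present" % (ms_len, len(body)))
    out["mschapv2_id"] = ms_id
    data = body[4:]
    if opcode == 1:                          # Challenge: Value-Size, Challenge, Name
        vsize = data[0]
        out["server_challenge"] = data[1:1 + vsize].hex()
        out["server_name"] = data[1 + vsize:].decode("ascii", "replace")
    elif opcode == 2:                        # Response: Value-Size(49) = Peer-Challenge(16) Reserved(8) NT-Response(24) Flags(1), Name
        vsize = data[0]
        resp = data[1:1 + vsize]
        out["peer_challenge"] = resp[:16].hex()
        out["nt_response"] = resp[24:48].hex()
        out["name"] = data[1 + vsize:].decode("ascii", "replace")
    elif opcode == 3:                        # Success request: "S=<40 hex chars>" [" M=<text>"]
        text = data.decode("ascii", "replace")
        out["message"] = text
        out["authenticator_response"] = text[2:42] if text.startswith("S=") else None
    elif opcode == 4:                        # Failure request: "E=... R=... C=... V=... M=..."
        out["message"] = data.decode("ascii", "replace")
    return out


def decode_peap(body):
    """EAP-PEAP body: flags byte (L, M, S, version), optional 4-byte TLS length, TLS records."""
    flags = body[0]
    out = {"peap_version": flags & 0x07,
           "flags": {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}}
    pos = 1
    if flags & 0x80:
        out["tls_total_length"] = struct.unpack("!I", body[1:5])[0]
        pos = 5
    records = []
    while pos + 5 <= len(body):              # walk the TLS record headers (payload stays opaque)
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", body[pos:pos + 5])
        records.append({"content_type": TLS_CONTENT_TYPES.get(ctype, ctype),
                        "version": "%d.%d" % (vmaj, vmin), "length": rlen})
        pos += 5 + rlen
    out["tls_records"] = records
    return out


if __name__ == "__main__":
    for label, h in (("tunnelled reply", INNER_EAP_HEX), ("outer challenge", OUTER_EAP_HEX),
                     ("expected peer reply", EXPECTED_PEER_REPLY_HEX)):
        print(label, decode_eap(h))
```

Run as is, the tunnelled message decodes as an EAP Request (id 0x12) of type 26, OpCode 3 Success, carrying S= followed by the 40-hex-character authenticator response; the outer message is type 25 (PEAP version 0) wrapping one 63-byte TLS ApplicationData record. In other words the server side of MS-CHAPv2 is done and radiusd is now waiting for the supplicant to acknowledge that Success inside the tunnel (the constructed reply above); the posted log ends with "Finished request 9" before any such reply arrives.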