cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

Anders Holm anders.holm at sysadmin.ie
Sun Jul 27 05:24:01 CEST 2008


> [snip]
> 
> rlm_pap: WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.                    //Normal, i am not willing to do
> PAP but mschapv2
> 
> <me> If you're not using a module, disable it. All it'll do is add latency,
> delays and unnecessary log messages. Comment it out ...
> 
> ++[pap] returns noop
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
> +- entering group MS-CHAP
>   rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
>     //do the 3 previous lines mean there is an error? what does "No
> Cleartext-Password configured" mean?
> 
> <me> it means, it cannot find a clear text password in the backend data store,
> which it expects to do ..
> 
>    // what does LM-Password mean? and if it's an error, how could I correct it?
> 
> <me> Check your configuration. All depends on so many things ..
> 
>    // I thought it was normal, as I am sure Windows never sends
> "cleartext-Password"
> 
> Oh, Windows sure has been using clear text passwords, so it then also has a
> need to be backwards compatible with itself, right?
> 
> 
>         expand: --username=%{mschap:User-Name}-> --username=glouglou
> //...???...
> 
>  mschap2: d1
>         expand: --challenge=%{mschap:Challenge:-00} ->
> --challenge=4a2a69e7929b2c03 //...???...
>         expand: --nt-response=%{mschap:NT-Response:-00}} ->
> --nt-response=e9ea7e1669ef48501476149962484763f8f98b93fca2ced6} //...???...
> Exec-Program output: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1 //...???...
> Exec-Program-Wait: plaintext: NT_KEY: 067F1C60B6DDB9D2802A458C4EFE22C1
> //...???...
> //negotiation that is out of the range of my brain till now, but I think it's
> normal security negotiation in a Windows system, and there is no error here.
> 
> Exec-Program: returned: 0 //...???...
> rlm_mschap: adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success //...???... if MSCHAP Success, where is the matter with this
> module???
> 
> <me> what makes you believe there is a problem at this stage?
> 
> ++[eap] returns handled
> } # server (null) //...???...
>   PEAP: Got tunneled reply RADIUS code 11
>         EAP-Message =
> 0x011200331a0311002e533d313034353230313939324636334439444241323036444246433433
> 41413242354132313236344636
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x95b92b9094ab31501a0a30daea5106ca
>   PEAP: Processing from tunneled session code 0x81b78d8 11
>         EAP-Message =
> 0x011200331a0311002e533d313034353230313939324636334439444241323036444246433433
> 41413242354132313236344636
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x95b92b9094ab31501a0a30daea5106ca
>   PEAP: Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 164 to 10.10.44.246 port 1042
>         EAP-Message =
> 0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0
> a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xe8ed0301efff1a196c3b0024d8e45892 //...???... and then what?
> and why does it stop..???...
> 
> <me> why do I get the feeling that if Message-Authenticator is all zeros, it
> is a "nope, not going to happen mate" type return, effectively stopping any
> further processing. Why I have no idea .. Alan??
> 
> [cut out bits that are not relevant, nor commented, nor anything. Let's trim
> messages folks. If it's not used or relevant, get rid of it.. It only takes
> space]
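
Added example, not part of the original message and not FreeRADIUS code: a small decoder for the two EAP-Message values in the debug output above, so the hex that the log prints can be read field by field. The function name `decode_eap` and the lookup tables are this example's own; it handles only unfragmented packets and only the two EAP types that appear in this log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAP_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
TLS_RECORDS = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

# EAP-Message values copied from the debug output above, wrapped lines rejoined.
INNER = ("0x011200331a0311002e533d313034353230313939324636334439444241323036444246433433"
         "41413242354132313236344636")
OUTER = ("0x0112004a1900170301003f9d2524cd5e275d581a614935870e9c19c11e3a4e05332e915ef1f0"
         "a46bed9a751bbc330d98db1e52e04119a926415da6ee52cb7e6cc6693a8f1bb8847a7af3")


def decode_eap(hex_value):
    """Decode one unfragmented EAP packet given as the hex string the log prints."""
    text = hex_value.strip()
    raw = bytes.fromhex(text[2:] if text.lower().startswith("0x") else text)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length == 4:
        return out  # Success/Failure packets carry no type or data
    eap_type, body = raw[4], raw[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 26 and len(body) >= 4:
        # MS-CHAPv2: OpCode, MS-CHAPv2-ID, MS-Length, then the message text
        opcode, ms_id, ms_len = struct.unpack("!BBH", body[:4])
        out.update(opcode=MSCHAP_OPCODES.get(opcode, opcode), ms_id=ms_id,
                   ms_length=ms_len, message=body[4:].decode("ascii", "replace"))
    elif eap_type == 25 and len(body) >= 6:
        # PEAP: flags byte (0x80 = 4-byte TLS length follows), then a TLS record
        flags = body[0]
        rec = body[5:] if flags & 0x80 else body[1:]
        ctype, major, minor, rlen = struct.unpack("!BBBH", rec[:5])
        out.update(flags=flags, tls_record=TLS_RECORDS.get(ctype, ctype),
                   tls_version=(major, minor), tls_length=rlen)
    return out


if __name__ == "__main__":
    for name, value in (("tunneled reply", INNER), ("Access-Challenge", OUTER)):
        print(name, decode_eap(value))
```

The tunneled reply decodes as an EAP Request of type MS-CHAPv2 with opcode Success and an `S=` authenticator response string; the Access-Challenge decodes as a PEAP Request carrying a single TLS 1.0 application-data record.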
