PEAP authentication issues - sort of
Capelle, Mark (PCMC-GB)
Mark.Capelle at pcmc.com
Thu Jun 12 21:22:18 CEST 2008
I have FreeRADIUS set up to do LDAP authentication against AD and also PEAP,
which ultimately uses ntlm_auth against AD. Both work fine for the most
part, except for some users that I have started to add to the PEAP-enabled
wireless network. If I connect to this network, I authenticate fine.
If one of these other accounts connects, the authentication fails for
some reason. Here are the entries from the radius.log file:
Thu Jun 12 13:21:25 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 0)
Thu Jun 12 13:21:25 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 1 cli 00-0E-35-6F-A3-7D)
Thu Jun 12 13:21:54 2008 : Auth: Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 0)
Thu Jun 12 13:21:54 2008 : Auth: Login incorrect: [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 1 cli 00-0C-F1-12-49-DD)
Thu Jun 12 13:22:12 2008 : Auth: Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 0)
Thu Jun 12 13:22:12 2008 : Auth: Login incorrect: [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 1 cli 00-0C-F1-12-49-DD)
Thu Jun 12 13:23:04 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 0)
Thu Jun 12 13:23:04 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 2 cli 00-0E-35-6F-A3-7D)
If I try the samba authentication from a command line on the FreeRADIUS
server, it completes successfully:
[root@RADIUS1 raddb]# /usr/local/samba/bin/wbinfo -a nonworkinguser%testpassword
plaintext password authentication succeeded
challenge/response password authentication succeeded
If I test authentication of the user using radtest, it works fine and is
able to find the user:
[root@RADIUS2 ~]# radtest nonworkinguser testpassword 10.1.1.1 1 testing123
Sending Access-Request of id 221 to 10.1.1.1 port 1812
        User-Name = "nonworkinguser"
        User-Password = "testpassword"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
rad_recv: Access-Accept packet from host 10.1.1.1 port 1812, id=221, length=20
What I believe to be the relevant part of the radiusd -X output is:
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for nonworkinguser with NT-Password
expand: --username=%{mschap:User-Name} -> --username=nonworkinguser
mschap2: 85
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=3c2921ed60ab0f28
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=9b2c345dd9585a0b79b19cd2fe360474a737271903b6989c
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 0)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
++[eap] returns handled
Anyone have any ideas as to what the problem might be?
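The radius.log lines quoted above are the kind of thing one ends up reading by hand when triaging a failure like this. As an added example (not code from the original post and not part of FreeRADIUS), here is a small Python parser that turns each "Login OK" / "Login incorrect" line of a FreeRADIUS 2.x radius.log into a record and groups them by user, so that the module reason attached to one entry (here the port 0 one) can be read alongside the station MAC carried by the "cli" entry of the same attempt. The sample log is constructed by rejoining the mail-wrapped lines from the post; the record field names and the "/<via Auth-Type = EAP>" handling are my own assumptions about the log format, based only on the lines shown here.

```python
import re
from collections import defaultdict

# Constructed sample: the radius.log excerpt from the post, with the
# mail-wrapped lines rejoined. Backslashes are kept exactly as logged.
SAMPLE_LOG = r"""
Thu Jun 12 13:21:25 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 0)
Thu Jun 12 13:21:25 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 1 cli 00-0E-35-6F-A3-7D)
Thu Jun 12 13:21:54 2008 : Auth: Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 0)
Thu Jun 12 13:21:54 2008 : Auth: Login incorrect: [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 1 cli 00-0C-F1-12-49-DD)
Thu Jun 12 13:22:12 2008 : Auth: Login incorrect (rlm_ldap: User not found): [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 0)
Thu Jun 12 13:22:12 2008 : Auth: Login incorrect: [DOMAIN\\nonworkinguser/<via Auth-Type = EAP>] (from client WLANCTRLR1 port 1 cli 00-0C-F1-12-49-DD)
Thu Jun 12 13:23:04 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 0)
Thu Jun 12 13:23:04 2008 : Auth: Login OK: [DOMAIN\\user1] (from client WLANCTRLR1 port 2 cli 00-0E-35-6F-A3-7D)
"""

# One "Auth:" line. The parenthesised module reason and the "cli <MAC>"
# suffix are both optional, as the excerpt shows (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<ident>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<mac>[0-9A-Fa-f-]+))?\)$"
)

TUNNEL_MARK = "<via Auth-Type = EAP>"


def parse_line(line):
    """Return a dict for one Auth: line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    ident = rec.pop("ident")
    # The "/<via Auth-Type = EAP>" suffix marks requests that went through
    # EAP; the part before the "/" is the logged identity (DOMAIN\user).
    rec["via_eap"] = TUNNEL_MARK in ident
    name = ident.split("/", 1)[0]
    parts = [p for p in name.split("\\") if p]   # tolerate doubled backslashes
    rec["user"] = parts[-1]
    rec["domain"] = parts[0] if len(parts) > 1 else ""
    rec["port"] = int(rec["port"])
    rec["ok"] = rec.pop("result") == "OK"
    return rec


def summarize(log_text):
    """Group Auth: lines by user: outcome counts, module reasons, station MACs."""
    users = defaultdict(lambda: {"ok": 0, "failed": 0, "reasons": set(),
                                 "stations": set(), "via_eap": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        u = users[rec["user"]]
        u["ok" if rec["ok"] else "failed"] += 1
        if rec["reason"]:
            u["reasons"].add(rec["reason"])
        if rec["mac"]:
            # only the entry with "cli" carries the wireless station's MAC
            u["stations"].add(rec["mac"])
        u["via_eap"] = u["via_eap"] or rec["via_eap"]
    return dict(users)


def failing_users(summary):
    """Users that never succeeded in the window: the ones worth chasing first."""
    return sorted(u for u, s in summary.items() if s["failed"] and not s["ok"])


def report(summary):
    """One line per user, joining reasons and station MACs seen for that user."""
    lines = []
    for user in sorted(summary):
        s = summary[user]
        lines.append(
            f"{user}: ok={s['ok']} failed={s['failed']} "
            f"eap={'yes' if s['via_eap'] else 'no'} "
            f"stations={','.join(sorted(s['stations'])) or '-'} "
            f"reasons={'; '.join(sorted(s['reasons'])) or '-'}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(report(summary))
    print("never succeeded:", ", ".join(failing_users(summary)))
```

Run against the excerpt, the report shows user1 with four successes and nonworkinguser with four failures, all via EAP, with the single reason "rlm_ldap: User not found" and the single station 00-0C-F1-12-49-DD. Reading the reason and the MAC together per user is the point: the reason alone says which module commented, the MAC says which client was trying, and the radiusd -X output for that attempt is where the actual rejecting module shows up.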