XP Extensions for PEAP/MSCHAPv2

Casartello, Thomas tcasartello at wsc.ma.edu
Fri May 30 16:57:36 CEST 2008 

Looks like this may be another Fedora 9 problem. I tried this on a server running Fedora 8 with RADIUS 1.1.7 and it worked. (I tried 1.1.7 on my Fedora 9 machine and had the same problem.) 

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: tcasartello at wsc.ma.edu

Red Hat Certified Technician (RHCT)


-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Casartello, Thomas
Sent: Friday, May 30, 2008 10:24 AM
To: FreeRadius users mailing list
Subject: RE: XP Extensions for PEAP/MSCHAPv2

Here's a snippet of the debug..

radius_xlat:  '--username=tcasartello'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
 mschap2: 3d
radius_xlat:  '--challenge=c1b030c3f14da3b1'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat:  '--nt-response=39b7dd714f0104723f917c82db10c17738015c22186940b0'
Exec-Program output: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 
Exec-Program-Wait: plaintext: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 37
modcall: leaving group MS-CHAP (returns ok) for request 37
MSCHAP Success 
  modcall[authenticate]: module "eap" returns handled for request 37
modcall: leaving group authenticate (returns handled) for request 37
  PEAP: Got tunneled Access-Challenge
  modcall[authenticate]: module "eap" returns handled for request 37
modcall: leaving group authenticate (returns handled) for request 37
Sending Access-Challenge of id 38 to 192.168.223.1 port 1645
        EAP-Message = 0x010a004a1900170301003f6adf2a774f5eb8ecfc6247131c81763255f6a526544dab03eb222ffc65777763c1426ce728a43fb70924d29e28f3cd3a145846d0a83a5692518aaf83d99320
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x42e8dc477d661fd07c3ccb0211ac0fac
Finished request 37

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: tcasartello at wsc.ma.edu

Red Hat Certified Technician (RHCT)


-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Casartello, Thomas
Sent: Friday, May 30, 2008 10:15 AM
To: FreeRadius users mailing list
Subject: RE: XP Extensions for PEAP/MSCHAPv2

I tried regenerating the certs using the bootstrap file (Which I saw includes the XP extensions with the certs that it generates.) I'm still running into the same issue. 

Here's my eap and mschap config..any other info I could show to help troubleshoot?

Eap.conf config:
    
    eap {
                default_eap_type = peap

                timer_expire     = 60
                ignore_unknown_eap_types = no
                
                cisco_accounting_username_bug = no
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }
     tls {
                        private_key_password = whatever
                        private_key_file = ${raddbdir}/certs/cert-srv.pem
                        certificate_file = ${raddbdir}/certs/cert-srv.pem
                        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                        dh_file = ${raddbdir}/certs/dh               
                        random_file = /dev/urandom
		}

                peap {
                        default_eap_type = mschapv2    
 			}
                mschapv2 {
                }       
        }             

Mschap config:
       mschap {
                with_ntdomain_hack = yes
                              ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%$
        }
Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: tcasartello at wsc.ma.edu

Red Hat Certified Technician (RHCT)

-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, May 30, 2008 1:41 AM
To: FreeRadius users mailing list
Subject: Re: XP Extensions for PEAP/MSCHAPv2

Casartello, Thomas wrote:
> I have everything working, but I believe I’ve hit the problem with the
> OIDs windows needs for the SSL cert. I generated a key with openssl and
> a req and I actually have a real cert assigned for the server. How do I
> go about modifying my key and cert so that XP users will be able to
> connect? I can connect with other OSes.

  In 2.0, see raddb/certs/.  There are scripts and configurations to
make certificates that Windows will like.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list