XP Extensions for PEAP/MSCHAPv2

Casartello, Thomas tcasartello at wsc.ma.edu
Fri May 30 17:28:16 CEST 2008


Oh and yes, if I just send a non EAP mschap request to the server it works.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: tcasartello at wsc.ma.edu

Red Hat Certified Technician (RHCT)


-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: Friday, May 30, 2008 11:04 AM
To: FreeRadius users mailing list
Subject: RE: XP Extensions for PEAP/MSCHAPv2

Certificates are not the problem. There is MSCHAP Success there which
means that this is inner-tunnel stuff.

Do ordinary mschap requests work?

Ivan Kalik
Kalik Informatika ISP


Dana 30/5/2008, "Casartello, Thomas" <tcasartello at wsc.ma.edu> piše:

>Here's a snippet of the debug..
>
>radius_xlat:  '--username=tcasartello'
>radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
> mschap2: 3d
>radius_xlat:  '--challenge=c1b030c3f14da3b1'
>radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
>radius_xlat:  '--nt-response=39b7dd714f0104723f917c82db10c17738015c22186940b0'
>Exec-Program output: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 
>Exec-Program-Wait: plaintext: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 
>Exec-Program: returned: 0
>rlm_mschap: adding MS-CHAPv2 MPPE keys
>  modcall[authenticate]: module "mschap" returns ok for request 37
>modcall: leaving group MS-CHAP (returns ok) for request 37
>MSCHAP Success 
>  modcall[authenticate]: module "eap" returns handled for request 37
>modcall: leaving group authenticate (returns handled) for request 37
>  PEAP: Got tunneled Access-Challenge
>  modcall[authenticate]: module "eap" returns handled for request 37
>modcall: leaving group authenticate (returns handled) for request 37
>Sending Access-Challenge of id 38 to 192.168.223.1 port 1645
>        EAP-Message = 0x010a004a1900170301003f6adf2a774f5eb8ecfc6247131c81763255f6a526544dab03eb222ffc65777763c1426ce728a43fb70924d29e28f3cd3a145846d0a83a5692518aaf83d99320
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x42e8dc477d661fd07c3ccb0211ac0fac
>Finished request 37
>
>Thomas E. Casartello, Jr.
>Infrastructure Technician
>Linux Specialist
>Department of Information Technology
>Westfield State College
>Wilson 105-A
>(413) 572-8245
>E-Mail: tcasartello at wsc.ma.edu
>
>Red Hat Certified Technician (RHCT)
>
>
>-----Original Message-----
>From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Casartello, Thomas
>Sent: Friday, May 30, 2008 10:15 AM
>To: FreeRadius users mailing list
>Subject: RE: XP Extensions for PEAP/MSCHAPv2
>
>I tried regenerating the certs using the bootstrap file (Which I saw includes the XP extensions with the certs that it generates.) I'm still running into the same issue. 
>
>Here's my eap and mschap config..any other info I could show to help troubleshoot?
>
>Eap.conf config:
>    
>    eap {
>                default_eap_type = peap
>
>                timer_expire     = 60
>                ignore_unknown_eap_types = no
>                
>                cisco_accounting_username_bug = no
>                md5 {
>                }
>                leap {
>                }
>                gtc {
>                        auth_type = PAP
>                }
>     tls {
>                        private_key_password = whatever
>                        private_key_file = ${raddbdir}/certs/cert-srv.pem
>                        certificate_file = ${raddbdir}/certs/cert-srv.pem
>                        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>                        dh_file = ${raddbdir}/certs/dh               
>                        random_file = /dev/urandom
>		}
>
>                peap {
>                        default_eap_type = mschapv2    
> 			}
>                mschapv2 {
>                }       
>        }             
>
>Mschap config:
>       mschap {
>                with_ntdomain_hack = yes
>                              ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%$
>        }
>Thomas E. Casartello, Jr.
>Infrastructure Technician
>Linux Specialist
>Department of Information Technology
>Westfield State College
>Wilson 105-A
>(413) 572-8245
>E-Mail: tcasartello at wsc.ma.edu
>
>Red Hat Certified Technician (RHCT)
>
>-----Original Message-----
>From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Alan DeKok
>Sent: Friday, May 30, 2008 1:41 AM
>To: FreeRadius users mailing list
>Subject: Re: XP Extensions for PEAP/MSCHAPv2
>
>Casartello, Thomas wrote:
>> I have everything working, but I believe I’ve hit the problem with the
>> OIDs windows needs for the SSL cert. I generated a key with openssl and
>> a req and I actually have a real cert assigned for the server. How do I
>> go about modifying my key and cert so that XP users will be able to
>> connect? I can connect with other OSes.
>
>  In 2.0, see raddb/certs/.  There are scripts and configurations to
>make certificates that Windows will like.
>
>  Alan DeKok.
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list