XP Extensions for PEAP/MSCHAPv2
Casartello, Thomas
tcasartello at wsc.ma.edu
Fri May 30 17:28:16 CEST 2008
Oh and yes, if I just send a non EAP mschap request to the server it works.
Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: tcasartello at wsc.ma.edu
Red Hat Certified Technician (RHCT)
-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: Friday, May 30, 2008 11:04 AM
To: FreeRadius users mailing list
Subject: RE: XP Extensions for PEAP/MSCHAPv2
Certificates are not the problem. There is MSCHAP Success there which
means that this is inner-tunnel stuff.
Do ordinary mschap requests work?
Ivan Kalik
Kalik Informatika ISP
Dana 30/5/2008, "Casartello, Thomas" <tcasartello at wsc.ma.edu> piše:
>Here's a snippet of the debug..
>
>radius_xlat: '--username=tcasartello'
>radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
> mschap2: 3d
>radius_xlat: '--challenge=c1b030c3f14da3b1'
>radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
>radius_xlat: '--nt-response=39b7dd714f0104723f917c82db10c17738015c22186940b0'
>Exec-Program output: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6
>Exec-Program-Wait: plaintext: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6
>Exec-Program: returned: 0
>rlm_mschap: adding MS-CHAPv2 MPPE keys
> modcall[authenticate]: module "mschap" returns ok for request 37
>modcall: leaving group MS-CHAP (returns ok) for request 37
>MSCHAP Success
> modcall[authenticate]: module "eap" returns handled for request 37
>modcall: leaving group authenticate (returns handled) for request 37
> PEAP: Got tunneled Access-Challenge
> modcall[authenticate]: module "eap" returns handled for request 37
>modcall: leaving group authenticate (returns handled) for request 37
>Sending Access-Challenge of id 38 to 192.168.223.1 port 1645
> EAP-Message = 0x010a004a1900170301003f6adf2a774f5eb8ecfc6247131c81763255f6a526544dab03eb222ffc65777763c1426ce728a43fb70924d29e28f3cd3a145846d0a83a5692518aaf83d99320
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x42e8dc477d661fd07c3ccb0211ac0fac
>Finished request 37
>
>Thomas E. Casartello, Jr.
>Infrastructure Technician
>Linux Specialist
>Department of Information Technology
>Westfield State College
>Wilson 105-A
>(413) 572-8245
>E-Mail: tcasartello at wsc.ma.edu
>
>Red Hat Certified Technician (RHCT)
>
>
>-----Original Message-----
>From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Casartello, Thomas
>Sent: Friday, May 30, 2008 10:15 AM
>To: FreeRadius users mailing list
>Subject: RE: XP Extensions for PEAP/MSCHAPv2
>
>I tried regenerating the certs using the bootstrap file (Which I saw includes the XP extensions with the certs that it generates.) I'm still running into the same issue.
>
>Here's my eap and mschap config..any other info I could show to help troubleshoot?
>
>Eap.conf config:
>
> eap {
> default_eap_type = peap
>
> timer_expire = 60
> ignore_unknown_eap_types = no
>
> cisco_accounting_username_bug = no
> md5 {
> }
> leap {
> }
> gtc {
> auth_type = PAP
> }
> tls {
> private_key_password = whatever
> private_key_file = ${raddbdir}/certs/cert-srv.pem
> certificate_file = ${raddbdir}/certs/cert-srv.pem
> CA_file = ${raddbdir}/certs/demoCA/cacert.pem
> dh_file = ${raddbdir}/certs/dh
> random_file = /dev/urandom
> }
>
> peap {
> default_eap_type = mschapv2
> }
> mschapv2 {
> }
> }
>
>Mschap config:
> mschap {
> with_ntdomain_hack = yes
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%$
> }
>Thomas E. Casartello, Jr.
>Infrastructure Technician
>Linux Specialist
>Department of Information Technology
>Westfield State College
>Wilson 105-A
>(413) 572-8245
>E-Mail: tcasartello at wsc.ma.edu
>
>Red Hat Certified Technician (RHCT)
>
>-----Original Message-----
>From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Alan DeKok
>Sent: Friday, May 30, 2008 1:41 AM
>To: FreeRadius users mailing list
>Subject: Re: XP Extensions for PEAP/MSCHAPv2
>
>Casartello, Thomas wrote:
>> I have everything working, but I believe Iâve hit the problem with the
>> OIDs windows needs for the SSL cert. I generated a key with openssl and
>> a req and I actually have a real cert assigned for the server. How do I
>> go about modifying my key and cert so that XP users will be able to
>> connect? I can connect with other OSes.
>
> In 2.0, see raddb/certs/. There are scripts and configurations to
>make certificates that Windows will like.
>
> Alan DeKok.
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list