XP Extensions for PEAP/MSCHAPv2

Casartello, Thomas tcasartello at wsc.ma.edu
Fri May 30 17:58:36 CEST 2008


I'm going to conclude this as an issue with Fedora 9. I'm going to bring my RADIUS server down to Fedora 8. I just installed the newest version of FreeRADIUS on my Fedora 8 box and the EAP works fine even going to the active directory from this same access point.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: tcasartello at wsc.ma.edu

Red Hat Certified Technician (RHCT)


-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Casartello, Thomas
Sent: Friday, May 30, 2008 11:28 AM
To: FreeRadius users mailing list
Subject: RE: XP Extensions for PEAP/MSCHAPv2

Oh, and yes, if I just send a non-EAP mschap request to the server, it works.


-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Ivan Kalik
Sent: Friday, May 30, 2008 11:04 AM
To: FreeRadius users mailing list
Subject: RE: XP Extensions for PEAP/MSCHAPv2

Certificates are not the problem. There is MSCHAP Success there which
means that this is inner-tunnel stuff.

Do ordinary mschap requests work?

Ivan Kalik
Kalik Informatika ISP


On 30/5/2008, "Casartello, Thomas" <tcasartello at wsc.ma.edu> wrote:

>Here's a snippet of the debug..
>
>radius_xlat:  '--username=tcasartello'
>radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
> mschap2: 3d
>radius_xlat:  '--challenge=c1b030c3f14da3b1'
>radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
>radius_xlat:  '--nt-response=39b7dd714f0104723f917c82db10c17738015c22186940b0'
>Exec-Program output: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 
>Exec-Program-Wait: plaintext: NT_KEY: B53F7A476F9C7D2E744175E014C5EBE6 
>Exec-Program: returned: 0
>rlm_mschap: adding MS-CHAPv2 MPPE keys
>  modcall[authenticate]: module "mschap" returns ok for request 37
>modcall: leaving group MS-CHAP (returns ok) for request 37
>MSCHAP Success 
>  modcall[authenticate]: module "eap" returns handled for request 37
>modcall: leaving group authenticate (returns handled) for request 37
>  PEAP: Got tunneled Access-Challenge
>  modcall[authenticate]: module "eap" returns handled for request 37
>modcall: leaving group authenticate (returns handled) for request 37
>Sending Access-Challenge of id 38 to 192.168.223.1 port 1645
>        EAP-Message = 0x010a004a1900170301003f6adf2a774f5eb8ecfc6247131c81763255f6a526544dab03eb222ffc65777763c1426ce728a43fb70924d29e28f3cd3a145846d0a83a5692518aaf83d99320
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0x42e8dc477d661fd07c3ccb0211ac0fac
>Finished request 37
>
>
>-----Original Message-----
>From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Casartello, Thomas
>Sent: Friday, May 30, 2008 10:15 AM
>To: FreeRadius users mailing list
>Subject: RE: XP Extensions for PEAP/MSCHAPv2
>
>I tried regenerating the certs using the bootstrap file (which I saw includes the XP extensions with the certs that it generates). I'm still running into the same issue.
>
>Here's my eap and mschap config. Any other info I could show to help troubleshoot?
>
>Eap.conf config:
>
>    eap {
>        default_eap_type = peap
>
>        timer_expire = 60
>        ignore_unknown_eap_types = no
>
>        cisco_accounting_username_bug = no
>        md5 {
>        }
>        leap {
>        }
>        gtc {
>            auth_type = PAP
>        }
>        tls {
>            private_key_password = whatever
>            private_key_file = ${raddbdir}/certs/cert-srv.pem
>            certificate_file = ${raddbdir}/certs/cert-srv.pem
>            CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>            dh_file = ${raddbdir}/certs/dh
>            random_file = /dev/urandom
>        }
>
>        peap {
>            default_eap_type = mschapv2
>        }
>        mschapv2 {
>        }
>    }
>
>Mschap config:
>
>    mschap {
>        with_ntdomain_hack = yes
>        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%$
>    }
>
>-----Original Message-----
>From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Alan DeKok
>Sent: Friday, May 30, 2008 1:41 AM
>To: FreeRadius users mailing list
>Subject: Re: XP Extensions for PEAP/MSCHAPv2
>
>Casartello, Thomas wrote:
>> I have everything working, but I believe I’ve hit the problem with the
>> OIDs Windows needs for the SSL cert. I generated a key with openssl and
>> a req and I actually have a real cert assigned for the server. How do I
>> go about modifying my key and cert so that XP users will be able to
>> connect? I can connect with other OSes.
>
>  In 2.0, see raddb/certs/.  There are scripts and configurations to
>make certificates that Windows will like.
>
>  Alan DeKok.
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
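
For the certificate question that opened this thread (the OIDs Windows XP needs in the server certificate), a way to check a certificate for the Server Authentication extended key usage, and to sign a CSR so that it carries it. This is an added example, not code from the thread or from FreeRADIUS; it assumes the openssl command-line tool is installed, and every file name, subject name and the xp_server_ext section name is constructed for the demo.

```shell
#!/bin/sh
# Added example. File names, subject names and the xp_server_ext section
# name are constructed for this demo; only the OID is a fixed value.

SERVER_AUTH_OID=1.3.6.1.5.5.7.3.1   # id-kp-serverAuth ("TLS Web Server Authentication")

# has_server_auth_eku CERT.pem
# Exit 0 if the certificate's Extended Key Usage lists Server Authentication.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

# make_demo_certs DIR
# Build a throwaway CA and sign one CSR twice: once with no extension file
# (server-plain.pem) and once with the serverAuth EKU (server-xp.pem).
make_demo_certs() {
    d=$1
    mkdir -p "$d" || return 1
    printf '[ xp_server_ext ]\nextendedKeyUsage = %s\n' "$SERVER_AUTH_OID" \
        > "$d/xpext.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Test CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=radius.example.test' \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/server-plain.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/xpext.cnf" -extensions xp_server_ext \
        -out "$d/server-xp.pem" 2>/dev/null || return 1
}

# Run as "sh script.sh demo" to build the certificates and report on both.
if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d) && make_demo_certs "$dir" || exit 1
    for c in server-plain.pem server-xp.pem; do
        if has_server_auth_eku "$dir/$c"; then echo "$c: serverAuth EKU present"
        else echo "$c: serverAuth EKU missing"; fi
    done
    rm -rf "$dir"
fi
```

A certificate that has already been issued cannot have the extension added afterwards; has_server_auth_eku only tells you whether the CA included it, and a missing EKU means requesting a re-issue.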
