last hurdle...windows clients

Craig White craigwhite at azapple.com
Tue Nov 25 03:44:25 CET 2008


On Sun, 2008-11-23 at 02:59 -0600, Alan DeKok wrote:
> Craig White wrote:
> > OK - that quiets the notification but I still can't figure out the issue
> > where I can authenticate RRAS, Macintosh and iPod clients against radius
> > via LDAP using mschapv2 but even with the certificates on Windows XP
> > clients, with the 'xpextensions' they always try to authenticate as
> > 'uid=anonymous' and never ask me for name/password credentials to supply
> > for authentication.
> 
>   Then the supplicant is misconfigured.
> 
> > While I probably would agree that the certificates should be enough and
> > not need the user/password authentication, I can't figure out how to
> > tell radiusd to accept those with the certificates.
> 
>   No.  PEAP does MS-CHAP for username/passwd authentication.  If you
> want authentication via client certs, use TLS.
> 
> > Either way I would be happy...getting windows clients to provide
> > username/password or getting radius to accept a client with the
> > certificate.
> 
>   There's something else in your windows configuration that is making it
> *not* ask you for the username/password.  Maybe it's cached in the registry.
----
HKCU\Software\Microsoft doesn't even have an EAPOL entry at all.

Fixed the cert issue, but it's still trying to authenticate as
anonymous  ;-(

I realize that freeradius has little control over the supplicant, but I'm
wondering if it's something in my setup of TLS, whether the authentication
should or shouldn't be part of the tunnel, because it just assumes a login
of anonymous instead of the Windows user/password, or never asks me for a
user/password...

rad_recv: Access-Request packet from host 192.168.1.250:2054, id=168,
length=161
        User-Name = "anonymous"
        NAS-IP-Address = 192.168.1.250
        NAS-Port = 0
        Called-Station-Id = "00-21-29-E3-D1-84"
        Calling-Station-Id = "00-04-23-62-BD-3D"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x026300061900
        State = 0x7de5407f2f55958f61578bc598c219a9
        Message-Authenticator = 0x0682bd2213fba7b19656a91ac1454267
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 46
  modcall[authorize]: module "preprocess" returns ok for request 46
  modcall[authorize]: module "chap" returns noop for request 46
  modcall[authorize]: module "mschap" returns noop for request 46
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 46
  rlm_eap: EAP packet type response id 99 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 46
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module "files" returns ok for request 46
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'ou=People,ou=Accounts,o=MyOrg'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,ou=Accounts,o=MyOrg, with
filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 46
modcall: leaving group authorize (returns updated) for request 46
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 46
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 46
modcall: leaving group authenticate (returns handled) for request 46
Sending Access-Challenge of id 168 to 192.168.1.250 port 2054
        EAP-Message = (value omitted)
        EAP-Message = (value omitted)
        EAP-Message = (value omitted)
        EAP-Message = (value omitted)
        EAP-Message = 0x7f47f869ba7025d999bf4a37469dd40ec3cc
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x28ab70e596615ccdfa8d83b1787bc31e
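Added example, not part of the post above and not FreeRADIUS code: a small decoder for the EAP-Message attribute values that radiusd prints, to make the exchange in the debug output readable. It confirms that the Access-Request in the log carries a PEAP (EAP type 25) acknowledgement with no TLS data, which is exactly what "EAP packet type response id 99 length 6" and "Received EAP-TLS ACK message" report, and that the only identity the outer authorize section can see is the User-Name "anonymous". The sample debug text and the EAP-TLS Start packet in the test are constructed; the method-type numbers are from the IANA EAP registry and the flag layout from RFC 5216.

```python
import re

# EAP header codes (RFC 3748).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAP method types that matter in this thread (IANA EAP Method Types registry).
EAP_TYPES = {
    1: "Identity",
    3: "Nak",
    13: "EAP-TLS",
    21: "EAP-TTLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
}

# Methods whose payload starts with the EAP-TLS flags octet (L, M, S bits).
TLS_BASED = {13, 21, 25}

# Assumed log format: FreeRADIUS 1.x/2.x "attribute = value" debug lines; the
# value may be wrapped onto the next line by the mail client, so \s* spans newlines.
EAP_MSG_RE = re.compile(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)")
USER_NAME_RE = re.compile(r'User-Name\s*=\s*"([^"]*)"')


def parse_eap_message(hex_value: str) -> dict:
    """Parse one EAP packet given as the 0x... hex string radiusd prints."""
    if hex_value.startswith(("0x", "0X")):
        hex_value = hex_value[2:]
    data = bytes.fromhex(hex_value)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response must carry a Type octet")
        eap_type = data[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type in TLS_BASED:
            flags = data[5] if length > 5 else 0
            info["flags"] = {
                "L": bool(flags & 0x80),   # TLS message length included
                "M": bool(flags & 0x40),   # more fragments follow
                "S": bool(flags & 0x20),   # TLS Start
                "version": flags & 0x07,   # PEAP/TTLS version bits
            }
            # Type + flags octet with no TLS data is an ACK of the peer's
            # previous fragment; radiusd logs it as "Received EAP-TLS ACK message".
            info["is_ack"] = length == 6 and not (flags & 0xE0)
    return info


def summarize_request(debug_text: str) -> dict:
    """Outer identity plus decoded EAP packet from one rad_recv block.

    Several EAP-Message attributes in one RADIUS packet are fragments of a
    single EAP packet, so they are concatenated before decoding.
    """
    user = USER_NAME_RE.search(debug_text)
    fragments = [m[2:] for m in EAP_MSG_RE.findall(debug_text)]
    if not fragments:
        raise ValueError("no EAP-Message attribute found")
    return {
        "outer_identity": user.group(1) if user else None,
        "eap": parse_eap_message("".join(fragments)),
    }


# Constructed sample: the attribute lines of the Access-Request shown above.
SAMPLE_REQUEST = '''rad_recv: Access-Request packet from host 192.168.1.250:2054, id=168,
length=161
        User-Name = "anonymous"
        NAS-IP-Address = 192.168.1.250
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x026300061900
        Message-Authenticator =
0x0682bd2213fba7b19656a91ac1454267
'''

if __name__ == "__main__":
    print(summarize_request(SAMPLE_REQUEST))
```

The decoded packet is the outer, unencrypted leg of PEAP: the supplicant has only sent its outer identity, so every module in the outer authorize section (here rlm_ldap searching for uid=anonymous) runs against that name, and the real user/password exchange, if the supplicant ever starts one, happens inside the TLS tunnel as EAP-MSCHAPv2 (type 26) and shows up as a separate inner request.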

More information about the Freeradius-Users mailing list