Mschapv2 not working! Please help!

saini_jas16 jaswinder.kaur at northyorks.gov.uk
Fri Oct 17 12:49:32 CEST 2008


My certificate generation went really well, no errors at all. I generated the
certificates with openssl. My Windows is also up to date. One thing I would
like to draw your attention to, which even I have only just noticed, is that it
is going through an ongoing EAP conversation. I do not know what this means.
I am attaching below the complete conversation, which is just one
request but consists of almost 7 pages.

rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=207, length=145
        NAS-Port-Id = "2049/1"
        Calling-Station-Id = "00-1F-3B-70-5B-7F"
        Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST"
        Service-Type = Framed-User
        EAP-Message = 0x0201000e016a617377696e646572
        User-Name = "jaswinder"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "3Com"
        NAS-IP-Address = 130.1.254.174
        Message-Authenticator = 0xf63ccec115958bf26b31d981d45e74fc
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jaswinder", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry jaswinder at line 92
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 207 to 130.1.254.174 port 20000
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x42ade4d942affde10d0318327cc26cf5
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=208, length=145
        NAS-Port-Id = "2049/1"
        Calling-Station-Id = "00-1F-3B-70-5B-7F"
        Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST"
        Service-Type = Framed-User
        EAP-Message = 0x0202000e016a617377696e646572
        User-Name = "jaswinder"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "3Com"
        NAS-IP-Address = 130.1.254.174
        Message-Authenticator = 0x6ce51603d385790a48f26b8f8b8ced74
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jaswinder", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry jaswinder at line 92
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 208 to 130.1.254.174 port 20000
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2aaca71b2aafbed260fc846046180105
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=209, length=229
        NAS-Port-Id = "2049/1"
        Calling-Station-Id = "00-1F-3B-70-5B-7F"
        Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST"
        Service-Type = Framed-User
        User-Name = "jaswinder"
        State = 0x2aaca71b2aafbed260fc846046180105
        EAP-Message = 0x0203005019800000004616030100410100003d030148f74ff6fe78ad4a45efb2be837bc5286bbf40fd69482e1455cf68232482fe2600001600040005000a000900640062000300060013001200630100
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "3Com"
        NAS-IP-Address = 130.1.254.174
        Message-Authenticator = 0x891f4b7fd81806810ba67094f50d2e72
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jaswinder", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 057f], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 209 to 130.1.254.174 port 20000
        EAP-Message = 0xf79ea04b8da213dba5afb4a1
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2aaca71b2ba8bed260fc846046180105
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=210, length=155
        NAS-Port-Id = "2049/1"
        Calling-Station-Id = "00-1F-3B-70-5B-7F"
        Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST"
        Service-Type = Framed-User
        User-Name = "jaswinder"
        State = 0x2aaca71b2ba8bed260fc846046180105
        EAP-Message = 0x020400061900
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "3Com"
        NAS-IP-Address = 130.1.254.174
        Message-Authenticator = 0xedfc96cee46cd1ae4c2bb2edb58beb6d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jaswinder", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 210 to 130.1.254.174 port 20000
        EAP-Message = 0x270eb9001d46851f7c2b3952c24edaae2443a81107bb833c09281bacf591d9916c07575605100a21467d4530690e77a4f725a9b216ca755b8d0cd893922fe36b8837c9e8ec081c46f9f4eed2fc9838415ff9fd44c5e2efc04a9037bbd68af38bb76859c79de8c55f689efb8816db1b09b51ba5d6518416b4796263ef38976e33a268920afb4a8e00d28a041133e4c472c44372ee427f00cf1fbc044447054c22025e7fa95392d70a78aae166cca57ac97ff24309543a20ca5389b652b3e8789d11ce199ee1d216030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2aaca71b28a9bed260fc846046180105
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=211, length=729
        NAS-Port-Id = "2049/1"
        Calling-Station-Id = "00-1F-3B-70-5B-7F"
        Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST"
        Service-Type = Framed-User
        User-Name = "jaswinder"
        State = 0x2aaca71b28a9bed260fc846046180105
        EAP-Message = 0xeed4e752b463889892048fb908fbb9e3aa007f818dbd748f52757d122e1403010001011603010020ce5fb7cdcc8e3e0d7d94e85912776bfc213cbd1712f3cb886c58a737608a4f55
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "3Com"
        NAS-IP-Address = 130.1.254.174
        Message-Authenticator = 0x76d3b1109f1d3b8742d0d48a3d5b6287
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jaswinder", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 252
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 566
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0206], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 211 to 130.1.254.174 port 20000
        EAP-Message = 0x0106003119001403010001011603010020b117ea55275553e890ee4de849ea7d495a46e8c5e63d7b80e1a369d181ff8020
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2aaca71b29aabed260fc846046180105
Finished request 4.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=212, length=182
        NAS-Port-Id = "2049/1"
        Calling-Station-Id = "00-1F-3B-70-5B-7F"
        Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST"
        Service-Type = Framed-User
        User-Name = "jaswinder"
        State = 0x2aaca71b29aabed260fc846046180105
        EAP-Message = 0x02060021198000000017150301001294659677442f8e7a361ee8ee93374c90ed53
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "3Com"
        NAS-IP-Address = 130.1.254.174
        Message-Authenticator = 0xe42d1530c16b34c5b74bfb4c486083aa
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jaswinder", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 33
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 23
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
[peap] WARNING: No data inside of the tunnel.
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Tunneled data is invalid.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> jaswinder
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 212 to 130.1.254.174 port 20000
        EAP-Message = 0x04060004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.
Cleaning up request 0 ID 207 with timestamp +46
Cleaning up request 1 ID 208 with timestamp +46
Cleaning up request 2 ID 209 with timestamp +46
Cleaning up request 3 ID 210 with timestamp +46
Waking up in 0.3 seconds.
Cleaning up request 4 ID 211 with timestamp +46
Waking up in 1.0 seconds.
Cleaning up request 5 ID 212 with timestamp +47
Ready to process requests.



Thanks,
Jas




tnt-4 wrote:
> 
>>>> [peap] eaptls_verify returned 11
>>>> [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
>>>> TLS Alert read:fatal:access denied
>>>> [peap] WARNING: No data inside of the tunnel.
> 
> Something is badly broken here. XP rejected the CA certificate. It tends to
> do that if the certificate doesn't have xpextensions. Are you using the CA
> certificate generated by freeradius? Were there any errors when you were
> making certificates? Is your XP patched up-to-date?
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 

-- 
View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p20031019.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
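The trace above is easier to follow once the EAP-Message values are decoded. What follows is an added example, not code from the post and not FreeRADIUS code: it parses the EAP header, the PEAP flag byte and the TLS record headers of the packets quoted in the trace. The hex strings in TRACE are copied from the trace itself; the True/False column marks packets sent after the TLS handshake had finished, because from that point the records are encrypted and the alert type (access_denied) is only visible in the server's own decrypted log line, not on the wire.

```python
"""Decode the EAP-Message values from a 'radiusd -X' trace.

Added example; it is not code from the original post or from FreeRADIUS.
It walks the EAP header (RFC 3748), the EAP-TLS/PEAP flag byte and the TLS
record headers the PEAP payload carries, enough to label each leg of the
exchange.  A packet that radiusd prints over several EAP-Message attributes
must be concatenated before decoding (only the first piece has the header).
"""
import binascii

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                 14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}


def tls_records(buf, encrypted=False):
    """Split buf into TLS record headers (5 bytes: type, version, length).

    After a ChangeCipherSpec every later record is encrypted, so the inner
    handshake or alert type cannot be read from the wire; the server log is
    the only place that shows it (the 'fatal access_denied' line above)."""
    records, pos = [], 0
    while pos + 5 <= len(buf):
        ctype, ver = buf[pos], (buf[pos + 1], buf[pos + 2])
        rlen = int.from_bytes(buf[pos + 3:pos + 5], "big")
        body = buf[pos + 5:pos + 5 + rlen]
        rec = {"content": TLS_CONTENT.get(ctype, str(ctype)),
               "version": TLS_VERSIONS.get(ver, "%d.%d" % ver),
               "length": rlen, "encrypted": encrypted}
        if ctype == 22 and not encrypted and body:
            rec["handshake"] = TLS_HANDSHAKE.get(body[0], str(body[0]))
        if ctype == 20:                      # ChangeCipherSpec: what follows is encrypted
            encrypted = True
        records.append(rec)
        pos += 5 + rlen
    return records


def decode_eap_message(hexstr, encrypted=False):
    """Decode one complete EAP packet given as the '0x...' value radiusd prints.

    Pass encrypted=True for packets sent after the TLS handshake finished."""
    raw = binascii.unhexlify(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP length %d but %d bytes supplied (fragment?)" % (length, len(raw)))
    msg = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    if code in (3, 4):                       # Success/Failure carry no type or data
        return msg
    eap_type, payload = raw[4], raw[5:]
    msg["type"] = EAP_TYPES.get(eap_type, str(eap_type))
    if eap_type == 1:
        msg["identity"] = payload.decode("ascii", "replace")
    elif eap_type in (13, 25):
        flags = payload[0]                   # L=0x80 M=0x40 S=0x20, PEAP version in 0x07
        msg["flags"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
        msg["version"] = flags & 0x07
        tls = payload[1:]
        if flags & 0x80:                     # L set: 4-byte total TLS length follows
            msg["tls_length"] = int.from_bytes(tls[:4], "big")
            tls = tls[4:]
        msg["ack"] = not tls and not (flags & 0x20)   # empty, non-Start = fragment ACK
        msg["records"] = tls_records(tls, encrypted)
    return msg


def describe(msg):
    """One-line label for a decoded packet, the way you would annotate a trace."""
    parts = ["EAP %s id=%d len=%d" % (msg["code"], msg["id"], msg["length"])]
    if "type" in msg:
        parts.append(msg["type"])
    if "identity" in msg:
        parts.append(repr(msg["identity"]))
    if "flags" in msg:
        parts.append("flags=" + ("".join(msg["flags"]) or "-"))
    if msg.get("ack"):
        parts.append("ACK")
    for r in msg.get("records", []):
        name = r["content"] + ("/" + r["handshake"] if "handshake" in r else "")
        parts.append("%s[%d%s]" % (name, r["length"], " enc" if r["encrypted"] else ""))
    return " ".join(parts)


# (hex value copied from the trace, sender, True once the TLS handshake was complete)
TRACE = [
    ("0x0201000e016a617377696e646572", "client", False),
    ("0x010200061920", "server", False),
    ("0x0203005019800000004616030100410100003d030148f74ff6fe78ad4a45efb2be837bc5286bbf40fd69482e1455cf68232482fe2600001600040005000a000900640062000300060013001200630100", "client", False),
    ("0x020400061900", "client", False),
    ("0x0106003119001403010001011603010020b117ea55275553e890ee4de849ea7d495a46e8c5e63d7b80e1a369d181ff8020", "server", False),
    ("0x02060021198000000017150301001294659677442f8e7a361ee8ee93374c90ed53", "client", True),
    ("0x04060004", "server", True),
]

if __name__ == "__main__":
    for hexstr, who, done in TRACE:
        print("%-6s %s" % (who, describe(decode_eap_message(hexstr, encrypted=done))))
```

Run as-is it prints the seven legs of the exchange: Identity, PEAP Start, ClientHello (L bit, 70 TLS bytes), an empty ACK for the server's fragmented Certificate, the server's ChangeCipherSpec plus encrypted Finished, the client's encrypted 18-byte Alert record, and EAP Failure. The client does finish the handshake before sending the alert, which is why the server log shows "SSL Connection Established" immediately followed by the fatal alert.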


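Ivan's reply points at the certificate extensions. As an added check, not from the post and not FreeRADIUS code, the script below pulls the Extended Key Usage OIDs out of a PEM certificate with a minimal stdlib-only DER walker, so you can confirm the server certificate carries id-kp-serverAuth (1.3.6.1.5.5.7.3.1, the OID the xpserver_ext section of FreeRADIUS's xpextensions file sets) before blaming the supplicant. SAMPLE_EXTENSION_DER is a constructed bare EKU extension used only as offline test data, not a real certificate, and the OID search is a sanity check rather than a full X.509 parser.

```python
"""List the Extended Key Usage OIDs of a certificate (stdlib only).

Added example, not code from the original post or from FreeRADIUS.
A minimal DER walker locates id-ce-extKeyUsage (2.5.29.37) in the
certificate and decodes the OIDs inside, so a RADIUS server certificate
can be checked for id-kp-serverAuth before blaming the supplicant.
"""
import base64
import re

OID_EKU_DER = b"\x06\x03\x55\x1d\x25"   # OBJECT IDENTIFIER 2.5.29.37 as it appears in DER
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth (FreeRADIUS xpserver_ext)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"      # id-kp-clientAuth (FreeRADIUS xpclient_ext)

# Constructed test data: one bare Extension {extnID, extnValue} carrying serverAuth.
# It is NOT a certificate, just enough structure to exercise the parser offline.
SAMPLE_EXTENSION_DER = bytes.fromhex("3013 0603551d25 040c 300a 0608 2b06010505070301")


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted string (X.690 8.19)."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def eku_oids_from_der(der):
    """Return the EKU OIDs found in DER (certificate or bare Extension), [] if absent."""
    idx = der.find(OID_EKU_DER)            # first occurrence; adequate for a sanity check
    if idx < 0:
        return []
    _, _, pos = _tlv(der, idx)             # step over extnID
    tag, value, pos = _tlv(der, pos)
    if tag == 0x01:                        # optional 'critical' BOOLEAN
        tag, value, pos = _tlv(der, pos)
    if tag != 0x04:
        raise ValueError("expected extnValue OCTET STRING, got tag 0x%02x" % tag)
    _, seq, _ = _tlv(value, 0)             # ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId
    oids, p = [], 0
    while p < len(seq):
        t, v, p = _tlv(seq, p)
        if t == 0x06:
            oids.append(decode_oid(v))
    return oids


def eku_oids_from_pem(pem_text):
    """Same check for PEM input, e.g. the server.pem FreeRADIUS's certs/Makefile produces."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return eku_oids_from_der(base64.b64decode("".join(m.group(1).split())))


def has_server_auth(oids):
    """True when the EKU list allows the certificate to identify a TLS/EAP server."""
    return SERVER_AUTH in oids


def sample_pem():
    """PEM-wrap the constructed extension so eku_oids_from_pem can be exercised offline."""
    b64 = base64.b64encode(SAMPLE_EXTENSION_DER).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_pem()
    found = eku_oids_from_pem(text)
    print("EKU:", found or "(none)", "- serverAuth present:", has_server_auth(found))
```

Point it at the real file (python3 eku_check.py server.pem) and compare with openssl x509 -in server.pem -noout -text, where the same OID is printed as "TLS Web Server Authentication" under "X509v3 Extended Key Usage"; a certificate with no EKU at all, or with only clientAuth, is the case Ivan's reply describes.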