Logins against AD failing in *most* cases. Can see why, but don't *understand* why.

Alan DeKok aland at deployingradius.com
Tue Dec 1 19:18:14 CET 2009


Meyers, Dan wrote:
>> This is most likely a CA cert problem. The comments in the default
>> "eap.conf" give a very specific warning about this (access-challenge
>> which is never replied to) and explain the issue.
> 
> This being the case, why does my machine successfully respond to all the
> other Access-Challenges before the MSCHAPv2 password is dealt with?

  It is setting up a TLS tunnel, and doing certificate exchanges.  In
this regard, RADIUS is *just* like ethernet.  When you connect to a web
server via HTTPS, there is a *lot* of network traffic before you get the
real content: the web page.

  With PEAP, the real content is the username && password in the tunnel.
 If the client doesn't like the server certificate, it spends a lot of
time (and packets) figuring that out.

> The
> trace I gave was for an Access-Challenge id 107. Ids 100 (my initial
> request) to 106 (the other parts of the EAP setup) all finish with an
> Access-Challenge with an EAP-Message being sent to my client, and all of
> those Challenges are successfully responded to.

  Use wireshark to look at the packets.  All it's doing is TLS setup,
and certificate exchanges.  *No* user authentication is happening.

> It was also my (possibly
> erroneous) understanding that FreeRADIUS would never get to the point of
> being able to get the MSCHAPv2 password from the client if the CA cert
> was incorrect, as it would never complete the setup of the EAP session
> inside which the MSCHAPv2 data is contained.

  Yes.  That's what you're seeing.  The *client* is deciding it doesn't
like the certificate, and is stopping.

  Remember... the RADIUS server has nearly *zero* power in the network.
 The NAS controls almost everything.  The supplicant (client machine)
controls almost everything else.  The server has the *least* amount of
power.

> Additionally I am using exactly the same certificates, file ownership
> and permissions and eap.conf settings that worked fine before the AD
> upgrade, and the certificates are not used in talking to the domain to
> auth credentials so I can't think that the issue lies there.

  <shrug>  It's Windows.  It's difficult to tell what it's doing.  AD
upgrades intentionally break inter-operability with Samba, and XP /
Vista upgrades intentionally break inter-operability with all
third-party RADIUS servers.

  And FreeRADIUS always gets the blame.  It explains why I come across
as cranky much of the time.

> I am perfectly willing to accept that you may be right and this may be
> my issue, I just don't understand how it has suddenly become a problem.

  Ask Microsoft for explanations && fixes.  If you get *any* response,
it will be "thanks, we'll look into that".

  The people on this list are stuck just as much as you are.  But we try
to help, which makes a certain class of people think everything is *our*
fault.

  Alan DeKok.
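The symptom Alan points at (a run of Access-Request/Access-Challenge round trips that are all answered, then one final Access-Challenge the supplicant never replies to, with no Access-Accept or Access-Reject) can be spotted mechanically in a debug log. The script below is an added example, not part of the original thread and not FreeRADIUS code. It walks a constructed log loosely modelled on `radiusd -X` output (the exact line wording is an assumption) and reports how many EAP round trips completed before the client went silent, which is the TLS-setup-abandoned pattern the eap.conf comments describe.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, loosely modelled on FreeRADIUS -X debug output.
# Ids 100..106 are each answered by a new Access-Request; id 107 is not,
# matching the exchange described in the thread. Line formats are an
# assumption for this example; real output may differ in wording.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=100, length=150
Sending Access-Challenge of id 100 to 10.0.0.5 port 1812
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=101, length=220
Sending Access-Challenge of id 101 to 10.0.0.5 port 1812
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=102, length=220
Sending Access-Challenge of id 102 to 10.0.0.5 port 1812
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=103, length=220
Sending Access-Challenge of id 103 to 10.0.0.5 port 1812
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=104, length=220
Sending Access-Challenge of id 104 to 10.0.0.5 port 1812
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=105, length=220
Sending Access-Challenge of id 105 to 10.0.0.5 port 1812
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=106, length=220
Sending Access-Challenge of id 106 to 10.0.0.5 port 1812
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=107, length=180
Sending Access-Challenge of id 107 to 10.0.0.5 port 1812
"""

RECV_RE = re.compile(r"rad_recv: (Access-Request) packet from host (\S+) port \d+, id=(\d+)")
SEND_RE = re.compile(r"Sending (Access-Challenge|Access-Accept|Access-Reject) of id (\d+) to (\S+)")

Event = Tuple[str, str, int]  # (direction, packet code, packet id)


def parse_events(log: str) -> List[Event]:
    """Reduce the log to the sequence of packets received from and sent to the NAS."""
    events: List[Event] = []
    for line in log.splitlines():
        m = RECV_RE.search(line)
        if m:
            events.append(("recv", m.group(1), int(m.group(3))))
            continue
        m = SEND_RE.search(line)
        if m:
            events.append(("send", m.group(1), int(m.group(2))))
    return events


def analyse(events: List[Event]) -> Dict[str, object]:
    """Count answered challenges and detect a conversation the client walked away from.

    A challenge counts as answered when the NAS forwards another Access-Request
    after it (EAP continues); a trailing challenge with no request after it and
    no Accept/Reject means the supplicant stopped talking mid-setup.
    """
    challenges_sent = 0
    answered = 0
    unanswered: List[int] = []
    pending = None          # id of the last challenge still awaiting a reply
    outcome = "incomplete"  # becomes Access-Accept / Access-Reject / abandoned
    for direction, code, pid in events:
        if direction == "recv" and code == "Access-Request":
            if pending is not None:
                answered += 1
                pending = None
        elif direction == "send" and code == "Access-Challenge":
            challenges_sent += 1
            pending = pid
        elif direction == "send":
            outcome = code  # Accept or Reject ends the conversation normally
            pending = None
    if pending is not None:
        unanswered.append(pending)
        outcome = "abandoned"
    hint = ""
    if outcome == "abandoned" and answered >= 1:
        hint = (f"client completed {answered} EAP round trip(s) then stopped replying "
                f"to challenge id {unanswered[0]}; no user authentication was reached, "
                "consistent with the supplicant rejecting the server certificate")
    return {"challenges_sent": challenges_sent, "answered": answered,
            "unanswered": unanswered, "outcome": outcome, "hint": hint}


if __name__ == "__main__":
    result = analyse(parse_events(SAMPLE_LOG))
    print(result["outcome"], result["hint"])
```

On the constructed log this reports eight challenges sent, seven answered, and id 107 left hanging, i.e. the tunnel setup was abandoned before any MSCHAPv2 inner authentication. If the same log ended with an Access-Accept or Access-Reject instead, the outcome would name that code and the supplicant, not the server, would have seen the conversation through.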
