Problems with PEAP

Peter Carlstedt pc_007 at hotmail.com
Mon Dec 7 14:27:00 CET 2009


Hello everyone,
I know that it is something I have forgotten to configure but I can't for my life remember what it is.
What I want to do is to authenticate a user from a Windows machine using PEAP.
The error I get in the output is:

rad_recv: Access-Request packet from host 192.168.118.10 port 35923, id=92, length=230
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "Jens"
    State = 0x99a8723d9faf6be067d44ee908d21fb0
    NAS-Port-Id = "wlan2"
    Calling-Station-Id = "00-26-BB-14-50-CF"
    Called-Station-Id = "02-0B-6B-33-62-35:3"
    EAP-Message = 0x0207005b19001703010050ff6dcfaa2e20081def82599ed160a801cb8b3e047fe0408eca8f0ed5bf985a4594dbf7056245f7ff06e823be7ba31220fb494d61db652b3f05bf75b3767bbfcce4d3c8e706312e385afb35dd2fe6f8f9
    Message-Authenticator = 0x0ba6d2c1daab0232a5b4bd95fac8dc78
    NAS-Identifier = "MikroTik"
    NAS-IP-Address = 192.168.118.10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "Jens", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
    EAP-Message = 0x0207003f1a0207003a31f7f5bfb93119478c28430861f7428ecc000000000000000006883db97ed65677dadd8058359801947d67a7f575431297004a656e73
server  {
  PEAP: Setting User-Name to Jens
Sending tunneled request
    EAP-Message = 0x0207003f1a0207003a31f7f5bfb93119478c28430861f7428ecc000000000000000006883db97ed65677dadd8058359801947d67a7f575431297004a656e73
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "Jens"
    State = 0xdb1b00f8db1c1ab8275dfb2a6c0e04ae
    Service-Type = Framed-User
    Framed-MTU = 1400
    NAS-Port-Id = "wlan2"
    Calling-Station-Id = "00-26-BB-14-50-CF"
    Called-Station-Id = "02-0B-6B-33-62-35:3"
    NAS-Identifier = "MikroTik"
    NAS-IP-Address = 192.168.118.10
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "Jens", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for Jens with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
    MS-CHAP-Error = "\007E=691 R=1"
    EAP-Message = 0x04070004
    Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
    MS-CHAP-Error = "\007E=691 R=1"
    EAP-Message = 0x04070004
    Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 92 to 192.168.118.10 port 35923
    EAP-Message = 0x0108002b19001703010020e9867cd0d691777dff28957e278ff9ee7618f8d26722621a3472801821e637a5
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x99a8723d9ea06be067d44ee908d21fb0
Finished request 197.

Things I've configured in raddb and in raddb/modules are:

1. Added a user called Jens with Cleartext-Password := "kaffe"
2. Added two NAS in clients.conf
3. Set "default_eap_type = peap", "copy_request_to_tunnel = yes" and under the peap section also "default_eap_type = mschapv2" in eap.conf
4. Set & uncommented "use_mppe = yes" and set "require_encryption = yes", "require_strong = yes" in mschap in the directory modules.

Is there anything else I need to do that I have forgotten so I can use PEAP?

Best regards/ Peter Carlstedt
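
Added example (not part of the original post and not FreeRADIUS code): a small Python helper for triaging debug output in the format shown above. It groups module return codes by virtual server and pulls out the failure lines and the MS-CHAP-Error code; SAMPLE is a constructed, shortened excerpt, and the names triage, SAMPLE and ERRORS are assumptions.

```python
import re

# MS-CHAP-Error E= codes as listed in RFC 2759
ERRORS = {646: "restricted logon hours", 647: "account disabled",
          648: "password expired", 649: "no dial-in permission",
          691: "authentication failure", 709: "error changing password"}

# Constructed sample: shortened excerpt in the format of the debug output above
SAMPLE = r"""++[preprocess] returns ok
++[eap] returns ok
server inner-tunnel {
++[unix] returns notfound
++[eap] returns updated
++[files] returns noop
++[pap] returns noop
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] returns reject
++[eap] returns reject
} # server inner-tunnel
    MS-CHAP-Error = "\007E=691 R=1"
++[eap] returns handled
"""

def triage(debug_text):
    """Group module results by virtual server; collect failures and MS-CHAP-Error."""
    stack = ["default"]  # virtual servers currently open; outermost has no name
    report = {"returns": {}, "failures": [], "mschap_error": None}
    for raw in debug_text.splitlines():
        line = raw.strip()
        if m := re.match(r"server\s+(\S*)\s*\{$", line):
            stack.append(m.group(1) or "default")
        elif re.match(r"\}\s*#\s*server\b", line):
            if len(stack) > 1:
                stack.pop()
        elif m := re.match(r"\+\+\[([\w-]+)\] returns (\w+)", line):
            per_server = report["returns"].setdefault(stack[-1], {})
            per_server.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"\[([\w-]+)\] (.*(?:FAILED|No Cleartext-Password).*)", line):
            report["failures"].append((stack[-1], m.group(1), m.group(2)))
        elif m := re.search(r"MS-CHAP-Error = .*E=(\d+) R=(\d)", line):
            code = int(m.group(1))  # R=1 means the peer may retry
            report["mschap_error"] = (code, ERRORS.get(code, "unknown"), m.group(2) == "1")
    return report

if __name__ == "__main__":
    result = triage(SAMPLE)
    for server, modules in result["returns"].items():
        print(server, modules)
    print(result["failures"], result["mschap_error"])
```

Run over the excerpt, the summary shows that the reject originates inside the inner-tunnel virtual server, where files returned noop before mschap reported that no Cleartext-Password was available.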