FreeRadius 2.1.6 + EAP-PEAP issue

Anatoly Oreshkin Anatoly.Oreshkin at pnpi.spb.ru
Wed Jul 8 15:39:41 CEST 2009


Hello,

I am configuring FreeRadius 2.1.6 to authenticate an MS Vista user
using the EAP-PEAP protocol.

The file users looks as follows:

csd-notebook\user_name Cleartext-Password := "user_password"

Where csd-notebook is notebook name.
This setting is working.

But I would like to make 2 improvements to current configuration.

1.  to have an ability to specify only user name in users file in order to
not depend on user computer name.

I was trying to do this by changing some FR 2.1.6 configuration parameters
but failed.

2. To add authentication by computer MAC address

I added Calling-Station-Id == "00-16-EA-8A-DE-38" parameter to users file

csd-notebook\user_name Cleartext-Password := "user_password", Calling-Station-Id == "00-16-EA-8A-DE-38"

but got such error message:

.....
[eap] EAP packet type response id 17 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 159
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for oreshkin with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject


What parameters should I change to make these 2 configurations work?

Current FR 2.1.6 configuration is as follows.

eap.conf:
----------

peap {
      default_eap_type = mschapv2
      copy_request_to_tunnel = no
      use_tunneled_reply = no
      proxy_tunneled_request_as_eap = no
      virtual_server = "inner-tunnel"
}

modules/mschap:
--------------

mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
}

modules/preprocess:
-------------------

preprocess {
            with_ascend_hack = no
            with_ntdomain_hack = no
            with_specialix_jetstream_hack = no
            with_cisco_vsa_hack = no
}

modules/realm:
--------------

realm ntdomain {
         format = prefix
         delimiter = "\\"
}


sites-available/default:
-----------------------

authorize {
           preprocess
           mschap
           suffix

}

authenticate {

              Auth-Type MS-CHAP {
                      mschap
              }

...
}

sites-available/inner-tunnel:
----------------------------

authorize {
           mschap
           suffix
           update control {
                Proxy-To-Realm := LOCAL
           }
...
}

Thank you.
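
A simplified model of the behaviour visible in the debug output, added here as an example (it is not part of the original post and not FreeRADIUS code): with `copy_request_to_tunnel = no`, as in the posted eap.conf, the request handled by the inner-tunnel server carries no Calling-Station-Id, so the `==` check item fails, only DEFAULT matches, and mschap has no Cleartext-Password. The function names, the NAS address and the matching rules are assumptions made for illustration.

```python
# Simplified model of users-file matching (an illustration, not FreeRADIUS source).
# An entry matches when its key equals User-Name (or is DEFAULT) and every
# "==" check item equals the request attribute; ":=" items go to control.

USERS = [  # constructed entries mirroring the post; values are placeholders
    {"key": r"csd-notebook\user_name",
     "check": {"Calling-Station-Id": "00-16-EA-8A-DE-38"},
     "control": {"Cleartext-Password": "user_password"}},
    {"key": "DEFAULT", "check": {}, "control": {}},
]

# Constructed sample requests: outer (RADIUS packet) and tunneled (inside PEAP).
OUTER = {"User-Name": r"csd-notebook\user_name",
         "Calling-Station-Id": "00-16-EA-8A-DE-38",
         "NAS-IP-Address": "192.0.2.1"}
TUNNELED = {"User-Name": r"csd-notebook\user_name"}


def inner_request(outer, tunneled, copy_request_to_tunnel):
    """Build the request seen by the inner-tunnel virtual server."""
    req = dict(tunneled)
    if copy_request_to_tunnel:
        # Outer attributes absent from the tunneled request are copied in.
        for attr, value in outer.items():
            req.setdefault(attr, value)
    return req


def match_users(request):
    """Return (matched key, control items) for the first matching entry."""
    for entry in USERS:
        if entry["key"] not in ("DEFAULT", request.get("User-Name")):
            continue
        if all(request.get(a) == v for a, v in entry["check"].items()):
            return entry["key"], dict(entry["control"])
    return None, {}


def mschap_can_run(control):
    """MS-CHAP needs a known password to derive the NT-Password."""
    return "Cleartext-Password" in control


if __name__ == "__main__":
    for copy in (False, True):
        key, control = match_users(inner_request(OUTER, TUNNELED, copy))
        print(f"copy_request_to_tunnel={copy}: matched {key!r}, "
              f"mschap possible={mschap_can_run(control)}")
```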




