MySQL and PEAP not talking
tnt at kalik.net
Tue Mar 31 00:37:49 CEST 2009
>I am trying to do PEAP authentication (without certificates) where a
>client (Windows XP/Vista) gains WPA wi-fi access with a username and
>password using FreeRADIUS (v2.1.4) as the RADIUS server on Ubuntu
>Linux 8.10.
>
>I have gotten as far as compiling FreeRADIUS with SSL/TLS support and
>getting a Windows client to gain WPA access where his username/pass is
>in the "/etc/freeradius/users" file. I'm not interested in doing any
>LDAP or Active Directory stuff (don't want to use ntlm_auth), so
>obviously "MS-CHAP-Use-NTLM-Auth := No" was included with the
>user/pass in the "/etc/freeradius/users" file.
If you don't configure ntlm_auth in the mschap module, you don't need that.
Remove it from the database.
>freeradius debug (with -X switch) gives me the following (I've only
>included the parts which I think are relevant):
>
>...................
>[sql] expand: SELECT id, username, attribute, value, op
>FROM radcheck WHERE username = '%{SQL-User-Name}'
>ORDER BY id -> SELECT id, username, attribute, value, op
>FROM radcheck WHERE username = 'user1' ORDER BY id
>[sql] User found in radcheck table
>[sql] expand: SELECT id, username, attribute, value, op
>FROM radreply WHERE username = '%{SQL-User-Name}'
>ORDER BY id -> SELECT id, username, attribute, value, op
>FROM radreply WHERE username = 'user1' ORDER BY id
>[sql] expand: SELECT groupname FROM radusergroup
>WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
>SELECT groupname FROM radusergroup WHERE username
>= 'user8' ORDER BY priority
>rlm_sql (sql): Released sql socket id: 3
>++[sql] returns ok
>...................
> EAP-Message = 0x0108001f1a0108001a1025124f5e6a8bc7778687e657b729c16b7573657238
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x31f7332531ff293ae0350b28678bf4db
>[peap] Got tunneled reply RADIUS code 11
> EAP-Message = 0x0108001f1a0108001a1025124f5e6a8bc7778687e657b729c16b7573657238
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x31f7332531ff293ae0350b28678bf4db
>[peap] Got tunneled Access-Challenge
>++[eap] returns handled
So, this is from a different EAP exchange.
>....................
>[eap] Request found, released from the list
>[eap] EAP/mschapv2
>[eap] processing type mschapv2
>[mschapv2] +- entering group MS-CHAP {...}
>[mschap] No Cleartext-Password configured. Cannot create LM-Password.
>[mschap] No Cleartext-Password configured. Cannot create NT-Password.
>[mschap] Told to do MS-CHAPv2 for user1 with NT-Password
>[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
>[mschap] FAILED: MS-CHAP2-Response is incorrect
>++[mschap] returns reject
>[eap] Freeing handler
>++[eap] returns reject
>Failed to authenticate the user.
>...................
>
>The parts that give away the fact that the "MS-CHAP-Use-NTLM-Auth :=
>No" is not being read from the database:
>1) no users are found in the "SELECT FROM radreply" query
>2) underneath "[peap] Got tunneled reply code 11" there is no
>"MS-CHAP-Use-NTLM-Auth := No" as there is when a user is authenticated
>from the "users" file.
>3) The fact that I cannot get the client to gain access!
It is being read! But it does nothing when ntlm_auth is not configured.
You most likely haven't enabled sql in the inner-tunnel virtual server. But
since you edited the debug there is no way to say for sure.
Ivan Kalik
Kalik Informatika ISP