AW: AW: Authentication with eap/mschapv2
Stefan Hotz
stefhotz at yahoo.de
Fri Sep 18 11:28:44 CEST 2009
Yes, it works with an entry in the user file:
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for s.hotz with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
It works as well if I try it with the ntlm command from the radius server:
/usr/bin/ntlm_auth --request-nt-key --domain=domain --username=s.hotz
So is my guess correct that I have to investigate further in the ntlm_auth command in the mschap module?
I have tried different parameters. Right now it looks like:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{%{mschap:User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
________________________________
From: Ivan Kalik <tnt at kalik.net>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Thursday, 17 September 2009, 19:30:15
Subject: Re: AW: Authentication with eap/mschapv2
> I have tried now both with or without encryption
>
> Module: Instantiating mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
>
> unfortunately the result is still the same
>
> Found Auth-Type = EAP
> +- entering group authenticate {....}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Invalid response type 4
> [eap] Handler failed in EAP/mschapv2
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
>
> Does it make sense to enable the encryption for mschap since the eap
> tunnel (as far as I have understood) is the whole way from the client to the
> radius server?
MPPE is encrypting the connection between the user and the NAS. Nothing to do with
authentication encryption.
Does PEAP work for username/pass in users file? Comment out ntlm_auth
line in mschap module and see if authentication can complete like that.
Ivan Kalik
Kalik Informatika ISP