Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD

Nathan McDavit-Van Fleet nmcdavit at alcor.concordia.ca
Wed Apr 14 22:57:12 CEST 2010


Here is the log for it without auto header.

Regards,

-Nathan

++- elsif (outer.NAS-IP-Address == 132.205.198.43) returns ok  ... 
++skipping elsif for request 30: Preceding "if" was taken  ... skipping 
++elsif for request 30: Preceding "if" was taken [expiration] returns 
++noop [logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for nmcdavit with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [nmcdavit] (from client wireless-lwapp-bench-wlc port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = "\tE=691 R=1"
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = "\tE=691 R=1"
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 55 to 132.205.198.43 port 32770
	EAP-Message = 0x010a002b190017030100207df23a230dcaee583fabd44fedb5cc15e276675fa5d9a5ad2720eb869a812361
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x1e032ffe160936d2d9627494ce41a8f0
Finished request 30.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 132.205.198.43 port 32770, id=56, length=233
	User-Name = "nmcdavit"
	Calling-Station-Id = "00-26-08-E8-67-42"
	Called-Station-Id = "00-24-97-F2-89-40:ConcordiaPEAP"
	NAS-Port = 5
	NAS-IP-Address = 132.205.198.43
	NAS-Identifier = "bench-wlc"
	Airespace-Wlan-Id = 10
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "268"
	EAP-Message = 0x020a002b19001703010020ebc4657c1bed6e0a992ffc4f1dd2ca5ede4739fd6dd2d73825bb6feb5cdd96ab
	State = 0x1e032ffe160936d2d9627494ce41a8f0
	Message-Authenticator = 0xf0b7d88f63be8bdd1b466c976efdf519
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "nmcdavit", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [nmcdavit] (from client wireless-lwapp-bench-wlc port 5 cli 00-26-08-E8-67-42)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> nmcdavit
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated 

> -----Original Message-----
> From: freeradius-users-bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org
> [mailto:freeradius-users-bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org] On Behalf Of
> Nathan McDavit-Van Fleet
> Sent: Wednesday, April 14, 2010 4:16 PM
> To: 'FreeRadius users mailing list'
> Subject: RE: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
> 
> Hi, I did in fact have that enabled.
> 
> Should I have it disabled or enabled?
> 
> 
> 
> > -----Original Message-----
> > From: freeradius-users-bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org
> > [mailto:freeradius-users-bounces+nmcdavit=alcor.concordia.ca at lists.freeradius.org] On Behalf Of
> > Alan Buxey
> > Sent: Wednesday, April 14, 2010 3:00 PM
> > To: FreeRadius users mailing list
> > Subject: Re: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD
> >
> > hi,
> >
> > the error is seen with near bottom
> >
> > [mschapv2] +- entering group MS-CHAP {...}
> > [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> > [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> > [mschap] Told to do MS-CHAPv2 for username with NT-Password
> > [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> > [mschap] FAILED: MS-CHAP2-Response is incorrect
> >
> >
> > have you got ...i dunno...  'auto_header = yes' in your pap module?
> >
> > alan
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
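
The two failure shapes quoted in this thread (no NT/LM hash available to `mschap`, versus a hash present but `MS-CHAP2-Response is incorrect` with `E=691`) can be told apart mechanically. The following is an added example, not part of the original messages or of FreeRADIUS: the function name `triage`, the sample excerpts and the user `alice` are constructed, and it assumes debug output with one log entry per line.

```python
import re

# MS-CHAP-V2 failure codes from RFC 2759, section 6 (the "E=" field).
MSCHAP_ERRORS = {646: "restricted logon hours", 647: "account disabled",
                 648: "password expired", 649: "no dial-in permission",
                 691: "authentication failure", 709: "changing password"}

# Constructed samples modelled on the two excerpts in this thread; "alice" is a placeholder.
NO_HASH = r'''[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for alice with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject'''
BAD_RESPONSE = r'''[mschap] Told to do MS-CHAPv2 for alice with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
++[eap] returns reject
[peap] Got tunneled reply code 3
    MS-CHAP-Error = "\tE=691 R=1"
[peap] Tunneled authentication was rejected.'''

def triage(log):
    """Summarise why the inner MS-CHAPv2 exchange was rejected."""
    out = {"rejected_by": [], "error": None, "retry": None, "cause": "unknown"}
    no_hash = mismatch = False
    for line in map(str.strip, log.splitlines()):
        m = re.match(r"\+\+\[([\w.]+)\] returns reject$", line)
        if m:
            out["rejected_by"].append(m.group(1))
        m = re.search(r"MS-CHAP-Error = .*?E=(\d+) R=([01])", line)
        if m:
            code = int(m.group(1))
            out["error"] = (code, MSCHAP_ERRORS.get(code, "unknown code"))
            out["retry"] = m.group(2) == "1"   # R=1: a retry is allowed
        no_hash |= "No NT/LM-Password" in line
        mismatch |= "MS-CHAP2-Response is incorrect" in line
    if no_hash:        # server had nothing to compare the response against
        out["cause"] = "no usable NT/LM hash for the user"
    elif mismatch:     # a hash was found, but the client's response did not match it
        out["cause"] = "response does not match stored NT hash"
    return out

if __name__ == "__main__":
    for name, log in (("no hash", NO_HASH), ("bad response", BAD_RESPONSE)):
        print(name, "->", triage(log))
```
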
