Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Jean-Yves Avenard
jyavenard at gmail.com
Thu Aug 26 14:48:51 CEST 2010
Following on an earlier thread:
http://lists.freeradius.org/pipermail/freeradius-users/2010-June/msg00116.html
to which I couldn't get any answer, unfortunately.
I am experiencing a similar problem.
I am running freeradius that comes installed and configured with MacOS
10.6 server.
A Windows XP client can connect just fine using Microsoft Protected EAP.
iPhone and Mac OS clients connect just fine using EAP-TTLS.
Windows 7 will connect fine using the SecureW2 EAP-TTLS supplicant, but
not with the default built-in PEAP.
I have modified module/mschap as follows, as per various instructions:
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
    #
    # If you are using /etc/smbpasswd, see the 'passwd'
    # module for an example of how to use /etc/smbpasswd
    authtype = MS-CHAP

    # if use_mppe is not set to no mschap will
    # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
    # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
    #
    use_mppe = yes

    # if mppe is enabled require_encryption makes
    # encryption moderate
    #
    require_encryption = yes

    # require_strong always requires 128 bit key
    # encryption
    #
    require_strong = yes

    # Windows sends us a username in the form of
    # DOMAIN\user, but sends the challenge response
    # based on only the user portion. This hack
    # corrects for that incorrect behavior.
    #
    with_ntdomain_hack = yes

    # The module can perform authentication itself, OR
    # use a Windows Domain Controller. This configuration
    # the "best" user name for the request.
    #
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
In the log, when connecting using Windows XP I would see:
Thu Aug 26 02:04:20 2010 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Thu Aug 26 02:04:20 2010 : Info: rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #4
Thu Aug 26 02:04:20 2010 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Thu Aug 26 02:04:20 2010 : Info: Ready to process requests.
Thu Aug 26 02:07:43 2010 : Auth: rlm_opendirectory: User <jean-yves.avenard> is authorized.
When connecting with Windows 7, I would read:
Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the user's uuid.
Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef(): dsGetRecordList() status = 0, recCount=0
Any hint about what I should be looking at?
Mind you, I'm a complete noob when it comes to radius, I only started
playing with it 2 days ago.
Thank you for your help troubleshooting this matter.
Regards
Jean-Yves