Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
David Hoepelman
dhoepelman at gmail.com
Sat Jun 5 22:32:27 CEST 2010
Hello all,
my fraternity has been using freeradius for quite some time. However,
there were two problems: the default certificate was used and EAP-PEAP
MSCHAPv2 doesn't work, only EAP-TTLS PAP. This requires users to
install a supplicant (we recommend SecureW2). We would also enable
users to use EAP-PEAP MSCHAPv2 since that is supported by Windows XP
and up by default.
I've cleared the first problem, and I can now connect while validating
the certificate using EAP-TTLS PAP. EAP-PEAP still doesn't work
however. Windows asks for username + password, then again, then fails.
I've configured the module to the best of my knowledge. When
connecting with Window 7 the following gets written to radius.log:
Sat Jun 5 00:00:59 2010 : Info: rlm_eap_md5: Issuing Challenge
Sat Jun 5 00:00:59 2010 : Info: rlm_eap_mschapv2: Issuing Challenge
As opposed to EAP-TTLS, then the following gets written:
Sat Jun 5 00:03:23 2010 : Info: rlm_eap_md5: Issuing Challenge
Here are the relevant config sections for eap.conf:
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
}
mschapv2 {
}
and from radiusd.conf:
mschap {
# I saw this in the default configuration on a site, but in the
documentation it was listed that the server can figure this out for
itself. Is it needed?
#authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-
Nam$
}
As far as I know authentication is performed against local users.
(every user can login through SSH if he wanted). Samba is also
installed (and heavily used) but I could not find a /etc/smbpasswd so
I guess it also authenticates against local users.
Does anyone know where the problem may be? I cannot think of anything
to try anymore.
Thanks in advance,
David
More information about the Freeradius-Users
mailing list