Problem with MSCHAP
Mark Holmes
mark.holmes at nuffield.ox.ac.uk
Fri Oct 8 15:24:46 CEST 2010
This is my first post to this list, so first of all, hi!
I'm new to freeradius, I'm working on setting it up to authenticate users to our wireless network. We want to use PEAP-MSCHAPv2 and authenticate against Active Directory. I'm using samba and ntlm_auth.
Versions: freeradius2-2.1.7-7.el5 and samba3.0.33-3.29
I have the ntlm_auth part working insofar as I can put DEFAULT Auth-Type = ntlm_auth in users and then do
radtest user password localhost 0 testing123
and I see the server returns Access-Accept.
I then configure MS-CHAP, removing the DEFAULT Auth-Type from users and editing modules/mschap as follows:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
and set up a wireless access point, add it to clients and have it point at the RADIUS server.
Now when I try to connect I get Access-Reject - I've tried a couple of devices - an iPhone and a Win XP machine.
Output from radiusd -X is at the bottom of this message. The bit that looks relevant to me is
++[mschap] returns noop
which I guess indicates a problem with mschap somewhere.
Also:
[suffix] Looking up realm "mydomain.ox.ac.uk" for User-Name = "firstname.lastname at mydomain.ox.ac.uk"
[suffix] No such realm "mydomain.ox.ac.uk"
However, I'm not sure I need to worry about that bit - at the moment this is just a single, stand-alone RADIUS server, so I'm not sure I need to worry about realms. Or do I?
Not sure where to go from here - are there some basic things I should check? I haven't included my conf files in this post but I'm happy to do so if required.
Any advice or hints on how I should troubleshoot this would be much appreciated.
Thanks,
Mark
Output from radiusd -X:
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.10 port 1286, id=39, length=267
Message-Authenticator = 0x2e5d3be1821aead988b3d37cba9afd08
Service-Type = Framed-User
User-Name = "firstname.lastname at mydomain.ox.ac.uk"
Framed-MTU = 1488
State = 0x0f85e60107a2ffd7a9724559c0c7d131
Called-Station-Id = "00-24-73-54-22-C2:Test-WLAN"
Calling-Station-Id = "78-E4-00-B2-E2-D5"
NAS-Identifier = "Wireless AP - I6"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0227002b1900170301002067b2b3a9663cb4262b845b709b8619eb1d6ae803961cb66e52227722f3d8e496
NAS-IP-Address = 192.168.1.10
NAS-Port = 4
NAS-Port-Id = "STA port # 4"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "mydomain.ox.ac.uk" for User-Name = "firstname.lastname at mydomain.ox.ac.uk"
[suffix] No such realm "mydomain.ox.ac.uk"
++[suffix] returns noop
[eap] EAP packet type response id 39 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> firstname.lastname at mydomain.ox.ac.uk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 99 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 99
Sending Access-Reject of id 39 to 192.168.1.10 port 1286
EAP-Message = 0x04270004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
Cleaning up request 90 ID 30 with timestamp +1733
Cleaning up request 91 ID 31 with timestamp +1733
Cleaning up request 92 ID 32 with timestamp +1733
Cleaning up request 93 ID 33 with timestamp +1733
Cleaning up request 94 ID 34 with timestamp +1733
Cleaning up request 95 ID 35 with timestamp +1733
Cleaning up request 96 ID 36 with timestamp +1733
Cleaning up request 97 ID 37 with timestamp +1733
Cleaning up request 98 ID 38 with timestamp +1733
Waking up in 0.9 seconds.
Cleaning up request 99 ID 39 with timestamp +1733
Ready to process requests.
More information about the Freeradius-Users mailing list
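Added triage helper, not from the original post or from the FreeRADIUS project: it walks a constructed, trimmed copy of the radiusd -X output above and reports which section and module actually decided the request. It flags that the outer `[mschap] returns noop` is expected for PEAP (the outer packet carries EAP-Message, and MS-CHAPv2 runs inside the tunnel) and that "User was rejected earlier in this session" points back to earlier requests of the same session, which the posted excerpt does not include. Field names and hint wording are this example's own.

```python
import re
# Constructed sample: a trimmed copy of the radiusd -X excerpt posted above.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.10 port 1286, id=39, length=267
  User-Name = "firstname.lastname at mydomain.ox.ac.uk"
+- entering group authorize {...}
++[mschap] returns noop
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[peap] Had sent TLV failure. User was rejected earlier in this session.
++[eap] returns invalid
Sending Access-Reject of id 39 to 192.168.1.10 port 1286
"""
RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)")
GROUP_RE = re.compile(r"^\+- entering group (\S+)")
MODULE_RE = re.compile(r"^\+\+\[([\w.-]+)\] returns (\w+)")

def triage(log):
    # Summarise one Access-Request from radiusd -X: what actually decided it.
    r = {"id": None, "auth_type": None, "outer_mschap": None, "failed": None, "rejected_earlier": False}
    group = None
    for line in log.splitlines():
        if m := RECV_RE.match(line):
            r["id"] = int(m.group(1))
        elif m := GROUP_RE.match(line):
            group = m.group(1)                      # authorize, authenticate, REJECT, ...
        elif m := MODULE_RE.match(line):
            module, rcode = m.groups()
            if module == "mschap" and group == "authorize":
                r["outer_mschap"] = rcode           # noop: no MS-CHAP attributes in the outer packet
            if rcode in ("reject", "invalid", "fail") and r["failed"] is None:
                r["failed"] = (group, module, rcode)
        elif line.startswith("Found Auth-Type = "):
            r["auth_type"] = line.split("= ", 1)[1]
        elif "User was rejected earlier in this session" in line:
            r["rejected_earlier"] = True
    return r

def explain(r):
    # Turn the summary into the hints a defender wants before digging further.
    hints = []
    if r["auth_type"] == "EAP" and r["outer_mschap"] == "noop":
        hints.append("mschap noop in the outer authorize is normal for PEAP: the outer packet carries EAP-Message, and MS-CHAPv2 runs inside the tunnel.")
    if r["rejected_earlier"]:
        hints.append("This packet only echoes an earlier failure: look at the earlier requests of this session for the tunnelled MS-CHAPv2 step and any ntlm_auth error.")
    if r["failed"]:
        hints.append("Final decision: [%s] returned %s in %s." % (r["failed"][1], r["failed"][2], r["failed"][0]))
    return hints
```

Run it over a full radiusd -X capture split at each rad_recv line to see, per request, where in the session the real rejection happened.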