freeradius authentication stops working after some time...

Korosi, Nick nkorosi at indians.com
Wed Sep 8 22:09:44 CEST 2010


I was wondering if anybody had any more information on this topic.  Winbind authentication works every time during testing of ntlm_auth, but PEAP will only work once after a reboot and then fails every time.  I can see a difference in the EAP-Message when running in debug mode once it gets Request 3's Access-Request packet.

>> When Successful:
rad_recv: Access-Request packet from host 172.20.1.99 port 65288, id=212, length=522
                User-Name = " MYDOMAIN\\myuser"
                NAS-Port = 68
                State = 0xbdba4064bfb959ed871d7a760f4a6189
                EAP-Message = 0x640caaf2df40538fd91c1da8c2189b89d9d59e66b40f816d14030100010116030100303628b50481fc50a51db0c5315a5898ada3f498ed9385706e9b165e322cdb655704b73380d527cfa1966359f43e23b54a
                Message-Authenticator = 0xe0435af614c2b43a52ab07911e607257
                Acct-Session-Id = "8O2.1x8155007a0006d0e1"
                NAS-Port-Id = "ge-0/0/1.0"
                Calling-Station-Id = "00-21-86-a0-d5-b6"
                Called-Station-Id = "00-1f-12-35-a3-40"
                NAS-IP-Address = 172.20.1.99
                NAS-Identifier = "CL-SW-SPARE-P48-1"
                NAS-Port-Type = Ethernet
....
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 212 to 172.20.1.99 port 65288
                EAP-Message = 0x01040041190014030100010116030100304722cf0ba4ff47b05d93e56d91e9f7fb385859f4517e96acb6f13887cee6d51e2e786637fb3a783ce362542c4004da32
                Message-Authenticator = 0x00000000000000000000000000000000
                State = 0xbdba4064bebe59ed871d7a760f4a6189



>> When it fails:
rad_recv: Access-Request packet from host 172.20.1.99 port 60566, id=62, length=190
                User-Name = "MYDOMAIN\\myuser"
                NAS-Port = 68
                State = 0x98b30a269ab013ceb4bf9c4f43040953
                EAP-Message = 0x020300061900
                Message-Authenticator = 0x20ce44a84dc4391f888de907003c74b8
                Acct-Session-Id = "8O2.1x81c3024a00011abf"
                NAS-Port-Id = "ge-0/0/1.0"
                Calling-Station-Id = "00-21-86-a0-d5-b6"
                Called-Station-Id = "00-1f-12-35-a3-40"
                NAS-IP-Address = 172.20.1.99
                NAS-Identifier = "CL-SW-SPARE-P48-1"
                NAS-Port-Type = Ethernet
....
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 62 to 172.20.1.99 port 60566
                EAP-Message = 0x010400061900
                Message-Authenticator = 0x00000000000000000000000000000000
                State = 0x98b30a269bb713ceb4bf9c4f43040953

From what I can see, I'm getting a TLS ACK and no SSL connection established when it fails.

I generated my server certificate from our internal Microsoft Certificate Authority and installed it on the server.  I'm pretty sure everything is okay since my Windows 2007 computer authenticates every time if configured to use certificate authentication rather than PEAP.  Also, if I use Microsoft IAS as my radius server, PEAP works every time, therefore I don't believe my network equipment is having any problems.

Any additional ideas would be greatly appreciated.

Thanks,
Nick
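An added example, not part of Nick's post or of FreeRADIUS itself: a small Python decoder for the EAP-Message attributes in the debug output above. It shows why the failing exchange is an empty PEAP ACK in both directions (type 25, all flags clear, no TLS data) while the successful Access-Challenge carries a TLS ChangeCipherSpec record. The sample log lines are constructed from the attribute values quoted in the post; splitting packets on `rad_recv:` / `Sending Access-` lines is an assumption about the debug format.

```python
import re
import struct
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

def decode_eap_message(hexstr):
    """Decode one EAP packet: header, EAP-TLS/PEAP flags, first TLS record type."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "length_ok": length == len(data)}
    if code not in (1, 2) or len(data) < 6:
        return info  # Success/Failure carry no type or flags
    flags = data[5]
    info["type"] = data[4]  # 25 = PEAP, 13 = EAP-TLS, 21 = EAP-TTLS
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                     "S": bool(flags & 0x20), "version": flags & 0x07}
    payload = data[10:] if flags & 0x80 else data[6:]  # L flag: 4-byte TLS length first
    if flags & 0x20:
        info["summary"] = "PEAP start"
    elif not payload:
        info["summary"] = "TLS ACK (no TLS data)"  # empty PEAP packet, flags clear
    elif len(payload) < 3:
        info["summary"] = "short TLS fragment"
    else:  # first TLS record header: content type, major, minor version
        info["summary"] = "TLS %s (version %d.%d)" % (
            TLS_TYPES.get(payload[0], payload[0]), payload[1], payload[2])
    return info
def summarize_debug(log_text):
    """Decode one EAP packet per RADIUS packet, reassembling EAP-Message fragments."""
    out = []
    for chunk in re.split(r"^(?=rad_recv:|Sending Access-)", log_text, flags=re.M):
        frags = re.findall(r"EAP-Message = 0x([0-9a-fA-F]+)", chunk)
        if frags:
            out.append(decode_eap_message("".join(frags)))
    return out
def looks_stalled(log_text):
    """True when both sides only exchange empty ACKs, the failing pattern above."""
    msgs = summarize_debug(log_text)
    return len(msgs) >= 2 and all(m.get("summary") == "TLS ACK (no TLS data)" for m in msgs)
# Constructed samples, built from the attribute values quoted in the post.
FAIL_LOG = """rad_recv: Access-Request packet from host 172.20.1.99 port 60566, id=62, length=190
                EAP-Message = 0x020300061900
Sending Access-Challenge of id 62 to 172.20.1.99 port 60566
                EAP-Message = 0x010400061900
"""
OK_LOG = """Sending Access-Challenge of id 212 to 172.20.1.99 port 65288
                EAP-Message = 0x01040041190014030100010116030100304722cf0ba4ff47b05d93e56d91e9f7fb385859f4517e96acb6f13887cee6d51e2e786637fb3a783ce362542c4004da32
"""
```

Run `summarize_debug()` over a full `radiusd -X` capture to see, per packet, whether the supplicant ever sends TLS data after the server's ACK or whether both sides just trade empty PEAP packets until the request times out.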