PEAP/MSCHAPv2 problem
Stefan Winter
stefan.winter at restena.lu
Mon Apr 4 16:27:36 CEST 2011
Hi,
PEAP can work with or without client certs. Both run through the "tls"
instance; that is no error. The problem is much rather here:
> Sending Access-Challenge of id 219 to ... port 32769
> Waking up in 2.0 seconds.
> Cleaning up request 0 ID 219 with timestamp +3
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0x3abc7e1c3abf6764 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Ready to process requests.
The client probably doesn't like the server certificate, and stops
talking to the server.
When you cloned your RADIUS server, did you give the clone a different
certificate afterwards? FreeRADIUS will generate a sample one on first
start. If your client only trusts the old one, it won't talk to the new
one...
Greetings,
Stefan Winter
>
> eap.conf:
>
> eap {
>     default_eap_type = peap
>     timer_expire = 60
>     ignore_unknown_eap_types = no
>     cisco_accounting_username_bug = no
>
>     md5 {
>     }
>
>     tls {
>         certdir = /etc/hostcertkey
>         cadir = /etc/cacert
>         dh_file = ${certdir}/dh
>         private_key_file = ${certdir}/roaming.key
>         certificate_file = ${certdir}/roaming.pem
>         CA_file = ${cadir}/chain.txt
>         dh_file = ${certdir}/dh
>         random_file = /dev/urandom
>         fragment_size = 1024
>         include_length = yes
>         check_crl = no
>         cipher_list = "DEFAULT"
>     }
>
>     ttls {
>         default_eap_type = mschapv2
>         copy_request_to_tunnel = yes
>         #use_tunneled_reply = yes
>         virtual_server = "eduroam-inner-tunnel"
>     }
>
>     peap {
>         default_eap_type = mschapv2
>         copy_request_to_tunnel = yes
>         #use_tunneled_reply = yes
>         #proxy_tunneled_request_as_eap = yes
>         virtual_server = "eduroam-inner-tunnel"
>     }
>
>     mschapv2 {
>     }
> }
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
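
The check suggested in the reply above, as an added example that is not part of the original message: resolve the certificate_file a server's eap.conf points at and compare its SHA-256 fingerprint with the certificate the clients were set up to trust. It assumes the openssl command-line tool is installed; the two certificates, the temporary paths and the name radius.example.org are constructed sample data.

```shell
#!/bin/sh
# Added example: does the cloned server present the certificate the clients trust?
set -e

# Print certificate_file from an eap.conf tls section, expanding ${certdir}.
configured_cert() {
    awk '$1 == "certdir"          { dir = $3 }
         $1 == "certificate_file" { path = $3 }
         END { var = "${certdir}"; i = index(path, var)
               if (i) path = substr(path, 1, i - 1) dir substr(path, i + length(var))
               print path }' "$1"
}

# SHA-256 fingerprint of a PEM certificate (empty output if the file is unreadable).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeeds only if both files hold the same certificate; an unreadable file never matches.
same_certificate() {
    a=$(cert_fingerprint "$1"); b=$(cert_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample data: two self-signed certificates with the SAME subject name,
# standing in for the original server and for the sample certificate created on a clone.
make_sample_cert() {    # $1 = output path without extension
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=radius.example.org" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
mkdir "$workdir/old" "$workdir/clone"
make_sample_cert "$workdir/old/roaming"
make_sample_cert "$workdir/clone/roaming"
cat > "$workdir/eap.conf" <<EOF
tls {
    certdir = $workdir/clone
    certificate_file = \${certdir}/roaming.pem
}
EOF

presented=$(configured_cert "$workdir/eap.conf")
if same_certificate "$workdir/old/roaming.pem" "$presented"; then
    echo "clone presents the certificate the clients trust"
else
    echo "MISMATCH: $presented is not the trusted certificate, although the subject is identical"
fi
```

On real servers, pass the certificate the clients were configured with and the path returned by configured_cert for the clone's eap.conf in place of the constructed samples.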