PEAP MSCHAPv2 error..
Mark Holmes
mark.holmes at nuffield.ox.ac.uk
Tue Feb 8 13:45:04 CET 2011
Tested with PAP and radtest, as per http://deployingradius.com/documents/configuration/pap.html
All works OK
Now I want to test from a Windows 7 wireless client using PEAP (MSCHAPv2). The page seems to indicate this should pretty much work with default config.
So:-
I added wireless AP to clients.conf
---------------
client 163.1.40.141 {
        secret = testing
}
----------------
Disabled 'Validate server certificate' on the client
Entered bob as username, testing123 as password
I get No such realm 'NULL'
So added
---------------------
realm test {
        authhost = LOCAL
        accthost = LOCAL
}
To proxy.conf - not sure this is the correct way of resolving a null realm, though.....
----------------
And this time entered bob at test as the username, testing123 as password
Now I get rejected - the following from the debug output looks relevant
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for bob at test with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
I posted the full debug output at http://www.nuffield.ox.ac.uk/scratch2/test-peap.log - as I wasn't sure posting all 900+ lines to this list would be appreciated - or is that OK in future?
The MSCHAP errors are line 901 onwards.
I'm doing something silly, no doubt - but what? Should this config just work out of the box?
Appreciate any help.
Cheers
Mark
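
Decoding the two attributes from the rejected tunneled reply quoted above, as an added example that is not part of the original post and is not FreeRADIUS code. The error names are the MS-CHAPv2 failure codes from RFC 2759; the function names are hypothetical.

```python
import re

# MS-CHAPv2 failure codes listed in RFC 2759.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Two lines copied from the debug output in the post above.
SAMPLE = r'''
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
'''

def parse_mschap_error(value):
    """Split an MS-CHAP-Error value into its ident octet and E=/R= fields."""
    m = re.match(r'\\(\d{3})(.*)', value)
    ident = int(m.group(1), 8) if m else None  # the log prints the ident octet as octal
    text = m.group(2) if m else value
    fields = dict(re.findall(r'\b([ERCV])=(\S+)', text))
    if "E" not in fields:
        return None  # not a failure string in the RFC 2759 layout
    code = int(fields["E"])
    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": fields.get("R") == "1",
    }

def parse_eap_header(hexstr):
    """Decode the 4-byte EAP header: code, identifier, 16-bit length."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        return None
    return {"code": EAP_CODES.get(raw[0], "unknown"), "ident": raw[1],
            "length": int.from_bytes(raw[2:4], "big")}

def summarize(log):
    """Find the first MS-CHAP-Error and EAP-Message in debug text and decode both."""
    err = re.search(r'MS-CHAP-Error = "([^"]*)"', log)
    eap = re.search(r'EAP-Message = 0x([0-9a-fA-F]+)', log)
    return {"mschap": parse_mschap_error(err.group(1)) if err else None,
            "eap": parse_eap_header(eap.group(1)) if eap else None}
```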