PEAP MSCHAPv2 error..

Mark Holmes mark.holmes at nuffield.ox.ac.uk
Tue Feb 8 13:45:04 CET 2011


Tested with PAP and radtest, as per http://deployingradius.com/documents/configuration/pap.html  

All works OK


Now I want to test from a Windows 7 wireless client using PEAP (MSCHAPv2).  The page seems to indicate this should pretty much work with default config.

So:-

I added wireless AP to clients.conf

---------------
client 163.1.40.141 {
        secret = testing
}
---------------

Disabled 'Validate server certificate' on the client

Entered bob as username, testing123 as password
 
I get No such realm 'NULL'

So added

---------------------
realm test {
        authhost = LOCAL
        accthost = LOCAL
}
---------------------

to proxy.conf - not sure this is the correct way of resolving a null realm, though.....

And this time entered bob@test as the username, testing123 as password

Now I get rejected - the following from the debug output looks relevant


[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for bob@test with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject       
[eap] Freeing handler     
++[eap] returns reject 
Failed to authenticate the user.
} # server inner-tunnel    
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\010E=691 R=1"       
        EAP-Message = 0x04080004             
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE           


I posted the full debug output at http://www.nuffield.ox.ac.uk/scratch2/test-peap.log - as I wasn't sure posting all 900+ lines to this list would be appreciated - or is that OK in future?

The MSCHAP errors are line 901 onwards.

I'm doing something silly, no doubt - but what?  Should this config just work out of the box?

Appreciate any help.

Cheers

Mark
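
Decoding the two reject attributes in the debug output above, as an added example that is not part of the original post or of FreeRADIUS: the MS-CHAP-Error value is an identifier octet (RFC 2548) followed by the RFC 2759 failure string, and the EAP-Message is a bare 4-byte EAP header. The function names are hypothetical; the two sample values are copied from the post.

```python
import re

# Error codes defined for the MS-CHAPv2 Failure packet in RFC 2759.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Attribute values copied from the debug output in the post.
SAMPLE_MSCHAP_ERROR = r"\010E=691 R=1"
SAMPLE_EAP_MESSAGE = "0x04080004"


def parse_mschap_error(printed):
    """Decode MS-CHAP-Error as printed in debug: ident octet, then 'E=.. R=..'."""
    m = re.match(r"\\([0-7]{3})(.*)$", printed)
    if m:  # leading octet shown as a three-digit octal escape
        ident, text = int(m.group(1), 8), m.group(2)
    else:  # leading octet was a printable character
        ident, text = ord(printed[0]), printed[1:]
    fields = dict(re.findall(r"([A-Z])=(\S+)", text))
    if "E" not in fields:
        raise ValueError("no E= field in MS-CHAP-Error: %r" % printed)
    code = int(fields["E"])
    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": fields.get("R") == "1",  # R=1: peer may retry
    }


def parse_eap_header(hexstr):
    """Decode the 4-byte EAP header: code, identifier, 16-bit length."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    length = int.from_bytes(raw[2:4], "big")
    return {"code": EAP_CODES.get(raw[0], "unknown"), "id": raw[1],
            "length": length, "complete": length == len(raw)}


if __name__ == "__main__":
    print(parse_mschap_error(SAMPLE_MSCHAP_ERROR), parse_eap_header(SAMPLE_EAP_MESSAGE))
```

For the values in this log it reports error 691 (ERROR_AUTHENTICATION_FAILURE) with retry allowed, and an EAP Failure packet; both carry identifier 8.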