FW: PEAP MSCHAPv2 error..

Mark Holmes mark.holmes at nuffield.ox.ac.uk
Tue Feb 8 14:49:06 CET 2011


Ah - do I need to be authenticating against something like AD that does MS-CHAP?

I have AD here and that is the eventual goal, but trying to change as little as possible and keep it simple to begin with...

Mark

-----Original Message-----
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac.uk at lists.freeradius.org] On Behalf Of Mark Holmes
Sent: 08 February 2011 12:45
To: FreeRadius users mailing list
Subject: PEAP MSCHAPv2 error..

Tested with PAP and radtest, as per http://deployingradius.com/documents/configuration/pap.html  

All works OK


Now I want to test from a Windows 7 wireless client using PEAP (MSCHAPv2).  The page seems to indicate this should pretty much work with default config.

So:-

I added wireless AP to clients.conf

---------------
client 163.1.40.141 {
        secret = testing
}
----------------

Disabled 'Validate server certificate' on the client

Entered bob as username, testing123 as password
 
I get No such realm 'NULL'

So added

---------------------
realm test {
authhost = LOCAL
accthost = LOCAL
}
----------------

To proxy.conf - not sure this is the correct way of resolving a null realm, though.....

And this time entered bob at test as the username, testing123 as password 

Now I get rejected - the following from the debug output looks relevant


[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for bob at test with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject       
[eap] Freeing handler     
++[eap] returns reject 
Failed to authenticate the user.
} # server inner-tunnel    
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\010E=691 R=1"       
        EAP-Message = 0x04080004             
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE           


I posted the full debug output at http://www.nuffield.ox.ac.uk/scratch2/test-peap.log - as I wasn't sure posting all 900+ lines to this list would be appreciated - or is that OK in future?

The MSCHAP errors are line 901 onwards.

I'm doing something silly, no doubt - but what?  Should this config just work out of the box?

Appreciate any help.

Cheers

Mark
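
Added example, not part of the original post and not FreeRADIUS code: a small Python parser that pulls MS-CHAP-Error attributes out of debug output like the excerpt above and decodes the E= and R= fields using the failure codes from RFC 2759. The function names and the second test string are assumptions made for illustration; the sample lines are copied from the post.

```python
import re

# Failure codes defined for MS-CHAPv2 in RFC 2759.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Debug lines copied from the post above.
SAMPLE_DEBUG = r'''
[mschap] FAILED: MS-CHAP2-Response is incorrect
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
'''

ATTR_RE = re.compile(r'MS-CHAP-Error\s*=\s*"((?:[^"\\]|\\.)*)"')
FIELD_RE = re.compile(r'\b([ERCV])=(\S+)')

def parse_mschap_error(value):
    """Decode one MS-CHAP-Error value as printed in debug output."""
    # Debug output prints non-printable octets as \ooo; turn them back into characters.
    raw = re.sub(r'\\([0-7]{3})', lambda m: chr(int(m.group(1), 8)), value)
    if not raw:
        raise ValueError("empty MS-CHAP-Error")
    # RFC 2548 puts a one-octet Ident before the string; tolerate its absence.
    ident, text = (None, raw) if raw.startswith("E=") else (ord(raw[0]), raw[1:])
    head, sep, msg = text.partition(" M=")  # M= is free text and may contain spaces
    fields = dict(FIELD_RE.findall(head))
    if not fields.get("E", "").isdigit():
        raise ValueError("no numeric E= field in %r" % text)
    code = int(fields["E"])
    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": fields.get("R") == "1",
        "challenge": fields.get("C"),
        "message": msg if sep else None,
    }

def errors_in_log(log_text):
    """Return the decoded MS-CHAP-Error attributes found in debug output."""
    return [parse_mschap_error(m.group(1)) for m in ATTR_RE.finditer(log_text)]
```

For the excerpt above this gives code 691 (ERROR_AUTHENTICATION_FAILURE) with retry allowed, which matches the "MS-CHAP2-Response is incorrect" line.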





