EAP-PEAP + Windows 7 with SSO and Password change

c_dornig at gmx.de
Thu Apr 5 12:26:53 CEST 2012


Hi,


we would like to use the FreeRADIUS server to set up port access via 802.1X on a wired LAN. The plan is to have a guest VLAN for unauthenticated supplicants and a VLAN assignment for authenticated supplicants.

We configured the FreeRADIUS server (version 2.1.12) to use PEAP/MSCHAPv2 for user authentication. Each user can have one native/untagged VLAN.
So far, the current configuration works.

Now we would like to use the Single Sign-On feature of the Windows 7 supplicant before the user logs in.
But this seems to work only if the user account is valid.
When the user account is new (with password change at next logon) or the password has expired, then FreeRADIUS sends the MS-CHAP-Error to the supplicant. But why the hell does the Windows 7 client not pop up a window to change the password?

Is that generally not possible (because of EAP-MSCHAPv2), or is something missing in the config?

I tried using FreeRADIUS 3.0.0 from git with the passchange feature enabled in the mschap module.
I did all the steps from doc/mschap.rst.

The following debug output is from FreeRADIUS 3.0.0:

<snip>
:
:
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8)   group authenticate {
(8)  - entering group authenticate {...}
(8) eap : Request found, released from the list
(8) eap : EAP/mschapv2
(8) eap : processing type mschapv2
(8) mschapv2 : # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) mschapv2 :   group MS-CHAP {
(8) mschapv2 :  - entering group MS-CHAP {...}
(8) mschap : NT Domain delimeter found, should we have enabled with_ntdomain_hack?
(8) mschap : Creating challenge hash with username: DOMAIN\test-user3
(8) mschap : Told to do MS-CHAPv2 for DOMAIN\test-user3 with NT-Password
(8) mschap :    expand: %{Stripped-User-Name} ->
(8) mschap :    ... expanding second conditional
(8) mschap :    expand: %{User-Name} -> DOMAIN\test-user3
(8) mschap :    expand: %{%{User-Name}:-None} -> DOMAIN\test-user3
(8) mschap :    expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=DOMAIN\test-user3
(8) mschap : NT Domain delimeter found, should we have enabled with_ntdomain_hack?
(8) mschap : Creating challenge hash with username: DOMAIN\test-user3
(8) mschap :    expand: %{mschap:Challenge} -> 4b4be3875649ba1a
(8) mschap :    expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4b4be3875649ba1a
(8) mschap :    expand: %{mschap:NT-Response} -> a900f8c9381beb68f33a91cc2f1c87bb72970bdd62ece3a2
(8) mschap :    expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=a900f8c9381beb68f33a91cc2f1c87bb72970bdd62ece3a2
Exec-Program output: Password expired (0xc0000648)
Exec-Program-Wait: plaintext: Password expired (0xc0000648)
Exec-Program: returned: 1
(8) mschap : ntlm_auth says password has expired
(8)   [mschap] = reject
rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
(8) eap : Handler failed in EAP/mschapv2
(8) eap : Failed in EAP select
(8)   [eap] = invalid
(8) Failed to authenticate the user.
(8) Login incorrect: [DOMAIN\\test-user3/<via Auth-Type = EAP>] (from client switches port 0 via TLS tunnel)
} # server inner-tunnel
(8) peap : Got tunneled reply code 3
        MS-CHAP-Error = "\013E=648 R=0 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x00000000000000000000000000000000
(8) peap : Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\013E=648 R=0 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x00000000000000000000000000000000
(8) peap : Tunneled authentication was rejected.
(8) peap : FAILURE
(8)   [eap] = handled
Sending Access-Challenge of id 128 to 192.168.15.52 port 2686
        EAP-Message = 0x010c002b190017030100202f2f3b44177589096e8dbced7004dd801b1a777dd1a966acf5dcbde958537403
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7cb2ed6374bef496dfd35c4e86820391
(8) Finished request 8.
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host zzz.aaa.xxx.yyy port 2686, id=129, length=262
        Framed-MTU = 1480
        NAS-IP-Address = zzz.aaa.xxx.yyy
        NAS-Identifier = "SWITCHxxx"
        User-Name = "DOMAIN\\test-user3"
        Service-Type = Framed-User
:
:
:

</snip>

Thanks for any help.
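Added example (not part of the original post, and not FreeRADIUS code): a small decoder for the two values that the debug above hands back to the supplicant, the MS-CHAP-Error string from the inner tunnel and the inner EAP-Message 0x040b0004. It parses the failure string in the "E= R= C= V= M=" layout of RFC 2759 section 6 (with the leading Ident octet that RFC 2548 puts in front of the MS-CHAP-Error String) and decodes the EAP header. A Windows supplicant starts the EAP-MSCHAPv2 Change-Password exchange only after receiving an EAP-MSCHAPv2 Failure Request (EAP Request, type 26, opcode 4) carrying E=648; the example builds such a packet as a constructed contrast to the bare EAP-Failure seen in the log. The sample strings are copied from the debug output above; the packet builder and the function names are this example's own.

```python
"""Decode MS-CHAPv2 failure data from a PEAP/EAP-MSCHAPv2 debug trace.

Added example; not FreeRADIUS code.  Field layouts follow RFC 2759 (MS-CHAP-V2),
RFC 2548 (MS-CHAP-Error RADIUS attribute), RFC 3748 (EAP header) and
draft-kamath-pppext-eap-mschapv2 (EAP-MSCHAPv2 OpCode/MS-Length framing).
"""
import re
from dataclasses import dataclass

# Values copied from the debug output in the post (MS-CHAP-Error and inner EAP-Message).
SAMPLE_MSCHAP_ERROR = "\x0bE=648 R=0 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"
SAMPLE_EAP_MESSAGE = bytes.fromhex("040b0004")

# Failure codes defined in RFC 2759 section 6.
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure", 7: "Change-Password"}

# "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>" (RFC 2759 6)
_FAILURE_RE = re.compile(
    r"E=(?P<code>\d+) R=(?P<retry>[01]) C=(?P<chal>[0-9A-Fa-f]{32}) V=(?P<ver>\d+)(?: M=(?P<msg>.*))?$"
)


@dataclass
class MsChapError:
    ident: int            # RFC 2548 Ident octet; should match the EAP identifier
    code: int
    name: str
    retry_allowed: bool   # R=1 lets the peer retry with the new challenge C
    challenge: bytes      # 16-octet challenge for a retry / password change
    version: int
    message: str


def parse_mschap_error(attr: str) -> MsChapError:
    """Parse the RADIUS MS-CHAP-Error String (Ident octet + RFC 2759 failure text)."""
    ident, text = ord(attr[0]), attr[1:]
    m = _FAILURE_RE.match(text)
    if not m:
        raise ValueError(f"not an MS-CHAP-V2 failure string: {text!r}")
    code = int(m["code"])
    return MsChapError(ident, code, MSCHAP_ERROR_CODES.get(code, "UNKNOWN"),
                       m["retry"] == "1", bytes.fromhex(m["chal"]), int(m["ver"]), m["msg"] or "")


def decode_eap_message(raw: bytes) -> dict:
    """Decode the EAP header; for Request/Response also the Type and EAP-MSCHAPv2 OpCode."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-octet header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length {length} does not match {len(raw)} octets")
    out = {"code": code, "code_name": EAP_CODES.get(code, "?"), "identifier": ident, "length": length}
    if code in (1, 2) and length > 4:
        out["type"] = raw[4]
        if raw[4] == EAP_TYPE_MSCHAPV2 and length > 5:
            out["opcode"] = raw[5]
            out["opcode_name"] = MSCHAPV2_OPCODES.get(raw[5], "?")
    return out


def build_failure_request(eap_id: int, failure_text: str, mschapv2_id: int) -> bytes:
    """Constructed EAP-MSCHAPv2 Failure Request: EAP Request / Type 26 / OpCode 4 / failure text.

    MS-Length counts everything from the OpCode octet to the end of the packet.
    """
    data = failure_text.encode("ascii")
    ms_len = 1 + 1 + 2 + len(data)
    body = bytes([EAP_TYPE_MSCHAPV2, 4, mschapv2_id]) + ms_len.to_bytes(2, "big") + data
    return bytes([1, eap_id]) + (4 + len(body)).to_bytes(2, "big") + body


def supplicant_can_change_password(eap: dict, err: MsChapError) -> bool:
    """True only for a Failure Request (not a bare EAP-Failure) that reports E=648."""
    return (eap["code"] == 1 and eap.get("type") == EAP_TYPE_MSCHAPV2
            and eap.get("opcode") == 4 and err.code == 648)


if __name__ == "__main__":
    err = parse_mschap_error(SAMPLE_MSCHAP_ERROR)
    print(f"MS-CHAP-Error ident={err.ident} E={err.code} ({err.name}) retry={err.retry_allowed}")
    inner = decode_eap_message(SAMPLE_EAP_MESSAGE)
    print("inner EAP-Message:", inner, "-> change allowed:", supplicant_can_change_password(inner, err))
    want = decode_eap_message(build_failure_request(12, SAMPLE_MSCHAP_ERROR[1:], err.ident))
    print("Failure Request:", want, "-> change allowed:", supplicant_can_change_password(want, err))
```

Running it against the captured values shows the inner tunnel returned a plain EAP-Failure (code 4, identifier 11, four octets) next to an MS-CHAP-Error with E=648 and R=0, whereas the constructed Failure Request is the shape in which the error string would reach the supplicant inside the EAP conversation.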

