EAP-PEAP + Windows 7 with SSO and Password change

CD DD c_dornig at gmx.de
Sun Apr 8 13:05:30 CEST 2012


Hi Alan,


hmm, it seems not to be working for me.

In the debug log you can see that the RADIUS server sends the CHAP-Error to the supplicant. And on the Windows 7 side, I got an Invalid Login but NOT a Password Change window.
But this should pop up with the passchange feature enabled, right?

I enabled the passchange config in the mschap module without success.

What is wrong there?


DEBUG LOG:
##########

(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8)   group authenticate {
(8)  - entering group authenticate {...}
(8) eap : Request found, released from the list
(8) eap : EAP/mschapv2
(8) eap : processing type mschapv2
(8) mschapv2 : # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) mschapv2 :   group MS-CHAP {
(8) mschapv2 :  - entering group MS-CHAP {...}
(8) mschap : NT Domain delimeter found, should we have enabled with_ntdomain_hack?
(8) mschap : Creating challenge hash with username: DOMAIN\test-user3
(8) mschap : Told to do MS-CHAPv2 for DOMAIN\test-user3 with NT-Password
(8) mschap :    expand: %{Stripped-User-Name} ->
(8) mschap :    ... expanding second conditional
(8) mschap :    expand: %{User-Name} -> DOMAIN\test-user3
(8) mschap :    expand: %{%{User-Name}:-None} -> DOMAIN\test-user3
(8) mschap :    expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=DOMAIN\test-user3
(8) mschap : NT Domain delimeter found, should we have enabled with_ntdomain_hack?
(8) mschap : Creating challenge hash with username: DOMAIN\test-user3
(8) mschap :    expand: %{mschap:Challenge} -> 4b4be3875649ba1a
(8) mschap :    expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=4b4be3875649ba1a
(8) mschap :    expand: %{mschap:NT-Response} -> a900f8c9381beb68f33a91cc2f1c87bb72970bdd62ece3a2
(8) mschap :    expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=a900f8c9381beb68f33a91cc2f1c87bb72970bdd62ece3a2
Exec-Program output: Password expired (0xc0000648)
Exec-Program-Wait: plaintext: Password expired (0xc0000648)
Exec-Program: returned: 1
(8) mschap : ntlm_auth says password has expired
(8)   [mschap] = reject
rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
(8) eap : Handler failed in EAP/mschapv2
(8) eap : Failed in EAP select
(8)   [eap] = invalid
(8) Failed to authenticate the user.
(8) Login incorrect: [DOMAIN\\test-user3/<via Auth-Type = EAP>] (from client switches port 0 via TLS tunnel)
} # server inner-tunnel
(8) peap : Got tunneled reply code 3
        MS-CHAP-Error = "\013E=648 R=0 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x00000000000000000000000000000000
(8) peap : Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\013E=648 R=0 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired"
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x00000000000000000000000000000000
(8) peap : Tunneled authentication was rejected.
(8) peap : FAILURE
(8)   [eap] = handled
Sending Access-Challenge of id 128 to 192.168.15.52 port 2686
        EAP-Message = 0x010c002b190017030100202f2f3b44177589096e8dbced7004dd801b1a777dd1a966acf5dcbde958537403
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7cb2ed6374bef496dfd35c4e86820391
(8) Finished request 8.
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host zzz.aaa.xxx.yyy port 2686, id=129, length=262
        Framed-MTU = 1480
        NAS-IP-Address = zzz.aaa.xxx.yyy
        NAS-Identifier = "SWITCHxxx"
        User-Name = "DOMAIN\\test-user3"
        Service-Type = Framed-User

Thanks a lot,

C.


>CD DD wrote:
>> and how do i get this working ?
>
>  read raddb/mods-available/mschap
>
>  Alan DeKok.
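The MS-CHAP-Error value in the log above follows the RFC 2759 failure-packet format (E=code R=retry C=new-challenge V=version M=text), prefixed by the one-byte MS-CHAPv2 Ident that FreeRADIUS stores at the front of the attribute. The decoder below is an added example, not FreeRADIUS code and not from this thread: it parses that value and the EAP-Message header from the log so the two can be cross-checked (the error-code table is RFC 2759 section 6; the sample values are taken from the log quoted in the post).

```python
import re
from dataclasses import dataclass
from typing import Optional

# MS-CHAPv2 failure codes listed in RFC 2759, section 6.
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

@dataclass
class MsChapError:
    ident: Optional[int]   # MS-CHAPv2 Ident byte FreeRADIUS prepends to the attribute
    code: int              # E= value
    name: str              # symbolic name from MSCHAP_ERROR_CODES
    retry_allowed: bool    # R=1 means the peer may retry with the new challenge
    challenge: bytes       # C= value, the 16-byte challenge for a retry or password change
    version: int           # V= value
    message: str           # M= free text

_IDENT = re.compile(r"^\\(\d{3})")   # octal escape as printed in the debug log
_BODY = re.compile(r"^E=(\d+) R=([01]) C=([0-9a-fA-F]{32}) V=(\d+) M=(.*)$")

def parse_mschap_error(raw: str) -> MsChapError:
    """Decode an MS-CHAP-Error value as it appears in a FreeRADIUS debug log."""
    ident = None
    m = _IDENT.match(raw)
    if m:
        ident = int(m.group(1), 8)
        raw = raw[m.end():]
    b = _BODY.match(raw)
    if not b:
        raise ValueError(f"not an RFC 2759 failure string: {raw!r}")
    code = int(b.group(1))
    return MsChapError(ident, code, MSCHAP_ERROR_CODES.get(code, "UNKNOWN"),
                       b.group(2) == "1", bytes.fromhex(b.group(3)),
                       int(b.group(4)), b.group(5))

def parse_eap_header(hexstr: str) -> tuple:
    """Return (code name, identifier, length) from an EAP-Message hex dump."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    return EAP_CODES.get(data[0], "Unknown"), data[1], int.from_bytes(data[2:4], "big")

if __name__ == "__main__":
    # Constructed from the debug log quoted in this post.
    err = parse_mschap_error(r"\013E=648 R=0 C=62fa0aad52c662d5b02fcda34542d074 V=3 M=Password Expired")
    print(err.name, "retry_allowed =", err.retry_allowed, "ident =", err.ident)
    print(parse_eap_header("0x040b0004"))  # ('Failure', 11, 4): same Ident as the error
```

Running it on the logged values shows E=648 (ERROR_PASSWD_EXPIRED) with R=0 and an EAP Failure carrying the same identifier (11), which is the failure packet the supplicant received in round 8.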

