eapol_test giving up and win-like error?

NdK ndk.clanbo at gmail.com
Fri Jan 20 11:30:34 CET 2012


On 19/01/2012 13:01, Phil Mayers wrote:

> I'm not sure what the problem is then. From your original post, the
> authentication is failing at the *client*, in the inner EAP section.
> This normally means the final MSCHAP response is invalid, which only
> happens if some crypto has gone wrong somewhere.
But then it should fail immediately, not after a timeout!
And an immediate failure is the result when I *disable* the
'with_ntdomain_hack=yes' line in mschap.

No change even when enabling the "ntdomain" lines in the 'default' and
'inner-tunnel' sites (IIUC those should only detect the domain,
regardless of whether it is a prefix or a suffix).

>> Another problem I should fix is the fact that ZS's captive portal passes
>> user@realm credentials instead of realm\user ... rewriting w/ a simple
>> rule in the hints file seems to block the rest, so I left it behind, for now.
> You can't alter usernames in EAP. They are usually mixed into the
> challenge/response data, and altering them in-flight means the
> challenge/response will fail.
Ok. I'm not going to change 'em.

> To be honest, there's too much going on in your setup; my advice would
> be to create a new server (running 2.1.12) and use the default setup.
> Test your EAP with eapol_test. Make small changes, storing the config
> into version control at each step. Identify exactly which point the
> failures start happening at.
That's exactly what I've done so far. The failures start when I enable
the auth I need. The problem w/ CP is just an "issue scheduled for later
examination" -- nothing is configured yet to fix it.

This is my 'hg diff' output (w/o the certs part) against the base config
(from the tutorial):

diff -r 434b2b3ededc clients.conf
--- a/clients.conf      Mon Jan 16 15:17:07 2012 +0100
+++ b/clients.conf      Fri Jan 20 11:22:45 2012 +0100
@@ -232,3 +232,10 @@
 #              secret = testing123
 #        }
 #}
+
+client 137.204.65.161 {
+       secret = testing123qaz
+}
+client 137.204.65.96 {
+       secret = testing123qaz
+}
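Review bot: both new `client` blocks share the same static secret `testing123qaz`, a variation on the example value `testing123` in the commented-out template just above. The shared secret is what authenticates the Request Authenticator and wraps the MS-MPPE key attributes on the wire, so for anything beyond a lab test give each NAS its own long random secret, and consider adding a `shortname` so the two addresses are distinguishable in the logs.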
diff -r 434b2b3ededc modules/mschap
--- a/modules/mschap    Mon Jan 16 15:17:07 2012 +0100
+++ b/modules/mschap    Fri Jan 20 11:22:45 2012 +0100
@@ -34,6 +34,7 @@
        # corrects for that incorrect behavior.
        #
        #with_ntdomain_hack = no
+       #with_ntdomain_hack = yes

        # The module can perform authentication itself, OR
        # use a Windows Domain Controller.  This configuration
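Review bot: the added `#with_ntdomain_hack = yes` is itself a comment, so this hunk changes nothing: the module still runs with the default `with_ntdomain_hack = no`. If the intent is to test with the hack enabled, uncomment exactly one of the two lines instead of keeping both as comments; as posted, the diff does not show which value was in effect when the failures were observed.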
@@ -63,4 +64,7 @@
        # the "best" user name for the request.
        #
        #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
+       ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{mschap:User-Name}:-%{User-Name:-None}}
--domain=%{%{mschap:NT-Domain}:-PERSONALE}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
+#      ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{mschap:User-Name}:-%{Stripped-User-Name}:-%{User-Name}}
--domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
+#      ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE}
--username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}}
--password=%{User-Password} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
 }
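Review bot: the active `ntlm_auth` line hard-codes `PERSONALE` as the fallback for `--domain` and replaces the default `%{Stripped-User-Name}` with `%{mschap:User-Name}`, which works for `DOMAIN\user` logins but passes a `user@realm` identity to ntlm_auth verbatim with the `@realm` part still attached. The two commented variants below it reference `%{myDomain}`, which is not defined anywhere in this diff, and the last one mixes `--password=%{User-Password}` with `--challenge`/`--nt-response`; inside the mschap module an EAP-MSCHAPv2 request carries no `User-Password`. Drop the dead variants, or keep only the one you actually intend to test, so the diff shows a single command line.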
diff -r 434b2b3ededc modules/ntlm_auth
--- a/modules/ntlm_auth Mon Jan 16 15:17:07 2012 +0100
+++ b/modules/ntlm_auth Fri Jan 20 11:22:45 2012 +0100
@@ -8,5 +8,6 @@
 #
 exec ntlm_auth {
        wait = yes
-       program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
+#      program = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{%{mschap:NT-Domain}:-PERSONALE}
--username=%{mschap:User-Name} --password=%{User-Password}"
+       program = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE}
--username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}}
--password=%{User-Password} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
 }
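Review bot: this `ntlm_auth` is the `exec`-based module for plaintext `User-Password` checks, and neither the `default` nor the `inner-tunnel` site in this diff calls it (both occurrences are commented out), so nothing in this hunk can influence the EAP-MSCHAPv2 failure. The new `program` line also appends `--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}` to a command that already passes `--password=%{User-Password}`; for a plaintext request those xlats find no MS-CHAP attributes and fall back to `00`, and `%{myDomain}` is again undefined. The commented variant just above it (the original `--password`-only form with the `PERSONALE` fallback) is the one to keep if this module is meant for the captive portal's plaintext requests.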
diff -r 434b2b3ededc sites-available/default
--- a/sites-available/default   Mon Jan 16 15:17:07 2012 +0100
+++ b/sites-available/default   Fri Jan 20 11:22:45 2012 +0100
@@ -116,7 +116,7 @@
        #  the other styles won't be checked.
        #
        suffix
-#      ntdomain
+       ntdomain

        #
        #  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
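Review bot: enabling `ntdomain` here only strips a `DOMAIN\` prefix when a realm matching that domain is configured; this diff adds no `realm` definition to `proxy.conf`, so unless one already exists the module will report that the realm is unknown and leave `User-Name` untouched. Note also the ordering: `suffix` runs first, so a `user@realm` name is handled (or not) there and never reaches `ntdomain`, which matches the comment above that only the first matching style is checked.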
@@ -306,6 +306,8 @@
 #                      handled  # override the "updated" code from
attr_filter
 #              }
 #      }
+
+#      ntlm_auth
 }
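Review bot: `#      ntlm_auth` is commented out, so this hunk is a no-op. If it is meant to be enabled later, a bare module name in `authenticate` only defines an `Auth-Type` of the same name; something in `authorize` still has to set `control:Auth-Type := ntlm_auth` before this entry would ever run.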


@@ -347,7 +349,7 @@
        #  home server as authentication requests.
 #      IPASS
        suffix
-#      ntdomain
+       ntdomain

        #
        #  Read the 'acct_users' file
diff -r 434b2b3ededc sites-available/inner-tunnel
--- a/sites-available/inner-tunnel      Mon Jan 16 15:17:07 2012 +0100
+++ b/sites-available/inner-tunnel      Fri Jan 20 11:22:45 2012 +0100
@@ -89,7 +89,7 @@
        #  it difficult to bill people for their network activity.
        #
        suffix
-#      ntdomain
+       ntdomain

        #
        #  The "suffix" module takes care of stripping the domain
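Review bot: this is the site that sees the inner EAP-MSCHAPv2 identity, so this is the `ntdomain` change that matters for the failure under discussion. As in `default`, it needs a matching realm to strip anything, and whatever `Stripped-User-Name` it produces is only consumed by the `ntlm_auth` command line in `modules/mschap`, whose active variant in this diff does not read it (it uses `%{mschap:User-Name}` instead), so enabling `ntdomain` here cannot change what ntlm_auth is asked to verify.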
@@ -231,6 +231,8 @@
 #              ldap
 #      }

+#      ntlm_auth
+
        #
        #  Allow EAP authentication.
        eap
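Review bot: commented out, so a no-op, and not the right module for this case even if enabled: the inner EAP-MSCHAPv2 exchange is handled by `eap`, which dispatches to `mschap`, whose `ntlm_auth` command in `modules/mschap` is what talks to winbind for the challenge/response. This `exec`-based `ntlm_auth` module needs a `User-Password`, which an EAP request never carries, so it belongs only in a path that handles plaintext credentials.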


As you can see there are only minimal changes...

BYtE,
 Diego.


