EAP-PEAP + Windows 7 with SSO and Password change
CD DD
c_dornig at gmx.de
Thu Jun 14 09:46:33 CEST 2012
Hi Phil,
> src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c:
>
> about line 741, maybe this:
>
> pairmove2(&response, &handler->request->reply->vps,
> PW_MSCHAP_ERROR, 0);
>
> ...should be:
>
> pairmove2(&response, &handler->request->reply->vps,
> PW_MSCHAP_ERROR, VENDORSPEC_MICROSOFT);
>
> ?
>
> I don't understand though; I tested this as working, so
>
> Unfortunately my testbed is no longer assembled :o(
your fix works perfectly.
But it have to be:
> PW_MSCHAP_ERROR, VENDORPEC_MICROSOFT);
instead
> PW_MSCHAP_ERROR, VENDORSPEC_MICROSOFT);
<snip>
:
Exec-Program output: Must change password (0xc0000224)
Exec-Program-Wait: plaintext: Must change password (0xc0000224)
Exec-Program: returned: 1
(8) mschap : ntlm_auth says password must change
(8) [mschap] = reject
MSCHAP-Error: ?E=648 R=0 C=07cc36ab334ac36c8af4bc87201b552a V=3 M=Password Expired
Found new challenge from MS-CHAP-Error: err=648 retry=0 challenge=07cc36ab334ac36c8af4bc87201b552a
:
</snip>
The windows client get now the password change Window.
But i still have one issue:
the new passphrase will not changed.
I got: MS-CHAP-NT-Enc-PW with invalid format
here are the output from debug:
<snip>
:
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) group authenticate {
(9) - entering group authenticate {...}
(9) eap : Request found, released from the list
(9) eap : EAP/mschapv2
(9) eap : processing type mschapv2
rlm_eap_mschapv2: password change packet received
rlm_eap_mschapv2: built change password packet
EAP-Message = 0x020f024f1a070f024a7979c8bf7d1f48b508f3a77a6cf40c3b323e89bcd5407e2e5cb01cc46a4b647d1e8fe79e297aa65d676f10889d59b1c80cd7a3298d0c534821973b09
0992bae04d4d23a9d5d8f07f27cb11d98d0d4826d32098afc30bf72d9144cf7eb48961880421962a26877e3a12250621d8121e26041120ce25774a0a4671d1df838f83efb44072540349c518d1679ed8c31782d104b9e8fd27da45f0b130d9b0af78ff02021ce997841fd0bbcd91aaa610575f9a6212b842563b710cb0c8410f47d51a38b3a6d1818909d2fb4735346c8b611b3ba0dde0cf6efa446c2605975e5016c24b30888d918e0b0a03352d7a51d2eee48f14b77b0d
EAP-Message = 0x4a085ae945764de443cd775041a3138f227f90600ec3d8b2cc9648a5144dcb10918bc499d5c939677d1c15fadfbe9761da908e0fe8a864e8e4631b92f26d2ec3f98ba74263bac7072037c42b609f6e163176bafba7f25c5d1e9f4418a517e4d1179701510116215825d33a639a1e83fecf8835482f3f1dcd909fad60c03bd8b6bd7c557df2bcea320a1339dc01f028f0901d10e30119bf2a2b417cb69ab37d5e5223bb02bc506bbc21993f7a659000d12ec6c58153a4fa90679feb094bace85de10626834f59f5c751cf82f8854f862eb850759d4304b64490e752f6ab27b6bfcb90f9eb92559f3b584dca6fd0b77aff1220cbf491fd3c3f6d9b29ed6f
EAP-Message = 0x6220d11763505a3f83f3ba6b811924ec987ba0515d6f99d4b584888d36ab9af03e3f2120bb50aa142cd1843d1b8c6975777c150000000000000000f32ed76d7f602a6fba828238448651148ebe123062e60af10000
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "TEST\\user1"
State = 0x42f25dad43fd47b2696e125eaff8db99
Acct-Multi-Session-Id = "00-A1-B1-4D-D4-78-A1-23-DF-79-F0-B9-4F-D8-55-5F-00-04-FE-67"
Acct-Session-Id = "b82ba75a-00000133"
NAS-Port = 291
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "AP"
NAS-IP-Address = 10.0.1.50
Framed-MTU = 1496
Calling-Station-Id = "A1-23-DF-79-F0-B9"
Called-Station-Id = "00-A1-B1-4D-D4-78"
Service-Type = Framed-User
EAP-Type = MS-CHAP-V2
MS-CHAP-Challenge = 0x07cc36db334dc36c8af4bc87201b552a
MS-CHAP2-CPW = 0x070f515d6f99d4b584888d36ab9af03a3f2120bc50aa142cd1843d1b8c6975777c150000000000000000f32ed76d7f602a6fba828238448651148ebe123062e60af10000
MS-CHAP-NT-Enc-PW += 0x060f00017979c8bf7d1f48b508f3a56a6cf40c3b323e89bcd5407e2e5fb01cc46a4b647d1e8fe79e297aa65d676f10889d59b1c80cd7a3298d0c534821973b090992a7e04d4d23a9d5d8f07f27cb11d98d0d4826d32098afc30bf72d9144cf7eb48961880421962a26877e3a12250621d8121e26041120ce25774a0a4671d1df838f83efb44072540349c518d1679ed8c31782d104b9e8fd27da45f0b130d9b0af78ff02021ce997841fd0bbcd91aaa610575f9a6212b842563b710cb0c8410f47d51a38b3a6d1818909d2fb4735346c8b611b3ba0dde0cf6efa446c2605975e5016c24b30888d918e0b0a03352d7a51d2eee48f14b77b
MS-CHAP-NT-Enc-PW += 0x060f00020d4a085ae945764de443cd775041a3138f211f90600ec3d8b2cc9648a5144dcb10918bc499d5c939677d1c15fadfbe9761da908e0fe8a864e8e4631b92f26d2ec3f98ba74263bac7072037c42b609f6e163176bafba7f25c5d1e9f4418a517e4d1179701510116215825d33a639a1e83fecf8835482f3f1dcd909fad60c03bd8b6bd7c557df2bcea320a1339dc01f028f0901d10e30119bf2a2b417cb69ab37d5e5223bb02bc506bbc21993f7a659000d12ec6c58153a4fa90679feb094bace85de10626834f59f5c751cf82f8854f862eb850759d4304b64490e752f6ab27b6bfcb90f9eb92559f3b584dca6fd0b77aff1220
MS-CHAP-NT-Enc-PW += 0x060f0003cbf491ad3c3f6d9b29ed6f6220d11763505a3f83f3ba6b811924ec987ba0
(9) mschapv2 : # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) mschapv2 : group MS-CHAP {
(9) mschapv2 : - entering group MS-CHAP {...}
(9) mschap : MS-CHAPv2 password change request received
(9) mschap : MS-CHAP-NT-Enc-PW with invalid format
(9) [mschap] = invalid
rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
(9) eap : Handler failed in EAP/mschapv2
(9) eap : Failed in EAP select
(9) [eap] = invalid
(9) Failed to authenticate the user.
:
</snip>
thanks,
C.
--
Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de
More information about the Freeradius-Users
mailing list