eap: ERROR: Failed continuing EAP PEAP (25) session.
Stefano Pardini
stefanopardini at gmail.com
Tue Aug 2 10:28:15 CEST 2016
Finally I solved the problem.
These are my configuration files; I hope they are useful to someone.
*** sites/inner-tunnel
# Inner (tunneled) virtual server. modules/eap points both the ttls and
# peap sections at it (virtual_server = "inner-tunnel"), so this is where
# the EAP-MSCHAPv2 exchange carried inside the outer TLS tunnel is handled.
server inner-tunnel {
# Bound to loopback only: the inner server is not reachable from the
# network, only the eap module on this host hands requests to it.
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
# Only eap runs here. "ok = return" ends the section as soon as eap has
# claimed the request, so nothing placed after it in authorize would run.
authorize {
eap {
ok = return
}
}
# Plain MS-CHAP requests are handed to the mschap module; EAP requests
# (the MSCHAPv2 round-trips inside PEAP) go to eap.
authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}
session {
radutmp
}
# Empty on purpose: the outer server (sites/default) is the one that
# merges session-state into the reply the client actually receives.
post-auth {
}
pre-proxy {
}
post-proxy {
eap
}
}
*** sites/default
# Outer virtual server: receives Access-Request and Accounting-Request
# packets from the access points and runs the outer (TLS) half of PEAP
# through the eap module.
server default {
# Authentication listener on every interface; port = 0 selects the
# standard RADIUS authentication port. NOTE(review): the limit block is
# meaningful for connection-oriented listeners (TCP/TLS); for plain UDP it
# is presumably a no-op — confirm against the listen reference.
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
# Accounting listener on every interface, default accounting port.
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
# filter_username is the stock policy that sanity-checks User-Name before
# anything else sees it. auth_log writes every incoming request, including
# the attributes the client sent, to disk — keep that directory restricted
# to the radiusd user.
authorize {
filter_username
preprocess
auth_log
suffix
# Once eap has claimed the request, stop processing this section.
eap {
ok = return
}
}
authenticate {
eap
}
preacct {
preprocess
acct_unique
suffix
}
accounting {
detail
unix
exec
attr_filter.accounting_response
}
session {
}
# Attributes the inner tunnel stored in session-state are merged into the
# outer reply here, then users-file entries are applied.
post-auth {
update {
&reply: += &session-state:
}
files
remove_reply_message_if_eap
# On reject: the leading "-" makes sql optional (silently skipped if the
# module is not loaded); attr_filter.access_reject strips attributes that
# must not be sent in an Access-Reject.
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
}
pre-proxy {
}
post-proxy {
eap
}
}
*** modules/ldap
# LDAP module against the Samba4 AD directory.
# NOTE(review): neither virtual server above lists ldap in authorize or
# authenticate, so this module appears unused by the PEAP flow; confirm
# before relying on any of the mappings below.
ldap {
# Plain LDAP URL (no ldaps://) and the tls section below is empty, so the
# bind credentials and user lookups cross the wire unencrypted unless the
# path to server.testdomain.lan is otherwise protected.
server = 'server.testdomain.lan'
# Bind as a directory administrator. A read-only, least-privilege service
# account is preferable; the password is stored in cleartext here, so
# this file must be readable only by the radiusd user, and a credential
# that has been posted publicly should be treated as compromised.
identity = 'cn=administrator,cn=Users,dc=ad,dc=testdomain,dc=lan'
password = p4ss
base_dn = 'dc=ad,dc=testdomain,dc=lan'
sasl {
}
# Attribute-to-list mappings; presumably AD's unicodePwd is being exposed
# through Password-With-Header — verify that this is intended.
update {
control:Password-With-Header += 'unicodePWD'
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
# User lookup by sAMAccountName, falling back to the full User-Name when
# no stripped name is available.
user {
base_dn = "${..base_dn}"
filter =
"(&(objectClass=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
sasl {
}
}
# NOTE(review): base_dn is set twice in this section (an explicit
# ou=Groups DN and then the parent's base_dn); which one wins is not
# obvious from here — keep only the intended value.
group {
base_dn = 'ou=Groups,dc=ad,dc=testdomain,dc=lan'
base_dn = "${..base_dn}"
filter = '(objectClass=group)'
scope = 'sub'
name_attribute = cn
membership_filter = "(member=%{control:Ldap-UserDn})"
membership_attribute = 'memberOf'
}
profile {
}
# RADIUS clients (NAS entries) can be loaded from the directory; the
# shared secret is read from radiusClientSecret, so write access to those
# entries is equivalent to knowing the NAS secret.
client {
base_dn = "${..base_dn}"
filter = '(objectClass=radiusClient)'
template {
}
attribute {
ipaddr = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
}
}
# Accounting writes a human-readable status line into the user entry.
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
post-auth {
update {
description := "Authenticated at %S"
}
}
# rebind = yes re-uses the bind credentials above against any server a
# referral points to (hedged: per the module reference), so every referral
# target must be trusted. ldap_debug is a library debug mask; reset it to 0
# once troubleshooting is done, since the output can include request data.
options {
chase_referrals = yes
rebind = yes
res_timeout = 10
srv_timelimit = 3
net_timeout = 1
idle = 60
probes = 3
interval = 3
ldap_debug = 0x0028
}
# Empty: no TLS for the directory connection (see the server line above).
tls {
}
# Connection pool sized from the main thread pool.
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
}
*** modules/mschap
# MS-CHAP / MS-CHAPv2 module delegating the NT hash check to winbindd.
mschap {
# The domain is a literal rather than derived from the request, so
# presumably every user is checked against TESTDOMAIN regardless of the
# domain the supplicant supplied — confirm this is the intended behaviour.
winbind_username = "%{mschap:User-Name}"
winbind_domain = "TESTDOMAIN"
# winbind connection pool, sized from the main thread pool.
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
}
# Empty: MS-CHAPv2 password change is not configured.
passchange {
}
}
*** modules/eap
# EAP module. PEAP is the default outer method, with MSCHAPv2 as the inner
# method run in the inner-tunnel virtual server.
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
md5 {
}
leap {
}
gtc {
auth_type = Local
}
# Shared TLS settings for tls/ttls/peap. The private key lives under
# /etc/ssl; it must be readable only by the radiusd user.
tls-config tls-common {
certdir = /etc/ssl
cadir = /etc/ssl/ca
private_key_file = ${certdir}/radiuswip.server.lan.key
certificate_file = ${certdir}/radiuswip.server.lan.crt
ca_file = ${cadir}/ca.crt
dh_file = ${certdir}/radius.dh
ca_path = ${cadir}
# "DEFAULT" delegates the cipher selection to the OpenSSL build; review
# the resulting set so that weak suites are excluded.
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
# TLS session cache, so returning clients can resume without a full
# handshake.
cache {
enable = yes
max_entries = 255
}
# Empty: no extra client-certificate verification. Only relevant for
# EAP-TLS; PEAP as configured here does not use client certificates.
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
tls {
tls = tls-common
}
# TTLS is enabled with EAP-MD5 as its inner method; the MD5 exchange is
# protected only by the outer TLS tunnel.
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
# use_tunneled_reply = no: the inner reply is not copied into the outer
# reply by the module itself; sites/default post-auth does that explicitly
# via session-state. proxy_tunneled_request_as_eap keeps the inner request
# as EAP if it ever gets proxied.
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
2016-08-01 13:10 GMT+02:00 Stefano Pardini <stefanopardini at gmail.com>:
> Hi guys.
>
> I'm authenticating users against Samba4 using Winbindd (PEAP-MSCHAPv2).
> With radtest everything is working fine; the user information is
> correctly extracted and the authentication process is successful.
>
> I'm now trying to access through a WiFi client.
> The access point is configured properly and can communicate with the
> FreeRADIUS server.
> But I'm encountering the following error (radiusd -X):
>
> (8) eap_peap: Continuing EAP-TLS
> (8) eap_peap: [eaptls verify] = ok
> (8) eap_peap: Done initial handshake
> (8) eap_peap: [eaptls process] = ok
> (8) eap_peap: Session established. Decoding tunneled attributes
> (8) eap_peap: PEAP state send tlv success
> (8) eap_peap: Received EAP-TLV response
> (8) eap_peap: Client rejected our response. The password is probably incorrect
> (8) eap_peap: ERROR: We sent a success, but the client did not agree
> (8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
> (8) eap: Sending EAP Failure (code 4) ID 232 length 4
> (8) eap: Failed in EAP select
> (8) [eap] = invalid
> (8) } # authenticate = invalid
> (8) Failed to authenticate the user
>
> I also ran some tests with eapol_test, using the EAP-MSCHAPv2 config
> file published at http://deployingradius.com:
> decapsulated EAP packet (code=4 id=8 len=4) from RADIUS server: EAP Failure
>
> I'm using the following FreeRADIUS version.
> radiusd: FreeRADIUS Version 3.0.12 (git #ae2f29c), for host
> x86_64-unknown-linux-gnu, built on Jul 29 2016 at 11:17:40
> FreeRADIUS Version 3.0.12
>
> And the following Samba version (Debian 8.5): 4.2.10.
>
> If you need more detailed logs to understand the problem, let me know.
> Thanks in advance.