eap: ERROR: Failed continuing EAP PEAP (25) session.

Stefano Pardini stefanopardini at gmail.com
Tue Aug 2 10:44:31 CEST 2016


The problem was related to the "files" keyword inside the authorize
section of inner-tunnel.
After removing it, everything starts to work.

Sorry for the inconvenience.

2016-08-02 10:28 GMT+02:00 Stefano Pardini <stefanopardini at gmail.com>:
> Finally I solved the problem.
> These are my configuration files; I hope they can be useful for someone.
>
>
>
> *** sites/inner-tunnel
> server inner-tunnel {
>
> listen {
>        ipaddr = 127.0.0.1
>        port = 18120
>        type = auth
> }
>
> authorize {
>     eap {
>         ok = return
>     }
> }
>
> authenticate {
>     Auth-Type MS-CHAP {
>         mschap
>     }
>
>     eap
> }
>
> session {
>     radutmp
> }
>
> post-auth {
>
> }
>
> pre-proxy {
>
> }
>
> post-proxy {
>     eap
> }
>
> }
>
> *** sites/default
> server default {
>
> listen {
>     type = auth
>     ipaddr = *
>     port = 0
>
>     limit {
>           max_connections = 16
>           lifetime = 0
>           idle_timeout = 30
>     }
> }
>
> listen {
>     ipaddr = *
>     port = 0
>     type = acct
>     limit {
>
>     }
> }
>
> authorize {
>     filter_username
>     preprocess
>     auth_log
>     suffix
>
>     eap {
>         ok = return
>     }
> }
>
> authenticate {
>     eap
> }
>
> preacct {
>     preprocess
>     acct_unique
>     suffix
> }
>
> accounting {
>     detail
>     unix
>     exec
>     attr_filter.accounting_response
> }
>
> session {
>
> }
>
> post-auth {
>     update {
>         &reply: += &session-state:
>     }
>
>     files
>
>     remove_reply_message_if_eap
>
>     Post-Auth-Type REJECT {
>         -sql
>         attr_filter.access_reject
>
>         eap
>
>         remove_reply_message_if_eap
>     }
> }
>
> pre-proxy {
>
> }
>
> post-proxy {
>     eap
> }
>
> }
>
> *** modules/ldap
> ldap {
>     server = 'server.testdomain.lan'
>     identity = 'cn=administrator,cn=Users,dc=ad,dc=testdomain,dc=lan'
>     password = p4ss
>     base_dn = 'dc=ad,dc=testdomain,dc=lan'
>     sasl {
>     }
>     update {
>         control:Password-With-Header    += 'unicodePWD'
>         control:            += 'radiusControlAttribute'
>         request:            += 'radiusRequestAttribute'
>         reply:                += 'radiusReplyAttribute'
>     }
>     user {
>         base_dn = "${..base_dn}"
>         filter = "(&(objectClass=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
>         sasl {
>         }
>     }
>     group {
>         base_dn = 'ou=Groups,dc=ad,dc=testdomain,dc=lan'
>         # base_dn = "${..base_dn}"   # duplicate key left over from the stock module; the ou=Groups base_dn above is the one kept
>         filter = '(objectClass=group)'
>         scope = 'sub'
>         name_attribute = cn
>         membership_filter = "(member=%{control:Ldap-UserDn})"
>         membership_attribute = 'memberOf'
>     }
>     profile {
>     }
>     client {
>         base_dn = "${..base_dn}"
>         filter = '(objectClass=radiusClient)'
>         template {
>         }
>         attribute {
>             ipaddr                = 'radiusClientIdentifier'
>             secret                = 'radiusClientSecret'
>         }
>     }
>     accounting {
>         reference = "%{tolower:type.%{Acct-Status-Type}}"
>         type {
>             start {
>                 update {
>                     description := "Online at %S"
>                 }
>             }
>             interim-update {
>                 update {
>                     description := "Last seen at %S"
>                 }
>             }
>             stop {
>                 update {
>                     description := "Offline at %S"
>                 }
>             }
>         }
>     }
>     post-auth {
>         update {
>             description := "Authenticated at %S"
>         }
>     }
>     options {
>         chase_referrals = yes
>         rebind = yes
>         res_timeout = 10
>         srv_timelimit = 3
>         net_timeout = 1
>         idle = 60
>         probes = 3
>         interval = 3
>         ldap_debug = 0x0028
>     }
>     tls {
>     }
>     pool {
>         start = ${thread[pool].start_servers}
>         min = ${thread[pool].min_spare_servers}
>         max = ${thread[pool].max_servers}
>         spare = ${thread[pool].max_spare_servers}
>         uses = 0
>         retry_delay = 30
>         lifetime = 0
>         idle_timeout = 60
>     }
> }
>
> *** modules/mschap
> mschap {
>     winbind_username = "%{mschap:User-Name}"
>     winbind_domain = "TESTDOMAIN"
>     pool {
>         start = ${thread[pool].start_servers}
>         min = ${thread[pool].min_spare_servers}
>         max = ${thread[pool].max_servers}
>         spare = ${thread[pool].max_spare_servers}
>         uses = 0
>         retry_delay = 30
>         lifetime = 86400
>         cleanup_interval = 300
>         idle_timeout = 600
>     }
>     passchange {
>     }
> }
>
> *** modules/eap
> eap {
>     default_eap_type = peap
>     timer_expire     = 60
>     ignore_unknown_eap_types = no
>     cisco_accounting_username_bug = no
>     max_sessions = ${max_requests}
>     md5 {
>     }
>     leap {
>     }
>     gtc {
>         auth_type = Local
>     }
>     tls-config tls-common {
>         certdir = /etc/ssl
>         cadir = /etc/ssl/ca
>         private_key_file = ${certdir}/radiuswip.server.lan.key
>         certificate_file = ${certdir}/radiuswip.server.lan.crt
>         ca_file = ${cadir}/ca.crt
>         dh_file = ${certdir}/radius.dh
>         ca_path = ${cadir}
>         cipher_list = "DEFAULT"
>         ecdh_curve = "prime256v1"
>         cache {
>             enable = yes
>             max_entries = 255
>         }
>         verify {
>         }
>         ocsp {
>             enable = no
>             override_cert_url = yes
>             url = "http://127.0.0.1/ocsp/"
>         }
>     }
>     tls {
>         tls = tls-common
>     }
>     ttls {
>         tls = tls-common
>         default_eap_type = md5
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         virtual_server = "inner-tunnel"
>     }
>     peap {
>         tls = tls-common
>         default_eap_type = mschapv2
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         proxy_tunneled_request_as_eap = yes
>         virtual_server = "inner-tunnel"
>     }
>     mschapv2 {
>     }
> }
>
> 2016-08-01 13:10 GMT+02:00 Stefano Pardini <stefanopardini at gmail.com>:
>> Hi guys.
>>
>> I'm authenticating users against Samba4 using Winbindd (PEAP-MSCHAPv2).
>> With radtest everything is working fine; the user information is
>> correctly extracted and the authentication process is successful.
>>
>> I'm now trying to access through a WiFi client.
>> The access point is configured properly and can communicate with the
>> FreeRADIUS server.
>> But I'm encountering the following error (radiusd -X):
>>
>> (8) eap_peap: Continuing EAP-TLS
>> (8) eap_peap: [eaptls verify] = ok
>> (8) eap_peap: Done initial handshake
>> (8) eap_peap: [eaptls process] = ok
>> (8) eap_peap: Session established.  Decoding tunneled attributes
>> (8) eap_peap: PEAP state send tlv success
>> (8) eap_peap: Received EAP-TLV response
>> (8) eap_peap: Client rejected our response.  The password is probably incorrect
>> (8) eap_peap: ERROR: We sent a success, but the client did not agree
>> (8) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
>> (8) eap: Sending EAP Failure (code 4) ID 232 length 4
>> (8) eap: Failed in EAP select
>> (8)     [eap] = invalid
>> (8)   } # authenticate = invalid
>> (8) Failed to authenticate the user
>>
>> I also made some tests with eapol_test, using the EAP-MSCHAPv2 config
>> file reported at http://deployingradius.com:
>> decapsulated EAP packet (code=4 id=8 len=4) from RADIUS server: EAP Failure
>>
>> I'm using the following FreeRADIUS version.
>> radiusd: FreeRADIUS Version 3.0.12 (git #ae2f29c), for host
>> x86_64-unknown-linux-gnu, built on Jul 29 2016 at 11:17:40
>> FreeRADIUS Version 3.0.12
>>
>> And the following Samba version (Debian 8.5): 4.2.10.
>>
>> To understand the problem, tell me if you need a more detailed log.
>> Thanks in advance.

