eap: ERROR: Failed continuing EAP PEAP (25) session.
Stefano Pardini
stefanopardini at gmail.com
Tue Aug 2 10:44:31 CEST 2016
The problem was related to the "files" keyword inside the authorize
section of inner-tunnel.
Removing it, everything starts to work.
Sorry for the inconvenience.
2016-08-02 10:28 GMT+02:00 Stefano Pardini <stefanopardini at gmail.com>:
> Finally I solved the problem.
> These are my configuration files, hoping that they can be useful to someone.
>
>
>
> *** sites/inner-tunnel
> server inner-tunnel {
>
> listen {
> ipaddr = 127.0.0.1
> port = 18120
> type = auth
> }
>
> authorize {
> eap {
> ok = return
> }
> }
>
> authenticate {
> Auth-Type MS-CHAP {
> mschap
> }
>
> eap
> }
>
> session {
> radutmp
> }
>
> post-auth {
>
> }
>
> pre-proxy {
>
> }
>
> post-proxy {
> eap
> }
>
> }
>
> *** sites/default
> server default {
>
> listen {
> type = auth
> ipaddr = *
> port = 0
>
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
>
> listen {
> ipaddr = *
> port = 0
> type = acct
> limit {
>
> }
> }
>
> authorize {
> filter_username
> preprocess
> auth_log
> suffix
>
> eap {
> ok = return
> }
> }
>
> authenticate {
> eap
> }
>
> preacct {
> preprocess
> acct_unique
> suffix
> }
>
> accounting {
> detail
> unix
> exec
> attr_filter.accounting_response
> }
>
> session {
>
> }
>
> post-auth {
> update {
> &reply: += &session-state:
> }
>
> files
>
> remove_reply_message_if_eap
>
> Post-Auth-Type REJECT {
> -sql
> attr_filter.access_reject
>
> eap
>
> remove_reply_message_if_eap
> }
> }
>
> pre-proxy {
>
> }
>
> post-proxy {
> eap
> }
>
> }
>
> *** modules/ldap
> ldap {
> server = 'server.testdomain.lan'
> identity = 'cn=administrator,cn=Users,dc=ad,dc=testdomain,dc=lan'
> password = p4ss
> base_dn = 'dc=ad,dc=testdomain,dc=lan'
> sasl {
> }
> update {
> control:Password-With-Header += 'unicodePWD'
> control: += 'radiusControlAttribute'
> request: += 'radiusRequestAttribute'
> reply: += 'radiusReplyAttribute'
> }
> user {
> base_dn = "${..base_dn}"
> filter = "(&(objectClass=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
> sasl {
> }
> }
> group {
> # only one base_dn is allowed here; with scope = 'sub' the domain base
> # also covers the ou=Groups subtree
> base_dn = "${..base_dn}"
> filter = '(objectClass=group)'
> scope = 'sub'
> name_attribute = cn
> membership_filter = "(member=%{control:Ldap-UserDn})"
> membership_attribute = 'memberOf'
> }
> profile {
> }
> client {
> base_dn = "${..base_dn}"
> filter = '(objectClass=radiusClient)'
> template {
> }
> attribute {
> ipaddr = 'radiusClientIdentifier'
> secret = 'radiusClientSecret'
> }
> }
> accounting {
> reference = "%{tolower:type.%{Acct-Status-Type}}"
> type {
> start {
> update {
> description := "Online at %S"
> }
> }
> interim-update {
> update {
> description := "Last seen at %S"
> }
> }
> stop {
> update {
> description := "Offline at %S"
> }
> }
> }
> }
> post-auth {
> update {
> description := "Authenticated at %S"
> }
> }
> options {
> chase_referrals = yes
> rebind = yes
> res_timeout = 10
> srv_timelimit = 3
> net_timeout = 1
> idle = 60
> probes = 3
> interval = 3
> ldap_debug = 0x0028
> }
> tls {
> }
> pool {
> start = ${thread[pool].start_servers}
> min = ${thread[pool].min_spare_servers}
> max = ${thread[pool].max_servers}
> spare = ${thread[pool].max_spare_servers}
> uses = 0
> retry_delay = 30
> lifetime = 0
> idle_timeout = 60
> }
> }
>
> *** modules/mschap
> mschap {
> winbind_username = "%{mschap:User-Name}"
> winbind_domain = "TESTDOMAIN"
> pool {
> start = ${thread[pool].start_servers}
> min = ${thread[pool].min_spare_servers}
> max = ${thread[pool].max_servers}
> spare = ${thread[pool].max_spare_servers}
> uses = 0
> retry_delay = 30
> lifetime = 86400
> cleanup_interval = 300
> idle_timeout = 600
> }
> passchange {
> }
> }
>
> *** modules/eap
> eap {
> default_eap_type = peap
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = ${max_requests}
> md5 {
> }
> leap {
> }
> gtc {
> auth_type = Local
> }
> tls-config tls-common {
> certdir = /etc/ssl
> cadir = /etc/ssl/ca
> private_key_file = ${certdir}/radiuswip.server.lan.key
> certificate_file = ${certdir}/radiuswip.server.lan.crt
> ca_file = ${cadir}/ca.crt
> dh_file = ${certdir}/radius.dh
> ca_path = ${cadir}
> cipher_list = "DEFAULT"
> ecdh_curve = "prime256v1"
> cache {
> enable = yes
> max_entries = 255
> }
> verify {
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> }
> }
> tls {
> tls = tls-common
> }
> ttls {
> tls = tls-common
> default_eap_type = md5
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> }
> peap {
> tls = tls-common
> default_eap_type = mschapv2
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> }
> mschapv2 {
> }
> }
>
> 2016-08-01 13:10 GMT+02:00 Stefano Pardini <stefanopardini at gmail.com>:
>> Hi guys.
>>
>> I'm authenticating users against Samba4 using Winbindd (PEAP-MSCHAPv2).
>> With radtest everything is working fine; the user information is
>> correctly extracted and the authentication process is successful.
>>
>> I'm now trying to access through a WiFi client.
>> The access point is configured properly and can communicate with the
>> FreeRADIUS server.
>> But I'm encountering the following error (radiusd -X):
>>
>> (8) eap_peap: Continuing EAP-TLS
>> (8) eap_peap: [eaptls verify] = ok
>> (8) eap_peap: Done initial handshake
>> (8) eap_peap: [eaptls process] = ok
>> (8) eap_peap: Session established. Decoding tunneled attributes
>> (8) eap_peap: PEAP state send tlv success
>> (8) eap_peap: Received EAP-TLV response
>> (8) eap_peap: Client rejected our response. The password is probably incorrect
>> (8) eap_peap: ERROR: We sent a success, but the client did not agree
>> (8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
>> (8) eap: Sending EAP Failure (code 4) ID 232 length 4
>> (8) eap: Failed in EAP select
>> (8) [eap] = invalid
>> (8) } # authenticate = invalid
>> (8) Failed to authenticate the user
>>
>> I made some tests even with eapol_test, using the EAP-MSCHAPv2 config
>> file reported in http://deployingradius.com:
>> decapsulated EAP packet (code=4 id=8 len=4) from RADIUS server: EAP Failure
>>
>> I'm using the following FreeRADIUS version.
>> radiusd: FreeRADIUS Version 3.0.12 (git #ae2f29c), for host
>> x86_64-unknown-linux-gnu, built on Jul 29 2016 at 11:17:40
>> FreeRADIUS Version 3.0.12
>>
>> And the following Samba version (Debian 8.5): 4.2.10.
>>
>> To understand the problem, tell me if you need a more accurate log.
>> Thanks in advance.
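An added triage helper for reading `radiusd -X` output like the excerpt above. This is my own example, not code from the thread or from the FreeRADIUS project. It groups the debug lines by request number and, for each request, checks whether the PEAP tunnel was already up ("Session established") when the first ERROR line appeared: if it was, the outer TLS and certificate configuration did its job and the fault is in the inner-tunnel virtual server, which is exactly where the thread's fix (the `files` entry in the inner-tunnel authorize section) turned out to be. Request (8) in the embedded sample is the thread's own excerpt; request (9) is a constructed successful request added only for contrast, and the `tls-phase-failure` line in the usage is likewise constructed.

```python
"""Triage FreeRADIUS `radiusd -X` output for EAP-PEAP failures.

Per request, report whether the outer TLS tunnel came up before the first
error, so the reader knows whether to look at certificate/TLS settings or at
the inner-tunnel virtual server.  Added example, not FreeRADIUS code.
"""
import re
from collections import defaultdict

# Constructed sample.  Request (8) is the excerpt from the thread; request (9)
# is a made-up successful PEAP request included for contrast.
SAMPLE_LOG = """\
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state send tlv success
(8) eap_peap: Received EAP-TLV response
(8) eap_peap: Client rejected our response. The password is probably incorrect
(8) eap_peap: ERROR: We sent a success, but the client did not agree
(8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(8) eap: Sending EAP Failure (code 4) ID 232 length 4
(8) eap: Failed in EAP select
(8) [eap] = invalid
(8) } # authenticate = invalid
(8) Failed to authenticate the user
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap: Sending EAP Success (code 3) ID 17 length 4
(9) [eap] = ok
(9) } # authenticate = ok
"""

# "(N) rest of line" as printed by radiusd -X for per-request output
LINE_RE = re.compile(r"^\((?P<req>\d+)\)\s+(?P<body>.*)$")
EAP_ID_RE = re.compile(r"Sending EAP (?:Success|Failure) \(code \d\) ID (\d+)")


def parse_requests(text):
    """Return {request_number: [line bodies]} in logged order.
    Lines without a leading "(N)" (banners, module loading) are skipped."""
    requests = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            requests[int(m.group("req"))].append(m.group("body"))
    return dict(requests)


def classify_request(lines):
    """Triage one request's lines.  Verdicts:
       ok                 - the authenticate section returned ok
       tls-phase-failure  - first ERROR came before 'Session established'
       inner-auth-failure - tunnel was up, so the inner-tunnel server failed
       unknown            - no ERROR line and no authenticate = ok"""
    tunnel_up_at = next((i for i, l in enumerate(lines)
                         if "Session established" in l), None)
    error_idx = [i for i, l in enumerate(lines) if "ERROR:" in l]
    eap_id = next((int(m.group(1)) for l in lines
                   for m in [EAP_ID_RE.search(l)] if m), None)
    if any(l.startswith("} # authenticate = ok") for l in lines):
        verdict = "ok"
    elif not error_idx:
        verdict = "unknown"
    elif tunnel_up_at is not None and error_idx[0] > tunnel_up_at:
        verdict = "inner-auth-failure"
    else:
        verdict = "tls-phase-failure"
    return {"verdict": verdict, "eap_id": eap_id,
            "errors": [lines[i] for i in error_idx]}


def triage(text):
    """Map every request number in a radiusd -X dump to its triage result."""
    return {req: classify_request(lines)
            for req, lines in parse_requests(text).items()}


if __name__ == "__main__":
    # Usage: python3 peap_triage.py < debug.log, or run as-is on the sample.
    for req, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"({req}) {info['verdict']}  EAP-ID={info['eap_id']}")
        for err in info["errors"]:
            print(f"      {err}")
```

On the thread's excerpt this reports request (8) as `inner-auth-failure` with EAP ID 232 and the two ERROR lines, which is the signal to look at the inner-tunnel virtual server rather than at `tls-common`. An ERROR before "Session established" (a TLS alert such as an unknown CA from the supplicant) is classified as `tls-phase-failure` instead.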
More information about the Freeradius-Users mailing list