bad radtest results with eap/peap mschap
Michel Villeneuve
Michel.Villeneuve at univ-brest.fr
Thu May 4 16:29:43 CEST 2017
Thanks Alan
Yes I did that
In the default server I put in the post-auth section a condition depending on my realm, like:

if ( &reply:Realm != "mydomain.ex" ) {
    update {
        &reply:Tunnel-Private-Group-Id := 143
    }
}
elsif ( ....
and it works. In the inner-tunnel I put a condition to specify a VLAN according to an LDAP attribute (only for internal users), like:

if (&outer.session-state:LDAP-Desc == "employee") {
    update outer.session-state {
        &Tunnel-Private-Group-Id := 142
    }
}
elsif (......

and it works too.
If I try with eapol_test:

eapol_test -c eapol_student -p1812 -smysecret -r1

with eapol_student =

network={
    eap=PEAP
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="teststudent at univ-brest.fr"
    password="a1z2e3r4*"
    phase2="auth=MSCHAPV2"
}

it works.
I attached the first debug (radius -X) of this command, and the result for eapol_test is:
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): a4 c1 e3 f6 68 80 9a 8e c5 65 69 44 dd 1a
70 10 b6 f6 69 53 53 17 b4 a2 14 8d f1 66 2d aa 72 fa
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 2 mismatch: 0
SUCCESS
But if I try:

[root at freeradius-3-a test]# radtest -t mschap teststudent 'a1z2e3r4*' 127.0.0.1:18120 0 mysecret
Sent Access-Request Id 176 from 0.0.0.0:40417 to 127.0.0.1:18120 length 137
    User-Name = "teststudent"
    MS-CHAP-Password = "a1z2e3r4*"
    NAS-IP-Address = 195.83.247.135
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "a1z2e3r4*"
    MS-CHAP-Challenge = 0xb835226cb6ade5e0
    MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000008062fbf5061e27dcc5038f6ad7105d9486d9df3efc9813c5
Received Access-Reject Id 176 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
I attached the second debug file too. It's the same result for internal or external users: it fails.

I would like to understand why I get this error with radtest even though it works well with a wifi device or eapol_test.

I noticed that when I configured my radius step by step, at the beginning I didn't assign a VLAN in the default and inner-tunnel servers. I didn't configure the post-auth section and so I didn't use the update outer.session-state and update blocks.
At that time, my tests with a device, eapol_test and radtest with the same command line worked. When I added the update blocks in the inner-tunnel:

update {
    &outer.session-state: += &reply:
}
+
update outer.session-state {
    MS-MPPE-Encryption-Policy......

my tests failed with the radtest command and still worked with the device and eapol_test.

So I have a doubt about my configuration; any advice will be appreciated. I would like to be sure of my configuration before using it in production, or can I use it like that?
Michel
Quoting Alan Buxey <alan.buxey at gmail.com>:
> PEAP etc use inner-tunnel, radtest is just a PAP or MSCHAP method,
> without any EAP so it doesn't use inner-tunnel....and therefore will
> use whatever auth methods you only have in the outer phase (in
> 'default' server with a default install) - you could try using eg
> eapol_test (part of wpa_supplicant) - or, use radtest against the
> direct inner-tunnel listener - read the inner-tunnel config..it has a listen
> on localhost 18121 or 18120 or such.... direct your radtest to that.
>
> note that this config won't work if you have real external users (ie
> users that you proxy off to a remote RADIUS server - eg in eduroam -
> for that you need to also look at setting VLANs in the post-auth outer
> phase (or don't assign a VLAN and hope your kit drops people correctly
> onto a predefined default vlan).
>
> alan
>
> On 28 April 2017 at 22:06, Michel Villeneuve
> <Michel.Villeneuve at univ-brest.fr> wrote:
>> Hi,
>>
>> I use freeradius-3.0.12 on centos 7.3 with an openldap 2.4 and a samba
>> attribute, EAP / PEAP authentication MSCHAPV2.
>>
>> I want to authenticate and authorize users according to their
>> attribute in the LDAP.
>> I created an attribute LDAP-Desc mapped to the field
>> eduPersonPrimaryAffiliation in my LDAP.
>> I want to put users on a specific VLAN if they are students, employees ....
>> or outside people.
>>
>> For that I use in the inner-tunnel the capability to return AVPs like
>> Tunnel-Private-Group-Id with the right value.
>>
>> It works very well, for internal and also for external people. I tested
>> also the realm value in the default server and I put also the right
>> Tunnel-Private-Group-Id depending on the value of the realm. It works
>> with devices like smartphones, PCs ... and also with the command:
>>
>> eapol_test -c afile -p1812 -smysecret -r1
>>
>> Everything seems good, but not when I use the radtest command.
>>
>> I can't authenticate internal or external people with the test command
>> radtest:
>>
>> [root at freeradius-3-a test]# radtest 'teststudent' 'a1z2e3r4*' localhost 1812 mysecret
>>
>> Sent Access-Request Id 154 from 0.0.0.0:54585 to 127.0.0.1:1812 length 81
>>     User-Name = "teststudent"
>>     User-Password = "a1z2e3r4*"
>>     NAS-IP-Address = 195.83.247.135
>>     NAS-Port = 1812
>>     Message-Authenticator = 0x00
>>     Cleartext-Password = "a1z2e3r4*"
>> Received Access-Reject Id 154 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
>> (0) -: Expected Access-Accept got Access-Reject
>>
>> nor
>>
>> radtest -t mschap 'teststudent' 'a1z2e3r4*' 127.0.0.1:18120 1 mysecret
>>
>> I got
>>
>> [root at freeradius-3-a test]# radtest -t mschap 'teststudent' 'secret' 127.0.0.1:18120 1 mysecret
>> Sent Access-Request Id 129 from 0.0.0.0:34088 to 127.0.0.1:18120 length 137
>>     User-Name = "teststudent"
>>     MS-CHAP-Password = "a1z2e3r4*"
>>     NAS-IP-Address = 195.83.247.135
>>     NAS-Port = 1
>>     Message-Authenticator = 0x00
>>     Cleartext-Password = "secret"
>>     MS-CHAP-Challenge = 0x3a7dd0c59a922170
>>     MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000ae872e407e206d5579b1515fbf4e92f594e5c5e66739c6e7
>> Received Access-Reject Id 129 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
>> (0) -: Expected Access-Accept got Access-Reject
>>
>> Perhaps the problem comes from the /etc/raddb/mods-enabled/mschap file;
>> I tried different values with no good results.
>>
>> mschap {
>>     with_ntdomain_hack = no
>>     #authtype = MS-CHAP
>>     allow_retry = yes
>>     use_mppe = yes
>>     require_encryption = yes
>>     require_strong = yes
>>     .....
>> I am not sure about the right values needed for this section.
>> I would like to have some advice before using this configuration in a
>> production environment.
>>
>> Here is a debug with a successful result.
>>
>> Thanks in advance for your help
>>
>> PS:
>> Sorry for my English, I hope it's comprehensible.
>> --
>> Michel Villeneuve
>> Tel 02 98 01 71 61
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
--
Michel Villeneuve
Tel 02 98 01 71 61
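As an added illustration of what the `radtest -t mschap ... 127.0.0.1:18120` run above actually puts on the wire (this is example code written for this page, not FreeRADIUS code and not from the thread), the script below encodes the Access-Request from the attribute values printed by radtest, fills in Message-Authenticator the way RFC 2869 specifies (HMAC-MD5 keyed with the shared secret over the packet, with the attribute's value zeroed), and checks the Response Authenticator of the 20-byte Access-Reject the server sent back (RFC 2865). The shared secret `mysecret` and the Microsoft VSA numbers are real; the 16-byte Request Authenticator is constructed here because radtest does not print it. Encoding only the six attributes a client really sends reproduces the `length 137` radtest reported, which shows that `MS-CHAP-Password` and `Cleartext-Password` in the printout are local to radclient and never leave the host: the inner-tunnel listener sees a plain MS-CHAP request with no EAP around it.

```python
"""Encode, parse and verify the RADIUS packets exchanged by `radtest -t mschap`.
Example code for this page, not FreeRADIUS code. Attribute values are copied
from the radtest output in the thread; the Request Authenticator is constructed."""
import hashlib
import hmac
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
VENDOR_MICROSOFT = 311      # enterprise number carried in the MS-* vendor-specific attributes
MS_CHAP_RESPONSE = 1        # MS-CHAPv1: Ident, Flags, LM-Response(24), NT-Response(24)
MS_CHAP_CHALLENGE = 11      # 8-byte MS-CHAPv1 challenge


def attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value(<=253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def vsa(vendor, vtype, value):
    """Encode a Vendor-Specific attribute carrying one vendor sub-attribute."""
    return attr(ATTR_VENDOR_SPECIFIC,
                struct.pack(">I", vendor) + bytes([vtype, len(value) + 2]) + value)


def build_access_request(pid, secret, authenticator, username, nas_ip, nas_port,
                         challenge, response):
    """Assemble the request and fill in Message-Authenticator: HMAC-MD5 keyed with
    the shared secret over the whole packet, computed with its own 16 value bytes
    set to zero (RFC 2869 section 5.14)."""
    before_ma = (attr(ATTR_USER_NAME, username.encode())
                 + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
                 + attr(ATTR_NAS_PORT, struct.pack(">I", nas_port)))
    after_ma = (vsa(VENDOR_MICROSOFT, MS_CHAP_CHALLENGE, challenge)
                + vsa(VENDOR_MICROSOFT, MS_CHAP_RESPONSE, response))
    body = before_ma + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)) + after_ma
    packet = struct.pack(">BBH", ACCESS_REQUEST, pid, 20 + len(body)) + authenticator + body
    ma_offset = 20 + len(before_ma) + 2          # start of the 16 zero bytes
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_offset] + mac + packet[ma_offset + 16:]


def parse_packet(data):
    """Return (code, id, authenticator, [(type, value), ...]); a VSA is returned
    as (26, (vendor, vendor_type, value))."""
    code, pid, length = struct.unpack(">BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = data[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack(">I", value[:4])[0]
            value = (vendor, value[4], value[6:4 + value[5]])
        attrs.append((atype, value))
        pos += alen
    return code, pid, data[4:20], attrs


def verify_message_authenticator(data, secret):
    """True only if the packet carries a Message-Authenticator that matches `secret`."""
    pos = 20
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = data[:pos + 2] + bytes(16) + data[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, data[pos + 2:pos + 18])
        pos += alen
    return False


def build_access_reject(pid, request_authenticator, secret):
    """Attribute-less Access-Reject (20 bytes, as in the thread). The Response
    Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865."""
    header = struct.pack(">BBH", ACCESS_REJECT, pid, 20)
    return header + hashlib.md5(header + request_authenticator + secret).digest()


def verify_response_authenticator(response, request_authenticator, secret):
    """Check that a reply was produced by a server holding the same shared secret."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


# Values from the radtest output in the thread. The LM-Response field of the
# MS-CHAP-Response is all zero, as radtest sent it. REQUEST_AUTHENTICATOR is constructed.
SECRET = b"mysecret"
REQUEST_AUTHENTICATOR = bytes(range(16))
CHALLENGE = bytes.fromhex("b835226cb6ade5e0")
RESPONSE = (bytes.fromhex("0001") + bytes(24)
            + bytes.fromhex("8062fbf5061e27dcc5038f6ad7105d9486d9df3efc9813c5"))


def example_request():
    return build_access_request(176, SECRET, REQUEST_AUTHENTICATOR, "teststudent",
                                "195.83.247.135", 0, CHALLENGE, RESPONSE)


if __name__ == "__main__":
    req = example_request()
    code, pid, auth, attrs = parse_packet(req)
    print("Access-Request id", pid, "length", len(req),
          "Message-Authenticator ok:", verify_message_authenticator(req, SECRET))
    rej = build_access_reject(pid, auth, SECRET)
    print("Access-Reject length", len(rej),
          "Response Authenticator ok:", verify_response_authenticator(rej, auth, SECRET))
```

Run it with `python3` and it reports the 137-byte request and a 20-byte reject whose Response Authenticator verifies under `mysecret`; change the secret on either side and both checks fail, which is the same symptom a mismatched `clients.conf` secret produces on a real listener. The `Message-Authenticator = 0x00` that radtest prints is the placeholder before the HMAC is filled in, exactly as `build_access_request` does it.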