mschap configuration problem
L.P.H. van Belle
belle at bazuin.nl
Tue Jul 14 15:01:48 CEST 2020
XP.. :-/ ..
Expect more problems...
But for your XP you can try this, if that doesn't work upgrade to W10
https://msfn.org/board/topic/178092-enable-tls-11-and-12-in-windows-xp-correctly/
And for Win7 this.
https://manage.accuwebhosting.com/knowledgebase/3008/How-do-I-enable-TLS-12-on-Windows-7.html
Greetz,
Louis
> -----Original message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of Piviul
> Sent: Tuesday, 14 July 2020 14:54
> To: freeradius-users at lists.freeradius.org
> Subject: Re: mschap configuration problem
>
> L.P.H. van Belle via Freeradius-Users wrote on 07/07/20 at 15:18:
> > Is your AD-DC also a samba server ?
> >
> > Try adding this to smb.conf (global)
> > # Add for freeradius support
> > ntlm auth = mschapv2-and-ntlmv2-only
> After changing ntlm_auth, as you suggest, on the samba AD the problem seems to be solved.
>
> But now I have another problem using the CA certificate. I would like to
> use the freeradius server to authenticate wifi users on WPA2 Enterprise
> security settings using PEAP authentication.
> If I configure linux, win xp and win7 clients using the ca certificate
> and the WPA2 Enterprise auth protocol using PEAP and MSCHAP, linux seems to
> work but the win xp and win7 clients don't. On the winxp logs I can find:
> > (30) Found Auth-Type = eap
> > (30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> > (30) authenticate {
> > (30) eap: Expiring EAP session with state 0x1cc2a6451cccbf2e
> > (30) eap: Finished EAP session with state 0x1cc2a6451cccbf2e
> > (30) eap: Previous EAP request found for state 0x1cc2a6451cccbf2e, released from the list
> > (30) eap: Peer sent packet with method EAP PEAP (25)
> > (30) eap: Calling submodule eap_peap to process data
> > (30) eap_peap: Continuing EAP-TLS
> > (30) eap_peap: Peer indicated complete TLS record size will be 77 bytes
> > (30) eap_peap: Got complete TLS record (77 bytes)
> > (30) eap_peap: [eaptls verify] = length included
> > (30) eap_peap: (other): before SSL initialization
> > (30) eap_peap: TLS_accept: before SSL initialization
> > (30) eap_peap: TLS_accept: before SSL initialization
> > (30) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0048]
> > (30) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
> > (30) eap_peap: ERROR: TLS Alert write:fatal:handshake failure
> > tls: TLS_accept: Error in error
> > (30) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
> > (30) eap_peap: ERROR: System call (I/O) error (-1)
> > (30) eap_peap: ERROR: TLS receive handshake failed during operation
> > (30) eap_peap: ERROR: [eaptls process] = fail
> > (30) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
> > (30) eap: Sending EAP Failure (code 4) ID 14 length 4
> > (30) eap: Failed in EAP select
> > (30) [eap] = invalid
> > (30) } # authenticate = invalid
> > (30) Failed to authenticate the user
> > (30) Using Post-Auth-Type Reject
>
>
> and on the win7 client:
> > (14) Found Auth-Type = eap
> > (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> > (14) authenticate {
> > (14) eap: Expiring EAP session with state 0x211f359d22552ca2
> > (14) eap: Finished EAP session with state 0x211f359d22552ca2
> > (14) eap: Previous EAP request found for state 0x211f359d22552ca2, released from the list
> > (14) eap: Peer sent packet with method EAP PEAP (25)
> > (14) eap: Calling submodule eap_peap to process data
> > (14) eap_peap: Continuing EAP-TLS
> > (14) eap_peap: Peer indicated complete TLS record size will be 7 bytes
> > (14) eap_peap: Got complete TLS record (7 bytes)
> > (14) eap_peap: [eaptls verify] = length included
> > (14) eap_peap: <<< recv TLS 1.2 [length 0002]
> > (14) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
> > (14) eap_peap: TLS_accept: Need to read more data: error
> > (14) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
> > (14) eap_peap: In SSL Handshake Phase
> > (14) eap_peap: In SSL Accept mode
> > (14) eap_peap: SSL Application Data
> > (14) eap_peap: ERROR: TLS failed during operation
> > (14) eap_peap: ERROR: [eaptls process] = fail
> > (14) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
> > (14) eap: Sending EAP Failure (code 4) ID 74 length 4
> > (14) eap: Failed in EAP select
> > (14) [eap] = invalid
> > (14) } # authenticate = invalid
> > (14) Failed to authenticate the user
> > (14) Using Post-Auth-Type Reject
>
> WinXP and Win7 clients both seem to fail during the handshake phase; linux
> didn't. From the successful linux logs I can find:
> > eap_peap: Peer indicated complete TLS record size will be 126
>
> but reading winxp logs I can see:
> > eap_peap: Peer indicated complete TLS record size will be 77 bytes
>
> and win7:
> > eap_peap: Peer indicated complete TLS record size will be 7 bytes
>
>
> 77 or 7 bytes doesn't seem to me to be enough for a TLS record size, is it?
> Is that the problem?
>
> Anyway, can anyone please help me find why the win{xp,7} clients can't
> communicate using EAP-TLS?
>
> Best regards
>
> Piviul
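The record sizes Piviul asks about line up with the debug lines: 7 bytes is the 5-byte TLS record header plus the 2-byte alert body ("recv TLS 1.2 [length 0002]"), and 77 bytes is the header plus the 72-byte (0x0048) ClientHello that XP sent. The decoder below is an added example for this thread, not code from FreeRADIUS, Samba or Piviul: it splits a record into header and payload, decodes an alert's level and description, and reads the version and cipher suites a ClientHello offers. The two sample records are constructed by hand to match the shapes in the logs (a fatal unknown_ca alert, and a short legacy-style ClientHello with three cipher suites and no extensions); they are not captures from the poster's network, and the alert and cipher-suite name tables are small subsets of the RFC 5246 / IANA registries.

```python
"""Decode the TLS records that FreeRADIUS's eap_peap debug output reports.

Added example for this thread; not FreeRADIUS or Samba code. The sample
records are constructed by hand to resemble what the logs describe.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the RFC 5246 section 7.2 alert descriptions; others print as numbers.
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
                      46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}
# Subset of IANA cipher-suite names, enough for the constructed sample; others print as hex.
CIPHER_SUITE_NAMES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                      0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                      0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}


def parse_record(data):
    """Split one TLS record into its 5-byte header and payload.
    Raises ValueError when fewer bytes are present than the header announces."""
    if len(data) < 5:
        raise ValueError("record header needs 5 bytes, got %d" % len(data))
    content_type, version, length = struct.unpack("!BHH", data[:5])
    if len(data) < 5 + length:
        raise ValueError("record announces %d payload bytes, only %d present" % (length, len(data) - 5))
    return {"content_type": CONTENT_TYPES.get(content_type, "unknown(%d)" % content_type),
            "version": VERSIONS.get(version, "unknown(0x%04x)" % version),
            "length": length,
            "payload": data[5:5 + length]}


def decode_alert(payload):
    """An alert body is exactly two bytes: level and description."""
    if len(payload) != 2:
        raise ValueError("alert payload must be exactly 2 bytes")
    level, desc = payload
    return {"level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
            "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc)}


def decode_client_hello(payload):
    """Decode the fixed part of a ClientHello (RFC 5246 section 7.4.1.2): the
    version the client offers, its cipher suites and its compression methods."""
    if len(payload) < 4 or payload[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("handshake message truncated")
    pos = 0
    client_version = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    pos += 32                                   # 32-byte client random
    sid_len = body[pos]; pos += 1 + sid_len     # session id (skipped)
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1
    comp = list(body[pos:pos + comp_len]); pos += comp_len
    return {"client_version": VERSIONS.get(client_version, "unknown(0x%04x)" % client_version),
            "cipher_suites": [CIPHER_SUITE_NAMES.get(s, "0x%04x" % s) for s in suites],
            "compression_methods": comp,
            "has_extensions": pos < len(body)}


def explain(data):
    """One-line summary of a record, in the spirit of the eap_peap debug lines."""
    rec = parse_record(data)
    total = 5 + rec["length"]
    if rec["content_type"] == "alert":
        a = decode_alert(rec["payload"])
        return "%d-byte %s alert record: %s %s" % (total, rec["version"], a["level"], a["description"])
    if rec["content_type"] == "handshake" and rec["payload"][:1] == b"\x01":
        ch = decode_client_hello(rec["payload"])
        return "%d-byte ClientHello offering %s with %d cipher suites: %s" % (
            total, ch["client_version"], len(ch["cipher_suites"]), ", ".join(ch["cipher_suites"]))
    return "%d-byte %s record (%s)" % (total, rec["content_type"], rec["version"])


def build_client_hello(client_version, suites):
    """Construct a minimal ClientHello record (zeroed random, empty session id,
    null compression, no extensions) for demonstration only."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs


# Constructed: a 7-byte "TLS Alert read:fatal:unknown CA" record as it appears on the wire.
SAMPLE_UNKNOWN_CA_ALERT = bytes.fromhex("15 03 03 00 02 02 30")
# Constructed: a short legacy-style ClientHello offering TLS 1.0 and three old cipher suites.
SAMPLE_LEGACY_CLIENT_HELLO = build_client_hello(0x0301, [0x0004, 0x0005, 0x000A])

if __name__ == "__main__":
    print(explain(SAMPLE_UNKNOWN_CA_ALERT))
    print(explain(SAMPLE_LEGACY_CLIENT_HELLO))
```

So a 7-byte record is a complete TLS message: the Win7 client is telling the server it does not trust the CA that issued the server certificate, which points at the client's trust store rather than at the record size. A ClientHello is short when it offers few cipher suites and no extensions; decoding the offered version and suites is the quickest way to see why the server ends up logging "no shared cipher".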