Hello, I'm trying to get 802.1x authentication going using PEAP/MS-CHAPv2 but can't quite get it going (I think I'm pretty close though), so I'm hoping someone here can take a look at my debug output below and perhaps offer some helpful advice. Here's the specifics: Ubuntu 7.10, freeRADIUS 1.1.7, Samba 3.0. Note that there are calls to a freeNAC perl module called check_mac that performs mac-auth-bypass vlan assignment for non-802.1x compliant devices.
I've followed the freeNAC instructions and tried some slight variations that I've found posted elsewhere but still not getting it. I've gotten to the point where I can issue the ntlm_auth command "manually" and authenticate to AD, so Samba, Winbind, and Kerberos seem to be OK. When I attempt to get freeRADIUS to do the ntlm_auth for me as described in the freeNAC docs and other web resources like deployingradius.com and the freeradius wiki, I keep getting logon failures. See attached radius debug output below. I'm just attaching the last part of the debug because for one it's quite large and two, it seems to be going well up to a certain point. My EAP-TLS tunnel appears to be getting set up fine but it just acts as if my password is wrong. I'm using a Windows XP SP2 client with a recent PEAP patch added and have tried entering username/password/domain both manually and automatically. I am not validating the server cert at this point. Following is the end of the radius debug:

. . .
rad_recv: Access-Request packet from host 111.111.28.101:1645, id=245, length=264
        User-Name = "SANDIA\\mgmitch"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-05-74-43-BD-3F"
        Calling-Station-Id = "00-0A-E4-23-CD-16"
        EAP-Message = 0x020800601900170301005590558ffa6f1d6b8a4bad64a0b8958aa4c140f2c145163dc92ee5b73ae341713f0466627a1454f0ad3f787b9ab756c8e07050b693f28f17f721c200525f544119a36d2d30e31ae5db2f44f8636bdc03c4f71a422436
        Message-Authenticator = 0xb7b52cd2660e4b2695c96dc035368275
        Cisco-NAS-Port = "GigabitEthernet1/4"
        NAS-Port = 50104
        NAS-Port-Type = Ethernet
        State = 0x5a5253d83424d1e321022fa6ebfd1ece
        NAS-IP-Address = 111.111.28.101
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
perl_pool: item 0x8062e8a0 asigned new request. Handled so far: 3
found interpetator at address 0x8062e8a0
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x8062e8a0
  modcall[authorize]: module "check_mac" returns ok for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "SANDIA\mgmitch", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 8 length 96
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
modcall: leaving group authorize (returns updated) for request 6
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x020800491a020800443191a4d2d65459406cb3e67baa8f903a120000000000000000fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf550053414e4449415c6d676d69746368
  PEAP: Setting User-Name to SANDIA\mgmitch
  PEAP: Adding old state with 56 ed
  PEAP: Sending tunneled request
        EAP-Message = 0x020800491a020800443191a4d2d65459406cb3e67baa8f903a120000000000000000fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf550053414e4449415c6d676d69746368
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "SANDIA\\mgmitch"
        State = 0x56ed3aacd660b70c9a6a4fde3b0858f9
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
perl_pool: item 0x809a4090 asigned new request. Handled so far: 3
found interpetator at address 0x809a4090
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x809a4090
  modcall[authorize]: module "check_mac" returns ok for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "SANDIA\mgmitch", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 8 length 73
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
modcall: leaving group authorize (returns updated) for request 6
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
  rlm_mschap: No User-Password configured. Cannot create LM-Password.
  rlm_mschap: No User-Password configured. Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for mgmitch with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: '--username=mgmitch'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
radius_xlat: '--domain=SANDIA'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
 mschap2: 8c
radius_xlat: '--challenge=3f6d14e36675d931'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '--nt-response=fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf55'
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
  PEAP: Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Processing from tunneled session code 0x80674b80 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 245 to 111.111.28.101 port 1645
        EAP-Message = 0x010900261900170301001b05fb2b4d0b7732c23c08f5b0c933d75f9c6e7c894c6f5eb0b85242
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x975785863b043e267c2ca1d79c291dde
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 111.111.28.101:1645, id=246, length=206
        User-Name = "SANDIA\\mgmitch"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-05-74-43-BD-3F"
        Calling-Station-Id = "00-0A-E4-23-CD-16"
        EAP-Message = 0x020900261900170301001be11c8a187a3a255b0ded0e8a021d224bce90335e6c02dac30ab5e8
        Message-Authenticator = 0xa2889de2b2358293a5d30fd95541b61b
        Cisco-NAS-Port = "GigabitEthernet1/4"
        NAS-Port = 50104
        NAS-Port-Type = Ethernet
        State = 0x975785863b043e267c2ca1d79c291dde
        NAS-IP-Address = 111.111.28.101
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
perl_pool: item 0x8012eae0 asigned new request. Handled so far: 4
found interpetator at address 0x8012eae0
perl_pool total/active/spare [3/0/3]
Unreserve perl at address 0x8012eae0
  modcall[authorize]: module "check_mac" returns ok for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "SANDIA\mgmitch", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
modcall: leaving group authorize (returns updated) for request 7
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 246 to 111.111.28.101 port 1645
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3 seconds...
If anyone can help shed light on this, I would sure appreciate it. Thanks, Mark
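As an added example, not part of Mark's post and not FreeRADIUS or freeNAC code, the following Python script parses the tunneled MS-CHAPv2 Response that appears in the debug above ("PEAP: Got tunneled EAP-Message") and decodes the MS-CHAP-Error value from the tunneled reply. It shows where the values that rlm_mschap hands to ntlm_auth come from: the peer challenge, the 24-byte NT-Response and the name are all inside that EAP-Message, and the 8-byte --challenge is SHA1(peer challenge || authenticator challenge || user name)[0:8] per RFC 2759 section 8.2, where the user name is used without any prepended domain. That is the behaviour the FreeRADIUS mschap option with_ntdomain_hack exists for: if the server hashes "SANDIA\mgmitch" while the client hashed "mgmitch", the derived challenge differs and every response is rejected even with a correct password. The 16-byte authenticator challenge was sent in an earlier request that is not in the excerpt, so a constructed placeholder is used for it; the error-code names are the ones listed in RFC 2759 section 6.

```python
"""Decode the MS-CHAPv2 material from a FreeRADIUS PEAP debug trace (added example, not project code)."""
import hashlib
import re
import struct
from dataclasses import dataclass

# Tunneled EAP-Message copied from the debug output (request 6, "PEAP: Got tunneled EAP-Message").
TUNNELED_EAP_MESSAGE = bytes.fromhex(
    "020800491a020800443191a4d2d65459406cb3e67baa8f903a12"   # EAP + MS-CHAPv2 headers, peer challenge
    "0000000000000000"                                       # reserved (must be zero)
    "fde26c946d2f343603ffe6e34f2ad40987f990c82eeecf55"       # NT-Response (24 bytes)
    "0053414e4449415c6d676d69746368"                         # flags, then name "SANDIA\\mgmitch"
)
# MS-CHAP-Error value from the tunneled reply; the debug printed its ident byte 0x08 as "\010".
MSCHAP_ERROR_ATTR = b"\x08E=691 R=1"

EAP_CODE_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26          # 0x1a
MSCHAPV2_OPCODE_RESPONSE = 2
MSCHAPV2_RESPONSE_VALUE_SIZE = 49  # 16 peer challenge + 8 reserved + 24 NT-Response + 1 flags

# "E=" codes defined in RFC 2759 section 6.
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


@dataclass
class MsChapV2Response:
    eap_id: int
    peer_challenge: bytes
    nt_response: bytes
    flags: int
    name: str  # exactly as the peer sent it, possibly "DOMAIN\\user"


def parse_mschapv2_response(eap_message: bytes) -> MsChapV2Response:
    """Parse an EAP-Response/MS-CHAPv2 Response packet (RFC 3748 framing around RFC 2759)."""
    if len(eap_message) < 10:
        raise ValueError("EAP message too short")
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap_message[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP-Response carrying MS-CHAPv2")
    if eap_len != len(eap_message):
        raise ValueError("EAP length field does not match message length")
    opcode, _ms_id, ms_len, value_size = struct.unpack("!BBHB", eap_message[5:10])
    if opcode != MSCHAPV2_OPCODE_RESPONSE:
        raise ValueError("not an MS-CHAPv2 Response opcode")
    if ms_len != eap_len - 5 or value_size != MSCHAPV2_RESPONSE_VALUE_SIZE:
        raise ValueError("malformed MS-CHAPv2 Response")
    value = eap_message[10:10 + value_size]
    if value[16:24] != bytes(8):
        raise ValueError("reserved field is not zero")
    name = eap_message[10 + value_size:].decode("ascii")
    return MsChapV2Response(eap_id, value[0:16], value[24:48], value[48], name)


def strip_nt_domain(name: str) -> str:
    """Bare user name from "DOMAIN\\user"; the same normalisation with_ntdomain_hack applies."""
    return name.rsplit("\\", 1)[-1]


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: the 8-byte value ntlm_auth receives as --challenge."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("challenges must be 16 bytes")
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode()).digest()[:8]


def parse_mschap_error(attr: bytes):
    """Decode an MS-CHAP-Error value: <ident byte> "E=<code> R=<retry>..." (RFC 2759 section 6)."""
    ident = attr[0]
    m = re.match(rb"E=(\d+) R=([01])", attr[1:])
    if not m:
        raise ValueError("unrecognised MS-CHAP-Error format")
    code = int(m.group(1))
    return ident, code, MSCHAP_ERROR_CODES.get(code, "UNKNOWN"), m.group(2) == b"1"


if __name__ == "__main__":
    resp = parse_mschapv2_response(TUNNELED_EAP_MESSAGE)
    print(f"EAP id {resp.eap_id}, name as sent by client: {resp.name!r}")
    print("peer challenge:", resp.peer_challenge.hex())
    print("NT-Response:   ", resp.nt_response.hex())
    # Constructed placeholder: the real authenticator challenge is in a request outside the excerpt.
    auth_challenge = bytes(range(16))
    for uname in (resp.name, strip_nt_domain(resp.name)):
        h = challenge_hash(resp.peer_challenge, auth_challenge, uname)
        print(f"--challenge derived with user name {uname!r}: {h.hex()}")
    ident, code, label, retry = parse_mschap_error(MSCHAP_ERROR_ATTR)
    print(f"MS-CHAP-Error ident={ident} code={code} ({label}) retry_allowed={retry}")
```

Running it prints the two different 8-byte challenges for "SANDIA\mgmitch" and "mgmitch", which is the quickest way to see why the domain-stripping setting matters when the NT-Response ntlm_auth is asked to verify was computed by the client against the bare name.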
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html