Mitchell, Mark wrote:
> I'm trying to get 802.1x authentication going using PEAP/MS-CHAPv2 but
> can't quite get it going (I think I'm pretty close though) so I'm hoping
> someone here can take a look at my debug output below and perhaps offer
> some helpful advice. Here's the specifics: Ubuntu 7.10, freeRADIUS
> 1.1.7, Samba 3.0.

I would suggest using v2.0.3, which is much simpler and more flexible.
It also has built-in VMPS support, which means there's less need for
perl "glue".

> Note that there are calls to a freeNAC perl module
> called check_mac that performs mac-auth-bypass vlan assignment for
> non-802.1x compliant devices.

Ah. If you're using freenac, that might explain it.

> I've followed the freeNAC instructions and tried some slight variations
> that I've found posted elsewhere but still not getting it.

Quite frankly, don't use third-party instructions. They're almost always
wrong. The documentation in FreeRADIUS is more up to date, and correct.

> I've gotten
> to the point where I can issue the ntlm_auth command "manually" and
> authenticate to AD so Samba, Winbind, and Kerberos seem to be OK. When I
> attempt to get freeRADIUS to do the ntlm_auth for me as described in the
> freeNAC docs and other web resources like deployingradius.com and the
> freeradius wiki, I keep getting logon failures. See attached radius
> debug output below.

Running the ntlm_auth command manually means you're giving it clear-text
passwords. Running it from FreeRADIUS means it's being given MS-CHAP
hashes. The two are different, and add additional complexity.

> I'm just attaching the last part of the debug
> because for one it's quite large and two, it seems to be going well up
> to a certain point. My EAP-TLS tunnel appears to be getting set up fine
> but it just acts as if my password is wrong.

I would suggest not using EAP until you have the MS-CHAP stuff working.
See src/tests/mschapv1 for a "known working" MS-CHAP sample. You can do:

$ radclient -f src/tests/mschapv1 -xx localhost auth testing123

Of course, you'll have to add user "bob" with password "bob" to Active
Directory. But you should be able to test MS-CHAP with a known working
sample.

...

> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)

There isn't much else that FreeRADIUS can do at this point.
If the domain is returning failure, that means failure.

You could also try putting the cleartext-password for the user into the
"users" file. That would tell you if (maybe) the client is broken, and
isn't doing MS-CHAP properly. i.e.

(1) test PEAP with local user && password
(2) test MS-CHAP with bob/bob against ntlm_auth

If both work, then the problem is something complicated somewhere in
between ntlm_auth, winbind, or Active Directory. And that's pretty hard
to track down, to be frank. Active Directory isn't very good about
telling even an admin *why* something went wrong.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
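A small triage helper for the failure mode discussed in this thread, added here as an example; it is not code from the thread, from freeNAC or from FreeRADIUS. It scans radiusd -X debug output for the lines where FreeRADIUS echoes the ntlm_auth child's result, decodes the NTSTATUS value (only 0xc000006d appears in the thread; the other codes in the table are standard Windows values), and maps the outcome to the isolation steps Alan lists: MS-CHAP without EAP via radclient, then PEAP against a Cleartext-Password entry in the users file. The sample transcripts, the "Exec-Program output:" line format for the success case and the rlm_mschap lines are constructed for the example.

```python
import re

# Well-known Windows NTSTATUS values that ntlm_auth reports in its error text.
# The thread only shows 0xc000006d; the others are standard codes added here.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE: the DC rejected the credentials it was shown",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
}

# FreeRADIUS echoes the ntlm_auth child's output on lines starting "Exec-Program...";
# the "Exec-Program-Wait:" form is the one quoted in the thread, the "output" form
# for the success path is assumed here.
EXEC_RE = re.compile(r"Exec-Program[^:]*:\s*(?P<body>.*)")
NTSTATUS_RE = re.compile(r"\(0x(?P<code>[0-9a-fA-F]{8})\)")
NT_KEY_RE = re.compile(r"NT_KEY:\s*(?P<key>[0-9a-fA-F]{32})")

# Next steps, in the order the reply suggests: isolate MS-CHAP from EAP first,
# then isolate the client from ntlm_auth/winbind/AD.
NEXT_STEPS = {
    "domain_rejected": [
        "Test MS-CHAP without EAP: radclient -f src/tests/mschapv1 -xx localhost "
        "auth testing123 (user bob/bob must exist in Active Directory).",
        "Test PEAP with a Cleartext-Password entry in the users file to rule out "
        "a client that does not do MS-CHAP properly.",
        "If both pass, the fault lies between ntlm_auth, winbind and Active Directory.",
    ],
    "no_ntlm_auth": [
        "ntlm_auth was never executed; check that the mschap module is configured "
        "to call it before looking at the domain side.",
    ],
}


def classify_line(line):
    """Classify one debug line. Returns (kind, detail) or None if not an exec line."""
    m = EXEC_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    if NT_KEY_RE.search(body):
        return ("accepted", "ntlm_auth returned NT_KEY, so the domain accepted the MS-CHAP response")
    c = NTSTATUS_RE.search(body)
    if c:
        code = int(c.group("code"), 16)
        return ("rejected", NTSTATUS.get(code, "unrecognised NTSTATUS 0x%08X" % code))
    return ("other", body.strip())


def triage(debug_text):
    """Summarise a radiusd -X transcript as a verdict, the matching lines and next steps."""
    findings = [r for r in map(classify_line, debug_text.splitlines()) if r]
    kinds = {kind for kind, _ in findings}
    if "accepted" in kinds:
        verdict, steps = "accepted", []
    elif "rejected" in kinds:
        verdict, steps = "domain_rejected", NEXT_STEPS["domain_rejected"]
    else:
        verdict, steps = "no_ntlm_auth", NEXT_STEPS["no_ntlm_auth"]
    return {"verdict": verdict, "findings": findings, "next_steps": steps}


# Constructed sample transcripts. The Exec-Program-Wait line is the one quoted in
# the thread; the surrounding rlm_mschap lines and the success line are made up.
SAMPLE_FAILURE = """\
  rlm_mschap: Told to do MS-CHAPv2 for user1 with NT-Password
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"""
SAMPLE_SUCCESS = "Exec-Program output: NT_KEY: 0123456789ABCDEF0123456789ABCDEF\n"

if __name__ == "__main__":
    for name, text in (("failure", SAMPLE_FAILURE), ("success", SAMPLE_SUCCESS)):
        result = triage(text)
        print(name, "->", result["verdict"])
        for _, detail in result["findings"]:
            print("   ", detail)
        for step in result["next_steps"]:
            print("    next:", step)
```

Feed it the tail of a radiusd -X run; a "domain_rejected" verdict confirms Alan's point that FreeRADIUS has nothing more to say once the DC returns failure, and the listed steps are the ones that narrow the fault to the client, to the mschap configuration, or to the ntlm_auth/winbind/AD chain.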