Alrighty, I've been hitting my head on the wall because of this for a couple of days, and
I still haven't figured anything out, so maybe someone else has some information. I
apologize for this long message ahead of time ;)
The setup: We have a Win2k domain (MNU.EDU) with all of our users. Windows clients
(laptops in this case) use Win2K DCs for login to the domain. We also have an
OpenLDAP server that has the same user accounts in it, and usernames and passwords are
synchronized between the two.
Now, on top of all this, I've got a bunch of Cisco APs and a freeradius server.
LEAP and PEAP are our preferred methods of authenticating at this point. Freeradius
is set up to authenticate wireless users against the OpenLDAP server.
On to the problem: I have a couple of laptops here. One with Intel Centrino wireless,
one with an Atheros a/b miniPCI (both built into the laptop). Both laptops have a user
account "matt" on them, with the same password as is in our AD controllers and in
OpenLDAP. Both laptops are patched with the same patches from MS (SP1 + Criticals)
and have the same configuration for wireless and basically everything else.
On both laptops, if I log in locally, everything is fine, peap goes off, and
they're authenticated to the network.
On the Centrino laptop, logging into the domain, wireless also comes up.
However, on the laptop with the Atheros card in it, when logging into the domain rather
than locally to the laptop, I get this when running with -X:
rad_recv: Access-Request packet from host 10.194.210.255:2046, id=64, length=261
User-Name = "MNU.EDU\\matt"
Cisco-AVPair = "ssid=mnu.edu"
NAS-IP-Address = 10.194.210.255
Called-Station-Id = "00409658876f"
Calling-Station-Id = "00022d59f0fd"
NAS-Identifier = "Cisco-AP350-255"
NAS-Port = 37
Framed-MTU = 1400
State = 0x5f59aa6719deb2ced82c8ed183351946
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x0233005...blah
Message-Authenticator = 0xbd39fb...blah
...
rlm_ldap: performing search in dc=mnu,dc=edu, with filter (uid=matt)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 0x480A0..blah & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 0xC0793..blah & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user matt authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 101
modcall: group authorize returns updated for request 101
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 101
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.
rlm_eap_peap: EAP type 26
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x023300...blah
PEAP: Adding old state with 5f bb
PEAP: Sending tunneled request
EAP-Message = 0x023300...blah
Freeradius-Proxied-To = 127.0.0.1
User-Name = "MNU.EDU\\matt"
State = 0x5fbb...blah
modcall: entering group authorize for request 101
...
(same LDAP as above)
...
modcall: group authorize returns updated for request 101
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 101
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - mschapv2
rlm_eap: processing type mschapv2
modcall: entering group Auth-Type for request 101
rlm_mschap: Found LM-Password
rlm_mschap: Found NT-Password
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 101
modcall: group Auth-Type returns reject for request 101
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 101
modcall: group authenticate returns reject for request 101
auth: Failed to validate the user.
Login incorrect: [matt/<no User-Password attribute>] (from client localhost port 0)
...
I am using "with_ntdomain_hack = yes" in my configuration. This is really confusing
me as it works on one machine but not another. I'm 99.9% sure this isn't a freeradius
issue per se, but I'm hoping someone can at least point me in the right direction
(maybe radius needs a different configuration from what I have for domain logins?)
Thanks for any light you can shed on this.
-Matt
MNU Network Administrator
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
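Added worked example (not part of the original post, and not FreeRADIUS code): the step in MS-CHAPv2 that `with_ntdomain_hack` affects. RFC 2759 section 8.2 derives an 8-byte Challenge as the first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName), and the same RFC notes that only the user name, excluding any prepended domain, is used there. The 24-byte MS-CHAP2-Response is then DES over that 8-byte Challenge keyed from the NT hash, so if the server hashes the name in one form and the client used the other, the response can never verify and rlm_mschap reports exactly "MS-CHAP2-Response is incorrect". The script below computes the Challenge for both name forms seen in the post ("MNU.EDU\matt" as sent, and "matt" as the hack strips it). The two 16-byte challenges are constructed placeholders, since the post does not show them; the RFC 2759 test vector (user "User") is included as a self-check. Which form the Atheros client actually used is not established by the post; this only shows why the two forms cannot both verify.

```python
import hashlib

# Constructed sample challenges (not from the post, which does not show them).
PEER_CHALLENGE = bytes(range(16))        # 16 bytes chosen by the client
AUTH_CHALLENGE = bytes(range(16, 32))    # 16 bytes chosen by the RADIUS server


def strip_nt_domain(user_name: str) -> str:
    """Mimic what with_ntdomain_hack does: drop a leading 'DOMAIN\\' prefix.

    'MNU.EDU\\matt' -> 'matt'; a name without a backslash is returned unchanged.
    """
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash().

    Challenge = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
    The user name goes in as raw octets (ASCII here).
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def candidate_challenges(user_name: str, peer_challenge: bytes, auth_challenge: bytes) -> dict:
    """Return the 8-byte Challenge a verifier would derive for both name forms.

    'as-sent' is what you get if the User-Name attribute is hashed verbatim;
    'domain-stripped' is what with_ntdomain_hack makes the server use.  Only
    one of these can match what the client fed into its DES response.
    """
    return {
        "as-sent": challenge_hash(peer_challenge, auth_challenge, user_name),
        "domain-stripped": challenge_hash(
            peer_challenge, auth_challenge, strip_nt_domain(user_name)
        ),
    }


def rfc2759_vector_ok() -> bool:
    """Self-check against the ChallengeHash() test vector in RFC 2759 section 9.2."""
    peer = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    auth = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    return challenge_hash(peer, auth, "User") == bytes.fromhex("D02E4386BCE91226")


if __name__ == "__main__":
    print("RFC 2759 vector OK:", rfc2759_vector_ok())
    # The User-Name form from the post's Access-Request.
    for form, chal in candidate_challenges("MNU.EDU\\matt", PEER_CHALLENGE, AUTH_CHALLENGE).items():
        print(f"{form:16s} {chal.hex()}")
```

Usage note: with the RFC vector passing, the two printed lines differ, which is the whole point. A practitioner debugging the post's failure would want to confirm, with the real challenges from a packet capture plus the LDAP NT hash, which of the two derived challenges reproduces the client's 24-byte NT-Response; that final DES step is not included here.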