hi everybody!
I am trying to make a secure wireless access using PEAP, but I have a
problem during authentication.
I had successfully configured the TLS module, and it seems to work fine.
But when I try to authenticate with a Windows supplicant using
mschapv2, there is a problem.
I read in the file eap.conf:
#
# This module is the *Microsoft* implementation of MS-CHAPv2
# in EAP. There is another (incompatible) implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
# currently support.
#
When will FreeRADIUS support this "incompatible" implementation of
MS-CHAPv2?
Is this incompatible implementation of MS-CHAPv2 in EAP by Cisco my
problem?
What can I do?
bash-2.05# radiusd -v
radiusd: FreeRADIUS Version 1.0.1, for host , built on Jan 13 2005 at 12:25:42
Copyright (C) 2000-2003 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Radius logs
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/filer/PKI/radius/radius_wireless_privatekey.pem"
tls: certificate_file = "/filer/PKI/signed_requests/radius_wireless_cert.pem"
tls: CA_file = "/filer/PKI/ca_cert.pem"
tls: private_key_password = "xxxxxxx"
tls: dh_file = "/filer/PKI/radius/dh"
tls: random_file = "/filer/PKI/radius/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "%{User-Name}"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "tls"
peap: copy_request_to_tunnel = yes
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.190.0.5:21646, id=43, length=128
User-Name = "test"
Framed-MTU = 1400
Called-Station-Id = "0040.96a0.7fb7"
Calling-Station-Id = "000d.ed26.469e"
Service-Type = Login-User
Message-Authenticator = 0x46e6b94921874309aae57cf2886507eb
EAP-Message = 0x020200090174657374
NAS-Port-Type = Wireless-802.11
NAS-Port = 2954
NAS-IP-Address = 10.190.0.5
NAS-Identifier = "Aironet01"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 152
users: Matched test at 226
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 43 to 10.190.0.5:21646
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8ecc16a56d3b8e32dda565e54110087d
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.190.0.5:21646, id=44, length=217
User-Name = "test"
Framed-MTU = 1400
Called-Station-Id = "0040.96a0.7fb7"
Calling-Station-Id = "000d.ed26.469e"
Service-Type = Login-User
Message-Authenticator = 0xeae41b402959ca6ecdfdcb9c05bfd46f
EAP-Message = 0x0203005019800000004616030100410100003d030141e66b6185303e3e8f622652fd06b51165ee228e57af1a5bb6dbaac7873f3f9800001600040005000a000900640062000300060013001200630100
NAS-Port-Type = Wireless-802.11
NAS-Port = 2954
State = 0x8ecc16a56d3b8e32dda565e54110087d
NAS-IP-Address = 10.190.0.5
NAS-Identifier = "Aironet01"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 3 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched DEFAULT at 152
users: Matched test at 226
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 04d5], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 44 to 10.190.0.5:21646
EAP-Message =
EAP-Message =
EAP-Message = 0x8fa49f640bc703905032174d12260bb7a9f1a0d9d102a5957199462d85f33612a505dac70203010001a310300e300c0603551d13040530030101ff300d06092a864886f70d010104050003818100b72c220657d6cae5c0e7224bd279bda8680c43df3754bbd7600f25eeb2103e29a9531c579336ae9bb90d96cd888b9dfcae96ba3a617a054bce47a40b5e1a53bf5844b0e4ed13cd312440e9b756b2d66f991ea39178a0dedc15f14bc324442300a027ba6596eb6e5ac56155ecfbfcbc8ed5eb00048a9e98d42a5d56e9128594ca00026830820264308201cda003020102020100300d06092a864886f70d0101040500306f3121301f06035504031418
EAP-Message =
EAP-Message = 0x864886f70d010101050003818d0030818902818100e6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x43715d9ec0c501ba5ad3483f32dd4bff
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.190.0.5:21646, id=45, length=143
User-Name = "test"
Framed-MTU = 1400
Called-Station-Id = "0040.96a0.7fb7"
Calling-Station-Id = "000d.ed26.469e"
Service-Type = Login-User
Message-Authenticator = 0x5defb592a317db0ec1a716edd7f608fd
EAP-Message = 0x020400061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 2954
State = 0x43715d9ec0c501ba5ad3483f32dd4bff
NAS-IP-Address = 10.190.0.5
NAS-Identifier = "Aironet01"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched DEFAULT at 152
users: Matched test at 226
modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 45 to 10.190.0.5:21646
EAP-Message =
EAP-Message = 0xe801aae84a17706de83fa8330decfcffff7f968a20bcade00ba54d43cb239db5cf2cfc874f552721d1733962c8a5c7355a6316030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x997ac151c97d32ab5f706983b0ee76f8
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.190.0.5:21646, id=46, length=329
User-Name = "test"
Framed-MTU = 1400
Called-Station-Id = "0040.96a0.7fb7"
Calling-Station-Id = "000d.ed26.469e"
Service-Type = Login-User
Message-Authenticator = 0xf5b23e042ec31634ce44908b7c02ec13
EAP-Message = 0x020500c01980000000b616030100861000008200806359a580f75fbcbca98157acb4c5099a56719034db3e59101a3b112533c6b4809159f49b76cf543248fefea10bf1ca062d453b501ddc75cf2e3daadf712ade0e1e5b24080c08467086ffe9f73332ac574d54dfdfc6680ff04f712c8102dbf403a2ca551e7291748aa54f60da64a9d1950051c3f9b28128d6fcfe9a7edb152b0f1403010001011603010020ee3a9afc72bb33eb19182f5ad9ba839051c50014a2f2e581abc65aabaab8ef3c
NAS-Port-Type = Wireless-802.11
NAS-Port = 2954
State = 0x997ac151c97d32ab5f706983b0ee76f8
NAS-IP-Address = 10.190.0.5
NAS-Identifier = "Aironet01"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 5 length 192
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched DEFAULT at 152
users: Matched test at 226
modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 46 to 10.190.0.5:21646
EAP-Message = 0x01060031190014030100010116030100201be33eeaf2cc343494a02f9e6febcbf093d59c69c28c6900e6001e8ca404a1dc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3c788dad52913aeacf2028373ac9e6bf
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.190.0.5:21646, id=47, length=170
User-Name = "test"
Framed-MTU = 1400
Called-Station-Id = "0040.96a0.7fb7"
Calling-Station-Id = "000d.ed26.469e"
Service-Type = Login-User
Message-Authenticator = 0xe3db94ef3616ad5798bedd891edab7f8
EAP-Message = 0x020600211980000000171503010012b7f0f5ab498e65d76b114b222c4596d1a59a
NAS-Port-Type = Wireless-802.11
NAS-Port = 2954
State = 0x3c788dad52913aeacf2028373ac9e6bf
NAS-IP-Address = 10.190.0.5
NAS-Identifier = "Aironet01"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 6 length 33
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched DEFAULT at 152
users: Matched test at 226
modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Login incorrect: [test/<no User-Password attribute>] (from client ap port 2954 cli 000d.ed26.469e)
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--
#####################################
Alfonso Lazaro Tellez <[EMAIL PROTECTED]>
c\Ribera del Sena s/n Tfono: 912020000
Edificio APOT
Campo de las Naciones (Madrid)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
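An added triage helper, written for this page and not part of the original post or of FreeRADIUS itself: it walks the milestone lines of a `radiusd -X` trace like the one above and reports how far the PEAP conversation got and which side ended it. It relies on one OpenSSL convention that FreeRADIUS passes through in its debug output: "TLS Alert read:" is an alert the server received from the supplicant, "TLS Alert write:" is one the server sent. `SAMPLE_LOG` is a constructed excerpt of the lines quoted in the post; the `PeapTrace` fields, `parse_trace` and `triage` are this example's own names, and the `supplicant_inner` parameter is an assumption taken from the post's statement that the Windows client uses mschapv2.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed excerpt of the radiusd -X output quoted in the post; only the
# lines the triage looks at are kept, everything else is ignored by the parser.
SAMPLE_LOG = """\
eap: default_eap_type = "peap"
peap: default_eap_type = "tls"
rlm_eap: Loaded and initialized type mschapv2
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
rlm_eap_tls: >>> TLS 1.0 Handshake [length 04d5], Certificate
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
(other): SSL negotiation finished successfully
SSL Connection Established
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
rlm_eap: Handler failed in EAP/peap
Login incorrect: [test/<no User-Password attribute>] (from client ap port 2954 cli 000d.ed26.469e)
"""

EAP_TYPE_RE = re.compile(r'^(eap|peap): default_eap_type = "([^"]+)"')
# OpenSSL info-callback wording: "read" = alert received from the peer (the
# supplicant), "write" = alert sent by radiusd itself.
ALERT_RE = re.compile(r"^TLS Alert (read|write):(\w+):(.+)$")
LOGIN_RE = re.compile(r"^Login (incorrect|OK)\b")


@dataclass
class PeapTrace:
    outer_type: Optional[str] = None          # eap: default_eap_type
    inner_type: Optional[str] = None          # peap: default_eap_type, offered inside the tunnel
    handshake_done: bool = False              # "SSL Connection Established" seen
    tunnel_entered: bool = False              # PEAP started decoding tunneled attributes
    tunnel_empty: bool = False                # "No data inside of the tunnel." seen
    alert_from_client: Optional[str] = None   # TLS alert radiusd read from the supplicant
    alert_from_server: Optional[str] = None   # TLS alert radiusd wrote to the supplicant
    result: str = "unknown"                   # accept / reject / unknown

    def verdict(self) -> str:
        if not self.handshake_done:
            return "outer TLS handshake did not complete"
        if self.alert_from_client and self.tunnel_empty:
            return ("outer TLS handshake completed, then the supplicant aborted with "
                    f"alert '{self.alert_from_client}' before sending any inner EAP data")
        if self.alert_from_server:
            return f"radiusd aborted the TLS session with alert '{self.alert_from_server}'"
        if self.tunnel_entered:
            return f"inner EAP method ({self.inner_type}) was reached; result: {self.result}"
        return "outer TLS handshake completed; conversation still in progress or log truncated"


def parse_trace(lines: Iterable[str]) -> PeapTrace:
    """Walk debug lines in order and record the PEAP/TLS milestones they report."""
    t = PeapTrace()
    for raw in lines:
        line = raw.strip()
        if line == "SSL Connection Established":
            t.handshake_done = True
        elif line.endswith("Session established. Decoding tunneled attributes."):
            t.tunnel_entered = True
        elif line.endswith("No data inside of the tunnel."):
            t.tunnel_empty = True
        elif (m := EAP_TYPE_RE.match(line)):
            if m.group(1) == "eap":
                t.outer_type = m.group(2)
            else:
                t.inner_type = m.group(2)
        elif (m := ALERT_RE.match(line)):
            direction, level, desc = m.groups()
            text = f"{level} {desc.strip()}"
            if direction == "read":
                t.alert_from_client = text
            else:
                t.alert_from_server = text
        elif (m := LOGIN_RE.match(line)):
            t.result = "reject" if m.group(1) == "incorrect" else "accept"
    return t


def triage(log_text: str, supplicant_inner: str = "mschapv2") -> dict:
    """Return the verdict plus configuration notes for one debug trace.

    supplicant_inner is the inner method the client is set up for (assumed to be
    mschapv2, as the post says); the note fires when the server's PEAP
    default_eap_type offers a different method inside the tunnel.
    """
    trace = parse_trace(log_text.splitlines())
    notes = []
    if trace.inner_type and trace.inner_type != supplicant_inner:
        notes.append(f"peap default_eap_type is '{trace.inner_type}' but the supplicant "
                     f"expects '{supplicant_inner}' inside the tunnel")
    return {"verdict": trace.verdict(), "notes": notes, "trace": trace}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("verdict:", report["verdict"])
    for note in report["notes"]:
        print("note:   ", note)
```

Run against the trace in the post, the helper reports that the server logged "SSL Connection Established" and then read a fatal access_denied alert from the supplicant with no inner data following it, so whichever inner method the server would have offered (the config shows `peap: default_eap_type = "tls"`) was never reached. The configuration note is informational only; the verdict is what a responder should act on first, because it places the failure on the client side of the outer TLS handshake rather than inside the tunnel.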