Thank you to Alan and Matthias for your suggestion.  John and I went
through countless configuration iterations and debugs in the 1.0.1 baseline
and the CVS pre 1.0.2 snapshot without success.  Lastly, we were successful
when we started clean yesterday with another download of the CVS 1.0.2
snapshot and enabled the ntdomain_hack.  Our environment consists of a
Windows XP SP2 supplicant, a Cisco 1100 AP, and freeradius CVS 1.0.2
running on a Solaris 2.8 platform.  We are successfully authenticating our
supplicant using PEAP/MSCHAPv2 with WEP.  We will now begin performing
various security tests for our application requirements.   Thanks to all
who took time to try to help us.


Chris Malitsky
EnRoute Integration and Interoperability Facility
Sr. Network and Systems Engineer
609.485.7921


"Alan DeKok" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]eradius.org
02/01/2005 01:05 PM
Please respond to freeradius-users

To:       [email protected]
cc:
Subject:  Re: CVS 1.0.2 PEAP MSCHAPv2




[EMAIL PROTECTED] wrote:
> We have been unsuccessful in integrating a wireless environment utilizing a
> Windows XP SP2 supplicant, a Cisco 1100 AP, and a freeradius server running
> on Solaris 2.8.  Specifically, we have been testing the developmental
> version 1.0.2 after using the CVS snapshot suggested by Alan.

  That *should* solve MD4 related problems in 1.0.1.

> The expectation of running the developmental 1.0.2 build was to
> correct the errors we experienced.  Is there any way we can assist
> debugging this error efficiently?

  Try logging in as a simple user *without* a domain name.  If that
works, then the problem is the domain name.

  The issue is that MSCHAP depends on the "username".  For XP, it
sends "DOMAIN\username" in the User-Name attribute.  The MSCHAP module
uses the whole User-Name to calculate MSCHAP data, and decides that
the data doesn't match what you sent, so you can't log in.

>   rlm_mschap: NT Domain delimeter found, should we have enabled
> with_ntdomain_hack?

  Try this suggestion.  The rlm_mschap module has the
"with_ntdomain_hack" configuration entry for precisely this situation.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
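
Added example, not part of the original thread and not FreeRADIUS code: the RFC 2759 ChallengeHash step of MS-CHAPv2 mixes the user name into the hash, so a server that hashes the full "DOMAIN\username" value gets a different result from the client until the domain prefix is stripped. The challenge values are the RFC 2759 section 9.2 hash example; the "DOMAIN\User" User-Name, the `strip_nt_domain` helper and the assumption that the supplicant hashes the bare account name are illustrative.

```python
import hashlib

# Inputs from the RFC 2759 section 9.2 hash example (UserName "User").
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")


def challenge_hash(peer: bytes, auth: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of SHA1(peer || auth || name)."""
    return hashlib.sha1(peer + auth + user_name.encode("ascii")).digest()[:8]


def strip_nt_domain(user_name: str) -> str:
    """Hypothetical helper: keep only the part after the first backslash."""
    _domain, sep, account = user_name.partition("\\")
    return account if sep else user_name


def server_accepts(user_name_attr: str, client_hash: bytes,
                   ntdomain_hack: bool) -> bool:
    """Recompute the hash as the server would and compare with the client's."""
    name = strip_nt_domain(user_name_attr) if ntdomain_hack else user_name_attr
    return challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, name) == client_hash


def demo() -> dict:
    # Constructed User-Name attribute, in the form the thread says XP sends.
    user_name_attr = "DOMAIN\\User"
    # Assumption: the supplicant hashes the bare account name, no domain.
    client_hash = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, "User")
    return {
        "client_hash": client_hash.hex().upper(),
        "without_hack": server_accepts(user_name_attr, client_hash, False),
        "with_hack": server_accepts(user_name_attr, client_hash, True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The NT-Response is derived from this 8-octet hash, so any mismatch here makes the whole MS-CHAPv2 response fail to verify.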


