Thanks for the response, Alan, and sorry.
802.1x authentication is working via PEAP/mschap v2 and ntlm_auth utilizing
Active Directory as a backend. I'm still having problems adding local
accounts into the mix.
I've read the comments from the radiusd.conf file and I guess I still don't
get it.
I've tried this and a few other things in the users file.
test Auth-Type = Local, Password = "testing"
With this set up, radtest works. See output:
houston:/etc/raddb # radtest test testing houston 43.191.112.164 SECRET
Sending Access-Request of id 207 to 43.191.104.39:1812
User-Name = "test"
User-Password = "testing"
NAS-IP-Address = houston
NAS-Port = 43
rad_recv: Access-Accept packet from host 43.191.104.39:1812, id=207,
length=20
Authentication against the AD backend works from my clients with mschap v2.
But my local users still don't work when sent through mschap.
Any help would be appreciated,
~Brandon
Here is the debug output:
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.112.162:2604, id=53,
length=161
User-Name = "test"
Cisco-AVPair = "ssid=sdb5-3"
NAS-IP-Address = 43.191.112.162
Called-Station-Id = "00409641c15f"
Calling-Station-Id = "000d28d00217"
NAS-Identifier = "AP350-41c15f"
NAS-Port = 41
Framed-MTU = 1400
State = 0xc1b4f1f6a1eb428d51588b5a150afaf2
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x020d00061900
Message-Authenticator = 0xc75d85067706046c6b4cd5e9665f68eb
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
modcall[authorize]: module "preprocess" returns ok for request 10
modcall[authorize]: module "chap" returns noop for request 10
modcall[authorize]: module "mschap" returns noop for request 10
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 10
users: Matched test at 90
modcall[authorize]: module "files" returns ok for request 10
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 10
rlm_eap: EAP packet type response id 13 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 10
modcall: group authorize returns updated for request 10
rad_check_password: Found Auth-Type Local
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 10
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 10
modcall: group authenticate returns handled for request 10
Sending Access-Challenge of id 53 to 43.191.112.162:2604
EAP-Message =
0x010e002019001703010015476ada932e352a8179b36b2660a5302ffc14de6212
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x04f23059be33b4ad387d1e4375c7fa73
Finished request 10
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.112.162:2605, id=54,
length=187
User-Name = "test"
Cisco-AVPair = "ssid=sdb5-3"
NAS-IP-Address = 43.191.112.162
Called-Station-Id = "00409641c15f"
Calling-Station-Id = "000d28d00217"
NAS-Identifier = "AP350-41c15f"
NAS-Port = 41
Framed-MTU = 1400
State = 0x04f23059be33b4ad387d1e4375c7fa73
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x020e00201900170301001541861b8157e8d5b41373cfcd48e7814f071adc6a5e
Message-Authenticator = 0x9263ef3e7cd830fc464a1f6d14083894
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 11
modcall[authorize]: module "preprocess" returns ok for request 11
modcall[authorize]: module "chap" returns noop for request 11
modcall[authorize]: module "mschap" returns noop for request 11
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 11
users: Matched test at 90
modcall[authorize]: module "files" returns ok for request 11
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 11
rlm_eap: EAP packet type response id 14 length 32
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 11
modcall: group authorize returns updated for request 11
rad_check_password: Found Auth-Type Local
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 11
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - test
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled identity of test
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to test
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 11
modcall[authorize]: module "preprocess" returns ok for request 11
modcall[authorize]: module "chap" returns noop for request 11
modcall[authorize]: module "mschap" returns noop for request 11
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 11
users: Matched test at 90
modcall[authorize]: module "files" returns ok for request 11
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 11
rlm_eap: EAP packet type response id 14 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 11
modcall: group authorize returns updated for request 11
rad_check_password: Found Auth-Type Local
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 11
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 11
modcall: group authenticate returns handled for request 11
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 11
modcall: group authenticate returns handled for request 11
Sending Access-Challenge of id 54 to 43.191.112.162:2605
EAP-Message =
0x010f00351900170301002ac6d26be585be81cf6f350157d85f304e25d6afb778d37204f409
39ae8408de921ebffc6f3e44ddc0ebd9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdb8a2cf83f7f4b1155dd53787c199cbb
Finished request 11
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.112.162:2606, id=55,
length=241
User-Name = "test"
Cisco-AVPair = "ssid=sdb5-3"
NAS-IP-Address = 43.191.112.162
Called-Station-Id = "00409641c15f"
Calling-Station-Id = "000d28d00217"
NAS-Identifier = "AP350-41c15f"
NAS-Port = 41
Framed-MTU = 1400
State = 0xdb8a2cf83f7f4b1155dd53787c199cbb
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x020f00561900170301004b46b31e9f3feb7d7a73d6dbbfc1561734cd59b746f20ed4265443
d0ea49c6ac5939fd342521be0cc9e40adb7b06620a13a83e25a25518d332413a57faa7126c35
edb458b9df9565e888263f
Message-Authenticator = 0xa82dde033215bf05b67016366294340d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 12
modcall[authorize]: module "preprocess" returns ok for request 12
modcall[authorize]: module "chap" returns noop for request 12
modcall[authorize]: module "mschap" returns noop for request 12
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 12
users: Matched test at 90
modcall[authorize]: module "files" returns ok for request 12
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 12
rlm_eap: EAP packet type response id 15 length 86
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 12
modcall: group authorize returns updated for request 12
rad_check_password: Found Auth-Type Local
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 12
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to test
PEAP: Adding old state with af e4
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 12
modcall[authorize]: module "preprocess" returns ok for request 12
modcall[authorize]: module "chap" returns noop for request 12
modcall[authorize]: module "mschap" returns noop for request 12
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 12
users: Matched test at 90
modcall[authorize]: module "files" returns ok for request 12
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 12
rlm_eap: EAP packet type response id 15 length 63
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 12
modcall: group authorize returns updated for request 12
rad_check_password: Found Auth-Type Local
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 12
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 12
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
mschap2: f1
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --domain=AM
--username=test --challenge=4cd9c1a15948bb64
--nt-response=0f8afe37aac4a6d8c1f42aae8f2c4582f90e8f33e07877cd'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=AM
--username=test --challenge=4cd9c1a15948bb64
--nt-response=0f8afe37aac4a6d8c1f42aae8f2c4582f90e8f33e07877cd
Exec-Program output: Account locked out (0xc0000234)
Exec-Program-Wait: plaintext: Account locked out (0xc0000234)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 12
modcall: group Auth-Type returns reject for request 12
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 12
modcall: group authenticate returns reject for request 12
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 12
modcall: group authenticate returns handled for request 12
Sending Access-Challenge of id 55 to 43.191.112.162:2606
EAP-Message =
0x011000261900170301001b97673c8147c0de7d96098d4712e29d1a1a08b322be8f575bebe8
e6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7141e2f3b74cad2180b9d2c7144056fb
Finished request 12
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.112.162:2607, id=56,
length=193
User-Name = "test"
Cisco-AVPair = "ssid=sdb5-3"
NAS-IP-Address = 43.191.112.162
Called-Station-Id = "00409641c15f"
Calling-Station-Id = "000d28d00217"
NAS-Identifier = "AP350-41c15f"
NAS-Port = 41
Framed-MTU = 1400
State = 0x7141e2f3b74cad2180b9d2c7144056fb
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x021000261900170301001b978acbddb8934460bc81621b9c0f8a47c441f00c33520adf657c
97
Message-Authenticator = 0x3f00f080b19cbff1bc2cc8a8a8e2b5ea
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
modcall[authorize]: module "preprocess" returns ok for request 13
modcall[authorize]: module "chap" returns noop for request 13
modcall[authorize]: module "mschap" returns noop for request 13
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 13
users: Matched test at 90
modcall[authorize]: module "files" returns ok for request 13
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 13
rlm_eap: EAP packet type response id 16 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 13
modcall: group authorize returns updated for request 13
rad_check_password: Found Auth-Type Local
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 13
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 13
modcall: group authenticate returns invalid for request 13
auth: Failed to validate the user.
Delaying request 13 for 1 seconds
Finished request 13
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 55 to 43.191.112.164:21657
EAP-Message = 0x04020004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1 seconds..
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, February 03, 2005 11:29 AM
To: [email protected]
Subject: Re: MSCHAP V2 local
"DeYoung, Brandon" <[EMAIL PROTECTED]> wrote:
> I'm now trying to add a handful of local accounts, for people/devices who
> do not have AD accounts. I've tried adding things like this to the
> /etc/raddb/users file:
>
> test Auth-Type := MS-CHAP, User-Password == "testing"
And that will cause problems.
> I've tried a few different derivatives of this but so far couldn't get
> anything to work.
First, see the FAQ about statements like "it doesn't work".
Second, read radiusd.conf, the comments above the "authenticate" section.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
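The radiusd -X trace above is long enough that a small parser helps pull out the two things it records for the local user: the "Found 2 auth-types" warning (Auth-Type Local from the users entry plus EAP) and the ntlm_auth call that still runs, and fails with an NTSTATUS code, even though the users file matched. The following is an added example, not code from this thread or from the FreeRADIUS project; it works on a constructed excerpt in the trace's format, and the domain name in it is a placeholder.

```python
import re

# Constructed excerpt shaped like a radiusd -X trace (not the poster's log); domain is a placeholder.
SAMPLE_TRACE = """\
modcall: entering group authorize for request 12
users: Matched test at 90
rad_check_password: Found Auth-Type Local
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'test'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=test
Exec-Program output: Account locked out (0xc0000234)
modcall[authenticate]: module "mschap" returns reject for request 12
"""

# Debug lines worth tracking; the request id comes from the authorize banner.
RE_REQUEST = re.compile(r"^modcall: entering group authorize for request (\d+)")
RE_USERS = re.compile(r"^users: Matched (\S+) at \d+")
RE_AUTH_TYPE = re.compile(r"^rad_check_password: Found Auth-Type (\S+)")
RE_NTLM = re.compile(r"^Exec-Program: \S*ntlm_auth\b")
RE_NTSTATUS = re.compile(r"^Exec-Program output: .*\((0x[0-9a-f]{8})\)", re.I)

def parse_trace(text):
    """Summarise a radiusd -X trace per request id."""
    reqs, cur = {}, None
    for line in text.splitlines():
        if m := RE_REQUEST.match(line):
            cur = reqs.setdefault(int(m.group(1)), {"users_entry": None, "auth_types": [],
                                                    "ntlm_auth": False, "ntstatus": None})
        elif cur is None:
            continue  # lines before the first authorize banner carry no request id
        elif m := RE_USERS.match(line):
            cur["users_entry"] = m.group(1)
        elif (m := RE_AUTH_TYPE.match(line)) and m.group(1) not in cur["auth_types"]:
            cur["auth_types"].append(m.group(1))  # authorize runs more than once per request
        elif RE_NTLM.match(line):
            cur["ntlm_auth"] = True
        elif m := RE_NTSTATUS.match(line):
            cur["ntstatus"] = m.group(1).lower()
    return reqs

def findings(req):
    """Misconfiguration signals to check in one request summary."""
    out = []
    if len(req["auth_types"]) > 1:  # the 'Found 2 auth-types' warning case
        out.append("auth-type-conflict:" + "+".join(req["auth_types"]))
    if req["users_entry"] and req["ntlm_auth"]:  # users entry matched, yet ntlm_auth ran
        out.append("users-entry-bypassed-by-ntlm_auth")
    if req["ntstatus"]:
        out.append("ntlm_auth-ntstatus:" + req["ntstatus"])
    return out
```

Run against a full trace, the summary for request 12 shows all three signals at once, which is the combination to look for before changing the users entry or the mschap module configuration.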