Hi.
I'm quite a newbie, so please keep it simple.
I have been fighting with this for the past 10 hours!
I am trying to do PEAP authentication (without certificates) where a
client (Windows XP/Vista) gains WPA wi-fi access with a username and
password using FreeRADIUS (v2.1.4) as the RADIUS server on Ubuntu
Linux 8.10.
I have gotten as far as compiling FreeRADIUS with SSL/TLS support and
getting a Windows client to gain WPA access where his username/pass is
in the "/etc/freeradius/users" file. I'm not interested in doing any
LDAP or Active Directory stuff (don't want to use ntlm_auth), so
obviously "MS-CHAP-Use-NTLM-Auth := No" was included with the
user/pass in the "/etc/freeradius/users" file. And as I said, the
client could gain Wi-Fi WPA access using PEAP authentication.
However, I would like to manage usernames and passwords in a MySQL database.
The relevant part of the MySQL schema that I have been trying is as follows:
radcheck (id,username,attribute,op,value)
radreply (id,username,attribute,op,value)
I have configured FreeRADIUS to talk to MySQL using various tutorials
on the internet and have confirmed this works with the "radtest" shell
command (I get an Access-Accept back for any users in the "radcheck"
table).
So to try to do it with PEAP authentication I inserted the following in the tables.
INSERT INTO radcheck (username,attribute,op,value) VALUES
('user1','Cleartext-Password',':=','pass1');
INSERT INTO radreply (username,attribute,op,value) VALUES
('user1','MS-CHAP-Use-NTLM-Auth',':=','No');
Note how I have included "MS-CHAP-Use-NTLM-Auth := No" as a reply
attribute. But, no matter what I do, this does not allow a client to
authenticate.
freeradius debug (with -X switch) gives me the following (I've only
included the parts which I think are relevant):
..................
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'user1' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'user1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username
= 'user8' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
..................
EAP-Message =
0x0108001f1a0108001a1025124f5e6a8bc7778687e657b729c16b7573657238
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x31f7332531ff293ae0350b28678bf4db
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x0108001f1a0108001a1025124f5e6a8bc7778687e657b729c16b7573657238
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x31f7332531ff293ae0350b28678bf4db
[peap] Got tunneled Access-Challenge
++[eap] returns handled
...................
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for user1 with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
..................
The parts that give away the fact that the "MS-CHAP-Use-NTLM-Auth :=
No" is not being read from the database:
1) no users are found in the "SELECT FROM radreply" query
2) underneath "[peap] Got tunneled reply code 11" there is no
"MS-CHAP-Use-NTLM-Auth := No" as there is when a user is authenticated
from the "users" file.
3) The fact that I cannot get the client to gain access!
I really don't know what to do from this point. I haven't included any
of my freeradius configuration files because I really don't know which
ones to include. So if you want to see them just let me know which
ones you want.
Thanks in advance
Doron
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
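An added example, not from the original post or from the FreeRADIUS project, showing how rlm_sql consumes the two tables named above: rows in radcheck are loaded as check/control items for the request, rows in radreply become reply items, and MS-CHAP-Use-NTLM-Auth is a control item read by rlm_mschap, so it only takes effect when it sits in radcheck. Table and attribute names are the ones from the post; the user, password and Session-Timeout values are constructed.

```sql
-- Minimal subset of the radcheck/radreply schema from the post (MySQL).
CREATE TABLE IF NOT EXISTS radcheck (
  id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL DEFAULT '',
  attribute VARCHAR(64)  NOT NULL DEFAULT '',
  op        CHAR(2)      NOT NULL DEFAULT '==',
  value     VARCHAR(253) NOT NULL DEFAULT '',
  KEY username (username(32))
);
CREATE TABLE IF NOT EXISTS radreply LIKE radcheck;

-- Rows in radcheck become check/control items for the request. The
-- MS-CHAPv2 step inside the PEAP tunnel looks there both for the password
-- it derives NT-Password from and for the MS-CHAP-Use-NTLM-Auth switch.
-- 'user1' / 'pass1' are constructed sample values.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('user1', 'Cleartext-Password',    ':=', 'pass1'),
  ('user1', 'MS-CHAP-Use-NTLM-Auth', ':=', 'No');

-- radreply rows are only copied into the Access-Accept returned to the
-- NAS; a control attribute placed here is never consulted by rlm_mschap.
-- Keep radreply for genuine reply attributes (constructed example):
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('user1', 'Session-Timeout', ':=', '3600');

-- The same query rlm_sql runs (see the -X output), to confirm what the
-- module will load as check items for this user before testing with PEAP.
SELECT id, username, attribute, value, op
  FROM radcheck WHERE username = 'user1' ORDER BY id;
```

The final SELECT should list both the Cleartext-Password and the MS-CHAP-Use-NTLM-Auth row; if only the password appears, the control item is still in the wrong table.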