I've been debugging this for a while and I still can't find a solution to the problems I'm having. I'm running FreeRADIUS in this pattern:
Active Directory <-> MS-CHAP <-> FreeRADIUS <-> Cisco Switch <-> Windows XP SP3

I seem to be getting the error that is described here: http://wiki.freeradius.org/index.php/FAQ#PEAP_or_EAP-TLS_Doesn.27t_Work_with_a_Windows_machine

I've run through and created the SSL certificates as described, with the Windows OIDs, and I still seem to be getting the same issues. I have the actual AD authentication set up as described here: http://deployingradius.com/documents/configuration/active_directory.html

I've turned off certificate validation on the Windows XP host and still no dice. I ran the EAP debugging as shown here: http://deployingradius.com/documents/configuration/eap-problems.html and I have posted the results here: http://www.mythdragon.com/freeradius-debug/

The output of freeradius -X when I attempt a connection is like this:

rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=76, length=150
        User-Name = "chris"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-XX-XX-XX-XX-XX"
        Calling-Station-Id = "00-YY-YY-YY-YY-YY"
        EAP-Message = 0x0201000b01637374756474
        Message-Authenticator = 0x8ffd4ec097ed474d2acfdbd06ce668ec
        NAS-Port-Type = Ethernet
        NAS-Port = 50110
        NAS-Port-Id = "GigabitEthernet1/0/10"
        NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 76 to 10.10.10.15 port 1645
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x99671c6699650575d57e32307d8902b7
Finished request 36.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=77, length=237
        User-Name = "chris"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-XX-XX-XX-XX-XX"
        Calling-Station-Id = "00-YY-YY-YY-YY-YY"
        EAP-Message = 0x0202005019800000004616030100410100003d03014a16f9f81d590cd2812aba8c635f832ec313fc9cd6070f2bcdb13efd9f9c8543000010
        Message-Authenticator = 0x852be4c5dbca1b2f6653ddaef5525a62
        NAS-Port-Type = Ethernet
        NAS-Port = 50110
        NAS-Port-Id = "GigabitEthernet1/0/10"
        State = 0x99671c6699650575d57e32307d8902b7
        NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 2 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 77 to 10.10.10.15 port 1645
        EAP-Message = 0x0103040019c00000089b160301002a0200002603014a16f9f822ffc89286e662e0256b43e66215ad341c85a29e778755224a23e687000009
        EAP-Message = 0x301e170d3039303532323138353235395a170d3130303532323138353235395a307c310b3009060355040613024652310f300d060355040e
        EAP-Message = 0x16e1a3903966209e8ab8733cc6c04e80a7b972a847ad3b172844cfe65eb4080ce9170bc842dfb0a6c747fda85e5890ba53ccf0b16757e60b
        EAP-Message = 0x4e837b84ca468c64275107fe93f5470153c858eb12e74f02ab7bd52ccf54add01488f9987b9a49a8ba1e8e2208c8ade2a727261a596bb4c4
        EAP-Message = 0xa73082038fa0030201020209
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x99671c6698640575d57e32307d8902b7
Finished request 37.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=78, length=163
        User-Name = "chris"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-XX-XX-XX-XX-XX"
        Calling-Station-Id = "00-YY-YY-YY-YY-YY"
        EAP-Message = 0x020300061900
        Message-Authenticator = 0xc8f1baef47c6a3668e41c12b29278edc
        NAS-Port-Type = Ethernet
        NAS-Port = 50110
        NAS-Port-Id = "GigabitEthernet1/0/10"
        State = 0x99671c6698640575d57e32307d8902b7
        NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 78 to 10.10.10.15 port 1645
        EAP-Message = 0x010403fc194000c245b84f58bde16c300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040814
        EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d68
        EAP-Message = 0x1bdaa4b461fa877807cfeb35b8c7db9a395c24818f3db57dd0f5d6f7c4437d6bf232fd2dccebe6c64210a6c8d380a758d51b5977b844a294
        EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e31203016
        EAP-Message = 0xd38d9387a468419b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x99671c669b630575d57e32307d8902b7
Finished request 38.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=79, length=163
        User-Name = "chris"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-XX-XX-XX-XX-XX"
        Calling-Station-Id = "00-YY-YY-YY-YY-YY"
        EAP-Message = 0x020400061900
        Message-Authenticator = 0xd045350ba1ebd09fc6aa69d033f7e022
        NAS-Port-Type = Ethernet
        NAS-Port = 50110
        NAS-Port-Id = "GigabitEthernet1/0/10"
        State = 0x99671c669b630575d57e32307d8902b7
        NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 79 to 10.10.10.15 port 1645
        EAP-Message = 0x010500b51900b36564be63341757208d386f17c173f1915bf196936c35da2bdb889940fc633ab5960046b3e360595d0217ca1c4a587cbc70
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x99671c669a620575d57e32307d8902b7
Finished request 39.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=80, length=479
        User-Name = "chris"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-XX-XX-XX-XX-XX"
        Calling-Station-Id = "00-YY-YY-YY-YY-YY"
        EAP-Message = 0x0205014019800000013616030101061000010201005abafa67288b1050a9f42c9d521379eaa30a5d7927acaa6d5cb08c696aa724a733a39e
        EAP-Message = 0xc79943d0ffbb934a2e561395636d71b516c108a409ed05c21403010001011603010020dccd71cdf582fc34be4e949e4a83a8e3cd43b214c2
        Message-Authenticator = 0xbd6fecf99a5ff39317b2e3a76ee1ed01
        NAS-Port-Type = Ethernet
        NAS-Port = 50110
        NAS-Port-Id = "GigabitEthernet1/0/10"
        State = 0x99671c669a620575d57e32307d8902b7
        NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 80 to 10.10.10.15 port 1645
        EAP-Message = 0x0106003119001403010001011603010020f17c1f67be3975c6810d3764208a8294ab2f5281c3b861884c4cf7cc22a275f8
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x99671c669d610575d57e32307d8902b7
Finished request 40.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=81, length=163
        User-Name = "chris"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-XX-XX-XX-XX-XX"
        Calling-Station-Id = "00-YY-YY-YY-YY-YY"
        EAP-Message = 0x020600061900
        Message-Authenticator = 0x04bebaa5f8107e585937873550d1be1b
        NAS-Port-Type = Ethernet
        NAS-Port = 50110
        NAS-Port-Id = "GigabitEthernet1/0/10"
        State = 0x99671c669d610575d57e32307d8902b7
        NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 81 to 10.10.10.15 port 1645
        EAP-Message = 0x01070020190017030100153af1e2ab4422d8623abc16220825b30286308dd3d8
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x99671c669c600575d57e32307d8902b7
Finished request 41.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=82, length=191
        User-Name = "chris"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-XX-XX-XX-XX-XX"
        Calling-Station-Id = "00-YY-YY-YY-YY-YY"
        EAP-Message = 0x0207002219001703010017d1d78d24d19c44335278dbf3b577ab1dc6e972c1625ac3
        Message-Authenticator = 0x0d00514a34760c9ad0353b282e218722
        NAS-Port-Type = Ethernet
        NAS-Port = 50110
        NAS-Port-Id = "GigabitEthernet1/0/10"
        State = 0x99671c669c600575d57e32307d8902b7
        NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 7 length 34
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - chris
[peap] Got tunnled request
        EAP-Message = 0x0207000b01637374756474
server routers-auth {
  PEAP: Got tunneled identity of chris
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to chris
Sending tunneled request
        EAP-Message = 0x0207000b01637374756474
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "chris"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = "chris", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010800201a0108001b101195ce2c24ade78b1cf5aa059c23f088637374756474
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb344cf36b34cd589c33f8244b7aca70a
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010800201a0108001b101195ce2c24ade78b1cf5aa059c23f088637374756474
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb344cf36b34cd589c33f8244b7aca70a
[peap] Got tunneled Access-Challenge
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 82 to 10.10.10.15 port 1645
        EAP-Message = 0x010800371900170301002c4ea2709917cd595f7940395816d8a688fd6ce44d2213388f7b00bc9c55b555c2957c56f4bd0a9439c9913367
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x99671c669f6f0575d57e32307d8902b7
Finished request 42.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=83, length=245
        User-Name = "chris"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-XX-XX-XX-XX-XX"
        Calling-Station-Id = "00-YY-YY-YY-YY-YY"
        EAP-Message = 0x020800581900170301004d73817b889d4fd7e2bf24fb538ad896be72097e0bc493430d917cf6d552b43ad7eaa6b6bc6cd039067e5ea70ecc
        Message-Authenticator = 0x11f6fb0bafc3ee1abaabaf02120589cb
        NAS-Port-Type = Ethernet
        NAS-Port = 50110
        NAS-Port-Id = "GigabitEthernet1/0/10"
        State = 0x99671c669f6f0575d57e32307d8902b7
        NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 8 length 88
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
        EAP-Message = 0x020800411a0208003c3152dc3d0f74f672cab9f314e0aa326c86000000000000000035b488c0131cea6672253fe5e9a3b8e54aacc0c341f4
server routers-auth {
  PEAP: Setting User-Name to chris
Sending tunneled request
        EAP-Message = 0x020800411a0208003c3152dc3d0f74f672cab9f314e0aa326c86000000000000000035b488c0131cea6672253fe5e9a3b8e54aacc0c341f4
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "chris"
        State = 0xb344cf36b34cd589c33f8244b7aca70a
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = "chris", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for chris with NT-Password
[mschap] No NT-Domain was found in the User-Name.
expand: --domain=%{mschap:NT-Domain:-MYDOMAINHERE} -> --domain=MYDOMAINHERE
expand: --username=%{mschap:User-Name:-None} -> --username=chris
[mschap] mschap2: 11
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4e97ec9325450dea
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=35b488c0131cea6672253fe5e9a3b8e54aacc0c341fae031
Exec-Program output: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207
Exec-Program-Wait: plaintext: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207
Exec-Program: returned: 0
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010900331a0308002e533d45334443373936373934363834394539454142413430423735354536323236333832314537464639
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb344cf36b24dd589c33f8244b7aca70a
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010900331a0308002e533d45334443373936373934363834394539454142413430423735354536323236333832314537464639
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb344cf36b24dd589c33f8244b7aca70a
[peap] Got tunneled Access-Challenge
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 83 to 10.10.10.15 port 1645
        EAP-Message = 0x0109004a1900170301003f9831a816e378081f830ef42917053a509f826145b1c94885404f81f6f05985fbdaed9e0e6a5002ea5d72b9dba9
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x99671c669e6e0575d57e32307d8902b7
Finished request 43.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 36 ID 76 with timestamp +422
Cleaning up request 37 ID 77 with timestamp +422
Cleaning up request 38 ID 78 with timestamp +422
Cleaning up request 39 ID 79 with timestamp +422
Cleaning up request 40 ID 80 with timestamp +422
Cleaning up request 41 ID 81 with timestamp +422
Cleaning up request 42 ID 82 with timestamp +422
Cleaning up request 43 ID 83 with timestamp +422
Ready to process requests.
Any help you guys can give me would be very appreciated. I know this issue has been posted here before, but it seems like the results I'm getting from all the solutions I've seen aren't fixing my problem.

Chris Studt

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
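To read a trace like the one above without counting hex digits by hand, here is an added decoder (example code, not part of the post or of FreeRADIUS) for the EAP-Message values it contains: the EAP header, the PEAP flags and TLS length of the outer conversation, and the EAP-MSCHAPv2 header of the tunneled Challenge and Success requests. The sample values are copied from the trace; the names EAP_TYPES, decode_eap_message and describe are the example's own.

```python
import struct

# Name tables for the EAP codes/types and MS-CHAPv2 opcodes that appear in the trace
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAPV2_OPS = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def decode_eap_message(hexstr):
    """Decode one EAP-Message value as freeradius -X prints it ('0x' optional).
    freeradius splits long packets over several EAP-Message attributes and cuts
    each value short in the debug output; pass the first attribute of a packet,
    which is the one carrying the EAP header (partial TLS data is tolerated)."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or len(data) < 5:
        return out                          # Success/Failure carry no type byte
    etype, body = data[4], data[5:]
    out["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:                          # Identity: the bare user name
        out["identity"] = body.decode("ascii", "replace")
    elif etype in (13, 25):                 # EAP-TLS and PEAP share one flags byte
        flags = body[0]
        out["flags"] = {"L": bool(flags & 0x80),    # TLS length field present
                        "M": bool(flags & 0x40),    # more fragments follow
                        "S": bool(flags & 0x20)}    # start of the TLS conversation
        if flags & 0x80:
            out["tls_length"] = struct.unpack("!I", body[1:5])[0]
    elif etype == 26:                       # EAP-MSCHAPv2: opcode, id, length, ...
        op, ms_id, ms_len = struct.unpack("!BBH", body[:4])
        ms = {"opcode": MSCHAPV2_OPS.get(op, op), "id": ms_id, "length": ms_len}
        if op == 1:                         # Challenge: value-size, challenge, name
            size = body[4]
            ms["challenge"] = body[5:5 + size].hex()
            ms["name"] = body[5 + size:].decode("ascii", "replace")
        elif op == 3:                       # Success: "S=<authenticator response>"
            ms["message"] = body[4:].decode("ascii", "replace")
        out["mschapv2"] = ms
    return out

def describe(hexstr):
    """One-line summary of an EAP-Message, handy for annotating a trace."""
    d = decode_eap_message(hexstr)
    s = f"EAP {d['code']} id={d['id']} len={d['length']} {d.get('type', '')}"
    flags = "".join(k for k, v in d.get("flags", {}).items() if v)
    if flags:
        s += f" flags={flags}"
    if "tls_length" in d:
        s += f" tls_len={d['tls_length']}"
    if "mschapv2" in d:
        s += f" op={d['mschapv2']['opcode']}"
    return s.rstrip()

if __name__ == "__main__":
    # Values copied from the trace (long ones cut where the debug output cuts them)
    for m in ["0x0201000b01637374756474", "0x010200061920", "0x020300061900",
              "0x0202005019800000004616030100410100003d", "0x010403fc194000c245b84f58bde16c",
              "0x010800201a0108001b101195ce2c24ade78b1cf5aa059c23f088637374756474",
              "0x010900331a0308002e533d45334443373936373934363834394539454142413430423735354536323236333832314537464639"]:
        print(describe(m))
```

Two things in a trace like this are worth redacting before posting: the EAP Identity hex carries the user name in clear, and the NT_KEY that ntlm_auth prints is derived from the account's password hash.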

