Hi,

I have a strange problem. I try to authenticate users against AD; it seems to be a typical deployment of freeradius.

But it works randomly.


When it doesn't work, the mschap/NTLM auth succeeds, the server sends an Access-Challenge, I see on the Cisco Aironet that the Access-Challenge comes back to the client, and there is no reply from the client and the connection gets stuck:


+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for host/MRSLAP03571.domain.priv with NT-Password
        expand: --username=%{mschap:User-Name:-None} -> --username=MRSLAP03571$
        expand: %{mschap:NT-Domain} -> DOMAIN
        expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN} -> --domain=DOMAIN
 mschap2: 60
        expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=923aaffd82c69093
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=a7e9503bed0bfedf055e9e32e241e391ccb0dd649fe09bbe
Exec-Program output: NT_KEY: 2254EC3D1B726196286DA65965D5D411
Exec-Program-Wait: plaintext: NT_KEY: 2254EC3D1B726196286DA65965D5D411
Exec-Program: returned: 0
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
  PEAP: Got tunneled reply RADIUS code 11
EAP-Message = 0x010b00331a030a002e533d34423436443245344135353939434637453443423233353641343546393836333932393945373637
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe713faa1e618e0bc40c4047c03951291
  PEAP: Processing from tunneled session code 0x1e9e490 11
EAP-Message = 0x010b00331a030a002e533d34423436443245344135353939434637453443423233353641343546393836333932393945373637
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe713faa1e618e0bc40c4047c03951291
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
} # server inner-tunnel
Sending Access-Challenge of id 103 to <AIRONET CISCO> port 1645
EAP-Message = 0x010b004a1900170301003fd5c3f845006343c8072ae98874a3df6bc8c3594e045b31fe7220a5c44b269eac3e3cdf6f48de5d3066feeb70a8f1d958e6b25c5f7ead1fa5c9064b89cc24a6
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5d184007551359eef79a3370536543a0
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 95 with timestamp +56
Cleaning up request 1 ID 96 with timestamp +56
Cleaning up request 2 ID 97 with timestamp +56


I have already checked that the XP extension is present on the server certificate:
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

##################################################
#
#  !!!!! WARNINGS for Windows compatibility  !!!!!
#
##################################################
#
#  If you see the server send an Access-Challenge,
#  and the client never sends another Access-Request,
#  then
#
#               STOP!
#
#  The server certificate has to have special OID's
#  in it, or else the Microsoft clients will silently
#  fail.  See the "scripts/xpextensions" file for
#  details, and the following page:
#
#       http://support.microsoft.com/kb/814394/en-

I use:

freeradius 2.0.4
samba 3.2.5
cisco aironet 1240


I have tried other versions of samba (3.2.15 and 3.4.8) and freeradius 2.1.8.

The samba / winbind stuff seems to work correctly (tests with wbinfo and ntlm_auth OK).

I have the same issue with other XP / Windows 7 supplicants.

I think I have checked the howto correctly:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

I don't think I'm the first with the same problem so please help me before I'm going crazy :)

Thanks a lot for any information.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
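An added example, not part of the original post and not FreeRADIUS code: a small decoder for the two EAP-Message values quoted in the trace above, so the reader can see what the inner tunnel actually replied (an MS-CHAPv2 Success with its "S=" authenticator response) and what the outer packet to the access point carries (a PEAP-encapsulated TLS application-data record, whose header is all that is readable without the session keys). The hex literals are copied from the trace; the function names and the EAP/MS-CHAPv2/PEAP/TLS field layouts follow RFC 3748, RFC 2759, the PEAP draft and the TLS record header.

```python
# Added example (not from the original post): decode the EAP-Message
# attributes that a FreeRADIUS debug trace prints, so the inner-tunnel
# reply and the outer PEAP/TLS record can be read without a packet capture.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {25: "PEAP", 26: "MS-CHAP-v2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success",
                    4: "Failure", 7: "Change-Password"}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# The two EAP-Message values copied from the debug trace quoted above:
# the reply produced inside the tunnel, and the outer packet sent to the AP.
INNER_EAP_MESSAGE = "0x010b00331a030a002e533d34423436443245344135353939434637453443423233353641343546393836333932393945373637"
OUTER_EAP_MESSAGE = "0x010b004a1900170301003fd5c3f845006343c8072ae98874a3df6bc8c3594e045b31fe7220a5c44b269eac3e3cdf6f48de5d3066feeb70a8f1d958e6b25c5f7ead1fa5c9064b89cc24a6"


def decode_eap(hex_value):
    """Parse one EAP-Message attribute value as printed by radiusd -X."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])   # Code, Identifier, Length
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):            # EAP Success/Failure carry no Type or payload
        return info
    eap_type = raw[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    body = raw[5:]
    if eap_type == 26:
        info.update(decode_mschapv2(body))
    elif eap_type == 25:
        info.update(decode_peap(body))
    return info


def decode_mschapv2(body):
    """Decode the MS-CHAPv2 sub-packet carried in EAP type 26 (RFC 2759 layout)."""
    if len(body) < 4:
        raise ValueError("MS-CHAPv2 sub-packet shorter than 4 bytes")
    opcode, ms_id, ms_len = struct.unpack("!BBH", body[:4])  # OpCode, MS-ID, MS-Length
    out = {"opcode": MSCHAPV2_OPCODES.get(opcode, opcode), "ms_id": ms_id,
           "ms_length_ok": ms_len == len(body)}
    if opcode == 3:
        # Success Request: "S=<40 hex chars>" authenticator response, optionally " M=<text>"
        text = body[4:].decode("ascii", errors="replace")
        out["message"] = text
        if text.startswith("S=") and len(text) >= 42:
            out["authenticator_response"] = text[2:42]
    return out


def decode_peap(body):
    """Decode the PEAP flags byte and the TLS record header that follows it."""
    if not body:
        raise ValueError("PEAP payload missing flags byte")
    flags = body[0]
    out = {"peap_flags": {"length_included": bool(flags & 0x80),   # L bit
                          "more_fragments": bool(flags & 0x40),    # M bit
                          "start": bool(flags & 0x20),             # S bit
                          "version": flags & 0x07}}
    offset = 1
    if flags & 0x80:              # 4-byte total TLS message length precedes the data
        out["tls_message_length"] = struct.unpack("!I", body[1:5])[0]
        offset = 5
    tls = body[offset:]
    if len(tls) >= 5:             # TLS record header: type, major, minor, length
        ctype, major, minor, rec_len = struct.unpack("!BBBH", tls[:5])
        out["tls_record"] = {
            "content_type": TLS_CONTENT_TYPES.get(ctype, ctype),
            "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
            "length": rec_len,
            "complete": rec_len == len(tls) - 5,   # whole record in this fragment?
        }
    return out


if __name__ == "__main__":
    for label, value in (("inner", INNER_EAP_MESSAGE), ("outer", OUTER_EAP_MESSAGE)):
        print(label, decode_eap(value))
```

Run as-is, it shows the inner reply is an MS-CHAPv2 Success (EAP id 11, MS-ID 10) carrying the 40-hex-digit authenticator response, and the outer packet is PEAP version 0 wrapping one complete 63-byte TLS 1.0 application-data record. That is exactly the "server sends an Access-Challenge and the client never answers" shape the eap.conf comment quoted above warns about, which points at the supplicant rejecting the server certificate rather than at the NTLM side, since ntlm_auth already returned the NT_KEY.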