With 2.1.8 and the configuration from http://deployingradius.com/scripts/eapol_test/peap-mschapv2.conf I want to test a radius configuration. The Linux server running radius is a member of the AD domain; mschap succeeds, but finally the authentication fails. freeradius sends Challenges to which eapol_test will not respond. This should not be the behaviour mentioned in eap.conf regarding Windows compatibility, as eapol_test says:

...
EAP-MSCHAPV2: RX identifier 11 mschapv2_id 10
EAP-MSCHAPV2: Received success
EAP-MSCHAPV2: Invalid authenticator response in success request
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL

and finally fails.

What is going wrong when freeradius says:

++[mschap] returns ok
MSCHAP Success

while eapol_test declares:

EAP-MSCHAPV2: Invalid authenticator response in success request

?

The result is the same whether eapol_test and radius run on the same host or on different machines. Below is an extract from the radius debug and eapol_test output. The complete logs are at http://tinyurl.com/36wn5lz

radius debug:

...
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for ZZZZZ1EC-TST with NT-Password
[mschap]    expand: --username=%{mschap:User-Name} -> --username=ZZZZZ1EC-TST
[mschap]  mschap2: c9
[mschap]    expand: --challenge=%{mschap:Challenge:-00} -> --challenge=8dcf3f854091b5b0
[mschap]    expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=32025f3e02109f45a23b3468721d538944af5d633f31afe2
Exec-Program output: NT_KEY: F2203599C0AD93B00507898A198A3698
Exec-Program-Wait: plaintext: NT_KEY: F2203599C0AD93B00507898A198A3698
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
    EAP-Message = 0x010b00331a030a002e533d35423746314132333037313436343646314439373138453036333834454238383541454432384246
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x6aef51466be44b4f70ee0c4182d406d0
[peap] Got tunneled reply RADIUS code 11
    EAP-Message = 0x010b00331a030a002e533d35423746314132333037313436343646314439373138453036333834454238383541454432384246
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x6aef51466be44b4f70ee0c4182d406d0
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 10 to 127.0.0.1 port 58631
    EAP-Message = 0x010b005b19001703010050de110c863ab2d5e21f07b010fc9adbfcda106b35f8cee8549fde8851ad1ba75da7bd114c1481cf7d9edb8adc3b2e4d8d2b5f7e62ba0fcea0b7e8e7e6e3edf45c2a1847d9195e7a0421a854d5ce12a3cf
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x3cecf09536e7e9bedf3400a6b087488e
Finished request 10.
Going to the next request
Waking up in 4.5 seconds.

eapol_test:

...
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=10 length=149
   Attribute 79 (EAP-Message) length=93
      Value: 01 0b 00 5b 19 00 17 03 01 00 50 31 9a b2 e5 49 18 04 ab eb 62 5c cc 03 11 93 ba e9 60 5d 66 bc 6b fb 67 97 92 75 f3 cd d7 d7 1b 5b ae bc aa 12 1f c1 a2 a5 41 2a e7 10 11 c1 b9 6f 3d 39 87 04 6e f8 b8 a5 0a a7 9d f8 79 91 cd 6d 3f 32 e1 2e fc df 43 4b 4c 96 99 fc 14 07 2c
   Attribute 80 (Message-Authenticator) length=18
      Value: b0 cf e3 2a 75 f5 18 48 50 99 4b b4 e3 c8 50 70
   Attribute 24 (State) length=18
      Value: 65 71 c9 7b 6f 7a d0 fc 26 6f 03 8b 5c fc f1 85
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.09 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=11 len=91) from RADIUS server: EAP-Request-PEAP (25)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=11 method=25 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=91) - Flags 0x00
EAP-PEAP: received 85 bytes encrypted data for Phase 2
EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=47): 1a 03 0a 00 2e 53 3d 35 33 36 46 30 44 42 30 36 42 43 45 36 42 43 37 32 31 34 33 33 37 39 46 39 38 33 35 46 33 41 31 37 38 41 43 46 44 43 39
EAP-PEAP: received Phase 2: code=1 identifier=11 length=51
EAP-PEAP: Phase 2 Request: type=26
EAP-MSCHAPV2: RX identifier 11 mschapv2_id 10
EAP-MSCHAPV2: Received success
EAP-MSCHAPV2: Invalid authenticator response in success request
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: startWhen --> 0
EAPOL test timed out
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE

Thanks

Norbert Wegener
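As an added example that is not part of the original post: the "S=..." text in the Success request is RFC 2759's authenticator response, derived from the NT hash (the NT_KEY ntlm_auth returns), the NT-Response and the 8-byte challenge hash, and the supplicant reports "Invalid authenticator response" precisely when its own derivation does not match. The script below (my own code, with a pure-Python MD4 so it does not depend on hashlib having md4) recomputes that value, checks itself against the RFC 2759 section 9.2 test vectors, and pulls the server's S= string out of a tunneled EAP-Message exactly as FreeRADIUS prints it in the debug output; the function names are mine.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
MAGIC1 = b"Magic server to client signing constant"      # RFC 2759 section 8.7
MAGIC2 = b"Pad to make it do more than one iteration"


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib often lacks md4 on OpenSSL 3 builds)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = ((F, 0, (3, 7, 11, 19), list(range(16))),
              (G, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, s, order in rounds:
            for i in range(16):
                a = rol((a + f(b, c, d) + X[order[i]] + k) & MASK, s[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 ChallengeHash: the 8-byte value FreeRADIUS prints as --challenge=... for MS-CHAPv2.
    The user name is part of the input, so both sides must hash the same spelling of it."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def authenticator_response(nt_hash: bytes, nt_response: bytes, challenge8: bytes) -> str:
    """RFC 2759 GenerateAuthenticatorResponse: the 'S=...' string carried in the Success request.
    nt_hash is the 16-byte NT password hash, i.e. the NT_KEY that ntlm_auth returns."""
    digest = hashlib.sha1(md4(nt_hash) + nt_response + MAGIC1).digest()
    return "S=" + hashlib.sha1(digest + challenge8 + MAGIC2).hexdigest().upper()


def success_request_message(eap_message_hex: str) -> str:
    """Extract the 'S=...' text from a tunneled EAP-Message as shown in FreeRADIUS debug output."""
    pkt = bytes.fromhex(eap_message_hex[2:] if eap_message_hex.startswith("0x") else eap_message_hex)
    # EAP: code(1) id(1) length(2) type(1)=26 | MS-CHAPv2: opcode(1)=3 Success, id(1), ms-length(2), message
    if len(pkt) < 9 or pkt[4] != 26 or pkt[5] != 3:
        raise ValueError("not an EAP-MSCHAPv2 Success request")
    ms_len = int.from_bytes(pkt[7:9], "big")
    return pkt[9:5 + ms_len].decode("ascii")
```

Feeding the NT_KEY, --nt-response and --challenge values from the radius debug output to authenticator_response() and comparing the result with success_request_message() on the tunneled EAP-Message shows whether the server's S= is consistent with what it logged; if it is, the supplicant must be deriving a different NT hash or challenge hash (for example from a differently spelled user name).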

