On 10/04/2011 12:57, James J J Hooper wrote:
On 10/04/2011 12:39, James J J Hooper wrote:
On 10/04/2011 12:16, James J J Hooper wrote:
On 10/04/2011 07:03, Alan DeKok wrote:
James J J Hooper wrote:
I've may have mis-understood the code, but I think the EAP MS-CHAP-v2
Failure packet, should be an EAP *request* (currently it's EAP
failure)??
Yes, thanks.
Also, args to pairmove2 are wrong way around, as attached.
After that last change (p4.txt.gz), I think it's now doing the right thing:
* wpa_supplicant output matches Phil's (against W2k8 NPS), with the
exception that M=... is always present.
* With allow_retry = no, XP pop's up the usual 'enter credentials...'
bubble, and box.
* With allow_retry = yes, XP pops a "click to process credentials" bubble,
then a "type your password again" box:
http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png
...Although, when you correct the password in the 'allow_retry = yes"
popup, I don't think FR has got the bit to handle that yet:
Found Auth-Type = eduroamalieneap-bris-sha-ca
# Executing group from file
/usr/local/etc/raddb/sites-enabled/eduroamalien-inner
+- entering group eduroamalieneap-bris-sha-ca {...}
[eduroamalieneap-bris-sha-ca] Request found, released from the list
[eduroamalieneap-bris-sha-ca] EAP/mschapv2
[eduroamalieneap-bris-sha-ca] processing type mschapv2
rlm_eap_mschapv2: Unexpected response received << ***
[eduroamalieneap-bris-sha-ca] Handler failed in EAP/mschapv2
[eduroamalieneap-bris-sha-ca] Failed in EAP select
++[eduroamalieneap-bris-sha-ca] returns invalid
Failed to authenticate the user.
Login incorrect: [jh176...@bris.ac.uk] (from client JamesJJ port 256 cli
00-1a-4d-35-b0-5a via TLS tunnel)
} # server eduroamalien-inner
[peap] Got tunneled reply code 3
EAP-Message = 0x040c0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x040c0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
I think it needs two things now:
1)
Something like:
@@ -433,8 +433,8 @@ static int mschapv2_authenticate(void *arg,
EAP_HANDLER *handler)
* a challenge.
*/
case PW_EAP_MSCHAPV2_RESPONSE:
- if (data->code != PW_EAP_MSCHAPV2_CHALLENGE) {
- radlog(L_ERR, "rlm_eap_mschapv2: Unexpected
response received");
+ if ((data->code != PW_EAP_MSCHAPV2_CHALLENGE) &&
(data->code != PW_EAP_MSCHAPV2_FAILURE)) {
+ radlog(L_ERR, "rlm_eap_mschapv2: Unexpected
response received: %d", data->code);
return 0;
}
... because the response to our MSCHAPV2_FAILURE seems to be a
MSCHAPV2_FAILURE
2)
if (inst->retry_msg) {
snprintf(buffer + 9, sizeof(buffer), " C=");
for (i = 0; i < 16; i++) {
snprintf(buffer + 12 + i*2,
sizeof(buffer), "%02x",
fr_rand() & 0xff);
}
This C=<random> needs to be saved and eventually make it's way in to
data->challenge so that the line lower down:
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);
has the correct challenge, and can then process the clients "retry" correctly?
(help, I havn't managed to work out the mechanism from the current
challenge generation bits yet!)
-James
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
