Looks like you're right with the PEAP/SAMBA issue, seems to be a broken SAMBA version.
Not sure how I'm going to solve this without an OS switch or compiling from source - looking at the original thread, the password hash gained from ntlm_auth needs to be hashed a second time? Would simply patching in a round of hashing correct this?

Adam Bishop

On 01/02/2011 15:16, "Heikki Vatiainen" <[email protected]> wrote:

> On 02/01/2011 03:49 PM, Adam Bishop wrote:
>> Encountering an odd issue with MSCHAPv2/PEAP
>>
>> I have 2 Radiator instances, one based on Debian 5, one on Ubuntu 10.04 LTS. They share a config file (barring secrets), and the Debian one works fine. There is a difference in patch level; if I remember correctly, the Debian install is a few patches out of date.
>>
>> The Ubuntu one accepts PAP, TTLS/PAP and TTLS/MSCHAPv2, but PEAP/MSCHAPv2 fails. The system is authenticated against Active Directory - ntlm_auth --request-nt-key works.
>>
>> The only thing that stands out in the proxied trace is the MD5 failure - libdigestmd5-perl is installed (as far as I know) and seems to be used:
>>
>> root@orps3:/var/log/radiator# lsof -p 1488 | grep -i md5
>> radiusd 1488 root mem REG 251,3 18640 525298 /usr/lib/perl/5.10.1/auto/Digest/MD5/MD5.so
>>
>> The direct trace is just weird: NTLM_AUTH seems to give the OK, then... Nothing.
>>
>> Any suggestions anyone has are appreciated.
>
> You should list the EAP types separated by commas, not one per line. If you have them one per line, I think the last one is the only type Radiator is told to use.
>
> About the MD5 failure, the client does like the suggested EAP type (MD5-Challenge) and sends a NAK, so that's why there is the failure.
>
> You may want to remove both instances of the MD5-Challenge EAPType unless you know you need it. For PEAP, EAPType MSCHAP-V2 is usually enough.
>
> The "then ... Nothing." behaviour after ntlm_auth looks like what was seen earlier, and the reason was ntlm_auth returning incorrect values, which makes the MSCHAPv2 server authentication fail for the client. In other words, the client thinks the server failed to authenticate itself and the client stops the authentication process.
>
> Please see the ntlm_auth thread from last September:
> http://www.open.com.au/pipermail/radiator/2010-September/thread.html#16658
>
> --
> Heikki Vatiainen <[email protected]>
>
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
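The "hashed a second time" question above maps directly onto RFC 2759: the MS-CHAPv2 server signs its authenticator response with HashNtPasswordHash, which is MD4 of the NT password hash (the RFC calls the result PasswordHashHash), never with the NT hash itself. The following is an added Python example, not code from this thread, from Radiator or from Samba. It walks the RFC 2759 section 9.2 test vectors (username "User", password "clientPass", the RFC's challenges and NT-Response) through that computation and also shows the response a server produces when it is handed the single-hashed value by mistake, which is the failure the thread describes: the client rejects the server's authenticator and goes silent. The MD4 routine is written out because Python builds on OpenSSL 3 frequently ship hashlib without MD4.

```python
"""MS-CHAPv2 server authenticator response (RFC 2759 sections 8.2-8.4 and 8.7),
worked through with the RFC's own section 9.2 test vectors.

The server signs its "S=..." response with PasswordHashHash = MD4(NtPasswordHash),
the hash of the NT password hash, never with the NT hash alone. A helper that
hands the server the wrong one of those two values yields a response the client
rejects, after which the client simply stops talking.
"""
import hashlib
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Included because hashlib on OpenSSL 3 builds
    often has MD4 disabled, and MD4 is what NtPasswordHash is defined over."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & mask & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 8.3): MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def hash_nt_password_hash(password_hash: bytes) -> bytes:
    """HashNtPasswordHash (RFC 2759 8.4): the second round of MD4."""
    return md4(password_hash)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 8.2): first 8 bytes of SHA-1(peer || auth || user)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def authenticator_response(password_hash_hash: bytes, nt_response: bytes,
                           peer_challenge: bytes, auth_challenge: bytes,
                           username: str) -> str:
    """GenerateAuthenticatorResponse (RFC 2759 8.7)."""
    magic1 = b"Magic server to client signing constant"
    magic2 = b"Pad to make it do more than one iteration"
    digest = hashlib.sha1(password_hash_hash + nt_response + magic1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    return "S=" + hashlib.sha1(digest + challenge + magic2).hexdigest().upper()


# RFC 2759 section 9.2 test vectors: public values from the RFC, not a real account.
USERNAME = "User"
PASSWORD = "clientPass"
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
EXPECTED_RESPONSE = "S=407A5589115FD0D6209F510FE9C04566932CDA56"


def server_responses(password: str = PASSWORD) -> dict:
    """Return the response built the right way (from the hash-of-hash) next to
    the one a server produces if it is handed the single NT hash instead."""
    nt_hash = nt_password_hash(password)
    right = authenticator_response(hash_nt_password_hash(nt_hash), NT_RESPONSE,
                                   PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME)
    wrong = authenticator_response(nt_hash, NT_RESPONSE,
                                   PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME)
    return {"hash_of_hash": right, "single_hash": wrong}


if __name__ == "__main__":
    for name, value in server_responses().items():
        status = "OK" if value == EXPECTED_RESPONSE else "client will reject"
        print(f"{name:13} {value}  {status}")
```

Running the module prints both responses; only the one built from the hash-of-hash matches the RFC's S=407A... value. When an external helper is suspected of returning the wrong key, comparing what it hands back for a known test account against hash_nt_password_hash(nt_password_hash(password)) tells you in one step which of the two values it is producing, without having to capture a failing PEAP exchange.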
