Re: eap-mschapv2 and radius.log

2012-12-06 Thread Scott Armitage

On 6 Dec 2012, at 11:33, Scott Armitage s.p.armit...@lboro.ac.uk wrote:

 All,
 
 I have noticed a behaviour in the logging and I'm not sure if it is 
 misconfiguration on my part, a misunderstanding of the expected behaviour or a 
 bug.  If I attempt to log in using EAP-MSCHAPv2 inside of an EAP method 
 (e.g. PEAP/EAP-MSCHAPv2) I see "Login OK:" for the outer EAP regardless of 
 the result of the inner EAP, e.g.:
 
 Thu Dec  6 11:10:55 2012 : Auth: Login OK: [scott] (from client pepsi port 0 
 cli 02-00-00-00-00-01 via TLS tunnel)
 Thu Dec  6 11:10:55 2012 : Auth: Login OK: [scott] (from client pepsi port 0 
 cli 02-00-00-00-00-01 via TLS tunnel)
 Thu Dec  6 11:10:56 2012 : Auth: Login OK: [anonym...@lboro.ac.uk] (from 
 client pepsi port 0 cli 02-00-00-00-00-01)
 
 This means if I have a user with a bad password I get the following in the 
 log:
 
 Thu Dec  6 11:21:37 2012 : Auth: Login OK: [scott] (from client pepsi port 0 
 cli 02-00-00-00-00-01 via TLS tunnel)
 
 As the mschap module is waiting for the user to re-enter their password, 
 eventually it times out.  Therefore this is the only entry in the log, which 
 is somewhat confusing, as it has actually failed but the only log entry is 
 "Login OK".
 
 Has anyone else noticed this behaviour, or have I configured something wrong?
 
 Regards
 
 Scott Armitage
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Sorry, forgot to say. I notice this with both FreeRADIUS Version 2.2.0 and 3.0.

Regards

Scott


Re: eap-mschapv2 and radius.log

2012-12-06 Thread Scott Armitage

On 6 Dec 2012, at 14:07, Scott Armitage s.p.armit...@lboro.ac.uk wrote:

 
 On 6 Dec 2012, at 11:33, Scott Armitage s.p.armit...@lboro.ac.uk wrote:
 
 All,
 
 I have noticed a behaviour in the logging and I'm not sure if it is 
 misconfiguration on my part, a misunderstanding of the expected behaviour or a 
 bug.  If I attempt to log in using EAP-MSCHAPv2 inside of an EAP method 
 (e.g. PEAP/EAP-MSCHAPv2) I see "Login OK:" for the outer EAP regardless of 
 the result of the inner EAP, e.g.:
 
 Thu Dec  6 11:10:55 2012 : Auth: Login OK: [scott] (from client pepsi port 0 
 cli 02-00-00-00-00-01 via TLS tunnel)
 Thu Dec  6 11:10:55 2012 : Auth: Login OK: [scott] (from client pepsi port 0 
 cli 02-00-00-00-00-01 via TLS tunnel)
 Thu Dec  6 11:10:56 2012 : Auth: Login OK: [anonym...@lboro.ac.uk] (from 
 client pepsi port 0 cli 02-00-00-00-00-01)
 
 This means if I have a user with a bad password I get the following in the 
 log:
 
 Thu Dec  6 11:21:37 2012 : Auth: Login OK: [scott] (from client pepsi port 0 
 cli 02-00-00-00-00-01 via TLS tunnel)
 
 As the mschap module is waiting for the user to re-enter their password, 
 eventually it times out.  Therefore this is the only entry in the log, which 
 is somewhat confusing, as it has actually failed but the only log entry is 
 "Login OK".
 
 Has anyone else noticed this behaviour, or have I configured something 
 wrong?
 
 Regards
 
 Scott Armitage
 
 
 Sorry, forgot to say. I notice this with both FreeRADIUS Version 2.2.0 and 3.0.


Ignore this, I was just being dumb.  I had enabled SoH and the first OK is the 
SoH.





Re: EAP-MSCHAPv2 and smbpasswd

2010-08-27 Thread Alan DeKok
Jonathan Black wrote:
 I've dug around in documentation looking to find out if EAP-MSCHAPv2
 can use the smbpasswd file to authenticate wireless clients. Is it
 possible to have the smbpasswd file authenticate EAP-MSCHAPv2
 requests? Thanks!

  The correct questions are:

Q: Can smbpasswd file read passwords?
A: Yes

Q: Can EAP-MSCHAPv2 use passwords to authenticate users?
A: Yes

  The password lookup stage is separate from the "use password to do
authentication" stage for a number of reasons.

  Alan DeKok.


Re: EAP-MSCHAPv2 and MPPE key

2010-06-07 Thread Alan DeKok
Stefan Winter wrote:
 we're trying to get IKEv2 under Windows 7 going. It can use among others
 EAP-MSCHAPv2; notably with EAP wrapper but without TLS.

  OK.  That's getting to be more common.

 I noticed that rlm_mschap can be configured to calculate and send MPPE
 keys, while rlm_eap/types/mschapv2 does not; the two modules seem to be
 mostly independent.
 
 Is that something that can easily be added?

  Yup.

 BTW, a check back with a developer (Martin from strongswan.org) yielded:
 
 Then I'd assume you are using FreeRADIUS :-).
 
 It does not include the MSK in MSCHAPv2 if used over EAP. IKEv2 however
 requires the MSK to calculate the AUTH payload.

  OK.

 In its current form, you can't use FreeRADIUS for your setup, my
 apologies. One could extend FreeRADIUS to copy over the MPPE keys, but
 writing such a patch is not something I can do in a few minutes.

  <shrug>  src/modules/rlm_eap/types/rlm_eap_mschap.c, line ~340, there
are 4 calls to pairdelete that remove the MPPE keys from the reply.

if (handler->request->parent) {
	pairdelete(&handler->request->reply->vps, ((311 << 16) | 7));
	...
}

  Add the "if (handler..." text.  It ensures that the MPPE keys are
deleted only when the module is being called from inside of a TLS tunnel.

  I'll put it into 2.1.10, too.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
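As an added illustration of the logic Alan sketches above (this is not FreeRADIUS's own code, nor the patch that landed in the v2.1.x branch, which his follow-up says is more involved), the C program below models a reply attribute list and strips the four MS-MPPE attributes only when the request has a parent, i.e. only when EAP-MSCHAPv2 runs inside a TLS tunnel. The value_pair_t and request_t types, pairadd(), pairfree(), is_mppe() and pairs_after_strip() are hypothetical simplifications; the (vendor << 16) | attr encoding, vendor id 311 (Microsoft) and attribute numbers 7, 8, 16 and 17 (MS-MPPE-Encryption-Policy, MS-MPPE-Encryption-Types, MS-MPPE-Send-Key, MS-MPPE-Recv-Key) are the real values FreeRADIUS 2.x uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the FreeRADIUS 2.x VALUE_PAIR / REQUEST types.
 * FreeRADIUS 2.x encodes a vendor-specific attribute as (vendor << 16) | attr,
 * which is why the thread's pairdelete() calls use ((311 << 16) | 7). */
#define VENDOR_MICROSOFT          311
#define VSA(vendor, attr)         (((uint32_t)(vendor) << 16) | (uint32_t)(attr))
#define MS_MPPE_ENCRYPTION_POLICY VSA(VENDOR_MICROSOFT, 7)
#define MS_MPPE_ENCRYPTION_TYPES  VSA(VENDOR_MICROSOFT, 8)
#define MS_MPPE_SEND_KEY          VSA(VENDOR_MICROSOFT, 16)
#define MS_MPPE_RECV_KEY          VSA(VENDOR_MICROSOFT, 17)
#define EAP_MESSAGE               79   /* standard RADIUS attribute numbers */
#define FRAMED_MTU                12

typedef struct value_pair {
    uint32_t attribute;
    const char *name;
    struct value_pair *next;
} value_pair_t;

typedef struct request {
    struct request *parent;   /* non-NULL when running inside a TLS tunnel */
    value_pair_t *reply_vps;  /* attribute list of the reply being built */
} request_t;

/* Append one pair to the end of the list. */
static void pairadd(value_pair_t **first, uint32_t attribute, const char *name)
{
    value_pair_t *vp = calloc(1, sizeof(*vp));
    value_pair_t **tail = first;
    if (!vp) abort();
    vp->attribute = attribute;
    vp->name = name;
    while (*tail) tail = &(*tail)->next;
    *tail = vp;
}

/* Remove and free every pair carrying the given attribute (like pairdelete()). */
static void pairdelete(value_pair_t **first, uint32_t attribute)
{
    value_pair_t **pp = first;
    while (*pp) {
        value_pair_t *vp = *pp;
        if (vp->attribute == attribute) {
            *pp = vp->next;
            free(vp);
        } else {
            pp = &vp->next;
        }
    }
}

static void pairfree(value_pair_t **first)
{
    while (*first) {
        value_pair_t *vp = *first;
        *first = vp->next;
        free(vp);
    }
}

/* The logic described in the thread: drop the MPPE material only when the
 * inner method runs under an outer tunnel; a bare EAP-MSCHAPv2 exchange
 * (the IKEv2 case) keeps the keys so the NAS can derive its session key. */
static void strip_mppe_keys_if_tunnelled(request_t *request)
{
    if (!request->parent) return;
    pairdelete(&request->reply_vps, MS_MPPE_ENCRYPTION_POLICY);
    pairdelete(&request->reply_vps, MS_MPPE_ENCRYPTION_TYPES);
    pairdelete(&request->reply_vps, MS_MPPE_SEND_KEY);
    pairdelete(&request->reply_vps, MS_MPPE_RECV_KEY);
}

/* Constructed reply list of the shape rlm_mschap leaves behind. */
static void build_reply(value_pair_t **first)
{
    pairadd(first, FRAMED_MTU, "Framed-MTU");
    pairadd(first, MS_MPPE_ENCRYPTION_POLICY, "MS-MPPE-Encryption-Policy");
    pairadd(first, MS_MPPE_ENCRYPTION_TYPES, "MS-MPPE-Encryption-Types");
    pairadd(first, MS_MPPE_SEND_KEY, "MS-MPPE-Send-Key");
    pairadd(first, MS_MPPE_RECV_KEY, "MS-MPPE-Recv-Key");
    pairadd(first, EAP_MESSAGE, "EAP-Message");
}

static int is_mppe(uint32_t attribute)
{
    uint32_t attr = attribute & 0xffff;
    return (attribute >> 16) == VENDOR_MICROSOFT &&
           (attr == 7 || attr == 8 || attr == 16 || attr == 17);
}

/* Number of pairs left after the strip; mppe_only counts just MS-MPPE ones. */
static int pairs_after_strip(int tunnelled, int mppe_only)
{
    request_t outer = { NULL, NULL };
    request_t req = { tunnelled ? &outer : NULL, NULL };
    int n = 0;

    build_reply(&req.reply_vps);
    strip_mppe_keys_if_tunnelled(&req);
    for (value_pair_t *vp = req.reply_vps; vp; vp = vp->next)
        if (!mppe_only || is_mppe(vp->attribute)) n++;
    pairfree(&req.reply_vps);
    return n;
}

int main(void)
{
    printf("bare EAP-MSCHAPv2: %d MPPE pairs of %d remain\n",
           pairs_after_strip(0, 1), pairs_after_strip(0, 0));
    printf("inside TLS tunnel: %d MPPE pairs of %d remain\n",
           pairs_after_strip(1, 1), pairs_after_strip(1, 0));
    return 0;
}
```

The case that matters for Stefan's IKEv2 setup is the bare request with no parent: all four MS-MPPE pairs survive, so the gateway has the material it needs for its AUTH payload; inside a tunnel they are dropped, because there the outer TLS method, not the inner MSCHAPv2, keys the link.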


Re: EAP-MSCHAPv2 and MPPE key

2010-06-07 Thread Alan DeKok
Alan DeKok wrote:
   <shrug>  src/modules/rlm_eap/types/rlm_eap_mschap.c, line ~340, there
 are 4 calls to pairdelete that remove the MPPE keys from the reply.
 
   if (handler->request->parent) {

  It's slightly more complicated than that...  a better fix is in git,
branch v2.1.x.

  Alan DeKok.



Re: EAP-MSCHAPv2 and MPPE key

2010-06-07 Thread Stefan Winter
Hi,

   It's slightly more complicated than that...  a better fix is in git,
 branch v2.1.x.
   

The git fix works like a charm! Thanks for a fix with a time-to-fix
of < 1 hour :-)

Stefan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





Re: EAP mschapv2 Failed to authenticate the user

2010-05-19 Thread Alan Buxey
Hi,

 Radiusd -X log:

...which is useless because all it shows is the startup stuff, i.e.
we need to see the occurrences after the following lines...

 Listening on authentication address * port 1812
 Listening on accounting address * port 1813
 Listening on command file /usr/local/var/run/radiusd/radiusd.sock
 Listening on proxy address * port 1814
 Ready to process requests.

...silence here... this is where we expect to see things to help you

alan

RE: EAP mschapv2 Failed to authenticate the user

2010-05-19 Thread Pedro Alves
] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 159 to 10.1.3.17 port 1645
EAP-Message = 
0x010a002b190017030100202e8d249df8eae2bea8cc7a0715b973aaf3c7b9b75c1c4708cd475c7c41485156
Message-Authenticator = 0x
State = 0x71a07f9a79aa665d779b09e23c4bbcc5
Finished request 18.
Going to the next request
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=160, 
length=219
User-Name = SCxx
Framed-MTU = 1400
Called-Station-Id = 0016.9df4.c3d0
Calling-Station-Id = 001a.73a8.6482
Service-Type = Login-User
Message-Authenticator = 0xb80ea40196f818e93145fa48861f26ee
EAP-Message = 
0x020a00501900170301002017fa468115e7a7cf26fb13623a2ae41edea9f192fa65bb84dc1f1a5d1f142a0e17030100208d47a1fdfa3ee6b8b62bde0c18c43d3ad37de55e74d5c99f92509b86f79ab892
NAS-Port-Type = Wireless-802.11
NAS-Port = 1965
State = 0x71a07f9a79aa665d779b09e23c4bbcc5
NAS-IP-Address = 10.1.3.17
NAS-Identifier = apTeste
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = SCxx, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 10 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - SCxx
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 19 for 1 seconds
Going to the next request



-Original Message-
From: freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org 
[mailto:freeradius-users-bounces+pedrojmalves=gmail@lists.freeradius.org] 
On Behalf Of Alan Buxey
Sent: quarta-feira, 19 de Maio de 2010 9:11
To: FreeRadius users mailing list
Subject: Re: EAP mschapv2 Failed to authenticate the user

Hi,

 Radiusd -X log:

...which is useless because all it shows is the startup stuff, i.e.
we need to see the occurrences after the following lines...

 Listening on authentication address * port 1812
 Listening on accounting address * port 1813
 Listening on command file /usr/local/var/run/radiusd/radiusd.sock
 Listening on proxy address * port 1814
 Ready to process requests.

...silence here... this is where we expect to see things to help you

alan

Re: EAP mschapv2 Failed to authenticate the user

2010-05-18 Thread Alan DeKok
Pedro Alves wrote:
 Failed to authenticate users in Active Directory with this message:
 “rlm_eap_mschapv2: Invalid response type 4”

 Do you know what the cause of it is?

  It means authentication has failed.

 Radiusd –X log:

  With *no* packets.

  <sigh>

  Alan DeKok.

Re: EAP-MSChapV2 Question

2008-07-31 Thread Alan DeKok
Garber, Neal wrote:
 Is it possible to use PEAP/EAP-MSChapV2 (e.g., from a WinXP supplicant)
 and authenticate with a local user (i.e., defined in the users file
 with a Cleartext-Password)?  I'm thinking this isn't supported, but I
 thought I'd ask to be sure.  Thanks.

  Huh?  It's supported.  There's no problem.

  See my web site for EAP howto's that do exactly this.

  Alan DeKok.


RE: EAP-MSChapV2 Question

2008-07-31 Thread Garber, Neal
   Huh?  It's supported.  There's no problem.
 
   See my web site for EAP howto's that do exactly this.

Yeah, well I guess I'll blame too many late nights.  I jumped the gun in
sending the question as I had it working shortly thereafter.  Thanks
anyway for responding, Alan, and I hope things are going well for you.



Re: eap-mschapv2

2008-01-18 Thread indira kolli
Hi Alan,

 I understand that you know a lot more than I do. Can you point me to the
right RFC or draft which tells about the EAP-MSCHAPv2 RADIUS call flow?  We
are trying to establish an IKEv2 tunnel using the EAP-MSCHAPv2
authentication. We are not using EAP-PEAP, so no certificates are involved.

We are following
draft-kamath-pppext-eap-mschapv2-01.txt (http://www3.tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-01.txt),
RFC 3748, RFC 2869, RFC 3079, RFC 3579. But none of these RFCs talk about
the RADIUS message flow for EAP-MSCHAPv2. Do you have a sample trace for
the EAP-MSCHAPv2 RADIUS call flow?

I will really appreciate it if you can point me to the right place with
the call flow.

The problem I am facing is how we will have the Session Keys which
are used to generate the Master Shared Key used for the IKEv2 tunnel
establishment. The RFC says that we should get the SEND-KEY and the RECV-KEY
from the AAA server.

Any help will be greatly appreciated.

Cheers,
Indira.






On Jan 18, 2008 9:35 AM, indira kolli [EMAIL PROTECTED] wrote:

 I am doing IKEv2 EAP-MSCHAPv2 radius Passthrough.



 On Jan 18, 2008 1:43 AM, Alan DeKok [EMAIL PROTECTED] wrote:

  indira kolli wrote:
I finally got it working. I missed the reply to the second
   access-challenge.
 
   How could you possibly miss that?  If you're using a standard
  supplicant, that packet should be about 1/10 of a second after the first
  one.
 
  One thing I am still not sure is about MPPE keys.
For us we are using only EAP-MSCHAPv2 without peap.
The authenticator needs the MPPE keys to authenticate the peer.
   But in the EAP-MSCHAPv2 Access-Challenge or Access-Accept I don't see
  the
   keys. I see that the keys are generated for MSCHAPv2 but are
   deleted before the request is sent.
 
   Perhaps you could try reading my messages.  You were already told that
  EAP-MSCHAPv2 does not generate the MPPE keys.
 
   Even if you changed the server source code, the AP's wouldn't look for
  the MPPE keys.  Even if you fixed the AP's, the supplicants wouldn't use
  encryption for the wireless links.
 
   And you haven't said if you're using this for wireless or wired
  authentication.
 
   I think you're really not clear on what you want to do, how the
  equipment works, and how the protocols work.  I suggest spending time
  reading more AP documentation before asking EAP-MSCHAPv2 questions on
  this list.  The problem is NOT EAP-MSCHAPv2.  The problem is that you
  don't know what's going on, and as a result, are expecting that
  EAP-MSCHAPv2 do things it's not supposed to do.  Trying to Fix
  EAP-MSCHAPv2 is a waste of time.  Find out why your expectations are
  wrong, and fix them.
 
   Alan DeKok.
 



Re: eap-mschapv2

2008-01-17 Thread indira kolli
Hello Alan,

 I finally got it working. I missed the reply to the second
access-challenge.
   One thing I am still not sure about is the MPPE keys.
 For us, we are using only EAP-MSCHAPv2 without PEAP.
 The authenticator needs the MPPE keys to authenticate the peer.
But in the EAP-MSCHAPv2 Access-Challenge or Access-Accept I don't see the
keys. I see that the keys are generated for MSCHAPv2 but are
deleted before the request is sent.

 Help is very much appreciated.

Thank you
 Indi



On Jan 16, 2008 12:09 PM, Alan DeKok [EMAIL PROTECTED] wrote:

 indira kolli wrote:
 What is the expected callflow for EAP-MSCAHPv2

  Read the specification, or the source code.

Access-request
Access-Challenge
Access-request
Access-Accept
 
   Why am I getting Access-challenge again

  You're not saying which supplicant you're using.

  Let me guess: you're writing your own, and trying to debug it using
 FreeRADIUS.  If that's true, I suggest that you go read the
 wpa_supplicant source code.  It implements EAP-MSCHAPv2 correctly.

  If you're not writing your own supplicant, then the server is working
 correctly.  You may be surprised that more than one Access-Challenge is
 being sent, but that is the Way It Works.  If you care to know why, go
 read the source code in rlm_eap_mschapv2.c

  Alan DeKok.

Re: eap-mschapv2

2008-01-16 Thread indira kolli
   Alan DeKok wrote:


 No. The bug is different: EAP-MSCHAPv2 is *not* MS-CHAPv2.

 The MS-CHAP2-Success attribute has no business being in *any* packet that
 also contains EAP.
 I've committed a fix for that to CVS head.

  Thank you very much for the response.

How and when do I get this fix?

  Also, does this fix the reply as type Access-Accept instead of
 Access-Challenge, or
  am I interpreting this also wrong?


   Indi


Re: eap-mschapv2

2008-01-16 Thread Alan DeKok
indira kolli wrote:
  Thank you very much for the response
 How and when do I get this fix?

  The web site contains instructions for obtaining code via CVS.

  Also, does this fix the reply as type Access-Accept instead of
 Access-Challenge, or
  am I interpreting this also wrong?

  You are interpreting it wrong.  I said that the MS-CHAP2-Success
attribute does not belong.  I did *not* say that the packet should be
Access-Accept instead of Access-Challenge.

  Alan DeKok.


Re: eap-mschapv2

2008-01-16 Thread indira kolli
Hello Alan,

   What is the expected callflow for EAP-MSCHAPv2?

  Access-request
  Access-Challenge
  Access-request
  Access-Accept

 Why am I getting Access-challenge again?

..Indi




On Jan 16, 2008 10:30 AM, Alan DeKok [EMAIL PROTECTED] wrote:

 indira kolli wrote:
   Thank you very much for the response
  How and when do I get this fix?

  The web site contains instructions for obtaining code via CVS.

   Also, does this fix the reply as type Access-Accept instead of
  Access-Challenge, or
   am I interpreting this also wrong?

  You are interpreting it wrong.  I said that the MS-CHAP2-Success
 attribute does not belong.  I did *not* say that the packet should be
 Access-Accept instead of Access-Challenge.

  Alan DeKok.

Re: eap-mschapv2

2008-01-16 Thread Alan DeKok
indira kolli wrote:
 What is the expected callflow for EAP-MSCHAPv2?

  Read the specification, or the source code.

   Access-request
   Access-Challenge
   Access-request
   Access-Accept
  
  Why am I getting Access-challenge again?

  You're not saying which supplicant you're using.

  Let me guess: you're writing your own, and trying to debug it using
FreeRADIUS.  If that's true, I suggest that you go read the
wpa_supplicant source code.  It implements EAP-MSCHAPv2 correctly.

  If you're not writing your own supplicant, then the server is working
correctly.  You may be surprised that more than one Access-Challenge is
being sent, but that is the Way It Works.  If you care to know why, go
read the source code in rlm_eap_mschapv2.c

  Alan DeKok.


RE: eap-mschapv2

2008-01-15 Thread Josh Howlett
Yes - although only as a tunnelled method inside EAP-PEAP (I think, I may
be wrong). 

josh.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Indira Keesara
 Sent: 15 January 2008 20:31
 To: freeradius-users@lists.freeradius.org
 Subject: eap-mschapv2
 
 Does freeradius support eap-mschapv2 ?
 
 

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG




RE: eap-mschapv2

2008-01-15 Thread Indira Keesara
I am looking for EAP-MSCHAPv2 not inside the tunneled EAP-PEAP


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Howlett
Sent: Tuesday, January 15, 2008 3:34 PM
To: FreeRadius users mailing list
Cc: Josh Howlett
Subject: RE: eap-mschapv2

Yes - although only as a tunnelled method inside EAP-PEAP (I think, I may
be wrong).

josh.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Indira Keesara
 Sent: 15 January 2008 20:31
 To: freeradius-users@lists.freeradius.org
 Subject: eap-mschapv2

 Does freeradius support eap-mschapv2 ?







RE: eap-mschapv2

2008-01-15 Thread Indira Keesara
Here is the output:
Access-request
Access-challenge
Access-request
Access-challenge


Access-Request packet from host x.x.x.x port 1812, id=2, length=69
User-Name = user
NAS-Identifier = 85
NAS-Port = 118751232
EAP-Message = 0x02090175736572
Message-Authenticator = 0xbffe37f0d2dd6107e5d25819a10268f5
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = user, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
users: Matched entry user at line 94
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 2 to 172.30.89.70 port 1812
EAP-Message = 
0x0101001e1a01010019105db375091c330e20cccb6142e519da4775736572
Message-Authenticator = 0x
State = 0xabe2000babe31ac677bcdaf79192ae6c
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host x.x.x.x port 1812, id=3, length=141
User-Name = user
NAS-Identifier = 85
NAS-Port = 118751232
EAP-Message = 
0x0201003f1a0201003a31c9151130261d75a03ee29838e3669b8cfd2c29e77c4ef0d2bcbd892567ddfc6bf99b0f0408c4fa380075736572
State = 0xabe2000babe31ac677bcdaf79192ae6c
Message-Authenticator = 0xb3f9ca598decfa00b44e8ebf291e3d5d
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: No '@' in User-Name = user, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 63
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
users: Matched entry user at line 94
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: Told to do MS-CHAPv2 for user with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
Sending Access-Challenge of id 3 to x.x.x.x port 1812
MS-CHAP2-Success = 
0x01533d4639363532464544454242333835453533374330333833373941393735313330363134413336
EAP-Message = 
0x010200331a0301002e533d4639363532464544454242333835453533374330333833373941393735313330363134413336
Message-Authenticator = 0x
State = 0xabe2000baae01ac677bcdaf79192ae6c
Finished request 1.






-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Howlett
Sent: Tuesday, January 15, 2008 3:41 PM
To: FreeRadius users mailing list
Cc: Josh Howlett
Subject: RE: eap-mschapv2

Post the debug output (radiusd -X).

josh.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Indira Keesara
 Sent: 15 January 2008 20:36
 To: freeradius-users@lists.freeradius.org
 Subject: eap-mschapv2

 I am using freeradius to test eap-mschapv2.

 According to the specs, to the access-challenge reply RADIUS should send an
 access-success with the MPPE keys.

 But what I see is that in reply RADIUS is sending the access-challenge
 request again with mschap-success, similar to EAP-TLS.

 I am not sure if I missed any configuration.







RE: eap-mschapv2

2008-01-15 Thread Josh Howlett
Post the debug output (radiusd -X).

josh. 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Indira Keesara
 Sent: 15 January 2008 20:36
 To: freeradius-users@lists.freeradius.org
 Subject: eap-mschapv2
 
 I am using freeradius to test eap-mschapv2.
 
 According to the specs, to the access-challenge reply RADIUS should send an 
 access-success with the MPPE keys.
 
 But what I see is that in reply RADIUS is sending the access-challenge 
 request again with mschap-success, similar to EAP-TLS.
 
 I am not sure if I missed any configuration.
 
 





RE: eap-mschapv2

2008-01-15 Thread Josh Howlett
 auth: type EAP
 +- entering group authenticate
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/mschapv2
   rlm_eap: processing type mschapv2
 +- entering group MS-CHAP
   rlm_mschap: Told to do MS-CHAPv2 for user with NT-Password
 rlm_mschap: adding MS-CHAPv2 MPPE keys
 ++[mschap] returns ok
 MSCHAP Success
 ++[eap] returns handled
 Sending Access-Challenge of id 3 to x.x.x.x port 1812
 MS-CHAP2-Success = 
 0x01533d46393635324645444542423338354535333743303338333739
 41393735313330363134413336
 EAP-Message = 
 0x010200331a0301002e533d4639363532464544454242333835453533
 374330333833373941393735313330363134413336
 Message-Authenticator = 0x
 State = 0xabe2000baae01ac677bcdaf79192ae6c
 Finished request 1.

That looks like a bug to me. It's a violation of RFC2548:

2.3.3.  MS-CHAP2-Success

   Description

  This Attribute contains a 42-octet authenticator response string.
  This string MUST be included in the Message field of the MS-CHAP-
  V2 Success packet sent from the NAS to the peer.  This Attribute
  is only used in Access-Accept packets.

It might be worth checking the logic in the eap-mschap module; it should
be pretty obvious to see where it is going wrong.

josh.





RE: eap-mschapv2

2008-01-15 Thread hamid benane


Hello,
Are you using a switch as the NAS for your configuration? Because for my 
configuration, I did a test over wireless and it works beautifully.
But when I try to use a switch to authenticate a Win-XP client it does not work: after 
the Access-Request the server responds with an Access-Reject.
Can you help me?
I use EAP-PEAP or EAP-MD just for testing.
Thanks


Re: eap-mschapv2

2008-01-15 Thread Alan DeKok
Josh Howlett wrote:
...
 Sending Access-Challenge of id 3 to x.x.x.x port 1812
 MS-CHAP2-Success = 
...
 EAP-Message = 
...
 That looks like a bug to me. It's a violation of RFC2548:

  No.  The bug is different: EAP-MSCHAPv2 is *not* MS-CHAPv2.

  The MS-CHAP2-Success attribute has no business being in *any* packet
that also contains EAP.

  I've committed a fix for that to CVS head.

  Alan DeKok.


Re: eap-mschapv2

2008-01-15 Thread Alan DeKok
Indira Keesara wrote:
 I am using freeradius to test eap-mschapv2.

 According to the specs,
 
 to the access-challenge reply RADIUS should send an access-success
 with the MPPE keys.

  No.  EAP-MSCHAPv2 does not supply MPPE keys.

  What spec are you reading that says it should?

  Alan DeKok.


RE: EAP-MSChapv2 authentication

2006-09-13 Thread Christopher, Paul
Hi Alan,
Thanks for the response. I removed the Auth-Type, but it is still not working. 
Now I get a new set of errors. I did a "radtest bob hello localhost 0 testing123" 
and the user was able to authenticate. I don't know why it doesn't work for 
EAP-MSchapv2. Thanks for your help! Below is the debug log: 

rad_recv: Access-Request packet from host 13.138.136.68:1645, id=155, length=140
NAS-IP-Address = 13.138.136.68
NAS-Port = 50003
NAS-Port-Type = Ethernet
User-Name = tester
Called-Station-Id = 00-0A-B8-39-79-85
Calling-Station-Id = 00-0B-DB-64-9B-A7
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x9b24bde92b2edf137fd180df54de624a
EAP-Message = 0x021300060315
Message-Authenticator = 0x59b57149b1821c1ec87342e2e04cdbc8
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
  modcall[authorize]: module preprocess returns ok for request 19
  modcall[authorize]: module chap returns noop for request 19
  modcall[authorize]: module mschap returns noop for request 19
rlm_realm: No '@' in User-Name = tester, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 19
  rlm_eap: EAP packet type response id 19 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 19
users: Matched entry tester at line 83
  modcall[authorize]: module files returns ok for request 19
modcall: leaving group authorize (returns updated) for request 19
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/ttls
 rlm_eap: No such EAP type ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 19
modcall: leaving group authenticate (returns invalid) for request 19
auth: Failed to validate the user.
Delaying request 19 for 1 seconds
Finished request 19
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 13.138.136.68:1645, id=155, length=140
Sending Access-Reject of id 155 to 13.138.136.68 port 1645
EAP-Message = 0x04130004
Message-Authenticator = 0x
--- Walking the entire request list ---
Waking up in 1 seconds...

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-MSChapv2 authentication

2006-09-13 Thread Alan DeKok
Christopher, Paul [EMAIL PROTECTED] wrote:
 Thanks for the response. I remove the Auth-Type, but it is still not
 working. Now I get a new set of errors. I did a radtest bob hello
 localhost 0 testing123 and the user was able to authenticate.

  Because PAP authentication is simple, and doesn't involve EAP.

  I don't know why it doesn't work for EAP-MSchapv2. Thanks for your
 help! Below is the debug log:
...
  rlm_eap: EAP-NAK asked for EAP-Type/ttls
  rlm_eap: No such EAP type ttls

  Uh... what part of that message is unclear?

  The client isn't doing EAP-MSCHAPv2.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
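The EAP-Message values in the posted debug log can be decoded by hand to confirm what rlm_eap reported. This is an added example in Python, not FreeRADIUS code; the type numbers are the IANA EAP method numbers, and the two sample inputs are the hex values from the log above.

```python
# Decoder for the EAP-Message attribute values FreeRADIUS prints in debug mode.
# Added example, not FreeRADIUS code. Packet layout is RFC 3748 section 4;
# type numbers are the IANA EAP method registry. Inputs below are the two
# values from the log in this thread.

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2",
}


def decode_eap_message(hex_value):
    """Parse one EAP packet from the 0x... string in an EAP-Message attribute."""
    if hex_value.startswith("0x"):
        hex_value = hex_value[2:]
    data = bytes.fromhex(hex_value)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    # Success and Failure packets carry no Type byte.
    if code in (3, 4):
        return pkt
    if len(data) < 5:
        raise ValueError("Request/Response packet is missing its Type byte")
    eap_type = data[4]
    pkt["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    # A Nak (type 3) lists the method(s) the peer would accept instead of the
    # one the server offered; this is what "EAP-NAK asked for EAP-Type/ttls" means.
    if eap_type == 3:
        pkt["nak_wants"] = [EAP_TYPES.get(t, f"unknown({t})") for t in data[5:]]
    return pkt


def explain(hex_value):
    """One-line reading of the packet, phrased the way the rlm_eap log does."""
    pkt = decode_eap_message(hex_value)
    if pkt["code"] in ("Success", "Failure"):
        return f"EAP {pkt['code']} id {pkt['id']}"
    if pkt["type"] == "Nak":
        return "EAP-NAK asked for EAP-Type/" + ",".join(pkt["nak_wants"]).lower()
    return f"EAP {pkt['code']} id {pkt['id']} type {pkt['type']}"


if __name__ == "__main__":
    for value in ("0x021300060315", "0x04130004"):  # from the posted log
        print(value, "->", explain(value))
```

Running it on the first value shows a Response (id 19) of type Nak naming TTLS, so the supplicant is negotiating EAP-TTLS rather than EAP-MSCHAPv2, which is exactly why the server rejects with the EAP Failure decoded from the second value.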


Re: EAP-MSChapv2 authentication

2006-09-13 Thread A . L . M . Buxey
Hi,

  rlm_eap: EAP-NAK asked for EAP-Type/ttls
  rlm_eap: No such EAP type ttls

only a guess - but the above line seems to be the big clue here.
have you configured your eap.conf correctly...and did you build from
source? if from source, did you check that configure passed by without
failing on anything...eg no OpenSSL dev headers etc?  you have to
have the certificates part in eap.conf sorted, or ttls won't work.

alan


Re: EAP-MSChapv2 authentication

2006-09-13 Thread A . L . M . Buxey
Hi,

   rlm_eap: EAP-NAK asked for EAP-Type/ttls
   rlm_eap: No such EAP type ttls
 
   Uh... what part of that message is unclear?
 
   The client isn't doing EAP-MSCHAPv2.

indeed, looks like EAP-TTLS with MSCHAPv2 inside the tunnel.

alan


RE: EAP-MSChapv2 authentication

2006-09-13 Thread Christopher, Paul
Hi Alan,
Thanks for your response. I don't understand what you mean by 'did you
build from source?' Please explain. I did not generate any certs. I
didn't think EAP-MSChapv2 needed certificates.
Paul.



RE: EAP-MSChapv2 authentication

2006-09-13 Thread King, Michael
Paul,

I think what Alan was getting at is that your client asked for EAP-TTLS,
not EAP-MSChapV2.  This might be the root of your problem.

If you intend to do MSChapV2 inside of TTLS tunnels, you MUST set up a
certificate.  This is made quite clear in the eap.conf file, that TTLS
is dependent on TLS being set up.

What is your user source?  (users file, passwd file, LDAP, Active
Directory)   I ask because MSChapV2 is incompatible with a few of these
sources.

 -Original Message-

   rlm_eap: EAP-NAK asked for EAP-Type/ttls
   rlm_eap: No such EAP type ttls



Re: EAP-MSChapv2 authentication

2006-09-13 Thread A . L . M . Buxey
Hi,

 Hi Alan,
 Thanks for your response. I don't understand what you mean by 'did you
 build from source?' Please explain. I did not generate any certs. I
 didn't think EAP-MSChapv2 needed certificates.

build from source - did you download the freeradius-1.1.3.tar.gz
and then extract it, run ./configure, make, make install etc

not built from source - did you simply apt-get install freeradius
or yum install freeradius etc. 

PS if a gentoo user, if you 'emerge freeradius' I would class that as building
from source  ;-)


the next question is are you really doing raw EAP-MSCHAPv2 - this isn't too
common (on this list anyway) the error log you posted clearly hinted
at EAP-TTLS ... so any MSCHAPv2 would be in the tunnel.  if you have
this form of EAP then the TLS section must be working...as the first
few lines of eap.conf clearly state. otherwise it 'just won't work'(tm)

alan


Re: EAP-MSChapv2 authentication

2006-09-12 Thread Alan DeKok
Christopher, Paul [EMAIL PROTECTED] wrote:
 I have a device that uses EAP-MSCHAPv2 (without PEAP) for
 authentication. I am running freeRadius on Redhat. The device is plugged
 into a switch which sends the EAP request to the server. I am unable to
 get the device authenticated with the Radius server. In the users file
 should the Auth-type be local or MS-Chap?

  Neither.  Don't set Auth-Type at all.  The server WILL figure it out.

  Should I be sending the authentication request to an NT domain or
 will the username and password in the user file be sufficient?

  Putting a username and password into the users file will be
sufficient.

#
bob User-Password := hello

#

  EAP-MSCHAPv2 *will* work.  See:

http://deployingradius.com/documents/configuration/pap.html

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog