This is a discussion on Re: EAP/TTLS PEAP MSCHAP within the FreeRADIUS Users forums, part of the Networking and Network Related category.
Eshun Benjamin wrote:
> Mac connects but ms windows does not. I am doing server side cert.
> Error from ms windows.
>
>
>     User-Name = "testgeneral"
>     NAS-IP-Address = 10.1.5.26
>     Called-Station-Id = "0016014d9158"
>     Calling-Station-Id = "0019e3034ceb"
>     NAS-Identifier = "0016014d9158"
>     NAS-Port = 36
>     Framed-MTU = 1400
>     State = 0x3d946123f5f422f576bed1eb52863e55
>     NAS-Port-Type = Wireless-802.11
>     Message-Authenticator = 0x3efce19c566f372e8744589f65d58401
> Wed Apr 4 14:32:48 2007 : Debug: Processing the authorize section of radiusd.conf
> Wed Apr 4 14:32:48 2007 : Debug: modcall: entering group authorize for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "preprocess" returns ok for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "mschap" returns noop for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: rlm_realm: No '@' in User-Name = "testgeneral", looking up realm NULL
> Wed Apr 4 14:32:48 2007 : Debug: rlm_realm: No such realm "NULL"
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "suffix" returns noop for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: EAP packet type response id 2 length 80
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "eap" returns updated for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: users: Matched entry testgeneral at line 216
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "files" returns ok for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling etc_smbpasswd (rlm_passwd) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from etc_smbpasswd (rlm_passwd) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "etc_smbpasswd" returns notfound for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: rlm_pap: Found existing Auth-Type, not changing it.
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "pap" returns noop for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modcall: leaving group authorize (returns updated) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: rad_check_password: Found Auth-Type EAP
> Wed Apr 4 14:32:48 2007 : Debug: auth: type "EAP"
> Wed Apr 4 14:32:48 2007 : Debug: Processing the authenticate section of radiusd.conf
> Wed Apr 4 14:32:48 2007 : Debug: modcall: entering group authenticate for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: Request found, released from the list
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: EAP/peap
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: processing type peap
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_peap: Authenticate
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: processing TLS
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: Length Included
> Wed Apr 4 14:32:48 2007 : Debug: eaptls_verify returned 11
> Wed Apr 4 14:32:48 2007 : Debug: (other): before/accept initialization
> Wed Apr 4 14:32:48 2007 : Debug: TLS_accept: before/accept initialization
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
> Wed Apr 4 14:32:48 2007 : Debug: TLS_accept: SSLv3 read client hello A
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
> Wed Apr 4 14:32:48 2007 : Debug: TLS_accept: SSLv3 write server hello A
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 038f], Certificate
> Wed Apr 4 14:32:48 2007 : Debug: TLS_accept: SSLv3 write certificate A
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> Wed Apr 4 14:32:48 2007 : Debug: TLS_accept: SSLv3 write server done A
> Wed Apr 4 14:32:48 2007 : Debug: TLS_accept: SSLv3 flush data
> Wed Apr 4 14:32:48 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
> Wed Apr 4 14:32:48 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
> Wed Apr 4 14:32:48 2007 : Debug: In SSL Handshake Phase
> Wed Apr 4 14:32:48 2007 : Debug: In SSL Accept mode
> Wed Apr 4 14:32:48 2007 : Debug: eaptls_process returned 13
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_peap: EAPTLS_HANDLED
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authenticate]: module "eap" returns handled for request 74
> Wed Apr 4 14:32:48 2007 : Debug: modcall: leaving group authenticate (returns handled) for request 74
> Sending Access-Challenge of id 0 to 10.1.5.26 port 2048
>     Message-Authenticator = 0x00000000000000000000000000000000
>     State = 0x4e138cc588a831123b8c899c1e03c4fc
> Wed Apr 4 14:32:48 2007 : Debug: Finished request 74
> Wed Apr 4 14:32:48 2007 : Debug: Going to the next request
> Wed Apr 4 14:32:48 2007 : Debug: rl_next: returning NULL
> Wed Apr 4 14:32:48 2007 : Debug: Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.1.5.26:2048, id=0, length=143
>     User-Name = "testgeneral"
>     NAS-IP-Address = 10.1.5.26
>     Called-Station-Id = "0016014d9158"
>     Calling-Station-Id = "0019e3034ceb"
>     NAS-Identifier = "0016014d9158"
>     NAS-Port = 36
>     Framed-MTU = 1400
>     State = 0x4e138cc588a831123b8c899c1e03c4fc
>     NAS-Port-Type = Wireless-802.11
>     EAP-Message = 0x020300061900
>     Message-Authenticator = 0xf89ebcfef5ea8e2a15b9fc63884890df
> Wed Apr 4 14:32:48 2007 : Debug: Processing the authorize section of radiusd.conf
> Wed Apr 4 14:32:48 2007 : Debug: modcall: entering group authorize for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "preprocess" returns ok for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "mschap" returns noop for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: rlm_realm: No '@' in User-Name = "testgeneral", looking up realm NULL
> Wed Apr 4 14:32:48 2007 : Debug: rlm_realm: No such realm "NULL"
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "suffix" returns noop for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: EAP packet type response id 3 length 6
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "eap" returns updated for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: users: Matched entry testgeneral at line 216
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "files" returns ok for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling etc_smbpasswd (rlm_passwd) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from etc_smbpasswd (rlm_passwd) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "etc_smbpasswd" returns notfound for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: rlm_pap: Found existing Auth-Type, not changing it.
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authorize]: module "pap" returns noop for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modcall: leaving group authorize (returns updated) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: rad_check_password: Found Auth-Type EAP
> Wed Apr 4 14:32:48 2007 : Debug: auth: type "EAP"
> Wed Apr 4 14:32:48 2007 : Debug: Processing the authenticate section of radiusd.conf
> Wed Apr 4 14:32:48 2007 : Debug: modcall: entering group authenticate for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: Request found, released from the list
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: EAP/peap
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap: processing type peap
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_peap: Authenticate
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: processing TLS
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: Received EAP-TLS ACK message
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_tls: ack handshake fragment handler
> Wed Apr 4 14:32:48 2007 : Debug: eaptls_verify returned 1
> Wed Apr 4 14:32:48 2007 : Debug: eaptls_process returned 13
> Wed Apr 4 14:32:48 2007 : Debug: rlm_eap_peap: EAPTLS_HANDLED
> Wed Apr 4 14:32:48 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modcall[authenticate]: module "eap" returns handled for request 75
> Wed Apr 4 14:32:48 2007 : Debug: modcall: leaving group authenticate (returns handled) for request 75
>
> ==================================================
>
> Benjamin K. Eshun

Your server side certificate needs to have special OIDs, which the peap section of the eap.conf file warns you about. Windows will check that these OIDs are present in the certificate sent from the server; if they are not, it will fail silently.
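
The certificate check described in the reply above, as an added example that is not part of the original thread or of FreeRADIUS itself. It assumes the "special OIDs" are the Extended Key Usage extension carrying id-kp-serverAuth (1.3.6.1.5.5.7.3.1); the function names, the `radius.example.test` subject and the two throwaway certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the "special OIDs" are the
# Extended Key Usage extension carrying id-kp-serverAuth.
SERVER_AUTH_OID="1.3.6.1.5.5.7.3.1"  # openssl prints it as "TLS Web Server Authentication"

# has_server_auth CERT.pem : exit status 0 if the certificate carries the EKU.
has_server_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q "TLS Web Server Authentication"
}

# make_test_cert DIR NAME [with_eku] : constructed throwaway self-signed
# certificate for CN=radius.example.test (hypothetical name), valid one day.
make_test_cert() {
    dir=$1; name=$2; eku=${3:-}
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n'
        printf '[dn]\nCN=radius.example.test\n'
        printf '[ext]\nbasicConstraints=CA:FALSE\n'
        if [ "$eku" = with_eku ]; then
            printf 'extendedKeyUsage=%s\n' "$SERVER_AUTH_OID"
        fi
    } > "$dir/$name.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}

# audit_cert CERT.pem : print a one-line verdict, return the check's status.
audit_cert() {
    if has_server_auth "$1"; then
        echo "$1: serverAuth EKU present"
    else
        echo "$1: serverAuth EKU missing, Windows PEAP supplicants may reject it"
        return 1
    fi
}

# Demonstration on two constructed certificates, one with the EKU and one without.
tmp=$(mktemp -d)
make_test_cert "$tmp" with-eku with_eku
make_test_cert "$tmp" no-eku
audit_cert "$tmp/with-eku.pem" || true
audit_cert "$tmp/no-eku.pem" || true
rm -rf "$tmp"
```

Run `audit_cert` against the PEM file the server actually presents before debugging the supplicant: the debug log above stops right after ServerHelloDone, and nothing in it shows the reason for the rejection.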