Topic: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?

minich.m

[Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« on: November 06, 2012, 08:12:51 am »
Hello people, I am a Zentyal newbie and I love Zentyal :-).

My problem:
I need to authenticate users on wireless access points with name and password.
Zentyal: I have configured LDAP, RADIUS, users, ...; a test with radtest is OK.
Win 7: I'm using WPA2 Enterprise, AES; I unchecked "Validate server certificate".

Here is my log from freeradius:
Code:
       Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xccb83b9fccbf21df252a1f3abbcc72dc
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 35 to 10.178.201.72 port 60163
        EAP-Message = 0x0107004b190017030100404364e0a23324617752dd1d7a448438a7116d0dea2fb6b1a8d32f8775359bd5f97e058d1d3b0f3ade2da10fcb1eaef2b0f365ce00f9cbacea1aaa8899a712abe9
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x71cc75d474cb6cc96f85852f162d2551
Finished request 29.
Going to the next request
Waking up in 3.2 seconds.
rad_recv: Access-Request packet from host 10.178.201.72 port 60843, id=36, length=283
        Service-Type = Framed-User
        Framed-MTU = 1400
        User-Name = "marosminich"
        State = 0x71cc75d474cb6cc96f85852f162d2551
        NAS-Port-Id = "wlan1"
        Calling-Station-Id = "58-94-6B-A5-C3-88"
        Called-Station-Id = "00-0C-42-FC-0E-91:eduroam"
        EAP-Message = 0x0207006b19001703010060d0e2b85a2afd8d9a3d8d1480d3c044fb30936a50005856b2480525285c72c4369dbbdcc89005023f1b562af26369515b6f812a5ba6e6716aa86658250f2586d3f8cff0262044db941ee1edd4b9b02dc3b597fcd7e524dd7c47ffa527fd004843
        Message-Authenticator = 0x16ab74bcf485e99ca2e368cee5ecc6ba
        NAS-Identifier = "MikroTik"
        Vendor-14988-Attr-9 = 0x7a736d6965726f7661737669742e736b
        NAS-IP-Address = 192.168.1.10
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marosminich", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020700461a020700413143fd4d31764371a413eb1b580a17a0bd00000000000000006488c55e2a46d3f7acb0dda50c2ddfd4c3ab59a2d7f6db28006d61726f736d696e696368
server  {
  PEAP: Setting User-Name to marosminich
Sending tunneled request
        EAP-Message = 0x020700461a020700413143fd4d31764371a413eb1b580a17a0bd00000000000000006488c55e2a46d3f7acb0dda50c2ddfd4c3ab59a2d7f6db28006d61726f736d696e696368
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "marosminich"
        State = 0xccb83b9fccbf21df252a1f3abbcc72dc
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marosminich", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 70
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  [ldap] Entering ldap_groupcmp()
[files]         expand: dc=skfree,dc=svit -> dc=skfree,dc=svit
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> marosminich
[files]         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=marosminich)
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=skfree,dc=svit, with filter (uid=marosminich)
  [ldap] ldap_release_conn: Release Id: 0
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> marosminich
[files]         expand: (&(objectClass=posixGroup)(member=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(member=marosminich))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=skfree,dc=svit, with filter (&(cn=Wifi)(&(objectClass=posixGroup)(member=marosminich)))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in uid=marosminich,ou=Users,dc=skfree,dc=svit, with filter (objectclass=*)
  [ldap] performing search in cn=Wifi,ou=Groups,dc=skfree,dc=svit, with filter (cn=Wifi)
rlm_ldap::ldap_groupcmp: User found in group Wifi
  [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 3
++[files] returns ok
[ldap] performing user authorization for marosminich
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> marosminich
[ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=marosminich)
[ldap]  expand: dc=skfree,dc=svit -> dc=skfree,dc=svit
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=skfree,dc=svit, with filter (uid=marosminich)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{K5KEY}"
[ldap] looking for reply items in directory...
[ldap] user marosminich authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found unknown header {{K5KEY}}: Not doing anything
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: marosminich
[mschap] Told to do MS-CHAPv2 for marosminich with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [marosminich] (from client 10.178.201.72/32 port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
        Service-Type := Login-User
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        Service-Type := Login-User
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 36 to 10.178.201.72 port 60843
        EAP-Message = 0x0108002b19001703010020a63864ca7dec1c88688800ad5c304a01a969e3b75b7c31eca56f4b4b542366ad
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x71cc75d477c46cc96f85852f162d2551
Finished request 30.
Going to the next request
Waking up in 3.2 seconds.
rad_recv: Access-Request packet from host 10.178.201.72 port 44207, id=37, length=219
        Service-Type = Framed-User
        Framed-MTU = 1400
        User-Name = "marosminich"
        State = 0x71cc75d477c46cc96f85852f162d2551
        NAS-Port-Id = "wlan1"
        Calling-Station-Id = "58-94-6B-A5-C3-88"
        Called-Station-Id = "00-0C-42-FC-0E-91:eduroam"
        EAP-Message = 0x0208002b19001703010020300773049b1762b5ffa9a1dabcad9fceeb578fef06accad4edaf3042a0852cb3
        Message-Authenticator = 0xac157b883c779b83d7eecc2d621158fa
        NAS-Identifier = "MikroTik"
        Vendor-14988-Attr-9 = 0x7a736d6965726f7661737669742e736b
        NAS-IP-Address = 192.168.1.10
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marosminich", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [marosminich] (from client 10.178.201.72/32 port 0 cli 58-94-6B-A5-C3-88)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> marosminich
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 31 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.178.201.72 port 44207, id=37, length=219
Waiting to send Access-Reject to client 10.178.201.72/32 port 44207 - ID: 37
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 10.178.201.72 port 44207, id=37, length=219
Waiting to send Access-Reject to client 10.178.201.72/32 port 44207 - ID: 37
Waking up in 0.3 seconds.
Sending delayed reject for request 31
Sending Access-Reject of id 37 to 10.178.201.72 port 44207
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000

mrgill

Re: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« Reply #1 on: January 08, 2013, 07:25:00 am »
It is supported.
Please install the File Sharing module after you install the Users and Groups module; it is necessary for MSCHAPv2 encryption.

_evgen_b

Re: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« Reply #2 on: January 31, 2013, 11:49:04 am »
Doesn't FreeRADIUS use the mscap module? But in the module (/etc/freeradius/modules/mscap) the path to ntlm_auth is commented out. I tried to install winbind4 and uncomment this line:
Code:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


Shajtan

Re: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« Reply #3 on: February 07, 2013, 01:58:20 pm »
Hello all! I have the same problem: I can't authenticate any of my devices via Zentyal 3.0. It's strange, because I use Zentyal 2.0.22 as a RADIUS server, and it works well.
I set up Zentyal 3.0 and installed the modules Network, Firewall, DNS, Events, Logs, NTP, Users and Groups, RADIUS, File Sharing and HTTP Proxy. The firewall, in an attempt to resolve my problem, I set to "allow-all" in every direction (it didn't help, actually).

A check with radtest is OK with no protocol defined. radtest -t mschap rejects the authentication, but my old Zentyal 2.0 allows it! I have not found any serious difference in the config files on the two Zentyal servers, old and new... It's some mystery to me...

Code:
rad_recv: Access-Request packet from host 192.168.1.108 port 1024, id=99, length=298
User-Name = "Shajtan"
NAS-Port = 0
Called-Station-Id = "0A-27-22-F3-0C-AA:TestWiFi"
Calling-Station-Id = "1C-E2-CC-DB-86-BB"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x024100901900170301002097a8b59a5cad91ca90fcb1dc0efeb76ac3bab0d4b57f19c484cae3e392fde9ca17030100602581f1ea8f6f6354706e7a968e0747a747731366f1f83406703223926905072f2ac13662c1edbd790d33190878a9965895b56c688c4524c070b9a5ddbc0b6457e6fbd5bce4cb94c89c18e029be74601f97759fe42be6c24beb9ab7c334b3a183
State = 0xe3b3b3fbe5f2aa05025a29847a4bd19a
Message-Authenticator = 0xcad40f022b43632069706f73f6762fbc
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "Shajtan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 65 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x024100421a0241003d31dd9e103707f60fabca148f60b698b79e00000000000000003c422966dbcfcc8a7de3ae0a8c97cd0909604722904258de005368616a74616e
server  {
  PEAP: Setting User-Name to Shajtan
Sending tunneled request
EAP-Message = 0x024100421a0241003d31dd9e103707f60fabca148f60b698b79e00000000000000003c422966dbcfcc8a7de3ae0a8c97cd0909604722904258de005368616a74616e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "Shajtan"
State = 0x8e86fc7c8ec7e668b0ce18c188fabf98
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "Shajtan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 65 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 3
++[files] returns ok
[ldap] performing user authorization for Shajtan
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> Shajtan
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=Shajtan)
[ldap] expand: dc=loniir-internet,dc=net -> dc=loniir-internet,dc=net
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=loniir-internet,dc=net, with filter (uid=Shajtan)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{K5KEY}"
[ldap] looking for reply items in directory...
[ldap] user Shajtan authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found unknown header {{K5KEY}}: Not doing anything
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: Shajtan
[mschap] Told to do MS-CHAPv2 for Shajtan with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [Shajtan] (from client 192.168.1.0/24 port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "AE=691 R=1"
EAP-Message = 0x04410004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "AE=691 R=1"
EAP-Message = 0x04410004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 99 to 192.168.1.108 port 1024
EAP-Message = 0x0142002b190017030100206a2abce931280de058b058af5f98a2011a98c3a1caadaefee11123f12ea1d58f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe3b3b3fbe4f1aa05025a29847a4bd19a
Finished request 16.
Going to the next request
rad_recv: Access-Request packet from host 192.168.1.108 port 1024, id=100, length=234
User-Name = "Shajtan"
NAS-Port = 0
Called-Station-Id = "0A-27-22-F3-0C-AA:TestWiFi"
Calling-Station-Id = "1C-E2-CC-DB-86-BB"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0242005019001703010020fddddbe20028f0219a501e20d8a035364ecc394167910ba756e0861fcae3830e1703010020ea1479ec0058d99c08665f74673bdcb1a94e2e7cb15b8627a0e6da15dc99a5ce
State = 0xe3b3b3fbe4f1aa05025a29847a4bd19a
Message-Authenticator = 0xf591a3731e17336d106f79faece2cc20
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "Shajtan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 66 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [Shajtan] (from client 192.168.1.0/24 port 0 cli 1C-E2-CC-DB-86-BB)
Using Post-Auth-Type Reject
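Both debug logs in this thread (the first post's and Shajtan's) fail at the same point. Inside server inner-tunnel the ldap module only finds userPassword with the {K5KEY} header, pap reports "Found unknown header {{K5KEY}}: Not doing anything", and rlm_mschap then logs "No Cleartext-Password configured. Cannot create NT-Password." followed by "FAILED: No NT/LM-Password. Cannot perform authentication." The MS-CHAP-Error "E=691" sent back to the client is the generic authentication-failure code. The Go program below is an added example, not code from the thread, from Zentyal or from FreeRADIUS: it parses the tunneled EAP-MSCHAPv2 Response that appears as the EAP-Message in the first log (copied from that log) and then performs the RFC 2759 NT-Response computation and check that rlm_mschap does. Because neither log contains the authenticator challenge the server sent for that session, the check itself runs on the RFC 2759 section 9.2 test vectors as constructed input. All type, function and constant names are the example's own.

```go
// Added example, not code from the thread, Zentyal or FreeRADIUS: parse the tunneled
// EAP-MSCHAPv2 Response from the debug log and repeat rlm_mschap's RFC 2759 check.
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Response is the decoded EAP-MSCHAPv2 Response (EAP type 26, MS-CHAPv2 opcode 2).
type Response struct {
	MSID          byte
	PeerChallenge [16]byte
	NTResponse    [24]byte
	Name          string
}

// ParseResponse reads EAP{code,id,len,type} MS-CHAPv2{opcode,id,len,value-size} value name.
func ParseResponse(pkt []byte) (*Response, error) {
	if len(pkt) < 59 || pkt[0] != 2 || pkt[4] != 26 || pkt[5] != 2 {
		return nil, errors.New("not an EAP-MSCHAPv2 Response")
	}
	if int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) ||
		int(binary.BigEndian.Uint16(pkt[7:])) != len(pkt)-5 || pkt[9] != 49 {
		return nil, errors.New("length fields disagree with packet size")
	}
	// Value-Size 49 = peer challenge(16) + reserved(8) + NT-Response(24) + flags(1).
	r := &Response{MSID: pkt[6], Name: string(pkt[59:])}
	copy(r.PeerChallenge[:], pkt[10:26])
	copy(r.NTResponse[:], pkt[34:58])
	return r, nil
}

// ChallengeHash is RFC 2759 ChallengeHash(): SHA1(peer || authenticator || name)[:8].
func ChallengeHash(peer, auth [16]byte, name string) (out [8]byte) {
	sum := sha1.Sum(append(append(peer[:], auth[:]...), name...))
	copy(out[:], sum[:])
	return out
}

// desKey spreads 56 key bits over 8 bytes; the low (parity) bit is ignored by crypto/des.
func desKey(k7 []byte) []byte {
	k8 := make([]byte, 8)
	k8[0] = k7[0] & 0xfe
	for i := 1; i < 7; i++ {
		k8[i] = k7[i-1]<<(8-uint(i)) | k7[i]>>uint(i)
	}
	k8[7] = k7[6] << 1
	return k8
}

// NTResponse is RFC 2759 ChallengeResponse(): DES of the challenge under each
// 7-byte third of the NT hash zero-padded to 21 bytes. Only the hash is needed.
func NTResponse(challenge [8]byte, ntHash [16]byte) (out [24]byte) {
	var z [21]byte
	copy(z[:], ntHash[:])
	for i := 0; i < 3; i++ {
		blk, _ := des.NewCipher(desKey(z[7*i : 7*i+7])) // 8-byte key: cannot fail
		blk.Encrypt(out[8*i:8*i+8], challenge[:])
	}
	return out
}

// Verify is the server side: recompute from the stored NT hash, compare in constant time.
func Verify(r *Response, auth, ntHash [16]byte) bool {
	want := NTResponse(ChallengeHash(r.PeerChallenge, auth, r.Name), ntHash)
	return subtle.ConstantTimeCompare(want[:], r.NTResponse[:]) == 1
}

func hex16(s string) (out [16]byte) { b, _ := hex.DecodeString(s); copy(out[:], b); return out }

// LogEAPMessage is the tunneled EAP-Message copied from the first debug log in the
// thread; that log never shows the authenticator challenge, so it is parsed only.
const LogEAPMessage = "020700461a020700413143fd4d31764371a413eb1b580a17a0bd00000000000000006488c55e2a46d3f7acb0dda50c2ddfd4c3ab59a2d7f6db28006d61726f736d696e696368"

// RFC 2759 section 9.2 test vectors: user "User", password "clientPass".
var (
	RFCAuthChallenge = hex16("5B5D7C7D7B3F2F3E3C2C602132262628")
	RFCPeerChallenge = hex16("21402324255E262A28295F2B3A337C7E")
	RFCNTHash        = hex16("44EBBA8D5312B8D611474411F56989AE") // MD4(UTF-16LE("clientPass"))
)

func main() {
	raw, _ := hex.DecodeString(LogEAPMessage)
	r, err := ParseResponse(raw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("log: id=%d name=%q peer=%x nt-response=%x\n", r.MSID, r.Name, r.PeerChallenge, r.NTResponse)
	rfc := &Response{Name: "User", PeerChallenge: RFCPeerChallenge}
	rfc.NTResponse = NTResponse(ChallengeHash(RFCPeerChallenge, RFCAuthChallenge, "User"), RFCNTHash)
	fmt.Printf("rfc: nt-response=%X verify=%v\n", rfc.NTResponse, Verify(rfc, RFCAuthChallenge, RFCNTHash))
}
```

Run it with go run: the parsed log packet shows id 7, name "marosminich" and the peer challenge and NT-Response bytes that follow the Value-Size 0x31 in the log, and the RFC vectors reproduce the RFC's NT-Response 82309ECD...D6DF with Verify returning true. What the code makes visible is why the module rejects: the server side of MS-CHAPv2 needs the 16-byte NT hash and nothing else, so rlm_mschap must be handed NT-Password (or Cleartext-Password, from which it derives the hash) by an earlier module, or it must delegate the same computation to a domain member through ntlm_auth with --request-nt-key, --challenge and --nt-response, which is what the ntlm_auth line that _evgen_b quotes enables. The {K5KEY} marker the ldap module fetched from userPassword is not a hash the module can use, so that lookup alone can never satisfy it. The same property is the known weakness of PEAP/MSCHAPv2 without server certificate validation (the first post unchecks it): a rogue access point that completes the outer TLS handshake obtains a challenge/response pair and can attack the NT hash offline, so once the setup works, re-enable "Validate server certificate" and pin the RADIUS server's CA on the clients.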


_evgen_b

Re: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« Reply #4 on: February 07, 2013, 06:20:12 pm »
Quote from Shajtan: "Hello all! I have the same problem: I can't authenticate any of my devices via Zentyal 3.0. It's strange, because I use Zentyal 2.0.22 as a RADIUS server, and it works well. ..."
Hello. Please show me
Code:
cat /etc/freeradius/modules/mscap
from your Zentyal 2.0.22 and 3.0. I am especially interested in the line:
Code:
ntlm_auth =
I think that the mschap module is not configured in Zentyal 3.0.

----
Sorry for my bad English.
« Last Edit: February 07, 2013, 06:23:35 pm by _evgen_b »

nicozen

Re: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« Reply #5 on: February 07, 2013, 06:49:01 pm »
I have the exact same issue.

It seems indeed that ntlm_auth is not configured properly.
The line is still commented out with the default settings of FreeRADIUS (#ntlm_auth = "/path/to/ntlm_auth ...").

Thanks for correcting this, or for letting me know what the path to ntlm_auth should be when using Zentyal 3.0.

half_life

Re: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« Reply #6 on: February 07, 2013, 08:14:45 pm »
Ticket 5946 http://trac.zentyal.org/ticket/5946 covers this. I submitted it a while ago and it was just accepted this last week. I don't have any more details as to when it will be resolved at this time. Possibly a developer will pop in and comment.

<edit> I kept my 2.2 system around as a virtual machine. I currently have my 3.0 system's RADIUS server pointing to the LDAP server on my old system as a workaround. This might be useful information to some.
« Last Edit: February 07, 2013, 08:16:50 pm by half_life »

Shajtan

Re: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« Reply #7 on: February 11, 2013, 11:56:41 am »
To _evgen_b: yes, ntlm_auth is commented out in /etc/freeradius/modules/mschap. But there are the same settings in /etc/freeradius/modules/mschap on the Zentyal 2.0 server, and everything works well. How does mschap work on the old Zentyal and not work in the new version, with the same settings?

I tried to uncomment ntlm_auth, with path /usr/bin/ntlm_auth, and now I have this message:
Code:
/usr/bin/ntlm_auth: /usr/lib/i386-linux-gnu/libwbclient.so.0: no version information available (required by /usr/lib/i386-linux-gnu/samba/liblibsmb.so)

p2492

Re: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« Reply #8 on: February 25, 2013, 12:18:18 am »
Hello Forum,
I am new here and not so familiar with Linux and Zentyal.
Zentyal is a great solution but the fact that RADIUS doesn't work makes me unhappy....
Trying to get RADIUS to work, I have detected the following:
1. Zentyal RADIUS "out of the box" => failed
2. Uncomment ntlm_auth, with path /usr/bin/ntlm_auth
2a. Try to log in with WLAN client: user "test", password "1234" => login failed
3. Go to the User Corner and change the password for user "test" (keep the same one, "1234")
3a. Try to log in with WLAN client: user "test", password "1234" => login OK (!)
I don't understand what happens, but it works. (I have reproduced the issue for multiple users.)
This isn't a solution statement but I hope it can help find the real reason.

anomaly

Re: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« Reply #9 on: March 05, 2013, 05:30:33 am »
Quote from _evgen_b:
    Doesn't FreeRADIUS use the mscap module? But in the module (/etc/freeradius/modules/mscap) the path to ntlm_auth is commented out. I tried to install winbind4 and uncomment this line:
    Code:
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


Many thanks -- this did it for me!

sandeepnagra

Re: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« Reply #10 on: May 15, 2013, 04:19:05 pm »
Quote from anomaly:
    Quote from _evgen_b:
        Doesn't FreeRADIUS use the mscap module? But in the module (/etc/freeradius/modules/mscap) the path to ntlm_auth is commented out. I tried to install winbind4 and uncomment this line:
        Code:
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    Many thanks -- this did it for me!

Hi Anomaly,

I am facing the same issue with a Zentyal 3.0.20 installation. Could you please provide the steps for how you installed winbind4 to fix this issue? I have already uncommented the path to ntlm_auth in the /etc/freeradius/modules/mschap file.

Also, it seems that in _evgen_b's post there was a typo in the file name, as the file present under /etc/freeradius/modules/ is 'mschap' and not 'mscap'.

Your help in this regard would be highly appreciated.

shariqkhan1

Re: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« Reply #11 on: July 25, 2013, 06:03:58 am »
Hi!

Did you manage to figure this out? I have removed the # but I still have the same problem. Can anyone show the steps taken to resolve this?

Thanks.

papimigas

Re: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« Reply #12 on: August 11, 2013, 12:39:17 pm »
Hi everyone

After 4 days, coffee and 3 new installations I made this f*** RADIUS server work for me :P

To make it work I installed almost every module somehow related to networking, made the Zentyal server a domain controller, configured DHCP and DNS, created users and then configured RADIUS.
I commented out the line in /etc/freeradius/modules/mschap (and changed the path) as mentioned here.

On Android worked on the fly. Under Windows had to change some things as mentioned here: http://forum.zentyal.org/index.php?topic=8336.0

Thank you everyone that somehow shared your experiences and workarounds.


PapiMigas
« Last Edit: August 12, 2013, 02:58:02 am by papimigas »

ap1821

Re: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« Reply #13 on: February 17, 2014, 03:36:44 pm »
I'm still using 3.0 here and can't authorize any of my devices using WPA Enterprise. The standard PAP radtest works well. Any solutions? I haven't tried to uncomment that line yet, but it's only related to mschap, right?

Edit: I managed to successfully do a test using radtest -t mschap; does this mean MSCHAPv2 will also work?
« Last Edit: February 17, 2014, 06:45:51 pm by ap1821 »

stm999999999

Re: [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« Reply #14 on: February 17, 2014, 11:53:06 pm »
I hope so - if you can use RADIUS for WLAN successfully, can you tell me how? :-)