Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - minich.m

Pages: [1]
1
Installation and Upgrades / [Zentyal 3.0] Is PEAP|MSCHAPv2 supported?
« on: November 06, 2012, 08:12:51 am »
Hello people,I am a zentyal newbie and I love zentyal :-).

My problem:
I need authenticate users on wireless access points with name and password.
Zentyal: I have configured LDAP, RADIUS, USER, ... test with radtest is OK.
Win 7:  I'm using wpa2 enterprise, AES, I unchecked the "validate Server Certificate"

Here is my log from freeradius:
Code: [Select]
       Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xccb83b9fccbf21df252a1f3abbcc72dc
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 35 to 10.178.201.72 port 60163
        EAP-Message = 0x0107004b190017030100404364e0a23324617752dd1d7a448438a7116d0dea2fb6b1a8d32f8775359bd5f97e058d1d3b0f3ade2da10fcb1eaef2b0f365ce00f9cbacea1aaa8899a712abe9
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x71cc75d474cb6cc96f85852f162d2551
Finished request 29.
Going to the next request
Waking up in 3.2 seconds.
rad_recv: Access-Request packet from host 10.178.201.72 port 60843, id=36, length=283
        Service-Type = Framed-User
        Framed-MTU = 1400
        User-Name = "marosminich"
        State = 0x71cc75d474cb6cc96f85852f162d2551
        NAS-Port-Id = "wlan1"
        Calling-Station-Id = "58-94-6B-A5-C3-88"
        Called-Station-Id = "00-0C-42-FC-0E-91:eduroam"
        EAP-Message = 0x0207006b19001703010060d0e2b85a2afd8d9a3d8d1480d3c044fb30936a50005856b2480525285c72c4369dbbdcc89005023f1b562af26369515b6f812a5ba6e6716aa86658250f2586d3f8cff0262044db941ee1edd4b9b02dc3b597fcd7e524dd7c47ffa527fd004843
        Message-Authenticator = 0x16ab74bcf485e99ca2e368cee5ecc6ba
        NAS-Identifier = "MikroTik"
        Vendor-14988-Attr-9 = 0x7a736d6965726f7661737669742e736b
        NAS-IP-Address = 192.168.1.10
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marosminich", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020700461a020700413143fd4d31764371a413eb1b580a17a0bd00000000000000006488c55e2a46d3f7acb0dda50c2ddfd4c3ab59a2d7f6db28006d61726f736d696e696368
server  {
  PEAP: Setting User-Name to marosminich
Sending tunneled request
        EAP-Message = 0x020700461a020700413143fd4d31764371a413eb1b580a17a0bd00000000000000006488c55e2a46d3f7acb0dda50c2ddfd4c3ab59a2d7f6db28006d61726f736d696e696368
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "marosminich"
        State = 0xccb83b9fccbf21df252a1f3abbcc72dc
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marosminich", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 70
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  [ldap] Entering ldap_groupcmp()
[files]         expand: dc=skfree,dc=svit -> dc=skfree,dc=svit
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> marosminich
[files]         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=marosminich)
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=skfree,dc=svit, with filter (uid=marosminich)
  [ldap] ldap_release_conn: Release Id: 0
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> marosminich
[files]         expand: (&(objectClass=posixGroup)(member=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(member=marosminich))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=skfree,dc=svit, with filter (&(cn=Wifi)(&(objectClass=posixGroup)(member=marosminich)))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in uid=marosminich,ou=Users,dc=skfree,dc=svit, with filter (objectclass=*)
  [ldap] performing search in cn=Wifi,ou=Groups,dc=skfree,dc=svit, with filter (cn=Wifi)
rlm_ldap::ldap_groupcmp: User found in group Wifi
  [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 3
++[files] returns ok
[ldap] performing user authorization for marosminich
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> marosminich
[ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=marosminich)
[ldap]  expand: dc=skfree,dc=svit -> dc=skfree,dc=svit
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=skfree,dc=svit, with filter (uid=marosminich)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{K5KEY}"
[ldap] looking for reply items in directory...
[ldap] user marosminich authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found unknown header {{K5KEY}}: Not doing anything
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: marosminich
[mschap] Told to do MS-CHAPv2 for marosminich with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [marosminich] (from client 10.178.201.72/32 port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
        Service-Type := Login-User
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        Service-Type := Login-User
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 36 to 10.178.201.72 port 60843
        EAP-Message = 0x0108002b19001703010020a63864ca7dec1c88688800ad5c304a01a969e3b75b7c31eca56f4b4b542366ad
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x71cc75d477c46cc96f85852f162d2551
Finished request 30.
Going to the next request
Waking up in 3.2 seconds.
rad_recv: Access-Request packet from host 10.178.201.72 port 44207, id=37, length=219
        Service-Type = Framed-User
        Framed-MTU = 1400
        User-Name = "marosminich"
        State = 0x71cc75d477c46cc96f85852f162d2551
        NAS-Port-Id = "wlan1"
        Calling-Station-Id = "58-94-6B-A5-C3-88"
        Called-Station-Id = "00-0C-42-FC-0E-91:eduroam"
        EAP-Message = 0x0208002b19001703010020300773049b1762b5ffa9a1dabcad9fceeb578fef06accad4edaf3042a0852cb3
        Message-Authenticator = 0xac157b883c779b83d7eecc2d621158fa
        NAS-Identifier = "MikroTik"
        Vendor-14988-Attr-9 = 0x7a736d6965726f7661737669742e736b
        NAS-IP-Address = 192.168.1.10
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marosminich", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [marosminich] (from client 10.178.201.72/32 port 0 cli 58-94-6B-A5-C3-88)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> marosminich
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 31 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.178.201.72 port 44207, id=37, length=219
Waiting to send Access-Reject to client 10.178.201.72/32 port 44207 - ID: 37
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 10.178.201.72 port 44207, id=37, length=219
Waiting to send Access-Reject to client 10.178.201.72/32 port 44207 - ID: 37
Waking up in 0.3 seconds.
Sending delayed reject for request 31
Sending Access-Reject of id 37 to 10.178.201.72 port 44207
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000

Pages: [1]