Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Freeradius with PEAP (EAP-MSCHAP v2) Problems

820 views
Skip to first unread message

Khurram Jahangir

unread,
Oct 7, 2004, 11:52:21 AM10/7/04
to
Hello Everyone,

I am a new user on this mailing list and I am facing
some problems while trying to use PEAP and freeradius.

The freeradius version that I am using is 1.0.1. The
client is a windows XP machine with SP 2. The
authenticator is an HP 2524 switch.

The error that I get is this one

----------------

Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 8
rlm_mschap: No MS-CHAP-Challenge in the request
modcall[authenticate]: module "mschap" returns
reject for request 8
modcall: group Auth-Type returns reject for request 8
auth: Failed to validate the user.

------------------


users file has the following user

"bob" Auth-Type := MS-CHAP, User-Password == "bob1"
Reply-Message = "Hello, %u"


I tried it without mentioning any Auth-Type and then
the server takes it as CHAP by default and it works.

--------------------

I have following configuration in eap.conf

eap {

default_eap_type = tls

timer_expire = 60

ignore_unknown_eap_types = no

cisco_accounting_username_bug = no

md5 {
}

leap {
}

gtc {
auth_type = PAP
}

tls {
private_key_password = whatever
private_key_file = /etc/1x/khurram.pem

certificate_file = /etc/1x/khurram.pem



CA_file = /etc/1x/root.pem



dh_file = /etc/1x/DH
random_file = /etc/1x/random

peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
}

mschapv2 {
}

}

}


-----------------------------

In eap.conf, under eap, if i change "default_eap_type"
to peap, the I get the following error while running
Radiusd and it crashes

rlm_eap: Loaded and initialized type tls
rlm_eap: No such sub-type for default EAP type peap
radiusd.conf[9]: eap: Module instantiation failed.

-----------------------------

In HP switch, I gave this command to make it work,

aaa authentication port-access chap-radius

--------------------------------

In the XP client, I have chosen Portected EAP (PEAP)
as the EAP type and I also have enabled the root
certificate authority. I have chosen Secured password
(EAP-MSCHAP v2) as the authentication method.

My setup worked fine for EAP-TLS and the certificates
and for MD5 Challange (CHAP).

Below is the debug output of the freeradius with
"default_eap_type = tls"

*********************************
[root@localhost root]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file:
/usr/local/etc/raddb/proxy.conf
Config: including file:
/usr/local/etc/raddb/clients.conf
Config: including file:
/usr/local/etc/raddb/snmp.conf
Config: including file:
/usr/local/etc/raddb/eap.conf
Config: including file:
/usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir =
"/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file =
"/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile =
"/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will
go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean
output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/1x/khurram.pem"

tls: certificate_file = "/etc/1x/khurram.pem"
tls: CA_file = "/etc/1x/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/1x/DH"
tls: random_file = "/etc/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups =
"/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile =
"/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile =
"/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id,
NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename =
"/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host
10.0.1.20:1024, id=227, length=173
Framed-MTU = 1480
NAS-IP-Address = 10.0.1.20
NAS-Identifier = "Lower_Switch"
User-Name = "bob"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 2
NAS-Port-Type = Ethernet
NAS-Port-Id = "2"
Called-Station-Id = "00-01-e6-bd-7a-22"
Calling-Station-Id = "00-0f-1f-9e-07-49"
Connect-Info = "CONNECT Ethernet 100Mbps Full
duplex"


CHAP-Password = 0x0200000000000000000000000000000000
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok
for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for
request 0
modcall[authorize]: module "mschap" returns noop for
request 0
rlm_realm: No '@' in User-Name = "bob", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for
request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for
request 0
users: Matched bob at 101
radius_xlat: 'Hello, bob'
modcall[authorize]: module "files" returns ok for
request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_mschap: No MS-CHAP-Challenge in the request
modcall[authenticate]: module "mschap" returns
reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---

**********************************


Below is the debug output of the freeradius with
"default_eap_type = peap"


**********************************

[root@localhost root]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file:
/usr/local/etc/raddb/proxy.conf
Config: including file:
/usr/local/etc/raddb/clients.conf
Config: including file:
/usr/local/etc/raddb/snmp.conf
Config: including file:
/usr/local/etc/raddb/eap.conf
Config: including file:
/usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir =
"/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file =
"/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile =
"/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will
go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean
output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/1x/khurram.pem"
tls: certificate_file = "/etc/1x/khurram.pem"
tls: CA_file = "/etc/1x/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/1x/DH"
tls: random_file = "/etc/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
rlm_eap: No such sub-type for default EAP type peap
radiusd.conf[9]: eap: Module instantiation failed.

*********************************

I hope someone will be able to solve my problem.
Probably I am doing something wrong somewhere.

Thanks in advanced for your help.

Best Regards

//Khurram



_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Alan DeKok

unread,
Oct 7, 2004, 1:37:24 PM10/7/04
to
Khurram Jahangir <khurram_...@yahoo.com> wrote:
> I am a new user on this mailing list and I am facing
> some problems while trying to use PEAP and freeradius.

Ok...

> modcall: entering group Auth-Type for request 8
> rlm_mschap: No MS-CHAP-Challenge in the request

You set "Auth-Type := MS-CHAP". DON'T DO THAT.

> I tried it without mentioning any Auth-Type and then
> the server takes it as CHAP by default and it works.

Only if the client sends CHAP requests. If it sends EAP requests,
then EAP would work.

> In eap.conf, under eap, if i change "default_eap_type"
> to peap, the I get the following error while running
> Radiusd and it crashes
>
> rlm_eap: Loaded and initialized type tls
> rlm_eap: No such sub-type for default EAP type peap
> radiusd.conf[9]: eap: Module instantiation failed.

Yes... you edited the default "eap.conf" to break it. You put
"peap" and "mschapv2" inside of the "tls" section. They are NOT in
the tls section in the default eap.conf.

Alan DeKok.

Khurram Jahangir

unread,
Oct 7, 2004, 3:55:37 PM10/7/04
to
Hi Alan,

Thanks alot for your reply. I really appreciate that
and it was a great help for me. I took off the
Auth-Type := MS-CHAP from the user bob and also
changed the configuration in the HP switch (aaa
authentication port-access eap-radius).

I think I have moved now one step further as I am not
getting the same errors anynoe.

Now the debug log from Radiusd -X shows the following
messages,

--------------------------------------------

rlm_eap: Loaded and initialized type tls

10.0.1.20:1024, id=247, length=198


Framed-MTU = 1480
NAS-IP-Address = 10.0.1.20
NAS-Identifier = "Lower_Switch"
User-Name = "bob"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 2
NAS-Port-Type = Ethernet
NAS-Port-Id = "2"
Called-Station-Id = "00-01-e6-bd-7a-22"
Calling-Station-Id = "00-0f-1f-9e-07-49"
Connect-Info = "CONNECT Ethernet 100Mbps Full
duplex"

Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "30"
EAP-Message = 0x0201000801626f62
Message-Authenticator =
0x2a46e7fe66f05b17259537e545d6abcc





Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 1


modcall[authorize]: module "preprocess" returns ok

for request 1
modcall[authorize]: module "chap" returns noop for
request 1


modcall[authorize]: module "mschap" returns noop for

request 1


rlm_realm: No '@' in User-Name = "bob", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for

request 1
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP
conversation
modcall[authorize]: module "eap" returns updated for
request 1
users: Matched bob at 100


radius_xlat: 'Hello, bob'
modcall[authorize]: module "files" returns ok for

request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"


Processing the authenticate section of radiusd.conf

modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: No such EAP type peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid
for request 1
modcall: group authenticate returns invalid for
request 1


auth: Failed to validate the user.

Delaying request 1 for 1 seconds

-----------------------------------

I still did not change the eap.conf file as I am not
sure where exactly to add "default_eap_type = peap".

As you suggested in your last message, I should do
"peap" and "mschapv2" inside of TLS. I tried to put
"default_eap_type = peap" under tls like this but I
still got the erros as shown above in Radiusd -X log,

Here is my eap.conf,

eap {

default_eap_type = tls

timer_expire = 60

ignore_unknown_eap_types = no

cisco_accounting_username_bug = no

md5 {
}

leap {
}

gtc {
auth_type = PAP
}

tls {



default_eap_type = peap #### I added this line here ##

private_key_password = whatever
private_key_file = /etc/1x/khurram.pem



certificate_file = /etc/1x/khurram.pem



CA_file = /etc/1x/root.pem



dh_file = /etc/1x/DH
random_file = /etc/1x/random



fragment_size = 1024





peap {

default_eap_type = mschapv2

copy_request_to_tunnel = yes
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes



}

mschapv2 {
}

}

}


I wonder where exactly should I add this
"default_eap_type = peap" and if "default_eap_type =
mschapv2" is added at the right place in eap.conf or
not. I also am not sure if this is the source of the
problem or not. Your help in this regard will be
highly appreciated.

Best Regards

//Khurram

Ok...

Alan DeKok.



_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com

-

Alan DeKok

unread,
Oct 7, 2004, 4:12:34 PM10/7/04
to
Khurram Jahangir <khurram_...@yahoo.com> wrote:
> I still did not change the eap.conf file as I am not
> sure where exactly to add "default_eap_type = peap".

Uh, no. I told you what was wrong, and how to fix it.

> As you suggested in your last message, I should do
> "peap" and "mschapv2" inside of TLS.

Huh? I said to do the COMPLETE OPPOSITE.

> Here is my eap.conf,
...

which is pretty much exactly the same as you had before.

> tls {
>
> default_eap_type = peap #### I added this line here ##

I fail to see why.

> I wonder where exactly should I add this
> "default_eap_type = peap"

Read "eap.conf". It has examples of "default_eap_type", and they
aren't located where you put it.

Alan DeKok.

Khurram Jahangir

unread,
Oct 7, 2004, 5:17:21 PM10/7/04
to
Hi Again,

Sorry it was my mistake and i changed the the eap.conf
file back (the brackets were messed up actually) and
now it is working fine.

Thanks for your help. I found this mailing list to be
very useful.

Regards

//khurram


__________________________________
Do you Yahoo!?
Y! Messenger - Communicate in real time. Download now.
http://messenger.yahoo.com

0 new messages