Discussion:
EAP-MSChapv2 authentication
Christopher, Paul
2006-09-12 14:50:17 UTC
I have a device that uses EAP-MSCHAPv2 (without PEAP) for authentication. I am running freeRadius on Redhat. The device is plugged into a switch which sends the EAP request to the server. I am unable to get the device authenticated with the Radius server. In the users file should the Auth-type be local or MS-Chap? Should I be sending the authentication request to an NT domain or will the username and password in the user file be sufficient?
Any documentation or insight would be very helpful and greatly appreciated! Below is the radius debug output.
Thanks, Paul.
rad_recv: Access-Request packet from host 13.138.136.68:1645, id=226, length=127
NAS-IP-Address = 13.138.136.68
NAS-Port = 50003
NAS-Port-Type = Ethernet
User-Name = "tester"
Called-Station-Id = "00-0A-B8-39-79-85"
Calling-Station-Id = "00-00-AA-6E-78-F6"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0201000b01746573746572
Message-Authenticator = 0x7836b28d762411aa9dcd27ff0d70d047
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 1 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry tester at line 82
modcall[authorize]: module "files" returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Delaying request 8 for 1 seconds
Finished request 8


This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s) please contact the sender by reply e-mail and destroy all copies of the original message. Thank you
Alan DeKok
2006-09-12 20:11:34 UTC
Post by Christopher, Paul
I have a device that uses EAP-MSCHAPv2 (without PEAP) for
authentication. I am running freeRadius on Redhat. The device is plugged
into a switch which sends the EAP request to the server. I am unable to
get the device authenticated with the Radius server. In the users file
should the Auth-type be local or MS-Chap?
Neither. Don't set Auth-Type at all. The server WILL figure it out.
Post by Christopher, Paul
Should I be sending the authentication request to an NT domain or
will the username and password in the user file be sufficient?
Putting a username and password into the "users" file will be
sufficient.

#
bob User-Password := "hello"

#

EAP-MSCHAPv2 *will* work. See:

http://deployingradius.com/documents/configuration/pap.html

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Christopher, Paul
2006-09-13 17:46:50 UTC
Hi Alan,
Thanks for the response. I removed the Auth-Type, but it is still not working. Now I get a new set of errors. I did a radtest bob hello localhost 0 testing123 and the user was able to authenticate. I don't know why it doesn't work for EAP-MSchapv2. Thanks for your help! Below is the debug log:

rad_recv: Access-Request packet from host 13.138.136.68:1645, id=155, length=140
NAS-IP-Address = 13.138.136.68
NAS-Port = 50003
NAS-Port-Type = Ethernet
User-Name = "tester"
Called-Station-Id = "00-0A-B8-39-79-85"
Calling-Station-Id = "00-0B-DB-64-9B-A7"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x9b24bde92b2edf137fd180df54de624a
EAP-Message = 0x021300060315
Message-Authenticator = 0x59b57149b1821c1ec87342e2e04cdbc8
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
modcall[authorize]: module "preprocess" returns ok for request 19
modcall[authorize]: module "chap" returns noop for request 19
modcall[authorize]: module "mschap" returns noop for request 19
rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 19
rlm_eap: EAP packet type response id 19 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 19
users: Matched entry tester at line 83
modcall[authorize]: module "files" returns ok for request 19
modcall: leaving group authorize (returns updated) for request 19
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/ttls
rlm_eap: No such EAP type ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 19
modcall: leaving group authenticate (returns invalid) for request 19
auth: Failed to validate the user.
Delaying request 19 for 1 seconds
Finished request 19
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 13.138.136.68:1645, id=155, length=140
Sending Access-Reject of id 155 to 13.138.136.68 port 1645
EAP-Message = 0x04130004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 1 seconds...

Alan DeKok
2006-09-13 17:47:32 UTC
Post by Christopher, Paul
Thanks for the response. I remove the Auth-Type, but it is still not
working. Now I get a new set of errors. I did a radtest bob hello
localhost 0 testing123 and the user was able to authenticate.
Because PAP authentication is simple, and doesn't involve EAP.
Post by Christopher, Paul
I don't know why it doesn't work for EAP-MSchapv2. Thanks for your
...
Post by Christopher, Paul
rlm_eap: EAP-NAK asked for EAP-Type/ttls
rlm_eap: No such EAP type ttls
Uh... what part of that message is unclear?

The client isn't doing EAP-MSCHAPv2.

Alan DeKok.
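The "EAP-NAK asked for EAP-Type/ttls" line comes straight from the bytes in the EAP-Message attribute. The following decoder is an added example, not code from the thread or from FreeRADIUS; it parses the three EAP-Message values quoted in the debug output above (an Identity response, a Nak, and a Failure) and shows that the client answered the server's offer with a Nak requesting type 21 (EAP-TTLS) rather than type 26 (EAP-MSCHAPv2).

```python
# Added example: decode EAP-Message values as printed by radiusd -X, to show
# why the server logged "EAP-NAK asked for EAP-Type/ttls".
from dataclasses import dataclass, field
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}  # IANA subset

@dataclass
class EapPacket:
    code: str
    identifier: int
    length: int
    method: Optional[str] = None       # None for Success/Failure (no type byte)
    identity: Optional[str] = None     # set for Identity responses
    nak_wants: List[str] = field(default_factory=list)  # methods the peer asks for in a Nak

def decode_eap(hex_value: str) -> EapPacket:
    """Parse one EAP packet: code(1) id(1) length(2) [type(1) data...]."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    pkt = EapPacket(EAP_CODES.get(code, f"code{code}"), ident, length)
    if code in (3, 4):            # Success / Failure carry no method type
        return pkt
    method_id = raw[4]
    pkt.method = EAP_TYPES.get(method_id, f"type{method_id}")
    data = raw[5:]
    if method_id == 1:
        pkt.identity = data.decode("utf-8", errors="replace")
    elif method_id == 3:
        # A Nak lists the method type(s) the peer is willing to do instead.
        pkt.nak_wants = [EAP_TYPES.get(b, f"type{b}") for b in data]
    return pkt

def explain(hex_value: str) -> str:
    p = decode_eap(hex_value)
    if p.method == "Nak":
        return f"{p.code} id={p.identifier}: peer refused offered method, wants {', '.join(p.nak_wants)}"
    if p.identity is not None:
        return f"{p.code} id={p.identifier}: Identity '{p.identity}'"
    return f"{p.code} id={p.identifier}: {p.method or 'no method'}"

if __name__ == "__main__":
    for h in ("0x0201000b01746573746572", "0x021300060315", "0x04130004"):
        print(explain(h))  # values taken from the thread's debug output
```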
A***@lboro.ac.uk
2006-09-13 19:23:09 UTC
Hi,
Post by Alan DeKok
Post by Christopher, Paul
rlm_eap: EAP-NAK asked for EAP-Type/ttls
rlm_eap: No such EAP type ttls
Uh... what part of that message is unclear?
The client isn't doing EAP-MSCHAPv2.
Indeed, it looks like EAP-TTLS with MSCHAPv2 inside the tunnel.

alan
A***@lboro.ac.uk
2006-09-13 19:22:20 UTC
Hi,
Post by Christopher, Paul
rlm_eap: EAP-NAK asked for EAP-Type/ttls
rlm_eap: No such EAP type ttls
Only a guess, but the above line seems to be the big clue here.
Have you configured your eap.conf correctly, and did you build from
source? If from source, did you check that configure passed without
failing on anything, e.g. no OpenSSL dev headers etc.? You have to
have the certificates part in eap.conf sorted, or TTLS won't work.

alan
Christopher, Paul
2006-09-13 19:43:12 UTC
Hi Alan,
Thanks for your response. I don't understand what you mean by 'did you
build from source?' Please explain. I did not generate any certs. I
didn't think EAP-MSChapv2 needed certificates.
Paul.

King, Michael
2006-09-13 20:16:38 UTC
Paul,

I think what Alan was getting at is that your client asked for EAP-TTLS,
not EAP-MSChapV2. This might be the root of your problem.

If you intend to do MSChapV2 inside of TTLS tunnels, you MUST set up a
certificate. This is made quite clear in the eap.conf file: TTLS
is dependent on TLS being set up.

What is your user source? (users file, passwd file, LDAP, Active
Directory) I ask because MSChapV2 is incompatible with a few of these
sources.
Post by Christopher, Paul
rlm_eap: EAP-NAK asked for EAP-Type/ttls
rlm_eap: No such EAP type ttls
A***@lboro.ac.uk
2006-09-13 22:04:33 UTC
Hi,
Post by Christopher, Paul
Hi Alan,
Thanks for your response. I don't understand what you mean by 'did you
build from source?' Please explain. I did not generate any certs. I
didn't think EAP-MSChapv2 needed certificates.
Build from source: did you download the freeradius-1.1.3.tar.gz
and then extract it, run ./configure, make, make install etc.?

Not built from source: did you simply apt-get install freeradius
or yum install freeradius etc.?

PS: if a Gentoo user, if you 'emerge freeradius' I would class that as building
from source ;-)


The next question is: are you really doing raw EAP-MSCHAPv2? This isn't too
common (on this list anyway....). The error log you posted clearly hinted
at EAP-TTLS, so any MSCHAPv2 would be in the tunnel. If you have
this form of EAP then the TLS section must be working, as the first
few lines of eap.conf clearly state. Otherwise it 'just won't work' (tm).

alan