On 12/06/2011 11:53 PM, Fabio Prina wrote:

> I'm trying to authenticate my office WIFI network
> 
> If in the inner auth I use an AuthBy FILE all works fine, but if I use NTLM the 
> communication stops just after the last Access-Challenge (with a success).
> Anyway, if I use a wrong password I receive an Access-Reject.
> 
> Do you have any idea?

The configuration you included has this:
PTLS_PEAPVersion 0

Please make sure this is what you really have:
EAPTLS_PEAPVersion 0

If this was correct, then I know at least one case that has caused this
kind of problem. The answer ntlm_auth returns is incorrect and the
client thinks the RADIUS server has failed MSCHAP-V2 server authentication.
The client then immediately stops the authentication process.

See for example these bug descriptions:

https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/623342

Thanks!
Heikki


> Cheers
> --
> Fabio
> 
> 
> 
> <AuthBy FILE>
>     Filename %D/users
>     EAPType PEAP
> 
>     EAPTLS_CAFile %D/certificates/startssl/ca-startssl.pem
>     EAPTLS_CertificateFile %D/certificates/startssl/auth2.wtest.it.pem
>     EAPTLS_PrivateKeyFile %D/certificates/startssl/auth2.wtest.it.pem
>     EAPTLS_CertificateType PEM
>     EAPTLS_MaxFragmentSize 1024
>     AutoMPPEKeys
>     EAPAnonymous anonym...@wifi.wtest.it
>     PTLS_PEAPVersion 0
> 
>     Identifier          wtestOfficeWIFI_OUT
> </AuthBy>
> 
> 
> <AuthBy NTLM>
>     DefaultDomain   OFFICE
>     EAPType         MSCHAP-V2
>     Identifier      wtestOfficeWIFI_IN
> </AuthBy>
> 
> ############
> <Handler TunnelledByPEAP=1>
>     AuthBy              wtestOfficeWIFI_IN
> </Handler>
> 
> 
> <Handler Client-Identifier=/wtestWIFI/>
>     RewriteUsername     s/OFFICE\\(.*)/$1/
> 
>     AuthBy          wtestOfficeWIFI_OUT
> 
>     AcctLogFileName     %L/wtest_office/acct_wifi.%Y%m
>     <Log FILE>
>         Filename        %L/wtest_office/auth_wifi.%Y%m
>         Trace           3
>     </Log>
> </Handler>
> 
> 
> 
> ########################
> #Tail log
> 
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <137><129>B<180><232>s<192>)<139>/<150>Y<4><161>O<31>
> Attributes:
>         EAP-Message = 
> <2><12><0>K<26><2><12><0>J1<201>"<210><217>>l<15><6><130>)<205><156>e<137>X<131><0><0><0><0><0><0><0><0>*<157>m
>  v<147><29><173>oZ<251>jh<190>)<230>KZ}<175><145><167><174><20><0>OFFICE\Wuser
>         Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = 10.10.241.14
>         NAS-Identifier = "wf15.ftmil"
>         NAS-Port = 4325
>         Calling-Station-Id = "000f.6644.f67d"
>         User-Name = "anonym...@wifi.wtest.it"
> 
> Tue Dec  6 17:32:50 2011: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier ''
> Tue Dec  6 17:32:50 2011: DEBUG: Session_db0 Deleting session for anonym...@wifi.wtest.it, 10.10.241.14, 4325
> Tue Dec  6 17:32:50 2011: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='10.10.241.14' and NASPORT='4325' and VIPIDENTIFIER='' and USERNAME='anonym...@wifi.wtest.it'':
> Tue Dec  6 17:32:50 2011: DEBUG: Handling with Radius::AuthNTLM: wtestOfficeWIFI_IN
> Tue Dec  6 17:32:50 2011: DEBUG: Handling with EAP: code 2, 12, 75, 26
> Tue Dec  6 17:32:50 2011: DEBUG: Response type 26
> Tue Dec  6 17:32:50 2011: DEBUG: Radius::AuthNTLM looks for match with OFFICE\Wuser [anonym...@wifi.wtest.it]
> Tue Dec  6 17:32:50 2011: DEBUG: Radius::AuthNTLM ACCEPT: : OFFICE\Wuser [anonym...@wifi.wtest.it]
> Tue Dec  6 17:32:50 2011: DEBUG: Passing attribute Request-User-Session-Key: Yes
> Tue Dec  6 17:32:50 2011: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> Tue Dec  6 17:32:50 2011: DEBUG: Passing attribute LANMAN-Challenge: 298f418cba0abf15
> Tue Dec  6 17:32:50 2011: DEBUG: Passing attribute NT-Response: 2a9d6d2076931dad6f5afb6a68be29e64b5a7daf91a7ae14
> Tue Dec  6 17:32:50 2011: DEBUG: Passing attribute NT-Domain:: T0ZGSUNF
> Tue Dec  6 17:32:50 2011: DEBUG: Passing attribute Username:: QWRtaW5pc3RyYXRvcg==
> Tue Dec  6 17:32:50 2011: DEBUG: Received attribute: .
> Tue Dec  6 17:32:50 2011: DEBUG: Received attribute: Authenticated: Yes
> Tue Dec  6 17:32:50 2011: DEBUG: Received attribute: LANMAN-Session-Key: 7BBE0E4BDAF2DBA3
> Tue Dec  6 17:32:50 2011: DEBUG: Received attribute: User-Session-Key: 0EF1975AD0D4DA6A2C2586C26B3AA205
> Tue Dec  6 17:32:50 2011: DEBUG: Received attribute: .
> Tue Dec  6 17:32:50 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
> Tue Dec  6 17:32:50 2011: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
> Tue Dec  6 17:32:50 2011: DEBUG: Access challenged for anonym...@wifi.wtest.it: EAP MSCHAP V2 Challenge: Success
> Tue Dec  6 17:32:50 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  <137><129>B<180><232>s<192>)<139>/<150>Y<4><161>O<31>
> Attributes:
>         EAP-Message = 
> <1><13><0>=<26><3><12><0>8S=1D80B53D82D30962031491DA6547DAC863B2D602 M=success
>         Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Dec  6 17:32:50 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Dec  6 17:32:50 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Dec  6 17:32:50 2011: DEBUG: Access challenged for Wuser: EAP PEAP inner authentication redispatched to a Handler
> Tue Dec  6 17:32:50 2011: DEBUG: Packet dump:
> *** Sending to 10.10.241.14 port 1645 ....
> Code:       Access-Challenge
> Identifier: 209
> Authentic:  <237><158><241>LFp<169>8<132><245><9><182><136>w<170><15>
> Attributes:
>         EAP-Message = 
> <1><13><0>T<25><0><23><3><1><0>IZ<173><239>C<133>W<169>1lZ<235>^R<200><248>P<28><178><169><195>3<199><196><11><243>9<158><252><163>D<195>/<236>R<252><225>W<6>X+<224>8x_<169><133><197><200><178>:#<137>o<2><19><224><141><136>q<22><217>Lk<154><172><197>Zw:<182><148><203>
>         Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.