RADIUS CONFIGURAÇÃO PEAP/MSCHAPv2

1. RADIUS CONFIGURAÇÃO PEAP/MSCHAPv2

EduardoBelmonte
(usa Slackware)

Enviado em 26/08/2015 - 15:05h

Boa tarde galera, blza ?
Estou tentando configurar um servidor RADIUS autenticando na minha base do LDAP em um ap.
quando conecto com ele pelo meu smarth ele funciona mas somente com a configuração PEAP/GTC ou TTLS/PAP autentica na base e estabelece a conexão, mas preciso configurar ele para PEAP/MSCHAPv2 para autenticação windows, se alguem puder me ajudar, eu agradeço, segue o tutorial que eu estou seguindo e o radiusd -X.
Detalhe: meu LDAP não possui TLS.

http://wiki.brivaldojunior.facom.ufms.br/index.php/FreeRadius

Waking up in 4.9 seconds.

rad_recv: Access-Request packet from host 10.1.0.249 port 2048, id=162, length=271

        User-Name = "eduardo.xxxx"

        NAS-IP-Address = 10.1.0.249

        NAS-Port = 0

        Called-Station-Id = "64-70-02-44-16-56:__3r"

        Calling-Station-Id = "E4-90-7E-75-55-FA"

        Framed-MTU = 1400

        NAS-Port-Type = Wireless-802.11

        Connect-Info = "CONNECT 0Mbps 802.11"

        EAP-Message = 0x0208006b190017030100605244fa18a97cefe5286e48103ac0614848c2240a3b33cb3eea3847ae634694b70b978fe83248eac674216e45a716439e21ded9a05eacb5969ecc73c474c36807de40e4396880bd75776397119bd751d915b6caacd5b0a187afc2c9b05102f1a0

        State = 0x0311bf9a0419a64c8fa43dd51798a5f2

        Message-Authenticator = 0xa2bdf5f82385f0910ca3bf4b04a22cb1

# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default

+group authorize {

++[preprocess] = ok

++[chap] = noop

++[mschap] = noop

[suffix] No '@' in User-Name = "eduardo.xxxx", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] = noop

[ntdomain] No '\' in User-Name = "eduardo.xxxx", looking up realm NULL

[ntdomain] No such realm "NULL"

++[ntdomain] = noop

[eap] EAP packet type response id 8 length 107

[eap] Continuing tunnel setup.

++[eap] = ok

+} # group authorize = ok

Found Auth-Type = EAP

# Executing group from file /usr/local/etc/raddb/sites-enabled/default

+group authenticate {

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7 

[peap] Done initial handshake

[peap] eaptls_process returned 7 

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state phase2

[peap] EAP type mschapv2

[peap] Got tunneled request

        EAP-Message = 0x0208004a1a02080045317c69c9814ac058b9f3ec1fb26051bd500000000000000000812e52930d139f9c018946064f9d372fe550d794b5bd6e38006564756172646f2e70657265697261

server  {

[peap] Setting User-Name to eduardo.xxxx

Sending tunneled request

        EAP-Message = 0x0208004a1a02080045317c69c9814ac058b9f3ec1fb26051bd500000000000000000812e52930d139f9c018946064f9d372fe550d794b5bd6e38006564756172646f2e70657265697261

        FreeRADIUS-Proxied-To = 127.0.0.1

        User-Name = "eduardo.xxxxx"

        State = 0x5f7d70975f756a2a1ba794dad71e8734

server inner-tunnel {

# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel

+group authorize {

++[chap] = noop

++[mschap] = noop

[ntdomain] No '\' in User-Name = "eduardo.xxxx", looking up realm NULL

[ntdomain] No such realm "NULL"

++[ntdomain] = noop

++update control {

++} # update control = noop

[eap] EAP packet type response id 8 length 74

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] = updated

++[files] = noop

[ldap] performing user authorization for eduardo.xxxx

[ldap]  expand: (uid=%u) -> (uid=eduardo.xxxxx)

[ldap]  expand: ou=Usuarios,dc=xxxx,dc=com,dc=br -> ou=Usuarios,dc=tntedu,dc=com,dc=br

  [ldap] ldap_get_conn: Checking Id: 0

  [ldap] ldap_get_conn: Got Id: 0

  [ldap] performing search in ou=Usuarios,dc=xxxxxdc=com,dc=br, with filter (uid=eduardo.pereira)

[ldap] Password header not found in password {CRYPT}$1$6TlGRzaJ$8Kf310rzDvkD8o2ONgA6y1 for user eduardo.pereira

[ldap] Added User-Password = {CRYPT}$1$6TlGRzaJ$8Kf310rzDvkD8o2ONgA6y1 in check items

[ldap] looking for check items in directory...

  [ldap] userPassword -> User-Password == "{CRYPT}$1$6TlGRzaJ$8Kf310rzDvkD8o2ONgA6y1"

  [ldap] userPassword -> Password-With-Header == "{CRYPT}$1$6TlGRzaJ$8Kf310rzDvkD8o2ONgA6y1"

[ldap] looking for reply items in directory...

  [ldap] ldap_release_conn: Release Id: 0

++[ldap] = ok

++[expiration] = noop

++[logintime] = noop

[pap] WARNING: Auth-Type already set.  Not setting to PAP

++[pap] = noop

+} # group authorize = updated

Found Auth-Type = EAP

# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel

+group authenticate {

[eap] Request found, released from the list

[eap] EAP/mschapv2

[eap] processing type mschapv2

[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel

[mschapv2] +group MS-CHAP {

[mschap] No Cleartext-Password configured.  Cannot create LM-Password.

[mschap] No Cleartext-Password configured.  Cannot create NT-Password.

[mschap] Creating challenge hash with username: eduardo.xxxx

[mschap] Client is using MS-CHAPv2 for eduardo.pereira, we need NT-Password

[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.

[mschap] FAILED: MS-CHAP2-Response is incorrect

++[mschap] = reject

+} # group MS-CHAP = reject

MSCHAP Failure 

++[eap] = handled

+} # group authenticate = handled

} # server inner-tunnel

[peap] Got tunneled reply code 11

        EAP-Message = 0x010900121a0408000d453d36393120523d31

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x5f7d70975e746a2a1ba794dad71e8734

[peap] Got tunneled reply RADIUS code 11

        EAP-Message = 0x010900121a0408000d453d36393120523d31

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x5f7d70975e746a2a1ba794dad71e8734

[peap] Got tunneled Access-Challenge

++[eap] = handled

+} # group authenticate = handled

Sending Access-Challenge of id 162 to 10.1.0.249 port 2048

        EAP-Message = 0x0109003b19001703010030dd98404fc072f7b92d47dfe2d96bfd4be0684a2f7faa57660a935cadc89a75a29648c2f8d5cb48949c5361f0ab442ed4

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x0311bf9a0b18a64c8fa43dd51798a5f2

Finished request 76.

Going to the next request

Waking up in 4.9 seconds.

Cleaning up request 68 ID 154 with timestamp +2049

Cleaning up request 69 ID 155 with timestamp +2049

Cleaning up request 70 ID 156 with timestamp +2049

Cleaning up request 71 ID 157 with timestamp +2049

Cleaning up request 72 ID 158 with timestamp +2049

Cleaning up request 73 ID 159 with timestamp +2049

Cleaning up request 74 ID 160 with timestamp +2049

Cleaning up request 75 ID 161 with timestamp +2049

Cleaning up request 76 ID 162 with timestamp +2049

WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

WARNING: !! EAP session for state 0x0311bf9a0b18a64c did not finish!

WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility

WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Ready to process requests.