Discussion:
PEAP authentication very strange problem! PLEASE HELP
g***@etu.enseeiht.fr
2004-01-14 14:20:26 UTC
Permalink
hello everyone,
I have a very strange problem while I try to do PEAP authentication...
I have successfully made TLS authentication, TTLS also works with secureW2
client, but when I tried to do PEAP authentication, I have a very strange
problem:
I am using a snapshot of freeradius from 2004/01/04, my supplicant is
windows XP SP1 with all patches, and when I do PEAP authentication, all is
fine for freeradius: I have an access accept and MPPE received and send
keys that are printed out. All seems to be good, my AP (which is a cisco ap)
says in the log: "eap authenticated successfull = username ", the same
message that I had when TLS and TTLS worked.
But at the same time, on the Windows side, I have already the same message:
"wait for authentication".... and it's not really authenticated because I
can't do a ping or something like that. I don't have the good message:
authentication successful, which appeared with TLS and TTLS.
But why??? I really don't understand what is not good here... I think it's
a problem on the windows side, don't you think so?? Is it possible to be a
problem with freeradius or my AP?? Please if someone knows, help me!

Renaud Garelli


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
g***@etu.enseeiht.fr
2004-01-15 08:09:34 UTC
Permalink
Anybody knows about this problem...? please help if you have an idea!!!
thanks a lot
matt morris
2004-01-15 14:37:57 UTC
Permalink
I read a post from a user named Mike Saywell, stating a similar situation
"Failing Auth because we got a success/fail without TLV."

The file RASTLS.LOG is the WindowsXP log, obtained by setting the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASTLS\EnableFileTracing
flag to 1.

And if you got the same thing from the log, here's the answer to Mike from

I can authenticate with XSupplicant under Linux fine, but Windows fails
apparently with the error "Failing Auth because we got a success/fail
without TLV."

Hmm... it looks like the PEAP module puts the data into a buffer, to
be put into the TLS tunnel, but the tls code never looks for it on
success/failure.
The functions in eap_tls.c, eaptls_success() and eaptls_fail() have
to be updated to look a little more like eaptls_request(). i.e. to
call record_minus(), etc, to grab the data from the buffer, and put it
into the tunnel.

In the peap section I've tried various combinations of the
copy_request_to_tunnel and use_tunneled_reply flags to no avail -
including leaving them unspecified.

That won't work, as the code is just wrong.

Hopefully somebody can spot what is probably a silly mis-configuration
on my part!

Nope.
PEAP probably works on other systems because they don't look for the
"TLV" response code, like they're supposed to. XP does, so it fails
when the PEAP module doesn't supply the TLV.
Alan DeKok.

Hope this helps
Mike Saywell
2004-01-16 02:25:27 UTC
Permalink
It took me a while to figure out what was going on here...

Turns out the problem was not as Alan suspected. Seems that a return
value got tweaked during a re-structuring of the code.

Anyway here's the (very small) patch:

--- peap.c.orig Fri Jan 16 02:01:45 2004
+++ peap.c Fri Jan 16 02:02:03 2004
@@ -267,7 +267,7 @@
DEBUG2(" PEAP: Tunneled authentication was successful.");
t->status = PEAP_STATUS_SENT_TLV_SUCCESS;
eappeap_success(handler, tls_session);
- rcode = RLM_MODULE_OK;
+ rcode = RLM_MODULE_HANDLED;

/*
* If we've been told to use the attributes from
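Review bot: the new `rcode = RLM_MODULE_HANDLED;` line directly after `eappeap_success(handler, tls_session);` should carry a comment saying why this branch must not return RLM_MODULE_OK. The message around the patch says the value was changed during a restructuring, and nothing in the hunk documents the dependency, so the same regression can be reintroduced by the next cleanup. A one-line comment stating that the success TLV queued by eappeap_success() has to go out to the client before the final accept would be enough. Separately, the visible lines set `t->status = PEAP_STATUS_SENT_TLV_SUCCESS;` before the call and discard whatever eappeap_success() returns; if that function can fail, the status and rcode should only be set once it has succeeded.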

I only spotted the change when comparing a version I checked out from
November which worked ok. I'm not sure if the change was intentional,
but reversing it gets PEAP working again for me.

Oh btw has something changed in the configure/makefiles recently?
Just that to compile TLS/TTLS support I currently have to run:

./configure --with-openssl-includes=/usr/include/ --with-openssl-libraries=/usr/lib/

It's only started happening recently, perhaps it's something weird in
my setup, I'm too tired to care right now ;)

Cheers,

Mike
g***@etu.enseeiht.fr
2004-01-16 08:32:22 UTC
Permalink
hi!
I would like to test your patch but I don't know where I must put it!
Should I have to create a file and put your patch inside? and the file
must be put in which directory?
thanks a lot!
renaud
Mike Saywell
2004-01-16 11:52:17 UTC
Permalink
The file is in src/modules/rlm_eap/types/rlm_eap_peap

Just change line 267 as shown :)

Mike
Alan DeKok
2004-01-19 01:33:10 UTC
Permalink
Post by Mike Saywell
Turns out the problem was not as Alan suspected. Seems that a return
value got tweaked during a re-structuring of the code.
Ah... that's probably my fault. Sorry.
The change results in the magic PEAP "success" TLV being returned to
the client, and *then* an Access-Accept. The result is similar to
what I had said before about fixing the problem.

I'll apply the patch on Monday.

Alan DeKok.
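
The ordering described in the message above, modelled as an added example in C; it is not FreeRADIUS or Windows code. The Result TLV byte layout and the constants (EAP type 33, TLV type 3, status 1/2) are assumptions taken from the PEAPv0 draft, and `run_flow`, `supplicant_run` and the event types are hypothetical names for a strict supplicant that rejects an outer success not preceded by a success TLV.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants as given in the PEAPv0 draft; assumptions, not taken from the thread. */
enum { EAP_REQUEST = 1, EAP_RESPONSE = 2 };
enum { EAP_TYPE_EXTENSIONS = 33, TLV_RESULT = 3 };
enum { RESULT_NONE = 0, RESULT_SUCCESS = 1, RESULT_FAILURE = 2 };

/* What the supplicant sees, in order (hypothetical model types). */
typedef enum { EV_INNER_EAP, EV_OUTER_SUCCESS, EV_OUTER_FAILURE } ev_kind;
typedef struct { ev_kind kind; const uint8_t *data; size_t len; } event;
typedef enum { SUPP_WAITING, SUPP_AUTHENTICATED, SUPP_REJECTED } supp_state;

/* Build the 11-byte inner EAP-Request that carries a Result TLV.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t build_result_tlv(uint8_t *out, size_t cap, uint8_t id, uint16_t status)
{
    if (out == NULL || cap < 11) return 0;
    out[0] = EAP_REQUEST;
    out[1] = id;
    out[2] = 0; out[3] = 11;             /* EAP length, big-endian */
    out[4] = EAP_TYPE_EXTENSIONS;
    out[5] = 0x80;                       /* mandatory bit set, type high bits 0 */
    out[6] = TLV_RESULT;
    out[7] = 0; out[8] = 2;              /* TLV value length */
    out[9] = (uint8_t)(status >> 8);
    out[10] = (uint8_t)(status & 0xff);
    return 11;
}

/* Parse an inner EAP packet; returns RESULT_SUCCESS or RESULT_FAILURE,
 * or -1 if it is not a well-formed Result TLV. */
int parse_result_tlv(const uint8_t *p, size_t len)
{
    if (p == NULL || len < 11) return -1;
    if (p[0] != EAP_REQUEST && p[0] != EAP_RESPONSE) return -1;
    size_t eap_len = ((size_t)p[2] << 8) | p[3];
    if (eap_len != 11) return -1;
    if (p[4] != EAP_TYPE_EXTENSIONS) return -1;
    unsigned type = ((unsigned)(p[5] & 0x3f) << 8) | p[6];  /* drop M and R bits */
    unsigned vlen = ((unsigned)p[7] << 8) | p[8];
    if (type != TLV_RESULT || vlen != 2) return -1;
    unsigned status = ((unsigned)p[9] << 8) | p[10];
    if (status != RESULT_SUCCESS && status != RESULT_FAILURE) return -1;
    return (int)status;
}

/* Strict supplicant: an outer success only counts if a success Result TLV
 * arrived through the tunnel first. */
supp_state supplicant_run(const event *ev, size_t n)
{
    int result = RESULT_NONE;
    for (size_t i = 0; i < n; i++) {
        switch (ev[i].kind) {
        case EV_INNER_EAP: {
            int r = parse_result_tlv(ev[i].data, ev[i].len);
            if (r > 0) result = r;
            break;
        }
        case EV_OUTER_SUCCESS:
            return result == RESULT_SUCCESS ? SUPP_AUTHENTICATED : SUPP_REJECTED;
        case EV_OUTER_FAILURE:
            return SUPP_REJECTED;
        }
    }
    return SUPP_WAITING;
}

/* tlv_first = 0 models the regressed server (accept sent, TLV never reaches
 * the client); tlv_first = 1 models the patched ordering (TLV, then accept). */
supp_state run_flow(int tlv_first)
{
    uint8_t tlv[11];
    event ev[2];
    size_t n = 0;
    if (tlv_first) {
        size_t len = build_result_tlv(tlv, sizeof tlv, 7, RESULT_SUCCESS);
        ev[n++] = (event){ EV_INNER_EAP, tlv, len };
    }
    ev[n++] = (event){ EV_OUTER_SUCCESS, NULL, 0 };
    return supplicant_run(ev, n);
}

/* Build then parse, to check the two routines agree on the layout. */
int roundtrip(uint16_t status)
{
    uint8_t buf[11];
    size_t len = build_result_tlv(buf, sizeof buf, 1, status);
    return parse_result_tlv(buf, len);
}

int main(void)
{
    static const char *names[] = { "waiting", "authenticated", "rejected" };
    printf("accept without TLV: %s\n", names[run_flow(0)]);
    printf("TLV then accept:    %s\n", names[run_flow(1)]);
    return 0;
}
```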

Alan DeKok
2004-01-19 19:10:26 UTC
Permalink
Post by Mike Saywell
Turns out the problem was not as Alan suspected. Seems that a return
value got tweaked during a re-structuring of the code.
Added, thanks.

Alan DeKok.

g***@etu.enseeiht.fr
2004-01-16 08:25:12 UTC
Permalink
Thanks for your help!
But I think it's not exactly the same problem that I have:
In my problem, I have an Access ACCEPT from the freeradius server, with a
successful authentication (MPPE keys received and send are printed on
freeradius side and seem to be OK)
The Access point also prints in its logs: "authentication EAP sucessful =
username"
But it seems that Windows XP doesn't understand!! It is again and again
blocked on "authentication waiting"
My question is: is it possible that the problem could come from
freeradius or not? Do you think freeradius is good and my problem is on
windows side?? (XP Sp1 with all patches)
Thanks!!
renaud
matt morris
2004-01-18 02:54:14 UTC
Permalink
Hello, Mike. Just a verification: So you replaced "rcode = RLM_MODULE_OK;"
with "rcode = RLM_MODULE_HANDLED;"? I tried that and the winxp supplicant
can indeed connect successfully. However, the user was not prompted for the
username and password on subsequent reboots and can still get access to the
internet after that one successful login. Is that an expected result? (My
desired result should be the user gets prompted to authenticate every time
he/she reboots or loads up winxp in order to gain access.) Is that an IP
lease time problem, or a cookie/temp file problem or the modified peap
module's problem?

TIA
Mike Saywell
2004-01-18 15:33:20 UTC
Permalink
Hmm,

I guess Windows is just caching the details, I'm not sure though.

In fact that does seem to be the case:

See http://support.microsoft.com/default.aspx?scid=kb;en-us;828996

Article 823731 contains instructions on how to remove the cache, however
it sounds like you would have to do that every time:

"There is no option that you can configure in Windows XP to prevent the
operating system from storing your credentials."

I guess you could kludge it so that the cache is removed every time the
machine boots. Or use Linux ;)

Cheers,

Mike
Post by matt morris
Hello, Mike. Just a verification: So you replaced "rcode = RLM_MODULE_OK;"
with "rcode = RLM_MODULE_HANDLED;"? I tried that and the winxp supplicant
can indeed connect successfully. However, the user was not prompted for the
username and password on subsequent reboots and can still get access to the
internet after that one successful login. Is that an expected result? (My
desired result should be the user get prompted to authenticate everytime
he/she reboots or loads up winxp in order to gain access. Is that an ip
least time problem, or a cookie/temp file problem or the modifed peap
module's problem?
TIA
Subject: [PATCH] Re: PEAP authentication very strange problem! PLEASE HELP
Date: Fri, 16 Jan 2004 02:25:27 +0000
It took me a while to figure out what was going on here...
Turns out the problem was not as Alan suspected. Seems that a return
value got tweaked during a re-structuring of the code.
--- peap.c.orig Fri Jan 16 02:01:45 2004
+++ peap.c Fri Jan 16 02:02:03 2004
@@ -267,7 +267,7 @@
DEBUG2(" PEAP: Tunneled authentication was successful.");
t->status = PEAP_STATUS_SENT_TLV_SUCCESS;
eappeap_success(handler, tls_session);
- rcode = RLM_MODULE_OK;
+ rcode = RLM_MODULE_HANDLED;
/*
* If we've been told to use the attributes from
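Review bot: the replacement line `rcode = RLM_MODULE_HANDLED;` carries no comment saying why this branch must not return RLM_MODULE_OK, and the accompanying message says the value was already changed once during a restructuring. The two lines above it set t->status to PEAP_STATUS_SENT_TLV_SUCCESS and call eappeap_success(), so the status name indicates that the success TLV has only just been sent at this point; a one-line comment on the rcode line stating that would make the intent explicit and protect it from the next clean-up. The message also leaves open whether the earlier switch to RLM_MODULE_OK was intentional, which is worth confirming against the change that introduced it before this is applied.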
I only spotted the change when comparing a version I checked out from
november which worked ok. I'm not sure if the change was intentional,
but reversing it gets PEAP working again for me.
Oh btw has something changed in the configure/makefiles recently?
./configure --with-openssl-includes=/usr/include/
--with-openssl-libraries=/usr/lib/
It's only started happening recently, perhaps it's something weird in
my setup, I'm too tired to care right now ;)
Cheers,
Mike
Post by matt morris
I read a post from a user named Mike Saywell, stating a similar situation
"Failing Auth because we got a success/fail without TLV."
The file RASTLS.LOG is the WindowsXP log, obtained by setting the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASTLS\EnableFileTracing
flag to 1.
And if you got the same thing from the log, here's the answer to Mike from
I can authenticate with XSupplicant under Linux fine, but Windows fails
apparently with the error "Failing Auth because we got a success/fail
without TLV."
Hmm... it looks like the PEAP module puts the data into a buffer, to
be put into the TLS tunnel, but the tls code never looks for it on
success/failure.
The functions in eap_tls.c, eaptls_success() and eaptls_fail() have
to be updated to look a little more like eaptls_request(). i.e. to
call record_minus(), etc, to grab the data from the buffer, and put it
into the tunnel.
In the peap section I've tried various combinations of the
copy_request_to_tunnel and use_tunneled_reply flags to no avail -
including leaving them unspecified.
That won't work, as the code is just wrong.
Hopefully somebody can spot what is probably a silly mis-configuration
on my part!
Nope.
PEAP probably works on other systems because they don't look for the
"TLV" response code, like they're supposed to. XP does, so it fails
when the PEAP module doesn't supply the TLV.
Alan DeKok.
Hope this helps
Subject: Re: PEAP authentication very strange problem! PLEASE HELP
Date: Thu, 15 Jan 2004 09:09:34 +0100 (MET)
Anybody knows about this problem...? please help if you have an idea!!!
thanks a lot
hello everyone,
I have a very strange problem while I try to do PEAP authentication...
I have successfully made TLS authentication, TTLS also works with secureW2
client, but when I tried to do PEAP authentication, I have a very strange
I am using a snapshot of freeradius from 2004/01/04, my supplicant is
windows XP SP1 with all patch, and when I do PEAP authentication, all is
fine for freeradius : I have an access accept and MPPE received and send
key that are printed out. all seems to be good, my AP (which is cisco ap)
says in the log : "eap authenticated successfull = username ", the same
message that I had when TLS and TTLS worked.
But in the same time, in Windows side, I have already the same
"wait for authentication".... and it's not really authenticated because I
can't do a ping or something like that. I don't have the good message
authentication successful, which appeared with TLS and TTLS.
But why ??? I really don't understand what is not good here... I think it's
a problem in windows side, don't you think so?? Is it possible to be a
problem with freeradius or my AP ?? please if someone knows, help me!
Renaud Garelli