(RADIATOR) PEAP ms-chap-v2 "Desired EAP type 25 not permitted"

Mike McCauley mikem at open.com.au
Wed Jun 11 07:58:34 CDT 2003


Hello,

You did not send your configuration file: it makes it much easier for us to 
diagnose problems if you send your configuration file (no secrets).

It looks like you have your EAPType set to just MSCHAP-V2, and the client is 
trying to do the outer authentication PEAP first.

You probably need to set your EAPType to 

EAPType PEAP,MSCHAP-V2

See goodies/eap_peap.cfg for examples on how to configure for PEAP.

Cheers.


On Wed, 11 Jun 2003 09:55 pm, Mobic.com wrote:
> Hi
>
> I am testing different eap methods, and I have successfully tested:
>
> eap-md5
> eap-tls
> eap-ttls (ms-chap-v2)
>
> using the Odyssey supplicant.
>
> But I have problems testing peap (ms-chap-v2), the log says "Access
> rejected for testUser: Desired EAP type 25 not permitted" (see log file
> below).
>
> I am using the eap_multi.cfg configuration and the demo certificates. I am
> using the Zyxel B-1000 AP.
>
> Any ideas how to resolve this?
>
> This is what I get from the log:
>
> Code:       Access-Request
> Identifier: 227
> Authentic:  Q<236>o<156>GjC<226><150>e<179><16><30><251>Ba
> Attributes:
> 	User-Name = "testUser"
> 	NAS-IP-Address = 195.134.48.28
> 	NAS-Identifier = "WI_test"
> 	Framed-MTU = 1496
> 	Called-Station-Id = "00-a0-c5-37-3e-62:Wireless"
> 	Calling-Station-Id = "00-04-75-df-ae-e3"
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	EAP-Message = <2>)<0><6><13><0>
> 	Message-Authenticator =
> 8}<150><137><138><239><232><29><136><14>><21>;<243><241><6>
>
> Wed Jun 11 12:54:08 2003: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Wed Jun 11 12:54:08 2003: DEBUG: Rewrote user name to testUser
> Wed Jun 11 12:54:08 2003: DEBUG:  Deleting session for testUser,
> 195.134.48.28,
> Wed Jun 11 12:54:08 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Jun 11 12:54:08 2003: DEBUG: Handling with EAP: code 2, 41, 6
> Wed Jun 11 12:54:08 2003: DEBUG: Response type 13
> Wed Jun 11 12:54:08 2003: DEBUG: Radius::AuthFILE looks for match with
> testUser
> Wed Jun 11 12:54:08 2003: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Jun 11 12:54:08 2003: DEBUG: Access accepted for testUser
> Wed Jun 11 12:54:08 2003: DEBUG: Packet dump:
> *** Sending to 195.134.48.28 port 1026 ....
> Code:       Access-Accept
> Identifier: 227
> Authentic:  Q<236>o<156>GjC<226><150>e<179><16><30><251>Ba
> Attributes:
> 	EAP-Message = <3>)<0><4>
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Jun 11 12:54:35 2003: DEBUG: Packet dump:
> *** Received from 195.134.48.28 port 1026 ....
> Code:       Access-Request
> Identifier: 228
> Authentic:  Z<208><199><142><252>5<139>d<199><187><213>w<127><203>40
> Attributes:
> 	User-Name = "testUser"
> 	NAS-IP-Address = 195.134.48.28
> 	NAS-Identifier = "WI_test"
> 	Framed-MTU = 1496
> 	Called-Station-Id = "00-a0-c5-37-3e-62:Wireless"
> 	Calling-Station-Id = "00-04-75-df-ae-e3"
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	EAP-Message = <2>*<0><13><1>testUser
> 	Message-Authenticator =
> <130><194><168>'<178><146><147><156><142>x+<189><190><18>'*
>
> Wed Jun 11 12:54:35 2003: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Wed Jun 11 12:54:35 2003: DEBUG: Rewrote user name to testUser
> Wed Jun 11 12:54:35 2003: DEBUG:  Deleting session for testUser,
> 195.134.48.28,
> Wed Jun 11 12:54:35 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Jun 11 12:54:35 2003: DEBUG: Handling with EAP: code 2, 42, 13
> Wed Jun 11 12:54:35 2003: DEBUG: Response type 1
> Wed Jun 11 12:54:35 2003: DEBUG: Access challenged for testUser: EAP
> MSCHAP-V2 Challenge
> Wed Jun 11 12:54:35 2003: DEBUG: Packet dump:
> *** Sending to 195.134.48.28 port 1026 ....
> Code:       Access-Challenge
> Identifier: 228
> Authentic:  Z<208><199><142><252>5<139>d<199><187><213>w<127><203>40
> Attributes:
> 	EAP-Message =
> <1>+<0>/<26><1>+<0>*<16>G4<193>lC:<216><191><12><189><133>|<244><22>!<227>i
>n novasjon.mobinor.no
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Jun 11 12:54:35 2003: DEBUG: Packet dump:
> *** Received from 195.134.48.28 port 1026 ....
> Code:       Access-Request
> Identifier: 229
> Authentic:  <164><254>}w<153><236>?M<139><166><149>/<254><239><180><253>
> Attributes:
> 	User-Name = "testUser"
> 	NAS-IP-Address = 195.134.48.28
> 	NAS-Identifier = "WI_test"
> 	Framed-MTU = 1496
> 	Called-Station-Id = "00-a0-c5-37-3e-62:Wireless"
> 	Calling-Station-Id = "00-04-75-df-ae-e3"
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	EAP-Message = <2>+<0><6><3><25>
> 	Message-Authenticator =
> <180>h<24><219>a<149>,<159><201><249><236>rk<<161><28>
>
> Wed Jun 11 12:54:35 2003: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Wed Jun 11 12:54:35 2003: DEBUG: Rewrote user name to testUser
> Wed Jun 11 12:54:35 2003: DEBUG:  Deleting session for testUser,
> 195.134.48.28,
> Wed Jun 11 12:54:35 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Jun 11 12:54:35 2003: DEBUG: Handling with EAP: code 2, 43, 6
> Wed Jun 11 12:54:35 2003: DEBUG: Response type 3
> Wed Jun 11 12:54:35 2003: INFO: EAP Nak desires type 25
> Wed Jun 11 12:54:35 2003: INFO: Access rejected for testUser: Desired EAP
> type 25 not permitted
> Wed Jun 11 12:54:35 2003: DEBUG: Packet dump:
> *** Sending to 195.134.48.28 port 1026 ....
> Code:       Access-Reject
> Identifier: 229
> Authentic:  <164><254>}w<153><236>?M<139><166><149>/<254><239><180><253>
> Attributes:
> 	Reply-Message = "Request Denied"
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
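
Added example (not part of the original post and not Radiator code): the three EAP-Message values the client sent in the quoted log, decoded in Python to show that the last one is an EAP Nak asking for type 25 (PEAP) and how that request fares against an EAPType list. The name table and the `permitted` check are a simplified model of the EAPType setting, assumed for illustration.

```python
import re

# EAP method numbers (IANA EAP registry), limited to those seen in this thread.
# The names are labels chosen for this example.
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def unescape_dump(text):
    """Convert the dump notation (<NNN> = decimal byte, anything else = literal char) to bytes."""
    out = bytearray()
    for num, ch in re.findall(r"<(\d{1,3})>|(.)", text, flags=re.S):
        out.append(int(num) if num else ord(ch))
    return bytes(out)

def parse_eap(data):
    """Decode an EAP packet (RFC 3748): code, identifier, 2-byte length, then type and data."""
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length < 4 or length > len(data):
        raise ValueError("EAP length field disagrees with the data")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:      # only Request/Response carry a type
        pkt["type"] = data[4]
        pkt["type_data"] = data[5:length]
    return pkt

def nak_verdict(pkt, permitted):
    """For a Nak (type 3), map each desired method to whether the list permits it."""
    if pkt.get("type") != 3:
        return None
    desired = [EAP_TYPES.get(t, str(t)) for t in pkt["type_data"]]
    return {name: name in permitted for name in desired}

# EAP-Message values copied from the three Access-Requests in the quoted log.
LOGGED = ["<2>)<0><6><13><0>", "<2>*<0><13><1>testUser", "<2>+<0><6><3><25>"]

if __name__ == "__main__":
    for raw in LOGGED:
        pkt = parse_eap(unescape_dump(raw))
        print(pkt["code"], pkt["id"], pkt["length"], EAP_TYPES.get(pkt.get("type")))
        for permitted in (["MSCHAP-V2"], ["PEAP", "MSCHAP-V2"]):
            verdict = nak_verdict(pkt, permitted)
            if verdict is not None:
                print("  EAPType", ",".join(permitted), "->", verdict)
```

The decoded code, identifier and length of each packet match the "Handling with EAP: code 2, 41, 6", "code 2, 42, 13" and "code 2, 43, 6" lines in the log.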
