[RADIATOR] PEAP Issue

Adam Bishop Adam.Bishop at ja.net
Tue Feb 1 11:11:58 CST 2011 

OK, the issue is fixed in SAMBA 3.5.6.

It's a horrible, dirty fix, but to get 3.5.6 into 10.04 quickly:

0) Back up smb.conf

1) # aptitude purge samba winbind samba-common

2) add these 2 lines to /etc/apt/sources.lst
deb http://gb.archive.ubuntu.com/ubuntu/ natty main restricted
deb-src http://gb.archive.ubuntu.com/ubuntu/ natty main restricted


3) # aptitude update

4) # aptitude install samba winbind

5) replace smb.conf

6) reboot / restart smbd / nmbd / winbind

7) remove the two lines from /etc/apt/sources.lst

After this, you will need to keep an eye on the ubuntu repository for
security updates - as the packages have been pulled from a different
repository they will not be updated automatically.

If an update is required, add the two lines again and do:
  # aptitude update
  # aptitude install samba winbind

When natty hits stable (some time in april?) I'll make a back port request
for samba, so 3.5.6 might get included in the back ports repository.

Adam Bishop

On 01/02/2011 15:16, "Heikki Vatiainen" <hvn at open.com.au> wrote:

>On 02/01/2011 03:49 PM, Adam Bishop wrote:
>> Encountering an odd issue with MSCHAPv2/PEAP
>> 
>> I have 2 Radiator instances ­ one based on Debian 5, one on Ubuntu
>>10.04LTS.  They share a config file (barring secrets), and the Debian
>>one works fine.  There is a difference in patch level ­ If I remember
>>correctly, the Debian install is a few patches out of date.
>> 
>> The Ubuntu one accepts PAP, TTLS/PAP and TTLS/MSCHAPv2, but
>>PEAP/MSCHAPv2 fails.  The system is authenticated against active
>>directory - ntlm­auth --request-nt-key works.
>> 
>> The only thing that stands out in the proxied trace is the MD5 failure
>>- libdigest­md5-perl is installed (as far as I know) and seems to be
>>used:
>> 
>> root at orps3:/var/log/radiator# lsof -p 1488 | grep -i md5
>> radiusd 1488 root  mem    REG  251,3    18640  525298
>>/usr/lib/perl/5.10.1/auto/Digest/MD5/MD5.so
>> 
>> The direct trace is just weird ­ NTLM_AUTH seems to give the OK, thenŠ
>>Nothing.
>> 
>> Any suggestions anyone has are appreciated.
>
>You should list the EAP types separated by commas, not one per line. If
>you have them one per line, I think the last one is the only type
>Radiator is told to use.
>
>About MD5 failure, the client does like the suggested EAP type
>(MD5-Challenge) and sends a NAK, so that's why there is the failure.
>
>You may want to remove both instances MD5-Challenge EAPType unless you
>know you need it. For PEAP, EAPType MSCHAP-V2 is usually enough.
>
>
>The "then ... Nothing." behaviour after ntlm_auth looks like what was
>seen earlier, and the reason was ntlm_auth returning incorrect values,
>which make the MSCHAPv2 server authentication fail for the client. In
>other words, the client think server failed to authenticate itself and
>the client stop the authentication process.
>
>Please see ntlm_auth thread from last September:
>http://www.open.com.au/pipermail/radiator/2010-September/thread.html#16658
>
>-- 
>Heikki Vatiainen <hvn at open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.


JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG

More information about the radiator mailing list