My WLAN has now been working without problems for weeks: just not with Windows…
Everyone gets onto the network with WPA2 Enterprise: only Windows doesn't … well, that's not quite right: Windows does get in, but says: Connected, no Internet
And there really is no Internet.
In the config file
/etc/freeradius/3.0/mods-available/eap
there is something revealing about Windows and EAP:
"
COMPATIBILITY
The certificates created using this method are known to be compatible
with ALL operating systems. Some common issues are:
Windows requires certain OIDs in the certificates. If it doesn’t
see them, it will stop doing EAP. The most visible effect is
that the client starts EAP, gets a few Access-Challenge packets,
and then a little while later re-starts EAP. If this happens, see
the FAQ, and the comments in raddb/eap.conf for how to fix it.
Windows requires the root certificates to be on the client PC.
If it doesn’t have them, you will see the same issue as above.
Windows XP post SP2 has a bug where it has problems with
certificate chains. i.e. if the server certificate is an
intermediate one, and not a root one, then authentication will
silently fail, as above.
Some versions of Windows CE cannot handle 4K RSA certificates.
They will (again) silently fail, as above.
In none of these cases will Windows give the end user any
reasonable error message describing what went wrong. This leads
people to blame the RADIUS server. That blame is misplaced.
Certificate chains of more than 64K bytes are known to not work.
This is a problem in FreeRADIUS. However, most clients cannot
handle 64K certificate chains. Most Access Points will shut down
the EAP session after about 50 round trips, while 64K certificate
chains will take about 60 round trips. So don’t use large
certificate chains. They will only work after everyone upgrade
everything in the network.
All other operating systems are known to work with EAP and
FreeRADIUS. This includes Linux, *BSD, Mac OS X, Solaris,
Symbian, along with all known embedded systems, phones, WiFi
devices, etc.
Someone needs to ask Microsoft to please stop making life hard for
their customers.
"
So yesterday I created a new self-signed certificate following the instructions in the directory /etc/freeradius/3.0/certs/ and point to it in eap.conf.
Effect: everyone gets in as usual … only Windows "silently fails" … so still "Connected, no Internet".
Does anyone have an idea?
Or experience with the freeradius config?
Does your Windows work with the same routing/DNS/proxy conditions
as the other, successfully connected clients?
I specifically set up an old laptop with Win10 1903 so that I can
test …
Yes: the IP is from the same range as on my Linux laptop.
Gateway and DNS are the same.
What do the logs, or freeradius itself, say when you run it in debug mode
(freeradius -X)?
Here are two logins in succession: first my Linux laptop (MAC ending in AC), then the Windows laptop (MAC ending in 88, but only in the next message, because otherwise this one gets too long):
Wed Oct 2 14:27:32 2019 : Debug: (27) Received Access-Request Id 72 from 10.17.15.31:59627 to 10.16.1.1:1812 length 312
Wed Oct 2 14:27:32 2019 : Debug: (27) User-Name = "baumho"
Wed Oct 2 14:27:32 2019 : Debug: (27) NAS-Identifier = "f09fc2fe0e88"
Wed Oct 2 14:27:32 2019 : Debug: (27) Called-Station-Id = "F0-9F-C2-FE-0E-88:LMGSR"
Wed Oct 2 14:27:32 2019 : Debug: (27) NAS-Port-Type = Wireless-802.11
Wed Oct 2 14:27:32 2019 : Debug: (27) Service-Type = Framed-User
Wed Oct 2 14:27:32 2019 : Debug: (27) Calling-Station-Id = "60-67-20-B5-12-AC"
Wed Oct 2 14:27:32 2019 : Debug: (27) Connect-Info = "CONNECT 0Mbps 802.11b"
Wed Oct 2 14:27:32 2019 : Debug: (27) Acct-Session-Id = "B8695F95492C3A28"
Wed Oct 2 14:27:32 2019 : Debug: (27) WLAN-Pairwise-Cipher = 1027076
Wed Oct 2 14:27:32 2019 : Debug: (27) WLAN-Group-Cipher = 1027076
Wed Oct 2 14:27:32 2019 : Debug: (27) WLAN-AKM-Suite = 1027073
Wed Oct 2 14:27:32 2019 : Debug: (27) Framed-MTU = 1400
Wed Oct 2 14:27:32 2019 : Debug: (27) EAP-Message = 0x0251006f15001703030064f6d056a71412327874cb171b5b78a66414a7b4a8cc0cf237b3ed55da13217e560b39f960fb48702dd380a815cf6283b86979b5fca795a32ee3eb7935595e82e3fdbd27a1a073d1f35846ce3755250ae9010eb1bdbb253f756d8b698033669d4f3d266d1b
Wed Oct 2 14:27:32 2019 : Debug: (27) State = 0xeb6007aaed31127e5bc8d5d0acc56213
Wed Oct 2 14:27:32 2019 : Debug: (27) Message-Authenticator = 0x68cccfbd3bd77835609fda0eecd1d6f7
Wed Oct 2 14:27:32 2019 : Debug: (27) session-state: No cached attributes
Wed Oct 2 14:27:32 2019 : Debug: (27) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
Wed Oct 2 14:27:32 2019 : Debug: (27) authorize {
Wed Oct 2 14:27:32 2019 : Debug: (27) policy filter_username {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name) -> TRUE
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ / /) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ / /) -> FALSE
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /@[^@]*@/ ) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /\.\./ ) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /\.\./ ) -> FALSE
Wed Oct 2 14:27:32 2019 : Debug: (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /\.$/) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /\.$/) -> FALSE
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /@\./) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /@\./) -> FALSE
Wed Oct 2 14:27:32 2019 : Debug: (27) } # if (&User-Name) = notfound
Wed Oct 2 14:27:32 2019 : Debug: (27) } # policy filter_username = notfound
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: calling preprocess (rlm_preprocess)
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: returned from preprocess (rlm_preprocess)
Wed Oct 2 14:27:32 2019 : Debug: (27) [preprocess] = ok
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: calling chap (rlm_chap)
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: returned from chap (rlm_chap)
Wed Oct 2 14:27:32 2019 : Debug: (27) [chap] = noop
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: calling mschap (rlm_mschap)
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: returned from mschap (rlm_mschap)
Wed Oct 2 14:27:32 2019 : Debug: (27) [mschap] = noop
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: calling digest (rlm_digest)
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: returned from digest (rlm_digest)
Wed Oct 2 14:27:32 2019 : Debug: (27) [digest] = noop
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: calling suffix (rlm_realm)
Wed Oct 2 14:27:32 2019 : Debug: (27) suffix: Checking for suffix after "@"
Wed Oct 2 14:27:32 2019 : Debug: (27) suffix: No '@' in User-Name = "baumho", looking up realm NULL
Wed Oct 2 14:27:32 2019 : Debug: (27) suffix: No such realm "NULL"
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: returned from suffix (rlm_realm)
Wed Oct 2 14:27:32 2019 : Debug: (27) [suffix] = noop
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: calling eap (rlm_eap)
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Peer sent EAP Response (code 2) ID 81 length 111
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Continuing tunnel setup
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: returned from eap (rlm_eap)
Wed Oct 2 14:27:32 2019 : Debug: (27) [eap] = ok
Wed Oct 2 14:27:32 2019 : Debug: (27) } # authorize = ok
Wed Oct 2 14:27:32 2019 : Debug: (27) Found Auth-Type = eap
Wed Oct 2 14:27:32 2019 : Debug: (27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
Wed Oct 2 14:27:32 2019 : Debug: (27) authenticate {
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authenticate]: calling eap (rlm_eap)
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Expiring EAP session with state 0x3ee384dc3fe19e4d
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Finished EAP session with state 0xeb6007aaed31127e
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Previous EAP request found for state 0xeb6007aaed31127e, released from the list
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Peer sent packet with method EAP TTLS (21)
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Calling submodule eap_ttls to process data
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_ttls: Authenticate
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_ttls: Continuing EAP-TLS
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_ttls: Peer sent flags ---
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_ttls: [eaptls verify] = ok
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_ttls: Done initial handshake
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_ttls: [eaptls process] = ok
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_ttls: Session established. Proceeding to decode tunneled attributes
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_ttls: Got tunneled request
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_ttls: EAP-Message = 0x020200411a0202003c31ce711d6c524c1830e5ddd7fee478b0a30000000000000000c82a687251cd5d5d0d484a3a054d7d591b8fa8e166aea306006261756d686f
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_ttls: Sending tunneled request
Wed Oct 2 14:27:32 2019 : Debug: (27) Virtual server inner-tunnel received request
Wed Oct 2 14:27:32 2019 : Debug: (27) EAP-Message = 0x020200411a0202003c31ce711d6c524c1830e5ddd7fee478b0a30000000000000000c82a687251cd5d5d0d484a3a054d7d591b8fa8e166aea306006261756d686f
Wed Oct 2 14:27:32 2019 : Debug: (27) FreeRADIUS-Proxied-To = 127.0.0.1
Wed Oct 2 14:27:32 2019 : Debug: (27) User-Name = "baumho"
Wed Oct 2 14:27:32 2019 : Debug: (27) State = 0x3ee384dc3fe19e4dcc7851e2e427c8b8
Wed Oct 2 14:27:32 2019 : WARNING: (27) Outer and inner identities are the same. User privacy is compromised.
Wed Oct 2 14:27:32 2019 : Debug: (27) server inner-tunnel {
Wed Oct 2 14:27:32 2019 : Debug: (27) session-state: No cached attributes
Wed Oct 2 14:27:32 2019 : Debug: (27) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
Wed Oct 2 14:27:32 2019 : Debug: (27) authorize {
Wed Oct 2 14:27:32 2019 : Debug: (27) policy filter_username {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name) -> TRUE
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ / /) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ / /) -> FALSE
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /@[^@]*@/ ) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /\.\./ ) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /\.\./ ) -> FALSE
Wed Oct 2 14:27:32 2019 : Debug: (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /\.$/) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /\.$/) -> FALSE
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /@\./) {
Wed Oct 2 14:27:32 2019 : Debug: (27) if (&User-Name =~ /@\./) -> FALSE
Wed Oct 2 14:27:32 2019 : Debug: (27) } # if (&User-Name) = notfound
Wed Oct 2 14:27:32 2019 : Debug: (27) } # policy filter_username = notfound
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: calling chap (rlm_chap)
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: returned from chap (rlm_chap)
Wed Oct 2 14:27:32 2019 : Debug: (27) [chap] = noop
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: calling mschap (rlm_mschap)
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: returned from mschap (rlm_mschap)
Wed Oct 2 14:27:32 2019 : Debug: (27) [mschap] = noop
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: calling suffix (rlm_realm)
Wed Oct 2 14:27:32 2019 : Debug: (27) suffix: Checking for suffix after "@"
Wed Oct 2 14:27:32 2019 : Debug: (27) suffix: No '@' in User-Name = "baumho", looking up realm NULL
Wed Oct 2 14:27:32 2019 : Debug: (27) suffix: No such realm "NULL"
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: returned from suffix (rlm_realm)
Wed Oct 2 14:27:32 2019 : Debug: (27) [suffix] = noop
Wed Oct 2 14:27:32 2019 : Debug: (27) update control {
Wed Oct 2 14:27:32 2019 : Debug: (27) &Proxy-To-Realm := LOCAL
Wed Oct 2 14:27:32 2019 : Debug: (27) } # update control = noop
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: calling eap (rlm_eap)
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Peer sent EAP Response (code 2) ID 2 length 65
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: returned from eap (rlm_eap)
Wed Oct 2 14:27:32 2019 : Debug: (27) [eap] = updated
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: calling files (rlm_files)
Wed Oct 2 14:27:32 2019 : Debug: (27) files: users: Matched entry DEFAULT at line 175
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: returned from files (rlm_files)
Wed Oct 2 14:27:32 2019 : Debug: (27) [files] = ok
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: calling expiration (rlm_expiration)
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: returned from expiration (rlm_expiration)
Wed Oct 2 14:27:32 2019 : Debug: (27) [expiration] = noop
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: calling logintime (rlm_logintime)
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: returned from logintime (rlm_logintime)
Wed Oct 2 14:27:32 2019 : Debug: (27) [logintime] = noop
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: calling pap (rlm_pap)
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authorize]: returned from pap (rlm_pap)
Wed Oct 2 14:27:32 2019 : Debug: (27) [pap] = noop
Wed Oct 2 14:27:32 2019 : Debug: (27) } # authorize = updated
Wed Oct 2 14:27:32 2019 : Debug: (27) Found Auth-Type = eap
Wed Oct 2 14:27:32 2019 : Debug: (27) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
Wed Oct 2 14:27:32 2019 : Debug: (27) authenticate {
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authenticate]: calling eap (rlm_eap)
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Expiring EAP session with state 0x3ee384dc3fe19e4d
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Finished EAP session with state 0x3ee384dc3fe19e4d
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Previous EAP request found for state 0x3ee384dc3fe19e4d, released from the list
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Peer sent packet with method EAP MSCHAPv2 (26)
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Calling submodule eap_mschapv2 to process data
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_mschapv2: authenticate {
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap)
Wed Oct 2 14:27:32 2019 : Debug: (27) mschap: Creating challenge hash with username: baumho
Wed Oct 2 14:27:32 2019 : Debug: (27) mschap: Client is using MS-CHAPv2
Wed Oct 2 14:27:32 2019 : Debug: (27) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=BZPF --require-membership-of=BZPF\wifi --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
Wed Oct 2 14:27:32 2019 : Debug: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
Wed Oct 2 14:27:32 2019 : Debug: Parsed xlat tree:
Wed Oct 2 14:27:32 2019 : Debug: literal --> --username=
Wed Oct 2 14:27:32 2019 : Debug: XLAT-IF {
Wed Oct 2 14:27:32 2019 : Debug: attribute --> Stripped-User-Name
Wed Oct 2 14:27:32 2019 : Debug: }
Wed Oct 2 14:27:32 2019 : Debug: XLAT-ELSE {
Wed Oct 2 14:27:32 2019 : Debug: XLAT-IF {
Wed Oct 2 14:27:32 2019 : Debug: attribute --> User-Name
Wed Oct 2 14:27:32 2019 : Debug: }
Wed Oct 2 14:27:32 2019 : Debug: XLAT-ELSE {
Wed Oct 2 14:27:32 2019 : Debug: literal --> None
Wed Oct 2 14:27:32 2019 : Debug: }
Wed Oct 2 14:27:32 2019 : Debug: }
Wed Oct 2 14:27:32 2019 : Debug: (27) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
Wed Oct 2 14:27:32 2019 : Debug: (27) mschap: --> --username=baumho
Wed Oct 2 14:27:32 2019 : Debug: --challenge=%{%{mschap:Challenge}:-00}
Wed Oct 2 14:27:32 2019 : Debug: Parsed xlat tree:
Wed Oct 2 14:27:32 2019 : Debug: literal --> --challenge=
Wed Oct 2 14:27:32 2019 : Debug: XLAT-IF {
Wed Oct 2 14:27:32 2019 : Debug: xlat --> mschap
Wed Oct 2 14:27:32 2019 : Debug: {
Wed Oct 2 14:27:32 2019 : Debug: literal --> Challenge
Wed Oct 2 14:27:32 2019 : Debug: }
Wed Oct 2 14:27:32 2019 : Debug: }
Wed Oct 2 14:27:32 2019 : Debug: XLAT-ELSE {
Wed Oct 2 14:27:32 2019 : Debug: literal --> 00
Wed Oct 2 14:27:32 2019 : Debug: }
Wed Oct 2 14:27:32 2019 : Debug: (27) mschap: Creating challenge hash with username: baumho
Wed Oct 2 14:27:32 2019 : Debug: (27) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
Wed Oct 2 14:27:32 2019 : Debug: (27) mschap: --> --challenge=00049bed3e100bcd
Wed Oct 2 14:27:32 2019 : Debug: --nt-response=%{%{mschap:NT-Response}:-00}
Wed Oct 2 14:27:32 2019 : Debug: Parsed xlat tree:
Wed Oct 2 14:27:32 2019 : Debug: literal --> --nt-response=
Wed Oct 2 14:27:32 2019 : Debug: XLAT-IF {
Wed Oct 2 14:27:32 2019 : Debug: xlat --> mschap
Wed Oct 2 14:27:32 2019 : Debug: {
Wed Oct 2 14:27:32 2019 : Debug: literal --> NT-Response
Wed Oct 2 14:27:32 2019 : Debug: }
Wed Oct 2 14:27:32 2019 : Debug: }
Wed Oct 2 14:27:32 2019 : Debug: XLAT-ELSE {
Wed Oct 2 14:27:32 2019 : Debug: literal --> 00
Wed Oct 2 14:27:32 2019 : Debug: }
Wed Oct 2 14:27:32 2019 : Debug: (27) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
Wed Oct 2 14:27:32 2019 : Debug: (27) mschap: --> --nt-response=c82a687251cd5d5d0d484a3a054d7d591b8fa8e166aea306
Wed Oct 2 14:27:32 2019 : Debug: (27) mschap: Program returned code (0) and output 'NT_KEY: 080502FA45DA99D415BF829B0861A1C0'
Wed Oct 2 14:27:32 2019 : Debug: (27) mschap: Adding MS-CHAPv2 MPPE keys
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authenticate]: returned from mschap (rlm_mschap)
Wed Oct 2 14:27:32 2019 : Debug: (27) [mschap] = ok
Wed Oct 2 14:27:32 2019 : Debug: (27) } # authenticate = ok
Wed Oct 2 14:27:32 2019 : Debug: (27) MSCHAP Success
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Sending EAP Request (code 1) ID 3 length 51
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: EAP session adding &reply:State = 0x3ee384dc3ce09e4d
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authenticate]: returned from eap (rlm_eap)
Wed Oct 2 14:27:32 2019 : Debug: (27) [eap] = handled
Wed Oct 2 14:27:32 2019 : Debug: (27) } # authenticate = handled
Wed Oct 2 14:27:32 2019 : Debug: (27) } # server inner-tunnel
Wed Oct 2 14:27:32 2019 : Debug: (27) Virtual server sending reply
Wed Oct 2 14:27:32 2019 : Debug: (27) EAP-Message = 0x010300331a0302002e533d46353841464144383441353535363938363830323142443536453830373537453237424645343539
Wed Oct 2 14:27:32 2019 : Debug: (27) Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 2 14:27:32 2019 : Debug: (27) State = 0x3ee384dc3ce09e4dcc7851e2e427c8b8
Wed Oct 2 14:27:32 2019 : Debug: (27) eap_ttls: Got tunneled Access-Challenge
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: Sending EAP Request (code 1) ID 82 length 99
Wed Oct 2 14:27:32 2019 : Debug: (27) eap: EAP session adding &reply:State = 0xeb6007aaec32127e
Wed Oct 2 14:27:32 2019 : Debug: (27) modsingle[authenticate]: returned from eap (rlm_eap)
Wed Oct 2 14:27:32 2019 : Debug: (27) [eap] = handled
Wed Oct 2 14:27:32 2019 : Debug: (27) } # authenticate = handled
Wed Oct 2 14:27:32 2019 : Debug: (27) Using Post-Auth-Type Challenge
Wed Oct 2 14:27:32 2019 : Debug: (27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
Wed Oct 2 14:27:32 2019 : Debug: (27) Challenge { ... } # empty sub-section is ignored
Wed Oct 2 14:27:32 2019 : Debug: (27) session-state: Nothing to cache
Wed Oct 2 14:27:32 2019 : Debug: (27) Sent Access-Challenge Id 72 from 10.16.1.1:1812 to 10.17.15.31:59627 length 0
Wed Oct 2 14:27:32 2019 : Debug: (27) EAP-Message = 0x015200631580000000591703030054bc81a2d2253c68f4b3c602d823deb5b71b60ef228d0f89118adf0e639cd15f0415c0731cbd4d6a8b5f4612697bdb6f942a28f60acc3587db6b118b127fc7a72df017a8e56ea2438b5194954eaf4d00425221d514
Wed Oct 2 14:27:32 2019 : Debug: (27) Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 2 14:27:32 2019 : Debug: (27) State = 0xeb6007aaec32127e5bc8d5d0acc56213
Wed Oct 2 14:27:32 2019 : Debug: (27) Finished request
What stands out is this message:
WARNING: (27) Outer and inner identities are the same. User privacy is compromised.
But it appears for both login attempts.
And both are actually successful.
But I have now found out why Windows doesn't get onto the Internet (see the other post: this one is already long enough).
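The eap module comment quoted at the top of the thread describes the Windows failure pattern (a client starts EAP, gets a few Access-Challenge packets, then restarts EAP without ever reaching Access-Accept or Access-Reject), and the freeradius -X output above is where that pattern would show up. Below is an added example, not code from any post in this thread or from FreeRADIUS, that groups debug output by Calling-Station-Id into EAP conversations (an Access-Request without a State attribute is a fresh start) and flags clients that restart before an Accept/Reject, plus clients that trigger the "Outer and inner identities are the same" warning. The log lines inside it are constructed in the format of the posted output; the MACs and user names are made up.

```python
"""Scan `freeradius -X` output for the Windows EAP symptom: a client that
gets a few Access-Challenges, then silently restarts EAP with no Accept.
Added example, not code from the thread or from FreeRADIUS itself."""
import re
from collections import defaultdict

# FreeRADIUS 3.0 debug lines; "(27)" is the request number.  search() is
# used, so a leading "Wed Oct 2 ... : Debug:" prefix does not matter.
RE_RECV = re.compile(r'\((\d+)\) Received Access-Request Id (\d+)')
RE_SENT = re.compile(r'\((\d+)\) Sent (Access-Challenge|Access-Accept|Access-Reject) Id')
RE_ATTR = re.compile(r'\((\d+)\)\s+([\w-]+) = (.+)$')
RE_PRIV = re.compile(r'WARNING: \((\d+)\) Outer and inner identities are the same')


def analyse(lines):
    """Group requests into per-MAC EAP conversations.

    Returns (conversations, privacy_macs): MAC -> [{"user", "challenges",
    "outcome"}] where outcome is "Access-Accept", "Access-Reject",
    "restarted" (fresh EAP start before the previous one finished) or
    "incomplete" (log ended mid-conversation); and the set of MACs that
    triggered the "Outer and inner identities are the same" warning."""
    pending = {}                # request number -> request attributes
    convs = defaultdict(list)   # MAC -> list of conversations
    privacy = set()
    for line in lines:
        m = RE_RECV.search(line)
        if m:
            pending[m.group(1)] = {}
            continue
        m = RE_PRIV.search(line)
        if m and m.group(1) in pending:
            privacy.add(pending[m.group(1)].get("Calling-Station-Id", "unknown"))
            continue
        m = RE_SENT.search(line)
        if m and m.group(1) in pending:
            r = pending.pop(m.group(1))   # reply attrs after "Sent" are ignored
            mac = r.get("Calling-Station-Id", "unknown")
            fresh = "State" not in r      # no State attribute: client started over
            # A fresh start while the last conversation is still open is the
            # "gets a few Access-Challenge packets ... re-starts EAP" pattern.
            if fresh and convs[mac] and convs[mac][-1]["outcome"] is None:
                convs[mac][-1]["outcome"] = "restarted"
            if fresh or not convs[mac]:
                convs[mac].append({"user": r.get("User-Name"), "challenges": 0, "outcome": None})
            conv = convs[mac][-1]
            if m.group(2) == "Access-Challenge":
                conv["challenges"] += 1
            else:
                conv["outcome"] = m.group(2)
            continue
        m = RE_ATTR.search(line)
        if m and m.group(1) in pending:   # request attribute, e.g. State = 0x..
            pending[m.group(1)][m.group(2)] = m.group(3).strip().strip('"')
    for cl in convs.values():
        if cl and cl[-1]["outcome"] is None:
            cl[-1]["outcome"] = "incomplete"
    return dict(convs), privacy


def restarted_clients(convs):
    """MACs that restarted EAP at least once without an Accept or Reject."""
    return sorted(mac for mac, cl in convs.items()
                  if any(c["outcome"] == "restarted" for c in cl))


# Constructed sample in the posted format (timestamps dropped; MACs and user
# names made up).  Client ...01 is accepted; client ...02 gets two challenges
# and then starts over without a State attribute.
SAMPLE_LOG = """\
(1) Received Access-Request Id 10 from 10.17.15.31:59627 to 10.16.1.1:1812 length 200
(1)   User-Name = "alice"
(1)   Calling-Station-Id = "AA-AA-AA-00-00-01"
(1) Sent Access-Challenge Id 10 from 10.16.1.1:1812 to 10.17.15.31:59627 length 0
(1)   State = 0xaaaa000100000000
(2) Received Access-Request Id 11 from 10.17.15.31:59627 to 10.16.1.1:1812 length 300
(2)   User-Name = "alice"
(2)   Calling-Station-Id = "AA-AA-AA-00-00-01"
(2)   State = 0xaaaa000100000000
WARNING: (2) Outer and inner identities are the same. User privacy is compromised.
(2) Sent Access-Accept Id 11 from 10.16.1.1:1812 to 10.17.15.31:59627 length 0
(3) Received Access-Request Id 20 from 10.17.15.31:59627 to 10.16.1.1:1812 length 200
(3)   User-Name = "bob"
(3)   Calling-Station-Id = "AA-AA-AA-00-00-02"
(3) Sent Access-Challenge Id 20 from 10.16.1.1:1812 to 10.17.15.31:59627 length 0
(4) Received Access-Request Id 21 from 10.17.15.31:59627 to 10.16.1.1:1812 length 300
(4)   User-Name = "bob"
(4)   Calling-Station-Id = "AA-AA-AA-00-00-02"
(4)   State = 0xbbbb000100000000
(4) Sent Access-Challenge Id 21 from 10.16.1.1:1812 to 10.17.15.31:59627 length 0
(5) Received Access-Request Id 22 from 10.17.15.31:59627 to 10.16.1.1:1812 length 200
(5)   User-Name = "bob"
(5)   Calling-Station-Id = "AA-AA-AA-00-00-02"
(5) Sent Access-Challenge Id 22 from 10.16.1.1:1812 to 10.17.15.31:59627 length 0
"""

if __name__ == "__main__":
    convs, privacy = analyse(SAMPLE_LOG.splitlines())
    print(restarted_clients(convs), sorted(privacy), convs)
```

Run it against a captured freeradius -X log with `analyse(open("debug.log").readlines())`. A client listed by `restarted_clients` is one the eap comment is talking about: the RADIUS side looks healthy (only Access-Challenges, never a Reject), and the problem is the supplicant giving up on the server certificate. The privacy set is the other thing worth acting on: an anonymous outer identity on the clients keeps the real user name inside the TLS tunnel.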
Does your Windows work with the same routing/DNS/proxy conditions
as the other, successfully connected clients?
I thought that was the case: but today I spent 2 hours at the school doing tests.
My tests also shed some light on the whole thing.
After a bit of back and forth I managed to get the opnsense to write log files again: it had stopped doing that on 10 Sept (for whatever reason).
The live logs were surprisingly boring … because nothing changed.
Only after I deleted the log files (button in the live logs) did things move again: and lo and behold: Linux is green and Windows red (Blocked)… wait for it … because Linux comes in via OPT1 (WLAN) and Windows via LAN … (see pictures below).
But why?
Linux goes through the inner tunnel and Windows doesn't?
But then how does Windows get into the LAN? It already got an IP from OPT1 before (172.16.x.y).
Who puts Windows into the LAN?
Only the AP can do that: it sits in both networks.
Why does it do something like that?
It didn't do that before, did it?
Hello Holger,
WLAN with freeradius doesn't work for us either, but I don't know the technical details. Do mobile devices (Android, iPhone, iPad) get in for you? That would be enough for me for now…
Regards,
Hendrik
WLAN with freeradius doesn't work for us either, but I don't know the
technical details. Do mobile devices (Android, iPhone,
iPad) get in for you? That would be enough for me for now…
Yes: without problems.
For Dominik and Rainer the Windows machines get in too: for me not
yet.