PEAP, Freeradius and Cisco AP 350

Artur Hecker hecker at enst.fr
Wed Aug 31 23:07:29 CEST 2005


hi


J Zakhar wrote:
> Having some trouble setting up PEAP with a windows XP workstation, a 
> Cisco 350 AP (upgraded to IOS version 12.2), I am using the default XP 
> Client to set things up. Many moons ago I had LEAP working great, the 
> hard drive on this linux machine failed and it was time to reinstall. 
> Not sure why I'm having such trouble with this.
>  
> Mousing over the icon in my task bar Status: Validating Identity is all 
> it ever says while trying to associate. I do however get prompted for my 
> user name and password. Any advice/help would be much appreciated.

unfortunately, imho Windows XP prompts for those before it starts the 
exchanges.

from your log it seems that there is no error on the Freeradius side. FR 
sends out the Challenge, but the second message from the client (id = 
36) looks to me as a repeat of the original Request (id 35). the 
contents of the EAP-Message are the same.

thus it seems that your Windows client is not answering the challenge. 
Or the access point does not relay the challenge to the Windows client.

difficult to say more from what you've given so far. you could try the 
following:

- are you sure that you posted the complete log?

- if yes, deactivate Server Validation in the Windows XP PEAP client 
(only for testing, activate it later) and re-start. see if the 
authentication gets to a further point.

- if that does not change anything, take a look at Ken Rosner's TLS 
FAQ (see www.freeradius.org). he describes how you activate EAP debug on 
Cisco 350 APs. log in to your Cisco, activate EAP Debug level 2 
and see what happens - whether it relays messages to the user machine.



ciao
artur
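As an added illustration of the diagnosis above (this is not code from the thread or from FreeRADIUS), the following Python decodes the EAP-Message values found in a radiusd -X log and flags a conversation in which the supplicant sends a fresh EAP Identity response after the server's PEAP Start challenge instead of answering that challenge. The sample log lines are constructed from the values quoted below.

```python
import re

# EAP codes and the method types that appear in this thread (RFC 3748 numbering).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}

# Constructed from the radiusd -X output quoted in the thread: Identity response,
# PEAP Start challenge, then the same Identity response again under a new RADIUS id.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.28.42.253:21646, id=35, length=132
        EAP-Message = 0x0202000c016a7a616b686172
Sending Access-Challenge of id 35 to 172.28.42.253:21646
        EAP-Message = 0x010300061920
rad_recv: Access-Request packet from host 172.28.42.253:21646, id=36, length=132
        EAP-Message = 0x0202000c016a7a616b686172
"""

def decode_eap(hex_msg):
    """Decode one EAP packet as carried in a RADIUS EAP-Message attribute."""
    data = bytes.fromhex(hex_msg[2:] if hex_msg.startswith("0x") else hex_msg)
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError("EAP length field %d != %d bytes present" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        eap_type = data[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            pkt["identity"] = data[5:].decode("ascii", "replace")
        elif eap_type in (13, 25):
            # EAP-TLS/PEAP flags byte: L=0x80 (length included), M=0x40 (more), S=0x20 (start)
            pkt["flags"] = data[5]
            pkt["start"] = bool(data[5] & 0x20)
    return pkt

def eap_conversation(log_text):
    """Return the decoded EAP packets in the order they appear in a radiusd -X log."""
    return [decode_eap(m) for m in re.findall(r"EAP-Message = (0x[0-9a-fA-F]+)", log_text)]

def find_restart(packets):
    """Index of an Identity response that follows a server Request (challenge)
    instead of answering it, i.e. the supplicant restarted; None if the flow is sane."""
    for i in range(1, len(packets)):
        prev, cur = packets[i - 1], packets[i]
        if prev["code"] == "Request" and cur.get("type") == "Identity":
            return i
    return None

if __name__ == "__main__":
    pkts = eap_conversation(SAMPLE_LOG)
    for p in pkts:
        print(p)
    print("supplicant restart at packet", find_restart(pkts))
```

A healthy conversation would show a Response of type PEAP with the same EAP id as the Start request; a repeated Identity response points at the client or the AP, exactly as argued above.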


>  
> ./radiusd -A -X
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /usr/local/freeradius/etc/raddb/proxy.conf
> Config:   including file: /usr/local/freeradius/etc/raddb/clients.conf
> Config:   including file: /usr/local/freeradius/etc/raddb/snmp.conf
> Config:   including file: /usr/local/freeradius/etc/raddb/eap.conf
> Config:   including file: /usr/local/freeradius/etc/raddb/sql.conf
>  main: prefix = "/usr/local/freeradius"
>  main: localstatedir = "/usr/local/freeradius/var"
>  main: logdir = "/usr/local/freeradius/var/log/radius"
>  main: libdir = "/usr/local/freeradius/lib"
>  main: radacctdir = "/usr/local/freeradius/var/log/radius/radacct"
>  main: hostname_lookups = no
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_file = "/usr/local/freeradius/var/log/radius/radius.log"
>  main: log_auth = no
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/usr/local/freeradius/var/run/radiusd/radiusd.pid"
>  main: user = "(null)"
>  main: group = "(null)"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no"
>  main: nospace_user = "no"
>  main: nospace_pass = "no"
>  main: checkrad = "/usr/local/freeradius/sbin/checkrad"
>  main: proxy_requests = yes
>  proxy: retry_delay = 5
>  proxy: retry_count = 3
>  proxy: synchronous = no
>  proxy: default_fallback = yes
>  proxy: dead_time = 120
>  proxy: post_proxy_authorize = yes
>  proxy: wake_all_if_all_dead = no
>  security: max_attributes = 200
>  security: reject_delay = 1
>  security: status_server = no
>  main: debug_level = 0
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> Using deprecated naslist file.  Support for this will go away soon.
> read_config_files:  reading clients
> read_config_files:  reading realms
> radiusd:  entering modules setup
> Module: Library search path is /usr/local/freeradius/lib
> Module: Loaded exec
>  exec: wait = yes
>  exec: program = "(null)"
>  exec: input_pairs = "request"
>  exec: output_pairs = "(null)"
>  exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
>  pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
>  mschap: use_mppe = yes
>  mschap: require_encryption = yes
>  mschap: require_strong = yes
>  mschap: with_ntdomain_hack = no
>  mschap: passwd = "(null)"
>  mschap: authtype = "MS-CHAP"
>  mschap: ntlm_auth = "(null)"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
>  unix: cache = no
>  unix: passwd = "(null)"
>  unix: shadow = "(null)"
>  unix: group = "(null)"
>  unix: radwtmp = "/usr/local/freeradius/var/log/radius/radwtmp"
>  unix: usegroup = no
>  unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
>  eap: default_eap_type = "peap"
>  eap: timer_expire = 60
>  eap: ignore_unknown_eap_types = no
>  eap: cisco_accounting_username_bug = yes
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
>  gtc: challenge = "Password: "
>  gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
>  tls: rsa_key_exchange = no
>  tls: dh_key_exchange = yes
>  tls: rsa_key_length = 512
>  tls: dh_key_length = 512
>  tls: verify_depth = 0
>  tls: CA_path = "(null)"
>  tls: pem_file_type = yes
>  tls: private_key_file = "/usr/local/freeradius/etc/raddb/certs/cert-srv.pem"
>  tls: certificate_file = "/usr/local/freeradius/etc/raddb/certs/cert-srv.pem"
>  tls: CA_file = "/usr/local/freeradius/etc/raddb/certs/demoCA/cacert.pem"
>  tls: private_key_password = "whatever"
>  tls: dh_file = "/usr/local/freeradius/etc/raddb/certs/dh"
>  tls: random_file = "/usr/local/freeradius/etc/raddb/certs/random"
>  tls: fragment_size = 1024
>  tls: include_length = yes
>  tls: check_crl = no
>  tls: check_cert_cn = "(null)"
> rlm_eap: Loaded and initialized type tls
>  peap: default_eap_type = "mschapv2"
>  peap: copy_request_to_tunnel = no
>  peap: use_tunneled_reply = no
>  peap: proxy_tunneled_request_as_eap = yes
> rlm_eap: Loaded and initialized type peap
>  mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
>  preprocess: huntgroups = "/usr/local/freeradius/etc/raddb/huntgroups"
>  preprocess: hints = "/usr/local/freeradius/etc/raddb/hints"
>  preprocess: with_ascend_hack = no
>  preprocess: ascend_channels_per_line = 23
>  preprocess: with_ntdomain_hack = no
>  preprocess: with_specialix_jetstream_hack = no
>  preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
>  realm: format = "suffix"
>  realm: delimiter = "@"
>  realm: ignore_default = no
>  realm: ignore_null = no
> Module: Instantiated realm (suffix)
> Module: Loaded files
>  files: usersfile = "/usr/local/freeradius/etc/raddb/users"
>  files: acctusersfile = "/usr/local/freeradius/etc/raddb/acct_users"
>  files: preproxy_usersfile = "/usr/local/freeradius/etc/raddb/preproxy_users"
>  files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
>  acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
>  detail: detailfile = "/usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>  detail: detailperm = 384
>  detail: dirperm = 493
>  detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
>  radutmp: filename = "/usr/local/freeradius/var/log/radius/radutmp"
>  radutmp: username = "%{User-Name}"
>  radutmp: case_sensitive = yes
>  radutmp: check_with_nas = yes
>  radutmp: perm = 384
>  radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Listening on proxy *:1814
> Ready to process requests.
> rad_recv: Access-Request packet from host 172.28.42.253:21646, id=35, length=132
>         User-Name = "jzakhar"
>         Framed-MTU = 1400
>         Called-Station-Id = "0040.9647.f2d6"
>         Calling-Station-Id = "000e.9b2e.179a"
>         Message-Authenticator = 0x657f7e3dee2731c4e91f25c395ef47d7
>         EAP-Message = 0x0202000c016a7a616b686172
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 312
>         Service-Type = Framed-User
>         NAS-IP-Address = 172.28.42.253
>         NAS-Identifier = "apcisco"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "jzakhar", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: EAP packet type response id 2 length 12
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 0
>     users: Matched jzakhar at 53
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns updated for request 0
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns handled for request 0
> modcall: group authenticate returns handled for request 0
> Sending Access-Challenge of id 35 to 172.28.42.253:21646
>         EAP-Message = 0x010300061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xf730c83b331f347cf002f96adbba538e
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 172.28.42.253:21646, id=35, length=132
> Sending duplicate reply to client EAP:21646 - ID: 35
> Re-sending Access-Challenge of id 35 to 172.28.42.253:21646
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 35 with timestamp 4315dbd4
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host 172.28.42.253:21646, id=36, length=132
>         User-Name = "jzakhar"
>         Framed-MTU = 1400
>         Called-Station-Id = "0040.9647.f2d6"
>         Calling-Station-Id = "000e.9b2e.179a"
>         Message-Authenticator = 0x843b8ca357e3281d250307dff3caa9e6
>         EAP-Message = 0x0202000c016a7a616b686172
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 313
>         Service-Type = Framed-User
>         NAS-IP-Address = 172.28.42.253
>         NAS-Identifier = "apcisco"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>   modcall[authorize]: module "preprocess" returns ok for request 1
>   modcall[authorize]: module "chap" returns noop for request 1
>   modcall[authorize]: module "mschap" returns noop for request 1
>     rlm_realm: No '@' in User-Name = "jzakhar", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 1
>   rlm_eap: EAP packet type response id 2 length 12
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 1
>     users: Matched jzakhar at 53
>   modcall[authorize]: module "files" returns ok for request 1
> modcall: group authorize returns updated for request 1
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns handled for request 1
> modcall: group authenticate returns handled for request 1
> Sending Access-Challenge of id 36 to 172.28.42.253:21646
>         EAP-Message = 0x010300061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x479ac19253ee20dc4d21810846227fc5
> Finished request 1
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...