Not going past "Sending Access-Challenge"
Adam Tauno Williams
awilliam at whitemice.org
Thu Sep 8 21:40:06 CEST 2005
Adam Tauno Williams <E-mail Protected> wrote:
>> I'm trying to setup RADIUS/WPA authentication using PEAP as
>> described in -
>> http://www.ibiblio.org/pub/Linux/docs/HOWTO/8021X-HOWTO - but I
>> never seem to get past the "Sending Access-Challenge" after I enter
>> my username and password on the client. User is simply an entry in
>> the users file with a clear text password. I've gone over the
>> config several times, but nothing jumps out at me as an error
>> message.
Alan DeKok wrote:
> The problem most likely is that the AP isn't seeing the response, or
> it isn't liking the response. Check the IP addresses that the packets
> use, via "tcpdump".
Okay, I've etherealled the connection and I see an "Access-Request" from the WAP
to the RADIUS server, then an "Access-Challenge" from the RADIUS server to the
WAP, and nothing else. What should the WAP's response to an
"Access-Challenge" response be?
The WAP is 192.168.1.42 and the RADIUS server is 192.168.1.47
No. Time Source Destination Protocol Info
8 0.839425 192.168.1.42 192.168.1.47 RADIUS
Access-Request(1) (id=26, l=133)
Frame 8 (175 bytes on wire, 175 bytes captured)
Ethernet II, Src: noor.morrison.iserv.net (00:0f:3d:43:6a:3c), Dst:
tor.morrison.iserv.net (00:0d:60:0f:fd:4a)
Internet Protocol, Src: 192.168.1.42 (192.168.1.42), Dst: 192.168.1.47
(192.168.1.47)
User Datagram Protocol, Src Port: groove-dpp (1211), Dst Port: radius (1812)
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x1a (26)
Length: 133
Authenticator: 14E77EEE7405E31F02AB6A803EB478A1
Attribute Value Pairs
AVP: l=10 t=User-Name(1): awilliam
AVP: l=6 t=NAS-IP-Address(4): 192.168.1.42
AVP: l=6 t=NAS-Port(5): 0
AVP: l=19 t=Called-Station-Id(30): 00-0F-3D-43-6A-3C
AVP: l=19 t=Calling-Station-Id(31): 00-14-A5-30-BC-27
AVP: l=8 t=NAS-Identifier(32): wap001
AVP: l=6 t=Framed-MTU(12): 1380
AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=15 t=EAP-Message(79) Last Segment[1]
Length: 13
EAP fragment
Extensible Authentication Protocol
Code: Response (2)
Id: 1
Length: 13
Type: Identity [RFC3748] (1)
Identity (8 bytes): awilliam
AVP: l=18 t=Message-Authenticator(80): 92C34CC691D9BC0D5B49F180B2F4EA59
Length: 16
Message-Authenticator: 92C34CC691D9BC0D5B49F180B2F4EA59
No. Time Source Destination Protocol Info
15 0.842887 192.168.1.47 192.168.1.42 RADIUS
Access-challenge(11) (id=26, l=83)
Frame 15 (125 bytes on wire, 125 bytes captured)
Ethernet II, Src: tor.morrison.iserv.net (00:0d:60:0f:fd:4a), Dst:
noor.morrison.iserv.net (00:0f:3d:43:6a:3c)
Internet Protocol, Src: 192.168.1.47 (192.168.1.47), Dst: 192.168.1.42
(192.168.1.42)
User Datagram Protocol, Src Port: radius (1812), Dst Port: groove-dpp (1211)
Radius Protocol
Code: Access-challenge (11)
Packet identifier: 0x1a (26)
Length: 83
Authenticator: DE3DC989610D986213D85EF526EA47BD
Attribute Value Pairs
AVP: l=19 t=Reply-Message(18): EAPTEST Hello, %u
Length: 17
Reply-Message: EAPTEST Hello, %u
AVP: l=8 t=EAP-Message(79) Last Segment[1]
Length: 6
EAP fragment
Extensible Authentication Protocol
Code: Request (1)
Id: 2
Length: 6
Type: PEAP [Palekar] (25)
Flags(0x20): Start
PEAP version 0
AVP: l=18 t=Message-Authenticator(80): 36719CCCEE09502EA6C644C5EEC62B87
Length: 16
Message-Authenticator: 36719CCCEE09502EA6C644C5EEC62B87
AVP: l=18 t=State(24): 4CA90CA7DE0086900AEB2E8BB35E773A
Length: 16
State: 4CA90CA7DE0086900AEB2E8BB35E773A
No. Time Source Destination Protocol Info
16 0.879314 192.168.1.42 192.168.1.47 RADIUS
Access-Request(1) (id=27, l=218)
Frame 16 (260 bytes on wire, 260 bytes captured)
Ethernet II, Src: noor.morrison.iserv.net (00:0f:3d:43:6a:3c), Dst:
tor.morrison.iserv.net (00:0d:60:0f:fd:4a)
Internet Protocol, Src: 192.168.1.42 (192.168.1.42), Dst: 192.168.1.47
(192.168.1.47)
User Datagram Protocol, Src Port: groove-dpp (1211), Dst Port: radius (1812)
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x1b (27)
Length: 218
Authenticator: FBD53DBF46F4F69697F2427EDE5176A3
Attribute Value Pairs
AVP: l=10 t=User-Name(1): awilliam
AVP: l=6 t=NAS-IP-Address(4): 192.168.1.42
AVP: l=6 t=NAS-Port(5): 0
AVP: l=19 t=Called-Station-Id(30): 00-0F-3D-43-6A-3C
AVP: l=19 t=Calling-Station-Id(31): 00-14-A5-30-BC-27
AVP: l=8 t=NAS-Identifier(32): wap001
AVP: l=6 t=Framed-MTU(12): 1380
AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=82 t=EAP-Message(79) Last Segment[1]
Length: 80
EAP fragment
Extensible Authentication Protocol
Code: Response (2)
Id: 2
Length: 80
Type: PEAP [Palekar] (25)
Flags(0x80): Length
PEAP version 0
Length: 70
Secure Socket Layer
AVP: l=18 t=State(24): 4CA90CA7DE0086900AEB2E8BB35E773A
Length: 16
State: 4CA90CA7DE0086900AEB2E8BB35E773A
AVP: l=18 t=Message-Authenticator(80): DF3CCA452EF2AF5D0CAA8EB46534127D
Length: 16
Message-Authenticator: DF3CCA452EF2AF5D0CAA8EB46534127D
No. Time Source Destination Protocol Info
23 0.885616 192.168.1.47 192.168.1.42 RADIUS
Access-challenge(11) (id=27, l=1119)
Frame 23 (1161 bytes on wire, 1161 bytes captured)
Ethernet II, Src: tor.morrison.iserv.net (00:0d:60:0f:fd:4a), Dst:
noor.morrison.iserv.net (00:0f:3d:43:6a:3c)
Internet Protocol, Src: 192.168.1.47 (192.168.1.47), Dst: 192.168.1.42
(192.168.1.42)
User Datagram Protocol, Src Port: radius (1812), Dst Port: groove-dpp (1211)
Radius Protocol
Code: Access-challenge (11)
Packet identifier: 0x1b (27)
Length: 1119
Authenticator: 51DB666236DA04D0B72A4E99FAE73956
Attribute Value Pairs
AVP: l=19 t=Reply-Message(18): EAPTEST Hello, %u
Length: 17
Reply-Message: EAPTEST Hello, %u
AVP: l=255 t=EAP-Message(79) Segment[1]
AVP: l=255 t=EAP-Message(79) Segment[2]
AVP: l=255 t=EAP-Message(79) Segment[3]
AVP: l=255 t=EAP-Message(79) Segment[4]
AVP: l=24 t=EAP-Message(79) Last Segment[5]
Length: 22
EAP fragment
Extensible Authentication Protocol
Code: Request (1)
Id: 3
Length: 1034
Type: PEAP [Palekar] (25)
Flags(0xC0): Length More
PEAP version 0
Length: 3974
EAP-TLS Fragments (3974 bytes): #23(1024), #35(1024), #46(1024),
#54(902)
Secure Socket Layer
AVP: l=18 t=Message-Authenticator(80): F4814C72EEE61CD5CEFC53B36B267D4C
Length: 16
Message-Authenticator: F4814C72EEE61CD5CEFC53B36B267D4C
AVP: l=18 t=State(24): D338F7D46B55BA06D75A99DAB2F12D57
Length: 16
State: D338F7D46B55BA06D75A99DAB2F12D57
No. Time Source Destination Protocol Info
27 2.062088 192.168.1.42 192.168.1.47 RADIUS
Access-Request(1) (id=28, l=144)
Frame 27 (186 bytes on wire, 186 bytes captured)
Ethernet II, Src: noor.morrison.iserv.net (00:0f:3d:43:6a:3c), Dst:
tor.morrison.iserv.net (00:0d:60:0f:fd:4a)
Internet Protocol, Src: 192.168.1.42 (192.168.1.42), Dst: 192.168.1.47
(192.168.1.47)
User Datagram Protocol, Src Port: groove-dpp (1211), Dst Port: radius (1812)
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x1c (28)
Length: 144
Authenticator: 77439BFA74CDEE8C8B73E043554916F0
Attribute Value Pairs
AVP: l=10 t=User-Name(1): awilliam
AVP: l=6 t=NAS-IP-Address(4): 192.168.1.42
AVP: l=6 t=NAS-Port(5): 0
AVP: l=19 t=Called-Station-Id(30): 00-0F-3D-43-6A-3C
AVP: l=19 t=Calling-Station-Id(31): 00-14-A5-30-BC-27
AVP: l=8 t=NAS-Identifier(32): wap001
AVP: l=6 t=Framed-MTU(12): 1380
AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=8 t=EAP-Message(79) Last Segment[1]
Length: 6
EAP fragment
Extensible Authentication Protocol
Code: Response (2)
Id: 3
Length: 6
Type: PEAP [Palekar] (25)
Flags(0x0):
PEAP version 0
AVP: l=18 t=State(24): D338F7D46B55BA06D75A99DAB2F12D57
Length: 16
State: D338F7D46B55BA06D75A99DAB2F12D57
AVP: l=18 t=Message-Authenticator(80): 7A8DCF047F1B584608FE71A8EAB584AC
Length: 16
Message-Authenticator: 7A8DCF047F1B584608FE71A8EAB584AC
No. Time Source Destination Protocol Info
35 2.068415 192.168.1.47 192.168.1.42 RADIUS
Access-challenge(11) (id=28, l=1115)
Frame 35 (1157 bytes on wire, 1157 bytes captured)
Ethernet II, Src: tor.morrison.iserv.net (00:0d:60:0f:fd:4a), Dst:
noor.morrison.iserv.net (00:0f:3d:43:6a:3c)
Internet Protocol, Src: 192.168.1.47 (192.168.1.47), Dst: 192.168.1.42
(192.168.1.42)
User Datagram Protocol, Src Port: radius (1812), Dst Port: groove-dpp (1211)
Radius Protocol
Code: Access-challenge (11)
Packet identifier: 0x1c (28)
Length: 1115
Authenticator: 2A5E1665347BA87046D857CAB331686F
Attribute Value Pairs
AVP: l=19 t=Reply-Message(18): EAPTEST Hello, %u
Length: 17
Reply-Message: EAPTEST Hello, %u
AVP: l=255 t=EAP-Message(79) Segment[1]
AVP: l=255 t=EAP-Message(79) Segment[2]
AVP: l=255 t=EAP-Message(79) Segment[3]
AVP: l=255 t=EAP-Message(79) Segment[4]
AVP: l=20 t=EAP-Message(79) Last Segment[5]
Length: 18
EAP fragment
Extensible Authentication Protocol
Code: Request (1)
Id: 4
Length: 1030
Type: PEAP [Palekar] (25)
Flags(0x40): More
PEAP version 0
EAP-TLS Fragments (3974 bytes): #23(1024), #35(1024), #46(1024),
#54(902)
Secure Socket Layer
AVP: l=18 t=Message-Authenticator(80): 755BE6D63AA6F48DC661705F2EE3A5AD
Length: 16
Message-Authenticator: 755BE6D63AA6F48DC661705F2EE3A5AD
AVP: l=18 t=State(24): 6A14161A7B2A4D2A2B0EED6451D7555F
Length: 16
State: 6A14161A7B2A4D2A2B0EED6451D7555F
--
Adam Tauno Williams - http://www.whitemice.org
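
Added example, not part of the original message and not FreeRADIUS or Ethereal code: a small Python decoder that rejoins the EAP-Message(79) segments of one RADIUS packet and reads the PEAP Length/More/Start flag bits shown in the dissection above. The packet it decodes is constructed to have the shape of frame 23 (the TLS bytes are zero filler), and all function names are illustrative.

```python
import struct

EAP_MESSAGE, PEAP = 79, 25
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def eap_from_radius(packet):
    """Join all EAP-Message(79) attributes of one RADIUS packet, in order."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    eap, pos = b"", 20                    # attributes follow the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == EAP_MESSAGE:          # each segment carries at most 253 bytes
            eap += packet[pos + 2:pos + alen]
        pos += alen
    return eap

def describe_eap(eap):
    """Decode the EAP header and, for PEAP, the flag byte."""
    if len(eap) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(eap) >= 6 and eap[4] == PEAP:
        flags = eap[5]                    # version sits in the low bits
        info.update(length_flag=bool(flags & 0x80), more=bool(flags & 0x40),
                    start=bool(flags & 0x20), version=flags & 0x07)
        if flags & 0x80 and len(eap) >= 10:
            info["tls_total"] = struct.unpack("!I", eap[6:10])[0]
    return info

def expected_ack(info):
    """Fragment ACK the peer owes for a Request with More set, else None."""
    if info["code"] == "Request" and info.get("more"):
        return {"code": "Response", "id": info["id"], "length": 6, "flags": 0}
    return None

def sample_challenge():
    """Constructed Access-Challenge shaped like frame 23 (filler TLS data)."""
    eap = struct.pack("!BBHBBI", 1, 3, 1034, PEAP, 0xC0, 3974) + bytes(1024)
    attrs = bytes([18, 19]) + b"EAPTEST Hello, %u"       # Reply-Message(18)
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    return struct.pack("!BBH", 11, 27, 20 + len(attrs)) + bytes(16) + attrs
```

With EAP-TLS style fragmentation, which PEAP uses, a Request with the More bit set is acknowledged by a Response with the same Id and no data, which is what frame 27 does for Id 3.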