WPA/RADIUS Problems

Loukas Kalenderidis loukas at hb.com.au
Fri Sep 1 08:23:17 CEST 2006


On the rare occasions that I post to mailing lists I always forget  
something in the first message. This is the error that I get from  
Internet Connect on Mac OS X when I connect:
802.1X Authentication has failed.
802.1X is unable to authenticate. It is possible that the  
configuration you have provided is invalid. If you are unsure about  
what configuration to connect with, check with your network  
administrator.
( Error: 1 on port en1 )

Loukas

On 01/09/2006, at 4:12 PM, Loukas Kalenderidis wrote:

> Hi list,
>
> I'm a FreeRADIUS noob, and I've been charged with getting some WiFi  
> APs authenticating against an existing FreeRADIUS server being used  
> for dialup users. I've configured FreeRADIUS as best I can figure  
> from what I've found on the web, but I'm having no success with  
> getting WPA to work. I'm using a D-Link 2100AP access point, and a  
> Mac OS X 10.4 client. From what I can gather it seems that I might  
> have misconfigured FreeRADIUS, based on the error message below.
>
> I've configured a test user as follows:
> pants Auth-Type := Accept
>         Tunnel-Type = 13,
>         Tunnel-Medium-Type = 6,
>         Tunnel-Private-Group-Id = 1
>
> The last 3 lines I found in a tutorial on the web, but I'm not sure  
> if they are necessary or not (and commenting them out makes no  
> difference).
>
> When I run radtest everything looks OK:
>
> $ radtest pants "" localhost 1 XXXXXX
> Sending Access-Request of id 141 to 127.0.0.1:1812
>         User-Name = "pants"
>         User-Password = ""
>         NAS-IP-Address = newdeewhy
>         NAS-Port = 1
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=141,  
> length=35
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "1"
>
> When I try to connect from my Mac OS X client I get the following  
> error:
>
>
> And the following appears in the radius.log:
> Fri Sep  1 15:50:59 2006 : Auth: Login OK: [pants] (from client  
> testap port 1 cli 00-0D-93-86-48-8E)
> Fri Sep  1 15:51:02 2006 : Error: Authentication reply packet code  
> 2 sent to a non-proxy reply port from client testap:1025 - ID 0 :  
> IGNORED
>
> Watching the traffic shows the Access-Accept packet being sent back  
> to the AP, but confusingly the AP sends an Access-Accept back to  
> the RADIUS server! (10.0.0.100 is the AP, 10.0.0.101 is the RADIUS  
> server):
>
> # tcpdump -nXi eth1 -s 65535 host 10.0.0.100
> tcpdump: verbose output suppressed, use -v or -vv for full protocol  
> decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535  
> bytes
> 16:08:43.990613 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS,  
> Access Request (1), id: 0x00 length: 193
> 16:08:43.992271 IP 10.0.0.101.1812 > 10.0.0.100.1027: RADIUS,  
> Access Accept (2), id: 0x00 length: 35
> 16:08:46.987506 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS,  
> Access Accept (2), id: 0x00 length: 35
> 16:08:48.382840 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS,  
> Access Request (1), id: 0x01 length: 193
> 16:08:48.384472 IP 10.0.0.101.1812 > 10.0.0.100.1027: RADIUS,  
> Access Accept (2), id: 0x01 length: 35
> 16:08:51.370904 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS,  
> Access Accept (2), id: 0x01 length: 35
> 16:09:02.626769 IP 10.0.0.100.1028 > 10.0.0.101.1812: RADIUS,  
> Access Request (1), id: 0x00 length: 193
> 16:09:02.628391 IP 10.0.0.101.1812 > 10.0.0.100.1028: RADIUS,  
> Access Accept (2), id: 0x00 length: 35
> 16:09:05.620998 IP 10.0.0.100.1028 > 10.0.0.101.1812: RADIUS,  
> Access Accept (2), id: 0x00 length: 35
> 16:09:06.912295 IP 10.0.0.100.1028 > 10.0.0.101.1812: RADIUS,  
> Access Request (1), id: 0x01 length: 193
> 16:09:06.913952 IP 10.0.0.101.1812 > 10.0.0.100.1028: RADIUS,  
> Access Accept (2), id: 0x01 length: 35
> 16:09:07.627117 arp who-has 10.0.0.100 tell 10.0.0.101
> 16:09:07.627526 arp reply 10.0.0.100 is-at 00:11:95:db:37:0b
> 16:09:09.904367 IP 10.0.0.100.1028 > 10.0.0.101.1812: RADIUS,  
> Access Accept (2), id: 0x01 length: 35
>
> Anybody know what is going on here? What have I misconfigured?
>
> Thanks,
> Loukas
>
>
> -List info/subscribe/unsubscribe? See http://www.freeradius.org/ 
> list/users.html
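
Added example, not part of the original post: radtest sends a plain password request, while an 802.1X access point carries EAP in RADIUS attribute 79 (EAP-Message), so an Access-Accept holding only the three Tunnel attributes lacks what the EAP side of the exchange expects. The sketch parses a request/accept pair and lists what the accept is missing. The function names and sample packets are constructed for illustration, and the attribute numbers are those of RFC 3579 and RFC 2548.

```python
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR, VENDOR_SPECIFIC = 79, 80, 26
MS_VENDOR, MPPE_KEYS = 311, {16, 17}   # MS-MPPE-Send-Key, MS-MPPE-Recv-Key

def parse_radius(pkt):
    """Return (code, id, [(attr_type, value), ...]) for one RADIUS packet."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad Length field")
    attrs, off = [], 20
    while off < length:
        alen = pkt[off + 1] if off + 1 < length else 0
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length at offset %d" % off)
        attrs.append((pkt[off], pkt[off + 2:off + alen]))
        off += alen
    return code, ident, attrs

def eap_accept_problems(request, accept):
    """List what an Access-Accept lacks when it answers an EAP request."""
    rcode, rid, rattrs = parse_radius(request)
    acode, aid, aattrs = parse_radius(accept)
    if (rcode, acode) != (1, 2) or rid != aid:
        raise ValueError("not a matching Access-Request/Access-Accept pair")
    if EAP_MESSAGE not in [t for t, _ in rattrs]:
        return []                      # PAP/CHAP request, as sent by radtest
    have = {t for t, _ in aattrs}
    ms = {v[4] for t, v in aattrs if t == VENDOR_SPECIFIC
          and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == MS_VENDOR}
    checks = [("EAP-Message", EAP_MESSAGE in have),
              ("Message-Authenticator", MESSAGE_AUTHENTICATOR in have),
              ("MS-MPPE keys", MPPE_KEYS <= ms)]
    return ["no " + name for name, ok in checks if not ok]

def build(code, ident, attrs):
    """Constructed sample packets only: zeroed authenticator, no signing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples shaped like the exchange in the post (not the captured bytes).
TUNNEL = [(64, struct.pack("!I", 13)), (65, struct.pack("!I", 6)), (81, b"1")]
EAP_ID = bytes([2, 0, 0, 10, 1]) + b"pants"           # EAP-Response/Identity
EAP_REQUEST = build(1, 0, [(1, b"pants"), (EAP_MESSAGE, EAP_ID),
                           (MESSAGE_AUTHENTICATOR, bytes(16))])
PAP_REQUEST = build(1, 0, [(1, b"pants"), (2, bytes(16))])
ACCEPT = build(2, 0, TUNNEL)           # 35 bytes, like the accept in the post
```

`eap_accept_problems(EAP_REQUEST, ACCEPT)` reports all three items missing, while the same accept paired with `PAP_REQUEST` reports nothing, which is why a radtest run can look fine while the 802.1X client fails.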




More information about the Freeradius-Users mailing list