EAP-Problem

Florian Prester Florian.Prester at rrze.uni-erlangen.de
Wed Sep 20 10:50:10 CEST 2006


Hi,

 First, we are using Freeradius for all kinds of authentication - and 
it works very well!! -> Good job to all of you.

But lately we have some EAP problems, mostly with Windows clients.
If a user authenticated correctly, after some time he gets disconnected 
and tries to reauthenticate, but it fails - see Log.

Also, I have some questions about EAP in general. How should it work 
correctly? I ask because I see up to 10 Authentication-Requests until the 
client is authenticated correctly. For example, the client wants to do 
EAP-PEAP (Windows client), but the radius says EAP-NAK:
      rlm_eap: Request found, released from the list
      rlm_eap: EAP NAK
     rlm_eap: EAP-NAK asked for EAP-Type/peap
      rlm_eap: processing type tls
      rlm_eap_tls: Initiate
      rlm_eap_tls: Start returned 1
      modcall[authenticate]: module "eap" returns handled for request 231
    modcall: leaving group authenticate (returns handled) for request 231
    Sending Access-Challenge ...
    Finished request 231

What does it mean? Can I tune the process?

Thank you all for your answers!
 Best regards
    Florian Prester


Log:
rad_recv: Access-Request packet from host 131.188.4.190:20000, id=35, 
length=202
        NAS-Port-Id = "2059/1"
        Calling-Station-Id = "00-15-00-01-C0-D1"
        Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF"
        Service-Type = Framed-User
        User-Name = "unrz06"
        State = 0x...
        EAP-Message = 0x...
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "Trapeze"
        NAS-IP-Address = 131.188.4.190
        Message-Authenticator = 0x...
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 228
  modcall[authorize]: module "preprocess" returns ok for request 228
  modcall[authorize]: module "chap" returns noop for request 228
  modcall[authorize]: module "mschap" returns noop for request 228
  rlm_eap: EAP packet type response id 14 length 53
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 228
    users: Matched entry DEFAULT at line 12
  modcall[authorize]: module "files" returns ok for request 228
rlm_ldap: - authorize
  modcall[authorize]: module "ldap" returns ok for request 228
  modcall[authorize]: module "perl" returns ok for request 228
modcall: leaving group authorize (returns updated) for request 228
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 228
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
    (other): SSL negotiation finished successfully
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
SSL Connection Established
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 228
modcall: leaving group authenticate (returns reject) for request 228
auth: Failed to validate the user.
Login incorrect: [unrz06] (from client QRA-MX port 0 cli 00-15-00-01-C0-D1)
Sending Access-Reject of id 35 to 131.188.4.190 port 20000
        EAP-Message = 0x040e0004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 228


-- 
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Martensstr. 1
91052 Erlangen
Germany

Tel.: +499131 8527813



