EAP-Problem
Florian Prester
Florian.Prester at rrze.uni-erlangen.de
Fri Sep 22 07:50:41 CEST 2006
K. Hoercher wrote:
> On 9/20/06, Florian Prester <Florian.Prester at rrze.uni-erlangen.de> wrote:
>> Also I have some questions about EAP at all. How should it work
>> correctly? Because I see up to 10 Authentication-Requests until the
>> client is authenticated correctly. For example the client wants to do
>> EAP-PEAP (Windows-client), but the radius says EAP-NAK:
>> rlm_eap: Request found, released from the list
>> rlm_eap: EAP NAK
>> rlm_eap: EAP-NAK asked for EAP-Type/peap
>> rlm_eap: processing type tls
>> rlm_eap_tls: Initiate
>> rlm_eap_tls: Start returned 1
>> modcall[authenticate]: module "eap" returns handled for request
>> 231
>> modcall: leaving group authenticate (returns handled) for request
>> 231
>> Sending Access-Challenge ...
>> Finished request 231
>>
>> What does it mean? Can I tune the process?
>
> My guess would be, that your default_eap_type in eap.conf is not set
> to peap. So your supplicant (XP) is sending the NAK (not the server,
> it just logs that it got the NAK) to get the server to use peap.
> Depending on your needs you could change it. That's a normal part of
> EAP. As is the sending back and forth of Access-Requests and
> Access-Challenges to negotiate the details inherent to EAP.
>
OK - thanks. So I have to take a deeper look at the eap-process.
But, ...
>> Log:
>> rad_recv: Access-Request packet from host 131.188.4.190:20000, id=35,
>> length=202
>> NAS-Port-Id = "2059/1"
>> Calling-Station-Id = "00-15-00-01-C0-D1"
>> Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF"
>> Service-Type = Framed-User
>> User-Name = "unrz06"
>> State = 0x...
>> EAP-Message = 0x...
>> NAS-Port-Type = Wireless-802.11
>> NAS-Identifier = "Trapeze"
>> NAS-IP-Address = 131.188.4.190
>> Message-Authenticator = 0x...
>
> The username looks like a machine name for .uni-erlangen.de. Do you
> intend to use machine authentication? If so, what does a successful
> request look like? Note that it seems to only find matching DEFAULT
> entries, so peap would be impossible, as no User-Password is known to
> freeradius. Otherwise, you should check your XP setup to use the
> intended username/password credentials combo.
>
... no, that is not a machine name or something. This is a subsequent
request, after a password has been submitted (looking at EAP-Message,
Authenticator and so on).
But looking back at the full request:
rad_recv: Access-Request packet from host 131.188.4.190:20000, id=35,
length=202
NAS-Port-Id = "2059/1"
Calling-Station-Id = "00-15-00-01-C0-D1"
Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF"
Service-Type = Framed-User
User-Name = "unrz06"
State = 0x...
EAP-Message = 0x...
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "Trapeze"
NAS-IP-Address = 131.188.4.190
Message-Authenticator = 0x...
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 228
modcall[authorize]: module "preprocess" returns ok for request 228
modcall[authorize]: module "chap" returns noop for request 228
modcall[authorize]: module "mschap" returns noop for request 228
rlm_eap: EAP packet type response id 14 length 53
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 228
users: Matched entry DEFAULT at line 12
modcall[authorize]: module "files" returns ok for request 228
rlm_ldap: - authorize
modcall[authorize]: module "ldap" returns ok for request 228
modcall[authorize]: module "perl" returns ok for request 228
modcall: leaving group authorize (returns updated) for request 228
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 228
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
(other): SSL negotiation finished successfully
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
SSL Connection Established
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 228
modcall: leaving group authenticate (returns reject) for request 228
auth: Failed to validate the user.
Login incorrect: [unrz06] (from client QRA-MX port 0 cli 00-15-00-01-C0-D1)
Sending Access-Reject of id 35 to 131.188.4.190 port 20000
EAP-Message = 0x040e0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 228
I do not get the reason why this request is rejected!
Why does the module "eap" reject a request? How can I debug eap?
> regards
> K. Hoercher
Thanks and best regards
F.Prester
--
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Martensstr. 1
91052 Erlangen
Germany
Tel.: +499131 8527813
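A small helper for the "how can I debug eap" question, added here as an example and not part of the thread or of FreeRADIUS itself: it walks debug output in the FreeRADIUS 1.x format quoted above, records each module's return code per request and section, notes the EAP type in use, and decodes the EAP header of the final EAP-Message (0x040e0004 above is an EAP Failure, id 14, length 4, i.e. the reply to the "response id 14" the log shows). The sample log is a constructed, condensed excerpt in the shape of request 228 above.

```python
import re
from collections import defaultdict

# Constructed sample: a condensed excerpt in the shape of the FreeRADIUS 1.x
# debug output quoted in the mail (request 228, rejected after PEAP/TLS).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 131.188.4.190:20000, id=35, length=202
rlm_eap: EAP packet type response id 14 length 53
modcall[authorize]: module "eap" returns updated for request 228
modcall[authorize]: module "files" returns ok for request 228
rad_check_password: Found Auth-Type EAP
rlm_eap: processing type peap
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns reject for request 228
Sending Access-Reject of id 35 to 131.188.4.190 port 20000
EAP-Message = 0x040e0004
"""

MODCALL = re.compile(r'modcall\[(\w+)\]: module "(\w+)" returns (\w+) for request (\d+)')
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748

def decode_eap_header(hexstr):
    """Decode the 4-byte EAP header (code, identifier, length) of an EAP-Message value."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    return {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}

def summarize(log):
    """Per request id: module return codes by section, the first module that
    returned reject, the EAP type processed, and the decoded final EAP-Message."""
    reqs = defaultdict(lambda: {"modules": [], "reject": None, "eap_type": None, "final_eap": None})
    current = None  # request id of the most recent modcall line
    for line in log.splitlines():
        m = MODCALL.search(line)
        if m:
            section, module, rc, req = m.groups()
            current = req
            r = reqs[req]
            r["modules"].append((section, module, rc))
            if rc == "reject" and r["reject"] is None:
                r["reject"] = (section, module)
        elif line.startswith("rlm_eap: processing type ") and current:
            reqs[current]["eap_type"] = line.rsplit(" ", 1)[1]
        elif line.startswith("EAP-Message = 0x") and current:
            reqs[current]["final_eap"] = decode_eap_header(line.split("= ", 1)[1])
    return dict(reqs)
```

Run it over a full `radiusd -X` capture to see, per request, which section and module produced the reject; for the log above that is "eap" in authenticate after the PEAP/TLS exchange, with an EAP Failure sent back.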