problem in autehtication with EAP-MD5
tnt at kalik.co.yu
tnt at kalik.co.yu
Thu May 31 10:23:18 CEST 2007
Sorry, didn't see the atach. Have you restarted the server since
changing user config? That DEFAULT entry for Framed-User should also
match.
Ivan Kalik
Kalik Informatika ISP
Dana 31/5/2007, "shantanu choudhary" <shantanu_843 at yahoo.co.in> piše:
>this is server side output!!!!
>
>rad_recv: Access-Request packet from host 192.168.2.182:1027, id=4, length=177
> Message-Authenticator = 0x758e436fc2b17672ad389e0ffeca2982
> Service-Type = Framed-User
> User-Name = "testuser"
> Framed-MTU = 1488
> Called-Station-Id = "00-03-7F-09-60-A0:ATH182"
> Calling-Station-Id = "00-03-7F-05-C0-9C"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 54Mbps 802.11g"
> EAP-Message = 0x0204000d017465737475736572
> NAS-IP-Address = 192.168.2.182
> NAS-Port = 1
> NAS-Port-Id = "STA port # 1"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 20
> modcall[authorize]: module "preprocess" returns ok for request 20
> modcall[authorize]: module "chap" returns noop for request 20
> modcall[authorize]: module "mschap" returns noop for request 20
> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 20
> rlm_eap: EAP packet type response id 4 length 13
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 20
> users: Matched entry testuser at line 155
> modcall[authorize]: module "files" returns ok for request 20
>rlm_pap: Found existing Auth-Type, not changing it.
> modcall[authorize]: module "pap" returns noop for request 20
>modcall: leaving group authorize (returns updated) for request 20
> rad_check_password: Found Auth-Type EAP
>auth: type "EAP"
> Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 20
> rlm_eap: EAP Identity
> rlm_eap: processing type md5
>rlm_eap_md5: Issuing Challenge
> modcall[authenticate]: module "eap" returns handled for request 20
>modcall: leaving group authenticate (returns handled) for request 20
>Sending Access-Challenge of id 4 to 192.168.2.182 port 1027
> EAP-Message = 0x010500160410ef33bbaf01824abdd6b6989b2cc698ec
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x4f68ec51f7791041fc61be6441d9ea92
>Finished request 20
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 6 seconds...
>rad_recv: Access-Request packet from host 192.168.2.182:1027, id=5, length=204
> Message-Authenticator = 0xb98d04dcd12bbaa2dc7f6314231061bc
> Service-Type = Framed-User
> User-Name = "testuser"
> Framed-MTU = 1488
> State = 0x4f68ec51f7791041fc61be6441d9ea92
> Called-Station-Id = "00-03-7F-09-60-A0:ATH182"
> Calling-Station-Id = "00-03-7F-05-C0-9C"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 54Mbps 802.11g"
> EAP-Message = 0x020500160410a221ad85e41c1260d31c5d14036dfce1
> NAS-IP-Address = 192.168.2.182
> NAS-Port = 1
> NAS-Port-Id = "STA port # 1"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 21
> modcall[authorize]: module "preprocess" returns ok for request 21
> modcall[authorize]: module "chap" returns noop for request 21
> modcall[authorize]: module "mschap" returns noop for request 21
> rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 21
> rlm_eap: EAP packet type response id 5 length 22
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 21
> users: Matched entry testuser at line 155
> modcall[authorize]: module "files" returns ok for request 21
>rlm_pap: Found existing Auth-Type, not changing it.
> modcall[authorize]: module "pap" returns noop for request 21
>modcall: leaving group authorize (returns updated) for request 21
> rad_check_password: Found Auth-Type EAP
>auth: type "EAP"
> Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 21
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/md5
> rlm_eap: processing type md5
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns ok for request 21
>modcall: leaving group authenticate (returns ok) for request 21
>Sending Access-Accept of id 5 to 192.168.2.182 port 1027
> EAP-Message = 0x03050004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "testuser"
>Finished request 21
>Going to the next request
>Waking up in 6 seconds...
>--- Walking the entire request list ---
>
>it is sending an access accept packet!!!
>my user file is like this:-
>its an attachment(users)
>thanks for ur help,
>
>regards
>shantanu
>
>tnt at kalik.co.yu wrote: Client output isn't showing Access-Accept packet content. Post radiusd
>-X output and your users file.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>
>Dana 31/5/2007, "shantanu choudhary" piše:
>
>>hello,
>>this is my client side output:
>>Authentication with 00:03:7f:09:60:a0 timed out.
>>Added BSSID 00:03:7f:09:60:a0 into blacklist
>>State: ASSOCIATED -> DISCONNECTED
>>wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
>>WEXT: Operstate: linkmode=-1, operstate=5
>>wpa_driver_wext_disassociate
>>No keys have been configured - skip key clearing
>>EAPOL: External notification - portEnabled=0
>>EAPOL: SUPP_PAE entering state DISCONNECTED
>>EAPOL: SUPP_BE entering state INITIALIZE
>>EAP: EAP entering state DISABLED
>>EAPOL: External notification - portValid=0
>>Setting scan request: 0 sec 0 usec
>>State: DISCONNECTED -> SCANNING
>>Starting AP scan (specific SSID)
>>Scan SSID - hexdump_ascii(len=6):
>> 41 54 48 31 38 32 ATH182
>>RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
>>Wireless event: cmd=0x8b15 len=20
>>Wireless event: new AP: 00:00:00:00:00:00
>>BSSID 00:03:7f:09:60:a0 blacklist count incremented to 2
>>CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
>>wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
>>wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0
>>wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0
>>wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0
>>wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
>>State: SCANNING -> DISCONNECTED
>>wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
>>WEXT: Operstate: linkmode=-1, operstate=5
>>EAPOL: External notification - portEnabled=0
>>EAPOL: External notification - portValid=0
>>RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
>>RTM_NEWLINK, IFLA_IFNAME: Interface 'ath0' added
>>RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
>>Wireless event: cmd=0x8b19 len=8
>>Received 1844 bytes of scan results (7 BSSes)
>>Scan results: 7
>>Selecting BSS from priority group 0
>>0: 00:03:7f:09:60:7e ssid='ATH183' wpa_ie_len=0 rsn_ie_len=22 caps=0x11
>> skip - SSID mismatch
>>1: 00:03:7f:09:60:a0 ssid='ATH182' wpa_ie_len=0 rsn_ie_len=26 caps=0x11
>> skip - blacklisted
>>2: 00:18:0a:01:0f:31 ssid='AUKBC_MESH' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
>> skip - no WPA/RSN IE
>>3: 00:a0:f8:ce:7d:18 ssid='symbol3' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
>> skip - no WPA/RSN IE
>>4: 00:03:7f:09:60:15 ssid='AUKBC4' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
>> skip - no WPA/RSN IE
>>5: 00:18:0a:01:03:fe ssid='AUKBC_MESH' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
>> skip - no WPA/RSN IE
>>6: 00:18:0a:01:07:34 ssid='AUKBC_MESH' wpa_ie_len=0 rsn_ie_len=0 caps=0x1
>> skip - no WPA/RSN IE
>>No APs found - clear blacklist and try again
>>Removed BSSID 00:03:7f:09:60:a0 from blacklist (clear)
>>Selecting BSS from priority group 0
>>0: 00:03:7f:09:60:7e ssid='ATH183' wpa_ie_len=0 rsn_ie_len=22 caps=0x11
>> skip - SSID mismatch
>>1: 00:03:7f:09:60:a0 ssid='ATH182' wpa_ie_len=0 rsn_ie_len=26 caps=0x11
>> selected based on RSN IE
>>Trying to associate with 00:03:7f:09:60:a0 (SSID='ATH182' freq=2437 MHz)
>>Cancelling scan request
>>WPA: clearing own WPA/RSN IE
>>Automatic auth_alg selection: 0x1
>>RSN: using IEEE 802.11i/D9.0
>>WPA: Selected cipher suites: group 8 pairwise 24 key_mgmt 1 proto 2
>>WPA: clearing AP WPA IE
>>WPA: set AP RSN IE - hexdump(len=26): 30 18 01 00 00 0f ac 02 02 00 00 0f ac 02 00 0f ac 04 01 00 00 0f ac 01 01 00
>>WPA: using GTK TKIP
>>WPA: using PTK CCMP
>>WPA: using KEY_MGMT 802.1X
>>WPA: Set own WPA IE default - hexdump(len=22): 30 14 01 00 00 0f ac 02 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00
>>No keys have been configured - skip key clearing
>>wpa_driver_wext_set_drop_unencrypted
>>State: DISCONNECTED -> ASSOCIATING
>>wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
>>WEXT: Operstate: linkmode=-1, operstate=5
>>wpa_driver_wext_associate
>>Setting authentication timeout: 10 sec 0 usec
>>EAPOL: External notification - portControl=Auto
>>RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
>>Wireless event: cmd=0x8b06 len=8
>>RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
>>Wireless event: cmd=0x8b04 len=12
>>RTM_NEWLINK: operstate=0 ifi_flags=0x1003 ([UP])
>>Wireless event: cmd=0x8b1a len=14
>>RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
>>Wireless event: cmd=0x8b15 len=20
>>Wireless event: new AP: 00:03:7f:09:60:a0
>>State: ASSOCIATING -> ASSOCIATED
>>wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
>>WEXT: Operstate: linkmode=-1, operstate=5
>>Associated to a new BSS: BSSID=00:03:7f:09:60:a0
>>No keys have been configured - skip key clearing
>>Associated with 00:03:7f:09:60:a0
>>WPA: Association event - clear replay counter
>>EAPOL: External notification - portEnabled=0
>>EAPOL: External notification - portValid=0
>>EAPOL: External notification - portEnabled=1
>>EAPOL: SUPP_PAE entering state CONNECTING
>>EAPOL: SUPP_BE entering state IDLE
>>EAP: EAP entering state INITIALIZE
>>EAP: deinitialize previously used EAP method (4, MD5) at INITIALIZE
>>EAP: EAP entering state IDLE
>>Setting authentication timeout: 10 sec 0 usec
>>Cancelling scan request
>>RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
>>RTM_NEWLINK, IFLA_IFNAME: Interface 'ath0' added
>>RX EAPOL from 00:03:7f:09:60:a0
>>RX EAPOL - hexdump(len=9): 01 00 00 05 01 00 00 05 01
>>Setting authentication timeout: 70 sec 0 usec
>>EAPOL: Received EAP-Packet frame
>>EAPOL: SUPP_PAE entering state RESTART
>>EAP: EAP entering state INITIALIZE
>>EAP: EAP entering state IDLE
>>EAPOL: SUPP_PAE entering state AUTHENTICATING
>>EAPOL: SUPP_BE entering state REQUEST
>>EAPOL: getSuppRsp
>>EAP: EAP entering state RECEIVED
>>EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
>>EAP: EAP entering state IDENTITY
>>CTRL-EVENT-EAP-STARTED EAP authentication started
>>EAP: EAP-Request Identity data - hexdump_ascii(len=0):
>>EAP: using real identity - hexdump_ascii(len=8):
>> 74 65 73 74 75 73 65 72 testuser
>>EAP: EAP entering state SEND_RESPONSE
>>EAP: EAP entering state IDLE
>>EAPOL: SUPP_BE entering state RESPONSE
>>EAPOL: txSuppRsp
>>TX EAPOL - hexdump(len=17): 01 00 00 0d 02 00 00 0d 01 74 65 73 74 75 73 65 72
>>EAPOL: SUPP_BE entering state RECEIVE
>>RX EAPOL from 00:03:7f:09:60:a0
>>RX EAPOL - hexdump(len=26): 01 00 00 16 01 01 00 16 04 10 6d db 12 c2 ff 1f c6 22 64 45 01 07 f9 73 8b 14
>>EAPOL: Received EAP-Packet frame
>>EAPOL: SUPP_BE entering state REQUEST
>>EAPOL: getSuppRsp
>>EAP: EAP entering state RECEIVED
>>EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
>>EAP: EAP entering state GET_METHOD
>>EAP: Initialize selected EAP method: vendor 0 method 4 (MD5)
>>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
>>EAP: EAP entering state METHOD
>>EAP-MD5: Challenge - hexdump(len=16): 6d db 12 c2 ff 1f c6 22 64 45 01 07 f9 73 8b 14
>>EAP-MD5: Generating Challenge Response
>>EAP-MD5: Response - hexdump(len=16): e8 5f fa a3 fe 5d 10 a6 4a 65 11 6d f0 25 19 35
>>EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC
>>EAP: EAP entering state SEND_RESPONSE
>>EAP: EAP entering state IDLE
>>EAPOL: SUPP_BE entering state RESPONSE
>>EAPOL: txSuppRsp
>>TX EAPOL - hexdump(len=26): 01 00 00 16 02 01 00 16 04 10 e8 5f fa a3 fe 5d 10 a6 4a 65 11 6d f0 25 19 35
>>EAPOL: SUPP_BE entering state RECEIVE
>>RX EAPOL from 00:03:7f:09:60:a0
>>RX EAPOL - hexdump(len=8): 01 00 00 04 04 01 00 04
>>EAPOL: Received EAP-Packet frame
>>EAPOL: SUPP_BE entering state REQUEST
>>EAPOL: getSuppRsp
>>EAP: EAP entering state RECEIVED
>>EAP: Received EAP-Failure
>>EAP: EAP entering state DISCARD
>>EAP: EAP entering state IDLE
>>EAPOL: SUPP_BE entering state RECEIVE
>>EAPOL: startWhen --> 0
>>EAPOL: authWhile --> 0
>>EAPOL: SUPP_BE entering state TIMEOUT
>>EAPOL: SUPP_PAE entering state CONNECTING
>>EAPOL: SUPP_BE entering state IDLE
>>RX EAPOL from 00:03:7f:09:60:a0
>>RX EAPOL - hexdump(len=9): 01 00 00 05 01 02 00 05 01
>>EAPOL: Received EAP-Packet frame
>>EAPOL: SUPP_PAE entering state RESTART
>>EAP: EAP entering state INITIALIZE
>>EAP: deinitialize previously used EAP method (4, MD5) at INITIALIZE
>>EAP: EAP entering state IDLE
>>EAPOL: SUPP_PAE entering state AUTHENTICATING
>>EAPOL: SUPP_BE entering state REQUEST
>>EAPOL: getSuppRsp
>>EAP: EAP entering state RECEIVED
>>EAP: Received EAP-Request id=2 method=1 vendor=0 vendorMethod=0
>>EAP: EAP entering state IDENTITY
>>CTRL-EVENT-EAP-STARTED EAP authentication started
>>EAP: EAP-Request Identity data - hexdump_ascii(len=0):
>>EAP: using real identity - hexdump_ascii(len=8):
>> 74 65 73 74 75 73 65 72 testuser
>>EAP: EAP entering state SEND_RESPONSE
>>EAP: EAP entering state IDLE
>>EAPOL: SUPP_BE entering state RESPONSE
>>EAPOL: txSuppRsp
>>TX EAPOL - hexdump(len=17): 01 00 00 0d 02 02 00 0d 01 74 65 73 74 75 73 65 72
>>EAPOL: SUPP_BE entering state RECEIVE
>>RX EAPOL from 00:03:7f:09:60:a0
>>RX EAPOL - hexdump(len=26): 01 00 00 16 01 03 00 16 04 10 68 c8 ea 0c 97 f7 11 d3 f3 2a cd 62 8c 37 4d 40
>>EAPOL: Received EAP-Packet frame
>>EAPOL: SUPP_BE entering state REQUEST
>>EAPOL: getSuppRsp
>>EAP: EAP entering state RECEIVED
>>EAP: Received EAP-Request id=3 method=4 vendor=0 vendorMethod=0
>>EAP: EAP entering state GET_METHOD
>>EAP: Initialize selected EAP method: vendor 0 method 4 (MD5)
>>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
>>EAP: EAP entering state METHOD
>>EAP-MD5: Challenge - hexdump(len=16): 68 c8 ea 0c 97 f7 11 d3 f3 2a cd 62 8c 37 4d 40
>>EAP-MD5: Generating Challenge Response
>>EAP-MD5: Response - hexdump(len=16): 03 76 fc e7 ce bc 66 b6 cd 50 2a 73 b3 cf eb 93
>>EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC
>>EAP: EAP entering state SEND_RESPONSE
>>EAP: EAP entering state IDLE
>>EAPOL: SUPP_BE entering state RESPONSE
>>EAPOL: txSuppRsp
>>TX EAPOL - hexdump(len=26): 01 00 00 16 02 03 00 16 04 10 03 76 fc e7 ce bc 66 b6 cd 50 2a 73 b3 cf eb 93
>>EAPOL: SUPP_BE entering state RECEIVE
>>RX EAPOL from 00:03:7f:09:60:a0
>>RX EAPOL - hexdump(len=8): 01 00 00 04 04 03 00 04
>>EAPOL: Received EAP-Packet frame
>>EAPOL: SUPP_BE entering state REQUEST
>>EAPOL: getSuppRsp
>>EAP: EAP entering state RECEIVED
>>EAP: Received EAP-Failure
>>EAP: EAP entering state DISCARD
>>EAP: EAP entering state IDLE
>>EAPOL: SUPP_BE entering state RECEIVE
>>EAPOL: startWhen --> 0
>>EAPOL: authWhile --> 0
>>EAPOL: SUPP_BE entering state TIMEOUT
>>EAPOL: SUPP_PAE entering state CONNECTING
>>EAPOL: SUPP_BE entering state IDLE
>>RX EAPOL from 00:03:7f:09:60:a0
>>RX EAPOL - hexdump(len=9): 01 00 00 05 01 04 00 05 01
>>EAPOL: Received EAP-Packet frame
>>EAPOL: SUPP_PAE entering state RESTART
>>EAP: EAP entering state INITIALIZE
>>EAP: deinitialize previously used EAP method (4, MD5) at INITIALIZE
>>EAP: EAP entering state IDLE
>>EAPOL: SUPP_PAE entering state AUTHENTICATING
>>EAPOL: SUPP_BE entering state REQUEST
>>EAPOL: getSuppRsp
>>EAP: EAP entering state RECEIVED
>>EAP: Received EAP-Request id=4 method=1 vendor=0 vendorMethod=0
>>EAP: EAP entering state IDENTITY
>>CTRL-EVENT-EAP-STARTED EAP authentication started
>>EAP: EAP-Request Identity data - hexdump_ascii(len=0):
>>EAP: using real identity - hexdump_ascii(len=8):
>> 74 65 73 74 75 73 65 72 testuser
>>EAP: EAP entering state SEND_RESPONSE
>>EAP: EAP entering state IDLE
>>EAPOL: SUPP_BE entering state RESPONSE
>>
>>
>>the problem is i am getting EAP-FAILURE on client side even when server is giving ACCESS-ACCEPT!!!!
>>i am not able to figure out the problem output of server is same as that in earlier mail,
>>one more thing what will be end message of this, will it be authentication or association? When i run GUI for supplicant it is showing associated not authenticated! is it end of connection and after it should i get an IP from that AP, even if i try for DHCP i am not able to get an IP!!!!
>>it is all messed up, please do reply for this prob!!!
>>regards
>>shantanu
>>
>>tnt at kalik.co.yu wrote: Well, now you dont have any IP address in your accept packet. Not a
>>problem if you are doing DHCP. Otherwise you need to return IP address,
>>netmask, MTU, Service-Type, DNS servers etc.
>>
>>Leave that Framed-User DEFAULT entry alone - it should be there. You need
>>to add stuff to your user config:
>>
>>testuser Cleartext-Password:=yourpassword
>> Framed-IP-Address=1.2.3.4
>> Framed-MTU=yourMTU
>> Framed-IP-Netmask=255.255.255.255
>>etc.
>>
>>Ivan Kalik
>>Kalik Informatika ISP
>>
>>
>>Dana 30/5/2007, "shantanu choudhary" piše:
>>
>>--- snip ---
>>>Sending Access-Accept of id 2 to 192.168.2.182 port 1028
>>> EAP-Message = 0x03020004
>>> Message-Authenticator = 0x00000000000000000000000000000000
>>> User-Name = "testuser"
>>>Finished request 1
>>>Going to the next request
>>>Waking up in 6 seconds...
>>>--- Walking the entire request list ---
>>>Cleaning up request 0 ID 1 with timestamp 465d506e
>>>Cleaning up request 1 ID 2 with timestamp 465d506e
>>>Nothing to do. Sleeping until we see a request.
>>>
>>>it is sending ACCESS ACCEPT but no access reject or failure!!!!
>>>and when i try to check AP statistics from server it is showing an entry for AUTHENTICATION FAILURE!!!!!!!
>>>
>>>sorry for disturbing u again n again but can u help me out????
>>>please!!
>>>shantanu
>>>
>>
>>-
>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>
>>
>>
>>
>>---------------------------------
>> Did you know? You can CHAT without downloading messenger. Know how!
>>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>
>
>
>---------------------------------
> Download prohibited? No problem! CHAT from any browser, without download.
>
More information about the Freeradius-Users
mailing list