a newbie testing freeradius need help
jreubens
jennie_susan at yahoo.com
Wed Apr 23 09:33:35 CEST 2008
Hi,
I am a newbie trying to test FreeRADIUS for my master's thesis. I installed
FreeRADIUS two days ago and did some initial testing; the initial test went
through, so the RADIUS server is running properly. Before I move on I wanted
to test the EAP modules, so I tried to test with the help of the eapol_test tool
that comes with wpa_supplicant. I cannot succeed; I get a failure message. I
am really very new to Linux and to FreeRADIUS. Can someone help me with what I
should do? I can only move further with my thesis if and only if
I figure this out.
Thank you for the help, I really appreciate any kind of help or suggestion.
Thanks once again, below are my conf files and screen output.
HERE IS MY SCREEN OUTPUT FROM THE RADIUS SERVER
Ready to process requests.
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0x948a064fcafc2f8442938817c4f353d7
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
EAP-Message = 0x010100160410a3803def371cc0ea374b74fd8923747b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x47545c0a47555820cf82ad36ba08594f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100060319
State = 0x47545c0a47555820cf82ad36ba08594f
Message-Authenticator = 0x0d125e124530442dfbf043c5d6e55468
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: NAK asked for unsupported type 25
rlm_eap: No common EAP types found.
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client localhost port 0 cli 02-00-00-00-00-01)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +28
Waking up in 0.9 seconds.
Cleaning up request 1 ID 1 with timestamp +28
Ready to process requests.
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0xfbfadf8ca2d1f2729ac2cabcc17dee20
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
EAP-Message = 0x010100160410fd28d3fff4edc58e80c666087e278736
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x383b40dc383a4460283057087d150429
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100060319
State = 0x383b40dc383a4460283057087d150429
Message-Authenticator = 0xc4d3cf883588c4ac6c34a66de5a82aa8
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: NAK asked for unsupported type 25
rlm_eap: No common EAP types found.
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client localhost port 0 cli 02-00-00-00-00-01)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 2 ID 0 with timestamp +154
Waking up in 0.9 seconds.
Cleaning up request 3 ID 1 with timestamp +154
Ready to process requests.
HERE IS MY SCREEN OUTPUT FROM EAPOL_TEST TOOL
Reading configuration file 'eapol_test.conf.peap'
Line: 1 - start of a new network block
eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00
eapol_flags=0 (0x0)
key_mgmt: 0x8
identity - hexdump_ascii(len=8):
74 65 73 74 75 73 65 72 testuser
password - hexdump_ascii(len=8):
70 61 73 73 77 6f 72 64 password
ca_cert - hexdump_ascii(len=33):
2f 75 73 72 2f 6c 6f 63 61 6c 2f 65 74 63 2f 72 /usr/local/etc/r
61 64 64 62 2f 63 65 72 74 73 2f 63 61 2e 70 65 addb/certs/ca.pe
6d m
phase2 - hexdump_ascii(len=13):
61 75 74 68 3d 4d 53 43 48 41 50 56 32 auth=MSCHAPV2
anonymous_identity - hexdump_ascii(len=9):
61 6e 6f 6e 79 6d 6f 75 73 anonymous
Priority group 0
id=0 ssid=''
Authentication server 127.0.0.1:1812
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using anonymous identity - hexdump_ascii(len=9):
61 6e 6f 6e 79 6d 6f 75 73 anonymous
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=14)
TX EAP -> RADIUS - hexdump(len=14): 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=9): 61 6e 6f 6e 79 6d 6f 75 73
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=126
Attribute 1 (User-Name) length=11
Value: 'anonymous'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=16
Value: 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73
Attribute 80 (Message-Authenticator) length=18
Value: fb fa df 8c a2 d1 f2 72 9a c2 ca bc c1 7d ee 20
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 80 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
Attribute 79 (EAP-Message) length=24
Value: 01 01 00 16 04 10 fd 28 d3 ff f4 ed c5 8e 80 c6 66 08 7e 27 87 36
Attribute 80 (Message-Authenticator) length=18
Value: 9c 1e f2 5d 0e 72 cd 49 88 c9 24 f5 2c bc ae 3a
Attribute 24 (State) length=18
Value: 38 3b 40 dc 38 3a 44 60 28 30 57 08 7d 15 04 29
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server:
EAP-Request-MD5 (4)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: configuration does not allow: vendor 0 method 4
EAP: vendor 0 method 4 not allowed
EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=1): 19
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 19
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=136
Attribute 1 (User-Name) length=11
Value: 'anonymous'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=8
Value: 02 01 00 06 03 19
Attribute 24 (State) length=18
Value: 38 3b 40 dc 38 3a 44 60 28 30 57 08 7d 15 04 29
Attribute 80 (Message-Authenticator) length=18
Value: c4 d3 cf 88 35 88 c4 ac 6c 34 a6 6d e5 a8 2a a8
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=1 length=44
Attribute 79 (EAP-Message) length=6
Value: 04 01 00 04
Attribute 80 (Message-Authenticator) length=18
Value: c2 b7 ec 8f d8 87 c9 c1 77 52 2d 40 8a 9e 9a a5
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 1.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=1 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
MPPE keys OK: 0 mismatch: 2
FAILURE
root@ozzy3:/home/jreubens/wpa_supplicant-0.5.10#
HERE IS MY EAPOL_TEST_PEAP CONF FILE
root@ozzy3:/home/jreubens/wpa_supplicant-0.5.10# cat eapol_test.conf.peap
network={
    eap=PEAP
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="testuser"
    password="password"
    ca_cert="/usr/local/etc/raddb/certs/ca.pem"
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous"
}
HERE IS MY EAP.CONF FILE ON RADDB DIR
eap {
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        # fragment_size = 1024
        # include_length = yes
        cipher_list = "DEFAULT"
        # make_cert_command = "${certdir}/bootstrap"
    }
    ttls {
        default_eap_type = md5
        # allowed values: {no, yes}
        copy_request_to_tunnel = no
        # allowed values: {no, yes}
        use_tunneled_reply = no
        #virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
Sorry to ask you some naive questions, I am really new to this. One more
question: whenever I change something in my eap.conf, users and client.conf
files, I kill the existing radiusd that is running and start a new radiusd. Is that
right, or is there any way to restart radiusd?
Thank you all and thank you for your time,
Regards,
Jreuben
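Added example, not part of the original message: decoding the four EAP-Message values from the first exchange in the server output shows the method negotiation byte by byte. The server offers MD5-Challenge (type 4), the peer answers with a Nak asking for type 25 (PEAP), and the server replies with EAP-Failure. The function names and the direction labels are assumptions introduced here.

```python
import struct

# EAP codes and a few method types (RFC 3748 / IANA EAP registry).
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
         21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2"}

def parse_eap(hex_value):
    """Decode one EAP-Message value as printed in the radiusd debug output."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field disagrees with the data")
    pkt = {"code": CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:        # only Request/Response carry a Type
        eap_type, body = raw[4], raw[5:length]
        pkt["type"] = TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            pkt["identity"] = body.decode("utf-8", "replace")
        elif eap_type == 3:                  # Nak: methods the peer would accept
            pkt["wanted"] = [TYPES.get(t, t) for t in body]
        elif eap_type == 4 and body:         # MD5-Challenge: Value-Size, Value
            pkt["challenge"] = body[1:1 + body[0]].hex()
    return pkt

# EAP-Message values copied from the first exchange in the server output above;
# the direction labels are added here.
EXCHANGE = [
    ("peer->server", "0x0200000e01616e6f6e796d6f7573"),
    ("server->peer", "0x010100160410a3803def371cc0ea374b74fd8923747b"),
    ("peer->server", "0x020100060319"),
    ("server->peer", "0x04010004"),
]

def negotiation_summary(exchange):
    """Return (method the server offered, methods the peer asked for, final code)."""
    offered, wanted, last = None, [], None
    for _direction, value in exchange:
        pkt = parse_eap(value)
        last = pkt["code"]
        if pkt["code"] == "Request" and pkt.get("type") != "Identity":
            offered = pkt.get("type")
        elif pkt.get("type") == "Nak":
            wanted = pkt["wanted"]
    return offered, wanted, last

if __name__ == "__main__":
    for direction, value in EXCHANGE:
        print(direction, parse_eap(value))
    print(negotiation_summary(EXCHANGE))
```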