Freeradius not authenticating Wireless Clients

Seann Clark nombrandue at tsukinokage.net
Wed Sep 30 16:56:49 CEST 2009


All,

    I have been having problems with my freeradius server for the past 24
hours; it seems that the radius server isn't authenticating EAP-TLS
clients from my wireless network. I am looking for a little advice from
the local subject matter experts. I am running a Vista and an XP Home
client right now. Both worked; I rebuilt the Vista machine and wasn't
able to authenticate. My WAP tends to not service Radius requests when
the radius server goes away for whatever reason, and the fix is just to
cycle power on it. It is a WRT54GS by Linksys, and after the last power
cycle, it just doesn't authenticate clients anymore. If it is the WAP, I
am wondering what suggestions people have for a good WAP that is stable
and runs WPA2 Enterprise? What I am seeing from Radiusd on Debug mode is:

rad_recv: Access-Request packet from host 192.168.10.10 port 1784, id=1, length=152
        User-Name = "mizu.tsukinokage.net"
        NAS-IP-Address = 192.168.10.10
        Called-Station-Id = "001c10486288"
        Calling-Station-Id = "0014a5a6a5cc"
        NAS-Identifier = "001c10486288"
        NAS-Port = 15
        Framed-MTU = 1400
        State = 0x639a9b23609f96504f388f2c9ad13fd9
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020500060d00
        Message-Authenticator = 0x1f961b8013c153936ae43b6773041886
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 5 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.10.10 port 1784
        EAP-Message = 0x0c060355040713054f6d6168613120301e060355040a13175473756b696e6f6b61676520456e746572707269736573311c301a060355040b13134e6574776f726b20456e67696e656572696e67311f301d060355040313166861727568692e7473756b696e6f6b6167652e6e65743129302706092a864886f70d010901161a6e6f6d6272616e647565407473756b696e6f6b6167652e6e65740e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x639a9b23679c96504f388f2c9ad13fd9
Finished request 67.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.10 port 1786, id=1, length=152
        User-Name = "mizu.tsukinokage.net"
        NAS-IP-Address = 192.168.10.10
        Called-Station-Id = "001c10486288"
        Calling-Station-Id = "0014a5a6a5cc"
        NAS-Identifier = "001c10486288"
        NAS-Port = 15
        Framed-MTU = 1400
        State = 0x639a9b23679c96504f388f2c9ad13fd9
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020600060d00
        Message-Authenticator = 0x0bafacf4ec9889421fde967080dbc63d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 6 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.10.10 port 1786
        EAP-Message = 0x0107000a0d8000000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x639a9b23669d96504f388f2c9ad13fd9
Finished request 68.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 63 ID 1 with timestamp +594
Cleaning up request 64 ID 1 with timestamp +594
Cleaning up request 65 ID 1 with timestamp +594
Cleaning up request 66 ID 1 with timestamp +594
Cleaning up request 67 ID 1 with timestamp +594
Cleaning up request 68 ID 1 with timestamp +594
Ready to process requests.
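
Decoding the short EAP-Message values in the debug output above shows what each side put on the wire. This is an added example, not part of the original post or of FreeRADIUS; the helper name `decode_eap_tls` is hypothetical, and the field layout follows RFC 3748 (EAP header) and RFC 5216 (EAP-TLS flags).

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13  # EAP-TLS method number (RFC 5216)


def decode_eap_tls(hex_value):
    """Decode a whole EAP packet given as hex (hypothetical helper).

    A RADIUS EAP-Message attribute carries at most 253 bytes, so when a
    packet spans several attributes, pass their values concatenated.
    """
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, "Unknown"), "id": ident,
            "length": length, "complete": length == len(raw)}
    if code not in (1, 2) or len(raw) < 6:
        return info  # no type field, or too short to hold EAP-TLS flags
    info["type"] = raw[4]
    if raw[4] != EAP_TYPE_TLS:
        return info
    flags = raw[5]
    info["length_included"] = bool(flags & 0x80)  # L bit
    info["more_fragments"] = bool(flags & 0x40)   # M bit
    info["tls_start"] = bool(flags & 0x20)        # S bit
    offset = 6
    if info["length_included"]:
        if len(raw) < 10:
            raise ValueError("L bit set but TLS Message Length missing")
        info["tls_message_length"] = struct.unpack("!I", raw[6:10])[0]
        offset = 10
    info["tls_data_len"] = len(raw) - offset
    # RFC 5216 fragment ACK: a Response of type EAP-TLS carrying no data
    info["is_ack"] = code == 2 and flags == 0 and info["tls_data_len"] == 0
    return info


# Values copied from the debug output above
SAMPLES = ["0x020500060d00", "0x020600060d00", "0x0107000a0d8000000000"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, decode_eap_tls(sample))
```

Both client packets decode as EAP-TLS fragment ACKs (ids 5 and 6), and the server's final Access-Challenge is an EAP-TLS Request with id 7, the L bit set, a TLS Message Length of 0 and no TLS data.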