PC XP SP2 with 802.1x/PEAP authenticate problem

irena grubnic irena.grubnic at st.t-com.hr
Thu Apr 7 16:37:21 CEST 2011



Hi,

maybe somebody can help me in my attempt to authenticate a supplicant
PC (WinXP SP2 with enabled 802.1x authentication using PEAP and
Authentication Method "Secured password EAP-MSCHAP v2") using
FreeRADIUS Version 2.1.10. The RADIUS client is an ONT (GPON,
802.1x enabled on its Ethernet port).

I have modified 3 RADIUS configuration files:

***********
1.eap.conf*
***********
deafault_eap_type = peap

***************
2.clients.conf*
***************
Added new client (PC is connected to ONT which further forwards
requests to BLM acting as client).

client 10.223.0.131 {
        ipaddr = 10.223.0.131
        secret          = hello123
        require_message_authenticator = no
        nastype     = other     # localhost isn't usually a NAS...
}

The secret password "hello123" is also configured on the related client
(ONT):

RADIUS proxy address | 100.1.1.1
RADIUS proxy secret  | ont343
RADIUS auth server 1 | 10.223.0.13
RADIUS auth secret 1 | hello123
RADIUS auth port 1   | 1812
RADIUS auth server 2 | 0.0.0.0
RADIUS auth secret 2 | -
RADIUS auth port 2   | 0
RADIUS auth server 3 | 0.0.0.0
RADIUS auth secret 3 | -
RADIUS auth port 3   | 0

********
3.users*
********

Added new entry for PC using its MAC address for credentials:
00:02:a5:f8:70:29 Cleartext-Password := "00:02:a5:f8:70:29"


When I try to authenticate the PC by entering its MAC address as user
name/password, a RADIUS Access-Reject message is generated by FreeRADIUS
and in the debug window the following output is obtained:



rad_recv: Access-Request packet from host 10.223.0.131 port 65534, id=71, length=142
        NAS-IP-Address = 100.1.1.1
        NAS-Port-Id = "1.2"
        Framed-MTU = 1024
        User-Name = "00-02-A5-F8-70-29"
        Calling-Station-Id = "00-02-A5-F8-70-29"
        Message-Authenticator = 0xe990ef46d4eaddc9760eff3924f3613e
        EAP-Message = 0x025200160130303a30323a61353a66383a37303a3239
        NAS-Identifier = "PENKALA"
        Ericsson-Attr-101 = 0x4552494353534f4e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "00-02-A5-F8-70-29", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 82 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 00-02-A5-F8-70-29
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 71 to 10.223.0.131 port 65534
Waking up in 4.9 seconds.
Cleaning up request 0 ID 71 with timestamp +160
Ready to process requests.

Please can you help me with this issue? I assume I missed
something related to configuration.

BR,
Irena