PC XP SP2 with 802.1x/PEAP authenticate problem

igrubnic irena.grubnic at st.t-com.hr
Fri Apr 8 14:39:15 CEST 2011


Hi Alan,
Thank you for the reply. I googled and found how to configure the PC according to ch. 4:

http://h17007.www1.hp.com/docs/interoperability/Microsoft/4AA2-1531EEE.pdf

On the PC I have a pop-up window which asks for credentials (username and pwd), and
for the PC I have defined the following entry (deleted the old one including the MAC):

gponpc3 Cleartext-Password := "pw4gponpc3"

It works (as expected) with a radtest check:
bash-3.2$ sudo radtest gponpc3 pw4gponpc3 127.0.0.1 0 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 1812
        User-Name = "gponpc3"
        User-Password = "pw4gponpc3"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=108, length=20

But when I enter that username/pwd on the PC, again the same debug output is obtained:

Ready to process requests.
rad_recv: Access-Request packet from host 10.223.0.131 port 65534, id=16, length=132
        NAS-IP-Address = 100.1.1.1
        NAS-Port-Id = "1.2"
        Framed-MTU = 1024
        User-Name = "00-02-A5-F8-70-29"
        Calling-Station-Id = "00-02-A5-F8-70-29"
        Message-Authenticator = 0x9ea1afaf433c44fbe0e5197d6a2a0292
        EAP-Message = 0x0279000c0167706f6e706333
        NAS-Identifier = "PENKALA"
        Ericsson-Attr-101 = 0x4552494353534f4e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "00-02-A5-F8-70-29", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 121 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 00-02-A5-F8-70-29
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 16 to 10.223.0.131 port 65534
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.223.0.131 port 65534, id=16, length=132
Sending duplicate reply to client 10.223.0.131 port 65534 - ID: 16
Sending Access-Reject of id 16 to 10.223.0.131 port 65534
Waking up in 4.7 seconds.
Cleaning up request 0 ID 16 with timestamp +44
Ready to process requests.


It seems that the authenticator has the field User-Name = "00-02-A5-F8-70-29" set
according to RFC 3580, ch. 3.1, regardless of what I define in the users file:

3.1.  User-Name

   In IEEE 802.1X, the Supplicant typically provides its identity via an
   EAP-Response/Identity message.  Where available, the Supplicant
   identity is included in the User-Name attribute, and included in the
   RADIUS Access-Request and Access-Reply messages as specified in
   [RFC2865] and [RFC3579].

   Alternatively, as discussed in [RFC3579] Section 2.1., the User-Name   <------
   attribute may contain the Calling-Station-ID value, which is set to    <------
   the Supplicant MAC address.                                            <------

Please, can you comment again?

I have captured 2 Wireshark traces:
- between server and authenticator
- between authenticator and supplicant

From the Wireshark trace (RADIUS_AUTH_SUPPLICANT.pcap) it can be observed that the
identity obtained from the PC is gponpc3 (the username I entered in the pop-up window).
Please let me know
if you are interested in seeing those WS traces and how I can post them to you.

Thank you in advance,
Irena


--
View this message in context: http://freeradius.1045715.n5.nabble.com/PC-XP-SP2-with-802-1x-PEAP-authenticate-problem-tp4288722p4290719.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
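The debug output above carries both the RADIUS User-Name the authenticator filled in and the raw EAP-Message attribute; the log line "Identity does not match User-Name" is FreeRADIUS comparing the two. The following is an added example (not code from the original post and not FreeRADIUS's own code) that decodes the EAP-Message hex dump according to the EAP header layout in RFC 3748 section 4 (Code, Identifier, Length, Type, then the Identity payload), and reports whether the EAP-Response/Identity matches the User-Name in the same Access-Request. The SAMPLE_REQUEST text is constructed from the debug lines quoted in the message; the function names are mine.

```python
"""Decode the EAP-Message attribute from FreeRADIUS debug output and
compare the EAP identity with the RADIUS User-Name.

Added example; not from the original post or from FreeRADIUS. Function
names and the sample text are assumptions for illustration.
"""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1  # RFC 3748 section 5.1

# Constructed sample: the Access-Request from the debug output in the
# message above, reduced to the rad_recv line and its attribute lines.
SAMPLE_REQUEST = """\
rad_recv: Access-Request packet from host 10.223.0.131 port 65534, id=16, length=132
        NAS-IP-Address = 100.1.1.1
        NAS-Port-Id = "1.2"
        Framed-MTU = 1024
        User-Name = "00-02-A5-F8-70-29"
        Calling-Station-Id = "00-02-A5-F8-70-29"
        Message-Authenticator = 0x9ea1afaf433c44fbe0e5197d6a2a0292
        EAP-Message = 0x0279000c0167706f6e706333
        NAS-Identifier = "PENKALA"
"""

# Indented "Name = value" lines as printed by radiusd -X.
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$")


def parse_attributes(debug_text):
    """Return (name, value) pairs in order; a list rather than a dict
    because EAP-Message may repeat when the EAP packet exceeds one
    RADIUS attribute (253 bytes) and must be concatenated."""
    attrs = []
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs.append((name, value))
    return attrs


def decode_eap(hexstr):
    """Parse one EAP packet given as hex (with or without 0x prefix)."""
    if hexstr.lower().startswith("0x"):
        hexstr = hexstr[2:]
    data = bytes.fromhex(hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(data))
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP Length %d != %d bytes present" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response needs a Type byte")
        pkt["type"] = data[4]
        if data[4] == EAP_TYPE_IDENTITY:
            # Identity payload is the rest of the packet (RFC 3748 5.1).
            pkt["identity"] = data[5:].decode("utf-8", errors="replace")
    return pkt


def check_identity(debug_text):
    """Compare the EAP-Response/Identity with the RADIUS User-Name."""
    attrs = parse_attributes(debug_text)
    user_name = next((v for n, v in attrs if n == "User-Name"), None)
    eap_hex = "".join(v[2:] if v.lower().startswith("0x") else v
                      for n, v in attrs if n == "EAP-Message")
    if not eap_hex:
        raise ValueError("no EAP-Message attribute in request")
    pkt = decode_eap(eap_hex)
    identity = pkt.get("identity")
    return {
        "user_name": user_name,
        "eap_id": pkt["id"],
        "eap_length": pkt["length"],
        "identity": identity,
        "matches": identity is not None and identity == user_name,
    }


if __name__ == "__main__":
    print(check_identity(SAMPLE_REQUEST))
```

Running it on the sample gives EAP id 121 and length 12, exactly the values in the "[eap] EAP packet type response id 121 length 12" debug line, with identity "gponpc3" and User-Name "00-02-A5-F8-70-29", so `matches` is False; the same request with User-Name set to "gponpc3" reports a match.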


