<div>
<div>Kedar,</div>
<div> </div>
<div>I have used response becoz, I will be sending a EAP-Identity reponse packet to the Radius Server. So the code field is not Request it should be Response.<br> </div></div>
<div>All,</div>
<div> </div>
<div>Thanks for the help. I was able send the EAP message with EAP-Type-Identity field.</div>
<div> </div>
<div>I have got an Access-Challenge response from the server, and the Access-Request sent in response to this challenge is failing (Access-Reject is sent by the server). Below i have given the debug log from the server,</div>
<div>--------------------------------------------------------------------------------------------------------------------------------</div>
<div>rad_recv: Access-Request packet from host <a href="http://127.0.0.1:32825">127.0.0.1:32825</a>, id=60, length=113<br> User-Name = "jrc"<br> User-Password = "jrc"<br> NAS-Identifier = "jrcnas"
<br> NAS-Port-Type = Ethernet<br> CUI = "0"<br> Service-Type = Framed-User<br> Framed-MTU = 1400<br> Calling-Station-Id = "1:1:1:1:1:1"<br> Message-Authenticator = 0xaff453c7f7e3dc3639458de9740366a1
<br> EAP-Message = 0x02d20008016a7263<br> Processing the authorize section of radiusd.conf<br>modcall: entering group authorize for request 1<br> modcall[authorize]: module "preprocess" returns ok for request 1
<br> modcall[authorize]: module "chap" returns noop for request 1<br> modcall[authorize]: module "mschap" returns noop for request 1<br> rlm_realm: No <a href="mailto:'@'">'@'</a> in User-Name = "jrc", looking up realm NULL
<br> rlm_realm: No such realm "NULL"<br> modcall[authorize]: module "suffix" returns noop for request 1<br> rlm_eap: EAP packet type response id 210 length 8<br> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
<br> modcall[authorize]: module "eap" returns updated for request 1<br> users: Matched entry DEFAULT at line 152<br> users: Matched entry jrc at line 179<br> modcall[authorize]: module "files" returns ok for request 1
<br>modcall: leaving group authorize (returns updated) for request 1<br> rad_check_password: Found Auth-Type EAP<br>auth: type "EAP"<br> Processing the authenticate section of radiusd.conf<br>modcall: entering group authenticate for request 1
<br> rlm_eap: EAP Identity<br> rlm_eap: processing type md5<br>rlm_eap_md5: Issuing Challenge<br> modcall[authenticate]: module "eap" returns handled for request 1<br>modcall: leaving group authenticate (returns handled) for request 1
<br>Sending Access-Challenge of id 60 to <a href="http://127.0.0.1">127.0.0.1</a> port 32825<br> CUI = "jrccui"<br> Class = 0x6a7263636c617373<br> State = 0x6a72637374617465<br> Framed-MTU = 1400
<br> Framed-IP-Address = <a href="http://1.2.3.4">1.2.3.4</a><br> Service-Type = Framed-User<br> Session-Timeout = 30<br> MS-MPPE-Send-Key = 0x6a72636d736b<br> MS-MPPE-Recv-Key = 0x6a7263726563766d736b
<br> AAA-Session-Id = "jrcmultisessionid"<br> HA-IP-MIP4 = <a href="http://1.1.1.1">1.1.1.1</a><br> DHCPv4-Server = <a href="http://2.2.2.2">2.2.2.2</a><br> MN-HA-MIP4-KEY = "jrcmipkey"
<br> MN-HA-MIP4-SPI = "jrcmipspi"<br> DHCP-RK = "jrcdhcprk"<br> DHCP-RK-KEY-ID = "jrcdhcpkey"<br> DHCP-RK-LIFETIME = "20"<br> EAP-Message = 0x01d300160410e0ccb378852f7a673815379d2f819db1
<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x8343fbb52835fa0fb7fb84cab7f7a0db<br>Finished request 1<br>Going to the next request<br>--- Walking the entire request list ---<br>
Waking up in 6 seconds...<br>rad_recv: Access-Request packet from host <a href="http://127.0.0.1:32825">127.0.0.1:32825</a>, id=61, length=155<br> User-Name = "jrc"<br> User-Password = "jrc"
<br> NAS-Identifier = "jrcnas"<br> NAS-Port-Type = Ethernet<br> CUI = "0"<br> Service-Type = Framed-User<br> Framed-MTU = 1400<br> Calling-Station-Id = "1:1:1:1:1:1"
<br> Message-Authenticator = 0x8dc52d59961b5eb7d8789f7cb4dbea5a<br> State = 0x6a72637374617465<br> State = 0x8343fbb52835fa0fb7fb84cab7f7a0db<br> EAP-Message = 0x02d300160410d3ab9cde585da0c10b343d38433fa0db
<br> Processing the authorize section of radiusd.conf<br>modcall: entering group authorize for request 2<br> modcall[authorize]: module "preprocess" returns ok for request 2<br> modcall[authorize]: module "chap" returns noop for request 2
<br> modcall[authorize]: module "mschap" returns noop for request 2<br> rlm_realm: No <a href="mailto:'@'">'@'</a> in User-Name = "jrc", looking up realm NULL<br> rlm_realm: No such realm "NULL"
<br> modcall[authorize]: module "suffix" returns noop for request 2<br> rlm_eap: EAP packet type response id 211 length 22<br> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<br> modcall[authorize]: module "eap" returns updated for request 2
<br> users: Matched entry DEFAULT at line 152<br> users: Matched entry jrc at line 179<br> modcall[authorize]: module "files" returns ok for request 2<br>modcall: leaving group authorize (returns updated) for request 2
<br> rad_check_password: Found Auth-Type EAP<br>auth: type "EAP"<br> Processing the authenticate section of radiusd.conf<br>modcall: entering group authenticate for request 2<br>rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
<br> rlm_eap: Failed in handler<br> modcall[authenticate]: module "eap" returns invalid for request 2<br>modcall: leaving group authenticate (returns invalid) for request 2<br>auth: Failed to validate the user.
<br>Delaying request 2 for 1 seconds<br>Finished request 2<br>Going to the next request<br>Waking up in 6 seconds...<br>rad_recv: Access-Request packet from host <a href="http://127.0.0.1:32825">127.0.0.1:32825</a>, id=61, length=155
<br>Sending Access-Reject of id 61 to <a href="http://127.0.0.1">127.0.0.1</a> port 32825<br>--------------------------------------------------------------------------------------------------------------------------------
</div>
<div> </div>
<div> </div>
<div> </div>
<div>Thanks & Regards,</div>
<div>Govardhana K N<br> </div>
<div><span class="gmail_quote">On 7/16/07, <b class="gmail_sendername">Gaonkar, Kedar</b> <<a href="mailto:kgaonkar@qualcomm.com">kgaonkar@qualcomm.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Why is the Code field of the EAP message 01? Isn't that a REQUEST message? Please correct me if I am wrong, but I thought the RADIUS server should get a Response packet with Code 2 and Type should be 1 (EAP Resp/Identity packet). May be it didnt get the Identity packet, and hence it cannot verify the Identity.
<br><br>Regards<br>- Kedar Gaonkar<br><br><br>Date: Mon, 16 Jul 2007 15:58:57 +0000 (GMT)<br>From: Eshun Benjamin <<a href="mailto:bkeshun@yahoo.fr">bkeshun@yahoo.fr</a>><br>Subject: Re : How to configure EAP Identity in
1.1.3<br>To: FreeRadius users mailing list<br> <<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>Message-ID: <<a href="mailto:952625.72889.qm@web26009.mail.ukl.yahoo.com">
952625.72889.qm@web26009.mail.ukl.yahoo.com</a>><br>Content-Type: text/plain; charset="iso-8859-1"<br><br>Check on your AP, client.conf and naslist<br><br>==================================================<br>
Benjamin K. Eshun<br><br>----- Message d'origine ----<br>De : Govardhana K N <<a href="mailto:govardhan.nagarajaiah@gmail.com">govardhan.nagarajaiah@gmail.com</a>><br>? : FreeRadius users mailing list <<a href="mailto:freeradius-users@lists.freeradius.org">
freeradius-users@lists.freeradius.org</a>><br>Envoy? le : Lundi, 16 Juillet 2007, 13h28mn 28s<br>Objet : How to configure EAP Identity in 1.1.3<br><br>I changed it but the same error is still coming.<br><br><br>On 7/16/07, Eshun Benjamin <
<a href="mailto:bkeshun@yahoo.fr">bkeshun@yahoo.fr</a>> wrote:<br><br><br>You have misconfigured the Nas-Identifier<br><br>> govardhana Nas-Identifier == nas, Nas-Port-Type == 15<br><br>You have NAS-Identifier = "jrcnas"
<br><br>==================================================<br><br><br>Benjamin K. Eshun<br><br><br><br>----- Message d'origine ----<br>De : Govardhana K N <<br><a href="mailto:govardhan.nagarajaiah@gmail.com">govardhan.nagarajaiah@gmail.com
</a>><br>? : FreeRadius <<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>><br>Envoy? le : Lundi, 16 Juillet 2007, 12h24mn 09s<br>Objet : How to configure EAP Identity in
1.1.3<br><br><br><br>Hi,<br><br><br><br>I was trying to configure FreeRadius server with EAP authentication. AS mentioned in "eap.conf", I didn't change the Auth-Type, but I was sending a EAP message, and Message-Authenticator attributes in Access-Request. When i tried sending an Access-Request with EAP-Message, I got the following error "rlm_eap: Identity Unknown, authentication failed".
<br><br><br><br><br>How to configure the Identity for EAP?<br><br><br><br>debug log from server:<br><br>---------------------------------<br><br>Starting - reading configuration files ...<br>reread_config: reading radiusd.conf
<br>Config: including file: /etc/freeradius/proxy.conf<br>Config: including file: /etc/freeradius/clients.conf<br>Config: including file: /etc/freeradius/snmp.conf<br><br>Config: including file: /etc/freeradius/eap.conf
<br>Config: including file: /etc/freeradius/sql.conf<br>main: prefix = "/usr"<br>main: localstatedir = "/var"<br>main: logdir = "/var/log/freeradius"<br><br>main: libdir = "/usr/lib/freeradius"
<br>main: radacctdir = "/var/log/freeradius/radacct"<br>main: hostname_lookups = no<br>main: max_request_time = 30<br>main: cleanup_delay = 5<br>main: max_requests = 1024<br><br>main: delete_blocked_requests = 0
<br>main: port = 1812<br>main: allow_core_dumps = no<br>main: log_stripped_names = yes<br>main: log_file = "/var/log/freeradius/radius.log"<br>main: log_auth = no<br>main: log_auth_badpass = no<br><br>main: log_auth_goodpass = no
<br>main: pidfile = "/var/run/freeradius/freeradius.pid"<br>main: bind_address =<br><a href="http://127.0.0.1">127.0.0.1</a> IP address [<a href="http://127.0.0.1">127.0.0.1</a>]<br>main: user = "freerad"
<br>main: group = "freerad"<br><br>main: usercollide = no<br>main: lower_user = "no"<br>main: lower_pass = "no"<br>main: nospace_user = "no"<br>main: nospace_pass = "no"<br>
main: checkrad = "/usr/sbin/checkrad"<br><br>main: proxy_requests = no<br>proxy: retry_delay = 5<br>proxy: retry_count = 3<br>proxy: synchronous = no<br>proxy: default_fallback = yes<br>proxy: dead_time = 120<br>
proxy: post_proxy_authorize = no<br>proxy: wake_all_if_all_dead = no<br><br>security: max_attributes = 200<br>security: reject_delay = 1<br>security: status_server = no<br>main: debug_level = 0<br>read_config_files: reading dictionary
<br>read_config_files: reading naslist<br>Using deprecated naslist file. Support for this will go away soon.<br><br>read_config_files: reading clients<br>read_config_files: reading realms<br>radiusd: entering modules setup
<br>Module: Library search path is /usr/lib/freeradius<br>Module: Loaded exec<br>exec: wait = no<br>exec: program = "(null)"<br><br>exec: input_pairs = "request"<br>exec: output_pairs = "(null)"
<br>exec: packet_type = "(null)"<br>Module: Instantiated exec (exec)<br>Module: Loaded expr<br>Module: Instantiated expr (expr)<br><br>Module: Loaded PAP<br>pap: encryption_scheme = "crypt"<br>Module: Instantiated pap (pap)
<br>Module: Loaded CHAP<br>Module: Instantiated chap (chap)<br>Module: Loaded MS-CHAP<br>mschap: use_mppe = yes<br>mschap: require_encryption = no<br><br>mschap: require_strong = no<br>mschap: with_ntdomain_hack = no<br>mschap: passwd = "(null)"
<br>mschap: ntlm_auth = "(null)"<br>Module: Instantiated mschap (mschap)<br>Module: Loaded System<br><br>unix: cache = no<br>unix: passwd = "/etc/passwd"<br>unix: shadow = "/etc/shadow"<br>unix: group = "/etc/group"
<br>unix: radwtmp = "/var/log/freeradius/radwtmp"<br>unix: usegroup = no<br><br>unix: cache_reload = 600<br>Module: Instantiated unix (unix)<br>Module: Loaded eap<br>eap: default_eap_type = "md5"<br>eap: timer_expire = 60
<br>eap: ignore_unknown_eap_types = no<br>eap: cisco_accounting_username_bug = no<br><br>rlm_eap: Loaded and initialized type md5<br>rlm_eap: Loaded and initialized type leap<br>gtc: challenge = "Password: "<br>
gtc: auth_type = "PAP"<br>rlm_eap: Loaded and initialized type gtc<br>mschapv2: with_ntdomain_hack = no<br><br>rlm_eap: Loaded and initialized type mschapv2<br>Module: Instantiated eap (eap)<br>Module: Loaded preprocess
<br>preprocess: huntgroups = "/etc/freeradius/huntgroups"<br>preprocess: hints = "/etc/freeradius/hints"<br><br>preprocess: with_ascend_hack = no<br>preprocess: ascend_channels_per_line = 23<br>preprocess: with_ntdomain_hack = no
<br>preprocess: with_specialix_jetstream_hack = no<br>preprocess: with_cisco_vsa_hack = no<br><br>preprocess: with_alvarion_vsa_hack = no<br>Module: Instantiated preprocess (preprocess)<br>Module: Loaded realm<br>realm: format = "suffix"
<br>realm: delimiter = "@"<br>realm: ignore_default = no<br><br>realm: ignore_null = no<br>Module: Instantiated realm (suffix)<br>Module: Loaded files<br>files: usersfile = "/etc/freeradius/users"<br>files: acctusersfile = "/etc/freeradius/acct_users"
<br>files: preproxy_usersfile = "/etc/freeradius/preproxy_users"<br><br>files: compat = "no"<br>Module: Instantiated files (files)<br>Module: Loaded Acct-Unique-Session-Id<br>acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
<br><br>Module: Instantiated acct_unique (acct_unique)<br>Module: Loaded detail<br>detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br>detail: detailperm = 384<br>detail: dirperm = 493
<br><br>detail: locking = no<br>Module: Instantiated detail (detail)<br>Module: Loaded radutmp<br>radutmp: filename = "/var/log/freeradius/radutmp"<br>radutmp: username = "%{User-Name}"<br>radutmp: case_sensitive = yes
<br><br>radutmp: check_with_nas = yes<br>radutmp: perm = 384<br>radutmp: callerid = yes<br>Module: Instantiated radutmp (radutmp)<br>Listening on authentication<br><a href="http://127.0.0.1:1812">127.0.0.1:1812</a><br>Listening on accounting
<a href="http://127.0.0.1:1813">127.0.0.1:1813</a><br>Ready to process requests.<br>rad_recv: Access-Request packet from host<br><a href="http://127.0.0.1:32813">127.0.0.1:32813</a>, id=179, length=95<br> User-Name = "jrc"
<br> NAS-Identifier = "jrcnas"<br><br> NAS-Port-Type = Ethernet<br> CUI = "0"<br> Service-Type = Framed-User<br> Framed-MTU = 1400<br> Calling-Station-Id = "1:1:1:1:1:1"
<br> EAP-Message = 0x01100008016a7263<br><br> Message-Authenticator = 0x64c5851b699cd2c027877bbb94fe7f8b<br>Processing the authorize section of radiusd.conf<br>modcall: entering group authorize for request 0<br>
modcall[authorize]: module "preprocess" returns ok for request 0<br><br>modcall[authorize]: module "chap" returns noop for request 0<br>modcall[authorize]: module "mschap" returns noop for request 0
<br> rlm_realm: No<br>'@' in User-Name = "jrc", looking up realm NULL<br> rlm_realm: No such realm "NULL"<br>modcall[authorize]: module "suffix" returns noop for request 0<br>rlm_eap: EAP packet type request id 16 length 8
<br><br>rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<br>modcall[authorize]: module "eap" returns updated for request 0<br> users: Matched entry DEFAULT at line 152<br> users: Matched entry jrc at line 178
<br><br>modcall[authorize]: module "files" returns ok for request 0<br>modcall: leaving group authorize (returns updated) for request 0<br>rad_check_password: Found Auth-Type EAP<br>auth: type "EAP"<br>
<br>Processing the authenticate section of radiusd.conf<br>modcall: entering group authenticate for request 0<br>rlm_eap: Identity Unknown, authentication failed<br>rlm_eap: Failed in handler<br>modcall[authenticate]: module "eap" returns invalid for request 0
<br><br>modcall: leaving group authenticate (returns invalid) for request 0<br>auth: Failed to validate the user.<br>Delaying request 0 for 1 seconds<br>Finished request 0<br>Going to the next request<br>--- Walking the entire request list ---
<br><br>Waking up in 1 seconds...<br>--- Walking the entire request list ---<br>Waking up in 1 seconds...<br>--- Walking the entire request list ---<br>Sending Access-Reject of id 179 to<br><a href="http://127.0.0.1">127.0.0.1
</a> port 32813<br>Waking up in 4 seconds...<br>--- Walking the entire request list ---<br>Cleaning up request 0 ID 179 with timestamp 469b9233<br>Nothing to do. Sleeping until we see a request.<br><br><br><br>debug log from Client:
<br><br>-------------------------------------<br><br>cheux301:/home/govardhana# radeapclient -x localhost auth jrcsecret <access-request<br><br>+++> About to send encoded packet:<br> User-Name = "jrc"
<br> NAS-Identifier = "jrcnas"<br> NAS-Port-Type = Ethernet<br> CUI = "0"<br> Service-Type = Framed-User<br><br> Framed-MTU = 1400<br> Calling-Station-Id = "1:1:1:1:1:1"
<br> EAP-Message = 0x01100008016a7263<br> Message-Authenticator = 0x00<br>Sending Access-Request of id 179 to<br><a href="http://127.0.0.1">127.0.0.1</a> port 1812<br> User-Name = "jrc"<br> NAS-Identifier = "jrcnas"
<br> NAS-Port-Type = Ethernet<br> CUI = "0"<br> Service-Type = Framed-User<br> Framed-MTU = 1400<br><br> Calling-Station-Id = "1:1:1:1:1:1"<br> EAP-Message = 0x01100008016a7263
<br> Message-Authenticator = 0x00000000000000000000000000000000<br>rad_recv: Access-Reject packet from host<br><a href="http://127.0.0.1:1812">127.0.0.1:1812</a>, id=179, length=20<br>rlm_eap: EAP-Message not found<br>
<+++ EAP decoded packet:<br><br><br><br><br>Thanks & Regards,<br><br>Govardhana K N<br><br><br><br><br><br><br><br>--<br>With Regards,<br>Govardhana K N<br><br><br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">
http://www.freeradius.org/list/users.html</a><br><br><br><br><br><br><br><br><br><br>Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail<br><br>-<br><br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">
http://www.freeradius.org/list/users.html</a><br><br><br><br><br><br>--<br>With Regards,<br>Govardhana K N<br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html
</a><br><br><br><br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br><br></blockquote></div><br><br clear="all"><br>-- <br>With Regards,
<br>Govardhana K N