playing with eap2 - access-challenge instead of access-accept
I am playing with eap2 module using libeap.so from the hostapd 0.7.3 stable ( plus Makefile modifications ). I have got it to a stage where it can be instantiated - despite a few other off topic issues. But when I put that 'eap2' in place of 'eap' in the authentication section, nothing happens, eap2 module is not invoked. So I changed it to :- Auth-Type eap { eap2 } The module is then invoked. But I am still not coming close to being able get it to authenticate, because when I tested the simplest case of eap md5, this is what I got from radius debug :- Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group eap {...} CTRL-EVENT-EAP-STARTED 00:00:00:00:00:00 CTRL-EVENT-EAP-PROPOSED-METHOD method=1 CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 ==> Request ++[eap2] returns handled Sending Access-Challenge of id 250 to 127.0.0.1 port 52414 EAP-Message = 0x01d300061920 State = 0xe3c425eb267c641f82d999e1c9808ce1 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 0. Verses this is what I get if I use 'eap' module :- [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 160 to 127.0.0.1 port 50702 EAP-Message = 0x03d30004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "eapmd5" Finished request 1. Seems eap2 is always returning access-challenge while eap is able to complete with access-accept. Is it that the rlm_eap2.c source needs further modifications ? Best regards.
Ming-Ching Tiew wrote:
I am playing with eap2 module using libeap.so from the hostapd 0.7.3 stable ( plus Makefile modifications ). I have got it to a stage where it can be instantiated - despite a few other off topic issues. But when I put that 'eap2' in place of 'eap' in the authentication section, nothing happens, eap2 module is not invoked. So I changed it to :-
Auth-Type eap { eap2 }
The module is then invoked. But I am still not coming close to being able get it to authenticate, because when I tested the simplest case of eap md5, this is what I got from radius debug :-
I haven't used that module in years...
Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group eap {...} CTRL-EVENT-EAP-STARTED 00:00:00:00:00:00 CTRL-EVENT-EAP-PROPOSED-METHOD method=1 CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 ==> Request ++[eap2] returns handled Sending Access-Challenge of id 250 to 127.0.0.1 port 52414 EAP-Message = 0x01d300061920 State = 0xe3c425eb267c641f82d999e1c9808ce1 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 0.
That's PEAP.
Verses this is what I get if I use 'eap' module :-
[eap] Request found, released from the list [eap] EAP/md5
Which is different..
Seems eap2 is always returning access-challenge while eap is able to complete with access-accept. Is it that the rlm_eap2.c source needs further modifications ?
See the FAQ. If the server sends an Access-Challenge and nothing happens... it's because the client (or EAP supplicant) has given up. Don't blame FreeRADIUS. Alan DeKok.
--- On Sat, 9/10/11, Alan DeKok <aland@deployingradius.com> wrote:
Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group eap {...} CTRL-EVENT-EAP-STARTED 00:00:00:00:00:00 CTRL-EVENT-EAP-PROPOSED-METHOD method=1 CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 ==> Request ++[eap2] returns handled Sending Access-Challenge of id 250 to 127.0.0.1 port 52414 EAP-Message = 0x01d300061920 State = 0xe3c425eb267c641f82d999e1c9808ce1 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 0.
That's PEAP.
Thanks for the useful pointer. It's working now.
participants (2)
-
Alan DeKok -
Ming-Ching Tiew