hi J Zakhar wrote:
Having some trouble setting up PEAP with a windows XP workstation, a Cisco 350 AP (upgraded to IOS version 12.2), I am using the default XP Client to set things up. Many moons ago I had LEAP working great, the hard drive on this linux machine failed and it was time to reinstall. Not sure why i'm having such trouble with this.
Mousing over the icon in my task bar Status: Validating Identity is all it ever says while trying to associate. I do however get prompted for my user name and password. Any advice/help would be much appreciated.
unfortunately, imho Windows XP prompts for those before it starts the exchanges. from your log it seems that there is no error on the Freeradius side. FR sends out the Challenge, but the second message from the client (id = 36) looks to me as a repeat of the original Request (id 35). the contents of the EAP-Message are the same. thus it seems that your Windows client is not answering the challenge. Or the access point does not relay the challenge to the Windows client. difficult to say more from what you've given so far. you could try the following: - are you sure that you posted the complete log? - if yes, deactivate Server Validation in the Windows XP PEAP client (only for testing, activate it later) and re-start. see if the authentication gets to a further point. - if that does not change anything, take a look at the Ken Rosner's TLS FAQ (see www.freeradius.org). he describes how you activate EAP debug on Cisco 350 APs. log in into your cisco, activate the EAP Debug level 2 and see what happens - if it relays messages to the user machine. ciao artur
./radiusd -A -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/freeradius/etc/raddb/proxy.conf Config: including file: /usr/local/freeradius/etc/raddb/clients.conf Config: including file: /usr/local/freeradius/etc/raddb/snmp.conf Config: including file: /usr/local/freeradius/etc/raddb/eap.conf Config: including file: /usr/local/freeradius/etc/raddb/sql.conf main: prefix = "/usr/local/freeradius" main: localstatedir = "/usr/local/freeradius/var" main: logdir = "/usr/local/freeradius/var/log/radius" main: libdir = "/usr/local/freeradius/lib" main: radacctdir = "/usr/local/freeradius/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/freeradius/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/freeradius/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/freeradius/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/freeradius/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/freeradius/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = yes rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/freeradius/etc/raddb/certs/cert- srv.pem" tls: certificate_file = "/usr/local/freeradius/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/freeradius/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/freeradius/etc/raddb/certs/dh" tls: random_file = "/usr/local/freeradius/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/freeradius/etc/raddb/huntgroups" preprocess: hints = "/usr/local/freeradius/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/freeradius/etc/raddb/users" files: acctusersfile = "/usr/local/freeradius/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/freeradius/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/freeradius/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 172.28.42.253:21646 <http://172.28.42.253:21646/>, id=35, length=132 User-Name = "jzakhar" Framed-MTU = 1400 Called-Station-Id = "0040.9647.f2d6" Calling-Station-Id = "000e.9b2e.179a" Message-Authenticator = 0x657f7e3dee2731c4e91f25c395ef47d7 EAP-Message = 0x0202000c016a7a616b686172 NAS-Port-Type = Wireless-802.11 NAS-Port = 312 Service-Type = Framed-User NAS-IP-Address = 172.28.42.253 <http://172.28.42.253/> NAS-Identifier = "apcisco" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' <mailto:'@'> in User-Name = "jzakhar", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched jzakhar at 53 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 35 to 172.28.42.253:21646 <http://172.28.42.253:21646/> EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf730c83b331f347cf002f96adbba538e Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.28.42.253:21646 <http://172.28.42.253:21646/>, id=35, length=132 Sending duplicate reply to client EAP:21646 - ID: 35 Re-sending Access-Challenge of id 35 to 172.28.42.253:21646 <http://172.28.42.253:21646/> --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 35 with timestamp 4315dbd4 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 172.28.42.253:21646 <http://172.28.42.253:21646/>, id=36, length=132 User-Name = "jzakhar" Framed-MTU = 1400 Called-Station-Id = "0040.9647.f2d6" Calling-Station-Id = "000e.9b2e.179a" Message-Authenticator = 0x843b8ca357e3281d250307dff3caa9e6 EAP-Message = 0x0202000c016a7a616b686172 NAS-Port-Type = Wireless-802.11 NAS-Port = 313 Service-Type = Framed-User NAS-IP-Address = 172.28.42.253 <http://172.28.42.253/> NAS-Identifier = "apcisco" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' <mailto:'@'> in User-Name = "jzakhar", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched jzakhar at 53 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 36 to 172.28.42.253:21646 <http://172.28.42.253:21646/> EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x479ac19253ee20dc4d21810846227fc5 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds...
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html