Adam Tauno Williams <E-mail Protected> wrote:
I'm trying to setup RADIUS/WPA authentication using PEAP as described in - http://www.ibiblio.org/pub/Linux/docs/HOWTO/8021X-HOWTO - but I never seem to get past the "Sending Access-Challenge" after I enter my username and password on the client. User is simply an entry in the users file with a clear text password. I've gone over the config several times, but nothing jumps out at me as an error message. Alan DeKok wrote: The problem most likely is that the AP isn't seeing the response, or it isn't liking the response. Check the IP addresses that the packet use, via "tcpdump".
Okay, I've etherealled the connection and I see an "Access-Request" from the WAP to the RADIUS server, then an "Access-Challenge" from the RADIUS serve to the WAP, and nothing else. What should the WAP's response to an "Access-Challenge" response be? The WAP is 192.168.1.42 and the RADIUS server is 192.168.1.47 No. Time Source Destination Protocol Info 8 0.839425 192.168.1.42 192.168.1.47 RADIUS Access-Request(1) (id=26, l=133) Frame 8 (175 bytes on wire, 175 bytes captured) Ethernet II, Src: noor.morrison.iserv.net (00:0f:3d:43:6a:3c), Dst: tor.morrison.iserv.net (00:0d:60:0f:fd:4a) Internet Protocol, Src: 192.168.1.42 (192.168.1.42), Dst: 192.168.1.47 (192.168.1.47) User Datagram Protocol, Src Port: groove-dpp (1211), Dst Port: radius (1812) Radius Protocol Code: Access-Request (1) Packet identifier: 0x1a (26) Length: 133 Authenticator: 14E77EEE7405E31F02AB6A803EB478A1 Attribute Value Pairs AVP: l=10 t=User-Name(1): awilliam AVP: l=6 t=NAS-IP-Address(4): 192.168.1.42 AVP: l=6 t=NAS-Port(5): 0 AVP: l=19 t=Called-Station-Id(30): 00-0F-3D-43-6A-3C AVP: l=19 t=Calling-Station-Id(31): 00-14-A5-30-BC-27 AVP: l=8 t=NAS-Identifier(32): wap001 AVP: l=6 t=Framed-MTU(12): 1380 AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19) AVP: l=15 t=EAP-Message(79) Last Segment[1] Length: 13 EAP fragment Extensible Authentication Protocol Code: Response (2) Id: 1 Length: 13 Type: Identity [RFC3748] (1) Identity (8 bytes): awilliam AVP: l=18 t=Message-Authenticator(80): 92C34CC691D9BC0D5B49F180B2F4EA59 Length: 16 Message-Authenticator: 92C34CC691D9BC0D5B49F180B2F4EA59 No. Time Source Destination Protocol Info 15 0.842887 192.168.1.47 192.168.1.42 RADIUS Access-challenge(11) (id=26, l=83) Frame 15 (125 bytes on wire, 125 bytes captured) Ethernet II, Src: tor.morrison.iserv.net (00:0d:60:0f:fd:4a), Dst: noor.morrison.iserv.net (00:0f:3d:43:6a:3c) Internet Protocol, Src: 192.168.1.47 (192.168.1.47), Dst: 192.168.1.42 (192.168.1.42) User Datagram Protocol, Src Port: radius (1812), Dst Port: groove-dpp (1211) Radius Protocol Code: Access-challenge (11) Packet identifier: 0x1a (26) Length: 83 Authenticator: DE3DC989610D986213D85EF526EA47BD Attribute Value Pairs AVP: l=19 t=Reply-Message(18): EAPTEST Hello, %u Length: 17 Reply-Message: EAPTEST Hello, %u AVP: l=8 t=EAP-Message(79) Last Segment[1] Length: 6 EAP fragment Extensible Authentication Protocol Code: Request (1) Id: 2 Length: 6 Type: PEAP [Palekar] (25) Flags(0x20): Start PEAP version 0 AVP: l=18 t=Message-Authenticator(80): 36719CCCEE09502EA6C644C5EEC62B87 Length: 16 Message-Authenticator: 36719CCCEE09502EA6C644C5EEC62B87 AVP: l=18 t=State(24): 4CA90CA7DE0086900AEB2E8BB35E773A Length: 16 State: 4CA90CA7DE0086900AEB2E8BB35E773A No. Time Source Destination Protocol Info 16 0.879314 192.168.1.42 192.168.1.47 RADIUS Access-Request(1) (id=27, l=218) Frame 16 (260 bytes on wire, 260 bytes captured) Ethernet II, Src: noor.morrison.iserv.net (00:0f:3d:43:6a:3c), Dst: tor.morrison.iserv.net (00:0d:60:0f:fd:4a) Internet Protocol, Src: 192.168.1.42 (192.168.1.42), Dst: 192.168.1.47 (192.168.1.47) User Datagram Protocol, Src Port: groove-dpp (1211), Dst Port: radius (1812) Radius Protocol Code: Access-Request (1) Packet identifier: 0x1b (27) Length: 218 Authenticator: FBD53DBF46F4F69697F2427EDE5176A3 Attribute Value Pairs AVP: l=10 t=User-Name(1): awilliam AVP: l=6 t=NAS-IP-Address(4): 192.168.1.42 AVP: l=6 t=NAS-Port(5): 0 AVP: l=19 t=Called-Station-Id(30): 00-0F-3D-43-6A-3C AVP: l=19 t=Calling-Station-Id(31): 00-14-A5-30-BC-27 AVP: l=8 t=NAS-Identifier(32): wap001 AVP: l=6 t=Framed-MTU(12): 1380 AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19) AVP: l=82 t=EAP-Message(79) Last Segment[1] Length: 80 EAP fragment Extensible Authentication Protocol Code: Response (2) Id: 2 Length: 80 Type: PEAP [Palekar] (25) Flags(0x80): Length PEAP version 0 Length: 70 Secure Socket Layer AVP: l=18 t=State(24): 4CA90CA7DE0086900AEB2E8BB35E773A Length: 16 State: 4CA90CA7DE0086900AEB2E8BB35E773A AVP: l=18 t=Message-Authenticator(80): DF3CCA452EF2AF5D0CAA8EB46534127D Length: 16 Message-Authenticator: DF3CCA452EF2AF5D0CAA8EB46534127D No. Time Source Destination Protocol Info 23 0.885616 192.168.1.47 192.168.1.42 RADIUS Access-challenge(11) (id=27, l=1119) Frame 23 (1161 bytes on wire, 1161 bytes captured) Ethernet II, Src: tor.morrison.iserv.net (00:0d:60:0f:fd:4a), Dst: noor.morrison.iserv.net (00:0f:3d:43:6a:3c) Internet Protocol, Src: 192.168.1.47 (192.168.1.47), Dst: 192.168.1.42 (192.168.1.42) User Datagram Protocol, Src Port: radius (1812), Dst Port: groove-dpp (1211) Radius Protocol Code: Access-challenge (11) Packet identifier: 0x1b (27) Length: 1119 Authenticator: 51DB666236DA04D0B72A4E99FAE73956 Attribute Value Pairs AVP: l=19 t=Reply-Message(18): EAPTEST Hello, %u Length: 17 Reply-Message: EAPTEST Hello, %u AVP: l=255 t=EAP-Message(79) Segment[1] AVP: l=255 t=EAP-Message(79) Segment[2] AVP: l=255 t=EAP-Message(79) Segment[3] AVP: l=255 t=EAP-Message(79) Segment[4] AVP: l=24 t=EAP-Message(79) Last Segment[5] Length: 22 EAP fragment Extensible Authentication Protocol Code: Request (1) Id: 3 Length: 1034 Type: PEAP [Palekar] (25) Flags(0xC0): Length More PEAP version 0 Length: 3974 EAP-TLS Fragments (3974 bytes): #23(1024), #35(1024), #46(1024), #54(902) Secure Socket Layer AVP: l=18 t=Message-Authenticator(80): F4814C72EEE61CD5CEFC53B36B267D4C Length: 16 Message-Authenticator: F4814C72EEE61CD5CEFC53B36B267D4C AVP: l=18 t=State(24): D338F7D46B55BA06D75A99DAB2F12D57 Length: 16 State: D338F7D46B55BA06D75A99DAB2F12D57 No. Time Source Destination Protocol Info 27 2.062088 192.168.1.42 192.168.1.47 RADIUS Access-Request(1) (id=28, l=144) Frame 27 (186 bytes on wire, 186 bytes captured) Ethernet II, Src: noor.morrison.iserv.net (00:0f:3d:43:6a:3c), Dst: tor.morrison.iserv.net (00:0d:60:0f:fd:4a) Internet Protocol, Src: 192.168.1.42 (192.168.1.42), Dst: 192.168.1.47 (192.168.1.47) User Datagram Protocol, Src Port: groove-dpp (1211), Dst Port: radius (1812) Radius Protocol Code: Access-Request (1) Packet identifier: 0x1c (28) Length: 144 Authenticator: 77439BFA74CDEE8C8B73E043554916F0 Attribute Value Pairs AVP: l=10 t=User-Name(1): awilliam AVP: l=6 t=NAS-IP-Address(4): 192.168.1.42 AVP: l=6 t=NAS-Port(5): 0 AVP: l=19 t=Called-Station-Id(30): 00-0F-3D-43-6A-3C AVP: l=19 t=Calling-Station-Id(31): 00-14-A5-30-BC-27 AVP: l=8 t=NAS-Identifier(32): wap001 AVP: l=6 t=Framed-MTU(12): 1380 AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19) AVP: l=8 t=EAP-Message(79) Last Segment[1] Length: 6 EAP fragment Extensible Authentication Protocol Code: Response (2) Id: 3 Length: 6 Type: PEAP [Palekar] (25) Flags(0x0): PEAP version 0 AVP: l=18 t=State(24): D338F7D46B55BA06D75A99DAB2F12D57 Length: 16 State: D338F7D46B55BA06D75A99DAB2F12D57 AVP: l=18 t=Message-Authenticator(80): 7A8DCF047F1B584608FE71A8EAB584AC Length: 16 Message-Authenticator: 7A8DCF047F1B584608FE71A8EAB584AC No. Time Source Destination Protocol Info 35 2.068415 192.168.1.47 192.168.1.42 RADIUS Access-challenge(11) (id=28, l=1115) Frame 35 (1157 bytes on wire, 1157 bytes captured) Ethernet II, Src: tor.morrison.iserv.net (00:0d:60:0f:fd:4a), Dst: noor.morrison.iserv.net (00:0f:3d:43:6a:3c) Internet Protocol, Src: 192.168.1.47 (192.168.1.47), Dst: 192.168.1.42 (192.168.1.42) User Datagram Protocol, Src Port: radius (1812), Dst Port: groove-dpp (1211) Radius Protocol Code: Access-challenge (11) Packet identifier: 0x1c (28) Length: 1115 Authenticator: 2A5E1665347BA87046D857CAB331686F Attribute Value Pairs AVP: l=19 t=Reply-Message(18): EAPTEST Hello, %u Length: 17 Reply-Message: EAPTEST Hello, %u AVP: l=255 t=EAP-Message(79) Segment[1] AVP: l=255 t=EAP-Message(79) Segment[2] AVP: l=255 t=EAP-Message(79) Segment[3] AVP: l=255 t=EAP-Message(79) Segment[4] AVP: l=20 t=EAP-Message(79) Last Segment[5] Length: 18 EAP fragment Extensible Authentication Protocol Code: Request (1) Id: 4 Length: 1030 Type: PEAP [Palekar] (25) Flags(0x40): More PEAP version 0 EAP-TLS Fragments (3974 bytes): #23(1024), #35(1024), #46(1024), #54(902) Secure Socket Layer AVP: l=18 t=Message-Authenticator(80): 755BE6D63AA6F48DC661705F2EE3A5AD Length: 16 Message-Authenticator: 755BE6D63AA6F48DC661705F2EE3A5AD AVP: l=18 t=State(24): 6A14161A7B2A4D2A2B0EED6451D7555F Length: 16 State: 6A14161A7B2A4D2A2B0EED6451D7555F -- Adam Tauno Williams - http://www.whitemice.org