Hi

 

I found out what my problem was.

 

Small error in my XP configuration.

 

Regards,

Torkel

 


Fra: Torkel Mathisen
Sendt: 26. oktober 2005 16:41
Til: 'FreeRadius users mailing list'
Emne: Authentication problems between Cisco Aironet 1100 and freeradius

 

Hi

 

I got some problems getting EAP to work with Cisco Aironet 1100 and Freeradius.

 

I’ve gotten freeradius to work I think and I have configured Cisco Aironet 1100 AP according to Cisco.

(http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml)

(http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c40b6.shtml#NetEAP)

 

When I try to connect too my WLAN with my testuser. (User: testuser, Password: Secret149) it won’t

authenticate.

 

I’ve configured freeradius to use PEAP-MSCHAPv2.

 

Anyone able to help me out?

 

 

Regards,

Torkel

 

This is the log I get when i run radiusd –X:

 

rad_recv: Access-Request packet from host 10.0.0.1:21645, id=65, length=133

        User-Name = "testuser"

        Framed-MTU = 1400

        Called-Station-Id = "000e.8401.cd50"

        Calling-Station-Id = "0011.0a80.41d1"

        Message-Authenticator = 0x194f32c82aa7088f53cdfc8ac8a36151

        EAP-Message = 0x0202000d017465737475736572

        NAS-Port-Type = Wireless-802.11

        NAS-Port = 478

        Service-Type = Framed-User

        NAS-IP-Address = 10.0.0.1

        NAS-Identifier = "testAP"

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 63

  modcall[authorize]: module "preprocess" returns ok for request 63

  modcall[authorize]: module "chap" returns noop for request 63

  modcall[authorize]: module "mschap" returns noop for request 63

    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL

    rlm_realm: No such realm "NULL"

  modcall[authorize]: module "suffix" returns noop for request 63

  rlm_eap: EAP packet type response id 2 length 13

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

  modcall[authorize]: module "eap" returns updated for request 63

    users: Matched entry testuser at line 90

  modcall[authorize]: module "files" returns ok for request 63

modcall: group authorize returns updated for request 63

  rad_check_password:  Found Auth-Type EAP

auth: type "EAP"

  Processing the authenticate section of radiusd.conf

modcall: entering group authenticate for request 63

  rlm_eap: EAP Identity

  rlm_eap: processing type tls

  rlm_eap_tls: Initiate

  rlm_eap_tls: Start returned 1

  modcall[authenticate]: module "eap" returns handled for request 63

modcall: group authenticate returns handled for request 63

Sending Access-Challenge of id 65 to 10.0.0.1:21645

        EAP-Message = 0x010300061920

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x67a4b4a551592fcc14469ef9c70a4601

Finished request 63

Going to the next request

--- Walking the entire request list ---

Waking up in 6 seconds...

rad_recv: Access-Request packet from host 10.0.0.1:21645, id=66, length=218

        User-Name = "testuser"

        Framed-MTU = 1400

        Called-Station-Id = "000e.8401.cd50"

        Calling-Station-Id = "0011.0a80.41d1"

        Message-Authenticator = 0xd5957923efcbfe4c3ee547a066e21d0a

        EAP-Message = 0x0203005019800000004616030100410100003d0301435f8f34c71e673ecee95256802f571c6bfa86eaa89728f7d7f782809ef0f82600001600040005000a000900640062000300060013001200630100

        NAS-Port-Type = Wireless-802.11

        NAS-Port = 478

        State = 0x67a4b4a551592fcc14469ef9c70a4601

        Service-Type = Framed-User

        NAS-IP-Address = 10.0.0.1

        NAS-Identifier = "testAP"

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 64

  modcall[authorize]: module "preprocess" returns ok for request 64

  modcall[authorize]: module "chap" returns noop for request 64

  modcall[authorize]: module "mschap" returns noop for request 64

    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL

    rlm_realm: No such realm "NULL"

  modcall[authorize]: module "suffix" returns noop for request 64

  rlm_eap: EAP packet type response id 3 length 80

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

  modcall[authorize]: module "eap" returns updated for request 64

    users: Matched entry testuser at line 90

  modcall[authorize]: module "files" returns ok for request 64

modcall: group authorize returns updated for request 64

  rad_check_password:  Found Auth-Type EAP

auth: type "EAP"

  Processing the authenticate section of radiusd.conf

modcall: entering group authenticate for request 64

  rlm_eap: Request found, released from the list

  rlm_eap: EAP/peap

  rlm_eap: processing type peap

  rlm_eap_peap: Authenticate

  rlm_eap_tls: processing TLS

rlm_eap_tls:  Length Included

  eaptls_verify returned 11

    (other): before/accept initialization

    TLS_accept: before/accept initialization

  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello

    TLS_accept: SSLv3 read client hello A

  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello

    TLS_accept: SSLv3 write server hello A

  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0654], Certificate

    TLS_accept: SSLv3 write certificate A

  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone

    TLS_accept: SSLv3 write server done A

    TLS_accept: SSLv3 flush data

    TLS_accept:error in SSLv3 read client certificate A

In SSL Handshake Phase

In SSL Accept mode

  eaptls_process returned 13

  rlm_eap_peap: EAPTLS_HANDLED

  modcall[authenticate]: module "eap" returns handled for request 64

modcall: group authenticate returns handled for request 64

Sending Access-Challenge of id 66 to 10.0.0.1:21645

        EAP-Message = 0x0104040a19c0000006b1160301004a020000460301435f8f1b11c01e5389f06ab782154f3759e70cc9bb2b320d320ab9c656d33f6e205816b685a712ff840d91baa1dbf8b9c0ec209492aecf22425643fafe1541596d00040016030106540b00065000064d0002b3308202af30820218a003020102020900b646b246bff02a86300d06092a864886f70d010104050030818d310b3009060355040613024e4f310d300b060355040813044f534c4f310d300b060355040713044f534c4f310f300d060355040a130642425320415331133011060355040b130a66726565726164697573311b301906035504031312436c69656e74206365727469666963

        EAP-Message = 0x617465311d301b06092a864886f70d010901160e726f6f74406c6f63616c686f7374301e170d3035313032363132333432385a170d3036313032363132333432385a30818b310b3009060355040613024e4f310d300b060355040813044f534c4f310d300b060355040713044f534c4f310f300d060355040a130642425320415331133011060355040b130a667265657261646975733119301706035504031310526f6f74206365727469666963617465311d301b06092a864886f70d010901160e726f6f74406c6f63616c686f737430819f300d06092a864886f70d010101050003818d0030818902818100eead5285b5e9f7b939a2dfc1b7fef60a

        EAP-Message = 0xbd055de0ba27b2ef81244e0eabad60241727ff5fc724f36147d08ea5f9e3f0110dfb5a2397c3906a00ab8eb28509e4a672b2c948c0b8007785f550b3908c2f49d7a113d6e7198d9606e567fc38be816fb2acf60f18bfe56d0617ff7e651439ce9c8ed40363b5b1e4d0d96f59a468a6650203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000381810050aa5f1713a5025d21f128094104579eb85a9ded57072baf72b2c0e3fbea766eb53c62e9bc2a5d1bc22f2615cc1fe88487e2d0b7e5eaa045a8ae1734a85f28e6cd70d3340c2a51bfe7b974c13b9a1a4abebe373312d1d4b987e32368

        EAP-Message = 0x1edad7e4a54456fd7989e901485e9f2fcf7e8ed8e57fae97fb2fdd1fba5a50c683b7da7f00039430820390308202f9a003020102020900b646b246bff02a84300d06092a864886f70d010104050030818d310b3009060355040613024e4f310d300b060355040813044f534c4f310d300b060355040713044f534c4f310f300d060355040a130642425320415331133011060355040b130a66726565726164697573311b301906035504031312436c69656e74206365727469666963617465311d301b06092a864886f70d010901160e726f6f74406c6f63616c686f7374301e170d3035313032363132333432335a170d303731303236313233343233

        EAP-Message = 0x5a30818d310b3009060355040613024e4f310d300b06

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0xd8223ab2cc29f1f3ad13843d71797409

Finished request 64

Going to the next request

Waking up in 6 seconds...

rad_recv: Access-Request packet from host 10.0.0.1:21645, id=67, length=144

        User-Name = "testuser"

        Framed-MTU = 1400

        Called-Station-Id = "000e.8401.cd50"

        Calling-Station-Id = "0011.0a80.41d1"

        Message-Authenticator = 0xcc2b18df4d9f3ad232f1d712d0fefa45

        EAP-Message = 0x020400061900

        NAS-Port-Type = Wireless-802.11

        NAS-Port = 478

        State = 0xd8223ab2cc29f1f3ad13843d71797409

        Service-Type = Framed-User

        NAS-IP-Address = 10.0.0.1

        NAS-Identifier = "testAP"

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 65

  modcall[authorize]: module "preprocess" returns ok for request 65

  modcall[authorize]: module "chap" returns noop for request 65

  modcall[authorize]: module "mschap" returns noop for request 65

    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL

    rlm_realm: No such realm "NULL"

  modcall[authorize]: module "suffix" returns noop for request 65

  rlm_eap: EAP packet type response id 4 length 6

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

  modcall[authorize]: module "eap" returns updated for request 65

    users: Matched entry testuser at line 90

  modcall[authorize]: module "files" returns ok for request 65

modcall: group authorize returns updated for request 65

  rad_check_password:  Found Auth-Type EAP

auth: type "EAP"

  Processing the authenticate section of radiusd.conf

modcall: entering group authenticate for request 65

  rlm_eap: Request found, released from the list

  rlm_eap: EAP/peap

  rlm_eap: processing type peap

  rlm_eap_peap: Authenticate

  rlm_eap_tls: processing TLS

rlm_eap_tls: Received EAP-TLS ACK message

  rlm_eap_tls: ack handshake fragment handler

  eaptls_verify returned 1

  eaptls_process returned 13

  rlm_eap_peap: EAPTLS_HANDLED

  modcall[authenticate]: module "eap" returns handled for request 65

modcall: group authenticate returns handled for request 65

Sending Access-Challenge of id 67 to 10.0.0.1:21645

        EAP-Message = 0x010502b719000355040813044f534c4f310d300b060355040713044f534c4f310f300d060355040a130642425320415331133011060355040b130a66726565726164697573311b301906035504031312436c69656e74206365727469666963617465311d301b06092a864886f70d010901160e726f6f74406c6f63616c686f737430819f300d06092a864886f70d010101050003818d0030818902818100bb9dc7f9a6b879ddde091ded35f3137693d1a9fa9d2e2f1e20e1e49c9daf077fd1c4066e8e409eda68baac046ff390baedad93e603fdde73046df106c9c3775eb0e024a2682faf6469e778758b9c782a11ad0dcc25edca8f9efdee96ccc1bc

        EAP-Message = 0x84850d853d4435da9ab22ec6c3dc4e6d9137e0ec36d705c923055aa8b900d833350203010001a381f53081f2301d0603551d0e04160414227f0709429785a3169b9817627cd456d617f2283081c20603551d230481ba3081b78014227f0709429785a3169b9817627cd456d617f228a18193a4819030818d310b3009060355040613024e4f310d300b060355040813044f534c4f310d300b060355040713044f534c4f310f300d060355040a130642425320415331133011060355040b130a66726565726164697573311b301906035504031312436c69656e74206365727469666963617465311d301b06092a864886f70d010901160e726f6f74406c

        EAP-Message = 0x6f63616c686f7374820900b646b246bff02a84300c0603551d13040530030101ff300d06092a864886f70d0101040500038181001fb7ec3488fd3b6349d6cc33b5c6451ce1c2e8ef8db6f4818cd017991f9649141c1767553c20303e262fec4bb351cda19b403bab78aa37236ffc78dace1a39089ff037eb911a5133bc6b1f0275cc9e68bc4c8f487a4d2cdc8e706134e512d7e715ca81c5a7bb6cc668ca8181e898befeab40773de8f3eb6629ecd2c79d5f74f116030100040e000000

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x6a28407c14613e4bb49a5c41aab60bfd

Finished request 65

Going to the next request

Waking up in 6 seconds...

rad_recv: Access-Request packet from host 10.0.0.1:21645, id=68, length=144

        User-Name = "testuser"

        Framed-MTU = 1400

        Called-Station-Id = "000e.8401.cd50"

        Calling-Station-Id = "0011.0a80.41d1"

        Message-Authenticator = 0x9a39ada2dab238ef570b8dc1dd3f3b6c

        EAP-Message = 0x020500061900

        NAS-Port-Type = Wireless-802.11

        NAS-Port = 478

        State = 0x6a28407c14613e4bb49a5c41aab60bfd

        Service-Type = Framed-User

        NAS-IP-Address = 10.0.0.1

        NAS-Identifier = "testAP"

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 66

  modcall[authorize]: module "preprocess" returns ok for request 66

  modcall[authorize]: module "chap" returns noop for request 66

  modcall[authorize]: module "mschap" returns noop for request 66

    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL

    rlm_realm: No such realm "NULL"

  modcall[authorize]: module "suffix" returns noop for request 66

  rlm_eap: EAP packet type response id 5 length 6

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

  modcall[authorize]: module "eap" returns updated for request 66

    users: Matched entry testuser at line 90

  modcall[authorize]: module "files" returns ok for request 66

modcall: group authorize returns updated for request 66

  rad_check_password:  Found Auth-Type EAP

auth: type "EAP"

  Processing the authenticate section of radiusd.conf

modcall: entering group authenticate for request 66

  rlm_eap: Request found, released from the list

  rlm_eap: EAP/peap

  rlm_eap: processing type peap

  rlm_eap_peap: Authenticate

  rlm_eap_tls: processing TLS

rlm_eap_tls: Received EAP-TLS ACK message

  rlm_eap_tls: ack handshake fragment handler

  eaptls_verify returned 1

  eaptls_process returned 13

  rlm_eap_peap: EAPTLS_HANDLED

  modcall[authenticate]: module "eap" returns handled for request 66

modcall: group authenticate returns handled for request 66

Sending Access-Challenge of id 68 to 10.0.0.1:21645

        EAP-Message = 0x010600061900

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x029cb84784a586178ecaa439ab2c98ab

Finished request 66

Going to the next request

Waking up in 6 seconds...

--- Walking the entire request list ---

Cleaning up request 63 ID 65 with timestamp 435f8f1b

Cleaning up request 64 ID 66 with timestamp 435f8f1b

Cleaning up request 65 ID 67 with timestamp 435f8f1b

Cleaning up request 66 ID 68 with timestamp 435f8f1b

Nothing to do.  Sleeping until we see a request.