First of all, thanks for your help. radiusd.conf - eap section : .... .... eap { default_eap_type = ttls md5 { } mschapv2 { } tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 pem_file_type = yes include_length = yes CA_path = ${db_dir}/certs CA_file = ${db_dir}/certs/rootca.pem certificate_file = ${db_dir}/certs/server.pem private_key_file = ${db_dir}/certs/server-key.pem random_file = ${db_dir}/certs/random dh_file = ${db_dir}/certs/dh check_crl = no verify_depth = 0 cipher_list = "DEFAULT" } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no } peap { default_eap_type = mschapv2 } } ----- users file: the first line reads: testuser Cleartext-Password := "testpw" Reply-Message = "Hello, %{User-Name}" -------- then, i type: eapol_test -c md5.conf -s testing123 ; I'm using md5.conf from here: http://deployingradius.com/scripts/eapol_test/ Find below radiusd -X output: Starting - reading configuration files ... including configuration file ..\etc\raddb/radiusd.conf including configuration file ../etc/raddb/clients.conf including configuration file ../etc/raddb/policy.conf including dictionary file ..\etc\raddb/dictionary main { name = "radiusd" prefix = ".." localstatedir = "../var" sbindir = "../sbin" logdir = "../var/log/radius" run_dir = "../var/run/radiusd" libdir = "../lib" radacctdir = "../var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "../var/run/radiusd/radiusd.pid" checkrad = "../sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 30 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 300 status_check_timeout = 4 } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file ..\etc\raddb/radiusd.conf Module: Linked to module rlm_expr Module: Instantiating module "expr" from file ..\etc\raddb/radiusd.conf } radiusd: #### Loading Virtual Servers #### server { # from file ..\etc\raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file ..\etc\raddb/radiusd.conf Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file ..\etc\raddb/radiusd.conf Module: Linked to module rlm_eap Module: Instantiating module "eap" from file ..\etc\raddb/radiusd.conf Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "auth_log" from file ..\etc\raddb/radiusd.conf Module: Linked to module rlm_files Module: Instantiating module "files" from file ..\etc\raddb/radiusd.conf Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file ..\etc\raddb/radiusd.conf Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file ..\etc\raddb/radiusd.conf } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. # Executing section authorize from file ..\etc\raddb/radiusd.conf +- entering group authorize {...} [auth_log] ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/127.0.0.1/auth-detail-20111017.log ++[auth_log] returns ok [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[mschap] returns noop ++[files] returns noop [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated Found Auth-Type = EAP # Executing group from file ..\etc\raddb/radiusd.conf +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Finished request 0. Going to the next request Waking up in 4.10 seconds. # Executing section authorize from file ..\etc\raddb/radiusd.conf +- entering group authorize {...} [auth_log] ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/127.0.0.1/auth-detail-20111017.log ++[auth_log] returns ok [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++[mschap] returns noop ++[files] returns noop [eap] EAP packet type response id 1 length 216 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/radiusd.conf +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] TLS_accept: SSLv3 read client hello A [ttls] TLS_accept: SSLv3 write server hello A [ttls] TLS_accept: SSLv3 write certificate A [ttls] TLS_accept: SSLv3 write key exchange A [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A [ttls] eaptls_process returned 13 ++[eap] returns handled Finished request 1. Going to the next request Waking up in 4.7 seconds. Waking up in 4.4 seconds. Waking up in 1.4 seconds. Cleaning up request 0 ID 0 with timestamp +27 Waking up in 0.2 seconds. Cleaning up request 1 ID 1 with timestamp +27 Ready to process requests. Ready to process requests. Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 58118, id=0, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0xfe5e2cea30ed69e3ebb5597d9c677bcf Sending Access-Challenge of id 0 to 127.0.0.1 port 58118 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x26b3a7ae26b2b26bc177f1c70c867315 rad_recv: Access-Request packet from host 127.0.0.1 port 58118, id=1, length=346 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100d8150016030100cd010000c903014e9bf235ba7f9efdc193f071e50186c14a010f47a15bd3e3897a7fd552820b8c00005cc014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000 State = 0x26b3a7ae26b2b26bc177f1c70c867315 Message-Authenticator = 0xc51bb1dac6f978b85e3f41a1357b4ca0 Sending Access-Challenge of id 1 to 127.0.0.1 port 58118 EAP-Message = 0x0102040015c000000dc116030100310200002d03014e9bf2356d72da691120cc7a5be6fa242c914777e7a6cddfadb8e39923496e78000039000005ff010001001603010beb0b000be7000be400065f3082065b30820543a003020102020102300d06092a864886f70d01010505003081dd310b3009060355040613024742310f300d060355040813064c6f6e646f6e311430120603550407130b576573746d696e73746572311c301a060355040a13134d617465415220495420536f6c7574696f6e7331173015060355040b130e504b49204465706172746d656e7431223020060355040313195465737420526f6f7420434120284672656552414449 EAP-Message = 0x5553293120301e060355040d13175465737420526f6f744341204365727469666963617465311d301b06092a864886f70d010901160e696e666f406d61746561722e6575310b3009060355040513023031301e170d3131313031363134323735325a170d3132313031353134323735325a3081f2312330210603550403131a554b57494e3230303852322e636f72702e6d61746561722e657531123010060a0992268993f22c64011916024555311d301b06092a864886f70d010901160e696e666f406d61746561722e6575310b3009060355040613024742310f300d060355040813064c6f6e646f6e311430120603550407130b576573746d696e73 EAP-Message = 0x74657231163014060355040b130d4954204465706172746d656e74311630140603550405130d554b4c4f4e444f4e535256303131343032060355040d132b5465737420536572766572204365727469666963617465202850454150202d20467265655241444955532930819f300d06092a864886f70d010101050003818d0030818902818100d0912be92981af2f9ee8e1c827c30b70a9710463fbe052bde41c7a96af52bc770a83daa7bbc286da3beff1f7f71394c806f0214b2b1fae41aafb045efc1e49b5a70082fd2eace9f7c098dbea777b6bd8d6d80c99d42a2a6184f763756838faff97048737f92bdbc41cd803e12ed17cc4cfed295797d6f6 EAP-Message = 0xdb799f5bbc4b53ce810203010001a38202913082028d300f0603551d130101ff04053003020100300e0603551d0f0101ff0404030203f8301d0603551d0e04160414c7c514ad16237701f629bf2c1d18c24c8186188f3082010b0603551d23048201023081ff80148c042872c8603f29a58ac14fdb9a62ff9aadc3faa181e3a481e03081dd310b3009060355040613024742310f300d060355040813064c6f6e646f6e311430120603550407130b576573746d696e73746572311c301a060355040a13134d617465415220495420536f6c7574696f6e7331173015060355040b130e504b49204465706172746d656e7431223020060355040313195465 EAP-Message = 0x737420526f6f742043412028 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x26b3a7ae27b1b26bc177f1c70c867315 ---------- I've tried almost everything. I'd appreciate any pointers/help here. Is there any other tool I could use instead of eapol_test? Thanks again. Sergio.
Date: Mon, 17 Oct 2011 09:30:32 +0100 From: A.L.M.Buxey@lboro.ac.uk To: tim.sylvester@networkradius.com; freeradius-users@lists.freeradius.org CC: sfhacker@hotmail.com Subject: Re: EAP Testing - Newbie
hi,
...please dont send eapol_test output - send the output from radiusd -X
from the log sent it looks like the client isnt get a response from the server (note the 3 default timeouts at the end....)
alan