Hi, I am sending an Access-Request packet using radeapclient without password,** ** I am giving the following attributes in radeapclient:**** User-Name= "testuser"**** EAP-Code = Response**** EAP-Id = 210**** EAP-Type-Identity = " testuser "**** Message-Authenticator = 0x00**** ** ** ** ** But server is sending Access-Reject to the request.**** Following are the logs of radeapclient:**** ** ** User-Name= "testuser"**** EAP-Code = Response**** EAP-Id = 210**** EAP-Type-Identity = "testuser"**** Message-Authenticator = 0x00**** ** ** ** ** +++> About to send encoded packet:**** User-Name = "testuser"**** EAP-Code = Response**** EAP-Id = 210**** EAP-Type-Identity = "testuser"**** Message-Authenticator = 0x00**** <+++ EAP decoded packet:**** EAP-Message = 0x01d3001604107b44069aa80b67319a536bfd4f8ac713**** Message-Authenticator = 0xb4499f3ee54742d9dd8469980720dcf6**** State = 0x8a52e3488a81e7f33f4b54075fcd3936**** EAP-Id = 211**** EAP-Code = Request**** EAP-Type-MD5 = 0x107b44069aa80b67319a536bfd4f8ac713**** ** ** +++> About to send encoded packet:**** User-Name = "testuser"**** EAP-Code = Response**** EAP-Id = 211**** Message-Authenticator = 0x00000000000000000000000000000000**** EAP-Type-MD5 = 0x10d2c45d5e328b2b2db8bd66c7d171635d**** State = 0x8a52e3488a81e7f33f4b54075fcd3936**** <+++ EAP decoded packet:**** EAP-Message = 0x04d30004**** Message-Authenticator = 0xf6f7e2707ef22ea86a660a4ddce7fb30**** EAP-Id = 211**** EAP-Code = Failure**** ** ** On further investigation, i found an example to test eap-md5 in the source code{ freeradius-2.1.8 } in src/tests**** ** ** Example is :**** ** ** echo 'User-Name = "eapmd5"'**** echo 'Cleartext-Password = "md5md5"'**** echo 'NAS-IP-Address = marajade.sandelman.ottawa.on.ca'**** echo 'EAP-Code = Response'**** echo 'EAP-Id = 210'**** echo 'EAP-Type-Identity = "eapsim'**** echo 'Message-Authenticator = 0'**** echo 'NAS-Port = 0' )**** ** ** ** ** But EAP RFC3579 and RFC2869 states that User-Password should not be part of a radius packet containing EAP-Message attribute,**** ** ** **** it written that “An Access-Request that contains either a User-Password or** ** CHAP-Password or ARAP-Password or one or more EAP-Message attributes**** MUST NOT contain more than one type of those four attributes. If it**** does not contain any of those four attributes, it SHOULD contain a**** Message-Authenticator. If any packet type contains an EAP-Message**** attribute it MUST also contain a Message-Authenticator.”**** ** ** ** ** Please let me know if any specific configuration need to be done on the server so that server sends Access-Accept.**** **** ** ** Thanks in advance. Arpit
Arpit Jain wrote:
I am sending an Access-Request packet using radeapclient without password,
Which is allowed.
But server is sending Access-Reject to the request.
Following are the logs of radeapclient:
So... you're trying to debug the server, but looking at what the client is doing. How about instead running the server in debugging mode, as suggested in the FAQ, README, "man" page, web pages, and daily on this list?
But EAP RFC3579 and RFC2869 states that User-Password should not be part of a radius packet containing EAP-Message attribute,
You're debugging the server by reading the RFCs. Is that right?
Please let me know if any specific configuration need to be done on the server so that server sends Access-Accept.
Read the documentation. It's not hard. Read my web site: http://deployingradius.com If it takes you more than 5 minutes to get an Access-Accept, you're not following instructions. Alan DeKok.
participants (2)
-
Alan DeKok -
Arpit Jain