freeradius-1.0.4 and MAC address authentication w/ win xp supplicant
I am running freeradius-1.0.4 on SLES10, XP supplicant and Cisco Aironet 1200 AP. My goal is to authenticate against the "users" file and use WEP with eap-tls. I am trying to support Windows CE, and PEAP is not an option. users: 0213dec2114a Auth-Type:=Accept Service-Type = Framed-User, Tunnel-Private-Group-ID := 116, Tunnel-Medium-Type := IEEE-802 eap.conf: eap { default_eap_type = tls tls { private_key_password = secret private_key_file = ${raddbdir}/certs/private/radius.key certificate_file = /etc/raddb/certs/radius.crt # Trusted Root CA list CA_file = /etc/raddb/certs/CA.crt dh_file = ${raddbdir}/certs/dh random_file = /etc/raddb/certs/random fragment_size = 1024 include_length = yes } } radiusd.conf: authorize { auth_log files eap } authenticate { eap } I have uploaded both the CA andd certificate file to the supplicant, as trusted certificates. For some reason, I continue to see the balloon from windows indicating that a valid certificate could not be found for comparison. I have followed the PDF instructions found in EAPTLS.pdf. Here is a sample of my radiusd -X -s logs: rad_recv: Access-Request packet from host 192.168.214.99:1645, id=39, length=115 User-Name = "0213dec2114a" User-Password = "Qp\203e\206%\010`\256\243\203u;\362\321\017" Called-Station-Id = "0014.6a73.6110" Calling-Station-Id = "0213.dec2.114a" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 551 NAS-IP-Address = 192.168.214.99 NAS-Identifier = "AP-99" rad_rmspace_pair: User-Password now 'Qp?d?%?`?u;?' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 radius_xlat: '/var/log/radius/radius-MAC/radacct/auth-detail-20070829' rlm_detail: /var/log/radius/radius-MAC/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radius-MAC/radacct//auth-detail-20070829 modcall[authorize]: module "auth_log" returns ok for request 2 users: Matched entry 0213dec2114a at line 38 modcall[authorize]: module "files" returns ok for request 2 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 2 modcall: group authorize returns ok for request 2 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 2 radius_xlat: '/var/log/radius/radius-MAC/radacct/reply-detail-20070829' rlm_detail: /var/log/radius/radius-MAC/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radius-MAC/radacct/reply-detail-20070829 modcall[post-auth]: module "reply_log" returns ok for request 2 modcall: group post-auth returns ok for request 2 Sending Access-Accept of id 39 to 192.168.214.99:1645 Service-Type = Framed-User Tunnel-Private-Group-Id:0 := "116" Tunnel-Medium-Type:0 := IEEE-802 Finished request 2 Going to the next request --- Walking the entire request list --- ...this transaction is repeated over and over and over again. I have also tried commenting out all instances of "eap" from radiusd.conf, hoping to do non-wep mac address authentication, as a list effort. I then remove WEP support from the supplicant and Cisco AP. While freeradius reports "access-accept", the supplicant hangs on obtaining an ip address (with no related logs shown on my dhcp server) and the cisco AP reports "GMT: %DOT11-7-AUTH_FAILED: Station 0213.dec2.114a Authentication failed" --johnk
On Wed, 2007-08-29 at 11:41 -0500, John C. Koen wrote:
I am running freeradius-1.0.4 on SLES10, XP supplicant and Cisco Aironet 1200 AP.
My goal is to authenticate against the "users" file and use WEP with eap-tls. I am trying to support Windows CE, and PEAP is not an option.
There's so much wrong I don't know where to begin.
users: 0213dec2114a Auth-Type:=Accept Service-Type = Framed-User, Tunnel-Private-Group-ID := 116, Tunnel-Medium-Type := IEEE-802
This looks like a mac-address-based authentication, not EAP. You can't force Auth-Type to Accept for EAP. EAP is a challenge-response protocol, and the server needs to do it's thing for the client to function. Remove the Auth-Type if you're trying to do EAP. Please also be aware that most NASes will require the "Tunnel-Type = VLAN" reply attribute for VLAN assignment.
eap.conf: eap { default_eap_type = tls tls { private_key_password = secret private_key_file = ${raddbdir}/certs/private/radius.key certificate_file = /etc/raddb/certs/radius.crt
# Trusted Root CA list CA_file = /etc/raddb/certs/CA.crt
dh_file = ${raddbdir}/certs/dh random_file = /etc/raddb/certs/random fragment_size = 1024 include_length = yes } }
radiusd.conf: authorize { auth_log files eap }
authenticate { eap }
I have uploaded both the CA andd certificate file to the supplicant, as trusted certificates. For some reason, I continue to see the balloon from windows indicating that a valid certificate could not be found for comparison. I have followed the PDF instructions found in EAPTLS.pdf.
Here is a sample of my radiusd -X -s logs:
rad_recv: Access-Request packet from host 192.168.214.99:1645, id=39, length=115 User-Name = "0213dec2114a" User-Password = "Qp\203e\206%\010`\256\243\203u;\362\321\017" Called-Station-Id = "0014.6a73.6110" Calling-Station-Id = "0213.dec2.114a" Service-Type = Login-User NAS-Port-Type = Wireless-802.11 NAS-Port = 551 NAS-IP-Address = 192.168.214.99 NAS-Identifier = "AP-99"
This is not an EAP authentication; your NAS (wireless AP) is not doing EAP. Make it do EAP if you want to do EAP.
rad_rmspace_pair: User-Password now 'Qp?d?%?`?u;?' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 radius_xlat: '/var/log/radius/radius-MAC/radacct/auth-detail-20070829' rlm_detail: /var/log/radius/radius-MAC/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radius-MAC/radacct//auth-detail-20070829 modcall[authorize]: module "auth_log" returns ok for request 2 users: Matched entry 0213dec2114a at line 38 modcall[authorize]: module "files" returns ok for request 2 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 2 modcall: group authorize returns ok for request 2 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 2 radius_xlat: '/var/log/radius/radius-MAC/radacct/reply-detail-20070829' rlm_detail: /var/log/radius/radius-MAC/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radius-MAC/radacct/reply-detail-20070829 modcall[post-auth]: module "reply_log" returns ok for request 2 modcall: group post-auth returns ok for request 2 Sending Access-Accept of id 39 to 192.168.214.99:1645 Service-Type = Framed-User Tunnel-Private-Group-Id:0 := "116" Tunnel-Medium-Type:0 := IEEE-802 Finished request 2 Going to the next request --- Walking the entire request list ---
...this transaction is repeated over and over and over again.
I have also tried commenting out all instances of "eap" from radiusd.conf, hoping to do non-wep mac address authentication, as a list effort. I then remove WEP support from the supplicant and Cisco AP. While freeradius reports "access-accept", the supplicant hangs on obtaining an ip address (with no related logs shown on my dhcp server) and the cisco AP reports "GMT: %DOT11-7-AUTH_FAILED: Station 0213.dec2.114a Authentication failed"
--johnk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
John C. Koen -
Phil Mayers