EAP-MD5 testing with radeapclient and eapol_test
Hi All, I have a proxy setup ( proxy server 192.168.6.134) where users are proxied to home server (192.168.7.40). Host IP address = 192.168.6.181 FreeRADIUS version 2.1.9 User authentication using radclient works fine when I issue following command echo "User-Name=raduser@mytest.com,Password=pass123" | radclient 192.168.6.134 auth testing123 I get following response on my proxy server rad_recv: Access-Accept packet from host 192.168.7.40 port 1812, id=104, length=68 Proxy-State = 0x3737 Framed-Protocol = PPP Service-Type = Framed-User Class = 0x52a505b1000001370001c0a8072801cb4d87ddbf246a0000000000000016 I try the same test to work out with EAP using following command: echo "User-Name=raduser@mytest.com ,Password=pass123,EAP-Code=Response,EAP-Id=210,EAP-Type-Identity= raduser@mytest.com" | radeapclient -x 192.168.6.134 auth testing123 I see following output on proxy server: rad_recv: Access-Request packet from host 192.168.6.181 port 32771, id=108, length=107 User-Name = "raduser@mytest.com" User-Password = "pass123" EAP-Message = 0x02d2001a0172616475736572406e65766973746573742e636f6d Message-Authenticator = 0xe61561c7667d60c2fbc37709b16e8193 Mon Sep 6 06:48:30 2010 : Info: +- entering group authorize {...} Mon Sep 6 06:48:30 2010 : Info: ++[preprocess] returns ok Mon Sep 6 06:48:30 2010 : Info: ++[chap] returns noop Mon Sep 6 06:48:30 2010 : Info: ++[mschap] returns noop Mon Sep 6 06:48:30 2010 : Info: [suffix] Looking up realm "mytest.com" for User-Name = "raduser@mytest.com" Mon Sep 6 06:48:30 2010 : Info: [suffix] Found realm "mytest.com" Mon Sep 6 06:48:30 2010 : Info: [suffix] Adding Stripped-User-Name = "raduser" Mon Sep 6 06:48:30 2010 : Info: [suffix] Adding Realm = "mytest.com" Mon Sep 6 06:48:30 2010 : Info: [suffix] Proxying request from user raduser to realm mytest.com Mon Sep 6 06:48:30 2010 : Info: [suffix] Preparing to proxy authentication request to realm "mytest.com" Mon Sep 6 06:48:30 2010 : Info: ++[suffix] returns updated Mon Sep 6 06:48:30 2010 : Info: [eap] Request is supposed to be proxied to Realm mytest.com. Not doing EAP. Mon Sep 6 06:48:30 2010 : Info: ++[eap] returns noop Mon Sep 6 06:48:30 2010 : Info: ++[unix] returns notfound Mon Sep 6 06:48:30 2010 : Info: [files] users: Matched entry DEFAULT at line 195 Mon Sep 6 06:48:30 2010 : Info: [files] expand: %{User-Name} -> raduser@mytest.com Mon Sep 6 06:48:30 2010 : Info: ++[files] returns ok Mon Sep 6 06:48:30 2010 : Info: ++[expiration] returns noop Mon Sep 6 06:48:30 2010 : Info: ++[logintime] returns noop Mon Sep 6 06:48:30 2010 : Info: ++[pap] returns noop Mon Sep 6 06:48:30 2010 : Info: WARNING: Empty pre-proxy section. Using default return values. Mon Sep 6 06:48:30 2010 : Info: Proxying request 0 to home server 192.168.7.40 port 1812 Sending Access-Request of id 40 to 192.168.7.40 port 1812 User-Name = "raduser" User-Password = "pass123" EAP-Message = 0x02d2001a0172616475736572406e65766973746573742e636f6d Message-Authenticator = 0x00000000000000000000000000000000 NAS-IP-Address = 192.168.6.181 Proxy-State = 0x313038 Mon Sep 6 06:48:30 2010 : Debug: Going to the next request Mon Sep 6 06:48:30 2010 : Debug: Waking up in 0.9 seconds. rad_recv: Access-Accept packet from host 192.168.7.40 port 1812, id=40, length=69 Proxy-State = 0x313038 Framed-Protocol = PPP Service-Type = Framed-User Class = 0x52a605b2000001370001c0a8072801cb4d87ddbf246a0000000000000017 Mon Sep 6 06:48:30 2010 : Info: +- entering group post-proxy {...} Mon Sep 6 06:48:30 2010 : Info: [force_username] expand: %{User-Name} -> raduser@mytest.com Mon Sep 6 06:48:30 2010 : Debug: force_username: Added attribute User-Name with value 'raduser@mytest.com' Mon Sep 6 06:48:30 2010 : Info: ++[force_username] returns ok Mon Sep 6 06:48:30 2010 : Info: [eap] No pre-existing handler found Mon Sep 6 06:48:30 2010 : Info: ++[eap] returns noop Mon Sep 6 06:48:30 2010 : Info: Found Auth-Type = Accept Mon Sep 6 06:48:30 2010 : Info: Auth-Type = Accept, accepting the user Mon Sep 6 06:48:30 2010 : Info: +- entering group post-auth {...} Mon Sep 6 06:48:30 2010 : Info: ++[exec] returns noop Sending Access-Accept of id 108 to 192.168.6.181 port 32771 Framed-Protocol = PPP Service-Type = Framed-User Class = 0x52a605b2000001370001c0a8072801cb4d87ddbf246a0000000000000017 User-Name = "raduser@mytest.com" When I use eapol_test client to using following command: eapol_test -c /tmp/eapol.conf -a 192.168.6.134 -p 1812 -s testing123 -r 1 eapol.conf is as follows network={ key_mgmt=NONE eap=MD5 identity="raduser@mytest.com" password="pass123" } I see following output on my proxy server: Mon Sep 6 06:53:49 2010 : Info: Proxying request 0 to home server 192.168.7.40 port 1812 Sending Access-Request of id 166 to 192.168.7.40 port 1812 User-Name = "raduser" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200001a0172616475736572406e65766973746573742e636f6d Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Mon Sep 6 06:53:49 2010 : Debug: Going to the next request Mon Sep 6 06:53:49 2010 : Debug: Waking up in 0.9 seconds. rad_recv: Access-Challenge packet from host 192.168.7.40 port 1812, id=166, length=109 Proxy-State = 0x30 Session-Timeout = 6 EAP-Message = 0x0101002304101f3bc497bfe2cfaf507a66218e4dcb01524f4f54544553544c41424144 State = 0x1a2902ae000001370001c0a8072800000003235c233800 Message-Authenticator = 0x467eeb430357cbddf194719353853d80 Mon Sep 6 06:53:49 2010 : Info: +- entering group post-proxy {...} Mon Sep 6 06:53:49 2010 : Info: [force_username] expand: %{User-Name} -> raduser@mytest.com Mon Sep 6 06:53:49 2010 : Debug: force_username: Added attribute User-Name with value 'raduser@mytest.com' Mon Sep 6 06:53:49 2010 : Info: ++[force_username] returns ok Mon Sep 6 06:53:49 2010 : Info: [eap] No pre-existing handler found Mon Sep 6 06:53:49 2010 : Info: ++[eap] returns noop Sending Access-Challenge of id 0 to 192.168.6.181 port 32771 Session-Timeout = 6 EAP-Message = 0x0101002304101f3bc497bfe2cfaf507a66218e4dcb01524f4f54544553544c41424144 State = 0x1a2902ae000001370001c0a8072800000003235c233800 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "raduser@mytest.com" Mon Sep 6 06:53:49 2010 : Info: Finished request 0. Mon Sep 6 06:53:49 2010 : Debug: Going to the next request Mon Sep 6 06:53:49 2010 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.6.181 port 32771, id=1, length=171 User-Name = "raduser@mytest.com" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201001604100ff84736f21760abada91fdb828e888c State = 0x1a2902ae000001370001c0a8072800000003235c233800 Message-Authenticator = 0xe1da93d7d4f4d4b68cf9ef4333a1f8eb Mon Sep 6 06:53:49 2010 : Info: +- entering group authorize {...} Mon Sep 6 06:53:49 2010 : Info: ++[preprocess] returns ok Mon Sep 6 06:53:49 2010 : Info: ++[chap] returns noop Mon Sep 6 06:53:49 2010 : Info: ++[mschap] returns noop Mon Sep 6 06:53:49 2010 : Info: [suffix] Looking up realm "mytest.com" for User-Name = "raduser@mytest.com" Mon Sep 6 06:53:49 2010 : Info: [suffix] Found realm "mytest.com" Mon Sep 6 06:53:49 2010 : Info: [suffix] Adding Stripped-User-Name = "raduser" Mon Sep 6 06:53:49 2010 : Info: [suffix] Adding Realm = "mytest.com" Mon Sep 6 06:53:49 2010 : Info: [suffix] Proxying request from user raduser to realm mytest.com Mon Sep 6 06:53:49 2010 : Info: [suffix] Preparing to proxy authentication request to realm "mytest.com" Mon Sep 6 06:53:49 2010 : Info: ++[suffix] returns updated Mon Sep 6 06:53:49 2010 : Info: [eap] Request is supposed to be proxied to Realm mytest.com. Not doing EAP. Mon Sep 6 06:53:49 2010 : Info: ++[eap] returns noop Mon Sep 6 06:53:49 2010 : Info: ++[unix] returns notfound Mon Sep 6 06:53:49 2010 : Info: [files] users: Matched entry DEFAULT at line 195 Mon Sep 6 06:53:49 2010 : Info: [files] expand: %{User-Name} -> raduser@mytest.com Mon Sep 6 06:53:49 2010 : Info: ++[files] returns ok Mon Sep 6 06:53:49 2010 : Info: ++[expiration] returns noop Mon Sep 6 06:53:49 2010 : Info: ++[logintime] returns noop Mon Sep 6 06:53:49 2010 : Info: ++[pap] returns noop Mon Sep 6 06:53:49 2010 : Info: WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 177 to 192.168.7.40 port 1812 User-Name = "raduser" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201001604100ff84736f21760abada91fdb828e888c State = 0x1a2902ae000001370001c0a8072800000003235c233800 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x31 Mon Sep 6 06:53:49 2010 : Info: Proxying request 1 to home server 192.168.7.40 port 1812 Sending Access-Request of id 177 to 192.168.7.40 port 1812 User-Name = "raduser" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201001604100ff84736f21760abada91fdb828e888c State = 0x1a2902ae000001370001c0a8072800000003235c233800 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x31 Mon Sep 6 06:53:49 2010 : Debug: Going to the next request Mon Sep 6 06:53:49 2010 : Debug: Waking up in 0.9 seconds. rad_recv: Access-Reject packet from host 192.168.7.40 port 1812, id=177, length=47 Proxy-State = 0x31 EAP-Message = 0x04010004 Message-Authenticator = 0x9ce0e5c3b355540c348cbff29f5f40f2 Mon Sep 6 06:53:49 2010 : Info: +- entering group post-proxy {...} Mon Sep 6 06:53:49 2010 : Info: [force_username] expand: %{User-Name} -> raduser@mytest.com Mon Sep 6 06:53:49 2010 : Debug: force_username: Added attribute User-Name with value 'raduser@mytest.com' Mon Sep 6 06:53:49 2010 : Info: ++[force_username] returns ok Mon Sep 6 06:53:49 2010 : Info: [eap] No pre-existing handler found Mon Sep 6 06:53:49 2010 : Info: ++[eap] returns noop Mon Sep 6 06:53:49 2010 : Info: Using Post-Auth-Type Reject Mon Sep 6 06:53:49 2010 : Info: +- entering group REJECT {...} Mon Sep 6 06:53:49 2010 : Info: [attr_filter.access_reject] expand: %{User-Name} -> raduser@mytest.com Mon Sep 6 06:53:49 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11 Mon Sep 6 06:53:49 2010 : Info: ++[attr_filter.access_reject] returns updated Mon Sep 6 06:53:49 2010 : Info: Delaying reject of request 1 for 1 seconds Mon Sep 6 06:53:49 2010 : Debug: Going to the next request Mon Sep 6 06:53:49 2010 : Debug: Waking up in 0.9 seconds. Mon Sep 6 06:53:50 2010 : Info: Sending delayed reject for request 1 Sending Access-Reject of id 1 to 192.168.6.181 port 32771 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 Mon Sep 6 06:53:50 2010 : Debug: Waking up in 3.9 seconds. Mon Sep 6 06:53:54 2010 : Info: Cleaning up request 0 ID 0 with timestamp +48 Mon Sep 6 06:53:54 2010 : Debug: Waking up in 0.9 seconds. Mon Sep 6 06:53:55 2010 : Info: Cleaning up request 1 ID 1 with timestamp +48 Mon Sep 6 06:53:55 2010 : Info: Ready to process requests. I have never succedded with eapol_test. I doubt on NAS-IP-Address attribute in Access=Request which is 127.0.0.1. Can some body point me where am I going wrong? -- Chidanand Gangur Pune.
Chidanand Gangur wrote:
I have a proxy setup ( proxy server 192.168.6.134) where users are proxied to home server (192.168.7.40). Host IP address = 192.168.6.181 FreeRADIUS version 2.1.9 ... I get following response on my proxy server
Why not look on the home server to see what the problem is?
I have never succedded with eapol_test. I doubt on NAS-IP-Address attribute in Access=Request which is 127.0.0.1. Can some body point me where am I going wrong?
You're trying to debug the home server by looking at the proxy. This won't work. Alan DeKok.
Hi, <snip>
Sending Access-Request of id 177 to 192.168.7.40 port 1812
<cut>
rad_recv: Access-Reject packet from host 192.168.7.40 port 1812, id=177, length=47
seems quite simple. the home server that you proxied the request to has rejected it. check the logs on that server to see why - i suspect its because you are stripping the username and thus the EAP stuff wont be right.... you seem to also have that user in your local users file...and you also seem to be setting auth-type to accept - that wont work for EAP alan
I do not have "raduser" configured in my proxy users file. If it is configuration problem on the Home-Server why does it work if I use radeapclient/radclient. I see following on my host on running eapol_test. Whay is NAS-IP-Address set as 127.0.0.1 in this case? Reading configuration file '/tmp/eapol.conf' Line: 1 - start of a new network block key_mgmt: 0x4 eap methods - hexdump(len=16): 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 identity - hexdump_ascii(len=21): 72 61 64 75 73 65 72 40 6e 65 76 69 73 74 65 73 raduser@mytes 74 2e 63 6f 6d t.com password - hexdump_ascii(len=7): 70 61 73 73 31 32 33 pass123 Priority group 0 id=0 ssid='' Authentication server 192.168.6.134:1812 RADIUS local address: 192.168.6.181:32771 EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Sending fake EAP-Request-Identity EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using real identity - hexdump_ascii(len=21): 72 61 64 75 73 65 72 40 6e 65 76 69 73 74 65 73 raduser@mytes 74 2e 63 6f 6d t.com EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=26) TX EAP -> RADIUS - hexdump(len=26): 02 00 00 1a 01 72 61 64 75 73 65 72 40 6e 65 76 69 73 74 65 73 74 2e 63 6f 6d Encapsulating EAP message into a RADIUS packet Learned identity from EAP-Response-Identity - hexdump(len=21): 72 61 64 75 73 65 72 40 6e 65 76 69 73 74 65 73 74 2e 63 6f 6d Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=0 length=150 Attribute 1 (User-Name) length=23 Value: 'raduser@mytest.com' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=28 Value: 02 00 00 1a 01 72 61 64 75 73 65 72 40 6e 65 76 69 73 74 65 73 74 2e 63 6f 6d Attribute 80 (Message-Authenticator) length=18 Value: cb 60 23 ea b3 e1 3d 7d 11 81 f1 02 53 39 5d e1 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 129 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=0 length=129 Attribute 27 (Session-Timeout) length=6 Value: 6 Attribute 79 (EAP-Message) length=37 Value: 01 01 00 23 04 10 b3 70 ee 1c 3c 59 73 f5 a2 4e 77 b7 a2 4d cb 01 52 4f 4f 54 54 45 53 54 4c 41 42 41 44 Attribute 24 (State) length=25 Value: 1a 35 02 b4 00 00 01 37 00 01 c0 a8 07 28 00 00 00 03 23 5c 23 3e 00 Attribute 80 (Message-Authenticator) length=18 Value: d8 fb 71 20 d9 1c ca 4d 61 a5 7d 7a e6 34 0c 4b Attribute 1 (User-Name) length=23 Value: 'raduser@mytest.com' STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=1 len=35) from RADIUS server: EAP-Request-MD5 (4) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD EAP: Initialize selected EAP method: vendor 0 method 4 (MD5) CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected EAP: EAP entering state METHOD EAP-MD5: Challenge - hexdump(len=16): b3 70 ee 1c 3c 59 73 f5 a2 4e 77 b7 a2 4d cb 01 EAP-MD5: Generating Challenge Response EAP-MD5: Response - hexdump(len=16): 26 f7 be 54 fc 4a 29 80 58 5c a6 65 69 02 2d 21 EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=22) TX EAP -> RADIUS - hexdump(len=22): 02 01 00 16 04 10 26 f7 be 54 fc 4a 29 80 58 5c a6 65 69 02 2d 21 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=1 length=171 Attribute 1 (User-Name) length=23 Value: 'raduser@mytest.com' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=24 Value: 02 01 00 16 04 10 26 f7 be 54 fc 4a 29 80 58 5c a6 65 69 02 2d 21 Attribute 24 (State) length=25 Value: 1a 35 02 b4 00 00 01 37 00 01 c0 a8 07 28 00 00 00 03 23 5c 23 3e 00 Attribute 80 (Message-Authenticator) length=18 Value: 74 44 82 76 ad 4a 69 3f 63 5d 39 6e 92 19 c1 53 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 44 bytes from RADIUS server Received RADIUS message RADIUS message: code=3 (Access-Reject) identifier=1 length=44 Attribute 79 (EAP-Message) length=6 Value: 04 01 00 04 Attribute 80 (Message-Authenticator) length=18 Value: 8f 2f ea 83 e9 df 05 6e 4b 01 be ee 65 a9 fc 6f STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 1.00 sec RADIUS packet matching with station decapsulated EAP packet (code=4 id=1 len=4) from RADIUS server: EAP Failure EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: EAP entering state DISCARD EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RECEIVE EAPOL: EAP key not available EAP: deinitialize previously used EAP method (4, MD5) at EAP deinit MPPE keys OK: 0 mismatch: 1 FAILURE Thanks, Chidanand On Mon, Sep 6, 2010 at 1:45 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
<snip>
Sending Access-Request of id 177 to 192.168.7.40 port 1812
<cut>
rad_recv: Access-Reject packet from host 192.168.7.40 port 1812, id=177, length=47
seems quite simple. the home server that you proxied the request to has rejected it. check the logs on that server to see why - i suspect its because you are stripping the username and thus the EAP stuff wont be right....
you seem to also have that user in your local users file...and you also seem to be setting auth-type to accept - that wont work for EAP
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Chidanand Gangur Pune.
hi, I will repeat the advice given before - look at the logs of the RADIUS server which is actually doing the authentication. you cannot get joy anywhere else. alan
At present I have removed Proxy from my set up and have directly connected my host to AD (IIS server) I have configured "raduser" on it I have added my host IP as its RADIUS client and on issuing following command eapol_test -c /tmp/eapol.conf -a 192.168.7.40 -p 1812 -s testing123 My home server is an Microsoft IIS server, all I get from its logs is following: 127.0.0.1,raduser,09/06/2010,18:42:57,IAS,ROOTTESTLABAD,4128,192.168.6.134,4,127.0.0.1,31,02-00-00-00-00-01,12,1400,61,19,77,CONNECT 11Mbps 802.11b,4108,192.168.6.134,4116,0,4155,1,4154,dot1x,25,311 1 192.168.7.40 09/06/2010 13:08:43 6,4129,MYTEST\raduser,4127,5,4149,test-dot1x,4132,MD5-Challenge,4130, mytest.com/Users/raduser,4136,1,4142,0 127.0.0.1,raduser,09/06/2010,18:42:57,IAS,ROOTTESTLABAD,4128,192.168.6.134,25,311 1 192.168.7.40 09/06/2010 13:08:43 6,4132,MD5-Challenge,4130, mytest.com/Users/raduser,4149,test-dot1x,4108,192.168.6.134,4116,0,4127,5,4155,1,4154,dot1x,4129,MYTEST\raduser,4136,3,4142,19 When I repeat same test with freeRADIUS as my home server everything works fine. I have run out of ideas please guide me. Thanks, Chidanand On Mon, Sep 6, 2010 at 4:02 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
hi,
I will repeat the advice given before - look at the logs of the RADIUS server which is actually doing the authentication. you cannot get joy anywhere else.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Chidanand Gangur Pune.
On 09/06/2010 03:00 PM, Chidanand Gangur wrote:
At present I have removed Proxy from my set up and have directly connected my host to AD (IIS server)
This isn't a FreeRadius question. Ask on an NPS/IAS server mailing list. But... From distant memory, MD5 password support requires "reversible password encryption" to be enabled - a domain-wide option I think - and then for you to change the users passwords, so that AD can generate the new crypt. You should investigate this. FreeRadius can't help you.
Thanks Phil, I would definitely explore on the pointer you mentioned. I am sorry folks to ask IIS question on this mailing list I was little frustrated. Thanks, Chidanand On Mon, Sep 6, 2010 at 10:17 PM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 09/06/2010 03:00 PM, Chidanand Gangur wrote:
At present I have removed Proxy from my set up and have directly connected my host to AD (IIS server)
This isn't a FreeRadius question. Ask on an NPS/IAS server mailing list.
But...
From distant memory, MD5 password support requires "reversible password encryption" to be enabled - a domain-wide option I think - and then for you to change the users passwords, so that AD can generate the new crypt.
You should investigate this. FreeRadius can't help you.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Chidanand Gangur Pune.
participants (4)
-
Alan Buxey -
Alan DeKok -
Chidanand Gangur -
Phil Mayers