WPA-Enterprise with TTLS fails to authenticate (from Windows ok, but Linux fails).
Hello, I'm running WPA-Enterprise with TTLS authentication and LDAP backend. Config was running fine since 1,5 year. Problem is that I cannot authenticate to my network with wpa_supplicant, although I could, and from Windows & Secure2w TTLS wrapper - I can. I use Gentoo and did some upgrades (but nothing special I guess, kernel is the same, and wpa_supplicant also) My eap.conf: eap { default_eap_type = mschapv2 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } tls { private_key_file = ${raddbdir}/certs/radius1.uni.opole.pl.key certificate_file = ${raddbdir}/certs/radius1.uni.opole.pl.pem CA_path = ${raddbdir}/certs/ CA_file = ${raddbdir}/certs/ca.uni.opole.pl.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 check_cert_cn = %{User-Name} #check_crl = yes crl_dir = /etc/raddb/certs proxy_tunneled_request_as_eap = yes } peap { default_eap_type = mschapv2 } ttls { default_eap_type = md5 copy_request_to_tunnel = yes use_tunneled_reply = yes } mschapv2 { } } My wpa_supplicant.conf ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=0 eapol_version=1 fast_reauth=1 update_config=0 network={ ssid="eduroam" scan_ssid=1 proto=WPA key_mgmt=WPA-EAP pairwise=TKIP eap=TTLS identity="jsyrytczyk@uni.opole.pl" password="mycorrectpassword" ca_cert="/etc/wpa_supplicant/ca.uni.opole.pl.pem" phase2="auth=PAP" } My error: Ready to process requests. rad_recv: Access-Request packet from host 217.173.193.40:4347, id=89, length=205 User-Name = "jsyrytczyk@uni.opole.pl" Framed-MTU = 1400 Called-Station-Id = "0019.a9b5.3a01" Calling-Station-Id = "0002.7258.7f14" Cisco-AVPair = "ssid=eduroam" Service-Type = Login-User Message-Authenticator = 0x2e72d462f1fb588c9674049e6b61e580 EAP-Message = 0x0201001c016a7379727974637a796b40756e692e6f706f6c652e706c NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "461" NAS-Port = 461 NAS-IP-Address = 10.59.223.247 NAS-Identifier = "AP1242_eduroam_CI" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: Looking up realm "uni.opole.pl" for User-Name = "jsyrytczyk@uni.opole.pl" rlm_realm: Found realm "uni.opole.pl" rlm_realm: Proxying request from user jsyrytczyk to realm uni.opole.pl rlm_realm: Adding Realm = "uni.opole.pl" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent rlm_acct_unique: Hashing 'NAS-Port = 461,Client-IP-Address = 217.173.193.40,NAS-IP-Address = 10.59.223.247,,User-Name = "jsyrytczyk@uni.opole.pl"' rlm_acct_unique: Acct-Unique-Session-ID = "0e208dc42b670eee". modcall[authorize]: module "acct_unique" returns ok for request 0 radius_xlat: 'jsyrytczyk@uni.opole.pl' rlm_attr_rewrite: Added attribute Stripped-User-Name with value 'jsyrytczyk@uni.opole.pl' modcall[authorize]: module "copy.user-name" returns ok for request 0 radius_xlat: '@.*$' rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 'jsyrytczyk@uni.opole.pl' to 'jsyrytczyk' modcall[authorize]: module "strip.user-name" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for jsyrytczyk@uni.opole.pl radius_xlat: '(&(objectClass=VirtualMailAccount) (mail=jsyrytczyk@uni.opole.pl)(accountActive=TRUE)(delete=FALSE))' radius_xlat: 'o=hosting,dc=uo,dc=opole,dc=pl' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 217.173.193.3:389, authentication 0 rlm_ldap: bind as cn=dovecot,dc=uo,dc=opole,dc=pl/hereismyldapdatabasepass to 217.173.193.3:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=hosting,dc=uo,dc=opole,dc=pl, with filter (&(objectClass=VirtualMailAccount)(mail=jsyrytczyk@uni.opole.pl) (accountActive=TRUE)(delete=FALSE)) rlm_ldap: checking if remote access for jsyrytczyk@uni.opole.pl is allowed by dialupAccess rlm_ldap: Password header not found in password {CRYPT}hash for user jsyrytczyk@uni.opole.pl rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password == "{CRYPT}hash" rlm_ldap: looking for reply items in directory... rlm_ldap: user jsyrytczyk@uni.opole.pl authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_eap: EAP packet type response id 1 length 28 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 89 to 217.173.193.40 port 4347 EAP-Message = 0x010200311a0102002c10124897b1c632a0dd9edec5d89e10c5bc6a7379727974637a796b40756e692e6f706f6c652e706c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcdc132917ef520c9537ed9cbb1481929 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 217.173.193.40:4347, id=90, length=201 User-Name = "jsyrytczyk@uni.opole.pl" Framed-MTU = 1400 Called-Station-Id = "0019.a9b5.3a01" Calling-Station-Id = "0002.7258.7f14" Cisco-AVPair = "ssid=eduroam" Service-Type = Login-User Message-Authenticator = 0x1290a4533963f73ed925dec295cbefdf EAP-Message = 0x020200060315 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "461" NAS-Port = 461 State = 0xcdc132917ef520c9537ed9cbb1481929 NAS-IP-Address = 10.59.223.247 NAS-Identifier = "AP1242_eduroam_CI" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_realm: Looking up realm "uni.opole.pl" for User-Name = "jsyrytczyk@uni.opole.pl" rlm_realm: Found realm "uni.opole.pl" rlm_realm: Proxying request from user jsyrytczyk to realm uni.opole.pl rlm_realm: Adding Realm = "uni.opole.pl" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 1 rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent rlm_acct_unique: Hashing 'NAS-Port = 461,Client-IP-Address = 217.173.193.40,NAS-IP-Address = 10.59.223.247,,User-Name = "jsyrytczyk@uni.opole.pl"' rlm_acct_unique: Acct-Unique-Session-ID = "0e208dc42b670eee". modcall[authorize]: module "acct_unique" returns ok for request 1 radius_xlat: 'jsyrytczyk@uni.opole.pl' rlm_attr_rewrite: Added attribute Stripped-User-Name with value 'jsyrytczyk@uni.opole.pl' modcall[authorize]: module "copy.user-name" returns ok for request 1 radius_xlat: '@.*$' rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 'jsyrytczyk@uni.opole.pl' to 'jsyrytczyk' modcall[authorize]: module "strip.user-name" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for jsyrytczyk@uni.opole.pl radius_xlat: '(&(objectClass=VirtualMailAccount) (mail=jsyrytczyk@uni.opole.pl)(accountActive=TRUE)(delete=FALSE))' radius_xlat: 'o=hosting,dc=uo,dc=opole,dc=pl' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=hosting,dc=uo,dc=opole,dc=pl, with filter (&(objectClass=VirtualMailAccount)(mail=jsyrytczyk@uni.opole.pl) (accountActive=TRUE)(delete=FALSE)) rlm_ldap: checking if remote access for jsyrytczyk@uni.opole.pl is allowed by dialupAccess rlm_ldap: Password header not found in password {CRYPT}hashed for user jsyrytczyk@uni.opole.pl rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password == "{CRYPT}hashed" rlm_ldap: looking for reply items in directory... rlm_ldap: user jsyrytczyk@uni.opole.pl authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall[authorize]: module "files" returns notfound for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/ttls rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 90 to 217.173.193.40 port 4347 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf7496deb8d0573d9ee6c13a2b51ba8bc Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 217.173.193.40:4347, id=91, length=201 User-Name = "jsyrytczyk@uni.opole.pl" Framed-MTU = 1400 Called-Station-Id = "0019.a9b5.3a01" Calling-Station-Id = "0002.7258.7f14" Cisco-AVPair = "ssid=eduroam" Service-Type = Login-User Message-Authenticator = 0xed18d300aabdabba014117f1b2bca527 EAP-Message = 0x020200060315 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "461" NAS-Port = 461 State = 0xf7496deb8d0573d9ee6c13a2b51ba8bc NAS-IP-Address = 10.59.223.247 NAS-Identifier = "AP1242_eduroam_CI" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 rlm_realm: Looking up realm "uni.opole.pl" for User-Name = "jsyrytczyk@uni.opole.pl" rlm_realm: Found realm "uni.opole.pl" rlm_realm: Proxying request from user jsyrytczyk to realm uni.opole.pl rlm_realm: Adding Realm = "uni.opole.pl" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 2 rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent rlm_acct_unique: Hashing 'NAS-Port = 461,Client-IP-Address = 217.173.193.40,NAS-IP-Address = 10.59.223.247,,User-Name = "jsyrytczyk@uni.opole.pl"' rlm_acct_unique: Acct-Unique-Session-ID = "0e208dc42b670eee". modcall[authorize]: module "acct_unique" returns ok for request 2 radius_xlat: 'jsyrytczyk@uni.opole.pl' rlm_attr_rewrite: Added attribute Stripped-User-Name with value 'jsyrytczyk@uni.opole.pl' modcall[authorize]: module "copy.user-name" returns ok for request 2 radius_xlat: '@.*$' rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 'jsyrytczyk@uni.opole.pl' to 'jsyrytczyk' modcall[authorize]: module "strip.user-name" returns ok for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for jsyrytczyk@uni.opole.pl radius_xlat: '(&(objectClass=VirtualMailAccount) (mail=jsyrytczyk@uni.opole.pl)(accountActive=TRUE)(delete=FALSE))' radius_xlat: 'o=hosting,dc=uo,dc=opole,dc=pl' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=hosting,dc=uo,dc=opole,dc=pl, with filter (&(objectClass=VirtualMailAccount)(mail=jsyrytczyk@uni.opole.pl) (accountActive=TRUE)(delete=FALSE)) rlm_ldap: checking if remote access for jsyrytczyk@uni.opole.pl is allowed by dialupAccess rlm_ldap: Password header not found in password {CRYPT}hashed for user jsyrytczyk@uni.opole.pl rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password == "{CRYPT}hashed" rlm_ldap: looking for reply items in directory... rlm_ldap: user jsyrytczyk@uni.opole.pl authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall[authorize]: module "files" returns notfound for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 2 modcall: leaving group authenticate (returns invalid) for request 2 auth: Failed to validate the user. Login incorrect: [jsyrytczyk@uni.opole.pl] (from client UniNet port 461 cli 0002.7258.7f14) Delaying request 2 for 1 seconds Finished request 2 Going to the next request Waking up in 6 seconds... Freeradius writes my password is incorrect, but of course it is correct. It also complains about bad {crypt} header, but it performs well with it when using Windows. Anyway, when I pass correct header or change it to any other in radiusd.conf it changes nothing. I substituted all passwords of course. -- Syrytczyk Janusz - Administrator serwerów Centrum Informatyczne Uniwersytetu Opolskiego Nr telefonu: +48 77 452-70-91 E-mail: jsyrytczyk@uni.opole.pl -- Syrytczyk Janusz - Administrator serwerów Centrum Informatyczne Uniwersytetu Opolskiego Nr telefonu: +48 77 452-70-91 E-mail: jsyrytczyk@uni.opole.pl
Hi,
network={ ssid="eduroam" scan_ssid=1 proto=WPA key_mgmt=WPA-EAP pairwise=TKIP eap=TTLS identity="jsyrytczyk@uni.opole.pl" password="mycorrectpassword" ca_cert="/etc/wpa_supplicant/ca.uni.opole.pl.pem" phase2="auth=PAP" }
depending on driver etc - i'd ditch the pairwise line, the rest of it looks sane. if it works with other platforms then it looks and smells like a wpa_supplicant / linux driver issue alan
Monday 24 September 2007 12:38:28 A.L.M.Buxey@lboro.ac.uk napisał(a):
Hi,
network={ ssid="eduroam" scan_ssid=1 proto=WPA key_mgmt=WPA-EAP pairwise=TKIP eap=TTLS identity="jsyrytczyk@uni.opole.pl" password="mycorrectpassword" ca_cert="/etc/wpa_supplicant/ca.uni.opole.pl.pem" phase2="auth=PAP" }
depending on driver etc - i'd ditch the pairwise line, the rest of it looks sane. if it works with other platforms then it looks and smells like a wpa_supplicant / linux driver issue
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Pairwise=TKIP should be ok as it worked previously. Well, I'm pretty positive that I haven't changed anything serious in my system (I checked emerge history via genlop -l). Driver is zd1211rw which hasn't been changed since its from kernel which I use one month or so. Wpa_supplicant is the same. I'm positive also that this worked one week ago, when I was responsible to provide wifi all around my campus (I was running with this notebook checking connectivity all around my a..). So now I'm going insane because I'haven't touch enything and Freeradius/wpa_supplicant just stopped working. I would really like to know what those logs means?? why my pass is incorrect, when it is both virtually and in windows too?? -- Syrytczyk Janusz - Administrator serwerów Centrum Informatyczne Uniwersytetu Opolskiego Nr telefonu: +48 77 452-70-91 E-mail: jsyrytczyk@uni.opole.pl
Janusz Syrytczyk wrote:
Problem is that I cannot authenticate to my network with wpa_supplicant, although I could, and from Windows & Secure2w TTLS wrapper - I can. I use Gentoo and did some upgrades (but nothing special I guess, kernel is the same, and wpa_supplicant also) ... Ready to process requests. < deleted> EAP-Message = 0x020200060315 ... rlm_eap: EAP-NAK asked for EAP-Type/ttls
So the server starts EAP-TTLS:
Sending Access-Challenge of id 90 to 217.173.193.40 port 4347 EAP-Message = 0x010300061520
The server increments the EAP id (byte 2 of the EAP-Message)
rad_recv: Access-Request packet from host 217.173.193.40:4347, id=91, length=201 ... EAP-Message = 0x020200060315
And the supplicant responds with an EAP NAK, sating "No, I want EAP-TTLS". Either the AP is broken, or the supplicant is broken. The supplicant SHOULD NOT send back a NAK for something it just asked for. It should also increment the EAP id field (byte 2). Instead, it re-uses the EAP Id. If the AP is broken, then it's the one that decides to NOT send the EAP-TTLS start to the supplicant. Instead, it just echoes back the NAK that the supplicant previously sent. Check the supplicant logs. If it's really sending the NAK twice, then it is broken. If it's sending the NAK once, then the AP is broken. Alan DeKok.
Monday 24 September 2007 13:30:45 Alan DeKok napisał(a):
Janusz Syrytczyk wrote:
Problem is that I cannot authenticate to my network with wpa_supplicant, although I could, and from Windows & Secure2w TTLS wrapper - I can. I use Gentoo and did some upgrades (but nothing special I guess, kernel is the same, and wpa_supplicant also)
...
Ready to process requests.
< deleted>
EAP-Message = 0x020200060315
...
rlm_eap: EAP-NAK asked for EAP-Type/ttls
So the server starts EAP-TTLS:
Sending Access-Challenge of id 90 to 217.173.193.40 port 4347 EAP-Message = 0x010300061520
The server increments the EAP id (byte 2 of the EAP-Message)
rad_recv: Access-Request packet from host 217.173.193.40:4347, id=91, length=201
...
EAP-Message = 0x020200060315
And the supplicant responds with an EAP NAK, sating "No, I want EAP-TTLS".
Either the AP is broken, or the supplicant is broken. The supplicant SHOULD NOT send back a NAK for something it just asked for. It should also increment the EAP id field (byte 2). Instead, it re-uses the EAP Id.
If the AP is broken, then it's the one that decides to NOT send the EAP-TTLS start to the supplicant. Instead, it just echoes back the NAK that the supplicant previously sent.
Check the supplicant logs. If it's really sending the NAK twice, then it is broken. If it's sending the NAK once, then the AP is broken.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK, I need to check my logs, but at once I tried changing AP... and it worked. So I assume you're right, and now I will try to debug my supplicant and if it goes right - change AP config (which is Cisco AP1242). Partly solved, I'll post more comments later. -- Syrytczyk Janusz - Administrator serwerów Centrum Informatyczne Uniwersytetu Opolskiego Nr telefonu: +48 77 452-70-91 E-mail: jsyrytczyk@uni.opole.pl
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Janusz Syrytczyk -
Janusz Syrytczyk