I am trying to speak between my Freeradius server and a Cisco WLSE. I am seeing EAP timeouts while WLSE is trying to authenticate through Freeradius. I have setup the AAA details (server,port,username,password,eap protocol) in the WLSE, and enabled fault tracking, so that polling is able to take place. The WDS Master router has no problems authenticating, it is the WLSE that I am having problems getting authenticated. AP-70#show wlccp wnm status WNM IP Address : 192.168.254.5 Status : NOT AUTHENTICATED AP-70#show wlccp wds MAC: 0014.6a77.1604, IP-ADDR: 192.168.254.70 , Priority: 254 Interface BVI1, State: Administratively StandAlone - ACTIVE AP Count: 43 , MN Count: 9 == The WLSE is speaking with freeradius: (output from tcpdump) 17:40:36.415982 IP wlse.southwestern.edu.32815 > radius.southwestern.edu.radius: rad-access-req 132 [id 3] Attr[ User{wlseacct} NAS_ipaddr{wlse.southwestern.edu} Called_station{ABBAABBAABBA} [|radius] 17:40:36.422513 IP radius.southwestern.edu.radius > wlse.southwestern.edu.32815: rad-access-cha 92 [id 3] Attr[ [|radius] 17:40:36.423393 IP wlse.southwestern.edu.32815 > radius.southwestern.edu.radius: rad-access-req 125 [id 3] Attr[ User{wlseacct} NAS_ipaddr{wlse.southwestern.edu} Called_station{ABBAABBAABBA} [|radius] 17:40:42.433507 IP radius.southwestern.edu.radius > wlse.southwestern.edu.32815: rad-access-reject 20 [id 3] == == ...and the output from Freeradius rad_recv: Access-Request packet from host 192.168.254.10:32815, id=3, length=132 User-Name = "wlseacct" NAS-IP-Address = 192.168.254.10 Called-Station-Id = "ABBAABBAABBA" Calling-Station-Id = "ABBAABBAABBA" NAS-Identifier = "Cisco Secure II" NAS-Port = 29 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000d01776c736561636374 Message-Authenticator = 0x586aa1b877caeafd3956095cf718be31 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 180 rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 180 radius_xlat: 'wlseacct' rlm_sql (sql): sql_set_user escaped user --> 'wlseacct' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'wlseacct' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 0 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'wlseacct' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'wlseacct' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'wlseacct' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 0 modcall[authorize]: module "sql" returns ok for request 180 modcall: group authorize returns updated for request 180 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 180 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 180 modcall: group authenticate returns handled for request 180 Sending Access-Challenge of id 3 to 192.168.254.10:32815 EAP-Message = 0x010100221a0101001d10b063da2c8f5c52273cd537b0c09d69e5776c736561636374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8c90735921dd51b22bc8ef97379845b8 Finished request 180 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.254.10:32815, id=3, length=125 User-Name = "wlseacct" NAS-IP-Address = 192.168.254.10 Called-Station-Id = "ABBAABBAABBA" Calling-Station-Id = "ABBAABBAABBA" NAS-Identifier = "Cisco Secure II" NAS-Port = 29 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300060311 Message-Authenticator = 0x070f8a208866000f797e64be5bd48f48 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 181 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 181 radius_xlat: 'wlseacct' rlm_sql (sql): sql_set_user escaped user --> 'wlseacct' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'wlseacct' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'wlseacct' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'wlseacct' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'wlseacct' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 181 modcall: group authorize returns updated for request 181 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 181 rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 181 modcall: group authenticate returns invalid for request 181 auth: Failed to validate the user. rad_lowerpair: User-Name now 'wlseacct' rad_rmspace_pair: User-Name now 'wlseacct' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 181 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 181 radius_xlat: 'wlseacct' rlm_sql (sql): sql_set_user escaped user --> 'wlseacct' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'wlseacct' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'wlseacct' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'wlseacct' ORDER BY id' radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'wlseacct' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns ok for request 181 modcall: group authorize returns updated for request 181 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 181 rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 181 modcall: group authenticate returns invalid for request 181 auth: Failed to validate the user. Delaying request 181 for 1 seconds Finished request 181 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Sending Access-Reject of id 3 to 192.168.254.10:32815 Cleaning up request 181 ID 3 with timestamp 42fa8264 Nothing to do. Sleeping until we see a request. == I have read in places that there are patches, that may fix my issue. Are these patches my solution, and where can I get the most recent version? --johnk
jck-freeradius@southwestern.edu wrote:
I am trying to speak between my Freeradius server and a Cisco WLSE. I am seeing EAP timeouts while WLSE is trying to authenticate through Freeradius.
Short summary: the supplicant is broken.
Sending Access-Challenge of id 3 to 192.168.254.10:32815 EAP-Message = 0x010100221a0101001d10b063da2c8f5c52273cd537b0c09d69e5776c736561636374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8c90735921dd51b22bc8ef97379845b8 ... rad_recv: Access-Request packet from host 192.168.254.10:32815, id=3, length=125 User-Name = "wlseacct" NAS-IP-Address = 192.168.254.10 Called-Station-Id = "ABBAABBAABBA" Calling-Station-Id = "ABBAABBAABBA" NAS-Identifier = "Cisco Secure II" NAS-Port = 29 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300060311 Message-Authenticator = 0x070f8a208866000f797e64be5bd48f48
The client is sending a NACK, and asking for another EAP type. But it's changing the EAP ID in a broken way, which means that the AP doesn't add the State attribute from the previous challenge. In the last packet, FreeRADIUS is seeing the middle of a conversation, without any way to know what the conversation was about. The supplicant is broken. Use another one. Alan DeKok.
On Thu, Aug 11, 2005 at 07:02:19PM -0400, Alan DeKok wrote:
jck-freeradius@southwestern.edu wrote:
I am trying to speak between my Freeradius server and a Cisco WLSE. I am seeing EAP timeouts while WLSE is trying to authenticate through Freeradius.
Short summary: the supplicant is broken.
Sending Access-Challenge of id 3 to 192.168.254.10:32815 EAP-Message = 0x010100221a0101001d10b063da2c8f5c52273cd537b0c09d69e5776c736561636374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8c90735921dd51b22bc8ef97379845b8 ... rad_recv: Access-Request packet from host 192.168.254.10:32815, id=3, length=125 User-Name = "wlseacct" NAS-IP-Address = 192.168.254.10 Called-Station-Id = "ABBAABBAABBA" Calling-Station-Id = "ABBAABBAABBA" NAS-Identifier = "Cisco Secure II" NAS-Port = 29 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300060311 Message-Authenticator = 0x070f8a208866000f797e64be5bd48f48
The client is sending a NACK, and asking for another EAP type. But it's changing the EAP ID in a broken way, which means that the AP doesn't add the State attribute from the previous challenge.
In the last packet, FreeRADIUS is seeing the middle of a conversation, without any way to know what the conversation was about.
The supplicant is broken. Use another one.
I am stuck using WLSE. Are there plans on an "official" fix in Freeradius, to work with whatever is broken in WLSE? Cisco APs are only good if you have decent management. --johnk
jck-freeradius@southwestern.edu wrote:
I am stuck using WLSE. Are there plans on an "official" fix in Freeradius, to work with whatever is broken in WLSE?
As I said:
it's changing the EAP ID in a broken way, which means that the AP doesn't add the State attribute from the previous challenge.
Fixing FreeRADIUS won't help. The AP just isn't sending the information FreeRADIUS needs. And the ONLY way to make the AP send the correct information is to fix the supplicant. Alan DeKok.
participants (2)
-
Alan DeKok -
jck-freeradius@southwestern.edu