problems with authorization PEAP - EAP-MSCHAPv2 clients
Hello, I would like to authorize windows clients access to 3com Baseline Switch 2948 SFP against FreeRADIUS server 2.0.5. Windows are cofigured to use PEAP - EAP-MSCHAPv2. Server certificate was created with bootstrap script (xpextensions are included). I tried windows xp sp3 and linux (wpa_supplicant) client and both cause the same server output and authorization can't pass. Testing tools eapol_test, radeapclient and jRadiusSimulator can pass all tests fine. EAP - MD5 Challenge works fine. Attaching radiusd.conf and radius -X output. Thanks for help. -- Lukas Lisa prefix = /usr exec_prefix = ${prefix} sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} log_auth = yes run_dir = ${localstatedir}/run/radiusd db_dir = $(raddbdir) libdir = /usr/lib/freeradius pidfile = ${run_dir}/radiusd.pid max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } listen { ipaddr = * port = 0 type = acct } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = no auth_badpass = no auth_goodpass = no } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes ##### proxy ##### # $INCLUDE proxy.conf realm NULL { type = radius authhost = LOCAL accthost = LOCAL secret = ss } ###### clients ###### # $INCLUDE clients.conf client 127.0.0.1 { secret = ss shortname = localhost nastype = other } client 10.1.11.0{ netmask = 24 secret = ss shortname = LAN_clients nastype = other } snmp = no $INCLUDE snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { # $INCLUDE ${confdir}/modules/ #### acct_unique #### acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } ### detail #### detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 header = "%t" } #### files #### files { usersfile = ${confdir}/users #acctusersfile = ${confdir}/acct_users #preproxy_usersfile = ${confdir}/preproxy_users compat = no } #### mschap #### mschap { authtype = MS-CHAP } #### pap #### pap { auto_header = no } #### preprocess #### preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } #### realm #### realm suffix { format = suffix delimiter = "@" } ######## eap ####### eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" #make_cert_command = "${certdir}/bootstrap" fragment_size = 1024 include_length = yes } ttls { default_eap_type = md5 #copy_request_to_tunnel = no #use_tunneled_reply = no use_tunneled_reply = yes #virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 proxy_tunneled_request_as_eap = yes #copy_request_to_tunnel = no #use_tunneled_reply = no use_tunneled_reply = yes #virtual_server = "inner-tunnel" } mschapv2 { } } # $INCLUDE sql.conf # $INCLUDE sql/mysql/counter.conf } # instantiate { # exec # expr # expiration # logintime # } # # $INCLUDE policy.conf #### sites enabled #### # $INCLUDE sites-enabled/ authorize { preprocess mschap suffix eap #chap #eap { # ok = return #} #unix files #expiration #logintime #pap } authenticate { Auth-Type PAP { pap } #Auth-Type CHAP { # chap #} Auth-Type MS-CHAP { mschap } #unix eap } preacct { preprocess acct_unique #suffix files } accounting { detail #unix #radutmp #attr_filter.accounting_response } #session { # radutmp #} #post-auth { # exec # Post-Auth-Type REJECT { # attr_filter.access_reject # } #} #pre-proxy { #} #post-proxy { # eap #} FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Jul 29 2008 at 14:10:17 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/snmp.conf including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } log_auth = yes } client 127.0.0.1 { require_message_authenticator = no secret = "ss" shortname = "localhost" nastype = "other" } client 10.1.11.0 { netmask = 24 require_message_authenticator = no secret = "ss" shortname = "LAN_clients" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### realm NULL { authhost = LOCAL accthost = LOCAL } radiusd: #### Instantiating modules #### radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.1.11.254 port 1678, id=86, length=92 NAS-IP-Address = 10.1.11.254 NAS-Port = 13 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-C9-5D-12-E8" User-Name = "pepa" EAP-Message = 0x020100090170657061 Message-Authenticator = 0x6966eee3e16f3dbca48d1d0940ee8092 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pepa", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "pepa" rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: EAP packet type response id 1 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry pepa at line 63 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 86 to 10.1.11.254 port 1678 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" Tunnel-Type:0 = VLAN EAP-Message = 0x01020016041039cd7461637ef88b1917e73e9f7454c0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc12a17dec12813be64a3903fd78b27a2 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.11.254 port 1678, id=87, length=107 NAS-IP-Address = 10.1.11.254 NAS-Port = 13 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-C9-5D-12-E8" User-Name = "pepa" EAP-Message = 0x020200060319 State = 0xc12a17dec12813be64a3903fd78b27a2 Message-Authenticator = 0xa707c2539eb95c1920974e7a99366818 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pepa", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "pepa" rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated users: Matched entry pepa at line 63 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 87 to 10.1.11.254 port 1678 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" Tunnel-Type:0 = VLAN EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc12a17dec0290ebe64a3903fd78b27a2 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.11.254 port 1678, id=88, length=213 NAS-IP-Address = 10.1.11.254 NAS-Port = 13 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-C9-5D-12-E8" User-Name = "pepa" EAP-Message = 0x0203007019800000006616030100610100005d03014905f33e53294d50e965048da5c85d5a54078b2ca1eca3ede7dd82bebb20cd2e203ab15972a43e9953c3140d9f8068bc75e2eff3a94af4b2a7bbf43fde181f93ce001600040005000a000900640062000300060013001200630100 State = 0xc12a17dec0290ebe64a3903fd78b27a2 Message-Authenticator = 0xa80ad48264377d85ed6cca3d48beb8a8 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pepa", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "pepa" rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: EAP packet type response id 3 length 112 rlm_eap: Continuing tunnel setup. ++[eap] returns ok users: Matched entry pepa at line 63 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 102 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 88 to 10.1.11.254 port 1678 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" Tunnel-Type:0 = VLAN EAP-Message = 0x0104040019c0000008bb160301004a0200004603014905f340ca71458a4f8eef21bef0a72853f3d1431af934867c4c847bab632ca920ed2b962c1a418d7eeb9a84e10a8291d32e29821fc64642d9787a9b7bfa0a041d000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038313031333136313335375a170d3039313031333136313335375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b89c61b7b2480f72d2438a52212f4ebb8ab8bf94fe0b25bc3de955b7175f EAP-Message = 0x45766a706a40b5170baf82cfc8622479a835169b94891b5e435c45b942a9ca833bbe1509f09831cd7e17d71110ee5a050221ca79216e9a09a537f2696a3126a3c4684a2b8f641abede9eb178859679ac7c16ece760ad637d31c0b0ce2b49f70f74b9d5168bc40d96a5c6b2e59c139fdaf5e06d71064cf8a28af40e1749a6c97441513fb1b1e5cb1d7db8d1b31217b5c5bc29622d75ce017da3a12227587946bb3345d6fe14af05d16b476782315851ecd00e070c17f8938985f8e0e64c2f49ec0b70495745447c7f8d94d58949b358214a0fc085dbe2acde64fb164cb57e902481a70203010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d010104050003820101002d7a145511474c09898d85ec8157862965467bcb83ebc6af106c06584f73b42e9dfcff6d8e2c85dad3e8bc710db690ba6a465ea6a36dbc35ed5a968a2a5deeb6f61ccf3a5d9c5b3a655f97596fd49114dba554e5cf4e7320b1507688e82b4206017050dfbb4860a1a827e027141625f91bb9db31bdf479c107fb72fcf30fd284d35677e1df77d283992e0af591db69620ee16168031d61f449853f2561a06c7467b5e87bc9c9af007e0b994059218f8a574269471b0bbf65048523c1d33d82512b61f38d6042f6b9ec083e83ab8d68b1404af602cc8dd5004448d6b28e6fe00b5973b4a0d67d EAP-Message = 0xf5cc5ef0da4ee34196020d2d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc12a17dec32e0ebe64a3903fd78b27a2 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.11.254 port 1678, id=89, length=107 NAS-IP-Address = 10.1.11.254 NAS-Port = 13 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-C9-5D-12-E8" User-Name = "pepa" EAP-Message = 0x020400061900 State = 0xc12a17dec32e0ebe64a3903fd78b27a2 Message-Authenticator = 0xab4f01388e23132589dadf9f65db9679 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pepa", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "pepa" rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok users: Matched entry pepa at line 63 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 89 to 10.1.11.254 port 1678 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" Tunnel-Type:0 = VLAN EAP-Message = 0x010503fc194030dd35e7732524f5bee6b4c97d820004ab308204a73082038fa003020102020900d78413b623ba23d7300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038313031333136313335365a170d3038313131323136313335365a308193310b30090603 EAP-Message = 0x55040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d5c7e3aa2abb3f430ac169b53b66e9a22718e126dba0470333185c8b96365de4d7c54bee4451027b619c27169275f0eba07c2de1f8548abd6fbb7170d59a1897fa47d868769403f60ff2d368db47f8 EAP-Message = 0xd37f6eca5998f6ffea4c956948b9ea9527d2e052da8c186bffc415d4e57cfa758f66802777defc4503850d21c42ee6a0ac0babb38cd65bb4f1355a81632c92c71ffeb0037949dd944dfc5569cb81403987cda1c95378f709c00ef31b5076097db8959481ed465a1014615013ad809e00028a58f2d852fb975720dbcb0ce32f0d6c56a4231e5297b92ab698914750a2b4571b7bee836c400ed21dceeb7dec88bb170d0b9bdc04d641e498cf64278b1374d90203010001a381fb3081f8301d0603551d0e04160414727a098357bfd22b4680cfb84356363747a750483081c80603551d230481c03081bd8014727a098357bfd22b4680cfb84356363747a7 EAP-Message = 0x5048a18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900d78413b623ba23d7300c0603551d13040530030101ff300d06092a864886f70d010105050003820101007bc90ed54235fc8c171f1876f27b34541a67b82ace8367522ce93522a6fb72f32d7cb470fa649dc44a5aa5c1e1c7947235b3 EAP-Message = 0xe494691a8395c6a4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc12a17dec22f0ebe64a3903fd78b27a2 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.11.254 port 1678, id=90, length=107 NAS-IP-Address = 10.1.11.254 NAS-Port = 13 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-C9-5D-12-E8" User-Name = "pepa" EAP-Message = 0x020500061900 State = 0xc12a17dec22f0ebe64a3903fd78b27a2 Message-Authenticator = 0x7dcfbca510f5d2afadbcb2d4022e9fac +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pepa", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "pepa" rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: EAP packet type response id 5 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok users: Matched entry pepa at line 63 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 90 to 10.1.11.254 port 1678 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" Tunnel-Type:0 = VLAN EAP-Message = 0x010600d51900b7cdda23960c130380f9fd68693b47ea5a21a0f40c232669cd2bceb27a0b050b728fac4d99abcfa01c89c25fb3bfa0126752307379f601d9a397917fc4d3028e76786a30fe41c6b7a56caa8dcef2e11d11b68c946050f859ade7048e7b7f24d1a0457bd59203f675643e45356023ef33a54a2479086258bb16bf47f06843f999d1c1d01fb7c776b1f46ea8b5ba2971871573f8732f62320df5ac4e5c114fe52ec0090dd9ab84451c6eb8a5c9ce1fe683c12a2a6ede934e245c78a07318af10b5cafa7995b1fa16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc12a17dec52c0ebe64a3903fd78b27a2 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.11.254 port 1678, id=91, length=423 NAS-IP-Address = 10.1.11.254 NAS-Port = 13 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-C9-5D-12-E8" User-Name = "pepa" EAP-Message = 0x0206014019800000013616030101061000010201003bca0f75f1f302a91302341697a459f3f961bead4d54bf79199b56dea8f01d88ef5ef77c7ecdb2b4d18fbfb7b397181be165926b963737ac0c7f7051221ae0b8ff6f36bff1348c349f1b9f1b076d3cec038d72c0f4665815d6fec1830db190f9ba42b9d74190dba1807b40a1974dcfc6ea6cb9f04bde43b7a7086019ede4f760de013f8bfef8f5353e72ea42be2bf013771f6ca320c97c2ab7063c6917d8035848adb11d59a8adf020f1cd38eaad6df5e8b044551d3246fb8d28860904c4a1e85658cfc2ac3274c15e2c242f4ff7aa9e2c2bf39bc6e727ce638c551e07d71558127926c9787f9116 EAP-Message = 0x29b89554fcb8b5f83c86729c02f7372fc289e3387f984dbe1403010001011603010020cfb473a793569c59b602e68442c0e06084d4bebed0231fd225b852aa2905ae47 State = 0xc12a17dec52c0ebe64a3903fd78b27a2 Message-Authenticator = 0x206d99bfc01aa0eb76cf7d74f9ebea80 +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pepa", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "pepa" rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns ok rlm_eap: EAP packet type response id 6 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok users: Matched entry pepa at line 63 ++[files] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 310 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 91 to 10.1.11.254 port 1678 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "1" Tunnel-Type:0 = VLAN EAP-Message = 0x0107003119001403010001011603010020ff7e97bac4dc133a2c7f1372d480d9069a8ef3cc9c305ec508719bde15f64e0b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc12a17dec42d0ebe64a3903fd78b27a2 Finished request 5. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 86 with timestamp +22 Cleaning up request 1 ID 87 with timestamp +22 Cleaning up request 2 ID 88 with timestamp +22 Cleaning up request 3 ID 89 with timestamp +22 Cleaning up request 4 ID 90 with timestamp +22 Cleaning up request 5 ID 91 with timestamp +22 Ready to process requests. pepa Cleartext-Password := "zdepa" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 1, Tunnel-Type = VLAN, DEFAULT Auth-Type = Local Fall-Through = 1
I am not an expert on this but I think here is the problem. Under *eap* you have this: ######## eap ####### eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no I think you want to change it to: ######## eap ####### eap { default_eap_type = *mschapv2* timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no That seem to work for me. Give it a try. I have test FR 2.1.1 with that configuration. Client is Win XP SP3 Lukas Lisa wrote:
Hello, I would like to authorize windows clients access to 3com Baseline Switch 2948 SFP against FreeRADIUS server 2.0.5.
Windows are cofigured to use PEAP - EAP-MSCHAPv2. Server certificate was created with bootstrap script (xpextensions are included).
I tried windows xp sp3 and linux (wpa_supplicant) client and both cause the same server output and authorization can't pass. Testing tools eapol_test, radeapclient and jRadiusSimulator can pass all tests fine.
EAP - MD5 Challenge works fine.
Attaching radiusd.conf and radius -X output. Thanks for help.
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks for reply. I tried to change default_eap_type in main eap section but it doesn't work. I tried also dozens combinations of configuration but authorization process doesn't continue after establishing SSL tunnel and sending Access Challenge to the 3com switch Lukas Lisa Madwifi Wireless wrote:
I am not an expert on this but I think here is the problem. Under *eap* you have this:
######## eap ####### eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no
I think you want to change it to:
######## eap ####### eap { default_eap_type = *mschapv2* timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no
That seem to work for me. Give it a try. I have test FR 2.1.1 with that configuration. Client is Win XP SP3
Lukas Lisa wrote:
Hello, I would like to authorize windows clients access to 3com Baseline Switch 2948 SFP against FreeRADIUS server 2.0.5.
Windows are cofigured to use PEAP - EAP-MSCHAPv2. Server certificate was created with bootstrap script (xpextensions are included).
I tried windows xp sp3 and linux (wpa_supplicant) client and both cause the same server output and authorization can't pass. Testing tools eapol_test, radeapclient and jRadiusSimulator can pass all tests fine.
EAP - MD5 Challenge works fine.
I would like to authorize windows clients access to 3com Baseline Switch 2948 SFP against FreeRADIUS server 2.0.5.
Windows are cofigured to use PEAP - EAP-MSCHAPv2. Server certificate was created with bootstrap script (xpextensions are included).
I tried windows xp sp3 and linux (wpa_supplicant) client and both cause the same server output and authorization can't pass. Testing tools eapol_test, radeapclient and jRadiusSimulator can pass all tests fine.
Your supplicant has issues then. Examine eapol.log file (XP): http://technet.microsoft.com/en-us/library/bb457018.aspx Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
I would like to authorize windows clients access to 3com Baseline Switch 2948 SFP against FreeRADIUS server 2.0.5.
Windows are cofigured to use PEAP - EAP-MSCHAPv2. Server certificate was created with bootstrap script (xpextensions are included).
I tried windows xp sp3 and linux (wpa_supplicant) client and both cause the same server output and authorization can't pass. Testing tools eapol_test, radeapclient and jRadiusSimulator can pass all tests fine.
Your supplicant has issues then. Examine eapol.log file (XP):
Thanks for hint, but i can see the same radiusd -X output when I am trying authorize from Linux box with wpa_supplicant. authorization process doesn't continue after establishing SSL tunnel and sending Access Challenge to the 3com switch no matter what supplicant is used. Lukas Lisa
Ivan Kalik Kalik Informatika ISP
I tried windows xp sp3 and linux (wpa_supplicant) client and both cause the same server output and authorization can't pass. Testing tools eapol_test, radeapclient and jRadiusSimulator can pass all tests fine.
Your supplicant has issues then. Examine eapol.log file (XP):
Thanks for hint, but i can see the same radiusd -X output when I am trying authorize from Linux box with wpa_supplicant.
wpa_supplicant also has logs. It won't hurt to look. Testing tools work so it's going to be some supplicant issue. Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
I tried windows xp sp3 and linux (wpa_supplicant) client and both cause the same server output and authorization can't pass. Testing tools eapol_test, radeapclient and jRadiusSimulator can pass all tests fine.
Your supplicant has issues then. Examine eapol.log file (XP):
http://technet.microsoft.com/en-us/library/bb457018.aspx Thanks for hint, but i can see the same radiusd -X output when I am trying authorize from Linux box with wpa_supplicant.
wpa_supplicant also has logs. It won't hurt to look. Testing tools work so it's going to be some supplicant issue.
yes, it has logs. I am not able to recognize where is problem from them. You can take a look into my wpa_supplicant logs. In my opinion is probable point of failure in authenticator (3com switch) thank you Lukas Lisa ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=root ap_scan=0 eapol_version=1 fast_reauth=1 network={ eap=PEAP eapol_flags=0 key_mgmt=IEEE8021X #key_mgmt=WPA-EAP pairwise=CCMP TKIP group=CCMP TKIP identity="pepa" password="zdepa" #anonymous_identity="anonymous" ca_cert="/tmp/ca2.pem" phase1="peaplabel=0" phase2="auth=MSCHAPV2" } Associated with 01:80:c2:00:00:03 CTRL-EVENT-EAP-FAILURE EAP authentication failed CTRL-EVENT-EAP-STARTED EAP authentication started CTRL-EVENT-EAP-STARTED EAP authentication started CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0) CTRL-EVENT-TERMINATING - signal 2 received Initializing interface 'eth0' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A' Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' -> '/etc/wpa_supplicant/wpa_supplicant.conf' Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' ctrl_interface='/var/run/wpa_supplicant' ctrl_interface_group='root' (DEPRECATED) ap_scan=0 eapol_version=1 fast_reauth=1 Line: 18 - start of a new network block eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00 eapol_flags=0 (0x0) key_mgmt: 0x8 pairwise: 0x18 group: 0x18 identity - hexdump_ascii(len=4): 70 65 70 61 pepa password - hexdump_ascii(len=5): [REMOVED] anonymous_identity - hexdump_ascii(len=9): 61 6e 6f 6e 79 6d 6f 75 73 anonymous ca_cert - hexdump_ascii(len=12): 2f 74 6d 70 2f 63 61 32 2e 70 65 6d /tmp/ca2.pem phase1 - hexdump_ascii(len=11): 70 65 61 70 6c 61 62 65 6c 3d 30 peaplabel=0 phase2 - hexdump_ascii(len=13): 61 75 74 68 3d 4d 53 43 48 41 50 56 32 auth=MSCHAPV2 Priority group 0 id=0 ssid='' Initializing interface (2) 'eth0' EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portEnabled=0 EAPOL: External notification - portValid=0 wpa_driver_wired_init: Added multicast membership with packet socket Own MAC address: 00:1e:c9:5d:12:e8 Setting scan request: 0 sec 100000 usec ctrl_interface_group=0 (from group name 'root') Added interface eth0 EAPOL: External notification - portControl=Auto Already associated with a configured network - generating associated event Association info event State: DISCONNECTED -> ASSOCIATED Associated to a new BSS: BSSID=01:80:c2:00:00:03 No keys have been configured - skip key clearing Network configuration found for the current AP WPA: clearing AP WPA IE WPA: clearing AP RSN IE WPA: clearing own WPA/RSN IE EAPOL: External notification - portControl=Auto Associated with 01:80:c2:00:00:03 WPA: Association event - clear replay counter EAPOL: External notification - portEnabled=0 EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Cancelling scan request EAPOL: startWhen --> 0 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: txStart TX EAPOL - hexdump(len=4): 01 01 00 00 RX EAPOL from 00:10:18:58:36:10 RX EAPOL - hexdump(len=46): 01 00 00 04 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: Workaround for unexpected identifier field in EAP Success: reqId=0 lastId=-1 (these are supposed to be same) EAP: EAP entering state FAILURE CTRL-EVENT-EAP-FAILURE EAP authentication failed EAPOL: SUPP_PAE entering state HELD EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state FAIL EAPOL: SUPP_BE entering state IDLE RX EAPOL from 00:10:18:58:36:10 RX EAPOL - hexdump(len=46): 01 00 00 05 01 01 00 05 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=1 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using anonymous identity - hexdump_ascii(len=9): 61 6e 6f 6e 79 6d 6f 75 73 anonymous EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp TX EAPOL - hexdump(len=18): 01 00 00 0e 02 01 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73 EAPOL: SUPP_BE entering state RECEIVE EAPOL: authWhile --> 0 EAPOL: startWhen --> 0 EAPOL: SUPP_BE entering state TIMEOUT EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAPOL: startWhen --> 0 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: txStart TX EAPOL - hexdump(len=4): 01 01 00 00 RX EAPOL from 00:10:18:58:36:10 RX EAPOL - hexdump(len=46): 01 00 00 05 01 02 00 05 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=2 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using anonymous identity - hexdump_ascii(len=9): 61 6e 6f 6e 79 6d 6f 75 73 anonymous EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp TX EAPOL - hexdump(len=18): 01 00 00 0e 02 02 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73 EAPOL: SUPP_BE entering state RECEIVE RX EAPOL from 00:10:18:58:36:10 RX EAPOL - hexdump(len=46): 01 00 00 16 01 03 00 16 04 10 b9 db 2e e2 88 89 d0 97 5a 15 8a 78 66 7c 2c 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=3 method=4 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD EAP: configuration does not allow: vendor 0 method 4 EAP: vendor 0 method 4 not allowed EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed) EAP: allowed methods - hexdump(len=1): 19 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp TX EAPOL - hexdump(len=10): 01 00 00 06 02 03 00 06 03 19 EAPOL: SUPP_BE entering state RECEIVE RX EAPOL from 00:10:18:58:36:10 RX EAPOL - hexdump(len=46): 01 00 00 06 01 04 00 06 19 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=4 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP) EAP-PEAP: Phase2 EAP types - hexdump(len=8): 00 00 00 00 1a 00 00 00 TLS: Trusted root certificate(s) loaded CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected EAP: EAP entering state METHOD SSL: Received packet(len=6) - Flags 0x20 EAP-PEAP: Start (server ver=0, own ver=1) EAP-PEAP: Using PEAP version 0 SSL: (where=0x10 ret=0x1) SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:before/connect initialization SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 write client hello A SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read server hello A SSL: SSL_connect - want more data SSL: 105 bytes pending from ssl_out SSL: 105 bytes left to be sent out (of total 105 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp TX EAPOL - hexdump(len=115): 01 00 00 6f 02 04 00 6f 19 00 16 03 01 00 64 01 00 00 60 03 01 49 08 67 0d 68 c4 97 7c 0f 75 00 6f 4b 02 6e 4e e7 bc a4 fb 42 bc ee 42 29 05 b4 a4 4c 2d 39 9f 00 00 32 00 39 00 38 00 35 00 88 00 87 00 84 00 16 00 13 00 0a 00 33 00 32 00 2f 00 45 00 44 00 41 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 02 01 00 00 04 00 23 00 00 EAPOL: SUPP_BE entering state RECEIVE RX EAPOL from 00:10:18:58:36:10 RX EAPOL - hexdump(len=1028): 01 00 04 00 01 05 04 00 19 c0 00 00 0a cd 16 03 01 00 4a 02 00 00 46 03 01 49 08 58 ff 3d 75 e7 7a c2 14 ff 9b 42 82 f4 66 08 e9 8c 84 52 ad 9f 63 d8 89 df 73 8a f4 65 49 20 e8 e6 9e f0 be 0c 5b 47 89 be 83 22 b4 4d d1 1a 7a d4 f5 38 84 df 58 77 09 18 65 2c 98 df ba 96 00 39 00 16 03 01 08 5e 0b 00 08 5a 00 08 57 00 03 a6 30 82 03 a2 30 82 02 8a a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 13 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 13 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 13 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 63 6f 6d 31 26 30 24 06 03 55 04 03 13 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 30 38 31 30 31 33 31 36 31 33 35 37 5a 17 0d 30 39 31 30 31 33 31 36 31 33 35 37 5a 30 7c 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 13 06 52 61 64 69 75 73 31 15 30 13 06 03 55 04 0a 13 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 23 30 21 06 03 55 04 03 13 1a 45 78 61 6d 70 6c 65 20 53 65 72 76 65 72 20 43 65 72 74 69 66 69 63 61 74 65 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 63 6f 6d 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 b8 9c 61 b7 b2 48 0f 72 d2 43 8a 52 21 2f 4e bb 8a b8 bf 94 fe 0b 25 bc 3d e9 55 b7 17 5f 45 76 6a 70 6a 40 b5 17 0b af 82 cf c8 62 24 79 a8 35 16 9b 94 89 1b 5e 43 5c 45 b9 42 a9 ca 83 3b be 15 09 f0 98 31 cd 7e 17 d7 11 10 ee 5a 05 02 21 ca 79 21 6e 9a 09 a5 37 f2 69 6a 31 26 a3 c4 68 4a 2b 8f 64 1a be de 9e b1 78 85 96 79 ac 7c 16 ec e7 60 ad 63 7d 31 c0 b0 ce 2b 49 f7 0f 74 b9 d5 16 8b c4 0d 96 a5 c6 b2 e5 9c 13 9f da f5 e0 6d 71 06 4c f8 a2 8a f4 0e 17 49 a6 c9 74 41 51 3f b1 b1 e5 cb 1d 7d b8 d1 b3 12 17 b5 c5 bc 29 62 2d 75 ce 01 7d a3 a1 22 27 58 79 46 bb 33 45 d6 fe 14 af 05 d1 6b 47 67 82 31 58 51 ec d0 0e 07 0c 17 f8 93 89 85 f8 e0 e6 4c 2f 49 ec 0b 70 49 57 45 44 7c 7f 8d 94 d5 89 49 b3 58 21 4a 0f c0 85 db e2 ac de 64 fb 16 4c b5 7e 90 24 81 a7 02 03 01 00 01 a3 17 30 15 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 82 01 01 00 2d 7a 14 55 11 47 4c 09 89 8d 85 ec 81 57 86 29 65 46 7b cb 83 eb c6 af 10 6c 06 58 4f 73 b4 2e 9d fc ff 6d 8e 2c 85 da d3 e8 bc 71 0d b6 90 ba 6a 46 5e a6 a3 6d bc 35 ed 5a 96 8a 2a 5d ee b6 f6 1c cf 3a 5d 9c 5b 3a 65 5f 97 59 6f d4 91 14 db a5 54 e5 cf 4e 73 20 b1 50 76 88 e8 2b 42 06 01 70 50 df bb 48 60 a1 a8 27 e0 27 14 16 25 f9 1b b9 db 31 bd f4 79 c1 07 fb 72 fc f3 0f d2 84 d3 56 77 e1 df 77 d2 83 99 2e 0a f5 91 db 69 62 0e e1 61 68 03 1d 61 f4 49 85 3f 25 61 a0 6c 74 67 b5 e8 7b c9 c9 af 00 7e 0b 99 40 59 21 8f 8a 57 42 69 47 1b 0b bf 65 04 85 23 c1 d3 3d 82 51 2b 61 f3 8d 60 42 f6 b9 ec 08 3e 83 ab 8d 68 b1 40 4a f6 02 cc 8d d5 00 44 48 d6 b2 8e 6f e0 0b 59 73 b4 a0 d6 7d f5 cc 5e f0 da 4e e3 41 96 02 0d 2d EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=5 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=1024) - Flags 0xc0 SSL: TLS Message Length: 2765 SSL: Need 1751 bytes more input data SSL: Building ACK EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp TX EAPOL - hexdump(len=10): 01 00 00 06 02 05 00 06 19 00 EAPOL: SUPP_BE entering state RECEIVE RX EAPOL from 00:10:18:58:36:10 RX EAPOL - hexdump(len=1024): 01 00 03 fc 01 06 03 fc 19 40 30 dd 35 e7 73 25 24 f5 be e6 b4 c9 7d 82 00 04 ab 30 82 04 a7 30 82 03 8f a0 03 02 01 02 02 09 00 d7 84 13 b6 23 ba 23 d7 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 13 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 13 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 13 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 63 6f 6d 31 26 30 24 06 03 55 04 03 13 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 30 38 31 30 31 33 31 36 31 33 35 36 5a 17 0d 30 38 31 31 31 32 31 36 31 33 35 36 5a 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 13 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 13 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 13 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 63 6f 6d 31 26 30 24 06 03 55 04 03 13 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 d5 c7 e3 aa 2a bb 3f 43 0a c1 69 b5 3b 66 e9 a2 27 18 e1 26 db a0 47 03 33 18 5c 8b 96 36 5d e4 d7 c5 4b ee 44 51 02 7b 61 9c 27 16 92 75 f0 eb a0 7c 2d e1 f8 54 8a bd 6f bb 71 70 d5 9a 18 97 fa 47 d8 68 76 94 03 f6 0f f2 d3 68 db 47 f8 d3 7f 6e ca 59 98 f6 ff ea 4c 95 69 48 b9 ea 95 27 d2 e0 52 da 8c 18 6b ff c4 15 d4 e5 7c fa 75 8f 66 80 27 77 de fc 45 03 85 0d 21 c4 2e e6 a0 ac 0b ab b3 8c d6 5b b4 f1 35 5a 81 63 2c 92 c7 1f fe b0 03 79 49 dd 94 4d fc 55 69 cb 81 40 39 87 cd a1 c9 53 78 f7 09 c0 0e f3 1b 50 76 09 7d b8 95 94 81 ed 46 5a 10 14 61 50 13 ad 80 9e 00 02 8a 58 f2 d8 52 fb 97 57 20 db cb 0c e3 2f 0d 6c 56 a4 23 1e 52 97 b9 2a b6 98 91 47 50 a2 b4 57 1b 7b ee 83 6c 40 0e d2 1d ce eb 7d ec 88 bb 17 0d 0b 9b dc 04 d6 41 e4 98 cf 64 27 8b 13 74 d9 02 03 01 00 01 a3 81 fb 30 81 f8 30 1d 06 03 55 1d 0e 04 16 04 14 72 7a 09 83 57 bf d2 2b 46 80 cf b8 43 56 36 37 47 a7 50 48 30 81 c8 06 03 55 1d 23 04 81 c0 30 81 bd 80 14 72 7a 09 83 57 bf d2 2b 46 80 cf b8 43 56 36 37 47 a7 50 48 a1 81 99 a4 81 96 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 13 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 13 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 13 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 63 6f 6d 31 26 30 24 06 03 55 04 03 13 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 82 09 00 d7 84 13 b6 23 ba 23 d7 30 0c 06 03 55 1d 13 04 05 30 03 01 01 ff 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 82 01 01 00 7b c9 0e d5 42 35 fc 8c 17 1f 18 76 f2 7b 34 54 1a 67 b8 2a ce 83 67 52 2c e9 35 22 a6 fb 72 f3 2d 7c b4 70 fa 64 9d c4 4a 5a a5 c1 e1 c7 94 72 35 b3 e4 94 69 1a 83 95 c6 a4 EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=6 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=1020) - Flags 0x40 SSL: Need 737 bytes more input data SSL: Building ACK EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp TX EAPOL - hexdump(len=10): 01 00 00 06 02 06 00 06 19 00 EAPOL: SUPP_BE entering state RECEIVE RX EAPOL from 00:10:18:58:36:10 RX EAPOL - hexdump(len=747): 01 00 02 e7 01 07 02 e7 19 00 b7 cd da 23 96 0c 13 03 80 f9 fd 68 69 3b 47 ea 5a 21 a0 f4 0c 23 26 69 cd 2b ce b2 7a 0b 05 0b 72 8f ac 4d 99 ab cf a0 1c 89 c2 5f b3 bf a0 12 67 52 30 73 79 f6 01 d9 a3 97 91 7f c4 d3 02 8e 76 78 6a 30 fe 41 c6 b7 a5 6c aa 8d ce f2 e1 1d 11 b6 8c 94 60 50 f8 59 ad e7 04 8e 7b 7f 24 d1 a0 45 7b d5 92 03 f6 75 64 3e 45 35 60 23 ef 33 a5 4a 24 79 08 62 58 bb 16 bf 47 f0 68 43 f9 99 d1 c1 d0 1f b7 c7 76 b1 f4 6e a8 b5 ba 29 71 87 15 73 f8 73 2f 62 32 0d f5 ac 4e 5c 11 4f e5 2e c0 09 0d d9 ab 84 45 1c 6e b8 a5 c9 ce 1f e6 83 c1 2a 2a 6e de 93 4e 24 5c 78 a0 73 18 af 10 b5 ca fa 79 95 b1 fa 16 03 01 02 0d 0c 00 02 09 00 80 bb 77 d9 48 67 de 29 5c 64 af 40 d4 5f 18 f9 ea 4c 71 42 f9 3b 2f f8 e4 08 97 a3 52 7e f8 b2 c3 ae a9 d3 77 05 0b 7d dc 3c 1f 21 d8 2f 77 5d 27 ad 5e a5 a5 44 b3 09 cd 22 d0 81 37 02 0d 2c 27 eb 6d 6f 1e b1 5d 1d 2a d3 20 9c fa 78 bf 31 19 bf 14 0f ed 62 d7 0a b2 83 0e de db b5 67 20 40 b5 f6 6b 5c 4d e3 4c e0 0b 8a 24 dc eb d5 1d 20 47 ce 9a 70 81 0e 3d 86 56 1b 2d 52 1d 8e 77 e3 00 01 02 00 80 4d ee aa d0 b5 41 29 98 ce bd 18 3e 37 27 e5 ec f2 87 c4 e7 c7 a4 5f 1f 93 72 e5 4a 41 cd 54 2b 50 80 d4 22 af d9 57 46 89 b0 35 ba 94 bb 71 d4 16 fe 54 54 db a9 76 9d 64 37 70 c7 3b c8 cc b9 8a af ed b5 f4 f2 25 af 64 0e 9f fa 9f eb 06 c4 17 36 e5 e0 48 9d c3 cc 33 2b a5 98 5a 20 46 5f a6 8b 7c 44 4a 1d 58 0e 02 3a e0 93 f5 94 44 16 f7 4c 3d 8d 2a dd 06 83 82 eb 95 6c 3e 63 a7 9c 01 00 2c bf 15 d9 0c 7c 24 31 85 ee 0a 8c 9a 52 00 4d 12 e0 cc a0 d0 dc 77 79 38 52 48 05 df 96 1e cc d9 29 42 e3 31 98 49 ab e1 3e fa ba be c9 3f f4 2b af 47 68 07 1c 7b 48 b1 4c f3 8f 6d cf e8 05 36 92 e4 09 2e 8f 4d bc 1e 5c b4 92 a6 b5 7e 52 56 76 e5 cf 26 78 bb 84 0c 92 09 e5 d7 db 4f 67 dd 42 62 cd 59 e2 5c 9a 64 ee 36 77 96 14 a3 46 c0 cc f0 cc 1d 11 a7 99 10 3e 2f 3f 2e bf cb 74 fe d3 11 f8 c0 a0 9e 6b ae fb 7a f5 12 74 3c 2d f6 fa 26 b4 2a 1c ca 65 36 27 8c 6f 15 42 b0 34 00 3a eb 64 c8 48 44 23 f5 e9 72 d6 c0 16 b8 8c 82 00 73 63 bd 18 5e 97 52 e4 e5 79 f7 07 b8 ac 8d c3 6e 0f 36 68 0b 19 19 7f 21 b0 d8 e8 2e f1 07 ca 79 bc f1 c4 da b5 38 1c 64 88 27 95 c2 17 d8 07 cb 08 2c 0a bd 28 c8 d8 52 1e 25 55 86 0d 08 64 5b 9e 09 30 79 df ee 5c 4b 4f ca 86 c6 09 16 03 01 00 04 0e 00 00 00 EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=7 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=743) - Flags 0x00 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read server hello A TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) depth=1 buf='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority' TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) depth=0 buf='/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.com' SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read server certificate A SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read server key exchange A SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read server done A SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 write client key exchange A SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 write change cipher spec A SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 write finished A SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 flush data SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read finished A SSL: SSL_connect - want more data SSL: 198 bytes pending from ssl_out SSL: 198 bytes left to be sent out (of total 198 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp TX EAPOL - hexdump(len=208): 01 00 00 cc 02 07 00 cc 19 00 16 03 01 00 86 10 00 00 82 00 80 86 54 f3 5f 29 8a 7b 6e b5 93 d2 f0 a1 d9 7d ec fe 8b fc 66 9f f8 03 80 84 0d f7 84 9a 0e 37 33 aa fc a9 6b ed 2c e6 99 9d 5c af 3e 23 83 26 19 e4 15 b0 c1 ee 3e 75 0b 79 01 e9 60 d9 e5 09 f9 1b 4a b0 e0 e6 34 35 33 0d 7d 56 59 8b 62 3e 93 0a 33 8d db 45 9c 22 22 1d bd 96 35 81 45 8e 30 d4 c6 43 de 07 14 80 19 95 7b d5 52 1a 00 d9 a4 85 d3 f0 09 ef 2e 08 f4 15 c2 3c db 4b 1f 77 a0 14 03 01 00 01 01 16 03 01 00 30 58 25 75 7f 8e 35 52 ea 71 59 d4 35 bd 4c 1b 1f 1c e5 23 db d2 04 52 b9 1f f4 04 a3 91 e8 2a cd 0a 53 1b ec e4 ef 78 0e 67 a9 12 96 e8 41 ac 75 EAPOL: SUPP_BE entering state RECEIVE RX EAPOL from 00:10:18:58:36:10 RX EAPOL - hexdump(len=69): 01 00 00 41 01 08 00 41 19 00 14 03 01 00 01 01 16 03 01 00 30 ad a9 2a 5e 8d 5e df 9e 9a f0 ea e2 44 f0 fd d3 96 14 bc a2 ba cc b9 5c 34 e0 bd 86 41 d5 1d 3a 49 d0 2d 39 f5 43 b7 47 a4 af a9 11 f5 d7 d2 0c EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=8 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=65) - Flags 0x00 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read finished A SSL: (where=0x20 ret=0x1) SSL: (where=0x1002 ret=0x1) SSL: 0 bytes pending from ssl_out OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0) SSL: No data to be sent out EAP-PEAP: TLS done, proceed to Phase 2 EAP-PEAP: using label 'client EAP encryption' in key derivation EAP-PEAP: Derived key - hexdump(len=64): [REMOVED] SSL: Building ACK EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp TX EAPOL - hexdump(len=10): 01 00 00 06 02 08 00 06 19 00 EAPOL: SUPP_BE entering state RECEIVE CTRL-EVENT-TERMINATING - signal 2 received Removing interface eth0 State: ASSOCIATED -> DISCONNECTED No keys have been configured - skip key clearing EAPOL: External notification - portEnabled=0 EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 No keys have been configured - skip key clearing EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit ENGINE: engine deinit Cancelling scan request Cancelling authentication timeout
You should post that on wpa_supplicant list. Google returned this as likely: http://ubuntuforums.org/archive/index.php/t-604576.html Ivan Kalik Kalik Informatika ISP Dana 29/10/2008, "Lukas Lisa" <lukas.lisa@stringdata.cz> piše:
tnt@kalik.net wrote:
I tried windows xp sp3 and linux (wpa_supplicant) client and both cause the same server output and authorization can't pass. Testing tools eapol_test, radeapclient and jRadiusSimulator can pass all tests fine.
Your supplicant has issues then. Examine eapol.log file (XP):
http://technet.microsoft.com/en-us/library/bb457018.aspx Thanks for hint, but i can see the same radiusd -X output when I am trying authorize from Linux box with wpa_supplicant.
wpa_supplicant also has logs. It won't hurt to look. Testing tools work so it's going to be some supplicant issue.
yes, it has logs. I am not able to recognize where is problem from them. You can take a look into my wpa_supplicant logs.
In my opinion is probable point of failure in authenticator (3com switch) thank you Lukas Lisa
tnt@kalik.net wrote:
You should post that on wpa_supplicant list. Google returned this as likely:
i saw similar posts yet but i never reached this state: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully only CTRL-EVENT-EAP-FAILURE EAP authentication failed was repeated I am sorry, I canceled the output so early. anyway thank you for your time! Lukas Lisa
Thanks for hint, but i can see the same radiusd -X output when I am trying authorize from Linux box with wpa_supplicant. wpa_supplicant also has logs. It won't hurt to look. Testing tools work so it's going to be some supplicant issue.
yes, it has logs. I am not able to recognize where is problem from them. You can take a look into my wpa_supplicant logs.
In my opinion is probable point of failure in authenticator (3com switch) thank you Lukas Lisa
Hi all, problem is in 3com switch. I found in 3com knowledge base a record about similar 3com Baseline switches and only EAP not PEAP is supported. This ugly device also doesn't allow to pass through auth traffic for another connected devices. Is not possible to authorize via IEEE 802.1x wifi AP when RADIUS and AP uplink is connected into 3com switch. If dlink switch is used instead, everything works fine. AVOID 3com baseline switches! thanks for all replies Lukas Lisa Lukas Lisa wrote:
Hello, I would like to authorize windows clients access to 3com Baseline Switch 2948 SFP against FreeRADIUS server 2.0.5.
Windows are cofigured to use PEAP - EAP-MSCHAPv2. Server certificate was created with bootstrap script (xpextensions are included).
I tried windows xp sp3 and linux (wpa_supplicant) client and both cause the same server output and authorization can't pass. Testing tools eapol_test, radeapclient and jRadiusSimulator can pass all tests fine.
EAP - MD5 Challenge works fine.
Attaching radiusd.conf and radius -X output. Thanks for help.
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Lukas Lisa Administrator StringData, s.r.o. _________________________________________ Antala Staska 38, 140 00 Praha 4, CR +420 266 772 625 www.stringdata.cz - ISO 9001:2000 -
participants (3)
-
Lukas Lisa -
Madwifi Wireless -
tnt@kalik.net