EAP-TTLS and PEAP auth problem ... sorry!!
I forgot to explain the real problem! I cannot authenticate any user, try to connect to my network through a supplicant, both from Windows and from WPA-supplicant under Linux. It seems no EAP-challenge is really going on. this is the output from tre radius server after a try made by AEGIS client under windows XP, with PEAP MSCHAPv2. rad_recv: Access-Request packet from host 192.168.127.36:21646, id=105, length=131 User-Name = "attoo" Framed-MTU = 1400 Called-Station-Id = "00-12-D9-B3-26-90" Calling-Station-Id = "00-0C-30-28-A6-65" Message-Authenticator = 0xd58f44466d3cc004486c04c445cfc4e7 EAP-Message = 0x0202000a016174746f6f NAS-Port-Type = Wireless-802.11 NAS-Port = 507 Service-Type = Framed-User NAS-IP-Address = 192.168.127.36 NAS-Identifier = "appi" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 251 modcall[authorize]: module "preprocess" returns ok for request 251 modcall[authorize]: module "mschap" returns noop for request 251 rlm_realm: No '@' in User-Name = "attoo", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 251 rlm_eap: EAP packet type response id 2 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 251 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 251 modcall: group authorize returns updated for request 251 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 251 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 251 modcall: group authenticate returns handled for request 251 Sending Access-Challenge of id 105 to 192.168.127.36:21646 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb61d0352bd2bf83c854f36b74c91b5c Finished request 251 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.127.36:21646, id=105, length=131 Sending duplicate reply to client appi:21646 - ID: 105 Re-sending Access-Challenge of id 105 to 192.168.127.36:21646 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 251 ID 105 with timestamp 42c9343a One more time, thank you very much for your help!! Gtheg ____________________________________________________ Yahoo! Sports Rekindle the Rivalries. Sign up for Fantasy Football http://football.fantasysports.yahoo.com
Gandalf the Gray <gtheg1@yahoo.com> wrote:
It seems no EAP-challenge is really going on. this is the output from tre radius server after a try made by AEGIS client under windows XP, with PEAP MSCHAPv2.
The AEGIS client works with FreeRADIUS. What the debug log shows Is that the client is not seeing the response from FreeRADIUS. It's probably because you have multiple IP's on the radius server, and the client is sending to one address, and seeing the response from another. Use 'tcpdump' to verify the problem, and make the server listen on only one IP. Alan DeKok.
--- Alan DeKok <aland@ox.org> wrote:
Gandalf the Gray <gtheg1@yahoo.com> wrote:
It seems no EAP-challenge is really going on. this is the output from tre radius server after a try made by AEGIS client under windows XP, with PEAP MSCHAPv2.
The AEGIS client works with FreeRADIUS.
What the debug log shows Is that the client is not seeing the response from FreeRADIUS. It's probably because you have multiple IP's on the radius server, and the client is sending to one address, and seeing the response from another.
Use 'tcpdump' to verify the problem, and make the server listen on only one IP.
Alan DeKok.
I checked and set a single IP address on my freeradius server. But it seems always the same result... this is my log by radiusd -X: rad_recv: Access-Request packet from host 192.168.127.36:21646, id=123, length=131 User-Name = "attoo" Framed-MTU = 1400 Called-Station-Id = "00-12-D9-B3-26-90" Calling-Station-Id = "00-50-FC-F1-7A-91" Message-Authenticator = 0x17e90f1da3ab8ca6003b033cdfa7926d EAP-Message = 0x0202000a016174746f6f NAS-Port-Type = Wireless-802.11 NAS-Port = 337 Service-Type = Framed-User NAS-IP-Address = 192.168.127.36 NAS-Identifier = "appi" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "attoo", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 123 to 192.168.127.36:21646 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x305eceed6a3b96ee99d532871dffa83f Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.127.36:21646, id=123, length=131 Sending duplicate reply to client appi:21646 - ID: 123 Re-sending Access-Challenge of id 123 to 192.168.127.36:21646 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 123 with timestamp 42ca647d Nothing to do. Sleeping until we see a request. thank you for your attention! __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Gandalf the Gray <gtheg1@yahoo.com> wrote:
I checked and set a single IP address on my freeradius server. But it seems always the same result... this is my log by radiusd -X: ...
Which shows that the client is sending a duplicate request to the server. i.e. the client is probably never seeing the response from the server. I don't think this is a RADIUS problem. Try using 'tcpdump' or 'ethereal' to see what's going wrong in your network. Alan DeKok.
thanks for the help until now! I have another problem on freeradius, related to PEAP. The MSCHAP module needs a couple user-pw to perform authentication... and in the radiusd log I can read that is not possible to retrieve a NT-password or NL-password. But I don't want to use such thing (I read is related to Samba). I would like to submit user and password to my LDAP server, and this one have to check the right relationship! But I know EAP doesn't allow plain text PW, as LDAP needs! Now: is it possible to tell MSCHAP to use LDAP or passwd file to authenticate the user? And, before this, is it possible to obtain the PW from the EAP challenge in order to submit it further? Please give me a little advice... it seems it should be a problem soooo simple to solve! I already lost 10 days .. to help: I'm working with such a system. - Standard Windows XP client, PEAP-MSCHAPv2 - Aegis supplicant, with all types of EAP - Access Point Cisco Aironet 1200, set to use WPA-TKIP and EAP authentication -Freeradius server, working on GENTOO linux 2005 thank you very much, for everything you could suggest! __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Gandalf the Gray <gtheg1@yahoo.com> wrote:
I would like to submit user and password to my LDAP server, and this one have to check the right relationship!
LDAP is a database, not an authentication server. FreeRADIUS is an authentication server.
Now: is it possible to tell MSCHAP to use LDAP or passwd file to authenticate the user? And, before this, is it possible to obtain the PW from the EAP challenge in order to submit it further?
No. It's impossible, and designed to be impossible. Make the LDAP server return a clear-text, or NT-Password to FreeRADIUS, and it will Just Work. Any other combination is impossible. Alan DeKok.
I changed the settings of the AP, allowing Aironet Extensions and the result is a little different, now TLS is performed, but it still doesn't work fine... rad_recv: Access-Request packet from host 192.168.127.36:21646, id=158, length=145 User-Name = "fresh" Framed-MTU = 1400 Called-Station-Id = "00-12-D9-B3-26-90" Calling-Station-Id = "00-50-FC-F1-7A-91" Message-Authenticator = 0x44ebb1858de22fda1162620cce508446 EAP-Message = 0x020400061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 364 State = 0x730ee4d85739cac2db03508048550566 Service-Type = Framed-User NAS-IP-Address = 192.168.127.36 NAS-Identifier = "appi" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "fresh", skipping NULL due to config. modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 6 modcall: group authorize returns updated for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 6 modcall: group authenticate returns handled for request 6 Sending Access-Challenge of id 158 to 192.168.127.36:21646 EAP-Message = 0x010502f71900170d3036303132343133323630375a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52ccb99b41e8 EAP-Message = 0x0ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010 EAP-Message = 0x060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf2e1d273a634f616e56bde68cbf0106 Finished request 6 Going to the next request Waking up in 6 seconds... __________________________________ Yahoo! Mail Stay connected, organized, and protected. Take the tour: http://tour.mail.yahoo.com/mailtour.html
participants (2)
-
Alan DeKok -
Gandalf the Gray