Sending Access-Challenge
Hello! I'm new to this list and don't found archive or something where maybe somebody answered my question. So I want a radius server to wifi auth with eap-ttls/peap, ldap and not plain-text passwords. I downloaded 2.1.4 source and create debian package without modification, do some basic configuration and testing, radtest from local is fine, but radeapclient eap-md5 testing fail. I saw this on server side: rad_recv: Access-Request packet from host 127.0.0.1 port 52650, id=76, length=69 User-Name = "steve" NAS-IP-Address = 127.0.0.1 Message-Authenticator = 0xafa8ae1b1aaa6fb0a6cbd0719b507e94 NAS-Port = 0 EAP-Message = 0x02d2000a017374657665 +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "steve", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 210 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry steve at line 206 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 76 to 127.0.0.1 port 52650 Service-Type = Framed-User Framed-Protocol = SLIP Framed-IP-Address = 192.20.126.200 Framed-IP-Netmask = 255.255.255.0 Framed-Routing = Broadcast-Listen Framed-Filter-Id = "std.ppp" Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x01d300160410b7703d97cfb88bff2835ec9a9aedde83 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae48086bae9b0cd33d7dacc7cd15f18d Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 2 ID 76 with timestamp +94 Ready to process requests. And this on client side (local): # radeapclient -s -X localhost auth testing123 About to send encoded packet: User-Name = "steve" Cleartext-Password = "testing" NAS-IP-Address = 127.0.0.1 EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = "steve" Message-Authenticator = 0x30 NAS-Port = 0 Received response ID 76, code 11, length = 131 Service-Type = Framed-User Framed-Protocol = SLIP Framed-IP-Address = 192.20.126.200 Framed-IP-Netmask = 255.255.255.0 Framed-Routing = Broadcast-Listen Filter-Id = "std.ppp" Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x01d300160410b7703d97cfb88bff2835ec9a9aedde83 Message-Authenticator = 0xe65c832fea00201e76a340cc0e38cf37 State = 0xae48086bae9b0cd33d7dacc7cd15f18d <+++ EAP decoded packet: Service-Type = Framed-User Framed-Protocol = SLIP Framed-IP-Address = 192.20.126.200 Framed-IP-Netmask = 255.255.255.0 Framed-Routing = Broadcast-Listen Filter-Id = "std.ppp" Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x01d300160410b7703d97cfb88bff2835ec9a9aedde83 Message-Authenticator = 0xe65c832fea00201e76a340cc0e38cf37 State = 0xae48086bae9b0cd33d7dacc7cd15f18d EAP-Id = 211 EAP-Code = Request EAP-Type-MD5 = 0x10b7703d97cfb88bff2835ec9a9aedde83 +++> About to send encoded packet: User-Name = "steve" Cleartext-Password = "testing" NAS-IP-Address = 127.0.0.1 EAP-Code = Response EAP-Id = 211 Message-Authenticator = 0x00000000000000000000000000000000 NAS-Port = 0 EAP-Type-MD5 = 0x106e2008d8fc099a16335131c045fc6df6 State = 0xae48086bae9b0cd33d7dacc7cd15f18d ^C # cat re.txt User-Name = "steve" Cleartext-Password = "testing" NAS-IP-Address = 127.0.0.1 EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = "steve" Message-Authenticator = 0 NAS-Port = 0 What's wrong with the configuration? Thank you: blackluck
Laszlo Fekete wrote:
So I want a radius server to wifi auth with eap-ttls/peap, ldap and not plain-text passwords. I downloaded 2.1.4 source and create debian package without modification, do some basic configuration and testing, radtest from local is fine, but radeapclient eap-md5 testing fail.
Don't use radeapclient. See my web page for instructions on setting up EAP: http://deployingradius.com Alan DeKok.
Alan DeKok wrote:
Don't use radeapclient. See my web page for instructions on setting up EAP:
I tried the eapol_test from the web page ( http://deployingradius.com/scripts/eapol_test/ ). With Eap-ttls pap/chap/ms-chap said success: RADIUS packet matching with station MS-MPPE-Send-Key (sign) - hexdump(len=32): f6 97 5f 08 83 c3 6f 4d db 4b 85 d9 9a 1b 89 b6 6a 93 3e 49 39 bc 5e 2b fc 43 4f b8 d7 35 c5 2a MS-MPPE-Recv-Key (crypt) - hexdump(len=32): 5d 56 b2 09 50 c8 ae 7d c0 b4 f3 3f e1 92 a0 6c 9b fe c6 51 b5 a9 3a d3 39 38 70 d2 76 c2 8b 73 decapsulated EAP packet (code=3 id=6 len=4) from RADIUS server: EAP Success EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Success EAP: EAP entering state SUCCESS CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required WPA: EAPOL processing complete EAPOL: SUPP_PAE entering state AUTHENTICATED EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state SUCCESS EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=1 EAPOL: Successfully fetched key (len=32) PMK from EAPOL - hexdump(len=32): 5d 56 b2 09 50 c8 ae 7d c0 b4 f3 3f e1 92 a0 6c 9b fe c6 51 b5 a9 3a d3 39 38 70 d2 76 c2 8b 73 EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit ENGINE: engine deinit MPPE keys OK: 1 mismatch: 0 SUCCESS But when I try with eap-ttls eap-md5/eap-mschapv2, eap-peap eap-mschapv2 it fails: RADIUS packet matching with station decapsulated EAP packet (code=4 id=8 len=4) from RADIUS server: EAP Failure EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: EAP entering state FAILURE CTRL-EVENT-EAP-FAILURE EAP authentication failed EAPOL: SUPP_PAE entering state HELD EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state FAIL EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=0 EAPOL: EAP key not available EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit ENGINE: engine deinit MPPE keys OK: 0 mismatch: 1 FAILURE If need I put the whole output, or if its easier pls tell where should I search the problem? Thank you: blackluck
Do *not* CC me on messages sent to the list. In case you hadn't noticed, I already read the list. And do *not* set "return receipt requested". It's rude, and it causes me to be biased against people who use it. Laszlo Fekete wrote: ...
But when I try with eap-ttls eap-md5/eap-mschapv2, eap-peap eap-mschapv2 it fails:
Is there any reason you're not looking at the debugging output of the server, as suggested in the FAQ, README, INSTALL, "man page", and daily on this list? Alan DeKok.
Alan DeKok wrote:
Do *not* CC me on messages sent to the list. In case you hadn't noticed, I already read the list.
And do *not* set "return receipt requested". It's rude, and it causes me to be biased against people who use it.
Sorry, I will watching for this in the future.
Laszlo Fekete wrote: ...
But when I try with eap-ttls eap-md5/eap-mschapv2, eap-peap eap-mschapv2 it fails:
Is there any reason you're not looking at the debugging output of the server, as suggested in the FAQ, README, INSTALL, "man page", and daily on this list?
Alan DeKok.
True, sorry again! And I found the problem, I turned off proxy earlier, because read: "# The server has proxying turned on by default. If your system is NOT # set up to proxy requests to another server, then you can turn proxying # off here. This will save a small amount of resources on the server." When turned on again proxy, succeded the eap-md5 and eap--mschapv2 auth. Thank you, blackluck
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Laszlo Fekete