EAP Testing - Newbie
Sergio NNX
sfhacker at hotmail.com
Sun Oct 16 17:49:10 CEST 2011
Ciao all,
First of all, I'm new to this project so I may ask 'dumb' questions and I may be slow to understand. Be patient!
I'm in the process of testing FreeRADIUS 2.1.11, just basic/standard setup. I've been following the following user guide: http://deployingradius.com/documents/configuration/pap.html. Very useful, by the way.
PAP, MSCHAP and MSCHAPv2 work ok, but I'm unable to get any EAP tests to pass. I've tried almost everything, including: http://deployingradius.com/documents/configuration/eap-problems.html
I need some help!
Thanks in advance.
Sergio.
Test output
-------------
radtest -t eap-md5 ....... (it works ok)
(Client side)
Sending Access-Request packet to host 127.0.0.1 port 1812, id=229, length=0
User-Name = "testuser"
User-Password = "testpw"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
EAP-Code = Response
EAP-Type-Identity = "testuser"
Message-Authenticator = 0x00
EAP-Message = 0x02e4000d017465737475736572
Received Access-Challenge packet from host 127.0.0.1 port 1812, id=229, length=97
Reply-Message = "Hello, testuser"
EAP-Message = 0x01e5001604103823185ef840cc37ad7436a904db9605
Message-Authenticator = 0xf5a2da42e33cfe56a80104afb9931946
State = 0x3dcf853c3d2a813191ce5fb05bf39134
EAP-Id = 229
EAP-Code = Request
EAP-Type-MD5 = 0x103823185ef840cc37ad7436a904db9605
Sending Access-Request packet to host 127.0.0.1 port 1812, id=230, length=93
User-Name = "testuser"
User-Password = "testpw"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
EAP-Code = Response
Message-Authenticator = 0x00000000000000000000000000000000
EAP-Type-MD5 = 0x105a160cce9524d55843b32d1fcbaedb6b
EAP-Id = 229
State = 0x3dcf853c3d2a813191ce5fb05bf39134
EAP-Message = 0x02e5001604105a160cce9524d55843b32d1fcbaedb6b
Received Access-Accept packet from host 127.0.0.1 port 1812, id=230, length=71
Reply-Message = "Hello, testuser"
EAP-Message = 0x03e50004
Message-Authenticator = 0xa9e17bcb7d0b8e0ad062f9b3c5d0399c
User-Name = "testuser"
EAP-Id = 229
EAP-Code = Success
Total approved auths: 1
Total denied auths: 0
(Server side)
Ready to process requests.
# Executing section authorize from file ..\etc\raddb/radiusd.conf
+- entering group authorize {...}
[auth_log] ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/127.0.0.1/auth-detail-20111016.log
++[auth_log] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++[mschap] returns noop
[files] users: Matched entry testuser at line 29
++[files] returns ok
[eap] EAP packet type response id 228 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file ..\etc\raddb/radiusd.conf
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
++[eap] returns handled
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
# Executing section authorize from file ..\etc\raddb/radiusd.conf
+- entering group authorize {...}
[auth_log] ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/127.0.0.1/auth-detail-20111016.log
++[auth_log] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++[mschap] returns noop
[files] users: Matched entry testuser at line 29
++[files] returns ok
[eap] EAP packet type response id 229 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file ..\etc\raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 229 with timestamp +14
Cleaning up request 1 ID 230 with timestamp +14
Ready to process requests.
--------- EAP-MD5 test ---------
http://deployingradius.com/scripts/eapol_test/
eapol_test.exe -c md5.conf -s testing123 ( it doesn't work!)
Output:
Reading configuration file 'md5.conf'
Line: 1 - start of a new network block
ssid - hexdump_ascii(len=7):
45 78 61 6d 70 6c 65 Example
eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00 00
eapol_flags=0 (0x0)
key_mgmt: 0x1
identity - hexdump_ascii(len=8):
74 65 73 74 75 73 65 72 testuser
password - hexdump_ascii(len=6):
74 65 73 74 70 77 testpw
ca_cert - hexdump_ascii(len=40):
63 3a 2f 46 72 65 65 52 41 44 49 55 53 2f 65 74 c:/FreeRADIUS/et
63 2f 72 61 64 64 62 2f 63 65 72 74 73 2f 52 6f c/raddb/certs/Ro
6f 74 43 41 2e 70 65 6d otCA.pem
phase2 - hexdump_ascii(len=8):
61 75 74 68 3d 4d 44 35 auth=MD5
anonymous_identity - hexdump_ascii(len=9):
61 6e 6f 6e 79 6d 6f 75 73 anonymous
Priority group 0
id=0 ssid='Example'
Authentication server 127.0.0.1:1812
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using anonymous identity - hexdump_ascii(len=9):
61 6e 6f 6e 79 6d 6f 75 73 anonymous
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=14)
TX EAP -> RADIUS - hexdump(len=14): 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=9): 61 6e 6f 6e 79 6d 6f 75 73
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=126
Attribute 1 (User-Name) length=11
Value: 'anonymous'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=16
Value: 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73
Attribute 80 (Message-Authenticator) length=18
Value: 8a 2a d9 3f 9a 16 02 d3 9e be 52 a3 cc a2 a0 b6
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 80 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
Attribute 79 (EAP-Message) length=24
Value: 01 01 00 16 04 10 2d 5a 5e ca fd 46 31 37 33 67 ef 5f ec 14 64 c3
Attribute 80 (Message-Authenticator) length=18
Value: 37 83 06 12 9c 7b 2d 98 9a e8 6b 81 79 03 ce 63
Attribute 24 (State) length=18
Value: cb 7a ce 96 cb 7b ca 0b 07 a3 2c 75 4a 0c c4 c6
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server: EAP-Request-MD5 (4)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: configuration does not allow: vendor 0 method 4
EAP: vendor 0 method 4 not allowed
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=1): 15
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 15
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=136
Attribute 1 (User-Name) length=11
Value: 'anonymous'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=8
Value: 02 01 00 06 03 15
Attribute 24 (State) length=18
Value: cb 7a ce 96 cb 7b ca 0b 07 a3 2c 75 4a 0c c4 c6
Attribute 80 (Message-Authenticator) length=18
Value: 6b 08 01 29 89 bc 34 13 49 53 aa 7a 8d 43 4d f4
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: startWhen --> 0
STA 02:00:00:00:00:01: Resending RADIUS message (id=1)
Next RADIUS client retransmit in 6 seconds
STA 02:00:00:00:00:01: Resending RADIUS message (id=1)
Next RADIUS client retransmit in 12 seconds
STA 02:00:00:00:00:01: Resending RADIUS message (id=1)
Next RADIUS client retransmit in 24 seconds
EAPOL test timed out
EAPOL: EAP key not available
MPPE keys OK: 0 mismatch: 1
FAILURE
The server shows: rad_recv: Access-Request packet ....
then Sending Access-Challenge of id 0 to 127.0.0.1
then .... nothing at all!
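
Added example, not part of the original post: a small decoder for the EAP-Message values shown in the two traces above, which also reports when the supplicant answers the server's offered method with a Nak. The function names are hypothetical; the code and type numbers are the standard ones from RFC 3748 and RFC 5281.

```python
import struct

# EAP codes and a few method types from RFC 3748 / RFC 5281 (not exhaustive).
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
         21: "EAP-TTLS", 25: "PEAP"}

def parse_eap(hexstr):
    """Decode one EAP packet given as '0x02e4...' or '02 e4 ...'."""
    s = hexstr.strip()
    raw = bytes.fromhex(s[2:] if s.lower().startswith("0x") else s)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not match the data")
    pkt = {"code": CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:          # Request/Response carry a Type
        etype, data = raw[4], raw[5:length]
        pkt["type"] = TYPES.get(etype, etype)
        if etype == 1:
            pkt["identity"] = data.decode("utf-8", "replace")
        elif etype == 3:                       # Nak: list of acceptable types
            pkt["wanted"] = [TYPES.get(t, t) for t in data]
        elif etype == 4 and data:              # Value-Size, Value, optional Name
            pkt["value"] = data[1:1 + data[0]].hex()
    return pkt

def nak_mismatch(request_hex, response_hex):
    """Return (offered, wanted) if the peer NAKed the server's method, else None."""
    req, rsp = parse_eap(request_hex), parse_eap(response_hex)
    if rsp.get("type") == "Nak" and rsp["id"] == req["id"]:
        return req.get("type"), rsp["wanted"]
    return None

# EAP-Message values copied from the two traces in the post.
RADTEST = ["0x02e4000d017465737475736572",
           "0x01e5001604103823185ef840cc37ad7436a904db9605",
           "0x02e5001604105a160cce9524d55843b32d1fcbaedb6b",
           "0x03e50004"]
EAPOL_TEST = ["02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73",
              "01 01 00 16 04 10 2d 5a 5e ca fd 46 31 37 33 67 ef 5f ec 14 64 c3",
              "02 01 00 06 03 15"]

if __name__ == "__main__":
    for h in RADTEST + EAPOL_TEST:
        print(parse_eap(h))
    print(nak_mismatch(EAPOL_TEST[1], EAPOL_TEST[2]))
```

Run on the eapol_test trace, the last packet decodes as a Nak to the MD5-Challenge request with type 21 (EAP-TTLS) as the only acceptable method, matching the "allowed methods - hexdump(len=1): 15" line in the supplicant output.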