eapol_test for EAP testing

kevin kevin kevin198607 at gmail.com
Fri Nov 8 07:22:45 CET 2013


Hello

I'm trying to use eapol_test to test the FreeRADIUS EAP process.

According to http://deployingradius.com/scripts/eapol_test/

I followed the steps to bring up FreeRADIUS Server version 2.1.12 and
eapol_test (wpa_supplicant-2.0) on Ubuntu 10.04. But the authentication
process was not successful.
The result was always Access-Reject.

Then I followed the website
http://www.freesoftwaremagazine.com/articles/howto_incremental_setup_freeradius_server_eap_authentications

I did step 4 from the above website, but it still does not work.


Do some RADIUS configuration files (e.g. eap.conf or radiusd.conf) need more
modification? Can anyone help me? Thanks!



Some important debug information and files for eapol_test are below (PAP;
the user name is bob, his password is passbob, the secret is testing123, and
the test is in a localhost environment):


*(freeradius server terminal)*

# radiusd -X

 ... adding new socket proxy address * port 48094
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 44726, id=0,
length=126
 User-Name = "anonymous"
 NAS-IP-Address = 127.0.0.1
 Calling-Station-Id = "02-00-00-00-00-01"
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 Connect-Info = "CONNECT 11Mbps 802.11b"
 EAP-Message = 0x0200000e01616e6f6e796d6f7573
 Message-Authenticator = 0x2f6860f96c26a5453d21db9125aff4e8
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]  expand: %{User-Name} -> anonymous
[sql] sql_set_user escaped user --> 'anonymous'
rlm_sql (sql): Reserving sql socket id: 4
[sql]  expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = 'anonymous'           ORDER BY id
[sql]  expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'anonymous'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User anonymous not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 44726
 EAP-Message = 0x01010016041031c544638527529b08c013be38035e82
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0xb81e5489b81f50a4b2d4f9c388430583
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 44726, id=1,
length=136
 User-Name = "anonymous"
 NAS-IP-Address = 127.0.0.1
 Calling-Station-Id = "02-00-00-00-00-01"
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 Connect-Info = "CONNECT 11Mbps 802.11b"
 EAP-Message = 0x020100060315
 State = 0xb81e5489b81f50a4b2d4f9c388430583
 Message-Authenticator = 0xbd1047623d98324569e98d518045db81
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]  expand: %{User-Name} -> anonymous
[sql] sql_set_user escaped user --> 'anonymous'
rlm_sql (sql): Reserving sql socket id: 3
[sql]  expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY
id -> SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = 'anonymous'           ORDER BY id
[sql]  expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'anonymous'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User anonymous not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for unsupported type EAP-TTLS
[eap] No common EAP types found.
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]  expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 1 to 127.0.0.1 port 44726
 EAP-Message = 0x04010004
 Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +3
Waking up in 1.0 seconds.
Cleaning up request 1 ID 1 with timestamp +3
Ready to process requests.
*(eapol_test terminal)*

# eapol_test -c eapol_test.conf.pap -s testing123
Reading configuration file 'eapol_test.conf.peap'
Line: 4 - start of a new network block
key_mgmt: 0x1
eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00
00
identity - hexdump_ascii(len=3):
     62 6f 62                                          bob
anonymous_identity - hexdump_ascii(len=9):
     61 6e 6f 6e 79 6d 6f 75 73                        anonymous
password - hexdump_ascii(len=7):
     70 61 73 73 62 6f 62                              passbob
phase2 - hexdump_ascii(len=8):
     61 75 74 68 3d 50 41 50                           auth=PAP
Priority group 0
   id=0 ssid=''
Authentication server 127.0.0.1:1812
RADIUS local address: 127.0.0.1:34535
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using anonymous identity - hexdump_ascii(len=9):
     61 6e 6f 6e 79 6d 6f 75 73                        anonymous
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=14)
TX EAP -> RADIUS - hexdump(len=14): 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75
73
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=9): 61 6e 6f 6e
79 6d 6f 75 73
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=126
   Attribute 1 (User-Name) length=11
      Value: 'anonymous'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=16
      Value: 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73
   Attribute 80 (Message-Authenticator) length=18
      Value: c6 18 63 bf 04 9d aa 99 df 2b e6 ae dc 9a 4f 62
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 80 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
   Attribute 79 (EAP-Message) length=24
      Value: 01 01 00 16 04 10 71 fc 64 70 75 ac c6 10 c6 0a 4d e8 01 aa 41
ee
   Attribute 80 (Message-Authenticator) length=18
      Value: d4 96 61 25 98 3c f3 94 58 65 88 46 9e fd 94 03
   Attribute 24 (State) length=18
      Value: f1 f3 cc a8 f1 f2 c8 96 aa 0e f0 55 a4 56 38 89
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server:
EAP-Request-MD5 (4)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: configuration does not allow: vendor 0 method 4
EAP: vendor 0 method 4 not allowed
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
EAP: Status notification: refuse proposed method (param=MD5)
EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=1): 15
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 15
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=136
   Attribute 1 (User-Name) length=11
      Value: 'anonymous'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=8
      Value: 02 01 00 06 03 15
   Attribute 24 (State) length=18
      Value: f1 f3 cc a8 f1 f2 c8 96 aa 0e f0 55 a4 56 38 89
   Attribute 80 (Message-Authenticator) length=18
      Value: 67 47 36 e8 38 3e 60 c6 cd 13 e5 02 76 cb 50 f8
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=1 length=44
   Attribute 79 (EAP-Message) length=6
      Value: 04 01 00 04
   Attribute 80 (Message-Authenticator) length=18
      Value: ff 62 f1 59 12 84 99 e4 65 8a 03 00 53 97 b9 6b
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 1.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=1 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: Status notification: completion (param=failure)
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAPOL: EAP key not available
MPPE keys OK: 0  mismatch: 1
FAILURE
root@lsc-desktop:/opt/wpa_supplicant-2.0/wpa_supplicant# eapol_test -c eapol_test.conf.peap -s testing123
Reading configuration file 'eapol_test.conf.peap'
Line: 4 - start of a new network block
key_mgmt: 0x1
eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00
00
identity - hexdump_ascii(len=3):
     62 6f 62                                          bob
anonymous_identity - hexdump_ascii(len=9):
     61 6e 6f 6e 79 6d 6f 75 73                        anonymous
password - hexdump_ascii(len=7):
     70 61 73 73 62 6f 62                              passbob
phase2 - hexdump_ascii(len=8):
     61 75 74 68 3d 50 41 50                           auth=PAP
Priority group 0
   id=0 ssid=''
Authentication server 127.0.0.1:1812
RADIUS local address: 127.0.0.1:44726
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using anonymous identity - hexdump_ascii(len=9):
     61 6e 6f 6e 79 6d 6f 75 73                        anonymous
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=14)
TX EAP -> RADIUS - hexdump(len=14): 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75
73
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=9): 61 6e 6f 6e
79 6d 6f 75 73
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=126
   Attribute 1 (User-Name) length=11
      Value: 'anonymous'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=16
      Value: 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73
   Attribute 80 (Message-Authenticator) length=18
      Value: 2f 68 60 f9 6c 26 a5 45 3d 21 db 91 25 af f4 e8
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 80 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
   Attribute 79 (EAP-Message) length=24
      Value: 01 01 00 16 04 10 31 c5 44 63 85 27 52 9b 08 c0 13 be 38 03 5e
82
   Attribute 80 (Message-Authenticator) length=18
      Value: b9 f5 cb c9 84 1d 02 3c 4f 4e 6e ef b2 d8 a7 dd
   Attribute 24 (State) length=18
      Value: b8 1e 54 89 b8 1f 50 a4 b2 d4 f9 c3 88 43 05 83
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server:
EAP-Request-MD5 (4)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: configuration does not allow: vendor 0 method 4
EAP: vendor 0 method 4 not allowed
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
EAP: Status notification: refuse proposed method (param=MD5)
EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=1): 15
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 15
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=136
   Attribute 1 (User-Name) length=11
      Value: 'anonymous'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=8
      Value: 02 01 00 06 03 15
   Attribute 24 (State) length=18
      Value: b8 1e 54 89 b8 1f 50 a4 b2 d4 f9 c3 88 43 05 83
   Attribute 80 (Message-Authenticator) length=18
      Value: bd 10 47 62 3d 98 32 45 69 e9 8d 51 80 45 db 81
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=1 length=44
   Attribute 79 (EAP-Message) length=6
      Value: 04 01 00 04
   Attribute 80 (Message-Authenticator) length=18
      Value: 03 3b 7f f7 84 de 2c 69 6c 2f fe 4c fd 4e 92 f0
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 1.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=1 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: Status notification: completion (param=failure)
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAPOL: EAP key not available
MPPE keys OK: 0  mismatch: 1
FAILURE

*eapol_test.conf.pap  file:*

#
#   eapol_test -c eapol_test.conf.pap -s testing123
#
network={
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="bob"
        anonymous_identity="anonymous"
        password="passbob"
        phase2="auth=PAP"
     #
     #  Uncomment the following to perform server certificate validation.
     # ca_cert = /usr/local/etc/raddb/certs/ca.pem
}


Two more questions:

1. During the above process, my /usr/local/var/log/radius.log is empty. Why?

2. The user is bob, but in the radiusd -X debug information it is
<User-Name = "anonymous">. But if I uncomment the
<anonymous_identity="anonymous"> in the *eapol_test.conf.pap* file, it will
change to <User-Name = "bob">, so why?

Thanks a lot !
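
Added example (not part of the original post, and not FreeRADIUS or wpa_supplicant code): a small decoder for the EAP-Message attribute values printed by `radiusd -X` above, following the RFC 3748 packet layout. The helper names are hypothetical; the four hex strings are copied from the server debug output in this message.

```python
import struct

# EAP codes and a few method types (RFC 3748 / IANA EAP registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

# EAP-Message values copied from the radiusd -X output on this page.
PAGE_EAP_MESSAGES = [
    "0x0200000e01616e6f6e796d6f7573",
    "0x01010016041031c544638527529b08c013be38035e82",
    "0x020100060315",
    "0x04010004",
]


def type_name(eap_type):
    return EAP_TYPES.get(eap_type, "type-%d" % eap_type)


def decode_eap(hex_value):
    """Decode one EAP packet given as hex (optional 0x prefix and spaces)."""
    text = hex_value.strip().replace(" ", "")
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not match the data")
    pkt = {"code": EAP_CODES.get(code, "code-%d" % code),
           "id": ident, "length": length}
    body = raw[4:length]
    if code in (1, 2) and body:          # only Request/Response carry a type
        eap_type, data = body[0], body[1:]
        pkt["type"] = type_name(eap_type)
        if eap_type == 1:                # Identity: the outer identity string
            pkt["identity"] = data.decode("utf-8", "replace")
        elif eap_type == 3:              # Nak: list of methods the peer accepts
            pkt["wanted"] = [type_name(t) for t in data]
        elif eap_type == 4 and data:     # MD5-Challenge: value-size, then value
            if data[0] > len(data) - 1:
                raise ValueError("MD5 value-size exceeds packet")
            pkt["challenge_len"] = data[0]
    return pkt


def negotiation_summary(hex_values):
    """Return (methods the server offered, methods the peer asked for)."""
    packets = [decode_eap(v) for v in hex_values]
    offered = [p["type"] for p in packets
               if p["code"] == "Request" and p.get("type") not in (None, "Identity")]
    wanted = [w for p in packets for w in p.get("wanted", [])]
    return offered, wanted


if __name__ == "__main__":
    for value in PAGE_EAP_MESSAGES:
        print(decode_eap(value))
    print(negotiation_summary(PAGE_EAP_MESSAGES))
```
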