Authentication problems between Cisco Aironet 1100 and freeradius

Torkel Mathisen torkel.mathisen at bbs.no
Wed Oct 26 16:40:53 CEST 2005


Hi

I've got some problems getting EAP to work with Cisco Aironet 1100 and
Freeradius.

I've gotten freeradius to work, I think, and I have configured the Cisco
Aironet 1100 AP according to Cisco.

(http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml)

(http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c40b6.shtml#NetEAP)

When I try to connect to my WLAN with my testuser (User: testuser,
Password: Secret149) it won't authenticate.

I've configured freeradius to use PEAP-MSCHAPv2.

Anyone able to help me out?

Regards,

Torkel

This is the log I get when I run radiusd -X:

rad_recv: Access-Request packet from host 10.0.0.1:21645, id=65,
length=133

        User-Name = "testuser"

        Framed-MTU = 1400

        Called-Station-Id = "000e.8401.cd50"

        Calling-Station-Id = "0011.0a80.41d1"

        Message-Authenticator = 0x194f32c82aa7088f53cdfc8ac8a36151

        EAP-Message = 0x0202000d017465737475736572

        NAS-Port-Type = Wireless-802.11

        NAS-Port = 478

        Service-Type = Framed-User

        NAS-IP-Address = 10.0.0.1

        NAS-Identifier = "testAP"

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 63

  modcall[authorize]: module "preprocess" returns ok for request 63

  modcall[authorize]: module "chap" returns noop for request 63

  modcall[authorize]: module "mschap" returns noop for request 63

    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL

    rlm_realm: No such realm "NULL"

  modcall[authorize]: module "suffix" returns noop for request 63

  rlm_eap: EAP packet type response id 2 length 13

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

  modcall[authorize]: module "eap" returns updated for request 63

    users: Matched entry testuser at line 90

  modcall[authorize]: module "files" returns ok for request 63

modcall: group authorize returns updated for request 63

  rad_check_password:  Found Auth-Type EAP

auth: type "EAP"

  Processing the authenticate section of radiusd.conf

modcall: entering group authenticate for request 63

  rlm_eap: EAP Identity

  rlm_eap: processing type tls

  rlm_eap_tls: Initiate

  rlm_eap_tls: Start returned 1

  modcall[authenticate]: module "eap" returns handled for request 63

modcall: group authenticate returns handled for request 63

Sending Access-Challenge of id 65 to 10.0.0.1:21645

        EAP-Message = 0x010300061920

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x67a4b4a551592fcc14469ef9c70a4601

Finished request 63

Going to the next request

--- Walking the entire request list ---

Waking up in 6 seconds...

rad_recv: Access-Request packet from host 10.0.0.1:21645, id=66,
length=218

        User-Name = "testuser"

        Framed-MTU = 1400

        Called-Station-Id = "000e.8401.cd50"

        Calling-Station-Id = "0011.0a80.41d1"

        Message-Authenticator = 0xd5957923efcbfe4c3ee547a066e21d0a

        EAP-Message =
0x0203005019800000004616030100410100003d0301435f8f34c71e673ecee95256802f
571c6bfa86eaa89728f7d7f782809ef0f82600001600040005000a000900640062000300
060013001200630100

        NAS-Port-Type = Wireless-802.11

        NAS-Port = 478

        State = 0x67a4b4a551592fcc14469ef9c70a4601

        Service-Type = Framed-User

        NAS-IP-Address = 10.0.0.1

        NAS-Identifier = "testAP"

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 64

  modcall[authorize]: module "preprocess" returns ok for request 64

  modcall[authorize]: module "chap" returns noop for request 64

  modcall[authorize]: module "mschap" returns noop for request 64

    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL

    rlm_realm: No such realm "NULL"

  modcall[authorize]: module "suffix" returns noop for request 64

  rlm_eap: EAP packet type response id 3 length 80

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

  modcall[authorize]: module "eap" returns updated for request 64

    users: Matched entry testuser at line 90

  modcall[authorize]: module "files" returns ok for request 64

modcall: group authorize returns updated for request 64

  rad_check_password:  Found Auth-Type EAP

auth: type "EAP"

  Processing the authenticate section of radiusd.conf

modcall: entering group authenticate for request 64

  rlm_eap: Request found, released from the list

  rlm_eap: EAP/peap

  rlm_eap: processing type peap

  rlm_eap_peap: Authenticate

  rlm_eap_tls: processing TLS

rlm_eap_tls:  Length Included

  eaptls_verify returned 11

    (other): before/accept initialization

    TLS_accept: before/accept initialization

  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello

    TLS_accept: SSLv3 read client hello A

  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello

    TLS_accept: SSLv3 write server hello A

  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0654], Certificate

    TLS_accept: SSLv3 write certificate A

  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone

    TLS_accept: SSLv3 write server done A

    TLS_accept: SSLv3 flush data

    TLS_accept:error in SSLv3 read client certificate A

In SSL Handshake Phase

In SSL Accept mode

  eaptls_process returned 13

  rlm_eap_peap: EAPTLS_HANDLED

  modcall[authenticate]: module "eap" returns handled for request 64

modcall: group authenticate returns handled for request 64

Sending Access-Challenge of id 66 to 10.0.0.1:21645

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0xd8223ab2cc29f1f3ad13843d71797409

Finished request 64

Going to the next request

Waking up in 6 seconds...

rad_recv: Access-Request packet from host 10.0.0.1:21645, id=67,
length=144

        User-Name = "testuser"

        Framed-MTU = 1400

        Called-Station-Id = "000e.8401.cd50"

        Calling-Station-Id = "0011.0a80.41d1"

        Message-Authenticator = 0xcc2b18df4d9f3ad232f1d712d0fefa45

        EAP-Message = 0x020400061900

        NAS-Port-Type = Wireless-802.11

        NAS-Port = 478

        State = 0xd8223ab2cc29f1f3ad13843d71797409

        Service-Type = Framed-User

        NAS-IP-Address = 10.0.0.1

        NAS-Identifier = "testAP"

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 65

  modcall[authorize]: module "preprocess" returns ok for request 65

  modcall[authorize]: module "chap" returns noop for request 65

  modcall[authorize]: module "mschap" returns noop for request 65

    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL

    rlm_realm: No such realm "NULL"

  modcall[authorize]: module "suffix" returns noop for request 65

  rlm_eap: EAP packet type response id 4 length 6

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

  modcall[authorize]: module "eap" returns updated for request 65

    users: Matched entry testuser at line 90

  modcall[authorize]: module "files" returns ok for request 65

modcall: group authorize returns updated for request 65

  rad_check_password:  Found Auth-Type EAP

auth: type "EAP"

  Processing the authenticate section of radiusd.conf

modcall: entering group authenticate for request 65

  rlm_eap: Request found, released from the list

  rlm_eap: EAP/peap

  rlm_eap: processing type peap

  rlm_eap_peap: Authenticate

  rlm_eap_tls: processing TLS

rlm_eap_tls: Received EAP-TLS ACK message

  rlm_eap_tls: ack handshake fragment handler

  eaptls_verify returned 1

  eaptls_process returned 13

  rlm_eap_peap: EAPTLS_HANDLED

  modcall[authenticate]: module "eap" returns handled for request 65

modcall: group authenticate returns handled for request 65

Sending Access-Challenge of id 67 to 10.0.0.1:21645

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x6a28407c14613e4bb49a5c41aab60bfd

Finished request 65

Going to the next request

Waking up in 6 seconds...

rad_recv: Access-Request packet from host 10.0.0.1:21645, id=68,
length=144

        User-Name = "testuser"

        Framed-MTU = 1400

        Called-Station-Id = "000e.8401.cd50"

        Calling-Station-Id = "0011.0a80.41d1"

        Message-Authenticator = 0x9a39ada2dab238ef570b8dc1dd3f3b6c

        EAP-Message = 0x020500061900

        NAS-Port-Type = Wireless-802.11

        NAS-Port = 478

        State = 0x6a28407c14613e4bb49a5c41aab60bfd

        Service-Type = Framed-User

        NAS-IP-Address = 10.0.0.1

        NAS-Identifier = "testAP"

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 66

  modcall[authorize]: module "preprocess" returns ok for request 66

  modcall[authorize]: module "chap" returns noop for request 66

  modcall[authorize]: module "mschap" returns noop for request 66

    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL

    rlm_realm: No such realm "NULL"

  modcall[authorize]: module "suffix" returns noop for request 66

  rlm_eap: EAP packet type response id 5 length 6

  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation

  modcall[authorize]: module "eap" returns updated for request 66

    users: Matched entry testuser at line 90

  modcall[authorize]: module "files" returns ok for request 66

modcall: group authorize returns updated for request 66

  rad_check_password:  Found Auth-Type EAP

auth: type "EAP"

  Processing the authenticate section of radiusd.conf

modcall: entering group authenticate for request 66

  rlm_eap: Request found, released from the list

  rlm_eap: EAP/peap

  rlm_eap: processing type peap

  rlm_eap_peap: Authenticate

  rlm_eap_tls: processing TLS

rlm_eap_tls: Received EAP-TLS ACK message

  rlm_eap_tls: ack handshake fragment handler

  eaptls_verify returned 1

  eaptls_process returned 13

  rlm_eap_peap: EAPTLS_HANDLED

  modcall[authenticate]: module "eap" returns handled for request 66

modcall: group authenticate returns handled for request 66

Sending Access-Challenge of id 68 to 10.0.0.1:21645

        EAP-Message = 0x010600061900

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x029cb84784a586178ecaa439ab2c98ab

Finished request 66

Going to the next request

Waking up in 6 seconds...

--- Walking the entire request list ---

Cleaning up request 63 ID 65 with timestamp 435f8f1b

Cleaning up request 64 ID 66 with timestamp 435f8f1b

Cleaning up request 65 ID 67 with timestamp 435f8f1b

Cleaning up request 66 ID 68 with timestamp 435f8f1b

Nothing to do.  Sleeping until we see a request.
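
Added example, not part of the original post and not FreeRADIUS code: a decoder for the EAP-Message values in the log above, which makes the PEAP exchange readable. The flag bits follow the EAP-TLS framing (L = length included, M = more fragments, S = start); the names `decode_eap`, `trace` and `LOG_MESSAGES` are this example's own.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}
TLS_FLAGS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))  # length, more, start

# Short EAP-Message values copied from the radiusd -X log, in log order;
# the long TLS fragments exchanged between them are left out.
LOG_MESSAGES = [
    ("client", "0x0202000d017465737475736572"),
    ("server", "0x010300061920"),
    ("client", "0x020400061900"),
    ("client", "0x020500061900"),
    ("server", "0x010600061900"),
]

def decode_eap(hex_value):
    """Decode one whole EAP packet (join split EAP-Message attributes first)."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length {length} but {len(raw)} bytes supplied")
    pkt = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    if code not in (1, 2) or length < 5:
        return pkt  # Success and Failure have no Type field
    etype, body = raw[4], raw[5:]
    pkt["type"] = EAP_TYPES.get(etype, str(etype))
    if etype == 1:
        pkt["identity"] = body.decode("utf-8", "replace")
    elif etype in (13, 25) and body:
        flags, body = body[0], body[1:]
        pkt["flags"] = "".join(name for bit, name in TLS_FLAGS if flags & bit)
        if flags & 0x80:  # four-byte total TLS message length follows
            if len(body) < 4:
                raise ValueError("L flag set but TLS length missing")
            pkt["tls_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        pkt["tls_bytes"] = len(body)
        # No flags and no payload: a fragment ACK or an empty request.
        pkt["empty"] = not pkt["flags"] and not body
    return pkt

def trace(messages=LOG_MESSAGES):
    """Return one decoded dict per log message, tagged with its sender."""
    return [dict(decode_eap(value), sender=sender) for sender, value in messages]

if __name__ == "__main__":
    for pkt in trace():
        print(pkt)
```

Decoded this way, the last two messages in the log are an empty PEAP response from the client (id 5) and an empty PEAP request from the server (id 6), after which the requests are cleaned up.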
