EAP-TLS authentication problem
park jeho
parkjeho at hotmail.com
Thu Sep 22 18:41:00 CEST 2005
hi All !
i have one problem for wireless connection after authentication procedure
using EAP-TLS authentication method through a radius server .
i have not solved this problem for about two week .. :-)
wondering is that after xsupplicant print out "AUTHENTICATED" message , my
wireless card even can't connect to AP or other links
i cant get a any ping reply from other host !
but during athentication prcedure, radius server sent "Access-Accept "
message with MS-MPPE-Recv-Key and MS-MPPE-Send-Key to AP,
then xsupplicant display authentication success message like below
->[ALL] Got EAP-Success!
->Authenticated!
[ testbed ]
WN(192.168.1.2) < -- wireless network -- > AP (192.168.1.1) <----- LAN
-----> Authentication Server (192.168.1.3)
- WN
[hardware] : thinkpad R52
[OS]: debian3.1, kernel 2.6.11.11
[software] :
xsupplicant 1.2pre and 1.2.1 configuration file ->
openssl 0.9.7a
ieee802 v1.0.3
ipw2200 v1.0.6 ( intel pro/wireless 2915ABG )
xsupplication configuration :
http://jhpark.guideline.co.kr/project/mds/xsupplicant/xsupplicant-tls.conf
- AP
[hardware] : ASUS wl500g, firmware v 1.9.4
configuration info :
http://jhpark.guideline.co.kr/project/mds/AP/ap_config_info.txt
- Authentication Server
[hardware] : toshiba tecra m3
[OS]: debian3.1, kernel 2.6.13
[software]:
freeradius v1.0.4, openssl v0.9.7e ( /usr/lib is base install path )
freeradius configuration :
radiud.conf ->
http://jhpark.guideline.co.kr/project/mds/freeradius/radiusd.conf
eap.conf -> http://jhpark.guideline.co.kr/project/mds/freeradius/eap.conf
other config -> http://jhpark.guideline.co.kr/project/mds/freeradius/
1. association command with iwconfig
root at debian#iwconfig eth1 essid asus key [xxxxx: 26 hex key which was setup
in AP wep key] open
2. xsupplicant exec command
root at debian#/usr/local/sbin/xsupplicant -i eth1 -d 7 -f -c
/root/xsupplicant-tls.conf
3. interface up
root at debian#ifconfig eth1 92.168.1.3 netmask 255.255.255.0 up
and as a result, i got this xsupplicant result message
---------------------snip ------------------------
Stats for Interface eth1 :
EAPOL Frames RX : 8 EAPOL Frames TX : 8
EAPOL Starts TX : 1 EAPOL Logoff TX : 0
EAPOL Resp. ID TX : 1 EAPOL Resp. TX : 6
EAPOL Req. ID RX : 1 EAPOL Req. RX : 6
EAPOL Invalid Frame: 0 EAP Length Error : 0
Last EAPOL Version : 1 Last EAPOL Src. :00 11 D8 24 69 AA
EAPOL Success : 1 EAPOL Failure : 0
[STATE] Backend State : RECEIVE -> SUCCESS
[STATE] Backend State : SUCCESS -> IDLE
[ALL] Got Frame :
-------------------- snip ---------------------------------
Processing EAPoL-Key!
[INT] Key Descriptor = 1
[INT] Key Length = 13
[INT] Replay Counter = 83 AA 80 92 94 9F 62 2A
[INT] Key IV = B9 11 F5 37 D3 57 75 DB C4 F7 F1 47 98 BB 55 58
[INT] Key Index (RAW) = 83
[INT] Key Signature = C2 76 90 CD 97 20 AA CF 8A EB 12 C8 DD 45 BC B9
[INT] EAPoL Key Processed: unicast [4] 13 bytes.
[INT] Using peer key!
*WARNING* This AP uses the key generated during the authentication
process. If reauthentication doesn't happen frequently enough your
connection
may not be very secure!
[INT] Successfully set WEP key [4]
[INT] Successfully set the WEP transmit key [4]
[INT] Got an RTM_NEWLINK!
[INT] Wireless event: cmd=0x8b2a len=12
[INT] Encryption key set
[STATE] AUTHENTICATING -> AUTHENTICATED
[ALL] Canceled timer for 'authentication timer'!
[INT] Got an RTM_NEWLINK!
[INT] Wireless event: cmd=0x8b2a len=12
[INT] Encryption key set
------------------------------------------------------------------
Full xsupplicant message is this (
http://jhpark.guideline.co.kr/project/mds/xsupplicant/xsupplicant.result )
above all, i can't sure AP and WN (client) have successed in making a right
pairwise transient key.
if pairwise transient key was made perfectly, why Wn node can't connect
other network links ?
here is radiusd message during processing above client request.
root at debian#radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "root"
main: group = "root"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAPv2"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = yes
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = "/etc/passwd"
unix: shadow = "/etc/shadow"
unix: group = "/etc/group"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
detail: detailfile = "%A/%{Client-IP-Address}/detail"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (reply_log)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1:2048, id=0, length=129
User-Name = "testUser"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "0011d82469aa"
Calling-Station-Id = "0012f0947701"
NAS-Identifier = "0011d82469aa"
NAS-Port = 34
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000d017465737455736572
Message-Authenticator = 0x0a886b447e7581235a7974ecabcc0d92
------------------ snip
----------------------------------------------------
modcall: group post-auth returns ok for request 6
Sending Access-Accept of id 0 to 192.168.1.1:2048
Session-Timeout := 900
MS-MPPE-Recv-Key =
0xb6eed12463e0d9089d372359a2ee586ef35c93293d0579ab053fe2fd617b8353
MS-MPPE-Send-Key =
0x79ae9d4df30ea49dbc6fe5884a20da515fd6b23b2cc9f0cfd44503e0fc2e6c9b
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testUser"
Finished request 6
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 0 with timestamp 43323914
Nothing to do. Sleeping until we see a request.
----------------------------------------------------------------------------------
Full radiusd result message is this (
http://jhpark.guideline.co.kr/project/mds/freeradius/radiusd.result
Why i can't connect any other host after finishing EAP-TLS authenticaiton
procedure ?
and
someone please explain to me why xsupplicant prints driver warning message
previously Thanks !
---
http://jhpark.guideline.co.kr
private mail : linuxpark at kernelproject.org
More information about the Freeradius-Users
mailing list