questions about eap md5 authentication

Robert WAKIM rwakim at mind-techno.fr
Tue Jan 24 10:44:16 CET 2006 

Hi,

I'm pretty stuck in a radius/ldap 802.1x authentication.

During the authentication process the client (windows 2k through a e1
switch) sends the authentication using MD5-Challenge which is for what I
understand the easiest of all.

The FreeRadius server recevies everything but failed to authenticate the
user.

Here is the output



rad_recv: Access-Request packet from host 192.168.1.200:1056, id=37,
length=96
        Message-Authenticator = 0xf44b1f115e9f9aa7d8026af7916c954f
        User-Name = "gab"
        NAS-IP-Address = 192.168.1.200
        NAS-Port = 32
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-E0-29-38-72-DB"
        EAP-Message = 0x0240000801676162
        Framed-MTU = 1000
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gab
radius_xlat:  '(uid=gab)'
radius_xlat:  'ou=radius, dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to galilee.mind-techno.fr:389, authentication 0
rlm_ldap: bind as cn=emanager,ou=radius,dc=fr/socrate2803 to
galilee.mind-techno.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=radius, dc=fr, with filter (uid=gab)
rlm_ldap: checking if remote access for gab is allowed by radiusFilterId
rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value { & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFilterId as Filter-Id, value
Enterasys:version=1:policy=Enterprise User & op=11
rlm_ldap: user gab authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  rlm_eap: EAP packet type response id 64 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 37 to 192.168.1.200:1056
        Filter-Id = "Enterasys:version=1:policy=Enterprise User"
        EAP-Message = 0x014100160410f863dc8a4ae21123368575c7ac478f42
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0d1c294f270f623665d377ff9b34eb92
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.200:1057, id=38,
length=96
        Message-Authenticator = 0x5c5c8803ec4b135afc57ba4443c8f64f
        User-Name = "gab"
        NAS-IP-Address = 192.168.1.200
        NAS-Port = 32
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-E0-29-38-72-DB"
        EAP-Message = 0x0242000801676162
        Framed-MTU = 1000
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gab
radius_xlat:  '(uid=gab)'
radius_xlat:  'ou=radius, dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=radius, dc=fr, with filter (uid=gab)
rlm_ldap: checking if remote access for gab is allowed by radiusFilterId
rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value { & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFilterId as Filter-Id, value
Enterasys:version=1:policy=Enterprise User & op=11
rlm_ldap: user gab authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  rlm_eap: EAP packet type response id 66 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 38 to 192.168.1.200:1057
        Filter-Id = "Enterasys:version=1:policy=Enterprise User"
        EAP-Message = 0x014300160410537c01ae485e80e5e60a42ebe253c954
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x924e905b561231069339383faf04ce3b
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.200:1057, id=39,
length=128
        Message-Authenticator = 0x1419a4cc9ce6110c3899d7e1b6e16e96
        User-Name = "gab"
        State = 0x924e905b561231069339383faf04ce3b
        NAS-IP-Address = 192.168.1.200
        NAS-Port = 32
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-E0-29-38-72-DB"
        Framed-MTU = 1000
        EAP-Message = 0x024300160410e2a54a8018106d1354e86a78906ab7b9
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gab
radius_xlat:  '(uid=gab)'
radius_xlat:  'ou=radius, dc=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=radius, dc=fr, with filter (uid=gab)
rlm_ldap: checking if remote access for gab is allowed by radiusFilterId
rlm_ldap: Added password {MD5}mmGCSLZNti0VswCgewBYCw== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value { & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFilterId as Filter-Id, value
Enterasys:version=1:policy=Enterprise User & op=11
rlm_ldap: user gab authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
  rlm_eap: EAP packet type response id 67 length 22
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/md5
  rlm_eap: processing type md5
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 2
modcall: group authenticate returns reject for request 2
auth: Failed to validate the user.
Login incorrect: [gab] (from client mind-intern port 32 cli
00-E0-29-38-72-DB)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Cleaning up request 0 ID 37 with timestamp 43d5f546
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 39 to 192.168.1.200:1057
        EAP-Message = 0x04430004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 38 with timestamp 43d5f54b
Cleaning up request 2 ID 39 with timestamp 43d5f54b
Nothing to do.  Sleeping until we see a request.



The user gab in the ldap database is :

dn: uid=gab,ou=users,ou=radius,dc=fr
structuralObjectClass: inetOrgPerson
entryUUID: a4ff72d0-2078-102a-99d1-fb3e3efc1b6e
creatorsName: cn=admin,ou=radius,dc=fr
createTimestamp: 20060123162543Z
radiusFilterId: "Enterasys:version=1:policy=Enterprise User"
uid: gab
description: 802.1x user
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
sn: gab
cn: gab
userPassword:: e01ENX1tbUdDU0xaTnRpMFZzd0NnZXdCWUN3PT0=
entryCSN: 20060124083844Z#000001#00#000000
modifiersName: cn=admin,ou=radius,dc=fr
modifyTimestamp: 20060124083844Z


The radius.conf file for the authorize and authenticate section :


authorize {
        ldap
        eap
}



authenticate {
        Auth-Type LDAP {
                ldap
        }
        eap
}


I'm getting lost in all this. Do you have any clues to resolve this ?

Thanks in advance.

Regards,

-- 
M. Robert Wakim
Mind Technologies
 
24 rue Victor Hugo
94220 Charenton-Le-Pont
FRANCE
 
tel         :  +33 (0)1 41 79 09 40
Fax       :  +33 (0)1 43 68 80 32
 
Email    : rwakim at mind-techno.fr
web       : http://www.mind-techno.fr

More information about the Freeradius-Users mailing list