Problem authenticating with Checkpoint Integrity.
Ian Walker
scatmanwalks at gmail.com
Tue Nov 21 10:02:14 CET 2006
I'm attempting 802.1x authentication with Checkpoint Integrity. I have it
working with peap no problems and using mschapv2. However, when I attempt
with Integrity, I have to choose "Zone Labs Cooperative Enforcement" within
the Windows 802.1x authentication options. I've then chosen peap/mschapv2
here, but an additional setting is eap-type "44", which I'm unable to
change on the client.

When the authentication attempt is tried with freeradius, this is what I see
from the debug log.
rad_recv: Access-Request packet from host 172.20.12.220:4066, id=145,
length=232
Framed-MTU = 1480
NAS-IP-Address = 172.20.12.220
NAS-Identifier = "HP ProCurve Switch 5304XL"
User-Name = "bartek"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "A1"
Called-Station-Id = "00-11-85-57-88-00"
Calling-Station-Id = "00-00-39-53-b0-aa"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "111"
State = 0xa470cc42adabab0256dc2c8bc1eed1a2
EAP-Message = 0x02020006032c
Message-Authenticator = 0x7aaa286e636cd7d6d2db5775789ea1ec
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry bartek at line 223
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group eap for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: NAK asked for bad type 44
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 1
modcall: leaving group eap (returns invalid) for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.20.12.220:4066, id=145,
length=232
Sending Access-Reject of id 145 to 172.20.12.220 port 4066
EAP-Message = 0x04020004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 144 with timestamp 4562beee
Cleaning up request 1 ID 145 with timestamp 4562beee
Nothing to do. Sleeping until we see a request.
The main bit of this is the EAP NAK and "NAK asked for bad type 44". I'm
unsure of how I'm supposed to configure freeradius to use this type, as in
the IANA numbers, type 44 is shown as:
44 ZoneLabs EAP (ZLXEAP)
Any ideas on what I can do to get this working?
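
An added example, not part of the original post and not FreeRADIUS code: decoding the two EAP-Message values from the debug log above with the RFC 3748 packet layout shows the client's Nak asking for type 44 and the server's Failure reply. SERVER_TYPES is an assumed set of enabled methods, not taken from the poster's configuration.

```python
import struct

# EAP codes (RFC 3748) and a few IANA method types, including the one in the log.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP",
             26: "MS-EAP-Authentication", 44: "ZoneLabs EAP (ZLXEAP)"}

def decode_eap(hex_value):
    """Decode an EAP-Message attribute value as printed in the debug log."""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(digits)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes received")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
           "length": length, "type": None, "desired": []}
    # Success and Failure carry no Type field; Request and Response need one.
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        pkt["type"] = raw[4]
        if code == 2 and raw[4] == 3:
            # Legacy Nak: each remaining byte is a method the peer would accept.
            pkt["desired"] = list(raw[5:])
    return pkt

def unsupported(pkt, server_types):
    """Types the peer asked for in a Nak that the server does not offer."""
    return [t for t in pkt["desired"] if t not in server_types]

def describe(pkt):
    """One-line summary of a decoded packet."""
    text = f'{pkt["code"]} id={pkt["id"]} len={pkt["length"]}'
    if pkt["type"] is not None:
        text += f' type={EAP_TYPES.get(pkt["type"], pkt["type"])}'
    for t in pkt["desired"]:
        text += f' wants={t} ({EAP_TYPES.get(t, "unknown")})'
    return text

# Assumption: a server with only these methods enabled (MD5, TLS, PEAP, MSCHAPv2).
SERVER_TYPES = {4, 13, 25, 26}

if __name__ == "__main__":
    # The two EAP-Message values that appear in the debug log above.
    for value in ("0x02020006032c", "0x04020004"):
        pkt = decode_eap(value)
        print(value, "->", describe(pkt), "| unsupported:", unsupported(pkt, SERVER_TYPES))
```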