WPA/RADIUS Problems
Loukas Kalenderidis
loukas at hb.com.au
Fri Sep 1 08:12:41 CEST 2006
Hi list,
I'm a FreeRADIUS noob, and I've been charged with getting some WiFi
APs authenticating against an existing FreeRADIUS server being used
for dialup users. I've configured FreeRADIUS as best I can figure
from what I've found on the web, but I'm having no success with
getting WPA to work. I'm using a D-Link 2100AP access point, and a
Mac OS X 10.4 client. From what I can gather it seems that I might
have misconfigured FreeRADIUS, based on the error message below.
I've configured a test user as follows:
pants   Auth-Type := Accept
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 1
The last 3 lines I found in a tutorial on the web, but I'm not sure
if they are necessary or not (and commenting them out makes no
difference).
When I run radtest everything looks OK:
$ radtest pants "" localhost 1 XXXXXX
Sending Access-Request of id 141 to 127.0.0.1:1812
User-Name = "pants"
User-Password = ""
NAS-IP-Address = newdeewhy
NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=141, length=35
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
When I try to connect from my Mac OS X client I get the following error:
And the following appears in the radius.log:
Fri Sep 1 15:50:59 2006 : Auth: Login OK: [pants] (from client testap port 1 cli 00-0D-93-86-48-8E)
Fri Sep 1 15:51:02 2006 : Error: Authentication reply packet code 2 sent to a non-proxy reply port from client testap:1025 - ID 0 : IGNORED
Watching the traffic shows the Access-Accept packet being sent back
to the AP, but confusingly the AP sends an Access-Accept back to the
RADIUS server! (10.0.0.100 is the AP, 10.0.0.101 is the RADIUS server):
# tcpdump -nXi eth1 -s 65535 host 10.0.0.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:08:43.990613 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS, Access Request (1), id: 0x00 length: 193
16:08:43.992271 IP 10.0.0.101.1812 > 10.0.0.100.1027: RADIUS, Access Accept (2), id: 0x00 length: 35
16:08:46.987506 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS, Access Accept (2), id: 0x00 length: 35
16:08:48.382840 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS, Access Request (1), id: 0x01 length: 193
16:08:48.384472 IP 10.0.0.101.1812 > 10.0.0.100.1027: RADIUS, Access Accept (2), id: 0x01 length: 35
16:08:51.370904 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS, Access Accept (2), id: 0x01 length: 35
16:09:02.626769 IP 10.0.0.100.1028 > 10.0.0.101.1812: RADIUS, Access Request (1), id: 0x00 length: 193
16:09:02.628391 IP 10.0.0.101.1812 > 10.0.0.100.1028: RADIUS, Access Accept (2), id: 0x00 length: 35
16:09:05.620998 IP 10.0.0.100.1028 > 10.0.0.101.1812: RADIUS, Access Accept (2), id: 0x00 length: 35
16:09:06.912295 IP 10.0.0.100.1028 > 10.0.0.101.1812: RADIUS, Access Request (1), id: 0x01 length: 193
16:09:06.913952 IP 10.0.0.101.1812 > 10.0.0.100.1028: RADIUS, Access Accept (2), id: 0x01 length: 35
16:09:07.627117 arp who-has 10.0.0.100 tell 10.0.0.101
16:09:07.627526 arp reply 10.0.0.100 is-at 00:11:95:db:37:0b
16:09:09.904367 IP 10.0.0.100.1028 > 10.0.0.101.1812: RADIUS, Access Accept (2), id: 0x01 length: 35
Anybody know what is going on here? What have I misconfigured?
Thanks,
Loukas
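
Added example, not part of the original post: a small Python check that reads tcpdump's one-line RADIUS summaries and reports reply-type packets addressed to the server's authentication port, pairing each with the genuine server reply it repeats. The sample lines are the first six packet summaries from the capture above; the function names are hypothetical.

```python
import re

# Packet summary lines taken from the capture in the post (hex payloads omitted).
CAPTURE = """\
16:08:43.990613 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS, Access Request (1), id: 0x00 length: 193
16:08:43.992271 IP 10.0.0.101.1812 > 10.0.0.100.1027: RADIUS, Access Accept (2), id: 0x00 length: 35
16:08:46.987506 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS, Access Accept (2), id: 0x00 length: 35
16:08:48.382840 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS, Access Request (1), id: 0x01 length: 193
16:08:48.384472 IP 10.0.0.101.1812 > 10.0.0.100.1027: RADIUS, Access Accept (2), id: 0x01 length: 35
16:08:51.370904 IP 10.0.0.100.1027 > 10.0.0.101.1812: RADIUS, Access Accept (2), id: 0x01 length: 35
"""

# Hypothetical helper names; the regex matches tcpdump's one-line RADIUS summary.
LINE = re.compile(
    r"(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): RADIUS, [A-Za-z -]+ "
    r"\((?P<code>\d+)\), id: (?P<id>0x[0-9a-f]+) length: \d+"
)
# RADIUS packet codes that only a server should originate (RFC 2865).
REPLY_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def parse(capture):
    """Yield one dict per RADIUS summary line; other lines are skipped."""
    for line in capture.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            f = m.groupdict()
            yield {"ts": f["ts"], "src": f["src"], "sport": int(f["sport"]),
                   "dst": f["dst"], "dport": int(f["dport"]),
                   "code": int(f["code"]), "id": int(f["id"], 16)}

def misdirected_replies(capture, auth_port=1812):
    """Find reply-type packets addressed to the server's auth port.

    Each finding is (time, sender, packet type, id, time of the genuine
    server reply it repeats, or None if no such reply was seen).
    """
    genuine = {}   # (NAS ip, NAS port, id) -> time the server replied
    findings = []
    for p in parse(capture):
        if p["code"] not in REPLY_CODES:
            continue
        if p["sport"] == auth_port:
            genuine[(p["dst"], p["dport"], p["id"])] = p["ts"]
        elif p["dport"] == auth_port:
            key = (p["src"], p["sport"], p["id"])
            findings.append((p["ts"], p["src"], REPLY_CODES[p["code"]],
                             p["id"], genuine.get(key)))
    return findings
```

On the sample it reports two Access-Accept packets from 10.0.0.100, each about three seconds after the server's own reply with the same ID. Those are the packets the server logs as "reply packet code 2 sent to a non-proxy reply port".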