EAP-Problem

K. Hoercher wbhoer at gmail.com
Wed Sep 20 14:02:53 CEST 2006


On 9/20/06, Florian Prester <Florian.Prester at rrze.uni-erlangen.de> wrote:
> Also I have some questions about eap at all. How should it work
> correctly? Because I see up to 10 Authentication-Requests until the
> client is authenticated correctly. For example the client wants to do
> EAP-PEAP (Windows-client), but the radius says EAP-NAK:
>       rlm_eap: Request found, released from the list
>       rlm_eap: EAP NAK
>      rlm_eap: EAP-NAK asked for EAP-Type/peap
>       rlm_eap: processing type tls
>       rlm_eap_tls: Initiate
>       rlm_eap_tls: Start returned 1
>       modcall[authenticate]: module "eap" returns handled for request 231
>     modcall: leaving group authenticate (returns handled) for request 231
>     Sending Access-Challenge ...
>     Finished request 231
>
> What does it mean? Can I tune the process?

My guess would be that your default_eap_type in eap.conf is not set
to peap. So your supplicant (XP) is sending the NAK (not the server,
it just logs that it got the NAK) to get the server to use peap.
Depending on your needs you could change it. That's a normal part of
EAP. As is the sending back and forth of Access-Requests and
Access-Challenges to negotiate the details inherent to EAP.

> Log:
> rad_recv: Access-Request packet from host 131.188.4.190:20000, id=35,
> length=202
>         NAS-Port-Id = "2059/1"
>         Calling-Station-Id = "00-15-00-01-C0-D1"
>         Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF"
>         Service-Type = Framed-User
>         User-Name = "unrz06"
>         State = 0x...
>         EAP-Message = 0x...
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "Trapeze"
>         NAS-IP-Address = 131.188.4.190
>         Message-Authenticator = 0x...

The username looks like a machine name for .uni-erlangen.de. Do you
intend to use machine authentication? If so, what does a successful
request look like? Note that it seems to only find matching DEFAULT
entries, so peap would be impossible, as no User-Password is known to
freeradius. Otherwise, you should check your XP setup to use the
intended username/password credentials combo.

regards
K. Hoercher
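
Added example, not part of the original message or of FreeRADIUS: a small Python decoder for the EAP packets carried in EAP-Message, run over a constructed exchange in which the supplicant answers the server's default method with a Nak asking for PEAP, which is the event rlm_eap logs as "EAP-NAK asked for EAP-Type/peap". The MD5-Challenge default and all packet bytes are assumptions made for illustration.

```python
import struct

# Codes and method numbers from RFC 3748 / the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP"}


def parse_eap(packet: bytes) -> dict:
    """Decode one EAP packet (the payload of a RADIUS EAP-Message attribute)."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes: code, identifier, length")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field does not match the data received")
    out = {"code": EAP_CODES.get(code, str(code)), "id": ident}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type
        eap_type, data = packet[4], packet[5:length]
        out["type"] = EAP_TYPES.get(eap_type, str(eap_type))
        if code == 2 and eap_type == 3:
            # Legacy Nak: each data byte is a method the peer would accept;
            # a single 0 means it has no acceptable alternative.
            out["wants"] = [EAP_TYPES.get(t, str(t)) for t in data if t != 0]
    return out


def describe_exchange(packets) -> list:
    """Summarise a sequence of EAP packets, one line per packet."""
    lines = []
    for p in packets:
        m = parse_eap(p)
        line = f"{m['code']} id={m['id']} {m.get('type', '')}".rstrip()
        if m.get("wants"):
            line += " -> peer asks for " + "/".join(m["wants"])
        lines.append(line)
    return lines


# Constructed sample (not taken from the log above). Assumption: the server's
# default method is MD5-Challenge; the supplicant Naks it and asks for PEAP.
SAMPLE = [
    bytes.fromhex("0201000b01756e727a3036"),  # Response/Identity "unrz06"
    bytes.fromhex("010200160410" + "00112233445566778899aabbccddeeff"),
    bytes.fromhex("020200060319"),  # Response/Nak, desired type 25
    bytes.fromhex("010300061920"),  # Request/PEAP, flags 0x20 = Start
]

if __name__ == "__main__":
    print("\n".join(describe_exchange(SAMPLE)))
```

Each Request/Response pair here is one Access-Challenge/Access-Request round trip on the RADIUS side, so the Nak costs one extra round trip before the PEAP handshake starts.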


