freeradius-1.0.4 and MAC address authentication w/ win xp supplicant

Phil Mayers p.mayers at imperial.ac.uk
Wed Aug 29 18:56:34 CEST 2007


On Wed, 2007-08-29 at 11:41 -0500, John C. Koen wrote:
> I am running freeradius-1.0.4 on SLES10, XP supplicant and Cisco Aironet 1200 AP.
> 
> My goal is to authenticate against the "users" file and use WEP with eap-tls.
> I am trying to support Windows CE, and PEAP is not an option.

There's so much wrong I don't know where to begin.

> 
> 
> users:
> 0213dec2114a  Auth-Type:=Accept
>         Service-Type = Framed-User,
>         Tunnel-Private-Group-ID := 116,
>         Tunnel-Medium-Type := IEEE-802

This looks like a mac-address-based authentication, not EAP.

You can't force Auth-Type to Accept for EAP. EAP is a challenge-response
protocol, and the server needs to do its thing for the client to
function.

Remove the Auth-Type if you're trying to do EAP.

Please also be aware that most NASes will require the "Tunnel-Type =
VLAN" reply attribute for VLAN assignment.


> 
> eap.conf:
>         eap {
>                 default_eap_type = tls
>                 tls {
>                         private_key_password = secret
>                         private_key_file = ${raddbdir}/certs/private/radius.key
>                         certificate_file = /etc/raddb/certs/radius.crt
>
>                         #  Trusted Root CA list
>                         CA_file = /etc/raddb/certs/CA.crt
>
>                         dh_file = ${raddbdir}/certs/dh
>                         random_file = /etc/raddb/certs/random
>                         fragment_size = 1024
>                         include_length = yes
>                 }
>         }
> 
> 
> radiusd.conf:
> authorize {
>         auth_log
>         files
>         eap
> }
> 
> authenticate {
>         eap
> }
> 
> I have uploaded both the CA and certificate file to the supplicant, as
> trusted certificates.  For some reason, I continue to see the balloon from
> windows indicating that a valid certificate could not be found for comparison.
> I have followed the PDF instructions found in EAPTLS.pdf.
> 
> Here is a sample of my radiusd -X -s logs:
> 
> rad_recv: Access-Request packet from host 192.168.214.99:1645, id=39, length=115
>         User-Name = "0213dec2114a"
>         User-Password = "Qp\203e\206%\010`\256\243\203u;\362\321\017"
>         Called-Station-Id = "0014.6a73.6110"
>         Calling-Station-Id = "0213.dec2.114a"
>         Service-Type = Login-User
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 551
>         NAS-IP-Address = 192.168.214.99
>         NAS-Identifier = "AP-99"

This is not an EAP authentication; your NAS (wireless AP) is not doing
EAP. Make it do EAP if you want to do EAP.


> rad_rmspace_pair:  User-Password now 'Qp?d?%?`?u;?'
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 2
> radius_xlat:  '/var/log/radius/radius-MAC/radacct/auth-detail-20070829'
> rlm_detail: /var/log/radius/radius-MAC/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radius-MAC/radacct//auth-detail-20070829
>   modcall[authorize]: module "auth_log" returns ok for request 2
>     users: Matched entry 0213dec2114a at line 38
>   modcall[authorize]: module "files" returns ok for request 2
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 2
> modcall: group authorize returns ok for request 2
>   rad_check_password:  Found Auth-Type Accept
>   rad_check_password: Auth-Type = Accept, accepting the user
>   Processing the post-auth section of radiusd.conf
> modcall: entering group post-auth for request 2
> radius_xlat:  '/var/log/radius/radius-MAC/radacct/reply-detail-20070829'
> rlm_detail: /var/log/radius/radius-MAC/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radius-MAC/radacct/reply-detail-20070829
>   modcall[post-auth]: module "reply_log" returns ok for request 2
> modcall: group post-auth returns ok for request 2
> Sending Access-Accept of id 39 to 192.168.214.99:1645
>         Service-Type = Framed-User
>         Tunnel-Private-Group-Id:0 := "116"
>         Tunnel-Medium-Type:0 := IEEE-802
> Finished request 2
> Going to the next request
> --- Walking the entire request list ---
> 
> ...this transaction is repeated over and over and over again.
> 
> I have also tried commenting out all instances of "eap" from radiusd.conf, hoping
> to do non-wep mac address authentication, as a last effort.  I then remove
> WEP support from the supplicant and Cisco AP.  While freeradius reports 
> "access-accept", the supplicant hangs on obtaining an ip address (with no related 
> logs shown on my dhcp server) and the cisco AP reports "GMT: %DOT11-7-AUTH_FAILED: 
> Station 0213.dec2.114a Authentication failed"
> 
> --johnk
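The two points in the reply above (Auth-Type := Accept short-circuits authentication so no EAP exchange can complete, and VLAN assignment needs Tunnel-Type := VLAN), plus a quick way to tell from the debug output whether the AP is doing EAP at all, as an added example. This is not code from the post or from FreeRADIUS; the rule names, the "fixed" users entry and the EAP attribute dump are my own constructions, and the sample inputs are built from the post rather than captured live. It relies on one FreeRADIUS behaviour the log above also shows: rlm_eap only acts when an EAP-Message attribute is present, and when it is, it sets Auth-Type itself, so the users entry must not.

```python
"""Added example: lint a FreeRADIUS 'users' entry for the two problems in
the reply (Auth-Type := Accept, VLAN reply without Tunnel-Type) and
classify a 'radiusd -X' Access-Request dump as EAP or MAC-address auth.
All sample input is constructed from the post, not captured live."""
import re

# "Attr = value", "Attr := value", "Attr:=value"; tolerates a ":0" tag suffix.
ATTR_RE = re.compile(r'^\s*([\w-]+)(?::\d+)?\s*(:=|==|!=|=~|=)\s*(.+?)\s*$')

# Constructed: the entry from the post (Auth-Type := Accept, no Tunnel-Type).
SAMPLE_USERS_BAD = """\
0213dec2114a  Auth-Type:=Accept
        Service-Type = Framed-User,
        Tunnel-Private-Group-ID := 116,
        Tunnel-Medium-Type := IEEE-802
"""

# Constructed: the same entry as an EAP setup needs it. No Auth-Type, because
# rlm_eap sets Auth-Type itself when an EAP-Message is present, and the full
# VLAN triple including Tunnel-Type := VLAN.
SAMPLE_USERS_FIXED = """\
0213dec2114a
        Service-Type = Framed-User,
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-ID := 116
"""

# Constructed from the Access-Request in the post (password value omitted).
SAMPLE_MAC_REQUEST = """\
        User-Name = "0213dec2114a"
        User-Password = "(omitted)"
        Called-Station-Id = "0014.6a73.6110"
        Calling-Station-Id = "0213.dec2.114a"
        Service-Type = Login-User
        NAS-Port-Type = Wireless-802.11
"""

# Constructed: what an 802.1X/EAP Access-Request from the same AP would
# carry (EAP-Response/Identity "ceclient" plus Message-Authenticator).
SAMPLE_EAP_REQUEST = """\
        User-Name = "ceclient"
        Calling-Station-Id = "0213.dec2.114a"
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000d016365636c69656e74
        Message-Authenticator = 0x00000000000000000000000000000000
"""


def _items(text):
    """Split 'A = 1, B := 2,' into (attr, op, value) tuples (quotes dropped)."""
    out = []
    for raw in text.split(','):
        m = ATTR_RE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return out


def parse_users(text):
    """Entries start in column 0: name plus optional check items; indented
    continuation lines carry the comma-separated reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] not in ' \t':
            parts = line.split(None, 1)
            check = _items(parts[1]) if len(parts) > 1 else []
            entries.append({'name': parts[0], 'check': check, 'reply': []})
        elif entries:
            entries[-1]['reply'].extend(_items(line))
    return entries


def lint_entry(entry):
    """Return a list of findings for one users entry (empty means clean)."""
    check = {a.lower(): v for a, _, v in entry['check']}
    reply = {a.lower() for a, _, _ in entry['reply']}
    findings = []
    if check.get('auth-type', '').lower() == 'accept':
        findings.append('Auth-Type := Accept: password is never checked and an '
                        'EAP exchange cannot complete; anyone sending this '
                        'User-Name is accepted')
    if 'tunnel-private-group-id' in reply and 'tunnel-type' not in reply:
        findings.append('Tunnel-Private-Group-ID without Tunnel-Type := VLAN: '
                        'most NASes will not apply the VLAN')
    if 'tunnel-private-group-id' in reply and 'tunnel-medium-type' not in reply:
        findings.append('Tunnel-Private-Group-ID without Tunnel-Medium-Type')
    return findings


def parse_request(dump):
    """Turn the attribute lines of a radiusd -X Access-Request into a dict."""
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(3).strip('"')
    return attrs


def _mac(s):
    """Normalise '0213.dec2.114a' / '02:13:DE:C2:11:4A' to 12 hex digits."""
    return re.sub(r'[^0-9a-f]', '', s.lower())


def classify_request(attrs):
    """'eap' if the NAS is doing 802.1X (EAP-Message present), 'mac-auth' if
    the User-Name is just the client's MAC, otherwise 'other'."""
    if 'EAP-Message' in attrs:
        return 'eap'
    user = _mac(attrs.get('User-Name', ''))
    if len(user) == 12 and user == _mac(attrs.get('Calling-Station-Id', '')):
        return 'mac-auth'
    return 'other'


if __name__ == '__main__':
    for label, text in (('bad', SAMPLE_USERS_BAD), ('fixed', SAMPLE_USERS_FIXED)):
        for entry in parse_users(text):
            print(label, entry['name'], lint_entry(entry) or ['ok'])
    print(classify_request(parse_request(SAMPLE_MAC_REQUEST)))
    print(classify_request(parse_request(SAMPLE_EAP_REQUEST)))
```

Run it as-is and the "bad" entry produces two findings while the "fixed" one is clean; the request from the post classifies as mac-auth, which is the same conclusion the reply draws from "rlm_eap: No EAP-Message, not doing EAP". The classifier is the first thing to check when an EAP-TLS setup "accepts" but the supplicant never associates: if the NAS is not sending EAP-Message, no amount of eap.conf tuning will matter.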