Authentication with Novell 802.1x client fails but WinXP supplicant works fine?
Marc Charbonneau
mcharbonneau at ottawaheart.ca
Fri May 4 13:29:58 CEST 2007
Hi all,
I have tried everything recommended to me by Novell (as far as Microsoft patches) that may address an issue with their new (beta) Client 4.91 SP4. This client allows you to select 802.1x authentication and it's supposed to pass the login credentials to the Windows XP supplicant. Once 802.1x authentication is done, the Novell Client is supposed to continue its login process. Based on the RADIUSD logs, I'm not getting a proper PEAP authentication at the Novell login prompt stage. Once this stage times out and I log in locally to the WinXP workstation, the PEAP authentication works fine.
The timeout error is:
802.1x Authentication Failed. Timeout waiting for authentication to finish. Logging to workstation only. <OK>
FYI, Once the Novell 802.1x is enabled, the only thing I see that changes with WinXP supplicant's configuration (under PEAP) is that the Authentication Method is now listed as "Novell (EAP-MSCHAP v2)" instead of "Secured password (EAP-MSCHAP v2)".
I'm wondering if the issue is related to something with my FreeRADIUS configuration? I've included the logs for when my pure Windows XP workstation authenticates and included the logs for what's going on while waiting for the Novell 802.1x client to timeout.
I'm hoping a trained eye can spot something or anything that would lead me to a solution.
Thanks for any help.
Marc
--------------------------------*------------------------------------*--------
--------------------------------Novell 802.1x*-------------------------------
--------------------------------*------------------------------------*--------
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.242.4:32768, id=156, length=184
User-Name = "UOHI-40626"
Calling-Station-Id = "00-40-96-B1-43-A8"
Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2"
NAS-Port = 1
NAS-IP-Address = 192.168.242.4
NAS-Identifier = "UOHIWLAN2"
Vendor-14179-Attr-1 = 0x00000002
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "23"
EAP-Message = 0x0202000f01554f48492d3430363236
Message-Authenticator = 0xf173e2f693b6439540056725af55c9a5
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5046
modcall[authorize]: module "preprocess" returns ok for request 5046
modcall[authorize]: module "chap" returns noop for request 5046
modcall[authorize]: module "mschap" returns noop for request 5046
rlm_realm: No '@' in User-Name = "UOHI-40626", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5046
rlm_ldap: - authorize
rlm_ldap: performing user authorization for UOHI-40626
radius_xlat: '(&(objectClass=inetOrgPerson)(cn=UOHI-40626))'
radius_xlat: 'o=OHICO'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=UOHI-40626))
rlm_ldap: checking if remote access for UOHI-40626 is allowed by dialupAccess
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user UOHI-40626 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5046
rlm_eap: EAP packet type response id 2 length 15
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5046
modcall: group authorize returns updated for request 5046
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5046
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 5046
modcall: group authenticate returns handled for request 5046
Sending Access-Challenge of id 156 to 192.168.242.4:32768
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x236c181e57c0ea83025c9e57460d53fb
Finished request 5046
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.242.4:32768, id=157, length=267
User-Name = "UOHI-40626"
Calling-Station-Id = "00-40-96-B1-43-A8"
Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2"
NAS-Port = 1
NAS-IP-Address = 192.168.242.4
NAS-Identifier = "UOHIWLAN2"
Vendor-14179-Attr-1 = 0x00000002
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "23"
EAP-Message = 0x0203005019800000004616030100410100003d0301463a53cad2f596a4d17f6cdba65ae68141b95a139ae441539224f3830ecfbd2d00001600040005000a000900640062000300060013001200630100
State = 0x236c181e57c0ea83025c9e57460d53fb
Message-Authenticator = 0x3c69468e56b4da685f74f2ee77b5b65f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5047
modcall[authorize]: module "preprocess" returns ok for request 5047
modcall[authorize]: module "chap" returns noop for request 5047
modcall[authorize]: module "mschap" returns noop for request 5047
rlm_realm: No '@' in User-Name = "UOHI-40626", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5047
rlm_ldap: - authorize
rlm_ldap: performing user authorization for UOHI-40626
radius_xlat: '(&(objectClass=inetOrgPerson)(cn=UOHI-40626))'
radius_xlat: 'o=OHICO'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=UOHI-40626))
rlm_ldap: checking if remote access for UOHI-40626 is allowed by dialupAccess
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user UOHI-40626 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5047
rlm_eap: EAP packet type response id 3 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5047
modcall: group authorize returns updated for request 5047
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5047
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0af4], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 5047
modcall: group authenticate returns handled for request 5047
Sending Access-Challenge of id 157 to 192.168.242.4:32768
EAP-Message = 0x657274456e726f6c6c2f756f68692d63612e63726c30
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x50ae1445bfa19e9199ff676e0527a36d
Finished request 5047
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.242.4:32768, id=158, length=193
User-Name = "UOHI-40626"
Calling-Station-Id = "00-40-96-B1-43-A8"
Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2"
NAS-Port = 1
NAS-IP-Address = 192.168.242.4
NAS-Identifier = "UOHIWLAN2"
Vendor-14179-Attr-1 = 0x00000002
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "23"
EAP-Message = 0x020400061900
State = 0x50ae1445bfa19e9199ff676e0527a36d
Message-Authenticator = 0xe439288adf4546ea77fd4b41db6d415f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5048
modcall[authorize]: module "preprocess" returns ok for request 5048
modcall[authorize]: module "chap" returns noop for request 5048
modcall[authorize]: module "mschap" returns noop for request 5048
rlm_realm: No '@' in User-Name = "UOHI-40626", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5048
rlm_ldap: - authorize
rlm_ldap: performing user authorization for UOHI-40626
radius_xlat: '(&(objectClass=inetOrgPerson)(cn=UOHI-40626))'
radius_xlat: 'o=OHICO'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=OHICO, with filter (&(objectClass=inetOrgPerson)(cn=UOHI-40626))
rlm_ldap: checking if remote access for UOHI-40626 is allowed by dialupAccess
rlm_ldap: Added the eDirectory password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user UOHI-40626 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5048
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5048
modcall: group authorize returns updated for request 5048
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5048
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 5048
modcall: group authenticate returns handled for request 5048
Sending Access-Challenge of id 158 to 192.168.242.4:32768
EAP-Message = 0xf4af9701ecd685f783c48b6db282334729fb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x76bc89cb174520f20da1729de7efd20f
Finished request 5048
Going to the next request
Waking up in 6 seconds...
.................truncated log...................
--------------------------------*------------------------------------*--------
--------------------------------WinXP 802.1x*------------------------------
--------------------------------*------------------------------------*--------
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.242.4:32768, id=121, length=184
User-Name = "uohi-40626"
Calling-Station-Id = "00-40-96-B1-43-A8"
Called-Station-Id = "00-15-2C-49-E0-B0:UOHISSID2"
NAS-Port = 1
NAS-IP-Address = 192.168.242.4
NAS-Identifier = "UOHIWLAN2"
Vendor-14179-Attr-1 = 0x00000002
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "23"
EAP-Message = 0x0202000f01756f68692d3430363236
Message-A
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070504/a245502e/attachment.html>
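As an added example (not from the original post, and not FreeRADIUS code), here is a small Python decoder for the `EAP-Message = 0x...` values that FreeRADIUS prints in the traces above. It splits each value into the EAP header (code, identifier, length, type), the PEAP flags byte (L/M/S bits and version number) and, where a TLS record follows, the TLS record and handshake headers, so a reader can check the hex against what the server's own log lines claim: the first packet carries the Identity "UOHI-40626" (the WinXP trace sends it as "uohi-40626"), the challenge 0x010300061920 is a PEAP Start, the 80-byte response carries a TLS 1.0 ClientHello with the L bit set, and 0x020400061900 is a bare ACK for a server certificate fragment. The sample log text is constructed from the lines on this page; the class and function names are my own, and the Start/ACK interpretation follows the EAP and EAP-TLS conventions (RFC 3748, RFC 5216).

```python
"""Decode EAP-Message attributes from FreeRADIUS debug output (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED = (13, 21, 25)  # EAP methods that carry the L/M/S flags byte
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone",
             16: "ClientKeyExchange", 20: "Finished"}


@dataclass
class EapMessage:
    code: str
    identifier: int
    length: int
    eap_type: Optional[str] = None
    identity: Optional[str] = None
    flags: List[str] = field(default_factory=list)  # "L" (length), "M" (more), "S" (start)
    version: Optional[int] = None                    # PEAP version bits (low 3 bits of flags)
    tls_length: Optional[int] = None                 # total TLS message length when L is set
    tls_record: Optional[str] = None                 # first TLS record / handshake header

    def is_ack(self) -> bool:
        """A TLS-based EAP packet with no flags and no payload is an EAP-TLS ACK."""
        return (self.eap_type in ("EAP-TLS", "EAP-TTLS", "PEAP") and not self.flags
                and self.length == 6 and self.tls_record is None)


def parse_eap_message(hex_attr: str) -> EapMessage:
    """Parse one 'EAP-Message = 0x...' value as logged by FreeRADIUS."""
    h = hex_attr.strip()
    h = h[2:] if h.lower().startswith("0x") else h
    raw = bytes.fromhex(h)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != payload size {len(raw)}")
    msg = EapMessage(EAP_CODES.get(code, f"code {code}"), ident, length)
    if code not in (1, 2) or length < 5:
        return msg  # Success/Failure carry no type byte
    eap_type, body = raw[4], raw[5:]
    msg.eap_type = EAP_TYPES.get(eap_type, f"type {eap_type}")
    if eap_type == 1:
        msg.identity = body.decode("utf-8", "replace")
        return msg
    if eap_type in TLS_BASED and body:
        flags = body[0]
        msg.flags = [name for bit, name in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
        msg.version = flags & 0x07
        tls = body[1:]
        if "L" in msg.flags:                      # 4-byte total length precedes the TLS data
            msg.tls_length = int.from_bytes(tls[:4], "big")
            tls = tls[4:]
        if len(tls) >= 5:                         # TLS record header: type, version, length
            content, ver, rec_len = tls[0], (tls[1], tls[2]), int.from_bytes(tls[3:5], "big")
            desc = f"{TLS_VERSIONS.get(ver, ver)} {TLS_CONTENT.get(content, content)}"
            if content == 22 and len(tls) >= 6:
                desc += f" {HANDSHAKE.get(tls[5], tls[5])}"
            msg.tls_record = f"{desc} ({rec_len} bytes)"
    return msg


EAP_LINE = re.compile(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)")


def decode_log(text: str) -> List[EapMessage]:
    """Decode every EAP-Message attribute found in a FreeRADIUS debug dump."""
    return [parse_eap_message(m.group(1)) for m in EAP_LINE.finditer(text)]


# Constructed sample: the EAP-Message lines from the Novell trace on this page.
SAMPLE_LOG = """\
EAP-Message = 0x0202000f01554f48492d3430363236
EAP-Message = 0x010300061920
EAP-Message = 0x0203005019800000004616030100410100003d0301463a53cad2f596a4d17f6cdba65ae68141b95a139ae441539224f3830ecfbd2d00001600040005000a000900640062000300060013001200630100
EAP-Message = 0x020400061900
"""

if __name__ == "__main__":
    for m in decode_log(SAMPLE_LOG):
        print(m.code, "id", m.identifier, "len", m.length, m.eap_type,
              m.identity or "", "".join(m.flags), m.tls_record or ("ACK" if m.is_ack() else ""))
```

Run it over a pasted `radiusd -X` dump to see, packet by packet, whether the supplicant is sending identity, Start, TLS data or ACKs; a conversation that stalls on ACKs with no ClientKeyExchange is the supplicant refusing the server certificate, while one that never sends a second response is the supplicant not answering at all.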