How can a wpa_supplicant client be made to send its request to only one hostapd NAS?
DJ HENRY
henry1412 at gmail.com
Thu Jul 9 05:54:12 CEST 2009
My network structure is as follows:

            RADIUS (freeradius)
                    |
                    |
              SWITCH (cisco)
                    |
                    |
        -----------------------------
        |                           |
  NAS1 (hostapd)              NAS2 (hostapd)
        |                           |
  CLIENT1 (wpa_supplicant)    CLIENT2 (wpa_supplicant)
If the network has only the NAS1 device, CLIENT1 can pass authentication.
When the network has two NAS devices, NAS1 and NAS2, CLIENT1's request is
sent to both NAS1 and NAS2, and then NAS1 and NAS2 both send the request to
RADIUS. I don't know whether CLIENT1 is under NAS1 or NAS2 in RADIUS. How can
I make a wpa_supplicant client send its request to only one hostapd NAS?
Thank you very much!
The CLIENT1 MAC: 00:0F:1E:34:28:B4
The NAS1 MAC: 00:0F:1E:34:26:50
The NAS2 MAC: 00:0f:1e:00:00:83
The CLIENT1 log
--------------------------
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 00 00 16 01 30 30 3a 30 46 3a 31
45 3a 33 34 3a 32 38 3a 42 34
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from *00:0f:1e:34:26:50*
RX EAPOL - hexdump(len=14): 02 00 00 0a 01 00 00 0a 01 68 65 6c 6c 6f
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=1 id=0
EAP: EAP entering state RETRANSMIT
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 00 00 16 01 30 30 3a 30 46 3a 31
45 3a 33 34 3a 32 38 3a 42 34
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from *00:0f:1e:00:00:83*
RX EAPOL - hexdump(len=46): 02 00 00 16 01 01 00 16 04 10 e3 1f ff 34 85 47
cd 3c d7 14 60 22 fc 2a 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=4 id=1
EAP: EAP entering state GET_METHOD
EAP: initialize selected EAP method (4, MD5)
CTRL-EVENT-EAP-METHOD EAP method 4 (MD5) selected
EAP: EAP entering state METHOD
EAP-MD5: Challenge - hexdump(len=16): e3 1f ff 34 85 47 cd 3c d7 14 60 22 fc
2a 24 fb
EAP-MD5: generating Challenge Response
EAP-MD5: Response - hexdump(len=16): 7d 5e a6 ea 11 c7 d9 ad ed 44 a4 b9 61
b5 ab 41
EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 01 00 16 04 10 7d 5e a6 ea 11 c7
d9 ad ed 44 a4 b9 61 b5 ab 41
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0f:1e:34:26:50
RX EAPOL - hexdump(len=26): 02 00 00 16 01 01 00 16 04 10 02 c8 6c 9b 31 7d
34 bc 09 6a 0f f2 c3 a8 01 54
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=4 id=1
EAP: AS used the same Id again, but EAP packets were not identical
EAP: workaround - assume this is not a duplicate packet
EAP: EAP entering state DISCARD
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0f:1e:34:26:50
RX EAPOL - hexdump(len=8): 02 00 00 04 04 01 00 04
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state DISCARD
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0f:1e:00:00:83
RX EAPOL - hexdump(len=46): 02 00 00 04 03 01 00 04 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
The NAS1 log
--------------------------
Deauthenticate all stations
br0: STA *00:0f:1e:34:28:b4* IEEE 802.1X: start authentication
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAPOL-Start from STA
br0: STA 00:0f:1e:34:28:b4 WPA: event 5 notification
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: unauthorizing port
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAP packet (code=2 id=0
len=22) from STA: EAP Response-Identity (1)
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: STA identity '00:0F:1E:34:28:B4'
br0: RADIUS Sending RADIUS message to authentication server
br0: RADIUS Next RADIUS client retransmit in 3 seconds
br0: RADIUS Received 80 bytes from RADIUS server
br0: RADIUS Received RADIUS message
br0: STA 00:0f:1e:34:28:b4 RADIUS: Received RADIUS packet matched with a
pending request, round trip time 0.03 sec
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: using EAP timeout of 30 seconds
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: decapsulated EAP packet (code=1 id=1
len=22) from RADIUS server: EAP-Request-MD5-Challenge (4)
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: EAP Identifier of the
Response-Identity does not match (was 0, expected 1) - ignored
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAP packet (code=2 id=1
len=22) from STA: EAP Response-MD5-Challenge (4)
br0: RADIUS Sending RADIUS message to authentication server
br0: RADIUS Next RADIUS client retransmit in 3 seconds
br0: RADIUS Received 44 bytes from RADIUS server
br0: RADIUS Received RADIUS message
br0: STA 00:0f:1e:34:28:b4 RADIUS: Received RADIUS packet matched with a
pending request, round trip time 0.00 sec
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: decapsulated EAP packet (code=4 id=1
len=4) from RADIUS server: EAP Failure
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: unauthorizing port
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: authentication failed
The NAS2 log
--------------------------
Deauthenticate all stations
br0: STA *00:0f:1e:34:28:b4* IEEE 802.1X: start authentication
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAPOL-Start from STA
br0: STA 00:0f:1e:34:28:b4 WPA: event 5 notification
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: unauthorizing port
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAP packet (code=2 id=0
len=22) from STA: EAP Response-Identity (1)
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: STA identity '00:0F:1E:34:28:B4'
br0: RADIUS Sending RADIUS message to authentication server
br0: RADIUS Next RADIUS client retransmit in 3 seconds
br0: RADIUS Received 80 bytes from RADIUS server
br0: RADIUS Received RADIUS message
br0: STA 00:0f:1e:34:28:b4 RADIUS: Received RADIUS packet matched with a
pending request, round trip time 0.02 sec
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: using EAP timeout of 30 seconds
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: decapsulated EAP packet (code=1 id=1
len=22) from RADIUS server: EAP-Request-MD5-Challenge (4)
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: EAP Identifier of the
Response-Identity does not match (was 0, expected 1) - ignored
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: received EAP packet (code=2 id=1
len=22) from STA: EAP Response-MD5-Challenge (4)
br0: RADIUS Sending RADIUS message to authentication server
br0: RADIUS Next RADIUS client retransmit in 3 seconds
br0: RADIUS Received 63 bytes from RADIUS server
br0: RADIUS Received RADIUS message
br0: STA 00:0f:1e:34:28:b4 RADIUS: Received RADIUS packet matched with a
pending request, round trip time 0.01 sec
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: old identity '00:0F:1E:34:28:B4'
updated with User-Name from Access-Accept '00:0F:1E:34:28:B4'
br0: STA 00:0f:1e:34:28:b4 IEEE 802.1X: decapsulated EAP packet (code=3 id=1
len=4) from RADIUS server: EAP Success
The RADIUS log
--------------------------
rad_recv: Access-Request packet from host 192.168.1.45 port 1024, id=0,
length=168
User-Name = "00:0F:1E:34:28:B4"
NAS-IP-Address = 192.168.1.45
NAS-Port = 0
Called-Station-Id = "*00-0F-1E-34-26-50:*"
Calling-Station-Id = "*00-0F-1E-34-28-B4*"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020000160130303a30463a31453a33343a32383a4234
Message-Authenticator = 0xdfe32c5308f652199fc3f87459b2f8b8
+- entering group authorize {...}
rad_recv: Access-Request packet from host 192.168.1.44 port 1024, id=1,
length=186
User-Name = "00:0F:1E:34:28:B4"
NAS-IP-Address = 192.168.1.44
NAS-Port = 0
Called-Station-Id = "*00-0F-1E-00-00-83:*"
Calling-Station-Id = "*00-0F-1E-34-28-B4*"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0201001604107d5ea6ea11c7d9aded44a4b961b5ab41
State = 0x532668a453276c3283f462034e3542a3
Message-Authenticator = 0x98ac376bdacceb01003f6f6bb9604f9c
+- entering group authorize {...}
Sending Access-Accept of id 1 to 192.168.1.44 port 1024
EAP-Message = 0x03010004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "00:0F:1E:34:28:B4"
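Added example (my own, not the original poster's logs or code from hostapd, wpa_supplicant or FreeRADIUS): a small Python decoder for the EAPOL/EAP hexdumps in the CLIENT1 log above. It replays the frames in log order, keyed by source MAC, and makes visible what the log says in words: both authenticators answered the same Response-Identity with an EAP-Request/MD5-Challenge carrying identifier 1 but different challenge bytes; wpa_supplicant computed its MD5 response over the first challenge it saw (NAS2's, 00:0f:1e:00:00:83) and discarded NAS1's as a non-identical duplicate; NAS1 nevertheless received that one response, forwarded it, and got EAP-Failure back, while NAS2 got EAP-Success. The frame list is constructed from the hexdumps on the page; the password used to show the RFC 3748 MD5-Challenge computation is made up, since the post does not contain it. One caveat for anyone running this setup: EAP-MD5 carries the challenge/response pair in the clear, so whoever can see the EAPOL frames (here evidently every authenticator on the segment) can check password guesses against that pair offline with exactly the computation in `eap_md5_response`.

```python
"""Decode the EAPOL/EAP hexdumps from the wpa_supplicant log and show how
two hostapd authenticators on one segment collide on EAP identifier 1.

Constructed for this example from the hexdumps in the post; not code
from hostapd, wpa_supplicant or FreeRADIUS."""
import hashlib

EAPOL_EAP_PACKET = 0                       # IEEE 802.1X EAPOL packet type
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}   # RFC 3748 method types

# (direction, source MAC, hexdump) in the order they appear in the CLIENT1 log.
# Trailing zeros are the Ethernet padding shown in the log.
FRAMES = [
    ("tx", "00:0f:1e:34:28:b4", "01000016020000160130303a30463a31453a33343a32383a4234"),
    ("rx", "00:0f:1e:34:26:50", "0200000a0100000a0168656c6c6f"),
    ("tx", "00:0f:1e:34:28:b4", "01000016020000160130303a30463a31453a33343a32383a4234"),
    ("rx", "00:0f:1e:00:00:83", "02000016010100160410e31fff348547cd3cd7146022fc2a24fb" + "00" * 20),
    ("tx", "00:0f:1e:34:28:b4", "010000160201001604107d5ea6ea11c7d9aded44a4b961b5ab41"),
    ("rx", "00:0f:1e:34:26:50", "0200001601010016041002c86c9b317d34bc096a0ff2c3a80154"),
    ("rx", "00:0f:1e:34:26:50", "0200000404010004"),
    ("rx", "00:0f:1e:00:00:83", "0200000403010004" + "00" * 38),
]


def parse_eapol(hexdump: str) -> dict:
    """Parse one EAPOL frame body (as hexdumped by wpa_supplicant) into a dict.
    The EAPOL length field, not the frame length, bounds the EAP packet, so
    link-layer padding is ignored."""
    raw = bytes.fromhex(hexdump)
    length = int.from_bytes(raw[2:4], "big")
    pkt = {"eapol_version": raw[0], "eapol_type": raw[1], "eapol_len": length}
    if raw[1] != EAPOL_EAP_PACKET:
        return pkt
    eap = raw[4:4 + length]
    code, ident = eap[0], eap[1]
    eap_len = int.from_bytes(eap[2:4], "big")
    pkt.update(code=EAP_CODES.get(code, code), id=ident, eap_len=eap_len)
    if code in (1, 2) and eap_len > 4:             # Request/Response carry a Type
        etype, data = eap[4], eap[5:eap_len]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:                             # Identity: printable text
            pkt["identity"] = data.decode("ascii", "replace")
        elif etype == 4:                           # MD5-Challenge: Value-Size, Value, Name
            vsize = data[0]
            pkt["value"] = data[1:1 + vsize].hex()
            pkt["name"] = data[1 + vsize:].decode("ascii", "replace")
    return pkt


def analyze(frames):
    """Replay the frames and report, per EAP identifier, every authenticator
    that issued a Request with that id, which challenge the supplicant's
    Response was computed over, and what each authenticator concluded.
    Mirrors wpa_supplicant's behaviour in the log: the first Request with a
    given id is processed, a later non-identical one with the same id is
    discarded."""
    requests, first_challenge, answered, results = {}, {}, {}, []
    for direction, mac, hexdump in frames:
        pkt = parse_eapol(hexdump)
        code = pkt.get("code")
        if direction == "rx" and code == "Request":
            requests.setdefault(pkt["id"], []).append((mac, pkt.get("value")))
            first_challenge.setdefault(pkt["id"], pkt.get("value"))
        elif direction == "tx" and code == "Response" and pkt.get("type") == "MD5-Challenge":
            answered[pkt["id"]] = first_challenge.get(pkt["id"])
        elif direction == "rx" and code in ("Success", "Failure"):
            results.append((mac, code))
    # An id is in conflict when more than one source MAC used it for a Request.
    conflicts = {i: reqs for i, reqs in requests.items() if len({m for m, _ in reqs}) > 1}
    return {"requests": requests, "answered": answered, "results": results, "conflicts": conflicts}


def eap_md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 3748 5.4 / RFC 1994: Response Value = MD5(Identifier || secret || Challenge).
    This is what the RADIUS server recomputes; a Response built over NAS2's
    challenge cannot verify against NAS1's."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_md5_response(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    return eap_md5_response(ident, secret, challenge) == response


if __name__ == "__main__":
    report = analyze(FRAMES)
    for ident, reqs in report["conflicts"].items():
        print(f"EAP id {ident} issued by {len(reqs)} authenticators:")
        for mac, chal in reqs:
            tag = "answered" if chal == report["answered"].get(ident) else "discarded"
            print(f"  {mac}  challenge={chal}  ({tag})")
    for mac, outcome in report["results"]:
        print(f"{mac}: EAP-{outcome}")
```

Run as a script it prints the id-1 collision with the two challenges, marks NAS2's as the one answered, and lists NAS1 = Failure, NAS2 = Success. The same `Called-Station-Id` split shows up in the FreeRADIUS log above (NAS-IP-Address 192.168.1.45 with 00-0F-1E-34-26-50 versus 192.168.1.44 with 00-0F-1E-00-00-83), which is the attribute to look at on the RADIUS side to tell which authenticator a given Access-Request came through.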