PC XP SP2 with 802.1x/PEAP authenticate problem
igrubnic
irena.grubnic at st.t-com.hr
Fri Apr 8 14:39:15 CEST 2011
Hi Alan,
Thank you for the reply. I googled/found how to configure the PC according to ch. 4:
http://h17007.www1.hp.com/docs/interoperability/Microsoft/4AA2-1531EEE.pdf
On the PC I have a pop-up window which asks for credentials (username and pwd), and
for the PC I have defined the following entry (deleted the old one, including the MAC):
gponpc3 Cleartext-Password := "pw4gponpc3"
It works (as expected) with a radtest check:
bash-3.2$ sudo radtest gponpc3 pw4gponpc3 127.0.0.1 0 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 1812
User-Name = "gponpc3"
User-Password = "pw4gponpc3"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=108,
length=20
But when I enter that username/pwd on the PC, again the same debug output is obtained:
Ready to process requests.
rad_recv: Access-Request packet from host 10.223.0.131 port 65534, id=16,
length=132
NAS-IP-Address = 100.1.1.1
NAS-Port-Id = "1.2"
Framed-MTU = 1024
User-Name = "00-02-A5-F8-70-29"
Calling-Station-Id = "00-02-A5-F8-70-29"
Message-Authenticator = 0x9ea1afaf433c44fbe0e5197d6a2a0292
EAP-Message = 0x0279000c0167706f6e706333
NAS-Identifier = "PENKALA"
Ericsson-Attr-101 = 0x4552494353534f4e
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "00-02-A5-F8-70-29", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 121 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 00-02-A5-F8-70-29
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 16 to 10.223.0.131 port 65534
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.223.0.131 port 65534, id=16,
length=132
Sending duplicate reply to client 10.223.0.131 port 65534 - ID: 16
Sending Access-Reject of id 16 to 10.223.0.131 port 65534
Waking up in 4.7 seconds.
Cleaning up request 0 ID 16 with timestamp +44
Ready to process requests.
It seems that the authenticator has the field User-Name = "00-02-A5-F8-70-29" set
according to RFC 3580, ch. 3.1, regardless of what I define in the users file:
3.1. User-Name
In IEEE 802.1X, the Supplicant typically provides its identity via an
EAP-Response/Identity message. Where available, the Supplicant
identity is included in the User-Name attribute, and included in the
RADIUS Access-Request and Access-Reply messages as specified in
[RFC2865] and [RFC3579].
Alternatively, as discussed in [RFC3579] Section 2.1., the User-Name <------
attribute may contain the Calling-Station-ID value, which is set to <------
the Supplicant MAC address. <------
Please can you comment again?
I have captured 2 wireshark traces:
- between server and authenticator
- between authenticator and supplicant
From the wireshark trace (RADIUS_AUTH_SUPPLICANT.pcap) it can be observed that the
identity obtained from the PC is gponpc3 (the username I entered in the pop-up window).
Please let me know if you are interested in seeing those WS traces, and how I can post them to you.
Thank you in advance,
irena
--
View this message in context: http://freeradius.1045715.n5.nabble.com/PC-XP-SP2-with-802-1x-PEAP-authenticate-problem-tp4288722p4290719.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
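As an added example, not code from the original thread or from FreeRADIUS: this Python script decodes the EAP-Message attribute quoted in the debug output above (RFC 3748 header plus the Identity type) and compares the identity it carries against User-Name and Calling-Station-Id, which is the same comparison behind the "[eap] Identity does not match User-Name" line. The regex scraping of attribute lines and the SAMPLE_REQUEST text are my own construction from the post.

```python
import re
import struct

# EAP codes (RFC 3748) and the Identity type; the post's packet is a Response.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

def parse_eap_message(hex_value: str) -> dict:
    """Parse one EAP packet given as the 0x-prefixed hex FreeRADIUS prints.
    Returns code, id, length, type and, for Identity packets, the identity."""
    raw = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    data = bytes.fromhex(raw)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    result = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # Request/Response carry a Type byte
        result["type"] = data[4]
        if data[4] == EAP_TYPE_IDENTITY:
            result["identity"] = data[5:].decode("utf-8", errors="replace")
    return result

def check_identity(debug_text: str) -> dict:
    """Scrape the attribute lines of a FreeRADIUS debug dump and report whether
    User-Name is really the MAC and whether the EAP identity agrees with it."""
    attrs = dict(re.findall(r"^\s*([\w-]+)\s*=\s*(.+?)\s*$", debug_text, re.M))
    eap = parse_eap_message(attrs["EAP-Message"])
    user_name = attrs["User-Name"].strip('"')
    calling = attrs.get("Calling-Station-Id", "").strip('"')
    return {
        "user_name": user_name,
        "calling_station_id": calling,
        "eap": eap,
        "user_name_is_mac": user_name == calling,
        "identity_matches_user_name": eap.get("identity") == user_name,
    }

# Constructed sample: the attribute lines of the Access-Request quoted in the post.
SAMPLE_REQUEST = """\
NAS-IP-Address = 100.1.1.1
User-Name = "00-02-A5-F8-70-29"
Calling-Station-Id = "00-02-A5-F8-70-29"
EAP-Message = 0x0279000c0167706f6e706333
"""

if __name__ == "__main__":
    print(check_identity(SAMPLE_REQUEST))
```

Run against a full debug dump, the report shows the switch filling User-Name with the MAC while the EAP Identity inside EAP-Message is the name typed at the PC.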