EAP Testing - Newbie

Sergio NNX sfhacker at hotmail.com
Sun Oct 16 17:49:10 CEST 2011


Ciao all,

First of all, I'm new to this project so I may ask 'dumb' questions and I may be slow to understand. Be patient!

I'm in the process of testing FreeRADIUS 2.1.11, just basic/standard setup. I've been following the following user guide: http://deployingradius.com/documents/configuration/pap.html. Very useful, by the way.

PAP, MSCHAP and MSCHAPv2 work ok, but I'm unable to get any EAP tests to pass. I've tried almost everything, including: http://deployingradius.com/documents/configuration/eap-problems.html


I need some help!

Thanks in advance.


Sergio.


Test output
-------------


radtest -t eap-md5 .......                  (it works ok)

(Client side)

Sending Access-Request packet to host 127.0.0.1 port 1812, id=229, length=0
    User-Name = "testuser"
    User-Password = "testpw"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
    EAP-Code = Response
    EAP-Type-Identity = "testuser"
    Message-Authenticator = 0x00
    EAP-Message = 0x02e4000d017465737475736572
Received Access-Challenge packet from host 127.0.0.1 port 1812, id=229, length=97
    Reply-Message = "Hello, testuser"
    EAP-Message = 0x01e5001604103823185ef840cc37ad7436a904db9605
    Message-Authenticator = 0xf5a2da42e33cfe56a80104afb9931946
    State = 0x3dcf853c3d2a813191ce5fb05bf39134
    EAP-Id = 229
    EAP-Code = Request
    EAP-Type-MD5 = 0x103823185ef840cc37ad7436a904db9605
Sending Access-Request packet to host 127.0.0.1 port 1812, id=230, length=93
    User-Name = "testuser"
    User-Password = "testpw"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
    EAP-Code = Response
    Message-Authenticator = 0x00000000000000000000000000000000
    EAP-Type-MD5 = 0x105a160cce9524d55843b32d1fcbaedb6b
    EAP-Id = 229
    State = 0x3dcf853c3d2a813191ce5fb05bf39134
    EAP-Message = 0x02e5001604105a160cce9524d55843b32d1fcbaedb6b
Received Access-Accept packet from host 127.0.0.1 port 1812, id=230, length=71
    Reply-Message = "Hello, testuser"
    EAP-Message = 0x03e50004
    Message-Authenticator = 0xa9e17bcb7d0b8e0ad062f9b3c5d0399c
    User-Name = "testuser"
    EAP-Id = 229
    EAP-Code = Success

       Total approved auths:  1
         Total denied auths:  0


(Server side)
Ready to process requests.
# Executing section authorize from file ..\etc\raddb/radiusd.conf
+- entering group authorize {...}
[auth_log] ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/127.0.0.1/auth-detail-20111016.log
++[auth_log] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
++[mschap] returns noop
[files] users: Matched entry testuser at line 29
++[files] returns ok
[eap] EAP packet type response id 228 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file ..\etc\raddb/radiusd.conf
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
++[eap] returns handled
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
# Executing section authorize from file ..\etc\raddb/radiusd.conf
+- entering group authorize {...}
[auth_log] ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/127.0.0.1/auth-detail-20111016.log
++[auth_log] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
++[mschap] returns noop
[files] users: Matched entry testuser at line 29
++[files] returns ok
[eap] EAP packet type response id 229 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file ..\etc\raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns ok
  WARNING: Empty post-auth section.  Using default return values.
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 229 with timestamp +14
Cleaning up request 1 ID 230 with timestamp +14
Ready to process requests.


--------- EAP-MD5 test ---------

http://deployingradius.com/scripts/eapol_test/


eapol_test.exe -c md5.conf -s testing123                ( it doesn't work!)


Output:

Reading configuration file 'md5.conf'
Line: 1 - start of a new network block
ssid - hexdump_ascii(len=7):
     45 78 61 6d 70 6c 65                              Example         
eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00 00
eapol_flags=0 (0x0)
key_mgmt: 0x1
identity - hexdump_ascii(len=8):
     74 65 73 74 75 73 65 72                           testuser        
password - hexdump_ascii(len=6):
     74 65 73 74 70 77                                 testpw          
ca_cert - hexdump_ascii(len=40):
     63 3a 2f 46 72 65 65 52 41 44 49 55 53 2f 65 74   c:/FreeRADIUS/et
     63 2f 72 61 64 64 62 2f 63 65 72 74 73 2f 52 6f   c/raddb/certs/Ro
     6f 74 43 41 2e 70 65 6d                           otCA.pem        
phase2 - hexdump_ascii(len=8):
     61 75 74 68 3d 4d 44 35                           auth=MD5        
anonymous_identity - hexdump_ascii(len=9):
     61 6e 6f 6e 79 6d 6f 75 73                        anonymous       
Priority group 0
   id=0 ssid='Example'
Authentication server 127.0.0.1:1812
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using anonymous identity - hexdump_ascii(len=9):
     61 6e 6f 6e 79 6d 6f 75 73                        anonymous       
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=14)
TX EAP -> RADIUS - hexdump(len=14): 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=9): 61 6e 6f 6e 79 6d 6f 75 73
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=126
   Attribute 1 (User-Name) length=11
      Value: 'anonymous'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=16
      Value: 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73
   Attribute 80 (Message-Authenticator) length=18
      Value: 8a 2a d9 3f 9a 16 02 d3 9e be 52 a3 cc a2 a0 b6
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 80 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
   Attribute 79 (EAP-Message) length=24
      Value: 01 01 00 16 04 10 2d 5a 5e ca fd 46 31 37 33 67 ef 5f ec 14 64 c3
   Attribute 80 (Message-Authenticator) length=18
      Value: 37 83 06 12 9c 7b 2d 98 9a e8 6b 81 79 03 ce 63
   Attribute 24 (State) length=18
      Value: cb 7a ce 96 cb 7b ca 0b 07 a3 2c 75 4a 0c c4 c6
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec

RADIUS packet matching with station
decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server: EAP-Request-MD5 (4)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: configuration does not allow: vendor 0 method 4
EAP: vendor 0 method 4 not allowed
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=1): 15
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 15
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=136
   Attribute 1 (User-Name) length=11
      Value: 'anonymous'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=8
      Value: 02 01 00 06 03 15
   Attribute 24 (State) length=18
      Value: cb 7a ce 96 cb 7b ca 0b 07 a3 2c 75 4a 0c c4 c6
   Attribute 80 (Message-Authenticator) length=18
      Value: 6b 08 01 29 89 bc 34 13 49 53 aa 7a 8d 43 4d f4
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
EAPOL: startWhen --> 0
STA 02:00:00:00:00:01: Resending RADIUS message (id=1)

Next RADIUS client retransmit in 6 seconds
STA 02:00:00:00:00:01: Resending RADIUS message (id=1)

Next RADIUS client retransmit in 12 seconds
STA 02:00:00:00:00:01: Resending RADIUS message (id=1)

Next RADIUS client retransmit in 24 seconds
EAPOL test timed out
EAPOL: EAP key not available
MPPE keys OK: 0  mismatch: 1
FAILURE


The server shows: rad_recv: Access-Request packet ....

then                     Sending Access-Challenge of id 0 to 127.0.0.1

then .... nothing at all!
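
Added example, not part of the original post: a small decoder for the EAP-Message values printed in the output above, showing which EAP method the server offered and which method eapol_test asked for in its reply. The function and constant names are this example's own; the hex strings are copied from the trace, and the type numbers are the IANA EAP method types.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method type numbers; only the ones that occur in this trace.
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 21: "EAP-TTLS"}

# EAP-Message values copied from the output in the post.
RADTEST_IDENTITY = "0x02e4000d017465737475736572"
RADTEST_SUCCESS = "0x03e50004"
EAPOL_IDENTITY = "02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73"
SERVER_CHALLENGE = "01 01 00 16 04 10 2d 5a 5e ca fd 46 31 37 33 67 ef 5f ec 14 64 c3"
EAPOL_REPLY = "02 01 00 06 03 15"


def parse_eap(hex_str):
    """Decode one EAP packet (RFC 3748 header: code, id, 16-bit length)."""
    raw = bytes.fromhex(hex_str.replace("0x", "").replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("length field %d does not fit %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type
        etype, data = raw[4], raw[5:length]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:
            pkt["identity"] = data.decode("utf-8", "replace")
        elif etype == 3:  # Nak: one byte per method the peer would accept
            pkt["wanted"] = [EAP_TYPES.get(t, t) for t in data]
        elif etype == 4 and data:  # Value-Size byte, then challenge/response
            if data[0] > len(data) - 1:
                raise ValueError("MD5 Value-Size exceeds packet")
            pkt["value"] = data[1:1 + data[0]].hex()
    return pkt


def negotiation(offer_hex, reply_hex):
    """Return (method the server offered, methods the peer asked for instead)."""
    offer, reply = parse_eap(offer_hex), parse_eap(reply_hex)
    if offer["id"] != reply["id"]:
        raise ValueError("reply does not answer this request")
    return offer.get("type"), reply.get("wanted", [])


if __name__ == "__main__":
    for name in ("RADTEST_IDENTITY", "EAPOL_IDENTITY", "SERVER_CHALLENGE", "EAPOL_REPLY"):
        print(name, parse_eap(globals()[name]))
    print(negotiation(SERVER_CHALLENGE, EAPOL_REPLY))
```

For the eapol_test run it returns `('MD5-Challenge', ['EAP-TTLS'])`, which matches the `allowed methods - hexdump(len=1): 15` line in the supplicant output.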


 		 	   		  