EAP Testing - Newbie

Tim Sylvester tim.sylvester at networkradius.com
Sun Oct 16 21:37:20 CEST 2011 

> I'm in the process of testing FreeRADIUS 2.1.11, just basic/standard
setup.
> I've been following the following user guide:
> http://deployingradius.com/documents/configuration/pap.html. Very
> useful, by the way.
> 
> PAP, MSCHAP and MSCHAPv2 work ok, but I'm unable to get any EAP tests to
> pass. I've tries almost everything, including:
> http://deployingradius.com/documents/configuration/eap-problems.html
> 
> radtest -t eap-md5 .......                  (it works ok)
> 

OK. The means the eap-md5 worked for radtest and FreeRADIUS.

> --------- EAP-MD5 test ---------
> 
> http://deployingradius.com/scripts/eapol_test/
> 
> 
> eapol_test.exe -c md5.conf -s testing123                ( it doesn't
work!)

OK. Since eap-md5 worked for FreeRADIUS and radeaptest above, but not for
eapol_test and FreeRADIUS, this is most likely a problem with eapol_test not
supporting eap-md5.

> EAPOL: SUPP_BE entering state RECEIVE
> Received 80 bytes from RADIUS server
> Received RADIUS message
> RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
>    Attribute 79 (EAP-Message) length=24
>       Value: 01 01 00 16 04 10 2d 5a 5e ca fd 46 31 37 33 67 ef 5f ec 14
64 c3
>    Attribute 80 (Message-Authenticator) length=18
>       Value: 37 83 06 12 9c 7b 2d 98 9a e8 6b 81 79 03 ce 63
>    Attribute 24 (State) length=18
>       Value: cb 7a ce 96 cb 7b ca 0b 07 a3 2c 75 4a 0c c4 c6 STA
02:00:00:00:00:01:
> Received RADIUS packet matched with a pending request, round trip time
> 0.00 sec
> 
> RADIUS packet matching with station
> decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server: EAP-
> Request-MD5 (4)

RADIUS Server proposed using eap-md5.


> EAPOL: Received EAP-Packet frame
> EAPOL: SUPP_BE entering state REQUEST
> EAPOL: getSuppRsp
> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
> EAP: EAP entering state GET_METHOD
> EAP: configuration does not allow: vendor 0 method 4
> EAP: vendor 0 method 4 not allowed

eapol_test said it's configuration does not support "method 4" (aka
eap-md5). 


> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
> EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed)
> EAP: allowed methods - hexdump(len=1): 15
> EAP: EAP entering state SEND_RESPONSE

eapol_test sends a NAK back to the FreeRADIUS because it does not support
eap-md5 (or any other eap method sent back by FR).

Verify that eapol_test was successfully built with support for eap-md5. Look
for error messages during the build process. You will probably see error
messages saying that it could not find the OpenSSL libraries and/or headers.

Tim

More information about the Freeradius-Users mailing list