EAP Testing - Newbie
Sergio NNX
sfhacker at hotmail.com
Mon Oct 17 11:06:06 CEST 2011
First of all, thanks for your help.
radiusd.conf, eap section:
....
....
eap {
default_eap_type = ttls
md5 {
}
mschapv2 {
}
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
pem_file_type = yes
include_length = yes
CA_path = ${db_dir}/certs
CA_file = ${db_dir}/certs/rootca.pem
certificate_file = ${db_dir}/certs/server.pem
private_key_file = ${db_dir}/certs/server-key.pem
random_file = ${db_dir}/certs/random
dh_file = ${db_dir}/certs/dh
check_crl = no
verify_depth = 0
cipher_list = "DEFAULT"
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
}
peap {
default_eap_type = mschapv2
}
}
-----
users file: the first line reads: testuser Cleartext-Password := "testpw"
Reply-Message = "Hello, %{User-Name}"
--------
Then I run: eapol_test -c md5.conf -s testing123 ; I'm using the md5.conf from here: http://deployingradius.com/scripts/eapol_test/
The radiusd -X output is below:
Starting - reading configuration files ...
including configuration file ..\etc\raddb/radiusd.conf
including configuration file ../etc/raddb/clients.conf
including configuration file ../etc/raddb/policy.conf
including dictionary file ..\etc\raddb/dictionary
main {
name = "radiusd"
prefix = ".."
localstatedir = "../var"
sbindir = "../sbin"
logdir = "../var/log/radius"
run_dir = "../var/run/radiusd"
libdir = "../lib"
radacctdir = "../var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "../var/run/radiusd/radiusd.pid"
checkrad = "../sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file ..\etc\raddb/radiusd.conf
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file ..\etc\raddb/radiusd.conf
}
radiusd: #### Loading Virtual Servers ####
server { # from file ..\etc\raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file ..\etc\raddb/radiusd.conf
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file ..\etc\raddb/radiusd.conf
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file ..\etc\raddb/radiusd.conf
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "auth_log" from file ..\etc\raddb/radiusd.conf
Module: Linked to module rlm_files
Module: Instantiating module "files" from file ..\etc\raddb/radiusd.conf
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file ..\etc\raddb/radiusd.conf
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file ..\etc\raddb/radiusd.conf
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
# Executing section authorize from file ..\etc\raddb/radiusd.conf
+- entering group authorize {...}
[auth_log] ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/127.0.0.1/auth-detail-20111017.log
++[auth_log] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++[mschap] returns noop
++[files] returns noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file ..\etc\raddb/radiusd.conf
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Finished request 0.
Going to the next request
Waking up in 4.10 seconds.
# Executing section authorize from file ..\etc\raddb/radiusd.conf
+- entering group authorize {...}
[auth_log] ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/127.0.0.1/auth-detail-20111017.log
++[auth_log] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++[mschap] returns noop
++[files] returns noop
[eap] EAP packet type response id 1 length 216
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file ..\etc\raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] TLS_accept: SSLv3 write key exchange A
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
[ttls] eaptls_process returned 13
++[eap] returns handled
Finished request 1.
Going to the next request
Waking up in 4.7 seconds.
Waking up in 4.4 seconds.
Waking up in 1.4 seconds.
Cleaning up request 0 ID 0 with timestamp +27
Waking up in 0.2 seconds.
Cleaning up request 1 ID 1 with timestamp +27
Ready to process requests.
Ready to process requests.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 58118, id=0, length=126
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0xfe5e2cea30ed69e3ebb5597d9c677bcf
Sending Access-Challenge of id 0 to 127.0.0.1 port 58118
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x26b3a7ae26b2b26bc177f1c70c867315
rad_recv: Access-Request packet from host 127.0.0.1 port 58118, id=1, length=346
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100d8150016030100cd010000c903014e9bf235ba7f9efdc193f071e50186c14a010f47a15bd3e3897a7fd552820b8c00005cc014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000
State = 0x26b3a7ae26b2b26bc177f1c70c867315
Message-Authenticator = 0xc51bb1dac6f978b85e3f41a1357b4ca0
Sending Access-Challenge of id 1 to 127.0.0.1 port 58118
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0xdb799f5bbc4b53ce810203010001a38202913082028d300f0603551d130101ff04053003020100300e0603551d0f0101ff0404030203f8301d0603551d0e04160414c7c514ad16237701f629bf2c1d18c24c8186188f3082010b0603551d23048201023081ff80148c042872c8603f29a58ac14fdb9a62ff9aadc3faa181e3a481e03081dd310b3009060355040613024742310f300d060355040813064c6f6e646f6e311430120603550407130b576573746d696e73746572311c301a060355040a13134d617465415220495420536f6c7574696f6e7331173015060355040b130e504b49204465706172746d656e7431223020060355040313195465
EAP-Message = 0x737420526f6f742043412028
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x26b3a7ae27b1b26bc177f1c70c867315
----------
I've tried almost everything. I'd appreciate any pointers or help here. Is there another tool I could use instead of eapol_test?
Thanks again.
Sergio.
> Date: Mon, 17 Oct 2011 09:30:32 +0100
> From: A.L.M.Buxey at lboro.ac.uk
> To: tim.sylvester at networkradius.com; freeradius-users at lists.freeradius.org
> CC: sfhacker at hotmail.com
> Subject: Re: EAP Testing - Newbie
>
> hi,
>
> ...please don't send eapol_test output - send the output
> from radiusd -X
>
> from the log sent it looks like the client isn't getting a response from
> the server (note the 3 default timeouts at the end....)
>
> alan