Problem with EAP Authentication working not every time
stefan novak
lms.brubaker at gmail.com
Wed Aug 8 10:43:03 CEST 2012
>
> If it's "sometimes", then it would be wise to compare the debug log of
> when the client succeeds and when it does not. Also, IIRC RHEL5 has
> 2.1.12 already, so you should upgrade just in case this is a fixed
> bug.
>
>
Just updated my test server to 2.1.12.
I now test with the rad_eap_test utility to eliminate a client failure. The
behaviour gets stranger. The test utility also fails sometimes, but
the RADIUS server seems to be OK now?
[root at wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
-S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root at wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
-S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root at wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
-S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root at wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
-S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 0
[root at wlan-radius rad_eap_test-0.23]# ./rad_eap_test -H 172.21.15.1 -P 1812
-S testtest -u nagios -p xxxx -m WPA-EAP -e PEAP -2 MSCHAPV2
access-accept; 1
[root at wlan-radius rad_eap_test-0.23]#
} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x5b1d5157a6d94d87d527c9aab7234a85
MS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "nagios"
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x5b1d5157a6d94d87d527c9aab7234a85
MS-MPPE-Recv-Key = 0x942bf481ca97760d330305771e0d2e09
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "nagios"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 9 to 172.21.15.1 port 59848
EAP-Message =
0x010a003b19001703010030a46c09beb178741efc835036735026e09d8b1b1b44a88b55fce72fc28133dbf7e6edca8c0a65a6a2a85fd98eeeef2f6e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc9f5fd31c0ffe486f9e2896c0b298eff
Finished request 779.
Going to the next request
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 172.21.15.1 port 59848, id=10,
length=226
User-Name = "nagios"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message =
0x020a006019001703010020fcc074273699ca1e907af0200b96b3eaa01064887cff1a26b692f38602c3a48817030100309381801c8d424b14a2d053af534f137d1f632c69aa0572f0720bec578a1d6a61df79dc279e86b9f81d68dc6c81191e8f
State = 0xc9f5fd31c0ffe486f9e2896c0b298eff
Message-Authenticator = 0xb3249ed0ca17319a8d00741f734c974b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "nagios", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
Login OK: [nagios/<via Auth-Type = EAP>] (from client 172.21.15.1 port 0
cli 70-6F-6C-69-73-68)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> nagios
[sql] sql_set_user escaped user --> 'nagios'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( 'nagios', '',
'Access-Accept', '2012-08-08 10:42:37')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'nagios', '',
'Access-Accept', '2012-08-08 10:42:37')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 10 to 172.21.15.1 port 59848
MS-MPPE-Recv-Key =
0x3a1be0edbc8566fc1b291ff8d09a4892ad61da4dc4a33927088e7c700d478e12
MS-MPPE-Send-Key =
0x39a7512be1ea532b88619cf74533da41e180aeb57c6077287a98c82597f8cfa5
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "nagios"
Finished request 780.
Going to the next request
Waking up in 0.1 seconds.
--
kind regards,
Stefan
_______________________
www.epb.at - Your IT Partner in East Austria
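
The advice quoted at the top of this message is to compare the debug log of a succeeding attempt with that of a failing one. As an added example (not part of the original post and not FreeRADIUS code), the script below splits `radiusd -X` output in the format shown above into per-request records and reports the first module result that differs. The names `parse_requests`, `first_divergence` and `SAMPLE` are hypothetical, and the rejected request in the sample is constructed.

```python
import re

# Constructed sample in the radiusd -X format quoted in the post: request 780
# mirrors the post's accepted request; request 781 (a reject) is invented.
SAMPLE = """\
++[eap] returns handled
Finished request 779.
rad_recv: Access-Request packet from host 172.21.15.1 port 59848, id=10,
++[preprocess] returns ok
++[eap] returns ok
++[eap] returns ok
Sending Access-Accept of id 10 to 172.21.15.1 port 59848
Finished request 780.
rad_recv: Access-Request packet from host 172.21.15.1 port 59848, id=11,
++[preprocess] returns ok
++[eap] returns ok
++[eap] returns reject
Sending Access-Reject of id 11 to 172.21.15.1 port 59848
Finished request 781.
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
SENT = re.compile(r"^Sending (\S+) of id (\d+)")
MODULE = re.compile(r"^\++\[(\w+)\] returns (\w+)")
DONE = re.compile(r"^Finished request (\d+)\.")

def parse_requests(text):
    """Return one record per complete request; a leading partial one is skipped."""
    requests, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := RECV.match(line):
            cur = {"id": int(m.group(3)), "modules": [], "reply": None}
        elif cur is None:
            continue  # log excerpt started mid-request, as the post's does
        elif m := MODULE.match(line):
            cur["modules"].append((m.group(1), m.group(2)))
        elif m := SENT.match(line):
            cur["reply"] = m.group(1)
        elif m := DONE.match(line):
            cur["number"] = int(m.group(1))
            requests.append(cur)
            cur = None
    return requests

def first_divergence(good, bad):
    """Index and values of the first module result that differs, else None."""
    for i, (g, b) in enumerate(zip(good["modules"], bad["modules"])):
        if g != b:
            return i, g, b
    return None
```

A PEAP login spans several Access-Challenge round trips, so compare the requests at the same position in each conversation rather than only the final one.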