Fwd: FW:

Arpit Jain arpi2706 at gmail.com
Thu Dec 27 13:51:15 CET 2012


Hi,

I am sending an Access-Request packet using radeapclient without password.

I am giving the following attributes in radeapclient:

User-Name= "testuser"
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = " testuser "
Message-Authenticator = 0x00

But the server is sending Access-Reject to the request.

Following are the logs of radeapclient:

User-Name= "testuser"
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "testuser"
Message-Authenticator = 0x00

+++> About to send encoded packet:
        User-Name = "testuser"
        EAP-Code = Response
        EAP-Id = 210
        EAP-Type-Identity = "testuser"
        Message-Authenticator = 0x00
<+++ EAP decoded packet:
        EAP-Message = 0x01d3001604107b44069aa80b67319a536bfd4f8ac713
        Message-Authenticator = 0xb4499f3ee54742d9dd8469980720dcf6
        State = 0x8a52e3488a81e7f33f4b54075fcd3936
        EAP-Id = 211
        EAP-Code = Request
        EAP-Type-MD5 = 0x107b44069aa80b67319a536bfd4f8ac713

+++> About to send encoded packet:
        User-Name = "testuser"
        EAP-Code = Response
        EAP-Id = 211
        Message-Authenticator = 0x00000000000000000000000000000000
        EAP-Type-MD5 = 0x10d2c45d5e328b2b2db8bd66c7d171635d
        State = 0x8a52e3488a81e7f33f4b54075fcd3936
<+++ EAP decoded packet:
        EAP-Message = 0x04d30004
        Message-Authenticator = 0xf6f7e2707ef22ea86a660a4ddce7fb30
        EAP-Id = 211
        EAP-Code = Failure

On further investigation, I found an example to test eap-md5 in the source
code { freeradius-2.1.8 } in src/tests

The example is:

echo 'User-Name = "eapmd5"'
echo 'Cleartext-Password = "md5md5"'
echo 'NAS-IP-Address = marajade.sandelman.ottawa.on.ca'
echo 'EAP-Code = Response'
echo 'EAP-Id = 210'
echo 'EAP-Type-Identity = "eapsim'
echo 'Message-Authenticator = 0'
echo 'NAS-Port = 0' )

But EAP RFC3579 and RFC2869 state that User-Password should not be part of
a radius packet containing EAP-Message attribute.

It is written that “An Access-Request that contains either a User-Password or
CHAP-Password or ARAP-Password or one or more EAP-Message attributes
MUST NOT contain more than one type of those four attributes. If it
does not contain any of those four attributes, it SHOULD contain a
Message-Authenticator. If any packet type contains an EAP-Message
attribute it MUST also contain a Message-Authenticator.”

Please let me know if any specific configuration needs to be done on the
server so that the server sends Access-Accept.

Thanks in advance.

Arpit
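
Added example (not part of the original post and not FreeRADIUS code): a Python decoder for the two EAP-Message values in the log above, together with the EAP-MD5 response calculation from RFC 1994 / RFC 3748, MD5(Identifier || secret || Challenge), which shows that the password is never carried in the packet although the client must hold it to answer the challenge. The function names and the password b"example-password" are constructed for illustration.

```python
import hashlib
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MD5 = 4  # MD5-Challenge


def parse_eap(hex_value):
    """Decode an EAP-Message value as printed in the log (0x-prefixed hex)."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match the data")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type
        pkt["type"] = raw[4]
        if pkt["type"] == EAP_TYPE_MD5:
            if length < 6 or 6 + raw[5] > length:
                raise ValueError("MD5-Challenge Value-Size overruns the packet")
            pkt["value"] = raw[6:6 + raw[5]]  # challenge or response bytes
    return pkt


def md5_challenge_response(ident, secret, challenge):
    """Response value: MD5 over the EAP Identifier, the secret and the challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


# EAP-Message values copied from the radeapclient log in the post
CHALLENGE_PKT = parse_eap("0x01d3001604107b44069aa80b67319a536bfd4f8ac713")
FAILURE_PKT = parse_eap("0x04d30004")

if __name__ == "__main__":
    print("server challenge:", CHALLENGE_PKT)
    print("server verdict:  ", FAILURE_PKT)
    # Constructed secrets: each one yields a different 16-byte response,
    # and the server only accepts the one computed from the stored password.
    for secret in (b"", b"example-password"):
        resp = md5_challenge_response(
            CHALLENGE_PKT["id"], secret, CHALLENGE_PKT["value"])
        print(repr(secret), "-> EAP-Type-MD5 = 0x10" + resp.hex())
```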