eapol_test works but not wpa_supplicant with wired interface

xxiao8 xxiao8 at fosiao.com
Wed Sep 10 04:31:04 CEST 2014


On 09/09/2014 02:29 PM, freeradius-users-request at lists.freeradius.org wrote:
>
> Message: 1
> Date: Tue, 09 Sep 2014 12:51:44 -0500
> From: xxiao8 <xxiao8 at fosiao.com>
> To: freeradius-users at lists.freeradius.org
> Subject: eapol_test works but not wpa_supplicant with wired interface
> Message-ID: <540F3E30.50603 at fosiao.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> Hello,
>
> I just set up freeradius 2.1.2 (default) on debian and tried to do 
> wpa_supplicant via wired interface to it. While eapol_test worked fine, 
> when wpa_supplicant is used, on the freeradius server side I can never 
> see any incoming RADIUS packets (or any packets) at all.
>
> I'm running wpa_supplicant/eapol_test on an ubuntu 12.04 while the 
> freeradius is hosted on a VM/debian-wheezy in the same bridged network.
>
> Am I missing something basic? All logs are below.
>
> Thanks,
> xxiao
>
> ==========config file used==================
> $cat ttls-mschapv2.conf
> ctrl_interface=/var/run/wpa_supplicant
> ap_scan=0
> fast_reauth=1
> network={
>          key_mgmt=IEEE8021X
>          identity="bob"
>          password="hello"
>          eapol_flags=0
>          eap=TTLS
>          anonymous_identity="anonymous"
>          phase2="auth=MSCHAPV2"
> }
>
> ===============eapol_test works====================
> $sudo eapol_test -c ttls-mschapv2.conf -a192.168.1.132  -p1812 
> -stesting123 -r2
> RADIUS packet matching with station
> MS-MPPE-Send-Key (sign) - hexdump(len=32): 0e 41 0d 3b 24 75 5f 43 08 cc 
> 1c 63 c6 f8 21 d5 9c 2f f2 89 dd ab d9 d9 31 18 39 00 16 c3 92 86
> MS-MPPE-Recv-Key (crypt) - hexdump(len=32): e2 9b ce e2 c6 69 e9 d9 c0 
> 37 10 75 58 53 ba 51 a1 a4 38 b8 86 3d dc f5 6d 71 35 b1 18 a8 53 0f
> decapsulated EAP packet (code=3 id=6 len=4) from RADIUS server: EAP Success
> EAPOL: Received EAP-Packet frame
> EAPOL: SUPP_BE entering state REQUEST
> EAPOL: getSuppRsp
> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Success
> EAP: Status notification: completion (param=success)
> EAP: EAP entering state SUCCESS
> CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
> EAPOL: SUPP_PAE entering state AUTHENTICATED
> EAPOL: SUPP_BE entering state RECEIVE
> EAPOL: SUPP_BE entering state SUCCESS
> EAPOL: SUPP_BE entering state IDLE
> eapol_sm_cb: result=1
> EAPOL: Successfully fetched key (len=32)
> PMK from EAPOL - hexdump(len=32): e2 9b ce e2 c6 69 e9 d9 c0 37 10 75 58 
> 53 ba 51 a1 a4 38 b8 86 3d dc f5 6d 71 35 b1 18 a8 53 0f
> No EAP-Key-Name received from server
> EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
> ENGINE: engine deinit
> MPPE keys OK: 3  mismatch: 0
> SUCCESS
>
>
> ======wpa_supplicant wired does not work===========
> $ sudo wpa_supplicant -Dwired -ieth0 -cttls-mschapv2.conf -d
> wpa_supplicant v2.2
> random: Trying to read entropy from /dev/random
> Successfully initialized wpa_supplicant
> Initializing interface 'eth0' conf 'ttls-mschapv2.conf' driver 'wired' 
> ctrl_interface 'N/A' bridge 'N/A'
> Configuration file 'ttls-mschapv2.conf' -> '/tmp/ttls-mschapv2.conf'
> Reading configuration file '/tmp/ttls-mschapv2.conf'
> ctrl_interface='/var/run/wpa_supplicant'
> ap_scan=0
> fast_reauth=1
> Priority group 0
>     id=0 ssid=''
> wpa_driver_wired_init: Added multicast membership with packet socket
> Add interface eth0 to a new radio N/A
> eth0: Own MAC address: 18:03:73:e0:ba:f1
> eth0: RSN: flushing PMKID list in the driver
> eth0: Setting scan request: 0.100000 sec
> EAPOL: SUPP_PAE entering state DISCONNECTED
> EAPOL: Supplicant port status: Unauthorized
> EAPOL: KEY_RX entering state NO_KEY_RECEIVE
> EAPOL: SUPP_BE entering state INITIALIZE
> EAP: EAP entering state DISABLED
> eth0: Added interface eth0
> eth0: State: DISCONNECTED -> DISCONNECTED
> random: Got 20/20 bytes from /dev/random
> EAPOL: External notification - EAP success=0
> EAPOL: External notification - EAP fail=0
> EAPOL: External notification - portControl=Auto
> eth0: Already associated with a configured network - generating 
> associated event
> eth0: Event ASSOC (0) received
> eth0: Association info event
> eth0: State: DISCONNECTED -> ASSOCIATED
> eth0: Associated to a new BSS: BSSID=01:80:c2:00:00:03
> eth0: Select network based on association information
> eth0: Network configuration found for the current AP
> eth0: WPA: clearing AP WPA IE
> eth0: WPA: clearing AP RSN IE
> eth0: WPA: clearing own WPA/RSN IE
> eth0: Failed to get scan results
> EAPOL: External notification - EAP success=0
> EAPOL: External notification - EAP fail=0
> EAPOL: External notification - portControl=Auto
> eth0: Associated with 01:80:c2:00:00:03
> eth0: WPA: Association event - clear replay counter
> eth0: WPA: Clear old PTK
> EAPOL: External notification - portEnabled=0
> EAPOL: External notification - portValid=0
> EAPOL: External notification - portEnabled=1
> EAPOL: SUPP_PAE entering state CONNECTING
> EAPOL: SUPP_BE entering state IDLE
> EAP: EAP entering state INITIALIZE
> EAP: EAP entering state IDLE
> eth0: Cancelling scan request
> EAPOL: startWhen --> 0
> EAPOL: SUPP_PAE entering state CONNECTING
> EAPOL: txStart
> TX EAPOL: dst=01:80:c2:00:00:03
> EAPOL: startWhen --> 0
> EAPOL: SUPP_PAE entering state CONNECTING
> EAPOL: txStart
> TX EAPOL: dst=01:80:c2:00:00:03
> EAPOL: idleWhile --> 0
> EAP: EAP entering state FAILURE
> eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
> EAPOL: SUPP_PAE entering state AUTHENTICATING
> EAPOL: SUPP_BE entering state FAIL
> EAPOL: SUPP_PAE entering state HELD
> EAPOL: Supplicant port status: Unauthorized
> EAPOL: SUPP_BE entering state IDLE
> EAPOL authentication completed - result=FAILURE
> ^Ceth0: Removing interface eth0
> eth0: Request to deauthenticate - bssid=01:80:c2:00:00:03 
> pending_bssid=00:00:00:00:00:00 reason=3 state=ASSOCIATED
> eth0: Event DEAUTH (12) received
> eth0: Deauthentication notification
> eth0:  * reason 3 (locally generated)
> Deauthentication frame IE(s) - hexdump(len=0): [NULL]
> eth0: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 
> locally_generated=1
> eth0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="" auth_failures=1 
> duration=10 reason=AUTH_FAILED
> eth0: Auto connect disabled: do not try to re-connect
> eth0: Ignore connection failure indication since interface has been put 
> into disconnected state
> eth0: State: ASSOCIATED -> DISCONNECTED
> EAPOL: External notification - portEnabled=0
> EAPOL: SUPP_PAE entering state DISCONNECTED
> EAPOL: Supplicant port status: Unauthorized
> EAPOL: SUPP_BE entering state INITIALIZE
> EAP: EAP entering state DISABLED
> EAPOL: External notification - portValid=0
> eth0: State: DISCONNECTED -> DISCONNECTED
> EAPOL: External notification - portEnabled=0
> EAPOL: External notification - portValid=0
> eth0: Cancelling scan request
> eth0: Cancelling authentication timeout
> Remove interface eth0 from radio
> Remove radio
> eth0: CTRL-EVENT-TERMINATING
>
>
>
> Message: 3
> Date: Tue, 9 Sep 2014 18:18:00 +0000
> From: A.L.M.Buxey at lboro.ac.uk
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: eapol_test works but not wpa_supplicant with wired
> 	interface
> Message-ID: <20140909181800.GD12554 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> hi,
>
>
> You need to look at your freeradius server in debug mode to see what's going on... and
> verify that the packets are being received by the server (e.g. by using the 'tcpdump' tool or such,
> looking for udp port 1812). You also need to e.g. check your freeradius server to ensure
> that the firewall isn't blocking said UDP 1812 port (eapol_test locally bypasses this....)
> and finally you need to verify the switch that you are doing 802.1X on, to ensure that it's
> sending auths to the right box... you should be able to do debug on the switch too....
>
> alan
>
>
> ------------------------------
>
Yes, I did run freeradius -X -f and it receives lots of info from
eapol_test successfully. When I ran wpa_supplicant as described above I
received nothing at all, either over 'freeradius -X -f' or from
'tcpdump'; it's like somehow wpa_supplicant is not sending out anything
to the multicast MAC? I made sure iptables is fully disabled, plus
eapol_test is running from the same machine where I ran
wpa_supplicant (non-localhost, that is).

Thanks!
xxiao
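
An added example, not part of the original messages: a Python check that reads the two debug outputs quoted in this thread and classifies each by what the supplicant sent and received. It rests on how 802.1X splits the roles: with `-Dwired`, wpa_supplicant only sends EAPOL frames to the PAE group address and an authenticator (the switch) turns them into RADIUS, whereas eapol_test speaks RADIUS to the server itself. The `RX EAPOL from` marker is wpa_supplicant's receive debug line and does not appear on this page; the verdict names are made up for this example.

```python
import re

PAE_GROUP = "01:80:c2:00:00:03"  # destination shown in the wired log above

# Excerpts copied from the two debug outputs quoted in this thread.
WIRED_LOG = """\
> EAPOL: txStart
> TX EAPOL: dst=01:80:c2:00:00:03
> EAPOL: startWhen --> 0
> EAPOL: SUPP_PAE entering state CONNECTING
> EAPOL: txStart
> TX EAPOL: dst=01:80:c2:00:00:03
> EAPOL: idleWhile --> 0
> EAP: EAP entering state FAILURE
> eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""
EAPOL_TEST_LOG = """\
> EAPOL: Received EAP-Packet frame
> EAP: Received EAP-Success
> CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
"""

TX_DST = re.compile(r"TX EAPOL: dst=([0-9a-fA-F:]{17})")
# "RX EAPOL from" is wpa_supplicant's receive line (not shown on this page).
RX_MARKERS = ("RX EAPOL from", "EAPOL: Received EAP-Packet frame")


def diagnose(log: str) -> dict:
    """Classify a supplicant debug log by what happened on the wire."""
    starts, rx, dsts = 0, 0, set()
    success = failure = False
    for raw in log.splitlines():
        line = raw.lstrip("> ")  # accept lines pasted from a quoted mail
        starts += "EAPOL: txStart" in line
        match = TX_DST.search(line)
        if match:
            dsts.add(match.group(1).lower())
        rx += any(marker in line for marker in RX_MARKERS)
        success |= "CTRL-EVENT-EAP-SUCCESS" in line
        failure |= "CTRL-EVENT-EAP-FAILURE" in line
    if success:
        verdict = "authenticated"
    elif failure and rx == 0:
        # EAPOL-Start went out and nothing came back: no authenticator
        # answered, so nothing could have produced a RADIUS request.
        verdict = "no-authenticator-reply"
    elif failure:
        verdict = "eap-rejected"
    else:
        verdict = "incomplete"
    return {"starts": starts, "rx": rx, "dsts": dsts, "verdict": verdict}
```

A `no-authenticator-reply` verdict points the investigation at the link between the supplicant and the 802.1X authenticator rather than at the RADIUS server's UDP 1812 listener.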

