eapol_test works but not wpa_supplicant with wired interface

xxiao8 xxiao8 at fosiao.com
Wed Sep 10 04:38:46 CEST 2014


On 09/09/2014 02:29 PM, freeradius-users-request at lists.freeradius.org
wrote:
>> Message: 1
>> Date: Tue, 09 Sep 2014 12:51:44 -0500
>> From: xxiao8 <xxiao8 at fosiao.com>
>> To: freeradius-users at lists.freeradius.org
>> Subject: eapol_test works but not wpa_supplicant with wired interface
>> Message-ID: <540F3E30.50603 at fosiao.com>
>> Content-Type: text/plain; charset=windows-1252; format=flowed
>>
>> Hello,
>>
>> I just set up freeradius 2.1.2 (default) on Debian and am trying to run
>> wpa_supplicant via a wired interface against it. While eapol_test worked fine,
>> when wpa_supplicant is used, on the freeradius server side I can never
>> see any incoming RADIUS packets (or any packets) at all.
>>
>> I'm running wpa_supplicant/eapol_test on Ubuntu 12.04 while the
>> freeradius is hosted on a VM/debian-wheezy in the same bridged network.
>>
>> Am I missing something basic? All logs are below.
>>
>> Thanks,
>> xxiao
>>
>> ==========config file used==================
>> $cat ttls-mschapv2.conf
>> ctrl_interface=/var/run/wpa_supplicant
>> ap_scan=0
>> fast_reauth=1
>> network={
>>          key_mgmt=IEEE8021X
>>          identity="bob"
>>          password="hello"
>>          eapol_flags=0
>>          eap=TTLS
>>          anonymous_identity="anonymous"
>>          phase2="auth=MSCHAPV2"
>> }
>>
>> ===============eapol_test works====================
>> $sudo eapol_test -c ttls-mschapv2.conf -a192.168.1.132  -p1812 
>> -stesting123 -r2
>> RADIUS packet matching with station
>> MS-MPPE-Send-Key (sign) - hexdump(len=32): 0e 41 0d 3b 24 75 5f 43 08 cc 
>> 1c 63 c6 f8 21 d5 9c 2f f2 89 dd ab d9 d9 31 18 39 00 16 c3 92 86
>> MS-MPPE-Recv-Key (crypt) - hexdump(len=32): e2 9b ce e2 c6 69 e9 d9 c0 
>> 37 10 75 58 53 ba 51 a1 a4 38 b8 86 3d dc f5 6d 71 35 b1 18 a8 53 0f
>> decapsulated EAP packet (code=3 id=6 len=4) from RADIUS server: EAP Success
>> EAPOL: Received EAP-Packet frame
>> EAPOL: SUPP_BE entering state REQUEST
>> EAPOL: getSuppRsp
>> EAP: EAP entering state RECEIVED
>> EAP: Received EAP-Success
>> EAP: Status notification: completion (param=success)
>> EAP: EAP entering state SUCCESS
>> CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
>> EAPOL: SUPP_PAE entering state AUTHENTICATED
>> EAPOL: SUPP_BE entering state RECEIVE
>> EAPOL: SUPP_BE entering state SUCCESS
>> EAPOL: SUPP_BE entering state IDLE
>> eapol_sm_cb: result=1
>> EAPOL: Successfully fetched key (len=32)
>> PMK from EAPOL - hexdump(len=32): e2 9b ce e2 c6 69 e9 d9 c0 37 10 75 58 
>> 53 ba 51 a1 a4 38 b8 86 3d dc f5 6d 71 35 b1 18 a8 53 0f
>> No EAP-Key-Name received from server
>> EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
>> ENGINE: engine deinit
>> MPPE keys OK: 3  mismatch: 0
>> SUCCESS
>>
>>
>> ======wpa_supplicant wired does not work===========
>> $ sudo wpa_supplicant -Dwired -ieth0 -cttls-mschapv2.conf -d
>> wpa_supplicant v2.2
>> random: Trying to read entropy from /dev/random
>> Successfully initialized wpa_supplicant
>> Initializing interface 'eth0' conf 'ttls-mschapv2.conf' driver 'wired' 
>> ctrl_interface 'N/A' bridge 'N/A'
>> Configuration file 'ttls-mschapv2.conf' -> '/tmp/ttls-mschapv2.conf'
>> Reading configuration file '/tmp/ttls-mschapv2.conf'
>> ctrl_interface='/var/run/wpa_supplicant'
>> ap_scan=0
>> fast_reauth=1
>> Priority group 0
>>     id=0 ssid=''
>> wpa_driver_wired_init: Added multicast membership with packet socket
>> Add interface eth0 to a new radio N/A
>> eth0: Own MAC address: 18:03:73:e0:ba:f1
>> eth0: RSN: flushing PMKID list in the driver
>> eth0: Setting scan request: 0.100000 sec
>> EAPOL: SUPP_PAE entering state DISCONNECTED
>> EAPOL: Supplicant port status: Unauthorized
>> EAPOL: KEY_RX entering state NO_KEY_RECEIVE
>> EAPOL: SUPP_BE entering state INITIALIZE
>> EAP: EAP entering state DISABLED
>> eth0: Added interface eth0
>> eth0: State: DISCONNECTED -> DISCONNECTED
>> random: Got 20/20 bytes from /dev/random
>> EAPOL: External notification - EAP success=0
>> EAPOL: External notification - EAP fail=0
>> EAPOL: External notification - portControl=Auto
>> eth0: Already associated with a configured network - generating 
>> associated event
>> eth0: Event ASSOC (0) received
>> eth0: Association info event
>> eth0: State: DISCONNECTED -> ASSOCIATED
>> eth0: Associated to a new BSS: BSSID=01:80:c2:00:00:03
>> eth0: Select network based on association information
>> eth0: Network configuration found for the current AP
>> eth0: WPA: clearing AP WPA IE
>> eth0: WPA: clearing AP RSN IE
>> eth0: WPA: clearing own WPA/RSN IE
>> eth0: Failed to get scan results
>> EAPOL: External notification - EAP success=0
>> EAPOL: External notification - EAP fail=0
>> EAPOL: External notification - portControl=Auto
>> eth0: Associated with 01:80:c2:00:00:03
>> eth0: WPA: Association event - clear replay counter
>> eth0: WPA: Clear old PTK
>> EAPOL: External notification - portEnabled=0
>> EAPOL: External notification - portValid=0
>> EAPOL: External notification - portEnabled=1
>> EAPOL: SUPP_PAE entering state CONNECTING
>> EAPOL: SUPP_BE entering state IDLE
>> EAP: EAP entering state INITIALIZE
>> EAP: EAP entering state IDLE
>> eth0: Cancelling scan request
>> EAPOL: startWhen --> 0
>> EAPOL: SUPP_PAE entering state CONNECTING
>> EAPOL: txStart
>> TX EAPOL: dst=01:80:c2:00:00:03
>> EAPOL: startWhen --> 0
>> EAPOL: SUPP_PAE entering state CONNECTING
>> EAPOL: txStart
>> TX EAPOL: dst=01:80:c2:00:00:03
>> EAPOL: idleWhile --> 0
>> EAP: EAP entering state FAILURE
>> eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
>> EAPOL: SUPP_PAE entering state AUTHENTICATING
>> EAPOL: SUPP_BE entering state FAIL
>> EAPOL: SUPP_PAE entering state HELD
>> EAPOL: Supplicant port status: Unauthorized
>> EAPOL: SUPP_BE entering state IDLE
>> EAPOL authentication completed - result=FAILURE
>> ^Ceth0: Removing interface eth0
>> eth0: Request to deauthenticate - bssid=01:80:c2:00:00:03 
>> pending_bssid=00:00:00:00:00:00 reason=3 state=ASSOCIATED
>> eth0: Event DEAUTH (12) received
>> eth0: Deauthentication notification
>> eth0:  * reason 3 (locally generated)
>> Deauthentication frame IE(s) - hexdump(len=0): [NULL]
>> eth0: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 
>> locally_generated=1
>> eth0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="" auth_failures=1 
>> duration=10 reason=AUTH_FAILED
>> eth0: Auto connect disabled: do not try to re-connect
>> eth0: Ignore connection failure indication since interface has been put 
>> into disconnected state
>> eth0: State: ASSOCIATED -> DISCONNECTED
>> EAPOL: External notification - portEnabled=0
>> EAPOL: SUPP_PAE entering state DISCONNECTED
>> EAPOL: Supplicant port status: Unauthorized
>> EAPOL: SUPP_BE entering state INITIALIZE
>> EAP: EAP entering state DISABLED
>> EAPOL: External notification - portValid=0
>> eth0: State: DISCONNECTED -> DISCONNECTED
>> EAPOL: External notification - portEnabled=0
>> EAPOL: External notification - portValid=0
>> eth0: Cancelling scan request
>> eth0: Cancelling authentication timeout
>> Remove interface eth0 from radio
>> Remove radio
>> eth0: CTRL-EVENT-TERMINATING
>>
>>
>>
>> Message: 3
>> Date: Tue, 9 Sep 2014 18:18:00 +0000
>> From: A.L.M.Buxey at lboro.ac.uk
>> To: FreeRadius users mailing list
>> 	<freeradius-users at lists.freeradius.org>
>> Subject: Re: eapol_test works but not wpa_supplicant with wired
>> 	interface
>> Message-ID: <20140909181800.GD12554 at lboro.ac.uk>
>> Content-Type: text/plain; charset=us-ascii
>>
>> hi,
>>
>>
>> you need to look at your freeradius server in debug mode to see what's going on...and
>> verify that the packets are being received by the server (eg by using 'tcpdump' tool or such
>> looking for udp port 1812).  you also need to eg check your freeradius server to ensure
>> that the firewall isn't blocking said UDP 1812 port (eapol_test locally bypasses this....)
>> and finally you need to verify your switch that you are doing 802.1X on to ensure that it's
>> sending auths to the right box...you should be able to do debug on the switch too....
>>
>> alan
>>
>>
>> ------------------------------
>>
> Yes, I did run freeradius -X -f and it receives lots of info from
> eapol_test successfully. When I ran wpa_supplicant as described above I
> received nothing at all, either over 'freeradius -X -f' or from
> 'tcpdump'; it's like somehow wpa_supplicant is not sending out anything
> to the multicast MAC? I made sure iptables is fully disabled, plus
> eapol_test is running from the same machine where I ran
> wpa_supplicant (non-localhost, that is).
>
> Thanks!
> xxiao
>
>
I forgot to mention that I'm running against freeradius directly, from a
Linux PC on the local LAN, so there is no switch involved at all. Could
this be a problem? Can WPA_SUPPLICANT talk with freeradius _directly_?

Thanks,
xxiao
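
Added example, not part of the original message or of wpa_supplicant itself: a check over `wpa_supplicant -d` output that separates a run where EAPOL-Start frames were sent and nothing came back (the pattern in the wired log above) from a run where EAP frames were received. The two sample logs are constructed by condensing the logs quoted in the post, and `diagnose_supplicant_log` is a hypothetical helper name.

```python
import re

# Constructed samples, condensed from the two debug logs quoted in the post.
WIRED_LOG = """\
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
EAPOL: startWhen --> 0
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
EAPOL: idleWhile --> 0
eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL authentication completed - result=FAILURE
"""
EAPOL_TEST_LOG = """\
EAPOL: Received EAP-Packet frame
EAP: Received EAP-Success
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: SUPP_PAE entering state AUTHENTICATED
"""

# Lines that prove a frame came back from an authenticator.
# "RX EAPOL from" is wpa_supplicant's receive trace; it is not in the post's logs.
RX_MARKERS = ("RX EAPOL from", "EAPOL: Received EAP-Packet frame")
TX_DST = re.compile(r"TX EAPOL: dst=([0-9a-fA-F:]{17})")

def diagnose_supplicant_log(log):
    """Summarise one wpa_supplicant -d run (hypothetical helper)."""
    starts, received, dsts = 0, 0, set()
    for line in log.splitlines():
        if "EAPOL: txStart" in line:
            starts += 1
        if any(marker in line for marker in RX_MARKERS):
            received += 1
        match = TX_DST.search(line)
        if match:
            dsts.add(match.group(1).lower())
    if "CTRL-EVENT-EAP-SUCCESS" in log:
        verdict = "authenticated"
    elif starts and not received:
        # EAPOL-Start went out on the wire and nothing answered it.
        verdict = "no-authenticator-reply"
    elif "CTRL-EVENT-EAP-FAILURE" in log:
        verdict = "eap-rejected-after-exchange"
    else:
        verdict = "inconclusive"
    return {"starts": starts, "received": received,
            "tx_dst": sorted(dsts), "verdict": verdict}

if __name__ == "__main__":
    print(diagnose_supplicant_log(WIRED_LOG))
    print(diagnose_supplicant_log(EAPOL_TEST_LOG))
```

EAPOL frames are Ethernet frames (EtherType 0x888E) addressed to the PAE group address, whereas eapol_test speaks RADIUS over UDP to the server itself, so a capture filtered on UDP port 1812 does not show the supplicant's own traffic.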

