Hello. First off I want to say thank you all to the developers and testers for creating FreeRADIUS. It's nice to have real options, especially for budget-minded companies that desire good security.
Over the last week or so I've set up a FreeRADIUS 0.9.2 server (on Redhat Linux 8.0). I built it and its dependencies from source and installed them in their respective places under /usr/local/. The server built fine, and is apparently functioning fine. I currently have it authenticate using accounts in /usr/local/etc/raddb/users and plan to eventually have it talk to an OpenLDAP server. Radtest returns favorable results, as does a win32-based radius test program.

I have a Cisco AP1200 that talks to the FreeRADIUS server. Using the Cisco ACU (card utility) I can successfully authenticate against the FreeRADIUS server. On the SAME client computer, with a Dell mini-pci card utilizing XP's built-in card manager with LEAP support, I get authentication failure messages (printed to the AP's log).

Attached below is what the FreeRADIUS server spits out first with a successful login (via the Cisco card software) and second with the XP card software. Apparently XP supplies insufficient message headers? I really don't know where to go from here. I can't take it to MS/Dell unless I really know what the problem is, and I was hoping you all could shed some light on it as the problem is only documented in detail in the FreeRADIUS log, and I don't really understand what it's saying.

CISCO AIRONET 350, Cisco ACU software:

rad_recv: Access-Request packet from host 192.168.1.211:1060, id=37, length=197
    User-Name = "test"
    Cisco-AVPair = "ssid=ACS"
    NAS-IP-Address = 192.168.1.211
    Called-Station-Id = "000dbc136a1e"
    Calling-Station-Id = "000943cd2e0d"
    NAS-Identifier = "AP1200-136a1e"
    NAS-Port = 37
    Framed-MTU = 1400
    State = 0xf18093d7ba4c528...<SNIP>...ccfe0710dc3
    NAS-Port-Type = Wireless-802.11
    Service-Type = Login-User
    EAP-Message = 0x01080016<SNIP>36c61726b
    Message-Authenticator = 0x5a5fb5f1...<SNIP>...1d20
modcall: entering group authorize for request 58
modcall[authorize]: module "preprocess" returns ok for request 58
modcall[authorize]: module "chap" returns noop for request 58
rlm_eap: EAP packet type identity id 8 length 22
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 58
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 58
users: Matched test at 55
modcall[authorize]: module "files" returns ok for request 58
modcall[authorize]: module "mschap" returns noop for request 58
modcall: group authorize returns updated for request 58
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 58
rlm_eap: EAP packet type identity id 8 length 22
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - leap
rlm_eap: processing type leap
rlm_eap_leap: Stage 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 58
modcall: group authenticate returns ok for request 58
Sending Access-Accept of id 37 to 192.168.1.211:1060
    Service-Type = Login-User
    Cisco-AVPair += "leap:session-key=\303q\027j\...<SNIP>...\210\226\r^"
    EAP-Message = 0x0209002611010018b3...<SNIP>...360af163636c61726b
    Message-Authenticator = 0x00000000000000000000000000000000
Finished request 58
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 56 ID 35 with timestamp 3fd00cf8
Cleaning up request 57 ID 36 with timestamp 3fd00cf8
Cleaning up request 58 ID 37 with timestamp 3fd00cf8
Nothing to do. Sleeping until we see a request.

Dell Truemobile (Broadcom) 1400 802.11a/g mini-pci, letting XP manage card:

rad_recv: Access-Request packet from host 192.168.1.211:1056, id=33, length=213
    User-Name = "test"
    Cisco-AVPair = "ssid=ACS"
    NAS-IP-Address = 192.168.1.211
    Called-Station-Id = "000dbc136a1e"
    Calling-Station-Id = "00904b2354e4"
    NAS-Identifier = "AP1200-136a1e"
    NAS-Port = 38
    Framed-MTU = 1400
    State = 0xfce76e21ea04b823101991...<SNIP>...20bf41463811b8e1dfec
    NAS-Port-Type = Wireless-802.11
    Service-Type = Login-User
    EAP-Message = 0x02030026110100...<SNIP>...9f63636c61726b
    Message-Authenticator = 0x3419249621c0f5cebc9ba4e13625f44f
modcall: entering group authorize for request 54
modcall[authorize]: module "preprocess" returns ok for request 54
modcall[authorize]: module "chap" returns noop for request 54
rlm_eap: EAP packet type notification id 3 length 38
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 54
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 54
users: Matched test at 55
modcall[authorize]: module "files" returns ok for request 54
modcall[authorize]: module "mschap" returns noop for request 54
modcall: group authorize returns updated for request 54
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 54
rlm_eap: EAP packet type notification id 3 length 38
rlm_eap: EAP Start not found
rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
modcall[authenticate]: module "eap" returns invalid for request 54
modcall: group authenticate returns invalid for request 54
auth: Failed to validate the user.
Delaying request 54 for 1 seconds
Finished request 54
Going to the next request
Sending Access-Reject of id 31 to 192.168.1.211:1054

So, any ideas what happens? It appears as if the XP-based LEAP client supplies incomplete info or state info and that FreeRADIUS doesn't recognize its query as a LEAP request, although the Cisco AP happily detects it as such and passes it along to FreeRADIUS... This happens consistently, and all Cisco client cards/software appear to work where XP client does not. I realize that this is probably an issue with either the Dell card's driver, firmware, or XP LEAP implementation but I am not sure.

Thanks for any suggestions,

Cameron Clark
Systems Administrator
Architectural Construction Services, Inc.
151 Kalmus Drive
Costa Mesa, CA 92626
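
Added example, not part of the original post and not FreeRADIUS code: a small decoder for the leading bytes of the EAP-Message values in the debug output above, using the header layout from RFC 3748 (code, identifier, 16-bit length, then a type octet for Request/Response) and EAP type 17 for LEAP. The function name `parse_eap_prefix` and the `SAMPLES` labels are hypothetical; the hex strings are only the bytes visible before each `<SNIP>` in the post, so the decoder tolerates truncated bodies.

```python
import struct

# EAP codes and a few method types (RFC 3748); type 17 is Cisco LEAP.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 17: "LEAP"}

# The bytes visible before each <SNIP> in the debug output quoted in the post.
SAMPLES = {
    "ACU Access-Request": "0x01080016",
    "XP Access-Request": "0x02030026110100",
    "Access-Accept to ACU": "0x0209002611010018b3",
}


def parse_eap_prefix(hex_prefix):
    """Decode the start of an EAP-Message value; tolerate a truncated body."""
    text = hex_prefix.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)  # raises ValueError on odd length or non-hex
    if len(raw) < 4:
        raise ValueError("need the 4-byte EAP header (code, id, length)")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES or length < 4:
        raise ValueError("not a valid EAP header")
    info = {"code": EAP_CODES[code], "id": ident, "length": length,
            "type": None, "truncated": len(raw) < length}
    # Only Request and Response packets carry a Type octet after the header.
    if code in (1, 2) and len(raw) >= 5:
        info["type"] = EAP_TYPES.get(raw[4], "unknown(%d)" % raw[4])
        # LEAP body starts: version, unused, count (length of the data field).
        if raw[4] == 17 and len(raw) >= 6:
            info["leap_version"] = raw[5]
        if raw[4] == 17 and len(raw) >= 8:
            info["leap_count"] = raw[7]
    return info


if __name__ == "__main__":
    for label, prefix in SAMPLES.items():
        print(label, parse_eap_prefix(prefix))
```

In these samples the rlm_eap debug lines read "identity" for the packet whose first octet is 1 and "notification" for the one whose first octet is 2, while the fifth octet of the XP packet (the EAP type) is 0x11, LEAP.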