Hello. First off I want to say thank you all to the developers and testers
for creating FreeRADIUS. It's nice to have real options, especially for
budget-minded companies that desire good security.
Over the last week or so I've set up a FreeRADIUS 0.9.2 server (on Redhat
Linux 8.0). I built it and its dependencies from source and installed them
in their respective places under /usr/local/. The server built fine, and is
apparently functioning fine. I currently have it authenticate using accounts
in /usr/local/etc/raddb/users and plan to eventually have it talk to an
OpenLDAP server. Radtest returns favorable results, as does a win32-based
radius test program.
I have a Cisco AP1200 that talks to the FreeRADIUS server. Using the Cisco
ACU (card utility) I can successfully authenticate against the FreeRADIUS
server. On the SAME client computer, with a Dell mini-pci card utilizing
XP's built-in card manager with LEAP support, I get authentication failure
messages (printed to the AP's log). Attached below is what the FreeRADIUS
server spits out first with a successful login (via the Cisco card software)
and second with the XP card software. Apparently XP supplies insufficient
message headers? I really don't know where to go from here. I can't take it
to MS/Dell unless I really know what the problem is, and I was hoping you
all could shed some light on it, as the problem is only documented in detail
in the FreeRADIUS log, and I don't really understand what it's saying.
CISCO AIRONET 350, Cisco ACU software:
rad_recv: Access-Request packet from host 192.168.1.211:1060, id=37,
length=197
User-Name = "test"
Cisco-AVPair = "ssid=ACS"
NAS-IP-Address = 192.168.1.211
Called-Station-Id = "000dbc136a1e"
Calling-Station-Id = "000943cd2e0d"
NAS-Identifier = "AP1200-136a1e"
NAS-Port = 37
Framed-MTU = 1400
State = 0xf18093d7ba4c528...<SNIP>...ccfe0710dc3
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x01080016<SNIP>36c61726b
Message-Authenticator = 0x5a5fb5f1...<SNIP>...1d20
modcall: entering group authorize for request 58
modcall[authorize]: module "preprocess" returns ok for request 58
modcall[authorize]: module "chap" returns noop for request 58
rlm_eap: EAP packet type identity id 8 length 22
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 58
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 58
users: Matched test at 55
modcall[authorize]: module "files" returns ok for request 58
modcall[authorize]: module "mschap" returns noop for request 58
modcall: group authorize returns updated for request 58
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 58
rlm_eap: EAP packet type identity id 8 length 22
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - leap
rlm_eap: processing type leap
rlm_eap_leap: Stage 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 58
modcall: group authenticate returns ok for request 58
Sending Access-Accept of id 37 to 192.168.1.211:1060
Service-Type = Login-User
Cisco-AVPair +=
"leap:session-key=\303q\027j\...<SNIP>...\210\226\r^"
EAP-Message = 0x0209002611010018b3...<SNIP>...360af163636c61726b
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 58
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 56 ID 35 with timestamp 3fd00cf8
Cleaning up request 57 ID 36 with timestamp 3fd00cf8
Cleaning up request 58 ID 37 with timestamp 3fd00cf8
Nothing to do. Sleeping until we see a request.
Dell Truemobile (Broadcom) 1400 802.11a/g mini-pci, letting XP manage card:
rad_recv: Access-Request packet from host 192.168.1.211:1056, id=33,
length=213
User-Name = "test"
Cisco-AVPair = "ssid=ACS"
NAS-IP-Address = 192.168.1.211
Called-Station-Id = "000dbc136a1e"
Calling-Station-Id = "00904b2354e4"
NAS-Identifier = "AP1200-136a1e"
NAS-Port = 38
Framed-MTU = 1400
State = 0xfce76e21ea04b823101991...<SNIP>...20bf41463811b8e1dfec
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x02030026110100...<SNIP>...9f63636c61726b
Message-Authenticator = 0x3419249621c0f5cebc9ba4e13625f44f
modcall: entering group authorize for request 54
modcall[authorize]: module "preprocess" returns ok for request 54
modcall[authorize]: module "chap" returns noop for request 54
rlm_eap: EAP packet type notification id 3 length 38
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 54
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 54
users: Matched test at 55
modcall[authorize]: module "files" returns ok for request 54
modcall[authorize]: module "mschap" returns noop for request 54
modcall: group authorize returns updated for request 54
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 54
rlm_eap: EAP packet type notification id 3 length 38
rlm_eap: EAP Start not found
rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
EAP-request
modcall[authenticate]: module "eap" returns invalid for request 54
modcall: group authenticate returns invalid for request 54
auth: Failed to validate the user.
Delaying request 54 for 1 seconds
Finished request 54
Going to the next request
Sending Access-Reject of id 31 to 192.168.1.211:1054
So, any ideas what happens? It appears as if the XP-based LEAP client
supplies incomplete info or state info and that FreeRADIUS doesn't recognize
its query as a LEAP request, although the Cisco AP happily detects it as
such and passes it along to FreeRADIUS... This happens consistently, and all
Cisco client cards/software appear to work where the XP client does not. I
realize that this is probably an issue with either the Dell card's driver,
firmware, or XP LEAP implementation but I am not sure. Thanks for any
suggestions,
Cameron Clark
Systems Administrator
Architectural Construction Services, Inc.
151 Kalmus Drive
Costa Mesa, CA 92626
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
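The two captures above differ already in the first byte of the EAP-Message attribute (0x01, an EAP Request, from the Cisco client; 0x02, an EAP Response, from the XP-managed card), and rlm_eap's handler lookup in the authenticate section goes a different way for each. The decoder below is an added example for reading such debug output; it is not code from the post, from FreeRADIUS, or from Cisco. It splits each EAP-Message into the RFC 3748 header fields (code, id, length, type) and, for type 17 (LEAP), the version/count/data/name body, then pairs every Access-Request with the "Request found" / "Request not found" line that rlm_eap printed for it. The sample log embedded in the block is constructed in the shape of the two captures; its hex payloads are made up, because the post's values are snipped.

```python
import re

# Added example, not code from the original post or from FreeRADIUS itself.
# Decodes the EAP-Message attribute that FreeRADIUS prints in debug mode
# (RFC 3748 header: code, id, length, type) and, for type 17 (LEAP), the
# version / unused / count / data / name body, then pairs each Access-Request
# with rlm_eap's "Request found" / "Request not found" handler-lookup result.

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 17: "LEAP"}

RECV_RE = re.compile(r"rad_recv: Access-Request packet from host (\S+), id=(\d+),")


def decode_eap(hexstr):
    """Split one EAP-Message value (as printed, e.g. 0x0203...) into fields."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    out = {"code": code, "code_name": EAP_CODES.get(code, "?"), "id": ident,
           "length": length, "length_ok": length == len(raw)}
    if code in (1, 2) and len(raw) >= 5:          # only Request/Response carry a type
        eap_type = raw[4]
        out["type"] = eap_type
        out["type_name"] = EAP_TYPES.get(eap_type, "?")
        if eap_type == 17 and len(raw) >= 8:      # LEAP: version, unused, count, data, name
            count = raw[7]
            body = raw[8:]
            out["leap"] = {"version": raw[5], "count": count,
                           "data": body[:count].hex(),
                           "name": body[count:].decode("ascii", "replace")}
    return out


def parse_debug(text):
    """Collect, per Access-Request, the peer, User-Name, presence of State,
    the decoded EAP-Message and the rlm_eap handler-lookup outcome."""
    requests, cur, collecting = [], None, False
    for line in text.splitlines():
        line = line.strip()
        m = RECV_RE.match(line)
        if m:
            cur = {"peer": m.group(1), "radius_id": int(m.group(2)), "user": None,
                   "state": False, "eap": None, "handler": "unknown"}
            requests.append(cur)
            collecting = True            # attribute lines follow until modcall starts
            continue
        if cur is None:
            continue
        if line.startswith("modcall:"):
            collecting = False           # reply attributes must not overwrite the request's
        elif collecting and line.startswith("User-Name = "):
            cur["user"] = line.split("= ", 1)[1].strip('"')
        elif collecting and line.startswith("State = "):
            cur["state"] = True
        elif collecting and line.startswith("EAP-Message = "):
            cur["eap"] = decode_eap(line.split("= ", 1)[1])
        elif "Request found, released from the list" in line:
            cur["handler"] = "found"
        elif "Request not found in the list" in line:
            cur["handler"] = "not found"
    return requests


def summarize(req):
    """One-line diagnosis of a parsed request."""
    eap = req["eap"]
    if eap is None:
        return f"id={req['radius_id']}: no EAP-Message"
    desc = f"id={req['radius_id']} EAP {eap['code_name']} id={eap['id']} len={eap['length']}"
    if "type_name" in eap:
        desc += f" type={eap['type_name']}"
    if "leap" in eap:
        desc += f" leap-count={eap['leap']['count']} leap-name={eap['leap']['name']!r}"
    return f"{desc}; State={'yes' if req['state'] else 'no'}; handler {req['handler']}"


# Constructed sample in the shape of the two captures in the post; the hex
# payloads and State values are made up, not the poster's real packets.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.211:1060, id=37,
length=197
User-Name = "test"
State = 0xf18093d7ba4c5283
EAP-Message = 0x0108001411010008010203040506070874657374
Message-Authenticator = 0x5a5fb5f1
modcall: entering group authorize for request 58
rlm_eap: Request found, released from the list
Sending Access-Accept of id 37 to 192.168.1.211:1060
EAP-Message = 0x03090004
rad_recv: Access-Request packet from host 192.168.1.211:1056, id=33,
length=213
User-Name = "test"
State = 0xfce76e21ea04b823
EAP-Message = 0x020300241101001800112233445566778899aabbccddeeff001122334455667774657374
Message-Authenticator = 0x34192496
modcall: entering group authorize for request 54
rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
EAP-request
Sending Access-Reject of id 33 to 192.168.1.211:1056
"""

if __name__ == "__main__":
    for req in parse_debug(SAMPLE_LOG):
        print(summarize(req))
```

Run it against a real `radiusd -X` capture by replacing SAMPLE_LOG with the file contents. The `collecting` flag matters: FreeRADIUS prints the reply's EAP-Message after "Sending Access-Accept", and without the flag that reply would overwrite the request's decoded packet. The `length_ok` field flags a truncated or snipped value, which is exactly what a copied-and-pasted log like the one above contains, so the decoder fails loudly on those instead of reporting fields from incomplete data.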