I'm having some trouble getting a USR8054 WAP to authenticate against a FreeRADIUS server. Currently, I'm using MSCHAPv2 against an entry in users for simplicity's sake, but I hope to move that to ntlm_auth off our NT PDC later. To do the data transfer, I'm using PEAP over TLS. I generated certificates with the certs.sh script provided in the source package. I copied the cert-srv.pem to the server and cert-clt.pem to the client, and root.pem to both.

The problem manifests itself like this. My testing machine is a Linux box with open1x.org's Xsupplicant installed and a Cisco Aironet wireless card. The card gets an initial connection just fine from the WAP, but when I try to authenticate against RADIUS, xsupplicant spits this back after curState goes to AUTHENTICATING:

[ALL] Got EAP-Failure!
Failure!
[ALL] (TLS-FUNCS) Cleaning up (possible after a failure)!
[AUTH TYPE] (EAP-TLS) Freeing mytls_vars->ctx!
[ALL] (EAP-PEA) Failed. Resetting

I have the FreeRADIUS server in -X mode, and I see this at that point:

SSL Connection Established
 eaptls_process returned 13
 rlm_eap_peap: EAPTLS_HANDLED
 rlm_eap: Freeing handler
 modcall[authenticate]: module "eap" returns reject for request 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.

I don't see any obvious errors on either client or server up to this point. The user is authenticated fine:

rad_recv: Access-Request packet from host 192.168.0.251:1207, id=1, length=123
User-Name = "skylar"
NAS-IP-Address = 192.168.0.251
NAS-Port = 0
Called-Station-Id = "00-c0-49-ee-4a-b2"
Calling-Station-Id = "00-40-96-44-c4-ec"
NAS-Identifier = ""
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000b01736b796c6172
Message-Authenticator = 0x569ec933397b73cc649fe1d15cdf7af1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "skylar", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 152
users: Matched skylar at 215
modcall[authorize]: module "files" returns ok for request 0

The only other possible error I can see on the server side is this:

modcall: entering group authenticate for request 1
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
   TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
 eaptls_process returned 13
 rlm_eap_peap: EAPTLS_HANDLED
 modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1

But after some Googling, it appears that the TLS error isn't fatal.

Any ideas?

--
-- Skylar Thompson ([EMAIL PROTECTED])
-- http://www.cs.earlham.edu/~skylar/


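As an added example (not from the original post, and not FreeRADIUS code), the script below decodes the EAP-Message attribute shown in the rad_recv block above using the RFC 3748 EAP header (Code, Identifier, Length, Type), checks that the EAP Identity carried inside it agrees with the outer User-Name, and summarises what rlm_eap returned for each request in the authenticate section. The sample log text embedded in the script is constructed from the lines quoted above; the function names are my own.

```python
"""Decode EAP-Message attributes and summarise per-request rlm_eap outcomes
from FreeRADIUS -X debug output.  Added example; not part of the original post."""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Constructed sample: attribute lines taken from the Access-Request quoted in
# the post, plus two modcall lines from the authenticate section.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.0.251:1207, id=1, length=123
        User-Name = "skylar"
        NAS-IP-Address = 192.168.0.251
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000b01736b796c6172
        Message-Authenticator = 0x569ec933397b73cc649fe1d15cdf7af1
  modcall[authenticate]: module "eap" returns handled for request 1
  modcall[authenticate]: module "eap" returns reject for request 7
"""


def decode_eap_message(hex_value):
    """Parse one EAP packet (RFC 3748 header) from its hex form in the debug log."""
    hex_value = hex_value.strip()
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # A truncated or padded EAP-Message is worth flagging on its own.
        raise ValueError(f"EAP Length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):  # Request/Response carry a Type byte followed by type-data
        if length < 5:
            raise ValueError("EAP Request/Response without a Type byte")
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        pkt["data"] = raw[5:]
        if eap_type == 1:  # Identity: type-data is the supplicant's identity string
            pkt["identity"] = raw[5:].decode("utf-8", errors="replace")
    return pkt


ATTR_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.+?)\s*$')
MODCALL_RE = re.compile(
    r'modcall\[authenticate\]: module "eap" returns (\w+) for request (\d+)')


def parse_attributes(debug_text):
    """Collect 'Name = value' attribute lines printed under rad_recv."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def eap_authenticate_results(debug_text):
    """Map request number -> what rlm_eap returned in the authenticate section."""
    return {int(req): rc for rc, req in MODCALL_RE.findall(debug_text)}


def identity_matches_user_name(attrs):
    """The EAP Identity inside EAP-Message should agree with the outer User-Name."""
    eap = decode_eap_message(attrs["EAP-Message"])
    return eap.get("identity") == attrs.get("User-Name")


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_DEBUG)
    print(decode_eap_message(attrs["EAP-Message"]))
    print("EAP Identity matches User-Name:", identity_matches_user_name(attrs))
    print(eap_authenticate_results(SAMPLE_DEBUG))
```

Run it against a saved `radiusd -X` capture to see where the conversation turns from `handled` to `reject`; the decoder only covers the outer EAP packet, since the PEAP inner exchange is TLS-encrypted and not visible in the log.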