Adam Tauno Williams <E-mail Protected> wrote:
>> I'm trying to set up RADIUS/WPA authentication using PEAP as
>> described in -
>> http://www.ibiblio.org/pub/Linux/docs/HOWTO/8021X-HOWTO - but I
>> never seem to get past the "Sending Access-Challenge" after I enter
>> my username and password on the client. User is simply an entry in
>> the users file with a clear text password. I've gone over the
>> config several times, but nothing jumps out at me as an error
>> message.

Alan DeKok wrote:
> The problem most likely is that the AP isn't seeing the response, or
> it isn't liking the response. Check the IP addresses that the packets
> use, via "tcpdump".

Okay, I've etherealled the connection and I see an "Access-Request" from the WAP to the RADIUS server, then an "Access-Challenge" from the RADIUS server to the WAP, and nothing else. What should the WAP's response to an "Access-Challenge" response be?

The WAP is 192.168.1.42 and the RADIUS server is 192.168.1.47.

No.  Time      Source        Destination   Protocol  Info
8    0.839425  192.168.1.42  192.168.1.47  RADIUS    Access-Request(1) (id=26, l=133)

Frame 8 (175 bytes on wire, 175 bytes captured)
Ethernet II, Src: noor.morrison.iserv.net (00:0f:3d:43:6a:3c), Dst: tor.morrison.iserv.net (00:0d:60:0f:fd:4a)
Internet Protocol, Src: 192.168.1.42 (192.168.1.42), Dst: 192.168.1.47 (192.168.1.47)
User Datagram Protocol, Src Port: groove-dpp (1211), Dst Port: radius (1812)
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x1a (26)
    Length: 133
    Authenticator: 14E77EEE7405E31F02AB6A803EB478A1
    Attribute Value Pairs
        AVP: l=10 t=User-Name(1): awilliam
        AVP: l=6 t=NAS-IP-Address(4): 192.168.1.42
        AVP: l=6 t=NAS-Port(5): 0
        AVP: l=19 t=Called-Station-Id(30): 00-0F-3D-43-6A-3C
        AVP: l=19 t=Calling-Station-Id(31): 00-14-A5-30-BC-27
        AVP: l=8 t=NAS-Identifier(32): wap001
        AVP: l=6 t=Framed-MTU(12): 1380
        AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
        AVP: l=15 t=EAP-Message(79) Last Segment[1]
            Length: 13
            EAP fragment
            Extensible Authentication Protocol
                Code: Response (2)
                Id: 1
                Length: 13
                Type: Identity [RFC3748] (1)
                Identity (8 bytes): awilliam
        AVP: l=18 t=Message-Authenticator(80): 92C34CC691D9BC0D5B49F180B2F4EA59
            Length: 16
            Message-Authenticator: 92C34CC691D9BC0D5B49F180B2F4EA59

No.  Time      Source        Destination   Protocol  Info
15   0.842887  192.168.1.47  192.168.1.42  RADIUS    Access-challenge(11) (id=26, l=83)

Frame 15 (125 bytes on wire, 125 bytes captured)
Ethernet II, Src: tor.morrison.iserv.net (00:0d:60:0f:fd:4a), Dst: noor.morrison.iserv.net (00:0f:3d:43:6a:3c)
Internet Protocol, Src: 192.168.1.47 (192.168.1.47), Dst: 192.168.1.42 (192.168.1.42)
User Datagram Protocol, Src Port: radius (1812), Dst Port: groove-dpp (1211)
Radius Protocol
    Code: Access-challenge (11)
    Packet identifier: 0x1a (26)
    Length: 83
    Authenticator: DE3DC989610D986213D85EF526EA47BD
    Attribute Value Pairs
        AVP: l=19 t=Reply-Message(18): EAPTEST Hello, %u
            Length: 17
            Reply-Message: EAPTEST Hello, %u
        AVP: l=8 t=EAP-Message(79) Last Segment[1]
            Length: 6
            EAP fragment
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 2
                Length: 6
                Type: PEAP [Palekar] (25)
                Flags(0x20): Start
                PEAP version 0
        AVP: l=18 t=Message-Authenticator(80): 36719CCCEE09502EA6C644C5EEC62B87
            Length: 16
            Message-Authenticator: 36719CCCEE09502EA6C644C5EEC62B87
        AVP: l=18 t=State(24): 4CA90CA7DE0086900AEB2E8BB35E773A
            Length: 16
            State: 4CA90CA7DE0086900AEB2E8BB35E773A

No.  Time      Source        Destination   Protocol  Info
16   0.879314  192.168.1.42  192.168.1.47  RADIUS    Access-Request(1) (id=27, l=218)

Frame 16 (260 bytes on wire, 260 bytes captured)
Ethernet II, Src: noor.morrison.iserv.net (00:0f:3d:43:6a:3c), Dst: tor.morrison.iserv.net (00:0d:60:0f:fd:4a)
Internet Protocol, Src: 192.168.1.42 (192.168.1.42), Dst: 192.168.1.47 (192.168.1.47)
User Datagram Protocol, Src Port: groove-dpp (1211), Dst Port: radius (1812)
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x1b (27)
    Length: 218
    Authenticator: FBD53DBF46F4F69697F2427EDE5176A3
    Attribute Value Pairs
        AVP: l=10 t=User-Name(1): awilliam
        AVP: l=6 t=NAS-IP-Address(4): 192.168.1.42
        AVP: l=6 t=NAS-Port(5): 0
        AVP: l=19 t=Called-Station-Id(30): 00-0F-3D-43-6A-3C
        AVP: l=19 t=Calling-Station-Id(31): 00-14-A5-30-BC-27
        AVP: l=8 t=NAS-Identifier(32): wap001
        AVP: l=6 t=Framed-MTU(12): 1380
        AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
        AVP: l=82 t=EAP-Message(79) Last Segment[1]
            Length: 80
            EAP fragment
            Extensible Authentication Protocol
                Code: Response (2)
                Id: 2
                Length: 80
                Type: PEAP [Palekar] (25)
                Flags(0x80): Length
                PEAP version 0
                Length: 70
                Secure Socket Layer
        AVP: l=18 t=State(24): 4CA90CA7DE0086900AEB2E8BB35E773A
            Length: 16
            State: 4CA90CA7DE0086900AEB2E8BB35E773A
        AVP: l=18 t=Message-Authenticator(80): DF3CCA452EF2AF5D0CAA8EB46534127D
            Length: 16
            Message-Authenticator: DF3CCA452EF2AF5D0CAA8EB46534127D

No.  Time      Source        Destination   Protocol  Info
23   0.885616  192.168.1.47  192.168.1.42  RADIUS    Access-challenge(11) (id=27, l=1119)

Frame 23 (1161 bytes on wire, 1161 bytes captured)
Ethernet II, Src: tor.morrison.iserv.net (00:0d:60:0f:fd:4a), Dst: noor.morrison.iserv.net (00:0f:3d:43:6a:3c)
Internet Protocol, Src: 192.168.1.47 (192.168.1.47), Dst: 192.168.1.42 (192.168.1.42)
User Datagram Protocol, Src Port: radius (1812), Dst Port: groove-dpp (1211)
Radius Protocol
    Code: Access-challenge (11)
    Packet identifier: 0x1b (27)
    Length: 1119
    Authenticator: 51DB666236DA04D0B72A4E99FAE73956
    Attribute Value Pairs
        AVP: l=19 t=Reply-Message(18): EAPTEST Hello, %u
            Length: 17
            Reply-Message: EAPTEST Hello, %u
        AVP: l=255 t=EAP-Message(79) Segment[1]
        AVP: l=255 t=EAP-Message(79) Segment[2]
        AVP: l=255 t=EAP-Message(79) Segment[3]
        AVP: l=255 t=EAP-Message(79) Segment[4]
        AVP: l=24 t=EAP-Message(79) Last Segment[5]
            Length: 22
            EAP fragment
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 3
                Length: 1034
                Type: PEAP [Palekar] (25)
                Flags(0xC0): Length More
                PEAP version 0
                Length: 3974
                EAP-TLS Fragments (3974 bytes): #23(1024), #35(1024), #46(1024), #54(902)
                Secure Socket Layer
        AVP: l=18 t=Message-Authenticator(80): F4814C72EEE61CD5CEFC53B36B267D4C
            Length: 16
            Message-Authenticator: F4814C72EEE61CD5CEFC53B36B267D4C
        AVP: l=18 t=State(24): D338F7D46B55BA06D75A99DAB2F12D57
            Length: 16
            State: D338F7D46B55BA06D75A99DAB2F12D57

No.  Time      Source        Destination   Protocol  Info
27   2.062088  192.168.1.42  192.168.1.47  RADIUS    Access-Request(1) (id=28, l=144)

Frame 27 (186 bytes on wire, 186 bytes captured)
Ethernet II, Src: noor.morrison.iserv.net (00:0f:3d:43:6a:3c), Dst: tor.morrison.iserv.net (00:0d:60:0f:fd:4a)
Internet Protocol, Src: 192.168.1.42 (192.168.1.42), Dst: 192.168.1.47 (192.168.1.47)
User Datagram Protocol, Src Port: groove-dpp (1211), Dst Port: radius (1812)
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x1c (28)
    Length: 144
    Authenticator: 77439BFA74CDEE8C8B73E043554916F0
    Attribute Value Pairs
        AVP: l=10 t=User-Name(1): awilliam
        AVP: l=6 t=NAS-IP-Address(4): 192.168.1.42
        AVP: l=6 t=NAS-Port(5): 0
        AVP: l=19 t=Called-Station-Id(30): 00-0F-3D-43-6A-3C
        AVP: l=19 t=Calling-Station-Id(31): 00-14-A5-30-BC-27
        AVP: l=8 t=NAS-Identifier(32): wap001
        AVP: l=6 t=Framed-MTU(12): 1380
        AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
        AVP: l=8 t=EAP-Message(79) Last Segment[1]
            Length: 6
            EAP fragment
            Extensible Authentication Protocol
                Code: Response (2)
                Id: 3
                Length: 6
                Type: PEAP [Palekar] (25)
                Flags(0x0):
                PEAP version 0
        AVP: l=18 t=State(24): D338F7D46B55BA06D75A99DAB2F12D57
            Length: 16
            State: D338F7D46B55BA06D75A99DAB2F12D57
        AVP: l=18 t=Message-Authenticator(80): 7A8DCF047F1B584608FE71A8EAB584AC
            Length: 16
            Message-Authenticator: 7A8DCF047F1B584608FE71A8EAB584AC

No.  Time      Source        Destination   Protocol  Info
35   2.068415  192.168.1.47  192.168.1.42  RADIUS    Access-challenge(11) (id=28, l=1115)

Frame 35 (1157 bytes on wire, 1157 bytes captured)
Ethernet II, Src: tor.morrison.iserv.net (00:0d:60:0f:fd:4a), Dst: noor.morrison.iserv.net (00:0f:3d:43:6a:3c)
Internet Protocol, Src: 192.168.1.47 (192.168.1.47), Dst: 192.168.1.42 (192.168.1.42)
User Datagram Protocol, Src Port: radius (1812), Dst Port: groove-dpp (1211)
Radius Protocol
    Code: Access-challenge (11)
    Packet identifier: 0x1c (28)
    Length: 1115
    Authenticator: 2A5E1665347BA87046D857CAB331686F
    Attribute Value Pairs
        AVP: l=19 t=Reply-Message(18): EAPTEST Hello, %u
            Length: 17
            Reply-Message: EAPTEST Hello, %u
        AVP: l=255 t=EAP-Message(79) Segment[1]
        AVP: l=255 t=EAP-Message(79) Segment[2]
        AVP: l=255 t=EAP-Message(79) Segment[3]
        AVP: l=255 t=EAP-Message(79) Segment[4]
        AVP: l=20 t=EAP-Message(79) Last Segment[5]
            Length: 18
            EAP fragment
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 4
                Length: 1030
                Type: PEAP [Palekar] (25)
                Flags(0x40): More
                PEAP version 0
                EAP-TLS Fragments (3974 bytes): #23(1024), #35(1024), #46(1024), #54(902)
                Secure Socket Layer
        AVP: l=18 t=Message-Authenticator(80): 755BE6D63AA6F48DC661705F2EE3A5AD
            Length: 16
            Message-Authenticator: 755BE6D63AA6F48DC661705F2EE3A5AD
        AVP: l=18 t=State(24): 6A14161A7B2A4D2A2B0EED6451D7555F
            Length: 16
            State: 6A14161A7B2A4D2A2B0EED6451D7555F

--
Adam Tauno Williams - http://www.whitemice.org

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
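
Added example (not part of the original message and not FreeRADIUS code): a Python check of the exchange in the trace above against the rules a NAS follows when answering an Access-Challenge: a new RADIUS identifier, the State attribute echoed unchanged, the EAP Id of the outstanding request, and an empty PEAP response to acknowledge a fragment that has the More bit set. The TRACE tuples are a summary constructed from the values in the trace; the function and field names are illustrative.

```python
L_FLAG, M_FLAG, S_FLAG = 0x80, 0x40, 0x20   # PEAP/EAP-TLS flag bits

# Constructed summary of the six packets in the trace above (values copied from it):
# (frame, radius_code, radius_id, eap_id, eap_len, peap_flags, tls_total, state)
TRACE = [
    (8,  "Access-Request",   26, 1, 13,   None, None, None),
    (15, "Access-Challenge", 26, 2, 6,    0x20, None, "4CA90CA7DE0086900AEB2E8BB35E773A"),
    (16, "Access-Request",   27, 2, 80,   0x80, 70,   "4CA90CA7DE0086900AEB2E8BB35E773A"),
    (23, "Access-Challenge", 27, 3, 1034, 0xC0, 3974, "D338F7D46B55BA06D75A99DAB2F12D57"),
    (27, "Access-Request",   28, 3, 6,    0x00, None, "D338F7D46B55BA06D75A99DAB2F12D57"),
    (35, "Access-Challenge", 28, 4, 1030, 0x40, None, "6A14161A7B2A4D2A2B0EED6451D7555F"),
]

def tls_bytes(eap_len, flags):
    """TLS payload of one PEAP packet: EAP length minus the 6-byte
    code/id/length/type/flags header and the 4-byte length field if L is set."""
    return eap_len - 6 - (4 if flags & L_FLAG else 0)

def check_exchange(trace):
    """Return (problems, pending): violations found, and what the RADIUS
    server is still waiting for after the last packet (None if nothing)."""
    problems, pending, request_id, total, got = [], None, None, None, 0
    for frame, code, rid, eap_id, eap_len, flags, tls_total, state in trace:
        if code == "Access-Request":
            if pending:  # this request must answer the outstanding challenge
                if rid == pending["radius_id"]:
                    problems.append(f"frame {frame}: RADIUS id reused")
                if eap_id != pending["eap_id"]:
                    problems.append(f"frame {frame}: EAP Id does not match the request")
                if state != pending["state"]:
                    problems.append(f"frame {frame}: State not echoed")
                if pending["ack"] and (flags is None or flags & 0xE0 or eap_len != 6):
                    problems.append(f"frame {frame}: fragment not ACKed")
            pending, request_id = None, rid
        else:  # Access-Challenge carrying a PEAP request
            if rid != request_id:
                problems.append(f"frame {frame}: reply id does not match request")
            if flags & L_FLAG:      # first fragment announces the total TLS length
                total, got = tls_total, 0
            if total is not None:
                got += tls_bytes(eap_len, flags)
            pending = {"radius_id": rid, "eap_id": eap_id, "state": state,
                       "ack": bool(flags & M_FLAG), "tls_got": got, "tls_total": total}
    return problems, pending

if __name__ == "__main__":
    print(check_exchange(TRACE))
```

For the six packets shown, the check finds no violations and ends with the server waiting for an acknowledgement of EAP Id 4 that echoes State 6A14161A7B2A4D2A2B0EED6451D7555F, with 2048 of 3974 TLS bytes delivered.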