K. Hoercher wrote:
On 9/20/06, Florian Prester <[EMAIL PROTECTED]> wrote:
Also I have some questions about eap at all. How should it work
correctly. because I see up to 10 Authentication-Requests until the
client is authenticated correctly. For example the client wants to do
EAP-PEAP (Windows-client), but the radius says EAP-NAK:
      rlm_eap: Request found, released from the list
      rlm_eap: EAP NAK
      rlm_eap: EAP-NAK asked for EAP-Type/peap
      rlm_eap: processing type tls
      rlm_eap_tls: Initiate
      rlm_eap_tls: Start returned 1
    modcall[authenticate]: module "eap" returns handled for request 231
    modcall: leaving group authenticate (returns handled) for request 231
    Sending Access-Challenge ...
    Finished request 231

What does it mean? Can I tune the process?

My guess would be, that your default_eap_type in eap.conf is not set
to peap. So your supplicant (XP) is sending the NAK (not the server,
it just logs that it got the NAK) to get the server to use peap.
Depending on your needs you could change it. That's a normal part of
EAP. As is the sending back and forth of Access-Requests and
Access-Challenges to negotiate the details inherent to EAP.

OK - thanks. So I have to take a deeper look at the eap-process.
But, ...
Log:
rad_recv: Access-Request packet from host 131.188.4.190:20000, id=35,
length=202
        NAS-Port-Id = "2059/1"
        Calling-Station-Id = "00-15-00-01-C0-D1"
        Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF"
        Service-Type = Framed-User
        User-Name = "unrz06"
        State = 0x...
        EAP-Message = 0x...
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "Trapeze"
        NAS-IP-Address = 131.188.4.190
        Message-Authenticator = 0x...

The username looks like a machine name for .uni-erlangen.de. Do you
intend to use machine authentication? If so, what does a successful
request look like? Note that it seems to only find matching DEFAULT
entries, so peap would be impossible, as no User-Password is known to
freeradius. Otherwise, you should check your XP setup to use the
intended username/password credentials combo.

... no, that is not a machine name or something. This is a subsequent request, after a password has been submitted,
looking at EAP-Message, Authenticator, and so on.
But looking back at the full request:

rad_recv: Access-Request packet from host 131.188.4.190:20000, id=35, length=202
      NAS-Port-Id = "2059/1"
      Calling-Station-Id = "00-15-00-01-C0-D1"
      Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF"
      Service-Type = Framed-User
      User-Name = "unrz06"
      State = 0x...
      EAP-Message = 0x...
      NAS-Port-Type = Wireless-802.11
      NAS-Identifier = "Trapeze"
      NAS-IP-Address = 131.188.4.190
      Message-Authenticator = 0x...
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 228
modcall[authorize]: module "preprocess" returns ok for request 228
modcall[authorize]: module "chap" returns noop for request 228
modcall[authorize]: module "mschap" returns noop for request 228
rlm_eap: EAP packet type response id 14 length 53
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 228
  users: Matched entry DEFAULT at line 12
modcall[authorize]: module "files" returns ok for request 228
rlm_ldap: - authorize
modcall[authorize]: module "ldap" returns ok for request 228
modcall[authorize]: module "perl" returns ok for request 228
modcall: leaving group authorize (returns updated) for request 228
rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 228
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
  TLS_accept: SSLv3 read finished A
  (other): SSL negotiation finished successfully
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
SSL Connection Established
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 228
modcall: leaving group authenticate (returns reject) for request 228
auth: Failed to validate the user.
Login incorrect: [unrz06] (from client QRA-MX port 0 cli 00-15-00-01-C0-D1)
Sending Access-Reject of id 35 to 131.188.4.190 port 20000
      EAP-Message = 0x040e0004
      Message-Authenticator = 0x00000000000000000000000000000000
Finished request 228

I do not get the reason why this request is rejected!
Why does the module "eap" reject a request? How can I debug eap?
regards
K. Hoercher
Thanks and best regards

F.Prester


--
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Martensstr. 1
91052 Erlangen
Germany

Tel.: +499131 8527813
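To make sense of the EAP-NAK negotiation Hoercher describes and of the EAP-Message = 0x040e0004 in the Access-Reject above, here is an added Python decoder for the EAP header layout (RFC 3748) as FreeRADIUS prints it in hex. It is example code, not part of the thread or of FreeRADIUS; the NAK and EAP-TLS start packets in it are constructed samples, only the Failure packet is taken from the log.

```python
# Added example: decode EAP-Message values from a FreeRADIUS debug log.
# Header per RFC 3748: Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eap(hexstr):
    """Parse one EAP packet given as the '0x...' hex string FreeRADIUS logs."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        # A mismatch here means a truncated or corrupted attribute, not a real EAP packet
        raise ValueError(f"length field {length} != {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type byte
        etype = data[4]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype == 3:  # Legacy Nak: Type-Data lists the methods the peer will accept
            pkt["desired"] = [EAP_TYPES.get(b, b) for b in data[5:]]
    return pkt


# From the log: the Access-Reject carries EAP Failure, id 14 (0x0e), length 4.
REJECT_EAP = "0x040e0004"
# Constructed: what the XP supplicant sends when the server starts with EAP-TLS
# (Request id 1, Type 13, Start flag) but the client wants PEAP (Type 25).
SERVER_TLS_START = "0x010100060d20"
CLIENT_NAK_PEAP = "0x020100060319"

if __name__ == "__main__":
    for label, raw in (("reject", REJECT_EAP), ("server", SERVER_TLS_START),
                       ("nak", CLIENT_NAK_PEAP)):
        print(label, decode_eap(raw))
```

The Failure id 14 matches the "EAP packet type response id 14" the server logged for the same conversation, so the reject is the server's final answer to that PEAP exchange rather than a stray packet.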

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
