Dear All,

Kindly help with the following setup:

SETUP:
wifi client (Windows XP Service Pack 2) <-----------------> AP <-----------------------> freeradius-2.1.1 on Red Hat Fedora 9
auth type: PEAP-EAP-MD5
wpa-enterprise (external RADIUS server)
user: client
password: test123

I am trying to use WPA-Enterprise with PEAP/EAP-MD5 as the authentication type and freeradius-2.1.1 as the external RADIUS server. It fails to authenticate. Attached are the log files and Wireshark captures from the freeradius-2.1.1 side.

Regards
Prasad
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=90, length=182
        User-Name = "client"
        NAS-IP-Address = 192.168.0.199
        NAS-Identifier = "test.5gwireless.com"
        NAS-Port = 0
        Called-Station-Id = "00-0B-6B-87-01-BD:test"
        Calling-Station-Id = "00-1C-F0-9B-64-E5"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
        EAP-Message = 0x020300061900
        State = 0x49595b094b5a4202775fa048860f1f11
        Message-Authenticator = 0x536599f560d86a4c509be7a69f47084e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 90 to 192.168.0.199 port 1376
        EAP-Message = 0x010402c719004e071ea95e3d7726e47f44c7cada8299cb134d5f0fbc491f7a1b8dcf8b014cc36f95a4d15cddcc861f2fa61c5433d2f417cdceda75620bd687128300957c99c8e8a1ed728f992ad98187abb16d10be7f4728242a89d18cf3b909fc50ea7b0044e32483860426732d83c107bc648fa7326fc71665dfa6cf60108aaaa8713b4f36b9a942fdf56e5ca530bace2a81b8db083bc3015d0cd19db23d09c59b765f3bf182ac28b46327160301020d0c0002090080ca6b6b090d42dbd654e500e15188e1f8db31d77b18d37bae34d299d06c5e6b5a59b670a81389f7101ee8b070444fb8587b8d26e797175d316e46411dbd7d700ac3fbe0b85496
        EAP-Message = [value not recovered from the archive]
        EAP-Message = 0xaa038d4d59aaac90489b936a6fe2cdb931214fa2fb22d5fd999d8fd41c3438918c17d5d4a415a7cf91de037c318d1183f3aa98e2bfbe642cefdfc8ce6c3163862323baf4f9eb9e9ad175d106d4ced3679a46a2bf67572ba12b6631cf3aadf43b34121fa915fee0ccf9f5aa322e70600c47eefbe0070a08ac77ff117f548d38fe62401c32263aa9a30f9e2d30a39af60e79355c4a3989bd659676f2de96174cfd7ea3e40d48d3ba5d76dfc89f95ec3013e068cab6abe6b55a43639c385b8933d5a967b94116030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x49595b094a5d4202775fa048860f1f11
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=91, length=376
        User-Name = "client"
        NAS-IP-Address = 192.168.0.199
        NAS-Identifier = "test.5gwireless.com"
        NAS-Port = 0
        Called-Station-Id = "00-0B-6B-87-01-BD:test"
        Calling-Station-Id = "00-1C-F0-9B-64-E5"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
        EAP-Message = 0x020400c81980000000be1603010086100000820080921071c4c63cc4670634284452c1843e64dc3503e4ff15ab50d3402443f221d512966eeb9c8321a6b2f2dbda5960513a8deff8b54a3e38daac6ed006819df33f60a272ed93cbeca74ffd0ff7d22e22fb61ea177d938ad361b83fa9be6c6f332469d83657361268ef9c6b9e34a85ce3772395a5f127c1e08383c210aa7867f5ef140301000101160301002895b81e66dbea1f5ae2271fa4ed91741693c7d1fc4bc0b1449f2f68cba0fc095c56725f85057164f1
        State = 0x49595b094a5d4202775fa048860f1f11
        Message-Authenticator = 0xde20d26aea8d5ecf5fe8fd8e38f5414d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 200
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 190
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 91 to 192.168.0.199 port 1376
        EAP-Message = 0x0105003919001403010001011603010028d11b1f9113307828ff1855a4d19be23a61a2747273fab76098dc4d83a3bd82500743194eb0dcb4b3
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x49595b094d5c4202775fa048860f1f11
Finished request 4.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=92, length=182
        User-Name = "client"
        NAS-IP-Address = 192.168.0.199
        NAS-Identifier = "test.5gwireless.com"
        NAS-Port = 0
        Called-Station-Id = "00-0B-6B-87-01-BD:test"
        Calling-Station-Id = "00-1C-F0-9B-64-E5"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
        EAP-Message = 0x020500061900
        State = 0x49595b094d5c4202775fa048860f1f11
        Message-Authenticator = 0xc765f4cb6011014227ede4176aa494ff
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 92 to 192.168.0.199 port 1376
        EAP-Message = 0x0106002b1900170301002051411f474ebeb73ac25eb6804f77f858c2162c497d0d44795af75750553d7cdb
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x49595b094c5f4202775fa048860f1f11
Finished request 5.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=93, length=248
        User-Name = "client"
        NAS-IP-Address = 192.168.0.199
        NAS-Identifier = "test.5gwireless.com"
        NAS-Port = 0
        Called-Station-Id = "00-0B-6B-87-01-BD:test"
        Calling-Station-Id = "00-1C-F0-9B-64-E5"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
        EAP-Message = 0x02060048190017030100189dce6ae4b0e7626a80e9fa6b2033ae5111ba27f667cae4191703010020e7e2a4d0e906f105352cfadf2cf40dad31102a956da8cf1a7238a0808d0695ed
        State = 0x49595b094c5f4202775fa048860f1f11
        Message-Authenticator = 0x38dc142142c303e80b7572794b3724d8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 72
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - client
[peap] Got tunnled request
        EAP-Message = 0x0206000b01636c69656e74
server (null) {
  PEAP: Got tunneled identity of client
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to client
Sending tunneled request
        EAP-Message = 0x0206000b01636c69656e74
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "client"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry client at line 89
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        Reply-Message = "Hello, client"
        EAP-Message = 0x010700201a0107001b10f474f3b69580e17f3b0680c2d41d7317636c69656e74
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc6718235c67698c446659fb782fc21ed
[peap] Got tunneled reply RADIUS code 11
        Reply-Message = "Hello, client"
        EAP-Message = 0x010700201a0107001b10f474f3b69580e17f3b0680c2d41d7317636c69656e74
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc6718235c67698c446659fb782fc21ed
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 93 to 192.168.0.199 port 1376
        EAP-Message = 0x01070043190017030100386beaabe29f5cd53608a3709bff2704b45506358ecf996bc4a716ca71967d65619ed31409ce14c577ab3929b185eb24d47b047bd6e8a8d5bb
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x49595b094f5e4202775fa048860f1f11
Finished request 6.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=94, length=240
        User-Name = "client"
        NAS-IP-Address = 192.168.0.199
        NAS-Identifier = "test.5gwireless.com"
        NAS-Port = 0
        Called-Station-Id = "00-0B-6B-87-01-BD:test"
        Calling-Station-Id = "00-1C-F0-9B-64-E5"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
        EAP-Message = 0x02070040190017030100186e2edd18ceb5604a145d713f4597b44baece5f0f88e8e5ea17030100181ef6f25817bed8c00e1da6aa9838c59fcb9f174b6a388724
        State = 0x49595b094f5e4202775fa048860f1f11
        Message-Authenticator = 0x0e3ddbc203700437b5d6eee1cecd5912
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 64
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type nak
[peap] Got tunnled request
        EAP-Message = 0x020700060304
server (null) {
  PEAP: Setting User-Name to client
Sending tunneled request
        EAP-Message = 0x020700060304
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "client"
        State = 0xc6718235c67698c446659fb782fc21ed
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry client at line 89
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/md5
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        Reply-Message = "Hello, client"
        EAP-Message = 0x010800160410d10c9d658f673584ebe48d9ee23dd292
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc6718235c77986c446659fb782fc21ed
[peap] Got tunneled reply RADIUS code 11
        Reply-Message = "Hello, client"
        EAP-Message = 0x010800160410d10c9d658f673584ebe48d9ee23dd292
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc6718235c77986c446659fb782fc21ed
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 94 to 192.168.0.199 port 1376
        EAP-Message = 0x0108003319001703010028d6840c48ca0c7872a1e0002880490cb55f3edcb169129e6bae0e834a36b04d8423df210db790d0ca
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x49595b094e514202775fa048860f1f11
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=95, length=256
        User-Name = "client"
        NAS-IP-Address = 192.168.0.199
        NAS-Identifier = "test.5gwireless.com"
        NAS-Port = 0
        Called-Station-Id = "00-0B-6B-87-01-BD:test"
        Calling-Station-Id = "00-1C-F0-9B-64-E5"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
        EAP-Message = 0x02080050190017030100188fda9b5c9d547537d95d8b15b0bddf49979dca1a962227af170301002857d6298e0c53206e1445f8c5ec7cb11c63dc7d7e8a289dc5fe81a94fef7070a4213b0aace8e50a6c
        State = 0x49595b094e514202775fa048860f1f11
        Message-Authenticator = 0x39edb9c79e34ab3c3688719c8ca23a74
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type md5
[peap] Got tunnled request
        EAP-Message = 0x020800160410622705afb928b5c49b4b6deae44b4ea7
server (null) {
  PEAP: Setting User-Name to client
Sending tunneled request
        EAP-Message = 0x020800160410622705afb928b5c49b4b6deae44b4ea7
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "client"
        State = 0xc6718235c77986c446659fb782fc21ed
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry client at line 89
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        Reply-Message = "Hello, client"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        Reply-Message = "Hello, client"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 95 to 192.168.0.199 port 1376
        EAP-Message = 0x0109002b19001703010020cf1e805cee2c191d83f70d7012d0ea5cd7ae3e2f6cd9543e784fdfa2147b4557
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x49595b0941504202775fa048860f1f11
Finished request 8.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=96, length=248
        User-Name = "client"
        NAS-IP-Address = 192.168.0.199
        NAS-Identifier = "test.5gwireless.com"
        NAS-Port = 0
        Called-Station-Id = "00-0B-6B-87-01-BD:test"
        Calling-Station-Id = "00-1C-F0-9B-64-E5"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
        EAP-Message = 0x0209004819001703010018b13073e5eb51fae3821e121fdd6383c48cc6b5b190bb6788170301002083628dd64df93fffefdb38356d51e0b78093db0a5f5873dd888bff546386d219
        State = 0x49595b0941504202775fa048860f1f11
        Message-Authenticator = 0x1b52b20bc7954df7401c5c955e414687
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 72
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> client
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 96 to 192.168.0.199 port 1376
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
Cleaning up request 0 ID 87 with timestamp +59
Cleaning up request 1 ID 88 with timestamp +59
Cleaning up request 2 ID 89 with timestamp +59
Cleaning up request 3 ID 90 with timestamp +59
Waking up in 0.1 seconds.
Cleaning up request 4 ID 91 with timestamp +59
Cleaning up request 5 ID 92 with timestamp +59
Cleaning up request 6 ID 93 with timestamp +59
Cleaning up request 7 ID 94 with timestamp +59
Cleaning up request 8 ID 95 with timestamp +59
Waking up in 1.0 seconds.
Cleaning up request 9 ID 96 with timestamp +59
Ready to process requests.
Attachment: dro250i_auth_assoc_open_wpa-peap_eap_md5_eth_cap_freeradius-2.1.1 (binary data)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
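The failure in the log is inside the PEAP tunnel: the inner server issues an MSCHAPv2 challenge, the client NAKs and asks for MD5, rlm_eap_md5 issues a challenge, and the client's MD5 response is rejected. The decoder below is an added example, not part of Prasad's post or of FreeRADIUS; it parses the tunneled EAP-Message values copied from the log (RFC 3748 header plus the Identity, Nak and MD5-Challenge payloads) and reproduces the check rlm_eap_md5 performs, MD5(Identifier || password || Challenge) per RFC 3748 section 5.4 and RFC 1994, against the password stated in the post. Function and constant names are mine.

```python
import hashlib

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 25: "PEAP", 26: "MSCHAPv2"}


def decode_eap(hexstr):
    """Parse one EAP packet as printed by radiusd -X (0x-prefixed hex)."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte and payload
        eap_type = data[4]
        body = data[5:]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:   # Identity: the peer's NAI
            info["identity"] = body.decode("ascii", "replace")
        elif eap_type == 3: # Nak: list of EAP types the peer would accept instead
            info["desired_types"] = [EAP_TYPES.get(t, t) for t in body]
        elif eap_type == 4: # MD5-Challenge: Value-Size, Value, optional Name
            vsize = body[0]
            info["value"] = body[1:1 + vsize].hex()
            info["name"] = body[1 + vsize:].decode("ascii", "replace")
    return info


def md5_challenge_response(ident, password, challenge_hex):
    """RFC 3748 s5.4 / RFC 1994: Value = MD5(Identifier || secret || Challenge)."""
    raw = bytes([ident]) + password.encode() + bytes.fromhex(challenge_hex)
    return hashlib.md5(raw).hexdigest()


def check_md5_exchange(request_hex, response_hex, password):
    """Redo the inner server's verification of a tunneled MD5-Challenge pair."""
    req, resp = decode_eap(request_hex), decode_eap(response_hex)
    if (req.get("type") != "MD5-Challenge" or resp.get("type") != "MD5-Challenge"
            or req["id"] != resp["id"]):
        raise ValueError("not a matching MD5-Challenge request/response pair")
    return md5_challenge_response(resp["id"], password, req["value"]) == resp["value"]


# Tunneled EAP-Message values copied from the inner-tunnel part of the log above.
IDENTITY = "0x0206000b01636c69656e74"
NAK = "0x020700060304"
MD5_REQUEST = "0x010800160410d10c9d658f673584ebe48d9ee23dd292"
MD5_RESPONSE = "0x020800160410622705afb928b5c49b4b6deae44b4ea7"
FAILURE = "0x04080004"

if __name__ == "__main__":
    for packet in (IDENTITY, NAK, MD5_REQUEST, MD5_RESPONSE, FAILURE):
        print(decode_eap(packet))
    # True means the client answered with the password from the post, so the
    # problem is on the server side (e.g. the users entry at line 89 lacks a
    # Cleartext-Password); False means the supplicant sent something else.
    print("response matches test123:", check_md5_exchange(MD5_REQUEST, MD5_RESPONSE, "test123"))
```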