Re: 3com Wireless Access Point and FreeRadius

> Then it doesn't do EAP properly.

I have double checked with 3com to confirm they did not microsoft the EAP standard and I am told it is completely compliant with standard EAP. After reviewing the URL posted by John Lindsay, I see that Cisco Aironet is working with freeradius and I have found a curious item in the dump of freeradius. The 3com access point is sending back a response to the challenge but the radius server is getting an error in the rlm_eap modules. The following is a full dump of the transaction:

rad_recv: Access-Request packet from host 64.214.69.235:5001, id=29, length=67
    EAP-Message = \002\001\000\t\001junk
    Message-Authenticator = 0x391509740ecb0d9e19fa22520f29ee1a
    NAS-IP-Address = 192.168.100.170
    User-Name = junk
    Framed-MTU = 1400
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module eap returns updated
modcall[authorize]: module suffix returns ok
users: Matched junk at 67
modcall[authorize]: module files returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: processing type md5
modcall[authenticate]: module eap returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 29 to 64.214.69.235:5001
    EAP-Message = \001\035\000\026\004\020#\237\300j\320\225\376\2639\262\265\340\333F\243
    Message-Authenticator = 0x
    State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf4210ec4828ecd3a5430359074e4689b
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 64.214.69.235:5001, id=30, length=108
    EAP-Message = \002\035\000\032\004\020\364\366\257\206F\017@Nb\tV\251.\314\334junk
    Message-Authenticator = 0x465a58897948e060466ca171349e5911
    NAS-IP-Address = 192.168.100.170
    User-Name = junk
    State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf421
    Framed-MTU = 1400
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module eap returns updated
modcall[authorize]: module suffix returns ok
users: Matched junk at 67
modcall[authorize]: module files returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: State verification failed.
modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Sending Access-Reject of id 30 to 64.214.69.235:5001
Finished request 1
Going to the next request
Waking up in 6 seconds...

How can I track down what is causing the failure in the eap module?

Eric

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 14, 2002 2:33 PM
Subject: Re: 3com Wireless Access Point and FreeRadius

Eric John Seneca [EMAIL PROTECTED] wrote:
> The reason there is no response back is because the 3com access point interprets challenge as a failure.

Then it doesn't do EAP properly.

> Is there any special setting I must define for the user? The access point and client only have one setting which is EAP-MD5. I do not have any DEFAULT setting for EAP. There seem to be settings for SLIP and other protocols in the users file. Am I missing something in the configuration of the radius server?

No. The NAS is asking to do EAP, and then complaining when it gets an EAP response. Fix the NAS to do EAP properly. Poking the RADIUS server won't do anything.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 3com Wireless Access Point and FreeRadius

Eric John Seneca wrote:
> Sending Access-Challenge of id 29 to 64.214.69.235:5001
>     EAP-Message = \001\035\000\026\004\020#\237\300j\320\225\376\2639\262\265\340\333F\243
>     Message-Authenticator = 0x
>     State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf4210ec4828ecd3a5430359074e4689b
> rad_recv: Access-Request packet from host 64.214.69.235:5001, id=30, length=108
>     EAP-Message = \002\035\000\032\004\020\364\366\257\206F\017@Nb\tV\251.\314\334junk
>     Message-Authenticator = 0x465a58897948e060466ca171349e5911
>     NAS-IP-Address = 192.168.100.170
>     User-Name = junk
>     State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf421
>     Framed-MTU = 1400
> rlm_eap: State verification failed.

Ok. The problem now is that your 3com AP MODIFIED the State Attribute that Radius Server sent and replied. For some reason it stripped off the last bytes. Try to verify why this is happening.

-Raghu
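
The comparison described in the message above (the State sent in the Access-Challenge against the State echoed in the next Access-Request) can be run over a saved debug log. This is an added example, not part of the original thread and not FreeRADIUS code; the function name check_state_echo is hypothetical, the sample log is constructed from the two State values quoted above, and it assumes the debug output's one-attribute-per-line layout, IPv4 addresses, and one EAP conversation per NAS at a time.

```python
import re

# Constructed sample in the debug log's one-attribute-per-line layout; the two
# State values are the ones quoted in the message above.
SAMPLE_LOG = """\
Sending Access-Challenge of id 29 to 64.214.69.235:5001
    State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf4210ec4828ecd3a5430359074e4689b
rad_recv: Access-Request packet from host 64.214.69.235:5001, id=30, length=108
    User-Name = junk
    State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf421
rlm_eap: State verification failed.
"""

# Assumption: IPv4 "address:port" as printed in this thread's dumps.
SENT = re.compile(r"^Sending Access-Challenge of id \d+ to ([^:\s]+):")
RECV = re.compile(r"^rad_recv: Access-Request packet from host ([^:\s]+):")
STATE = re.compile(r"^\s*State = 0x((?:[0-9a-fA-F]{2})*)\s*$")


def check_state_echo(log_text):
    """Pair each State sent in a challenge with the State the NAS returns.

    Returns (nas_ip, sent_len, returned_len, verdict) tuples, where verdict
    is "intact", "truncated" (a shorter prefix came back) or "altered".
    """
    pending = {}            # NAS IP -> State bytes from its last challenge
    findings = []
    direction = nas = None
    for line in log_text.splitlines():
        if m := SENT.match(line):
            direction, nas = "sent", m.group(1)
        elif m := RECV.match(line):
            direction, nas = "recv", m.group(1)
        elif (m := STATE.match(line)) and nas:
            state = bytes.fromhex(m.group(1))
            if direction == "sent":
                pending[nas] = state
            elif nas in pending:
                sent = pending.pop(nas)
                if state == sent:
                    verdict = "intact"
                elif sent.startswith(state):
                    verdict = "truncated"
                else:
                    verdict = "altered"
                findings.append((nas, len(sent), len(state), verdict))
    return findings


if __name__ == "__main__":
    for nas, sent_len, got_len, verdict in check_state_echo(SAMPLE_LOG):
        print(f"{nas}: sent {sent_len} bytes, got back {got_len}: {verdict}")
```

On the values from this thread it reports a 36-byte State coming back as its first 22 bytes, which is the mismatch behind "State verification failed".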

Re: 3com Wireless Access Point and FreeRadius

Eric John Seneca [EMAIL PROTECTED] wrote:
> Where do I get the module rlm_eap for freeradius? I get the following message ...

It was not included in the tarball for freeradius-0.4. Try grabbing the latest CVS snapshot.

Alan DeKok.

Re: 3com Wireless Access Point and FreeRadius

> Try grabbing the latest CVS snapshot.

After compiling the CVS snapshot and configuring the /etc/raddb/radius.conf, I still get authentification failure. I sniffed the session traffic and I see the following information

192.168.100.170 - 64.95.221.220 UDP D=1812 S=1812 LEN=75

AND THE RADIUS SERVER RECEIVES THIS MESSAGE IN THE FOLLOWING DEBUG DUMP

rad_recv: Access-Request packet from host 64.214.69.230:4916, id=62, length=67
    EAP-Message = \002\001\000\t\001junk
    Message-Authenticator = 0x76874a9715bf9621d54c7074912d6ccc
    NAS-IP-Address = 192.168.100.170
    User-Name = junk
    Framed-MTU = 1400
modcall: entering group authorize
modcall[authorize]: module preprocess returns ok
modcall[authorize]: module eap returns updated
modcall[authorize]: module suffix returns ok
users: Matched junk at 74
modcall[authorize]: module files returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: processing type md5
modcall[authenticate]: module eap returns ok
modcall: group authenticate returns ok

NOW I ASSUME THE MESSAGE BEING SENT BACK IS MY SECOND PACKET IN THE SNIFFER LOG.

64.95.221.220- 192.168.100.170 UDP D=1812 S=1812 LEN=108

Sending Access-Challenge of id 62 to 64.214.69.230:4916
    EAP-Message = \001\000\026\004\020#\237\300j\320\225\376\2639\262\265\340\333F\243
    Message-Authenticator = 0x
    State = 0xa6e15e0f06d3880b882260dbb8e69f2de88c903cf69a33702ce1ec0ba905020673dd8337
Finished request 0

It seems as though the 3com access point interprets this message as an authentification failure and ends the conversation. It also displays a message box authentification failure on the client side. What is the contents of the message being sent back to the 3com access point? Does anyone know a reason the 3com device will interpret the Challenge message as a failure?

Eric

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 14, 2002 10:06 AM
Subject: Re: 3com Wireless Access Point and FreeRadius

Eric John Seneca [EMAIL PROTECTED] wrote:
> Where do I get the module rlm_eap for freeradius? I get the following message ...

It was not included in the tarball for freeradius-0.4. Try grabbing the latest CVS snapshot.

Alan DeKok.

Re: 3com Wireless Access Point and FreeRadius

> NOW I ASSUME THE MESSAGE BEING SENT BACK IS MY SECOND PACKET IN THE SNIFFER LOG.
>
> 64.95.221.220- 192.168.100.170 UDP D=1812 S=1812 LEN=108
>
> Sending Access-Challenge of id 62 to 64.214.69.230:4916
>     EAP-Message = \001\000\026\004\020#\237\300j\320\225\376\2639\262\265\340\333F\243
>     Message-Authenticator = 0x
>     State = 0xa6e15e0f06d3880b882260dbb8e69f2de88c903cf69a33702ce1ec0ba905020673dd8337
> Finished request 0
>
> It seems as though the 3com access point interprets this message as an authentification failure and ends the conversation. It also displays a message box authentification failure on the client side. What is the contents of the message being sent back to the 3com access point? Does anyone know a reason the 3com device will interpret the Challenge message as a failure?

Radius Server has sent an Access-Challenge with EAP-MD5 challenge value for which the client should respond back. Based on the response received, Radius Server authenticates the user. Since there is no response received, I think there is some misconfiguration either on your AP or client. You might also want to check what EAP-Types (like EAP-MD5 ...) are supported by your 3com client AP.

-Raghu

Re: 3com Wireless Access Point and FreeRadius

> Radius Server has sent an Access-Challenge with EAP-MD5 challenge value for which the client should respond back. Based on the response received, Radius Server authenticates the user.

The reason there is no response back is because the 3com access point interprets challenge as a failure. Hence the syslog entry for the access point

Mar 14 13:49:55 accesspoint 802.1x FSM: Supplicant 00:40:96:48:89:b6 has failed Authentication
Mar 14 14:06:05 accesspoint Associated station [ AID = 001, 00:40:96:48:89:b6 ]
Mar 14 14:06:10 accesspoint 802.1x FSM: Supplicant 00:40:96:48:89:b6 has failed Authentication

Is there any special setting I must define for the user? The access point and client only have one setting which is EAP-MD5. I do not have any DEFAULT setting for EAP. There seem to be settings for SLIP and other protocols in the users file. Am I missing something in the configuration of the radius server?

Eric

- Original Message -
From: Raghu [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 14, 2002 12:05 PM
Subject: Re: 3com Wireless Access Point and FreeRadius

> NOW I ASSUME THE MESSAGE BEING SENT BACK IS MY SECOND PACKET IN THE SNIFFER LOG.
>
> 64.95.221.220- 192.168.100.170 UDP D=1812 S=1812 LEN=108
>
> Sending Access-Challenge of id 62 to 64.214.69.230:4916
>     EAP-Message = \001\000\026\004\020#\237\300j\320\225\376\2639\262\265\340\333F\243
>     Message-Authenticator = 0x
>     State = 0xa6e15e0f06d3880b882260dbb8e69f2de88c903cf69a33702ce1ec0ba905020673dd8337
> Finished request 0
>
> It seems as though the 3com access point interprets this message as an authentification failure and ends the conversation. It also displays a message box authentification failure on the client side. What is the contents of the message being sent back to the 3com access point? Does anyone know a reason the 3com device will interpret the Challenge message as a failure?

Radius Server has sent an Access-Challenge with EAP-MD5 challenge value for which the client should respond back. Based on the response received, Radius Server authenticates the user. Since there is no response received, I think there is some misconfiguration either on your AP or client. You might also want to check what EAP-Types (like EAP-MD5 ...) are supported by your 3com client AP.

-Raghu

Re: 3com Wireless Access Point and FreeRadius

Eric John Seneca [EMAIL PROTECTED] wrote:
> The reason there is no response back is because the 3com access point interprets challenge as a failure.

Then it doesn't do EAP properly.

> Is there any special setting I must define for the user? The access point and client only have one setting which is EAP-MD5. I do not have any DEFAULT setting for EAP. There seem to be settings for SLIP and other protocols in the users file. Am I missing something in the configuration of the radius server?

No. The NAS is asking to do EAP, and then complaining when it gets an EAP response. Fix the NAS to do EAP properly. Poking the RADIUS server won't do anything.

Alan DeKok.

Re: 3com Wireless Access Point and FreeRadius

I have found the following URL very useful:

http://www.missl.cs.umd.edu/~adam/802/

jsl

--
John Lindsay - Engineering Services Manager
Internode Professional Access
ph +61 8 8223 2999 fx +61 8 8223 1777
31 York St Adelaide, PO BOX 284 Rundle Mall SA 5000

Re: 3com Wireless Access Point and FreeRadius

Eric John Seneca wrote:
> Hi, I am trying to set up a 3com wireless access point to authenticate to a freeradius server. I have installed and configured the freeradius server as well as the access point but when I try to authenticate I get the following error:
>
> rad_recv: Access-Request packet from host 64.214.69.235:4859, id=183, length=69
>     EAP-Message = \002\004\000\n\001happy
>     Message-Authenticator = 0x8963e751410fdebe8c00bb9310325f6f
>     NAS-IP-Address = 192.168.100.170
>     User-Name = happy
>     Framed-MTU = 1400
> rad_check_password: Found Auth-Type Local
> auth: type Local
> auth: No Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.

You need to configure Auth-Type = EAP for the user happy. Also configure EAP in the authorize and authenticate sections of radiusd.conf.

> The part that I cannot figure is the phantom password. I am not sure if the 3com client software is sending the password or the /etc/raddb/users file is not set up correctly. If anyone has had experience with 3com products in the past any help would be greatly appreciated.

Password is never sent over the wire in case of EAP. Your 3com client is sending an EAP message to the 3com Access point (AP) and the AP is framing the RADIUS packet with EAP in it. So enabling EAP authentication in the RADIUS server will help you.

-Raghu