Re: EAP-MD5. Problems with XP Client

2002-10-15 Thread Fernandez, Jorge






Arthur,

I didn't realize about the problem because I am using authentication with an ethernet card and a switch as authenticator. Indeed, MD5 disappears with XP SP1 in wireless cards, but not in ethernet ones. Probably Microsoft wants to promote its authentication protocols (you have to use MS-CHAP over PEAP instead of MD5). Another reason probably is that with EAP-MD5 you can't use the rekeying functionality, so they force you to use PEAP, which always uses TLS as tunneling protocol, and then derive the ciphersuite password to implement rekeying.

Regards,
Jorge.

-----

Hi Jorge,

I'm sorry, I wanted to test out what you wrote about two weeks ago because I finally found some time.

> First of all, c1 and c2 are two consecutive hex numbers. I got them
> from the ID field in the EAP message.
> I have captured the traffic between the AP and the XP client and I
> think (never 100% sure) that the NAS is working right, because
> it has copied exactly the EAP packet from the RADIUS extension to the
> EAPOL message.
>
> The NAS also maintains the EAP-ID field, so the id number is
> different in the EAP-Success message.

Well, as I said, I wanted to see what happens in my case and, to my great surprise, I couldn't find EAP/MD5 in my XP anymore - after the installation of SP1 for XP it seems to have disappeared. I have PEAP and TLS now; PEAP seems to be some MS system, based upon MSCHAPv2 and providing certificates and mutual auth support... Does anyone have some ideas on that?

So, Jorge, I can't test it for the moment...

Ciao
Artur

-- 
Artur Hecker
Groupe Accès et Mobilité
Département Informatique et Réseaux
ENST Paris, 46, rue Barrault, 75634 Paris cedex 13
hecker[at]enst[dot]fr
+33 1 45 81 7507
http://www.infres.enst.fr

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html











 








Re: EAP-MD5. Problems with XP Client

2002-10-08 Thread Fernandez, Jorge






Hi Arthur,

First of all, c1 and c2 are two consecutive hex numbers. I got them from the ID field in the EAP message.

I have captured the traffic between the AP and the XP client and I think (never 100% sure) that the NAS is working right, because it has copied exactly the EAP packet from the RADIUS extension to the EAPOL message.

The NAS also maintains the EAP-ID field, so the id number is different in the EAP-Success message.

Jorge

-----

hi

> I am not sure, but I think that is a problem with the EAP Id field in
> the EAP-Success frame. Here you have a summary of the conversation,
> writing the EAP id in parentheses.
>
> NAS                 RADIUS
> --> RAD-Req/EAP-Resp(id=1) >
> <-- RAD-Chall/EAP-Req (id=c1) <
> --> RAD-Req/EAP-Resp (id=c1) -->
> <-- RAD-Accept/EAP-Success (id=c2)-->
>
> I have checked with other radius servers and the conversation is as
> follows.
>
> NAS                 RADIUS
> --> RAD-Req/EAP-Resp(id=1) >
> <-- RAD-Chall/EAP-Req (id=c1) <
> --> RAD-Req/EAP-Resp (id=c1) -->
> <-- RAD-Accept/EAP-Success (id=c1)-->

I know what you want to say, i.e. I see these c1 and c2 differences, but where have you got it from? What is this c1, c2 stuff anyway? Just two different variables? Can you point out exactly these differences in the server log, or is it impossible to see? Can you see it when sniffing the traffic between server and client?

> PS. I don't know if it is necessary, but here is a copy of the
> ./radiusd -X log. Regards.

The server log looks very good and, if I understand what you are saying, we could even conclude that the radius part works out great, right? The NAS opens the port on the receipt of the RADIUS Access-Accept packet.

So, you say the included EAP message is kind of wrong. Can you see the logs of your AP or sniff the traffic between the supplicant and the client?

ciao
artur

-- 
Artur Hecker
artur[at]hecker.info

 








EAP-MD5. Problems with XP Client

2002-10-08 Thread Fernandez, Jorge






Hi,


I am trying to authenticate XP supplicants with freeradius, but I have found a problem and I am not sure if it is a bug (I don't think so) or if I am configuring something wrong.

When I authenticate a user using the XP client, the RADIUS authentication is successful and the NAS opens the port. But the problem is that the client doesn't realize that it has been authenticated and continues sending EAP-Request frames in order to be granted connection.

I am not sure, but I think that it is a problem with the EAP Id field in the EAP-Success frame. Here you have a summary of the conversation, writing the EAP id in parentheses.


NAS                 RADIUS
--> RAD-Req/EAP-Resp(id=1) >
<-- RAD-Chall/EAP-Req (id=c1) <
--> RAD-Req/EAP-Resp (id=c1) -->
<-- RAD-Accept/EAP-Success (id=c2)-->


I have checked with other radius servers and the conversation is as follows.


NAS                 RADIUS
--> RAD-Req/EAP-Resp(id=1) >
<-- RAD-Chall/EAP-Req (id=c1) <
--> RAD-Req/EAP-Resp (id=c1) -->
<-- RAD-Accept/EAP-Success (id=c1)-->


Has anybody found this problem before? (BTW, I have read and followed all the steps described in the eap-md5 how-to ;-))


Thanks in advance.


Jorge.


PS. I don't know if it is necessary, but here is a copy of the ./radiusd -X log. Regards.


Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 134.141.221.252:1042, id=22, length=75
    Message-Authenticator = 0x4854f73892ec16e8bd0da4eb55ffbc8f
    User-Name = "jorge"
    NAS-IP-Address = 134.141.221.252
    NAS-Port = 1
    EAP-Message = "\002\001\000\n\001jorge"
    Framed-MTU = 1000
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
    users: Matched jorge at 106
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 22 to 134.141.221.252:1042
    Filter-Id = "Enterasys;version=1;mgmt=su"
    EAP-Message = "\001\026\000\026\004\020\250(r\267bE*Y\017\025v\253\305LUD"
    Message-Authenticator = 0x
    State = 0xcf889d6182c3b228d524b102a660c5c8
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 134.141.221.252:1042, id=23, length=110
    Message-Authenticator = 0x4bf7ee8fc92e1d30f3a2b516a0b76ddf
    User-Name = "jorge"
    State = 0xcf889d6182c3b228d524b102a660c5c8
    NAS-IP-Address = 134.141.221.252
    NAS-Port = 1
    Framed-MTU = 1000
    EAP-Message = "\002\026\000\033\004\020J\274\311\024\367\305x\273k\007l^\345\220\324.jorge"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
    users: Matched jorge at 106
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - md5
rlm_eap: processing type md5
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 23 to 134.141.221.252:1042
    Filter-Id = "Enterasys;version=1;mgmt=su"
    EAP-Message = "\003\027\000\004"
    Message-Authenticator = 0x
Finished request 1
Going to the next request
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 22 with timestamp 3da2eccc
Cleaning up request 1 ID 23 with timestamp 3da2eccc
Nothing to do.  Sleeping until we see a request.
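The EAP-Message strings in the radiusd -X log above are where the id=c1 / id=c2 question can be settled without a sniffer. The Python below is an added example, not code from the thread or from FreeRADIUS: it decodes radiusd's C-style escaped byte strings, parses the EAP header and MD5-Challenge fields, and checks whether the EAP-Success identifier matches the last EAP-Request identifier, using the four EAP-Message values copied from the log.

```python
# Added example (not from the thread or FreeRADIUS): decode `radiusd -X` EAP-Message
# strings and check the EAP-Success id against the last EAP-Request id (RFC 2284 2.2.3).
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}
_C_ESCAPES = {"n": 0x0A, "t": 0x09, "r": 0x0D, "\\": 0x5C, '"': 0x22}

# The four EAP-Message values from the radiusd -X log above, in wire order.
LOG_EAP_MESSAGES = [
    r"\002\001\000\n\001jorge",                                    # in Access-Request
    r"\001\026\000\026\004\020\250(r\267bE*Y\017\025v\253\305LUD",  # in Access-Challenge
    r"\002\026\000\033\004\020J\274\311\024\367\305x\273k\007l^\345\220\324.jorge",
    r"\003\027\000\004",                                           # in Access-Accept
]

def unescape_radiusd(s: str) -> bytes:
    """radiusd -X prints bytes C-style: \\ooo octal, \\n, \\t, or the literal character."""
    out, i = bytearray(), 0
    while i < len(s):
        m = re.match(r"\\([0-7]{1,3})", s[i:])
        if m:                               # octal escape such as \002
            out.append(int(m.group(1), 8)); i += len(m.group(0))
        elif s[i] == "\\":                  # named escape such as \n
            out.append(_C_ESCAPES[s[i + 1]]); i += 2
        else:                               # printable character
            out.append(ord(s[i])); i += 1
    return bytes(out)

def parse_eap(raw: bytes) -> dict:
    """Split an EAP packet into code, identifier, length, type and MD5-Challenge fields."""
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != actual {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                      # Request/Response carry a Type byte
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        if raw[4] == 4:                     # MD5-Challenge: Value-Size, Value, Name
            size = raw[5]
            pkt["value"], pkt["name"] = raw[6:6 + size], raw[6 + size:]
    return pkt

def check_success_id(messages):
    """(last Request id, Success id, do they match?) over one exchange's EAP-Messages."""
    pkts = [parse_eap(unescape_radiusd(s)) for s in messages]
    last_req = next((p["id"] for p in reversed(pkts) if p["code"] == "Request"), None)
    success = next((p["id"] for p in pkts if p["code"] == "Success"), None)
    return last_req, success, last_req is not None and last_req == success
```

Run against the log's four messages, `check_success_id` returns `(22, 23, False)`: the challenge went out with id 22 and the Success came back with id 23, which is exactly the c1/c2 step Jorge drew.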





RE:EAP-MD5 fails to authenticate users

2002-09-20 Thread Fernandez, Jorge






Indeed, SteelBelted and Microsoft IAS issue very short State attributes that the NAS doesn't truncate. Is it possible to change the State attribute max length in freeradius? (I know it is a workaround to solve the problem temporarily.)

Regards and thanks for your answer.

Jorge

Artur Hecker <[EMAIL PROTECTED]> wrote:
> take a look at the state attributes. your NAS is truncating the State
> attribute which was issued by Radius to 64 hexadecimal characters, i.e.
> 256bit (64*4):
>
> issued:
> 0x6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73fafc8b0590f
>
> received:
> 0x6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73faf

  The software on your NAS must have been written by the same people who wrote the Merit RADIUS server.

> i have no idea if this behaviour is RFC-correct or not. the problem
> doesn't or didn't occur with other radius servers, probably because
> their state attributes are always/were by chance shorter.

  Mangling the State attribute is explicitly prohibited by the RFCs.

> Raghu, Alan, what do you think? are the state attributes too long or is
> the NAS firmware broken?

  I wouldn't object to making the State attribute shorter, but the NAS is definitely broken.

> Jorge: you can try to take a look in the radius RFC if you can find a
> limitation for the state attribute...

  http://www.freeradius.org/rfc/attributes.html

  and click on 'State'.

  Alan DeKok.

 








EAP-MD5 fails to authenticate users

2002-09-19 Thread Fernandez, Jorge








Hi,

I'm trying to perform 802.1X authentication using freeradius and the EAP-MD5 authentication method, but I am experiencing some problems.

First, the supplicant I'm using is the XP native supplicant.
The authenticator is an Enterasys Matrix E1.

I have read hundreds of mails looking for a similar problem and I haven't found any. Also I have read the /doc/EAP-MD5 document from the freeradius page.

Also I have to say that I have tested the solution using other RADIUS servers (SteelBelted and MS-IAS) and all tests have worked OK with them.

So, I think I am configuring something wrong in freeradius. So, can anybody help me, please?

Regards.

Jorge.

The configuration is the following one:

*** User file ***

I have tried with 3 different users with 3 different Auth-Types (Local, System and EAP). The only one that has worked (has recognized EAP and radius has issued a Challenge-String) has been EAP.

luis    Auth-Type := eap, User-Password == "hello"

 

 

*** radiusd.conf ***

eap {
        default_eap_type = md5
        md5 {
        }
}

authorize {
        preprocess
        files
        eap
}

authenticate {
        eap
}

 

*** radiusd -X LOG ***

[root@satanas sbin]# ./radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
Config:   including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 security: max_attributes = 200
 security: reject_delay = 1
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded eap 
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded files 
 files: usersfile = "/usr/local/radius/etc/raddb/users"
 files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix) 
Module: Loaded detail 
 detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/usr/local/radius/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
 main: smux_password = ""
 main: snmp_write_access = no
SMUX connect try 1
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 134.141.221.252:1062, id=52, length=73
    Message-Authenticator = 0x48951dd61c5d4eb2e2af4b60c866f07f
    User-Name = "luis"
    NAS-IP-Address = 134.141.221.252
    NAS-Port = 2
    EAP-Message = "\002\001\000\t\001luis"
    Framed-MTU = 1000
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
    users: Matched luis at 108
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "eap" ret