Re: 3com Wireless Access Point and FreeRadius

Eric John Seneca wrote:
> Sending Access-Challenge of id 29 to 64.214.69.235:5001
> EAP-Message =
> "\001\035\000\026\004\020#\237\300j\320\225\376<\2639\262\265\340\333F\243"
> Message-Authenticator = 0x
> State =
> 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf4210ec4828ecd3a5430359074e4689b
> rad_recv: Access-Request packet from host 64.214.69.235:5001, id=30,
> length=108
> EAP-Message =
> "\002\035\000\032\004\020\364<\366\257\206F\017@Nb\tV\251.\314\334junk"
> Message-Authenticator = 0x465a58897948e060466ca171349e5911
> NAS-IP-Address = 192.168.100.170
> User-Name = "junk"
> State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf421
> Framed-MTU = 1400
> rlm_eap: State verification failed.

Ok. The problem now is that your 3com AP MODIFIED the State Attribute that Radius Server sent and replied. For some reason it stripped off the last bytes.

Try to verify why this is happening.

-Raghu

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
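
Added example, not part of the original thread: one way to confirm the problem Raghu describes is to compare every State value a NAS returns with the State values the server sent to it. The Python script below does that over radiusd debug output; the function name and the matching by NAS address are assumptions of this example, not FreeRADIUS behaviour.

```python
import re

# Lines copied from the radiusd debug output quoted in this thread.
SAMPLE_DEBUG = """\
Sending Access-Challenge of id 29 to 64.214.69.235:5001
    State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf4210ec4828ecd3a5430359074e4689b
rad_recv: Access-Request packet from host 64.214.69.235:5001, id=30, length=108
    State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf421
rlm_eap: State verification failed.
"""

CHALLENGE = re.compile(r"Sending Access-Challenge of id (\d+) to ([\d.]+):\d+")
REQUEST = re.compile(r"rad_recv: Access-Request packet from host ([\d.]+):\d+, id=(\d+)")
STATE = re.compile(r"^\s*State = 0x((?:[0-9a-fA-F]{2})+)\s*$")


def audit_state_echo(debug_text):
    """Compare each State a NAS returns with the States the server sent it."""
    outstanding = {}   # NAS address -> State values sent in Access-Challenges
    current = None     # (direction, NAS address, RADIUS id) of the packet being read
    findings = []
    for line in debug_text.splitlines():
        if (m := CHALLENGE.search(line)):
            current = ("sent", m.group(2), int(m.group(1)))
        elif (m := REQUEST.search(line)):
            current = ("received", m.group(1), int(m.group(2)))
        elif line.startswith(("Sending ", "rad_recv:")):
            current = None                      # some other packet type
        elif current and (m := STATE.match(line)):
            value = bytes.fromhex(m.group(1))
            direction, nas, pkt_id = current
            if direction == "sent":
                outstanding.setdefault(nas, []).append(value)
                continue
            sent = outstanding.get(nas, [])
            if value in sent:
                verdict, ref = "intact", value
            else:
                # A strict prefix of something we sent means bytes were cut off.
                ref = next((s for s in sent if s.startswith(value)), None)
                verdict = "truncated" if ref else "unknown"
            findings.append({"nas": nas, "id": pkt_id, "verdict": verdict,
                             "sent_len": len(ref) if ref else None,
                             "got_len": len(value)})
    return findings


if __name__ == "__main__":
    for f in audit_state_echo(SAMPLE_DEBUG):
        print(f)
```

On the excerpt above it reports that the 36-byte State sent in the Access-Challenge came back as its first 22 bytes in request id 30.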

Re: 3com Wireless Access Point and FreeRadius

> Then it doesn't do EAP properly.

I have double checked with 3com to confirm they did not "microsoft" the EAP standard and I am told it is completely compliant with standard EAP. After reviewing the url posted by John Lindsay, I see that Cisco Aironet is working with freeradius and I have found a curious item in the dump of freeradius. The 3com access point is sending back a response to the challenge but the radius server is getting an error in the rlm_eap modules. The following is a full dump of the transaction:

rad_recv: Access-Request packet from host 64.214.69.235:5001, id=29, length=67
    EAP-Message = "\002\001\000\t\001junk"
    Message-Authenticator = 0x391509740ecb0d9e19fa22520f29ee1a
    NAS-IP-Address = 192.168.100.170
    User-Name = "junk"
    Framed-MTU = 1400
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
modcall[authorize]: module "suffix" returns ok
users: Matched junk at 67
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type md5
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 29 to 64.214.69.235:5001
    EAP-Message = "\001\035\000\026\004\020#\237\300j\320\225\376<\2639\262\265\340\333F\243"
    Message-Authenticator = 0x
    State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf4210ec4828ecd3a5430359074e4689b
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 64.214.69.235:5001, id=30, length=108
    EAP-Message = "\002\035\000\032\004\020\364<\366\257\206F\017@Nb\tV\251.\314\334junk"
    Message-Authenticator = 0x465a58897948e060466ca171349e5911
    NAS-IP-Address = 192.168.100.170
    User-Name = "junk"
    State = 0xd3a5063b0b3c477241aa038a1bd600d50ac8913cf421
    Framed-MTU = 1400
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
modcall[authorize]: module "suffix" returns ok
users: Matched junk at 67
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: State verification failed.
modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Sending Access-Reject of id 30 to 64.214.69.235:5001
Finished request 1
Going to the next request
Waking up in 6 seconds...

How can I track down what is causing the failure in the eap module?

Eric

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 14, 2002 2:33 PM
Subject: Re: 3com Wireless Access Point and FreeRadius

> "Eric John Seneca" <[EMAIL PROTECTED]> wrote:
> > The reason there is no response back is because the 3com access point
> > interprets challenge as a failure.
>
> Then it doesn't do EAP properly.
>
> > Is there any special setting I must define for the user? The access point
> > and client only have one setting which is EAP-MD5. I do not have any DEFAULT
> > setting for EAP. There seem to be settings for SLIP and other protocols in
> > the users file. Am I missing something in the configuration of the radius
> > server?
>
> No. The NAS is asking to do EAP, and then complaining when it gets
> an EAP response.
>
> Fix the NAS to do EAP properly. Poking the RADIUS server won't do
> anything.
>
> Alan DeKok.

Re: 3com Wireless Access Point and FreeRadius

I have found the following URL very useful:

http://www.missl.cs.umd.edu/~adam/802/

jsl

--
John Lindsay - Engineering Services Manager
Internode Professional Access
ph +61 8 8223 2999 fx +61 8 8223 1777
31 York St Adelaide, PO BOX 284 Rundle Mall SA 5000

Re: 3com Wireless Access Point and FreeRadius

"Eric John Seneca" <[EMAIL PROTECTED]> wrote:
> The reason there is no response back is because the 3com access point
> interprets challenge as a failure.

Then it doesn't do EAP properly.

> Is there any special setting I must define for the user? The access point
> and client only have one setting which is EAP-MD5. I do not have any DEFAULT
> setting for EAP. There seem to be settings for SLIP and other protocols in
> the users file. Am I missing something in the configuration of the radius
> server?

No. The NAS is asking to do EAP, and then complaining when it gets an EAP response.

Fix the NAS to do EAP properly. Poking the RADIUS server won't do anything.

Alan DeKok.

Re: 3com Wireless Access Point and FreeRadius

> Radius Server has sent an Access-Challenge with EAP-MD5 challenge value
> for which the client should respond back.
> Based on the response received, Radius Server authenticates the user.

The reason there is no response back is because the 3com access point interprets challenge as a failure. Hence the syslog entry for the access point

Mar 14 13:49:55 accesspoint 802.1x FSM: Supplicant 00:40:96:48:89:b6 has failed Authentication
Mar 14 14:06:05 accesspoint Associated station [ AID = 001, 00:40:96:48:89:b6 ]
Mar 14 14:06:10 accesspoint 802.1x FSM: Supplicant 00:40:96:48:89:b6 has failed Authentication

Is there any special setting I must define for the user? The access point and client only have one setting which is EAP-MD5. I do not have any DEFAULT setting for EAP. There seem to be settings for SLIP and other protocols in the users file. Am I missing something in the configuration of the radius server?

Eric

----- Original Message -----
From: "Raghu" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 14, 2002 12:05 PM
Subject: Re: 3com Wireless Access Point and FreeRadius

> > NOW I ASSUME THE MESSAGE BEING SENT BACK IS MY SECOND PACKET IN THE SNIFFER
> > LOG.
> > 64.95.221.220-> 192.168.100.170 UDP D=1812 S=1812 LEN=108
> >
> > Sending Access-Challenge of id 62 to 64.214.69.230:4916
> > EAP-Message =
> > "\001>\000\026\004\020#\237\300j\320\225\376<\2639\262\265\340\333F\243"
> > Message-Authenticator = 0x
> > State =
> > 0xa6e15e0f06d3880b882260dbb8e69f2de88c903cf69a33702ce1ec0ba905020673dd8337
> > Finished request 0
> >
> > It seems as though the 3com access point interprets this message as an
> > authentication failure and ends the conversation. It also displays a
> > message box "authentification failure" on the client side. What are the
> > contents of the message being sent back to the 3com access point? Does
> > anyone know a reason the 3com device will interpret the Challenge message as
> > a failure?
> >
>
> Radius Server has sent an Access-Challenge with EAP-MD5 challenge value
> for which the client should respond back.
> Based on the response received, Radius Server authenticates the user.
>
> Since there is no response received,
> I think there is some misconfiguration either on your AP or client.
>
> You might also want to check, what EAP-Types ( like EAP-MD5 ...)
> are supported by your 3com client & AP.
>
> -Raghu

Re: 3com Wireless Access Point and FreeRadius

> NOW I ASSUME THE MESSAGE BEING SENT BACK IS MY SECOND PACKET IN THE SNIFFER
> LOG.
> 64.95.221.220-> 192.168.100.170 UDP D=1812 S=1812 LEN=108
>
> Sending Access-Challenge of id 62 to 64.214.69.230:4916
> EAP-Message =
> "\001>\000\026\004\020#\237\300j\320\225\376<\2639\262\265\340\333F\243"
> Message-Authenticator = 0x
> State =
> 0xa6e15e0f06d3880b882260dbb8e69f2de88c903cf69a33702ce1ec0ba905020673dd8337
> Finished request 0
>
> It seems as though the 3com access point interprets this message as an
> authentication failure and ends the conversation. It also displays a
> message box "authentification failure" on the client side. What are the
> contents of the message being sent back to the 3com access point? Does
> anyone know a reason the 3com device will interpret the Challenge message as
> a failure?
>

Radius Server has sent an Access-Challenge with EAP-MD5 challenge value for which the client should respond back.
Based on the response received, Radius Server authenticates the user.

Since there is no response received, I think there is some misconfiguration either on your AP or client.

You might also want to check what EAP-Types (like EAP-MD5 ...) are supported by your 3com client & AP.

-Raghu

Re: 3com Wireless Access Point and FreeRadius

> Try grabbing the latest CVS snapshot.

After compiling the CVS snapshot and configuring the /etc/raddb/radius.conf, I still get authentication failure. I sniffed the session traffic and I see the following information

192.168.100.170 -> 64.95.221.220 UDP D=1812 S=1812 LEN=75

AND THE RADIUS SERVER RECEIVES THIS MESSAGE IN THE FOLLOWING DEBUG DUMP

rad_recv: Access-Request packet from host 64.214.69.230:4916, id=62, length=67
    EAP-Message = "\002\001\000\t\001junk"
    Message-Authenticator = 0x76874a9715bf9621d54c7074912d6ccc
    NAS-IP-Address = 192.168.100.170
    User-Name = "junk"
    Framed-MTU = 1400
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
modcall[authorize]: module "suffix" returns ok
users: Matched junk at 74
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type md5
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok

NOW I ASSUME THE MESSAGE BEING SENT BACK IS MY SECOND PACKET IN THE SNIFFER LOG.

64.95.221.220-> 192.168.100.170 UDP D=1812 S=1812 LEN=108

Sending Access-Challenge of id 62 to 64.214.69.230:4916
    EAP-Message = "\001>\000\026\004\020#\237\300j\320\225\376<\2639\262\265\340\333F\243"
    Message-Authenticator = 0x
    State = 0xa6e15e0f06d3880b882260dbb8e69f2de88c903cf69a33702ce1ec0ba905020673dd8337
Finished request 0

It seems as though the 3com access point interprets this message as an authentication failure and ends the conversation. It also displays a message box "authentification failure" on the client side. What are the contents of the message being sent back to the 3com access point? Does anyone know a reason the 3com device will interpret the Challenge message as a failure?

Eric

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 14, 2002 10:06 AM
Subject: Re: 3com Wireless Access Point and FreeRadius

> "Eric John Seneca" <[EMAIL PROTECTED]> wrote:
> > Where do I get the module rlm_eap for freeradius? I get the following
> > message
> ...
> > It was not included in the tarball for freeradius-0.4.
>
> Try grabbing the latest CVS snapshot.
>
> Alan DeKok.

Re: 3com Wireless Access Point and FreeRadius

"Eric John Seneca" <[EMAIL PROTECTED]> wrote:
> Where do I get the module rlm_eap for freeradius? I get the following
> message
...
> It was not included in the tarball for freeradius-0.4.

Try grabbing the latest CVS snapshot.

Alan DeKok.

Re: 3com Wireless Access Point and FreeRadius

Where do I get the module rlm_eap for freeradius? I get the following message

Module: Loaded System
    unix: cache = no
    unix: passwd = "/etc/passwd"
    unix: shadow = "/etc/shadow"
    unix: group = "/etc/group"
    unix: radwtmp = "/usr/local/log/radius/radwtmp"
    unix: usegroup = no
    unix: cache_reload = 600
Module: Instantiated unix (unix)
radiusd.conf[360] Failed to link to module 'rlm_eap': file not found

It was not included in the tarball for freeradius-0.4.

Eric

----- Original Message -----
From: "Raghu" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 13, 2002 7:36 PM
Subject: Re: 3com Wireless Access Point and FreeRadius

> Eric John Seneca wrote:
> >
> > Hi,
> > I am trying to set up a 3com wireless access point to authenticate to a
> > freeradius server. I have installed and configured the freeradius server as
> > well as the access point but when I try to authenticate I get the following
> > error:
> > rad_recv: Access-Request packet from host 64.214.69.235:4859, id=183,
> > length=69
> > EAP-Message = "\002\004\000\n\001happy"
> > Message-Authenticator = 0x8963e751410fdebe8c00bb9310325f6f
> > NAS-IP-Address = 192.168.100.170
> > User-Name = "happy"
> > Framed-MTU = 1400
> > rad_check_password: Found Auth-Type Local
> > auth: type Local
> > auth: No Password or CHAP-Password attribute in the request
> > auth: Failed to validate the user.
>
> You need to configure
> Auth-Type = EAP for the user "happy".
> Also configure EAP in authorize & authenticate sections of radiusd.conf
>
> > The part that I cannot figure is the phantom password. I am not sure if the
> > 3com client software is sending the password or the /etc/raddb/users file is
> > not set up correctly. If anyone has had experience with 3com products in the
> > past any help would be greatly appreciated.
>
> Password is never sent over the wire in case of EAP.
> Your 3com client is sending an EAP message to the 3com Access point(AP)
> and
> the AP is framing the RADIUS packet with EAP in it.
>
> so Enabling EAP authentication in the RADIUS server will help you.
>
>
> -Raghu

Re: 3com Wireless Access Point and FreeRadius

Eric John Seneca wrote:
>
> Hi,
> I am trying to set up a 3com wireless access point to authenticate to a
> freeradius server. I have installed and configured the freeradius server as
> well as the access point but when I try to authenticate I get the following
> error:
> rad_recv: Access-Request packet from host 64.214.69.235:4859, id=183,
> length=69
> EAP-Message = "\002\004\000\n\001happy"
> Message-Authenticator = 0x8963e751410fdebe8c00bb9310325f6f
> NAS-IP-Address = 192.168.100.170
> User-Name = "happy"
> Framed-MTU = 1400
> rad_check_password: Found Auth-Type Local
> auth: type Local
> auth: No Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.

You need to configure Auth-Type = EAP for the user "happy".
Also configure EAP in authorize & authenticate sections of radiusd.conf

> The part that I cannot figure is the phantom password. I am not sure if the
> 3com client software is sending the password or the /etc/raddb/users file is
> not set up correctly. If anyone has had experience with 3com products in the
> past any help would be greatly appreciated.

Password is never sent over the wire in case of EAP.
Your 3com client is sending an EAP message to the 3com Access point (AP) and the AP is framing the RADIUS packet with EAP in it.

So enabling EAP authentication in the RADIUS server will help you.

-Raghu
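
Added example, not part of the original thread: a Python decoder for the EAP-Message strings that radiusd prints in its debug output, illustrating the point above that the EAP exchange carries an identity and an MD5 challenge/response rather than a password. The field layout is the standard EAP header (code, identifier, length, type) and MD5-Challenge type data (value size, value, name); the function names are made up for this example.

```python
import re
import struct

# EAP-Message strings copied from the debug output quoted in this thread.
IDENTITY = r"\002\004\000\n\001happy"
CHALLENGE_29 = r"\001\035\000\026\004\020#\237\300j\320\225\376<\2639\262\265\340\333F\243"
CHALLENGE_62 = r"\001>\000\026\004\020#\237\300j\320\225\376<\2639\262\265\340\333F\243"
RESPONSE_29 = r"\002\035\000\032\004\020\364<\366\257\206F\017@Nb\tV\251.\314\334junk"

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}
ESCAPE = re.compile(r"\\([0-7]{1,3}|.)")
NAMED = {"n": 10, "t": 9, "r": 13}


def unescape(printed):
    """Turn the escaped string shown in the debug log back into raw bytes."""
    def repl(m):
        tok = m.group(1)
        if tok[0] in "01234567":
            return chr(int(tok, 8) & 0xFF)      # \ooo octal escape
        return chr(NAMED.get(tok, ord(tok)))    # \n, \t, \r or an escaped literal
    return ESCAPE.sub(repl, printed).encode("latin-1")


def decode_eap(printed):
    """Decode one printed EAP-Message attribute into its header and type data."""
    raw = unescape(printed)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:           # only Request/Response carry a Type
        etype, data = raw[4], raw[5:]
        pkt["type"] = TYPES.get(etype, etype)
        if etype == 4:                          # MD5-Challenge: size, value, name
            size = data[0] if data else 0
            if not data or size > len(data) - 1:
                raise ValueError("MD5-Challenge value overruns the packet")
            pkt["value"] = data[1:1 + size].hex()
            pkt["name"] = data[1 + size:].decode("latin-1")
        else:
            pkt["data"] = data.decode("latin-1")
    return pkt


if __name__ == "__main__":
    for s in (IDENTITY, CHALLENGE_29, RESPONSE_29, CHALLENGE_62):
        print(decode_eap(s))
```

The first string decodes to an Identity response containing only the user name "happy". The two Access-Challenge strings quoted in the thread (ids 62 and 29) decode to the same 16-byte challenge value, which is worth checking on an EAP-MD5 setup because the challenge is meant to differ for each exchange.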

3com Wireless Access Point and FreeRadius

Hi,
I am trying to set up a 3com wireless access point to authenticate to a freeradius server. I have installed and configured the freeradius server as well as the access point but when I try to authenticate I get the following error:

rad_recv: Access-Request packet from host 64.214.69.235:4859, id=183, length=69
Sending duplicate authentication reply to client 64.214.69.235:4859 - ID: 183
Sending Access-Reject of id 183 to 64.214.69.235
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 28 ID 183 with timestamp 3c8f9220
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 64.214.69.235:4859, id=183, length=69
    EAP-Message = "\002\004\000\n\001happy"
    Message-Authenticator = 0x8963e751410fdebe8c00bb9310325f6f
    NAS-IP-Address = 192.168.100.170
    User-Name = "happy"
    Framed-MTU = 1400
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "suffix" returns ok
users: Matched happy at 73
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Sending Access-Reject of id 183 to 64.214.69.235:4859
Finished request 30
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

The part that I cannot figure is the phantom password. I am not sure if the 3com client software is sending the password or the /etc/raddb/users file is not set up correctly. If anyone has had experience with 3com products in the past any help would be greatly appreciated.

Eric