Re: EAP/TLS trouble
Yes, I agree with you, the problem comes from my AP. Thank you for these precisions. I am actually contacting Intel and I'll share the feedback with you. Anyway, if anybody has some tips and feedback about using the Intel PRO/Wireless 5000

Alan DeKok wrote:
>   I'm willing to change the code in FreeRADIUS, but I would rather not.
> The AP should be thrown in the garbage, (or upgraded) instead.
>
>   Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP/TLS trouble
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
> I think I have some misconfiguration but, to my point of view it comes
> from FreeRADIUS configuration.

  I doubt that very much.

> Freeradius :
> 1. AP -> freeradius ACCESS REQUEST (1) : EAP message type identity
> 2. freeradius -> AP ACCESS CHALLENGE (11) : EAP request type EAP-TLS
> (flag start)
> 3. AP -> freeradius ACCESS CHALLENGE (11) : EAP request type EAP-TLS
> (flag start)

  There is NOTHING you can do to the RADIUS server to make the AP send an Access-Challenge back to the RADIUS server.

  The AP is broken. The AP MUST NOT send an Access-Challenge to the RADIUS server. Any AP which DOES send an Access-Challenge is stupid and wrong.

> I don't understand why the AP sent an ACCESS CHALLENGE instead of an ACCESS
> REQUEST containing a SSL handshake.

  Because the AP is broken. Rather than giving an error message saying what it doesn't like, it does something incredibly stupid. So you blame FreeRADIUS, rather than the AP. Nice.

> But I had observed something a little bit ahum ... interesting :
> When radius servers reply to AP the 1st time they send the same EAP
> request but EAP message authenticator & EAP States are inverted at the
> end of the frame.
> So, another idea, is when the AP (In my case an INTEL PRO 5000) receives
> such a frame, it cannot interpret it because it is malformed and sends it
> back to the Radius server.

  No. The RFC's allow the RADIUS attributes to be in any order. If the AP wants them in a certain order, it's broken.

  It looks like the AP does NOT like the order of the attributes sent by FreeRADIUS. But rather than doing anything intelligent, it does the stupidest thing imaginable.

  I would suggest calling the company who sold you the AP, and complaining that it's broken. Tell them you want a firmware upgrade so that the AP actually handles the RADIUS protocol.

> I am not an EAP expert but I can understand that if a frame is malformed
> the negotiation can begin...

  The packet is not malformed. It's fine.

> What happened with other APs like Aironet ??? Someone ???

  They work. They don't go out of their way to do stupid things.

  I'm willing to change the code in FreeRADIUS, but I would rather not. The AP should be thrown in the garbage, (or upgraded) instead.

  Alan DeKok.
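The packet-level points in the reply above (attributes may come in any order, the Message-Authenticator and Response Authenticator still verify either way, and a server only acts on Access-Request packets arriving on its authentication port) as an added example in Python. This is not code from the thread, from FreeRADIUS or from IAS; the shared secret, Request Authenticator and State value are constructed, and the two attribute orders mirror the IAS and FreeRADIUS captures posted later in the thread.

```python
"""RADIUS/EAP-TLS packet helpers for the exchange discussed in the thread.

Added example, not code from the thread or from FreeRADIUS/IAS.  The shared
secret, Request Authenticator and State value in demo() are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE, STATUS_SERVER = 1, 11, 12
ATTR_STATE, ATTR_SESSION_TIMEOUT, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 24, 27, 79, 80
EAP_TLS, EAP_TLS_FLAG_START = 13, 0x20


def encode_attrs(attrs, mac=bytes(16)):
    """TLV-encode attributes in the order given; a Message-Authenticator entry takes `mac`."""
    out = b""
    for t, v in attrs:
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            v = mac
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode(packet):
    """Parse a RADIUS packet into (code, id, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs


def decode_eap(msg):
    """Parse an EAP header; returns (code, id, type, flags), flags only for EAP-TLS (RFC 2716)."""
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg) or length < 5:
        raise ValueError("bad EAP length")
    flags = msg[5] if msg[4] == EAP_TLS and length >= 6 else None
    return code, ident, msg[4], flags


def build_reply(code, ident, request_auth, secret, attrs):
    """Build a reply such as Access-Challenge with Message-Authenticator (RFC 3579 3.2)
    and Response Authenticator (RFC 2865 3).  A Message-Authenticator placeholder may
    sit anywhere in `attrs`; it is appended if absent."""
    if not any(t == ATTR_MESSAGE_AUTHENTICATOR for t, _ in attrs):
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"")]
    header = struct.pack("!BBH", code, ident, 20 + len(encode_attrs(attrs)))
    # HMAC-MD5 over the packet with the Request Authenticator in the Authenticator
    # field and 16 zero bytes where the Message-Authenticator value will go.
    mac = hmac.new(secret, header + request_auth + encode_attrs(attrs), hashlib.md5).digest()
    body = encode_attrs(attrs, mac)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_message_authenticator(packet, secret, request_auth=None):
    """Access-Request keys the HMAC with its own Authenticator; replies use the
    Request Authenticator of the request they answer."""
    code, ident, auth, attrs = decode(packet)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    key_auth = auth if code == ACCESS_REQUEST else request_auth
    if len(macs) != 1 or len(macs[0]) != 16 or key_auth is None:
        return False
    header = struct.pack("!BBH", code, ident, 20 + len(encode_attrs(attrs)))
    expected = hmac.new(secret, header + key_auth + encode_attrs(attrs), hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def server_disposition(packet):
    """On its authentication port a server processes only Access-Request (and
    Status-Server); an Access-Challenge echoed back by a NAS is ignored."""
    return "process" if decode(packet)[0] in (ACCESS_REQUEST, STATUS_SERVER) else "ignore"


def demo():
    secret = b"testing123"                     # constructed shared secret
    request_auth = bytes(range(16))            # constructed Request Authenticator
    eap_start = bytes.fromhex("016500060d20")  # EAP Request, id 101, EAP-TLS, flags=Start
    state = bytes.fromhex("15bd01ed01370001c0a8063300010011")  # constructed State
    ias_order = [(ATTR_SESSION_TIMEOUT, struct.pack("!I", 30)), (ATTR_EAP_MESSAGE, eap_start),
                 (ATTR_STATE, state), (ATTR_MESSAGE_AUTHENTICATOR, b"")]
    fr_order = [(ATTR_EAP_MESSAGE, eap_start), (ATTR_MESSAGE_AUTHENTICATOR, b""), (ATTR_STATE, state)]
    ias = build_reply(ACCESS_CHALLENGE, 101, request_auth, secret, ias_order)
    fr = build_reply(ACCESS_CHALLENGE, 101, request_auth, secret, fr_order)
    tampered = fr[:26] + bytes([fr[26] ^ 1]) + fr[27:]  # flip a bit in the EAP type byte
    return {
        "ias_attr_order": [t for t, _ in decode(ias)[3]],
        "fr_attr_order": [t for t, _ in decode(fr)[3]],
        "ias_len": len(ias),
        "fr_len": len(fr),
        "both_verify": verify_message_authenticator(ias, secret, request_auth)
                       and verify_message_authenticator(fr, secret, request_auth),
        "tampered_rejected": not verify_message_authenticator(tampered, secret, request_auth),
        "eap_start_flag": bool(decode_eap(eap_start)[3] & EAP_TLS_FLAG_START),
        "bounced_challenge": server_disposition(fr),
    }


if __name__ == "__main__":
    print(demo())
```

Both challenges carry the same EAP-TLS Start request and both pass Message-Authenticator verification, so an AP that only accepts one of the two orders is rejecting a valid packet. Passing the FreeRADIUS-order challenge through `server_disposition` gives the same answer FreeRADIUS logs when the AP bounces it: ignore.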
Re: EAP/TLS trouble
Alan DeKok wrote:
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:

Sorry, me again. I think I have some misconfiguration but, to my point of view it comes from FreeRADIUS configuration. But I haven't found where...

I checked the dialog differences between FreeRADIUS and IAS in my case using ethereal:

IAS :
1. AP -> IAS-radius ACCESS REQUEST (1) : EAP message type identity
2. IAS-radius -> AP ACCESS CHALLENGE (11) : EAP request type EAP-TLS (flag start)
3. AP -> IAS-radius ACCESS REQUEST (1) : EAP message code response (SSL hello)
4. IAS-radius -> AP ACCESS CHALLENGE (11) : EAP message
5. ... negotiation ends normally with Access Accept

Freeradius :
1. AP -> freeradius ACCESS REQUEST (1) : EAP message type identity
2. freeradius -> AP ACCESS CHALLENGE (11) : EAP request type EAP-TLS (flag start)
3. AP -> freeradius ACCESS CHALLENGE (11) : EAP request type EAP-TLS (flag start)
3. AP -> freeradius ACCESS CHALLENGE (11) : EAP request type EAP-TLS (flag start)
END of negotiation

I don't understand why the AP sent an ACCESS CHALLENGE instead of an ACCESS REQUEST containing a SSL handshake.

But I had observed something a little bit ahum ... interesting :
When radius servers reply to AP the 1st time they send the same EAP request but EAP message authenticator & EAP States are inverted at the end of the frame.
So, another idea, is when the AP (In my case an INTEL PRO 5000) receives such a frame, it cannot interpret it because it is malformed and sends it back to the Radius server.
I am not an EAP expert but I can understand that if a frame is malformed the negotiation can begin...

What happened with other APs like Aironet ??? Someone ???

Thanks for any help...

Here is my log (I can provide complete cap files if any)

--- IAS ethereal capture :

Frame 4 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: 00:90:27:df:63:61, Dst: 00:50:04:48:42:18
Internet Protocol, Src Addr: 192.168.6.51 (192.168.6.51), Dst Addr: 192.168.6.73 (192.168.6.73)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 1024 (1024)
Radius Protocol
    Code: Access challenge (11)
    Packet identifier: 0x65 (101)
    Length: 76
    Authenticator
    Attribute value pairs
        t:Session Timeout(27) l:6, Value:30
        t:EAP Message(79) l:8
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 101
                Length: 6
                Type: EAP-TLS [RFC2716] [Aboba] (13)
                Flags(0x20): Start
    --> t:State(24) l:24, Value:15BD01ED01370001C0A8063300010011
    --> t:Message Authenticator(80) l:18, Value:E7DEA72137BD47280570CACBB76D4010

--- Freeradius ethereal capture :

Frame 2 (126 bytes on wire, 126 bytes captured)
Ethernet II, Src: 00:90:27:df:3b:b2, Dst: 00:50:04:48:42:18
Internet Protocol, Src Addr: 192.168.6.38 (192.168.6.38), Dst Addr: 192.168.6.73 (192.168.6.73)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 1024 (1024)
    Source port: radius (1812)
    Destination port: 1024 (1024)
    Length: 92
    Checksum: 0x1f46 (correct)
Radius Protocol
    Code: Access challenge (11)
    Packet identifier: 0x65 (101)
    Length: 84
    Authenticator
    Attribute value pairs
        t:EAP Message(79) l:8
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 101
                Length: 6
                Type: EAP-TLS [RFC2716] [Aboba] (13)
                Flags(0x20): Start
    ---> t:Message Authenticator(80) l:18, Value:17D6EED226D4BCD1C61BF1341734CFB4
    ---> t:State(24) l:38, Value:6DB22C56FAD125A927314088F49BA683F3E74D3FCB1E55934676BEBF30ACE44B158FA5EE

here is my radiusd.conf (in case of...)

##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.123 2002/11/12 20:22:48 aland Exp $
##

# The location of other config files and
# logfiles are declared in this file
#
# Also general configuration for modules can be done
# in this file, it is exported through the API to
# modules that ask for it.
#
# The configuration variables defined here are of the form ${foo}
# They are local to this file, and do not change from request to
# request.
#
# The per-request variables are of the form %{Attribute-Name}, and
# are taken from the values of the attribute in the incoming
# request. See 'doc/variables.txt' for more information.

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
# The logging messages for the server are appended to the
# tail of this file.
#
log_file = ${logdir}/radius.log

#
# libdir: Where to find the rlm_* modules.
Re: EAP/TLS trouble
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
> So,
> is the misconfiguration due to the fact that my clients are MS type
> (Windows 2000 and XP) and not the radius server nor my certificates are
> wrong ?

  No. As I said, the problem is that the AP is receiving an Access-Challenge packet from FreeRADIUS, and is sending it back to the server. It's not supposed to do that.

> I mean, it works fine using a Windows 2000 IAS radius server.

  I can't explain that, sorry. Double-check your networking setup. You've done SOMETHING to break it.

  It should make NO difference to your network if you simply replace the Windows IAS server with FreeRADIUS. Everything should work fine. There is NOTHING in the network that suddenly decides to stop working, when it sees FreeRADIUS.

> The radius receives in an access challenge an EAP "start" that it can't
> understand.

  No. That's not the problem.

  Alan DeKok.
Re: EAP/TLS trouble
Alan DeKok wrote:
> Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
> > > You've managed to convince the server to send packets to itself.
> > > That's quite a feat.
> >
> > No 192.168.6.73 is my AP ..

So sorry, it's my fault, it's my client through the AP.

>   Then the AP is bouncing the Access-Challenge packet back to the server.
> The AP SHOULD NOT be sending Access-Challenges to the server.
>
>   Fix that, and it should work.

So, is the misconfiguration due to the fact that my clients are MS type (Windows 2000 and XP) and not the radius server nor my certificates are wrong?
I mean, it works fine using a Windows 2000 IAS radius server.
Do you understand ;-)
The radius receives in an access challenge an EAP "start" that it can't understand.
Re: EAP/TLS trouble
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
> > You've managed to convince the server to send packets to itself.
> > That's quite a feat.
>
> No 192.168.6.73 is my AP ..

  Then the AP is bouncing the Access-Challenge packet back to the server. The AP SHOULD NOT be sending Access-Challenges to the server.

  Fix that, and it should work.

  Alan DeKok.
Re: EAP/TLS trouble
Alan DeKok wrote:
> Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
> > after generating and installing freeradius, generating and installing
> > certificates on server and client, I tried to initiate an EAP/TLS
> > negotiation but negotiation failed after the 2nd frame:
> >
> > "rad_recv: Access-Challenge packet from host 192.168.6.73:1024, id=203,
> > length=84
> > Reply packet code 11 sent to a non-proxy reply port from client
> > borne-wifi:1024 - ID 203 : IGNORED"
>
>   You've got something seriously misconfigured.
>
> > Sending Access-Challenge of id 209 to 192.168.6.73:1024 ...
> > rad_recv: Access-Challenge packet from host 192.168.6.73:1024, id=209,
>
>   You've managed to convince the server to send packets to itself.
> That's quite a feat.

No 192.168.6.73 is my AP ..
Re: EAP/TLS trouble
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
> after generating and installing freeradius, generating and installing
> certificates on server and client, I tried to initiate an EAP/TLS
> negotiation but negotiation failed after the 2nd frame:
>
> "rad_recv: Access-Challenge packet from host 192.168.6.73:1024, id=203,
> length=84
> Reply packet code 11 sent to a non-proxy reply port from client
> borne-wifi:1024 - ID 203 : IGNORED"

  You've got something seriously misconfigured.

> Sending Access-Challenge of id 209 to 192.168.6.73:1024 ...
> rad_recv: Access-Challenge packet from host 192.168.6.73:1024, id=209,

  You've managed to convince the server to send packets to itself. That's quite a feat.

  I have no clue what you're doing wrong, but it looks like you've gone out of your way to configure the server very strangely. I've been using EAP-TLS for a while, and have never had a problem like this.

  Alan DeKok.
EAP/TLS trouble
Hi all,

my eap module authentication doesn't seem to work properly.

1st of all here is my configuration :
- AP : INTEL PRO/Wireless 5000 LAN Access Point
- Radius server : Linux Mandrake 9.1 Beta with :
  Openssl (and openssl-develop) : 0.9.7a-1.1
  Freeradius : 0.9.0
  Cert generation : openssl openssl-certgen-0.9.7-beta3
- Wifi client : Windows 2000 SP3 client with a pcmcia intel 5000 wireless LAN

So, after generating and installing freeradius, generating and installing certificates on server and client, I tried to initiate an EAP/TLS negotiation but negotiation failed after the 2nd frame :

"rad_recv: Access-Challenge packet from host 192.168.6.73:1024, id=203, length=84
Reply packet code 11 sent to a non-proxy reply port from client borne-wifi:1024 - ID 203 : IGNORED"

My idea is : the EAP start has not been done and the challenge is not possible :
"rlm_eap: EAP Start not found"

My question is : where am I wrong?

Thanks a lot all !

In radiusd log I got :

rad_recv: Access-Request packet from host 192.168.6.73:1024, id=209, length=157
        User-Name = "[EMAIL PROTECTED]"
        NAS-IP-Address = 10.0.10.1
        Called-Station-Id = "00053C085BFF"
        Calling-Station-Id = "00053C081C8C"
        NAS-Identifier = "WDAP5000"
        NAS-Port = 1
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02d0001d0141646d696e697374726174657572406f73697269732e6672
        Message-Authenticator = 0x753bbcef45b7674e49cf5493743d7b24
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  rlm_eap: EAP packet type notification id 208 length 29
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated
    rlm_realm: Looking up realm "osiris.fr" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "osiris.fr"
    rlm_realm: Adding Stripped-User-Name = "Administrateur"
    rlm_realm: Proxying request from user Administrateur to realm osiris.fr
    rlm_realm: Adding Realm = "osiris.fr"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop
    users: Matched DEFAULT at 158
    users: Matched Administrateur at 223
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
  rlm_eap: list_clean deleted one item
  rlm_eap: EAP packet type notification id 208 length 29
  rlm_eap: EAP Start not found
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 209 to 192.168.6.73:1024
        EAP-Message = 0x01d100060d20
        Message-Authenticator = 0x
        State = 0xa13a1b3dc1e9b3750120ef9d9862851e7d654b3fe86a1ddfb96101aa4d067d80103f6474
Finished request 60
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Challenge packet from host 192.168.6.73:1024, id=209, length=84
Reply packet code 11 sent to a non-proxy reply port from client borne-wifi:1024

Ethereal report :
0.00     192.168.6.73 -> 192.168.6.38 RADIUS Access Request(1) (id=205, l=157)
0.489001 Intel_df:3b:b2 -> Broadcast ARP Who has 192.168.6.73? Tell 192.168.6.38
0.489210 3com_48:42:18 -> Intel_df:3b:b2 ARP 192.168.6.73 is at 00:50:04:48:42:18
0.489236 192.168.6.38 -> 192.168.6.73 RADIUS Access challenge(11) (id=205, l=84)
0.490142 192.168.6.73 -> 192.168.6.38 RADIUS Access challenge(11) (id=205, l=84)
2.482117 192.168.6.73 -> 192.168.6.38 RADIUS Access challenge(11) (id=205, l=84)