Re: EAP/TLS trouble

2003-08-29 Thread Fabrice Beauvir
Yes,
  I agree with you, the problem comes from my AP.
Thank you for these precisions.

I am actually contacting Intel and I'll share with you the feedback.

Anyway, if anybody has some tips and feedback about using the Intel Pro
Wireless 5000

Alan DeKok wrote:

>  I'm willing to change the code in FreeRADIUS, but I would rather
> not.  The AP should be thrown in the garbage, (or upgraded) instead.
>
>  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 





Re: EAP/TLS trouble

2003-08-28 Thread Alan DeKok
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
>  I think I have some misconfiguration but, to my point of view it comes
> from the FreeRADIUS configuration .

  I doubt that very much.

>  Freeradius :
>  1.  AP -> freeradius ACCESS REQUEST (1) : EAP message type identity
>  2.  freeradius -> AP ACCESS CHALLENGE (11) : EAP request type EAP-TLS
>  (flag start)
>  3.  AP -> freeradius ACCESS CHALLENGE (11) : EAP request type EAP-TLS
>  (flag start)

  There is NOTHING you can do to the RADIUS server to make the AP send
an Access-Challenge back to the RADIUS server.

  The AP is broken.

  The AP MUST NOT send an Access-Challenge to the RADIUS server.  Any
AP which DOES send an Access-Challenge is stupid and wrong.

> I don't understand why the AP sent an ACCESS CHALLENGE instead of an ACCESS
> REQUEST containing an SSL handshake .

  Because the AP is broken.  Rather than giving an error message
saying what it doesn't like, it does something incredibly stupid.  So
you blame FreeRADIUS, rather than the AP.  Nice.

> But I had observed something a little bit ahum ... interesting :
>  When the radius servers reply to the AP the first time they send the same EAP
> request, but the EAP Message Authenticator & EAP State are inverted at the
> end of the frame .
> So, another idea, is when the AP (in my case an INTEL PRO 5000) receives
> such a frame, it cannot interpret it because it is malformed and sends it
> back to the Radius server .

  No.  The RFCs allow the RADIUS attributes to be in any order.  If
the AP wants them in a certain order, it's broken.

  It looks like the AP does NOT like the order of the attributes sent
by FreeRADIUS.  But rather than doing anything intelligent, it does
the stupidest thing imaginable.

  I would suggest calling the company who sold you the AP, and
complaining that it's broken.  Tell them you want a firmware upgrade
so that the AP actually handles the RADIUS protocol.

> I am not an EAP expert but I can understand that if a frame is malformed
> the negotiation can begin...

  The packet is not malformed.  It's fine.

> What happened with other APs like Aironet ??? Someone ???

  They work.  They don't go out of their way to do stupid things.

  I'm willing to change the code in FreeRADIUS, but I would rather
not.  The AP should be thrown in the garbage, (or upgraded) instead.

  Alan DeKok.
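
As an added example (not code from this thread, from FreeRADIUS or from Intel), the script below decodes the two EAP-Message values quoted from the radiusd log in the original post, and builds two Access-Challenge packets whose only difference is the State / Message-Authenticator order seen in the IAS and FreeRADIUS captures, to show that a RADIUS parser which walks attributes by their length fields extracts the same set from both. Attribute numbers follow RFC 2865/2869; the State value and the zeroed authenticator are constructed for the demonstration.

```python
import struct

# EAP-Message values copied from the radiusd log quoted in the original post.
EAP_IDENTITY_RESPONSE = bytes.fromhex(
    "02d0001d0141646d696e697374726174657572406f73697269732e6672")
EAP_TLS_START = bytes.fromhex("01d100060d20")
ACCESS_CHALLENGE = 11                          # RFC 2865 packet code
ATTR_STATE, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 24, 79, 80

def parse_eap(pkt):
    """Decode an EAP packet (RFC 3748 header, RFC 2716 EAP-TLS flags)."""
    if len(pkt) < 4 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("EAP length field does not match packet")
    code, ident = pkt[0], pkt[1]
    out = {"code": {1: "Request", 2: "Response"}.get(code, code), "id": ident}
    if code in (1, 2):                  # Request/Response carry a Type byte
        etype, data = pkt[4], pkt[5:]
        if etype == 1:                  # Identity
            out["identity"] = data.decode()
        elif etype == 13 and data:      # EAP-TLS: first data byte is L/M/S flags
            out["tls_flags"] = {"L": bool(data[0] & 0x80),
                                "M": bool(data[0] & 0x40),
                                "S": bool(data[0] & 0x20)}
    return out

def build_radius(code, ident, avps):
    """Constructed RFC 2865 packet; authenticator left zeroed for the demo."""
    body = b"".join(bytes((t, 2 + len(v))) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_radius(pkt):
    """Return (code, id, {attr_type: value}); attribute order is irrelevant."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("RADIUS length field does not match packet")
    avps, pos = {}, 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute")
        t, ln = pkt[pos], pkt[pos + 1]
        avps[t] = pkt[pos + 2:pos + ln]
        pos += ln
    return pkt[0], pkt[1], avps

def same_challenge_in_any_order():
    """IAS and FreeRADIUS order State and Message-Authenticator differently."""
    eap = (ATTR_EAP_MESSAGE, EAP_TLS_START)
    st, mac = (ATTR_STATE, b"constructed-state"), (ATTR_MSG_AUTH, bytes(16))
    ias = build_radius(ACCESS_CHALLENGE, 101, [eap, st, mac])   # IAS order
    fr = build_radius(ACCESS_CHALLENGE, 101, [eap, mac, st])    # FreeRADIUS order
    return parse_radius(ias) == parse_radius(fr)
```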



Re: EAP/TLS trouble

2003-08-28 Thread Fabrice Beauvir
Sorry, me again .
I think I have some misconfiguration but, to my point of view it comes
from the FreeRADIUS configuration .
But I haven't found where...

I checked the dialog differences between FreeRADIUS and IAS in my case using
Ethereal :

IAS :
  1.  AP -> IAS-radius ACCESS REQUEST (1) : EAP message type identity
  2.  IAS-radius -> AP ACCESS CHALLENGE (11) : EAP request type EAP-TLS
  (flag start)
  3.  AP -> IAS-radius ACCESS REQUEST (1) : EAP message code response
  (SSL hello)
  4.  IAS-radius -> AP ACCESS CHALLENGE (11) : EAP message
  5.  ...
  negotiation ends normally with Access-Accept

Freeradius :
  1.  AP -> freeradius ACCESS REQUEST (1) : EAP message type identity
  2.  freeradius -> AP ACCESS CHALLENGE (11) : EAP request type EAP-TLS
  (flag start)
  3.  AP -> freeradius ACCESS CHALLENGE (11) : EAP request type EAP-TLS
  (flag start)
  3.  AP -> freeradius ACCESS CHALLENGE (11) : EAP request type EAP-TLS
  (flag start)
  END of negotiation

I don't understand why the AP sent an ACCESS CHALLENGE instead of an ACCESS
REQUEST containing an SSL handshake .

But I had observed something a little bit ahum ... interesting :
When the radius servers reply to the AP the first time they send the same EAP
request, but the EAP Message Authenticator & EAP State are inverted at the
end of the frame .
So, another idea, is when the AP (in my case an INTEL PRO 5000) receives
such a frame, it cannot interpret it because it is malformed and sends it
back to the Radius server .

I am not an EAP expert but I can understand that if a frame is malformed
the negotiation can begin...

What happened with other APs like Aironet ??? Someone ???

Thanks for any help...

Here is my log (I can provide complete cap files if any)
---
IAS Ethereal capture :
Frame 4 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: 00:90:27:df:63:61, Dst: 00:50:04:48:42:18
Internet Protocol, Src Addr: 192.168.6.51 (192.168.6.51), Dst Addr: 192.168.6.73 (192.168.6.73)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 1024 (1024)
Radius Protocol
   Code: Access challenge (11)
   Packet identifier: 0x65 (101)
   Length: 76
   Authenticator
   Attribute value pairs
   t:Session Timeout(27) l:6, Value:30
   t:EAP Message(79) l:8
   Extensible Authentication Protocol
   Code: Request (1)
   Id: 101
   Length: 6
   Type: EAP-TLS [RFC2716] [Aboba] (13)
   Flags(0x20): Start
-->   t:State(24) l:24, Value:15BD01ED01370001C0A8063300010011
-->   t:Message Authenticator(80) l:18, Value:E7DEA72137BD47280570CACBB76D4010

FreeRADIUS Ethereal capture :

Frame 2 (126 bytes on wire, 126 bytes captured)
Ethernet II, Src: 00:90:27:df:3b:b2, Dst: 00:50:04:48:42:18
Internet Protocol, Src Addr: 192.168.6.38 (192.168.6.38), Dst Addr: 192.168.6.73 (192.168.6.73)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 1024 (1024)
   Source port: radius (1812)
   Destination port: 1024 (1024)
   Length: 92
   Checksum: 0x1f46 (correct)
Radius Protocol
   Code: Access challenge (11)
   Packet identifier: 0x65 (101)
   Length: 84
   Authenticator
   Attribute value pairs
   t:EAP Message(79) l:8
   Extensible Authentication Protocol
   Code: Request (1)
   Id: 101
   Length: 6
   Type: EAP-TLS [RFC2716] [Aboba] (13)
   Flags(0x20): Start
--->   t:Message Authenticator(80) l:18, Value:17D6EED226D4BCD1C61BF1341734CFB4
--->   t:State(24) l:38, Value:6DB22C56FAD125A927314088F49BA683F3E74D3FCB1E55934676BEBF30ACE44B158FA5EE

Here is my radiusd.conf (in case of...)


##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##  http://www.freeradius.org/
##  $Id: radiusd.conf.in,v 1.123 2002/11/12 20:22:48 aland Exp $
##

#   The location of other config files and
#   logfiles are declared in this file
#
#   Also general configuration for modules can be done
#   in this file, it is exported through the API to
#   modules that ask for it.
#
#   The configuration variables defined here are of the form ${foo}
#   They are local to this file, and do not change from request to
#   request.
#
#   The per-request variables are of the form %{Attribute-Name}, and
#   are taken from the values of the attribute in the incoming
#   request.  See 'doc/variables.txt' for more information.

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

#
# libdir: Where to find the rlm_* modules.

Re: EAP/TLS trouble

2003-08-27 Thread Alan DeKok
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
> So,
>  is the misconfiguration due to the fact that my clients are MS type
> (Windows 2000 and XP) and not the radius server nor my certificates are
> wrong ?

  No.  As I said, the problem is that the AP is receiving an
Access-Challenge packet from FreeRADIUS, and is sending it back to the
server.  It's not supposed to do that.

> I mean , it works fine using a Windows 2000 IAS radius server.

  I can't explain that, sorry.  Double-check your networking setup.
You've done SOMETHING to break it.

  It should make NO difference to your network if you simply replace
the Windows IAS server with FreeRADIUS.  Everything should work fine.
There is NOTHING in the network that suddenly decides to stop working,
when it sees FreeRADIUS.

> The radius receives in an access challenge an EAP "start" that it can't
> understand .

  No.  That's not the problem.

  Alan DeKok.



Re: EAP/TLS trouble

2003-08-27 Thread Fabrice Beauvir
Alan DeKok wrote:

> Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
> > >  You've managed to convince the server to send packets to itself.
> > > That's quite a feat.
> >
> > No 192.168.6.73 is my AP ..

So sorry, it's my fault, it's my client through the AP .

>   Then the AP is bouncing the Access-Challenge packet back to
> the server.
>
>   The AP SHOULD NOT be sending Access-Challenges to the server.  Fix
> that, and it should work.

So,
is the misconfiguration due to the fact that my clients are MS type
(Windows 2000 and XP) and not the radius server nor my certificates are
wrong ?
I mean, it works fine using a Windows 2000 IAS radius server.

Do you understand  ;-)

The radius receives in an access challenge an EAP "start" that it can't
understand .







Re: EAP/TLS trouble

2003-08-26 Thread Alan DeKok
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
> >  You've managed to convince the server to send packets to itself.
> >That's quite a feat.
> 
> No 192.168.6.73 is my AP ..

Then the AP is bouncing the Access-Challenge packet back to
the server.

  The AP SHOULD NOT be sending Access-Challenges to the server.  Fix
that, and it should work.

  Alan DeKok.



Re: EAP/TLS trouble

2003-08-26 Thread Fabrice Beauvir
Alan DeKok wrote:

> Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
> >   after generating and installing freeradius, generating and installing
> > certificates on server and client , I tried to initiate an EAP/TLS
> > negotiation but negotiation failed after the 2nd frame :
> >
> > "rad_recv: Access-Challenge packet from host 192.168.6.73:1024, id=203,
> > length=84
> > Reply packet code 11 sent to a non-proxy reply port from client
> > borne-wifi:1024 - ID 203 : IGNORED"
>
>  You've got something seriously misconfigured.
>
> > Sending Access-Challenge of id 209 to 192.168.6.73:1024
> ...
> > rad_recv: Access-Challenge packet from host 192.168.6.73:1024, id=209,
>
>  You've managed to convince the server to send packets to itself.
> That's quite a feat.

No 192.168.6.73 is my AP ..





Re: EAP/TLS trouble

2003-08-26 Thread Alan DeKok
Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
>   after generating and installing freeradius, generating and installing
> certificates on server and client , I tried to initiate an EAP/TLS
> negotiation but negotiation failed after the 2nd frame :
>   
> "rad_recv: Access-Challenge packet from host 192.168.6.73:1024, id=203, 
> length=84
> Reply packet code 11 sent to a non-proxy reply port from client 
> borne-wifi:1024 - ID 203 : IGNORED"

  You've got something seriously misconfigured.

> Sending Access-Challenge of id 209 to 192.168.6.73:1024
...
> rad_recv: Access-Challenge packet from host 192.168.6.73:1024, id=209, 

  You've managed to convince the server to send packets to itself.
That's quite a feat.

  I have no clue what you're doing wrong, but it looks like you've
gone out of your way to configure the server very strangely.  I've
been using EAP-TLS for a while, and have never had a problem like
this.

  Alan DeKok.



EAP/TLS trouble

2003-08-26 Thread Fabrice Beauvir
Hi all ,
 my eap module authentication doesn't seem to work properly.
1st of all here is my configuration :
  - AP : INTEL PRO/Wireless 5000 LAN Access Point
  - Radius server :
    Linux Mandrake 9.1 Beta with :
      Openssl (and openssl-develop) : 0.9.7a-1.1
      Freeradius : 0.9.0
      Cert generation : openssl openssl-certgen-0.9.7-beta3
  - Wifi client :
    Windows 2000SP3 client with a pcmcia intel 5000 wireless LAN
So,
  after generating and installing freeradius, generating and installing
certificates on server and client , I tried to initiate an EAP/TLS
negotiation but negotiation failed after the 2nd frame :

"rad_recv: Access-Challenge packet from host 192.168.6.73:1024, id=203,
length=84
Reply packet code 11 sent to a non-proxy reply port from client
borne-wifi:1024 - ID 203 : IGNORED"

My idea is :
the EAP start has not been done and the challenge is not possible :
"rlm_eap: EAP Start not found"

My question is : where am I wrong ?
Thanks a lot all !

In radiusd log I got :
rad_recv: Access-Request packet from host 192.168.6.73:1024, id=209, 
length=157
   User-Name = "[EMAIL PROTECTED]"
   NAS-IP-Address = 10.0.10.1
   Called-Station-Id = "00053C085BFF"
   Calling-Station-Id = "00053C081C8C"
   NAS-Identifier = "WDAP5000"
   NAS-Port = 1
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x02d0001d0141646d696e697374726174657572406f73697269732e6672
   Message-Authenticator = 0x753bbcef45b7674e49cf5493743d7b24
modcall: entering group authorize
 modcall[authorize]: module "preprocess" returns ok
 rlm_eap: EAP packet type notification id 208 length 29
 rlm_eap: EAP Start not found
 
modcall[authorize]: module "eap" returns updated
   rlm_realm: Looking up realm "osiris.fr" for User-Name = 
"[EMAIL PROTECTED]
is.fr"
   rlm_realm: Found realm "osiris.fr"
   rlm_realm: Adding Stripped-User-Name = "Administrateur"
   rlm_realm: Proxying request from user Administrateur to realm osiris.fr
   rlm_realm: Adding Realm = "osiris.fr"
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module "suffix" returns noop
   users: Matched DEFAULT at 158
   users: Matched Administrateur at 223
 modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
 rlm_eap:  list_clean deleted one item
 rlm_eap: EAP packet type notification id 208 length 29
 rlm_eap: EAP Start not found
 rlm_eap: EAP Identity
 rlm_eap: processing type tls
 rlm_eap_tls: Initiate
 rlm_eap_tls: Start returned 1
 modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 209 to 192.168.6.73:1024
   EAP-Message = 0x01d100060d20
   Message-Authenticator = 0x
   State = 0xa13a1b3dc1e9b3750120ef9d9862851e7d654b3fe86a1ddfb96101aa4d067d80103f6474
Finished request 60
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Challenge packet from host 192.168.6.73:1024, id=209, 
length=84
Reply packet code 11 sent to a non-proxy reply port from client 
borne-wifi:1024 

Ethereal report :
0.00     192.168.6.73 -> 192.168.6.38 RADIUS Access Request(1) (id=205, l=157)
0.489001 Intel_df:3b:b2 -> Broadcast ARP Who has 192.168.6.73?  Tell 192.168.6.38
0.489210 3com_48:42:18 -> Intel_df:3b:b2 ARP 192.168.6.73 is at 00:50:04:48:42:18
0.489236 192.168.6.38 -> 192.168.6.73 RADIUS Access challenge(11) (id=205, l=84)
0.490142 192.168.6.73 -> 192.168.6.38 RADIUS Access challenge(11) (id=205, l=84)
2.482117 192.168.6.73 -> 192.168.6.38 RADIUS Access challenge(11) (id=205, l=84)
