hi Jorge
the user line should read :=System or :=Local, since you have eap as
last module in the authorize section. but this is not the point.
take a look at the state attributes. your NAS is truncating the State
attribute which was issued by Radius to 64 hexadecimal characters, i.e.
256bit (64*4):
issued:
0x6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73fafc8b0590f
received:
0x6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73faf
i have no idea if this behaviour is RFC-correct or not. the problem
doesn't or didn't occur with other radius servers, probably because
their state attributes are always/were by chance shorter.
Raghu, Alan, what do you think? are the state attributes too long or is
the NAS firmware broken?
Jorge: you can try to take a look in the radius RFC if you can find a
limitation for the state attribute... you can also try a firmware
update.
ciao
artur
original message:
Hi,
I'm trying to perform 802.1X authentication using freeradius and the
EAP-MD5 authentication method, but I am experiencing
some problems.
First, the supplicant I'm using is the XP native supplicant.
The Authenticator is an Enterasys Matrix E1.
I have read hundreds of mails looking for a similar problem and I
haven't found any. Also I have read the /doc/EAP-MD5
document from the freeradius page.
Also I have to say that I have tested the solution using other Radius
Servers (SteelBelted and MS-IAS) and all tests have worked OK
with them.
So, I think I am configuring something wrong in freeradius. So, can
anybody help me, please?
Regards.
Jorge.
The configuration is the following one
*** User file ***
I have tried with 3 different users with 3 different Auth-Types (Local,
System and EAP). The only one that has worked (has
recognized EAP and radius has issued a Challenge-String) has been EAP:
luis    Auth-Type := eap, User-Password == "hello"
*** radiusd.conf ***
eap {
default_eap_type = md5
md5 {
}
}
authorize {
preprocess
files
eap
}
authenticate {
eap
}
***** radiusd -X ********* LOG
[root@satanas sbin]# ./radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
security: max_attributes = 200
security: reject_delay = 1
main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = "/usr/local/radius/etc/raddb/users"
files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded detail
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/radius/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
main: smux_password = ""
main: snmp_write_access = no
SMUX connect try 1
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 134.141.221.252:1062, id=52, length=73
Message-Authenticator = 0x48951dd61c5d4eb2e2af4b60c866f07f
User-Name = "luis"
NAS-IP-Address = 134.141.221.252
NAS-Port = 2
EAP-Message = "\002\001\000\t\001luis"
Framed-MTU = 1000
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched luis at 108
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
rad_check_password: Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 52 to 134.141.221.252:1062
EAP-Message = "\0014\000\026\004\020\250(r\267bE*Y\017\025v\253\305LUD"
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73fafc8b0590f
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 134.141.221.252:1062, id=53, length=124
Message-Authenticator = 0x9974460f859b7d8026ccb1c5c02165b2
User-Name = "luis"
State = 0x6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73faf
NAS-IP-Address = 134.141.221.252
NAS-Port = 2
Framed-MTU = 1000
EAP-Message =
"\0024\000\032\004\020\316K\334\306\246O\367E\257\253\t
\230b\261\220luis"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched luis at 108
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
rad_check_password: Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: State verification failed.
modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 52 with timestamp 3d899d61
Sending Access-Reject of id 53 to 134.141.221.252:1062
Cleaning up request 1 ID 53 with timestamp 3d899d61
--
Artur Hecker
artur[at]hecker.info
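Added example (editor's note, not code from the thread or from FreeRADIUS): the check Artur describes, done on the two State values copied from the radiusd -X log above. RFC 2865 section 5.24 requires the NAS to return State exactly as the server sent it, and the one-octet Length field of a RADIUS attribute caps a single attribute value at 253 octets, so the 36-octet State FreeRADIUS issued is well inside what the protocol allows; a NAS that hands back only the first 32 octets is the party at fault. The script also decodes the EAP Request/MD5-Challenge from the Access-Challenge to show that the rest of the exchange is well-formed (EAP identifier 52 matches the RADIUS id, 16-octet challenge). Attribute type numbers and the 253-octet limit are from RFC 2865; everything else is constructed here.

```python
"""Check whether a NAS echoes the RADIUS State attribute unmodified.

Added example, not FreeRADIUS code. Input values are copied from the
radiusd -X log above: the State issued in the Access-Challenge (id 52)
and the State that came back in the following Access-Request (id 53).
"""
import struct

STATE_TYPE = 24        # RFC 2865 section 5.24: State
MAX_ATTR_VALUE = 253   # RFC 2865 section 5: Length octet counts type+length, max 255

# Values from the log above (constructed inputs for this example).
STATE_ISSUED = bytes.fromhex(
    "6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73fafc8b0590f")
STATE_RECEIVED = bytes.fromhex(
    "6d2728c26e0a5e55a7067440895cbafc619d893d72e45a66b2612d2defb73faf")

# The EAP-Message of the Access-Challenge exactly as radiusd -X printed it.
# radiusd uses C-style octal escapes, which Python byte literals decode the same way.
EAP_CHALLENGE = b"\0014\000\026\004\020\250(r\267bE*Y\017\025v\253\305LUD"


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Build one RFC 2865 attribute: Type octet, Length octet (covers the
    two header octets too), then the value. Refuses a value that cannot
    fit in one attribute instead of silently truncating it."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type out of range")
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError(
            f"value is {len(value)} octets, RFC 2865 allows at most {MAX_ATTR_VALUE}")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def diagnose_state_echo(issued: bytes, received: bytes) -> dict:
    """Compare the State the server issued with the one the NAS echoed.
    RFC 2865 section 5.24: the NAS must send State back unmodified."""
    if received == issued:
        verdict = "ok"
    elif len(received) < len(issued) and issued.startswith(received):
        verdict = "truncated"
    else:
        verdict = "mismatch"
    return {
        "verdict": verdict,
        "issued_octets": len(issued),
        "received_octets": len(received),
        "fits_one_attribute": len(issued) <= MAX_ATTR_VALUE,
    }


def parse_eap_md5_challenge(eap: bytes) -> dict:
    """Decode an EAP Request/MD5-Challenge:
    Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value Name."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if code != 1 or length != len(eap):
        raise ValueError("not a well-formed EAP Request")
    eap_type, value_size = eap[4], eap[5]
    if eap_type != 4:
        raise ValueError(f"EAP type {eap_type}, expected 4 (MD5-Challenge)")
    challenge = eap[6:6 + value_size]
    if len(challenge) != value_size:
        raise ValueError("EAP-Message shorter than its Value-Size claims")
    return {"identifier": ident, "challenge": challenge, "name": eap[6 + value_size:]}


if __name__ == "__main__":
    print(diagnose_state_echo(STATE_ISSUED, STATE_RECEIVED))
    print(parse_eap_md5_challenge(EAP_CHALLENGE))
    attr = encode_attribute(STATE_TYPE, STATE_ISSUED)
    print(f"State attribute on the wire: {len(attr)} octets, Length field = {attr[1]}")
```

Run it against your own radiusd -X output by pasting the two State hex strings into STATE_ISSUED and STATE_RECEIVED; a "truncated" verdict with fits_one_attribute True is the signature of a NAS that cannot carry a State longer than 32 octets, which is a firmware problem on the NAS side rather than a FreeRADIUS misconfiguration.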