I've done a new test with the latest versions:
Catalyst 2950 : IOS 12.1.19 (c2950-i6q4l2-mz.121-19.EA1a.bin)
xsupplicant client version : 0.8b
freeradius server version : 0.9.3 (snapshot-20031223)
openssl version : 0.9.7c
Client and server machines are Linux boxes (RH 7.3).
The radius server receives an 'Access-Request' with the correct identity but returns an 'Access-Reject'.
Thanks for any suggestion !!! And Merry Xmas to all ... JP.
Below are some details of the config and traces.
=======================================
Xsupplicant config file :
-------------------------
default:id = chapalain #comment here
default:auth = EAP
default:type = wireless
default : pref = md5
default : chunk_size = 1398
default : random_file = /dev/random
default : first_auth = "/sbin/dhclient eth0"
default : after_auth = "/bin/echo I authenticated"

Freeradius config :
-------------------
users file :
#=========================================================
# Test's User for 802.1x
#=========================================================
chapalain Auth-type := eap, User-Password == "aaaa"
	Service-Type = Framed-User

# Reject all
#---------------------------------------------------------
DEFAULT Auth-Type := Reject
radius.conf :
...
#
# For all EAP related authentications
eap {
	default_eap_type = md5
	md5 {
	}
}
...
authorize {
	preprocess
	eap
}

Catalyst config looks like this :
--------------------------------
aaa new-model
...
aaa authentication dot1x default group radius
...
interface FastEthernet0/19
description --- Test 802.1x ---
switchport mode access
no ip address
duplex full
speed 100
dot1x port-control auto
...
radius-server host 10.154.99.1 auth-port 1812 acct-port 1813 timeout 3 key <removed>
...
end
Output of xsupplicant :
-----------------------
Wed Dec 24 15:50:16 2003 (eth0) - Setup on device eth0 complete
Wed Dec 24 15:50:16 2003 (eth0) - Done with init.
Wed Dec 24 15:50:16 2003 (eth0) - Sending EAPOL-Start #1
Wed Dec 24 15:50:17 2003 (eth0) - Connection Established, authenticating...
Wed Dec 24 15:50:19 2003 (eth0) - Failed to Authenticate
Wed Dec 24 15:50:48 2003 (eth0) - Sending EAPOL-Start #1
Wed Dec 24 15:51:18 2003 (eth0) - Sending EAPOL-Start #2
Wed Dec 24 15:51:48 2003 (eth0) - No authenticator found! Assuming the port is authorized!
Ethereal trace on the supplicant side :
---------------------------------------
Frame 1 (150 bytes on wire, 150 bytes captured)
Ethernet II, Src: 00:06:d7:81:e6:82, Dst: 00:00:39:ca:03:3b
Internet Protocol, Src Addr: 10.154.253.18 (10.154.253.18), Dst Addr: 10.154.99.1 (10.154.99.1)
User Datagram Protocol, Src Port: radius (1812), Dst Port: radius (1812)
Radius Protocol
Code: Access Request (1)
Packet identifier: 0x29 (41)
Length: 108
Authenticator
Attribute value pairs
t:NAS IP Address(4) l:6, Value:10.154.253.18
t:NAS Port Type(61) l:6, Value:Async(0)
t:User Name(1) l:11, Value:"chapalain"
t:Service Type(6) l:6, Value:Framed(2)
t:Framed MTU(12) l:6, Value:1500
t:Calling Station Id(31) l:19, Value:"00-0b-cd-ac-7a-fa"
t:EAP Message(79) l:16
Extensible Authentication Protocol
Code: Response (2)
Id: 0
Length: 14
Type: Identity [RFC2284] (1)
Identity (9 bytes): chapalain
t:Message Authenticator(80) l:18, Value:878322BA5A0B5B33D8449259DB11A607
0000 00 00 39 ca 03 3b 00 06 d7 81 e6 82 08 00 45 00 ..9..;........E.
0010 00 88 03 3f 00 00 fe 11 43 de 0a 9a fd 12 0a 9a ...?....C.......
0020 63 01 07 14 07 14 00 74 79 85 01 29 00 6c d2 1e c......ty..).l..
0030 af e8 57 45 27 95 b7 8c 9f d2 89 8c fd 2f 04 06 ..WE'......../..
0040 0a 9a fd 12 3d 06 00 00 00 00 01 0b 63 68 61 70 ....=.......chap
0050 61 6c 61 69 6e 06 06 00 00 00 02 0c 06 00 00 05 alain...........
0060 dc 1f 13 30 30 2d 30 62 2d 63 64 2d 61 63 2d 37 ...00-0b-cd-ac-7
0070 61 2d 66 61 4f 10 02 00 00 0e 01 63 68 61 70 61 a-faO......chapa
0080 6c 61 69 6e 50 12 87 83 22 ba 5a 0b 5b 33 d8 44 lainP...".Z.[3.D
0090 92 59 db 11 a6 07 .Y....
Frame 2 (104 bytes on wire, 104 bytes captured)
Ethernet II, Src: 00:00:39:ca:03:3b, Dst: 00:00:0c:07:ac:c7
Internet Protocol, Src Addr: 10.154.99.1 (10.154.99.1), Dst Addr: 10.154.253.18 (10.154.253.18)
User Datagram Protocol, Src Port: radius (1812), Dst Port: radius (1812)
Radius Protocol
Code: Access Reject (3)
Packet identifier: 0x29 (41)
Length: 62
Authenticator
Attribute value pairs
t:EAP Message(79) l:24
Extensible Authentication Protocol
Code: Request (1)
Id: 1
Length: 22
Type: MD5-Challenge [RFC2284] (4)
Type-Data (17 bytes) Value: 10800766AEDF0F2C2DED8A76B82EFA44...
t:Message Authenticator(80) l:18, Value:3F61354DE1798D328C34D104A9E04E9E
0000 00 00 0c 07 ac c7 00 00 39 ca 03 3b 08 00 45 00 ........9..;..E.
0010 00 5a 00 00 40 00 40 11 c5 4b 0a 9a 63 01 0a 9a .Z..@.@..K..c...
0020 fd 12 07 14 07 14 00 46 bb d0 03 29 00 3e 3c 3e .......F...).><>
0030 ae 25 eb 6f f6 c3 35 7a f5 24 45 fb d8 7c 4f 18 .%.o..5z.$E..|O.
0040 01 01 00 16 04 10 80 07 66 ae df 0f 2c 2d ed 8a ........f...,-..
0050 76 b8 2e fa 44 76 50 12 3f 61 35 4d e1 79 8d 32 v...DvP.?a5M.y.2
0060 8c 34 d1 04 a9 e0 4e 9e .4....N.
Output of freeradius server :
-----------------------------
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /opt/freeradius/etc/raddb/proxy.conf
Config: including file: /opt/freeradius/etc/raddb/clients.conf
Config: including file: /opt/freeradius/etc/raddb/snmp.conf
Config: including file: /opt/freeradius/etc/raddb/sql.conf
main: prefix = "/opt/freeradius"
main: localstatedir = "/opt/freeradius/var"
main: logdir = "/opt/freeradius/var/log/radius"
main: libdir = "/opt/freeradius/lib"
main: radacctdir = "/opt/freeradius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/opt/freeradius/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
...
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x8132060
Module: Instantiated ldap (ldap)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/opt/freeradius/etc/raddb/huntgroups"
preprocess: hints = "/opt/freeradius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
...
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 10.154.253.18:1812, id=41, length=108
NAS-IP-Address = 10.154.253.18
NAS-Port-Type = Async
User-Name = "chapalain"
Service-Type = Framed-User
Framed-MTU = 1500
Calling-Station-Id = "00-0b-cd-ac-7a-fa"
EAP-Message = 0x0200000e0163686170616c61696e
Message-Authenticator = 0x878322ba5a0b5b33d8449259db11a607
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_eap: EAP packet type response id 0 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
rlm_realm: No '@' in User-Name = "chapalain", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Checking chapalain at 10
rad_check_password: Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 0
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
users: Matched DEFAULT at 15
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [chapalain/<no User-Password attribute>] (from client sw-info-ouest-test port 0 cli 00-0b-cd-ac-7a-fa)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 41 to 10.154.253.18:1812
EAP-Message = 0x010100160410800766aedf0f2c2ded8a76b82efa4476
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 41 with timestamp 3fe9a252
Nothing to do. Sleeping until we see a request.
---
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
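Added example, not code from the original post nor from the FreeRADIUS or xsupplicant projects: a small Python decoder for the two EAP-Message values that appear in the freeradius debug output above (the Identity response from the supplicant and the MD5-Challenge request the server generated), followed by the RFC 1994 digest computation a server uses to verify an EAP-MD5 response. The packet bytes are copied from the log; the password "aaaa" is the one from the users file in the post, and the function names are this example's own.

```python
# Added example: decode the EAP-Message attributes from the trace and show
# how an EAP-MD5 challenge/response is built and verified (RFC 3748 / RFC 1994).
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}

# Values copied from the freeradius debug output in the post.
IDENTITY_RESPONSE = bytes.fromhex("0200000e0163686170616c61696e")
MD5_CHALLENGE_REQ = bytes.fromhex("010100160410800766aedf0f2c2ded8a76b82efa4476")
PASSWORD = b"aaaa"  # cleartext password from the users file in the post


def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet: code, id, length, then type and type-data."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length %d for %d bytes" % (length, len(pkt)))
    body = pkt[4:length]
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and body:
        eap_type = body[0]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            info["identity"] = body[1:].decode("ascii", "replace")
        elif eap_type == 4:
            vsize = body[1]  # MD5-Challenge: value-size, value, optional name
            if 2 + vsize > len(body):
                raise ValueError("MD5-Challenge value-size exceeds packet")
            info["value"] = body[2:2 + vsize]
            info["name"] = body[2 + vsize:]
    return info


def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant side: Response carrying MD5(id || password || challenge)."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    body = bytes([4, len(digest)]) + digest
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


def check_md5_response(resp: bytes, password: bytes, challenge: bytes) -> bool:
    """Server side: recompute the digest from its own copy of the password."""
    info = parse_eap(resp)
    if info["code"] != "Response" or info.get("type") != "MD5-Challenge":
        return False
    expected = hashlib.md5(bytes([info["id"]]) + password + challenge).digest()
    return hmac.compare_digest(info["value"], expected)
```

The verification needs the cleartext password from the server's own configuration, never from the Access-Request, which is why the debug output above shows `<no User-Password attribute>` for an EAP login.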

