Ciao all,

First of all, I'm new to this project so I may ask 'dumb' questions and I may be slow to understand. Be patient!

I'm in the process of testing FreeRADIUS 2.1.11, just basic/standard setup. I've been following the following user guide: http://deployingradius.com/documents/configuration/pap.html. Very useful, by the way.

PAP, MSCHAP and MSCHAPv2 work ok, but I'm unable to get any EAP tests to pass. I've tried almost everything, including: http://deployingradius.com/documents/configuration/eap-problems.html

I need some help! Thanks in advance.

Sergio.

Test output
-------------

radtest -t eap-md5 ....... (it works ok)

(Client side)

Sending Access-Request packet to host 127.0.0.1 port 1812, id=229, length=0
    User-Name = "testuser"
    User-Password = "testpw"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
    EAP-Code = Response
    EAP-Type-Identity = "testuser"
    Message-Authenticator = 0x00
    EAP-Message = 0x02e4000d017465737475736572
Received Access-Challenge packet from host 127.0.0.1 port 1812, id=229, length=97
    Reply-Message = "Hello, testuser"
    EAP-Message = 0x01e5001604103823185ef840cc37ad7436a904db9605
    Message-Authenticator = 0xf5a2da42e33cfe56a80104afb9931946
    State = 0x3dcf853c3d2a813191ce5fb05bf39134
    EAP-Id = 229
    EAP-Code = Request
    EAP-Type-MD5 = 0x103823185ef840cc37ad7436a904db9605
Sending Access-Request packet to host 127.0.0.1 port 1812, id=230, length=93
    User-Name = "testuser"
    User-Password = "testpw"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
    EAP-Code = Response
    Message-Authenticator = 0x00000000000000000000000000000000
    EAP-Type-MD5 = 0x105a160cce9524d55843b32d1fcbaedb6b
    EAP-Id = 229
    State = 0x3dcf853c3d2a813191ce5fb05bf39134
    EAP-Message = 0x02e5001604105a160cce9524d55843b32d1fcbaedb6b
Received Access-Accept packet from host 127.0.0.1 port 1812, id=230, length=71
    Reply-Message = "Hello, testuser"
    EAP-Message = 0x03e50004
    Message-Authenticator = 0xa9e17bcb7d0b8e0ad062f9b3c5d0399c
    User-Name = "testuser"
    EAP-Id = 229
    EAP-Code = Success

Total approved auths: 1
Total denied auths: 0

(Server side)

Ready to process requests.
# Executing section authorize from file ..\etc\raddb/radiusd.conf
+- entering group authorize {...}
[auth_log] ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/127.0.0.1/auth-detail-20111016.log
++[auth_log] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++[mschap] returns noop
[files] users: Matched entry testuser at line 29
++[files] returns ok
[eap] EAP packet type response id 228 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file ..\etc\raddb/radiusd.conf
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
++[eap] returns handled
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
# Executing section authorize from file ..\etc\raddb/radiusd.conf
+- entering group authorize {...}
[auth_log] ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/127.0.0.1/auth-detail-20111016.log
++[auth_log] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++[mschap] returns noop
[files] users: Matched entry testuser at line 29
++[files] returns ok
[eap] EAP packet type response id 229 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file ..\etc\raddb/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 229 with timestamp +14
Cleaning up request 1 ID 230 with timestamp +14
Ready to process requests.

--------- EAP-MD5 test ---------

http://deployingradius.com/scripts/eapol_test/

eapol_test.exe -c md5.conf -s testing123 ( it doesn't work!)

Output:

Reading configuration file 'md5.conf'
Line: 1 - start of a new network block
ssid - hexdump_ascii(len=7):
     45 78 61 6d 70 6c 65   Example
eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00 00
eapol_flags=0 (0x0)
key_mgmt: 0x1
identity - hexdump_ascii(len=8):
     74 65 73 74 75 73 65 72   testuser
password - hexdump_ascii(len=6):
     74 65 73 74 70 77   testpw
ca_cert - hexdump_ascii(len=40):
     63 3a 2f 46 72 65 65 52 41 44 49 55 53 2f 65 74   c:/FreeRADIUS/et
     63 2f 72 61 64 64 62 2f 63 65 72 74 73 2f 52 6f   c/raddb/certs/Ro
     6f 74 43 41 2e 70 65 6d   otCA.pem
phase2 - hexdump_ascii(len=8):
     61 75 74 68 3d 4d 44 35   auth=MD5
anonymous_identity - hexdump_ascii(len=9):
     61 6e 6f 6e 79 6d 6f 75 73   anonymous
Priority group 0
   id=0 ssid='Example'
Authentication server 127.0.0.1:1812
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using anonymous identity - hexdump_ascii(len=9):
     61 6e 6f 6e 79 6d 6f 75 73   anonymous
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=14)
TX EAP -> RADIUS - hexdump(len=14): 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=9): 61 6e 6f 6e 79 6d 6f 75 73
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=126
   Attribute 1 (User-Name) length=11
      Value: 'anonymous'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=16
      Value: 02 00 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73
   Attribute 80 (Message-Authenticator) length=18
      Value: 8a 2a d9 3f 9a 16 02 d3 9e be 52 a3 cc a2 a0 b6
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 80 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
   Attribute 79 (EAP-Message) length=24
      Value: 01 01 00 16 04 10 2d 5a 5e ca fd 46 31 37 33 67 ef 5f ec 14 64 c3
   Attribute 80 (Message-Authenticator) length=18
      Value: 37 83 06 12 9c 7b 2d 98 9a e8 6b 81 79 03 ce 63
   Attribute 24 (State) length=18
      Value: cb 7a ce 96 cb 7b ca 0b 07 a3 2c 75 4a 0c c4 c6
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server: EAP-Request-MD5 (4)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: configuration does not allow: vendor 0 method 4
EAP: vendor 0 method 4 not allowed
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=1): 15
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 15
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=136
   Attribute 1 (User-Name) length=11
      Value: 'anonymous'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=8
      Value: 02 01 00 06 03 15
   Attribute 24 (State) length=18
      Value: cb 7a ce 96 cb 7b ca 0b 07 a3 2c 75 4a 0c c4 c6
   Attribute 80 (Message-Authenticator) length=18
      Value: 6b 08 01 29 89 bc 34 13 49 53 aa 7a 8d 43 4d f4
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: startWhen --> 0
STA 02:00:00:00:00:01: Resending RADIUS message (id=1)
Next RADIUS client retransmit in 6 seconds
STA 02:00:00:00:00:01: Resending RADIUS message (id=1)
Next RADIUS client retransmit in 12 seconds
STA 02:00:00:00:00:01: Resending RADIUS message (id=1)
Next RADIUS client retransmit in 24 seconds
EAPOL test timed out
EAPOL: EAP key not available
MPPE keys OK: 0 mismatch: 1
FAILURE

The server shows:

rad_recv: Access-Request packet ....
then
Sending Access-Challenge of id 0 to 127.0.0.1
then
.... nothing at all!

