PEAP, Freeradius and Cisco AP 350


PEAP, Freeradius and Cisco AP 350

J Zakhar
Having some trouble setting up PEAP with a Windows XP workstation and a Cisco 350 AP (upgraded to IOS version 12.2); I am using the default XP client to set things up. Many moons ago I had LEAP working great, but the hard drive on this Linux machine failed and it was time to reinstall. Not sure why I'm having such trouble with this.

Mousing over the icon in my task bar, "Status: Validating Identity" is all it ever says while trying to associate. I do, however, get prompted for my user name and password. Any advice/help would be much appreciated.

./radiusd -A -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/freeradius/etc/raddb/proxy.conf
Config:   including file: /usr/local/freeradius/etc/raddb/clients.conf
Config:   including file: /usr/local/freeradius/etc/raddb/snmp.conf
Config:   including file: /usr/local/freeradius/etc/raddb/eap.conf
Config:   including file: /usr/local/freeradius/etc/raddb/sql.conf
 main: prefix = "/usr/local/freeradius"
 main: localstatedir = "/usr/local/freeradius/var"
 main: logdir = "/usr/local/freeradius/var/log/radius"
 main: libdir = "/usr/local/freeradius/lib"
 main: radacctdir = "/usr/local/freeradius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/freeradius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/freeradius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/freeradius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/freeradius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/freeradius/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = yes
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/freeradius/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/freeradius/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/freeradius/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/freeradius/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/freeradius/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/freeradius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/freeradius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/freeradius/etc/raddb/users"
 files: acctusersfile = "/usr/local/freeradius/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/freeradius/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/freeradius/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.28.42.253:21646, id=35, length=132
        User-Name = "jzakhar"
        Framed-MTU = 1400
        Called-Station-Id = "0040.9647.f2d6"
        Calling-Station-Id = "000e.9b2e.179a"
        Message-Authenticator = 0x657f7e3dee2731c4e91f25c395ef47d7
        EAP-Message = 0x0202000c016a7a616b686172
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 312
        Service-Type = Framed-User
        NAS-IP-Address = 172.28.42.253
        NAS-Identifier = "apcisco"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "jzakhar", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched jzakhar at 53
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 35 to 172.28.42.253:21646
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf730c83b331f347cf002f96adbba538e
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.28.42.253:21646, id=35, length=132
Sending duplicate reply to client EAP:21646 - ID: 35
Re-sending Access-Challenge of id 35 to 172.28.42.253:21646
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 35 with timestamp 4315dbd4
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.28.42.253:21646, id=36, length=132
        User-Name = "jzakhar"
        Framed-MTU = 1400
        Called-Station-Id = "0040.9647.f2d6"
        Calling-Station-Id = "000e.9b2e.179a"
        Message-Authenticator = 0x843b8ca357e3281d250307dff3caa9e6
        EAP-Message = 0x0202000c016a7a616b686172
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 313
        Service-Type = Framed-User
        NAS-IP-Address = 172.28.42.253
        NAS-Identifier = "apcisco"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "jzakhar", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched jzakhar at 53
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 36 to 172.28.42.253:21646
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x479ac19253ee20dc4d21810846227fc5
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: PEAP, Freeradius and Cisco AP 350

Artur Hecker
hi


J Zakhar wrote:
> Having some trouble setting up PEAP with a windows XP workstation, a
> Cisco 350 AP (upgraded to IOS version 12.2), I am using the default XP
> Client to set things up. Many moons ago I had LEAP working great, the
> hard drive on this linux machine failed and it was time to reinstall.
> Not sure why i'm having such trouble with this.
>  
> Mousing over the icon in my task bar Status: Validating Identity is all
> it ever says while trying to associate. I do however get prompted for my
> user name and password. Any advice/help would be much appreciated.

Unfortunately, IMHO Windows XP prompts for those before it starts the
exchanges.

From your log it seems that there is no error on the FreeRADIUS side. FR
sends out the Challenge, but the second message from the client (id =
36) looks to me like a repeat of the original Request (id 35): the
contents of the EAP-Message are the same.

Thus it seems that your Windows client is not answering the challenge,
or the access point does not relay the challenge to the Windows client.

Difficult to say more from what you've given so far. You could try the
following:

- Are you sure that you posted the complete log?

- If yes, deactivate Server Validation in the Windows XP PEAP client
(only for testing; activate it again later) and restart. See if the
authentication gets any further.

- If that does not change anything, take a look at Ken Rosner's TLS
FAQ (see www.freeradius.org). He describes how to activate EAP debug on
Cisco 350 APs. Log in to your Cisco, activate EAP debug level 2
and see what happens, i.e. whether it relays messages to the user machine.



ciao
artur


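The two EAP-Message values in the log above, and Artur's observation that request id 36 carries the same EAP payload as id 35, can be checked mechanically rather than by eye. The following is an added example (not code from the thread or from FreeRADIUS): it decodes the EAP-Message attribute exactly as radiusd -X prints it, and walks the debug output to flag a supplicant that answers an Access-Challenge by re-sending its Identity Response under a fresh RADIUS identifier, which is the signature of a challenge that never reached the client. The LOG constant is trimmed from the debug output posted above (only the rad_recv, Sending, User-Name and EAP-Message lines are kept); the EAP type names come from the IANA EAP registry.

```python
"""Decode EAP-Message attributes from a FreeRADIUS debug log and flag a stalled
EAP conversation (the supplicant re-sends its Identity Response instead of
answering the server's challenge).

Added example, not code from the thread or from FreeRADIUS. LOG is trimmed
from the debug output posted in the thread: only the rad_recv, Sending,
User-Name and EAP-Message lines are kept."""
import re
from typing import List, Optional, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 17: "LEAP",
             25: "PEAP", 26: "MSCHAPv2"}
# Flag bits in the first data byte of EAP-TLS / PEAP packets.
TLS_FLAGS = ((0x80, "Length"), (0x40, "More"), (0x20, "Start"))

LOG = """\
rad_recv: Access-Request packet from host 172.28.42.253:21646, id=35, length=132
        User-Name = "jzakhar"
        EAP-Message = 0x0202000c016a7a616b686172
Sending Access-Challenge of id 35 to 172.28.42.253:21646
        EAP-Message = 0x010300061920
rad_recv: Access-Request packet from host 172.28.42.253:21646, id=35, length=132
Sending duplicate reply to client EAP:21646 - ID: 35
Re-sending Access-Challenge of id 35 to 172.28.42.253:21646
rad_recv: Access-Request packet from host 172.28.42.253:21646, id=36, length=132
        User-Name = "jzakhar"
        EAP-Message = 0x0202000c016a7a616b686172
Sending Access-Challenge of id 36 to 172.28.42.253:21646
        EAP-Message = 0x010300061920
"""

RE_REQUEST = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
RE_CHALLENGE = re.compile(r"^Sending Access-Challenge of id (\d+)")
RE_USER = re.compile(r'User-Name = "([^"]*)"')
RE_EAP = re.compile(r"EAP-Message = (0x[0-9a-fA-F]+)")


def decode_eap(hex_message: str) -> dict:
    """Parse one EAP-Message value as radiusd -X prints it (0x...)."""
    raw = bytes.fromhex(hex_message[2:] if hex_message.startswith("0x") else hex_message)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: Code, Identifier, Length")
    code, identifier, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length {length} does not match {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": identifier, "type": None, "detail": ""}
    if code in (1, 2) and length >= 5:          # Request/Response carry a Type byte
        eap_type, data = raw[4], raw[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:                       # Identity: data is the outer user name
            pkt["detail"] = data.decode("utf-8", "replace")
        elif eap_type in (13, 25) and data:     # TLS-based types: first data byte is flags
            pkt["detail"] = ",".join(n for bit, n in TLS_FLAGS if data[0] & bit) or "none"
    return pkt


def parse_packets(log: str) -> List[dict]:
    """Group the debug output into packets: each rad_recv / Sending line opens a
    record; the indented attribute lines that follow are attached to it."""
    packets: List[dict] = []
    current: Optional[dict] = None
    for line in log.splitlines():
        if m := RE_REQUEST.match(line):
            current = {"dir": "request", "nas": m.group(1), "rid": int(m.group(2)),
                       "user": None, "eap": None}
            packets.append(current)
        elif m := RE_CHALLENGE.match(line):
            current = {"dir": "challenge", "rid": int(m.group(1)), "eap": None}
            packets.append(current)
        elif current is not None:
            if m := RE_USER.search(line):
                current["user"] = m.group(1)
            if m := RE_EAP.search(line):
                current["eap"] = m.group(1)
    return packets


def find_stalls(log: str) -> List[Tuple[str, int, int]]:
    """Return (user, earlier_radius_id, later_radius_id) wherever the server sent
    an EAP Request and the next request from the NAS for that user carries the
    identical EAP Response under a new RADIUS identifier, i.e. the supplicant
    never saw the challenge and started over."""
    stalls: List[Tuple[str, int, int]] = []
    last_request: Optional[dict] = None
    challenged = False
    for p in parse_packets(log):
        if p["eap"] is None:                    # radiusd dumps no attributes for duplicates
            continue
        if p["dir"] == "challenge":
            challenged = challenged or decode_eap(p["eap"])["code"] == "Request"
            continue
        if (last_request and challenged and p["user"] == last_request["user"]
                and p["eap"] == last_request["eap"] and p["rid"] != last_request["rid"]):
            stalls.append((p["user"], last_request["rid"], p["rid"]))
        last_request, challenged = p, False
    return stalls


if __name__ == "__main__":
    for hexmsg in ("0x0202000c016a7a616b686172", "0x010300061920"):
        print(hexmsg, "->", decode_eap(hexmsg))
    print("stalled conversations (user, first id, repeated id):", find_stalls(LOG))
```

Run against the thread's log this decodes 0x0202000c016a7a616b686172 as an EAP Response (id 2) of type Identity carrying "jzakhar", and 0x010300061920 as an EAP Request (id 3) of type PEAP with only the Start flag set, i.e. the server opening the outer TLS tunnel. find_stalls reports the pair (35, 36): a new RADIUS request with the same Identity Response after a challenge was sent, which is exactly what Artur spotted. The retransmit with id 35 is ignored because radiusd prints no attributes for a duplicate it answers from cache.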

Re: PEAP, Freeradius and Cisco AP 350

J Zakhar
I managed to get it working: the machine here running FreeRADIUS has 2 IP addresses. I had noticed in another message on the list that that can be problematic. I set FreeRADIUS to bind to a specific IP and it lit right up, go figure, heh. I do appreciate the response though. I spent a good 5 1/2 hours before posting to this list; I am kind of embarrassed to find out it was a simple IP address problem. Sorry for the bogus posting.

On 8/31/05, Artur Hecker <[hidden email]> wrote:
hi


J Zakhar wrote:
> Having some trouble setting up PEAP with a windows XP workstation, a
> Cisco 350 AP (upgraded to IOS version 12.2), I am using the default XP
> Client to set things up. Many moons ago I had LEAP working great, the
> hard drive on this linux machine failed and it was time to reinstall.
> Not sure why i'm having such trouble with this.
>
> Mousing over the icon in my task bar Status: Validating Identity is all
> it ever says while trying to associate. I do however get prompted for my
> user name and password. Any advice/help would be much appreciated.

unfortunately, imho Windows XP prompts for those before it starts the
exchanges.

from your log it seems that there is no error on the Freeradius side. FR
sends out the Challenge, but the second message from the client (id =
36) looks to me as a repeat of the original Request (id 35). the
contents of the EAP-Message are the same.

thus it seems that your Windows client is not answering the challenge.
Or the access point does not relay the challenge to the Windows client.

difficult to say more from what you've given so far. you could try the
following:

- are you sure that you posted the complete log?

- if yes, deactivate Server Validation in the Windows XP PEAP client
(only for testing, activate it later) and re-start. see if the
authentication gets to a further point.

- if that does not change anything, take a look at the Ken Rosner's TLS
FAQ (see www.freeradius.org). he describes how you activate EAP debug on
Cisco 350 APs. log in into your cisco, activate the EAP Debug level 2
and see what happens - if it relays messages to the user machine.



ciao
artur


>
> ./radiusd -A -X
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /usr/local/freeradius/etc/raddb/proxy.conf
> Config:   including file: /usr/local/freeradius/etc/raddb/clients.conf
> Config:   including file: /usr/local/freeradius/etc/raddb/snmp.conf
> Config:   including file: /usr/local/freeradius/etc/raddb/eap.conf
> Config:   including file: /usr/local/freeradius/etc/raddb/sql.conf
>  main: prefix = "/usr/local/freeradius"
>  main: localstatedir = "/usr/local/freeradius/var"
>  main: logdir = "/usr/local/freeradius/var/log/radius"
>  main: libdir = "/usr/local/freeradius/lib"
>  main: radacctdir = "/usr/local/freeradius/var/log/radius/radacct"
>  main: hostname_lookups = no
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_file = "/usr/local/freeradius/var/log/radius/radius.log"
>  main: log_auth = no
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/usr/local/freeradius/var/run/radiusd/radiusd.pid"
>  main: user = "(null)"
>  main: group = "(null)"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no"
>  main: nospace_user = "no"
>  main: nospace_pass = "no"
>  main: checkrad = "/usr/local/freeradius/sbin/checkrad"
>  main: proxy_requests = yes
>  proxy: retry_delay = 5
>  proxy: retry_count = 3
>  proxy: synchronous = no
>  proxy: default_fallback = yes
>  proxy: dead_time = 120
>  proxy: post_proxy_authorize = yes
>  proxy: wake_all_if_all_dead = no
>  security: max_attributes = 200
>  security: reject_delay = 1
>  security: status_server = no
>  main: debug_level = 0
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> Using deprecated naslist file.  Support for this will go away soon.
> read_config_files:  reading clients
> read_config_files:  reading realms
> radiusd:  entering modules setup
> Module: Library search path is /usr/local/freeradius/lib
> Module: Loaded exec
>  exec: wait = yes
>  exec: program = "(null)"
>  exec: input_pairs = "request"
>  exec: output_pairs = "(null)"
>  exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
>  pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
>  mschap: use_mppe = yes
>  mschap: require_encryption = yes
>  mschap: require_strong = yes
>  mschap: with_ntdomain_hack = no
>  mschap: passwd = "(null)"
>  mschap: authtype = "MS-CHAP"
>  mschap: ntlm_auth = "(null)"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
>  unix: cache = no
>  unix: passwd = "(null)"
>  unix: shadow = "(null)"
>  unix: group = "(null)"
>  unix: radwtmp = "/usr/local/freeradius/var/log/radius/radwtmp"
>  unix: usegroup = no
>  unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
>  eap: default_eap_type = "peap"
>  eap: timer_expire = 60
>  eap: ignore_unknown_eap_types = no
>  eap: cisco_accounting_username_bug = yes
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
>  gtc: challenge = "Password: "
>  gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
>  tls: rsa_key_exchange = no
>  tls: dh_key_exchange = yes
>  tls: rsa_key_length = 512
>  tls: dh_key_length = 512
>  tls: verify_depth = 0
>  tls: CA_path = "(null)"
>  tls: pem_file_type = yes
>  tls: private_key_file = "/usr/local/freeradius/etc/raddb/certs/cert-
> srv.pem"
>  tls: certificate_file =
> "/usr/local/freeradius/etc/raddb/certs/cert- srv.pem"
>  tls: CA_file = "/usr/local/freeradius/etc/raddb/certs/demoCA/cacert.pem"
>  tls: private_key_password = "whatever"
>  tls: dh_file = "/usr/local/freeradius/etc/raddb/certs/dh"
>  tls: random_file = "/usr/local/freeradius/etc/raddb/certs/random"
>  tls: fragment_size = 1024
>  tls: include_length = yes
>  tls: check_crl = no
>  tls: check_cert_cn = "(null)"
> rlm_eap: Loaded and initialized type tls
>  peap: default_eap_type = "mschapv2"
>  peap: copy_request_to_tunnel = no
>  peap: use_tunneled_reply = no
>  peap: proxy_tunneled_request_as_eap = yes
> rlm_eap: Loaded and initialized type peap
>  mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
>  preprocess: huntgroups = "/usr/local/freeradius/etc/raddb/huntgroups"

>  preprocess: hints = "/usr/local/freeradius/etc/raddb/hints"
>  preprocess: with_ascend_hack = no
>  preprocess: ascend_channels_per_line = 23
>  preprocess: with_ntdomain_hack = no
>  preprocess: with_specialix_jetstream_hack = no
>  preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
>  realm: format = "suffix"
>  realm: delimiter = "@"
>  realm: ignore_default = no
>  realm: ignore_null = no
> Module: Instantiated realm (suffix)
> Module: Loaded files
>  files: usersfile = "/usr/local/freeradius/etc/raddb/users"
>  files: acctusersfile = "/usr/local/freeradius/etc/raddb/acct_users"
>  files: preproxy_usersfile = "/usr/local/freeradius/etc/raddb/preproxy_users"
>  files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
>  acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
>  detail: detailfile = "/usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>  detail: detailperm = 384
>  detail: dirperm = 493
>  detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
>  radutmp: filename = "/usr/local/freeradius/var/log/radius/radutmp"
>  radutmp: username = "%{User-Name}"
>  radutmp: case_sensitive = yes
>  radutmp: check_with_nas = yes
>  radutmp: perm = 384
>  radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Listening on proxy *:1814
> Ready to process requests.
> rad_recv: Access-Request packet from host 172.28.42.253:21646, id=35, length=132
>         User-Name = "jzakhar"
>         Framed-MTU = 1400
>         Called-Station-Id = "0040.9647.f2d6"
>         Calling-Station-Id = "000e.9b2e.179a"
>         Message-Authenticator = 0x657f7e3dee2731c4e91f25c395ef47d7
>         EAP-Message = 0x0202000c016a7a616b686172
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 312
>         Service-Type = Framed-User
>         NAS-IP-Address = 172.28.42.253
>         NAS-Identifier = "apcisco"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "jzakhar", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: EAP packet type response id 2 length 12
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 0
>     users: Matched jzakhar at 53
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns updated for request 0
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns handled for request 0
> modcall: group authenticate returns handled for request 0
> Sending Access-Challenge of id 35 to 172.28.42.253:21646
>         EAP-Message = 0x010300061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xf730c83b331f347cf002f96adbba538e
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 172.28.42.253:21646, id=35, length=132
> Sending duplicate reply to client EAP:21646 - ID: 35
> Re-sending Access-Challenge of id 35 to 172.28.42.253:21646
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 35 with timestamp 4315dbd4
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host 172.28.42.253:21646, id=36, length=132
>         User-Name = "jzakhar"
>         Framed-MTU = 1400
>         Called-Station-Id = "0040.9647.f2d6"
>         Calling-Station-Id = "000e.9b2e.179a"
>         Message-Authenticator = 0x843b8ca357e3281d250307dff3caa9e6
>         EAP-Message = 0x0202000c016a7a616b686172
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 313
>         Service-Type = Framed-User
>         NAS-IP-Address = 172.28.42.253
>         NAS-Identifier = "apcisco"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>   modcall[authorize]: module "preprocess" returns ok for request 1
>   modcall[authorize]: module "chap" returns noop for request 1
>   modcall[authorize]: module "mschap" returns noop for request 1
>     rlm_realm: No '@' in User-Name = "jzakhar", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 1
>   rlm_eap: EAP packet type response id 2 length 12
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 1
>     users: Matched jzakhar at 53
>   modcall[authorize]: module "files" returns ok for request 1
> modcall: group authorize returns updated for request 1
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns handled for request 1
> modcall: group authenticate returns handled for request 1
> Sending Access-Challenge of id 36 to 172.28.42.253:21646
>         EAP-Message = 0x010300061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x479ac19253ee20dc4d21810846227fc5
> Finished request 1
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html