(RADIATOR) 802.1x authentication problems

Guido Gerber ggerber at btwsa.com.ar
Wed Aug 24 09:05:47 CDT 2005


To whomever could help me...
I work with networks and I was recently assigned a new project in which I
have to install a number of HotSpots (Proxim AP700), and as it is for
private use, its authentication needs to be implemented.
I was asked to at least authenticate against a file on the Radiator's
computer. I have added the user "test" and its password "test", and used
"radpwtst", which turned out OK. However, when I go into the HotSpot's
configuration, I have to set the Security options, so I choose "802.1x" and
"PEAP (EAP-MSCHAP V2)" from the list that the Proxim AP700 provides
("EAP-TLS", "EAP-TTLS", "PEAP (EAP-GTC)", "PEAP (EAP-MSCHAP V2)",
"LEAP"). I then configure the user and password (both "test"), but when the
computer goes against the hotspot and the hotspot against the Radiator, it
won't give me access. The HotSpot has Authentication mode 802.1x, Cipher
WEP, Encryption Key Length: 64 bits.

The following screen information is output:

______________
C:\>perl c:\perl\bin\radiusd
Wed Aug 24 11:06:08 2005: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
Wed Aug 24 11:06:08 2005: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
Wed Aug 24 11:06:08 2005: DEBUG: Creating authentication port 0.0.0.0:1645
Wed Aug 24 11:06:08 2005: DEBUG: Creating accounting port 0.0.0.0:1646
Wed Aug 24 11:06:08 2005: NOTICE: Server started: Radiator 3.12 on stream (LOCKED)
Wed Aug 24 11:06:13 2005: DEBUG: Packet dump:
*** Received from 192.168.1.219 port 6001 ....
Code: Access-Request
Identifier: 187
Authentic: <0><0>sy<0><0>E<128><0><0>6K<0><0>G(
Attributes:
User-Name = "test"
NAS-IP-Address = 192.168.1.219
Called-Station-Id = "00-20-a6-59-9c-c9:UADE_DEMO"
Calling-Station-Id = "00-20-a6-4e-cf-ac"
NAS-Identifier = "UADEDEMO"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
EAP-Message = <2><30><0><9><1>test
Message-Authenticator = <222><6><167>@<26><29><177>6<193><158>1.&f<26><221>
Wed Aug 24 11:06:13 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Aug 24 11:06:13 2005: DEBUG: Deleting session for test, 192.168.1.219,
Wed Aug 24 11:06:13 2005: DEBUG: Handling with Radius::AuthFILE:
Wed Aug 24 11:06:13 2005: DEBUG: Handling with EAP: code 2, 30, 9
Wed Aug 24 11:06:13 2005: DEBUG: Response type 1
Wed Aug 24 11:06:13 2005: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Wed Aug 24 11:06:13 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP MSCHAP-V2 Challenge
Wed Aug 24 11:06:13 2005: DEBUG: Access challenged for test: EAP MSCHAP-V2 Challenge
Wed Aug 24 11:06:13 2005: DEBUG: Packet dump:
*** Sending to 192.168.1.219 port 6001 ....
Code: Access-Challenge
Identifier: 187
Authentic: <0><0>sy<0><0>E<128><0><0>6K<0><0>G(
Attributes:
EAP-Message = <1><31><0> <26><1><31><0><27><16>YJ<221>H<18><160><142>w<166><190><223><199>#q<16><0>stream
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Aug 24 11:06:13 2005: DEBUG: Packet dump:
*** Received from 192.168.1.219 port 6001 ....
Code: Access-Request
Identifier: 188
Authentic: <0><0>sy<0><0>E<128><0><0>6K<0><0>G(
Attributes:
User-Name = "test"
NAS-IP-Address = 192.168.1.219
Called-Station-Id = "00-20-a6-59-9c-c9:UADE_DEMO"
Calling-Station-Id = "00-20-a6-4e-cf-ac"
NAS-Identifier = "UADEDEMO"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
EAP-Message = <2><31><0><6><3><25>
Message-Authenticator = *<160>Z<185>[<251><28>:)<223><218><160><11><19>LR
Wed Aug 24 11:06:13 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Aug 24 11:06:13 2005: DEBUG: Deleting session for test, 192.168.1.219,
Wed Aug 24 11:06:13 2005: DEBUG: Handling with Radius::AuthFILE:
Wed Aug 24 11:06:13 2005: DEBUG: Handling with EAP: code 2, 31, 6
Wed Aug 24 11:06:13 2005: DEBUG: Response type 3
Wed Aug 24 11:06:13 2005: INFO: EAP Nak desires type 25
Wed Aug 24 11:06:13 2005: DEBUG: EAP result: 1, Desired EAP type 25 not permitted
Wed Aug 24 11:06:13 2005: DEBUG: AuthBy FILE result: REJECT, Desired EAP type 25 not permitted
Wed Aug 24 11:06:13 2005: INFO: Access rejected for test: Desired EAP type 25 not permitted
Wed Aug 24 11:06:13 2005: DEBUG: Packet dump:
*** Sending to 192.168.1.219 port 6001 ....
Code: Access-Reject
Identifier: 188
Authentic: <0><0>sy<0><0>E<128><0><0>6K<0><0>G(
Attributes:
Reply-Message = "Request Denied"
______________

The following is the users file:
______________
# users
# This is an example of how to set up simple user for
# AuthBy FILE.
# The example user mikem has a password of fred, and will
# receive reply attributes suitable for most NASs.
# You can do many more interesting things. See the Radiator reference
# manual for more details
#
# You can test this user with the command
#  perl radpwtst


test User-Password = "test"
_____________

The following is the radius.cfg:
_____________
# windows.cfg
[...]
#
# You should consider this file to be a starting point only
# $Id: windows.cfg,v 1.1 2003/03/27 09:41:28 mikem Exp $

Foreground
LogStdout
LogDir		c:/Program Files/Radiator
DbDir		c:/Program Files/Radiator

# This will log at DEBUG level: very verbose
# Use a lower trace level in production systems, typically 3
Trace		4



# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with. This will work
# at least with radpwtst running on the local machine
<Client DEFAULT>
	Secret	mysecret
	DupInterval 0
</Client>

# Authenticate all realms with this
<Realm DEFAULT>
	# Look up user details in a flat file
	<AuthBy FILE>
		# %D is replaced by DbDir above
		EAPType MSCHAP-V2
		Filename %D/users
	</AuthBy>

	# Log accounting to a detail file. %D is replaced by DbDir above
	AcctLogFileName	%D/detail
</Realm>

<Handler>
	<AuthBy FILE>
		EAPType MSCHAP-v2
		Filename %D/users
	</AuthBy>
</Handler>
_____________

I would appreciate any idea to solve this ASAP.
Thanks !

Guido

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
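The rejection in the dump above comes from EAP method negotiation: the AP700 is set to "PEAP (EAP-MSCHAP V2)", so after the Identity exchange the supplicant answers the server's EAP-MSCHAP-V2 challenge with a Nak asking for type 25 (PEAP), while the AuthBy FILE clause only permits MSCHAP-V2 and so rejects. The following script is an added example, not part of the post or of Radiator; it decodes Radiator's `<decimal>` packet-dump notation, parses the EAP header and Nak per RFC 3748, and compares what the supplicant asks for against an `EAPType` list. The two EAP-Message strings and the `EAPType MSCHAP-V2` value are copied from the post; the name-to-number table for Radiator's EAPType keywords is an assumption limited to the methods the post mentions.

```python
"""Decode EAP-Message attributes from a Radiator packet dump and check what the
supplicant asks for against the server's configured EAPType list.

Added example, not Radiator code. The sample EAP-Message strings and the EAPType
value are copied from the post; EAP type numbers follow RFC 3748 and the IANA
EAP method registry."""
import re

# IANA EAP method type numbers (the subset relevant to this exchange).
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 17: "LEAP",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAP-V2"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Radiator EAPType keywords (as written in radius.cfg) mapped to IANA numbers.
# Assumed mapping, limited to the methods named in the post.
RADIATOR_EAPTYPE = {"TLS": 13, "LEAP": 17, "TTLS": 21, "PEAP": 25, "MSCHAP-V2": 26}


def decode_dump_bytes(dump: str) -> bytes:
    """Turn Radiator's dump notation into raw bytes: non-printable octets are
    shown as <decimal>, printable ones appear literally (e.g. '<1>test')."""
    out = bytearray()
    pos = 0
    for m in re.finditer(r"<(\d{1,3})>", dump):
        out += dump[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1)))
        pos = m.end()
    out += dump[pos:].encode("latin-1")
    return bytes(out)


def parse_eap(raw: bytes) -> dict:
    """Parse the EAP header (RFC 3748 section 4): Code, Identifier, Length, then
    Type and Type-Data for Requests/Responses. A Nak (type 3) carries the list
    of methods the peer is willing to use instead of the one offered."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length < 4 or length > len(raw):
        raise ValueError(f"EAP Length {length} inconsistent with {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    body = raw[4:length]
    if code in (1, 2) and body:
        pkt["type"] = body[0]
        pkt["type_name"] = EAP_TYPES.get(body[0], f"type {body[0]}")
        pkt["data"] = body[1:]
        if body[0] == 3:
            pkt["desired"] = list(body[1:])
    return pkt


def permitted_types(eaptype_setting: str) -> set:
    """Translate a Radiator 'EAPType PEAP, MSCHAP-V2' value into IANA numbers.
    Names are compared case-insensitively, so 'MSCHAP-v2' is accepted too."""
    names = [n.strip().upper() for n in eaptype_setting.split(",") if n.strip()]
    unknown = [n for n in names if n not in RADIATOR_EAPTYPE]
    if unknown:
        raise ValueError(f"unrecognised EAPType name(s): {unknown}")
    return {RADIATOR_EAPTYPE[n] for n in names}


def check_negotiation(eap_message: str, eaptype_setting: str) -> dict:
    """Explain one EAP-Message in terms of the configured EAPType list."""
    pkt = parse_eap(decode_dump_bytes(eap_message))
    allowed = permitted_types(eaptype_setting)
    names = lambda ts: ", ".join(f"{EAP_TYPES.get(t, t)} ({t})" for t in ts)
    result = {"packet": pkt, "allowed": sorted(allowed)}
    if pkt.get("type") == 3:
        wanted = pkt["desired"]
        ok = any(t in allowed for t in wanted)
        result["desired"] = wanted
        result["permitted"] = ok
        result["verdict"] = (f"Nak: supplicant wants {names(wanted)}; server permits "
                             f"{names(sorted(allowed))} -> "
                             + ("negotiation can continue" if ok else "REJECT expected"))
    elif pkt.get("type") == 1:
        result["permitted"] = True
        result["verdict"] = f"Identity response: {pkt['data'].decode('latin-1')!r}"
    else:
        ok = pkt.get("type") in allowed
        result["permitted"] = ok
        result["verdict"] = f"{pkt.get('type_name')} response; permitted={ok}"
    return result


if __name__ == "__main__":
    # EAP-Message values copied from the two Access-Requests in the post's dump,
    # checked against the post's 'EAPType MSCHAP-V2' and against a PEAP-enabled list.
    for setting in ("MSCHAP-V2", "PEAP, MSCHAP-V2"):
        print(f"EAPType {setting}")
        for msg in ("<2><30><0><9><1>test", "<2><31><0><6><3><25>"):
            print("  ", check_negotiation(msg, setting)["verdict"])
```

Run against the post's own dump, the first request decodes as an Identity response for "test" and the second as a Nak whose only desired method is 25, which is exactly the "EAP Nak desires type 25" line in the log; with `EAPType MSCHAP-V2` the check reports that a REJECT is the expected outcome, and with a list that also names PEAP it reports that negotiation can continue. Radiator's EAPType directive takes a comma-separated list, so a server meant to offer PEAP with EAP-MSCHAP-V2 inside the tunnel lists both methods; PEAP additionally needs a server certificate, which the Radiator configuration supplies through its EAPTLS_* parameters. The rejection itself is the right behaviour for a RADIUS server, which should only ever run the methods it was configured for, and a run of "Desired EAP type N not permitted" lines is worth alerting on as a sign of either a misconfigured AP or a client probing for methods the server does not offer.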