(RADIATOR) cant connect Win XP to Orinoco AP-2000 via 802.1x (continue)

Pavel Paprok ppaprok at applet.cz
Thu Aug 21 07:40:32 CDT 2003


Mike McCauley wrote:

>On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:
>  
>
>>Hello,
>>
>>I am trying to get an Orinoco/Proxim AP-2000 wifi access point working with
>>802.1x EAP/PEAP user auth by Radiator:
>>- Radiator 3.6 eval version RPM on RedHat 9, configured for EAP/PEAP
>>with demo certificates.
>>- Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
>>- Test client is a Dell notebook with Win XP (all patches applied),
>>wireless card Orinoco Silver
>>  and/or built-in Intel Pro/WirelessLAN 2100 3A
>>
>>After all the known install and config issues I met (described in the FAQ,
>>archive and UtahGeeks) I got to the point where
>>the user is authenticated OK and radius sends "Access-Accept". But that is the
>>last info in the radius log; no real connection follows, and no accounting is logged.
>>In particular the basic UtahGeeks config of the access point is pretty close to
>>our config, but unfortunately the Radiator configuration is not
>>published, so maybe I have a problem here. Or is the problem in using a
>>different wifi client?   Can somebody please help me find where the problem is?
>>    
>>
>
>That sounds a lot like the client is not configured to expect a dynamic WEP 
>key, but your Radiator is configured to send them to the AP.
>
>Check the 'WEP key will be provided for me' option in your client 
>configuration.
>  
>

Of course, as I have written below in the Windows XP client config:

"- Key is provided for me automatically ON"

Yesterday I also turned on EAP tracing in WinXP, see the log below; the
interesting part is the last line:

"We got a EAP_failure after we got a PEAP_SUCCESS.  Failing auth."

...I don't know what it means.

Pavel

>
>Cheers.
>
>  
>
>>My configuration:
>>
>>------   users ------
>>wifitest        User-Password=wifi
>>       Session-Timeout=60
>>
>>
>>------   radius.cfg ------
>>AuthPort        1812
>>AcctPort        1813
>>
>>LogStdout
>>LogDir          /var/log/radius
>>DbDir           /etc/radiator
>>
>>Trace   5
>>
>><Client XXX.XXX.XXX.XXX>
>>       Secret  XXXXX
>>       Identifier      wifi-testnet
>>       IgnoreAcctSignature     yes
>></Client>
>># now core config from eap_peap.cfg example:
>>
>><Handler TunnelledByPEAP=1>
>>       AcctLogFileName %L/detail
>>       <AuthBy FILE>
>>               Filename %D/users
>>               EAPType MSCHAP-V2
>>       </AuthBy>
>></Handler>
>><Handler>
>>       <AuthBy FILE>
>>                Filename %D/users
>>               EAPType PEAP
>>               EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>
>>               EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>>               EAPTLS_CertificateType PEM
>>
>>               EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>>               EAPTLS_PrivateKeyPassword whatever
>>
>>               EAPTLS_MaxFragmentSize 1024
>>
>>               AutoMPPEKeys
>>               # i did try also
>>               #AddToReply      MS-MPPE-Encryption-Policy =
>>Encryption-Allowed,\
>>               #               MS-MPPE-Encryption-Types  = Encryption-Any
>>                             SSLeayTrace 4
>>
>>       </AuthBy>
>></Handler>
>>
>>
>>------  WinXP client configuration ------
>>
>> - Data encryption (WEP enabled)  ON
>> - Network Authentication (Shared mode) OFF
>> - Key is provided for me automatically ON
>> - Adhoc network OFF
>> - Enable 802.1x auth ON
>> - EAP type: PEAP
>> -Authenticate as computer OFF
>> - Authenticate as guest OFF
>> - Validate server certificate OFF
>> - Authentication method: EAP-MSCHAP v2 (automatically use Windows logon
>>name OFF)
>> - Enable fast reconnect OFF
>>
>>----- something from Orinoco-2000 config -----
>>
>>Operational Mode
>> Wireless A: 802.11bg
>>    physical iface 802.11g OFDM / DSSS 2.4 GHz, enable auto channel
>>select ON, transmit rate: auto fallback,
>>    dtim period: 1 rts/cts medium reservation: 2347, enable closed
>>system: OFF
>>
>>
>> Wireless B: 802.11b only
>>     physical iface 802.11b DSSS 2.4 GHz enable auto channel select ON,
>>mcast rate: 2mbit,
>>     dtim period: 1 rts/cts medium reservation: 2347, dist AP: large,
>>enable closed system: OFF,
>>     enable load balancing: ON, enable medium density distribution: ON
>>
>>  MAC access control: OFF
>>
>>  Authentication:
>>      wireless slot A: mode 802.1x, rekeying interval: 900, encr key
>>length: 64bits
>>      wireless slot B: mode 802.1x, rekeying interval: 900, encr key
>>length: 64bits
>>
>>   Radius auth:
>>       enable radius mac access control: OFF, enable primary radius: ON,
>>enable backup radius: OFF,
>>       auth lifetime: 900sec,  primary radius server ip, port and shared
>>secret set properly, resp time: 3sec,
>>       max retr: 3
>>
>>   Radius acct:
>>       enable radius accounting: ON, enable primary radius: ON, enable
>>backup radius: OFF,
>>       primary radius server ip, port and shared secret set properly,
>>resp time: 3sec,
>>       max retr: 3
>>           DHCP server:
>>      enabled
>>
>>
>>------  radius log recorded ------ (tainted, only the last lines, real IP of radiator
>>and AP replaced, there are no ERROR lines in the log...)
>>    
>>
>>Packet length = 163
>>01 0a 00 a3 35 01 00 00 d3 70 00 00 ea 7f 00 00
>>fc 20 00 00 01 0a 77 69 66 69 74 65 73 74 04 06
>>d5 c2 c2 5e 1e 13 30 30 2d 32 30 2d 61 36 2d 34
>>38 2d 65 37 2d 33 66 1f 13 30 30 2d 30 34 2d 32
>>33 2d 34 38 2d 66 31 2d 66 33 20 13 4f 52 69 4e
>>4f 43 4f 2d 41 50 2d 32 30 30 30 41 45 0c 06 00
>>00 05 78 3d 06 00 00 00 13 4f 28 02 0b 00 26 19
>>00 17 03 01 00 1b 21 3a 80 0e 47 22 d7 62 48 7e
>>9e 6c 5f 02 a9 68 ba 5f 5d 43 03 a4 20 bb 7d 3c
>>04 50 12 4d 14 ad 48 15 4e 0b 5a da b5 23 9f ab
>>a0 b4 b8
>>Code:       Access-Request
>>Identifier: 10
>>Authentic:  5<1><0><0><211>p<0><0><234><127><0><0><252> <0><0>
>>Attributes:
>>       User-Name = "wifitest"
>>       NAS-IP-Address = ORI.NO.CO.IP
>>       Called-Station-Id = "00-20-a6-48-e7-3f"
>>       Calling-Station-Id = "00-04-23-48-f1-f3"
>>       NAS-Identifier = "ORiNOCO-AP-2000AE"
>>       Framed-MTU = 1400
>>       NAS-Port-Type = Wireless-IEEE-802-11
>>       EAP-Message =
>><2><11><0>&<25><0><23><3><1><0><27>!:<128><14>G"<215>bH~<158>l_<2><169>h<18
>>6>_]C<3><164> <187>}<<4>
>>       Message-Authenticator =
>>M<20><173>H<21>N<11>Z<218><181>#<159><171><160><180><184>
>>
>>Tue Aug 19 14:20:36 2003: DEBUG: Handling request with Handler ''
>>Tue Aug 19 14:20:36 2003: DEBUG:  Deleting session for wifitest,
>>ORI.NO.CO.IP ,
>>Tue Aug 19 14:20:36 2003: DEBUG: Handling with Radius::AuthFILE:
>>Tue Aug 19 14:20:36 2003: DEBUG: Handling with EAP: code 2, 11, 38
>>Tue Aug 19 14:20:36 2003: DEBUG: Response type 25
>>Tue Aug 19 14:20:36 2003: DEBUG: Access accepted for wifitest
>>Tue Aug 19 14:20:36 2003: DEBUG: Packet dump:
>>*** Sending to ORI.NO.CO.IP  port 6001 ....
>>
>>Packet length = 160
>>02 0a 00 a0 16 83 b2 81 33 aa 76 f3 c4 8c bd f6
>>80 76 b9 ea 1a 3a 00 00 01 37 10 34 ed 16 5d 7f
>>0e 74 a1 73 03 45 9c 75 15 67 22 90 c7 3d b5 b1
>>71 60 1d ba be d4 29 00 42 83 18 62 b0 2f 61 c6
>>ca db b1 02 2d f4 76 4e 67 65 2c 98 f2 ea 1a 3a
>>00 00 01 37 11 34 87 c2 87 6c 05 9a 2e c2 87 c5
>>39 89 e5 45 73 57 63 e9 02 be 82 f2 21 84 ea 0d
>>f9 8e cc fd 4d 72 8e d9 4b 72 37 5e 55 e9 f7 65
>>87 79 8d 45 2d 79 46 99 4f 06 03 0b 00 04 50 12
>>9d 85 0f 55 3f ea 50 c9 85 db 50 75 01 92 67 ec
>>Code:       Access-Accept
>>Identifier: 10
>>Authentic:  5<1><0><0><211>p<0><0><234><127><0><0><252> <0><0>
>>Attributes:
>>       MS-MPPE-Send-Key =
>>"<237><22>]<127><14>t<161>s<3>E<156>u<21>g"<144><199>=<181><177>q`<29><186>
>><190><212>)<0>B<131><24>b<176>/a<198><202><219><177><2>-<244>vNge,<152><242>
>><234>"
>>
>>       MS-MPPE-Recv-Key =
>>"<135><194><135>l<5><154>.<194><135><197>9<137><229>EsWc<233><2><190><130><
>>242>!<132><234><13><249><142><204><253>Mr<142><217>Kr7^U<233><247>e<135>y<14
>>1>E-yF<153>"
>>
>>       EAP-Message = <3><11><0><4>
>>       Message-Authenticator =
>><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>    
>>
>
>  
>
log from windows xp 802.1x client:

[5584] 12:58:01:192: PeapReadConnectionData
[5584] 12:58:01:192: PeapReadUserData
[5584] 12:58:01:192: RasEapGetInfo
[5584] 12:58:01:192: PeapReDoUserData
[5584] 12:58:30:234: PeapReadConnectionData
[5584] 12:58:30:234: PeapReadUserData
[5584] 12:58:30:244: RasEapGetInfo
[5584] 12:58:30:244: PeapReDoUserData
[5584] 12:58:43:203: EapPeapBegin
[5584] 12:58:43:203: PeapReadConnectionData
[5584] 12:58:43:203: PeapReadUserData
[5584] 12:58:43:203:
[5584] 12:58:43:203: EapTlsBegin(wifitest)
[5584] 12:58:43:203: State change to Initial
[5584] 12:58:43:203: EapTlsBegin: Detected 8021X authentication
[5584] 12:58:43:203: EapTlsBegin: Detected PEAP authentication
[5584] 12:58:43:203: MaxTLSMessageLength is now 16384
[5584] 12:58:43:203: EapPeapBegin done
[5584] 12:58:43:203: EapPeapMakeMessage
[5584] 12:58:43:203: EapPeapCMakeMessage
[5584] 12:58:43:203: PEAP:PEAP_STATE_INITIAL
[5584] 12:58:43:203: EapTlsCMakeMessage
[5584] 12:58:43:203: EapTlsReset
[5584] 12:58:43:203: State change to Initial
[5584] 12:58:43:203: GetCredentials
[5584] 12:58:43:203: Flag is Client and Store is Current User
[5584] 12:58:43:203: GetCachedCredentials
[5584] 12:58:43:203: PEAP GetCachedCredentials: Using cached credentials.
[5584] 12:58:43:203: MakeReplyMessage
[5584] 12:58:43:203: SecurityContextFunction
[5584] 12:58:43:243: InitializeSecurityContext returned 0x90312
[5584] 12:58:43:243: State change to SentHello
[5584] 12:58:43:243: BuildPacket
[5584] 12:58:43:243: << Sending Response (Code: 2) packet: Id: 4, 
Length: 80, Type: 13, TLS blob length: 70. Flags: L
[5584] 12:58:43:243: EapPeapCMakeMessage done
[5584] 12:58:43:243: EapPeapMakeMessage done
[5584] 12:58:43:263: EapPeapMakeMessage
[5584] 12:58:43:263: EapPeapCMakeMessage
[5584] 12:58:43:263: PEAP:PEAP_STATE_TLS_INPROGRESS
[5584] 12:58:43:263: EapTlsCMakeMessage
[5584] 12:58:43:263: MakeReplyMessage
[5584] 12:58:43:263: Reallocating input TLS blob buffer
[5584] 12:58:43:263: BuildPacket
[5584] 12:58:43:263: << Sending Response (Code: 2) packet: Id: 5, 
Length: 6, Type: 13, TLS blob length: 0. Flags:
[5584] 12:58:43:263: EapPeapCMakeMessage done
[5584] 12:58:43:263: EapPeapMakeMessage done
[5584] 12:58:43:323: EapPeapMakeMessage
[5584] 12:58:43:323: EapPeapCMakeMessage
[5584] 12:58:43:323: PEAP:PEAP_STATE_TLS_INPROGRESS
[5584] 12:58:43:323: EapTlsCMakeMessage
[5584] 12:58:43:323: MakeReplyMessage
[5584] 12:58:43:323: BuildPacket
[5584] 12:58:43:323: << Sending Response (Code: 2) packet: Id: 6, 
Length: 6, Type: 13, TLS blob length: 0. Flags:
[5584] 12:58:43:323: EapPeapCMakeMessage done
[5584] 12:58:43:323: EapPeapMakeMessage done
[5584] 12:58:43:333: EapPeapMakeMessage
[5584] 12:58:43:333: EapPeapCMakeMessage
[5584] 12:58:43:333: PEAP:PEAP_STATE_TLS_INPROGRESS
[5584] 12:58:43:333: EapTlsCMakeMessage
[5584] 12:58:43:333: MakeReplyMessage
[5584] 12:58:43:333: SecurityContextFunction
[5584] 12:58:43:393: InitializeSecurityContext returned 0x90312
[5584] 12:58:43:393: State change to SentFinished
[5584] 12:58:43:393: BuildPacket
[5584] 12:58:43:393: << Sending Response (Code: 2) packet: Id: 7, 
Length: 199, Type: 13, TLS blob length: 189. Flags: L
[5584] 12:58:43:393: EapPeapCMakeMessage done
[5584] 12:58:43:393: EapPeapMakeMessage done
[5584] 12:58:43:413: EapPeapMakeMessage
[5584] 12:58:43:413: EapPeapCMakeMessage
[5584] 12:58:43:413: PEAP:PEAP_STATE_TLS_INPROGRESS
[5584] 12:58:43:413: EapTlsCMakeMessage
[5584] 12:58:43:413: MakeReplyMessage
[5584] 12:58:43:413: SecurityContextFunction
[5584] 12:58:43:413: InitializeSecurityContext returned 0x0
[5584] 12:58:43:413: AuthenticateServer
[5584] 12:58:43:413: CreateMPPEKeyAttributes
[5584] 12:58:43:413: State change to RecdFinished
[5584] 12:58:43:413: BuildPacket
[5584] 12:58:43:413: << Sending Response (Code: 2) packet: Id: 8, 
Length: 6, Type: 13, TLS blob length: 0. Flags:
[5584] 12:58:43:413: EapPeapCMakeMessage done
[5584] 12:58:43:413: EapPeapMakeMessage done
[5584] 12:58:43:423: EapPeapMakeMessage
[5584] 12:58:43:423: EapPeapCMakeMessage
[5584] 12:58:43:423: PEAP:PEAP_STATE_TLS_INPROGRESS
[5584] 12:58:43:423: EapTlsCMakeMessage
[5584] 12:58:43:423: Negotiation successful
[5584] 12:58:43:423: PeapGetTunnelProperties
[5584] 12:58:43:423: Successfully negotiated TLS with following 
parametersdwProtocol = 0x80, Cipher= 0x6801, CipherStrength=0x80,Hash=0x8003
[5584] 12:58:43:423: PeapGetTunnelProperties done
[5584] 12:58:43:423: PeapClientDecryptTunnelData
[5584] 12:58:43:423: IsDuplicatePacket
[5584] 12:58:43:423: PeapDecryptTunnelData dwSizeofData = 0x16, pData = 
0x4261ff4
[5584] 12:58:43:423: PeapDecryptTunnelData completed with status 0x0
[5584] 12:58:43:423: PeapEncryptTunnelData
[5584] 12:58:43:423: PeapEncryptTunnelData completed with status 0x0
[5584] 12:58:43:423: EapPeapCMakeMessage done
[5584] 12:58:43:423: EapPeapMakeMessage done
[5584] 12:58:43:483: EapPeapMakeMessage
[5584] 12:58:43:483: EapPeapCMakeMessage
[5584] 12:58:43:483: PEAP:PEAP_STATE_IDENTITY_RESPONSE_SENT
[5584] 12:58:43:483: PeapClientDecryptTunnelData
[5584] 12:58:43:483: IsDuplicatePacket
[5584] 12:58:43:483: PeapDecryptTunnelData dwSizeofData = 0x38, pData = 
0x4261ff4
[5584] 12:58:43:483: PeapDecryptTunnelData completed with status 0x0
[5584] 12:58:43:483: PeapEncryptTunnelData
[5584] 12:58:43:483: PeapEncryptTunnelData completed with status 0x0
[5584] 12:58:43:483: EapPeapCMakeMessage done
[5584] 12:58:43:483: EapPeapMakeMessage done
[5584] 12:58:43:503: EapPeapMakeMessage
[5584] 12:58:43:503: EapPeapCMakeMessage
[5584] 12:58:43:503: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[5584] 12:58:43:503: PeapClientDecryptTunnelData
[5584] 12:58:43:503: IsDuplicatePacket
[5584] 12:58:43:503: PeapDecryptTunnelData dwSizeofData = 0x4e, pData = 
0x4261ff4
[5584] 12:58:43:503: PeapDecryptTunnelData completed with status 0x0
[5584] 12:58:43:503: PeapEncryptTunnelData
[5584] 12:58:43:503: PeapEncryptTunnelData completed with status 0x0
[5584] 12:58:43:503: EapPeapCMakeMessage done
[5584] 12:58:43:503: EapPeapMakeMessage done
[5584] 12:58:43:513: EapPeapMakeMessage
[5584] 12:58:43:513: EapPeapCMakeMessage
[5584] 12:58:43:513: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[5584] 12:58:43:513: PeapClientDecryptTunnelData
[5584] 12:58:43:513: IsDuplicatePacket
[5584] 12:58:43:513: PeapDecryptTunnelData dwSizeofData = 0x20, pData = 
0x4261ff4
[5584] 12:58:43:513: PeapDecryptTunnelData completed with status 0x0
[5584] 12:58:43:513: GetPEAPTLVStatusMessageValue
[5584] 12:58:43:523: CreatePEAPTLVStatusMessage
[5584] 12:58:43:523: PeapEncryptTunnelData
[5584] 12:58:43:523: PeapEncryptTunnelData completed with status 0x0
[5584] 12:58:43:523: EapPeapCMakeMessage done
[5584] 12:58:43:523: EapPeapMakeMessage done
[5584] 12:58:43:533: EapPeapMakeMessage
[5584] 12:58:43:533: EapPeapCMakeMessage
[5584] 12:58:43:533: PEAP:PEAP_STATE_PEAP_SUCCESS_SEND
[5584] 12:58:43:533: We got a EAP_failure after we got a PEAP_SUCCESS.  
Failing auth.
[5584] 12:58:43:533: EapPeapCMakeMessage done
[5584] 12:58:43:533: EapPeapMakeMessage done
[5584] 12:59:43:349: EapPeapEnd
[5584] 12:59
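
As an added example (not code from this thread or from Radiator), here is a small decoder for the Trace 5 packet dumps quoted above; it assumes the standard RADIUS attribute layout and the Microsoft vendor id 311 for the MS-MPPE key attributes, and reads the Access-Accept dump from the log to confirm that both keys and an EAP Success really are being sent to the AP, which narrows the fault to the AP-to-client leg rather than Radiator.

```python
# Added example, not from the thread or from Radiator: a small RADIUS attribute
# decoder for the Trace 5 packet dumps above. It checks that the Access-Accept carries
# the MS-MPPE-Send-Key / MS-MPPE-Recv-Key attributes AutoMPPEKeys adds, plus an EAP Success.
import struct

MICROSOFT = 311  # vendor id carried in the Vendor-Specific (26) attribute for MS-MPPE-*
NAMES = {1: "User-Name", 4: "NAS-IP-Address", 12: "Framed-MTU", 30: "Called-Station-Id",
         31: "Calling-Station-Id", 32: "NAS-Identifier", 61: "NAS-Port-Type",
         79: "EAP-Message", 80: "Message-Authenticator"}
MS_NAMES = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

def parse_radius(raw: bytes):
    """Return (code, identifier, [(attribute name, value bytes), ...])."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20  # bytes 4..19 are the 16-byte Authenticator
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = raw[pos + 2:pos + alen]
        if atype == 26:  # Vendor-Specific: 4-byte vendor id, then vtype, vlen, vvalue
            if len(value) < 6 or value[5] != len(value) - 4:
                raise ValueError("malformed Vendor-Specific attribute at offset %d" % pos)
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            name = MS_NAMES.get(vtype) if vendor == MICROSOFT else None
            attrs.append((name or "VSA-%d-%d" % (vendor, vtype), value[6:]))
        else:
            attrs.append((NAMES.get(atype, "Attr-%d" % atype), value))
        pos += alen
    return code, ident, attrs

def check_accept(hexdump: str) -> dict:
    """Summarise what the AP receives: are both keys there, and is the EAP a Success?"""
    code, ident, attrs = parse_radius(bytes.fromhex(hexdump))
    names = {name for name, _ in attrs}
    eap = [v for name, v in attrs if name == "EAP-Message"]
    return {"code": code, "id": ident,
            "has_mppe_keys": {"MS-MPPE-Send-Key", "MS-MPPE-Recv-Key"} <= names,
            "eap_success": bool(eap) and eap[0][0] == 3}  # EAP code 3 = Success

ACCEPT_HEX = (  # the 160-byte Access-Accept dump from the Radiator log above
    "020a00a01683b28133aa76f3c48cbdf6" "8076b9ea1a3a000001371034ed165d7f"
    "0e74a17303459c7515672290c73db5b1" "71601dbabed4290042831862b02f61c6"
    "cadbb1022df4764e67652c98f2ea1a3a" "00000137113487c2876c059a2ec287c5"
    "3989e545735763e902be82f22184ea0d" "f98eccfd4d728ed94b72375e55e9f765"
    "87798d452d7946994f06030b00045012" "9d850f553fea50c985db5075019267ec")
```

Running check_accept(ACCEPT_HEX) on that dump reports code 2, id 10, both MPPE keys present and an EAP Success, matching the decoded attributes Radiator printed.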
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
