(RADIATOR) Re: cant connect Win XP to Orinoco AP-2000 via 802.1x (continue)

Mike McCauley mikem at open.com.au
Thu Aug 21 18:26:47 CDT 2003


Hello Pavel,

On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:
> Mike McCauley wrote:
> >On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:
> >>Hallo,
> >>
> >>I am trying to get a wifi access point Orinoco/Proxim AP-2000 working with
> >>802.1x EAP/PEAP user auth by Radiator:
> >>- Radiator 3.6 eval version RPM on RedHat 9, configured for EAP/PEAP
> >>with demo certificates.
> >>- Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
> >>- Test client is notebook Dell with Win XP (all patches applied),
> >>wireless card Orinoco Silver
> >>  and/or builtin Intel Pro/WirelessLAN 2100 3A
> >>
> >>After all the known install and config issues I met (described in the FAQ,
> >>archive and UtahGeeks) I got to a state where the
> >>user is authenticated OK and radius sends "Access-Accept". But that is the last
> >>info in the radius log; no real connection follows, no accounting in the log.
> >>Especially the basic UtahGeeks config of the Access point is pretty close to
> >>our config, but unfortunately there is no published Radiator
> >>configuration, so maybe here I have a problem. Or is the problem in using a
> >>different wifi client?   Please, can somebody help me find where the problem is?
> >
> >That sounds a lot like the client is not configured to expect a dynamic
> > WEP key, but your Radiator is configured to send them to the AP.
> >
> >Check the 'WEP key will be provided for me' option in your client
> >configuration.
>
> Of course, as I have written below in the Windows XP client config:
>
> "- Key is provided for me automatically ON"
> Yesterday I also turned on EAP tracing in WinXP, see the log below; the interesting
> part is the last line:
>
> "We got a EAP_failure after we got a PEAP_SUCCESS.  Failing auth."
>
> ...I don't know what it means.

That is very curious, since the last thing sent by Radiator is clearly an EAP 
Success.
Perhaps the EAP Failure is being sent by the AP?

I wonder if your AP needs some configuration so that it will support dynamic 
WEP?

Cheers.

>
> Pavel
>
> >Cheers.
> >
> >>My configuration:
> >>
> >>------   users ------
> >>wifitest        User-Password=wifi
> >>       Session-Timeout=60
> >>
> >>
> >>------   radius.cfg ------
> >>AuthPort        1812
> >>AcctPort        1813
> >>
> >>LogStdout
> >>LogDir          /var/log/radius
> >>DbDir           /etc/radiator
> >>
> >>Trace   5
> >>
> >><Client XXX.XXX.XXX.XXX>
> >>       Secret  XXXXX
> >>       Identifier      wifi-testnet
> >>       IgnoreAcctSignature     yes
> >></Client>
> >># now core config from eap_peap.cfg example:
> >>
> >><Handler TunnelledByPEAP=1>
> >>       AcctLogFileName %L/detail
> >>       <AuthBy FILE>
> >>               Filename %D/users
> >>               EAPType MSCHAP-V2
> >>       </AuthBy>
> >></Handler>
> >><Handler>
> >>       <AuthBy FILE>
> >>                Filename %D/users
> >>               EAPType PEAP
> >>               EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> >>
> >>               EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> >>               EAPTLS_CertificateType PEM
> >>
> >>               EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> >>               EAPTLS_PrivateKeyPassword whatever
> >>
> >>               EAPTLS_MaxFragmentSize 1024
> >>
> >>               AutoMPPEKeys
> >>               # i did try also
> >>               #AddToReply      MS-MPPE-Encryption-Policy = Encryption-Allowed,\
> >>               #                MS-MPPE-Encryption-Types  = Encryption-Any
> >>               SSLeayTrace 4
> >>
> >>       </AuthBy>
> >></Handler>
> >>
> >>
> >>------  WinXP client configuration ------
> >>
> >> - Data encryption (WEP enabled)  ON
> >> - Network Authentication (Shared mode) OFF
> >> - Key is provided for me automatically ON
> >> - Adhoc network OFF
> >> - Enable 802.1x auth ON
> >> - EAP type: PEAP
> >> -Authenticate as computer OFF
> >> - Authenticate as guest OFF
> >> - Validate server certificate OFF
> >> - Authentication method: EAP-MSCHAP v2 (automatically use Windows logon
> >>name OFF)
> >> - Enable fast reconnect OFF
> >>
> >>----- something from Orinoco-2000 config -----
> >>
> >>Operational Mode
> >> Wireless A: 802.11bg
> >>    physical iface 802.11g OFDM / DSSS 2.4 GHz, enable auto channel
> >>select ON, transmit rate: auto fallback,
> >>    dtim period: 1 rts/cts medium reservation: 2347, enable closed
> >>system: OFF
> >>
> >>
> >> Wireless B: 802.11b only
> >>     physical iface 802.11b DSSS 2.4 GHz enable auto channel select ON,
> >>mcast rate: 2mbit,
> >>     dtim period: 1 rts/cts medium reservation: 2347, dist AP: large,
> >>enable closed system: OFF,
> >>     enable load balancing: ON, enable medium density distribution: ON
> >>
> >>  MAC access control: OFF
> >>
> >>  Authentication:
> >>      wireless slot A: mode 802.1x, rekeying interval: 900, encr key
> >>length: 64bits
> >>      wireless slot B: mode 802.1x, rekeying interval: 900, encr key
> >>length: 64bits
> >>
> >>   Radius auth:
> >>       enable radius mac access control: OFF, enable primary radius: ON,
> >>enable backup radius: OFF,
> >>       auth lifetime: 900sec,  primary radius server ip, port and shared
> >>secret set properly, resp time: 3sec,
> >>       max retr: 3
> >>
> >>   Radius acct:
> >>       enable radius accounting: ON, enable primary radius: ON, enable
> >>backup radius: OFF,
> >>       primary radius server ip, port and shared secret set properly,
> >>resp time: 3sec,
> >>       max retr: 3
> >>           DHCP server:
> >>      enabled
> >>
> >>
> >>------  radius log recorded ------ (tainted, only last lines, real ip of
> >> radiator and AP replaced, there are no ERROR lines in log...)
> >>
> >>
> >>Packet length = 163
> >>01 0a 00 a3 35 01 00 00 d3 70 00 00 ea 7f 00 00
> >>fc 20 00 00 01 0a 77 69 66 69 74 65 73 74 04 06
> >>d5 c2 c2 5e 1e 13 30 30 2d 32 30 2d 61 36 2d 34
> >>38 2d 65 37 2d 33 66 1f 13 30 30 2d 30 34 2d 32
> >>33 2d 34 38 2d 66 31 2d 66 33 20 13 4f 52 69 4e
> >>4f 43 4f 2d 41 50 2d 32 30 30 30 41 45 0c 06 00
> >>00 05 78 3d 06 00 00 00 13 4f 28 02 0b 00 26 19
> >>00 17 03 01 00 1b 21 3a 80 0e 47 22 d7 62 48 7e
> >>9e 6c 5f 02 a9 68 ba 5f 5d 43 03 a4 20 bb 7d 3c
> >>04 50 12 4d 14 ad 48 15 4e 0b 5a da b5 23 9f ab
> >>a0 b4 b8
> >>Code:       Access-Request
> >>Identifier: 10
> >>Authentic:  5<1><0><0><211>p<0><0><234><127><0><0><252> <0><0>
> >>Attributes:
> >>       User-Name = "wifitest"
> >>       NAS-IP-Address = ORI.NO.CO.IP
> >>       Called-Station-Id = "00-20-a6-48-e7-3f"
> >>       Calling-Station-Id = "00-04-23-48-f1-f3"
> >>       NAS-Identifier = "ORiNOCO-AP-2000AE"
> >>       Framed-MTU = 1400
> >>       NAS-Port-Type = Wireless-IEEE-802-11
> >>       EAP-Message =
> >><2><11><0>&<25><0><23><3><1><0><27>!:<128><14>G"<215>bH~<158>l_<2><169>h<
> >>18 6>_]C<3><164> <187>}<<4>
> >>       Message-Authenticator =
> >>M<20><173>H<21>N<11>Z<218><181>#<159><171><160><180><184>
> >>
> >>Tue Aug 19 14:20:36 2003: DEBUG: Handling request with Handler ''
> >>Tue Aug 19 14:20:36 2003: DEBUG:  Deleting session for wifitest,
> >>ORI.NO.CO.IP ,
> >>Tue Aug 19 14:20:36 2003: DEBUG: Handling with Radius::AuthFILE:
> >>Tue Aug 19 14:20:36 2003: DEBUG: Handling with EAP: code 2, 11, 38
> >>Tue Aug 19 14:20:36 2003: DEBUG: Response type 25
> >>Tue Aug 19 14:20:36 2003: DEBUG: Access accepted for wifitest
> >>Tue Aug 19 14:20:36 2003: DEBUG: Packet dump:
> >>*** Sending to ORI.NO.CO.IP  port 6001 ....
> >>
> >>Packet length = 160
> >>02 0a 00 a0 16 83 b2 81 33 aa 76 f3 c4 8c bd f6
> >>80 76 b9 ea 1a 3a 00 00 01 37 10 34 ed 16 5d 7f
> >>0e 74 a1 73 03 45 9c 75 15 67 22 90 c7 3d b5 b1
> >>71 60 1d ba be d4 29 00 42 83 18 62 b0 2f 61 c6
> >>ca db b1 02 2d f4 76 4e 67 65 2c 98 f2 ea 1a 3a
> >>00 00 01 37 11 34 87 c2 87 6c 05 9a 2e c2 87 c5
> >>39 89 e5 45 73 57 63 e9 02 be 82 f2 21 84 ea 0d
> >>f9 8e cc fd 4d 72 8e d9 4b 72 37 5e 55 e9 f7 65
> >>87 79 8d 45 2d 79 46 99 4f 06 03 0b 00 04 50 12
> >>9d 85 0f 55 3f ea 50 c9 85 db 50 75 01 92 67 ec
> >>Code:       Access-Accept
> >>Identifier: 10
> >>Authentic:  5<1><0><0><211>p<0><0><234><127><0><0><252> <0><0>
> >>Attributes:
> >>       MS-MPPE-Send-Key =
> >>"<237><22>]<127><14>t<161>s<3>E<156>u<21>g"<144><199>=<181><177>q`<29><18
> >>6>
> >> <190><212>)<0>B<131><24>b<176>/a<198><202><219><177><2>-<244>vNge,<152><
> >>242> <234>"
> >>
> >>       MS-MPPE-Recv-Key =
> >>"<135><194><135>l<5><154>.<194><135><197>9<137><229>EsWc<233><2><190><130
> >>><
> >> 242>!<132><234><13><249><142><204><253>Mr<142><217>Kr7^U<233><247>e<135>
> >>y<14 1>E-yF<153>"
> >>
> >>       EAP-Message = <3><11><0><4>
> >>       Message-Authenticator =
> >><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> log from windows xp 802.1x client:
>
> [5584] 12:58:01:192: PeapReadConnectionData
> [5584] 12:58:01:192: PeapReadUserData
> [5584] 12:58:01:192: RasEapGetInfo
> [5584] 12:58:01:192: PeapReDoUserData
> [5584] 12:58:30:234: PeapReadConnectionData
> [5584] 12:58:30:234: PeapReadUserData
> [5584] 12:58:30:244: RasEapGetInfo
> [5584] 12:58:30:244: PeapReDoUserData
> [5584] 12:58:43:203: EapPeapBegin
> [5584] 12:58:43:203: PeapReadConnectionData
> [5584] 12:58:43:203: PeapReadUserData
> [5584] 12:58:43:203:
> [5584] 12:58:43:203: EapTlsBegin(wifitest)
> [5584] 12:58:43:203: State change to Initial
> [5584] 12:58:43:203: EapTlsBegin: Detected 8021X authentication
> [5584] 12:58:43:203: EapTlsBegin: Detected PEAP authentication
> [5584] 12:58:43:203: MaxTLSMessageLength is now 16384
> [5584] 12:58:43:203: EapPeapBegin done
> [5584] 12:58:43:203: EapPeapMakeMessage
> [5584] 12:58:43:203: EapPeapCMakeMessage
> [5584] 12:58:43:203: PEAP:PEAP_STATE_INITIAL
> [5584] 12:58:43:203: EapTlsCMakeMessage
> [5584] 12:58:43:203: EapTlsReset
> [5584] 12:58:43:203: State change to Initial
> [5584] 12:58:43:203: GetCredentials
> [5584] 12:58:43:203: Flag is Client and Store is Current User
> [5584] 12:58:43:203: GetCachedCredentials
> [5584] 12:58:43:203: PEAP GetCachedCredentials: Using cached credentials.
> [5584] 12:58:43:203: MakeReplyMessage
> [5584] 12:58:43:203: SecurityContextFunction
> [5584] 12:58:43:243: InitializeSecurityContext returned 0x90312
> [5584] 12:58:43:243: State change to SentHello
> [5584] 12:58:43:243: BuildPacket
> [5584] 12:58:43:243: << Sending Response (Code: 2) packet: Id: 4,
> Length: 80, Type: 13, TLS blob length: 70. Flags: L
> [5584] 12:58:43:243: EapPeapCMakeMessage done
> [5584] 12:58:43:243: EapPeapMakeMessage done
> [5584] 12:58:43:263: EapPeapMakeMessage
> [5584] 12:58:43:263: EapPeapCMakeMessage
> [5584] 12:58:43:263: PEAP:PEAP_STATE_TLS_INPROGRESS
> [5584] 12:58:43:263: EapTlsCMakeMessage
> [5584] 12:58:43:263: MakeReplyMessage
> [5584] 12:58:43:263: Reallocating input TLS blob buffer
> [5584] 12:58:43:263: BuildPacket
> [5584] 12:58:43:263: << Sending Response (Code: 2) packet: Id: 5,
> Length: 6, Type: 13, TLS blob length: 0. Flags:
> [5584] 12:58:43:263: EapPeapCMakeMessage done
> [5584] 12:58:43:263: EapPeapMakeMessage done
> [5584] 12:58:43:323: EapPeapMakeMessage
> [5584] 12:58:43:323: EapPeapCMakeMessage
> [5584] 12:58:43:323: PEAP:PEAP_STATE_TLS_INPROGRESS
> [5584] 12:58:43:323: EapTlsCMakeMessage
> [5584] 12:58:43:323: MakeReplyMessage
> [5584] 12:58:43:323: BuildPacket
> [5584] 12:58:43:323: << Sending Response (Code: 2) packet: Id: 6,
> Length: 6, Type: 13, TLS blob length: 0. Flags:
> [5584] 12:58:43:323: EapPeapCMakeMessage done
> [5584] 12:58:43:323: EapPeapMakeMessage done
> [5584] 12:58:43:333: EapPeapMakeMessage
> [5584] 12:58:43:333: EapPeapCMakeMessage
> [5584] 12:58:43:333: PEAP:PEAP_STATE_TLS_INPROGRESS
> [5584] 12:58:43:333: EapTlsCMakeMessage
> [5584] 12:58:43:333: MakeReplyMessage
> [5584] 12:58:43:333: SecurityContextFunction
> [5584] 12:58:43:393: InitializeSecurityContext returned 0x90312
> [5584] 12:58:43:393: State change to SentFinished
> [5584] 12:58:43:393: BuildPacket
> [5584] 12:58:43:393: << Sending Response (Code: 2) packet: Id: 7,
> Length: 199, Type: 13, TLS blob length: 189. Flags: L
> [5584] 12:58:43:393: EapPeapCMakeMessage done
> [5584] 12:58:43:393: EapPeapMakeMessage done
> [5584] 12:58:43:413: EapPeapMakeMessage
> [5584] 12:58:43:413: EapPeapCMakeMessage
> [5584] 12:58:43:413: PEAP:PEAP_STATE_TLS_INPROGRESS
> [5584] 12:58:43:413: EapTlsCMakeMessage
> [5584] 12:58:43:413: MakeReplyMessage
> [5584] 12:58:43:413: SecurityContextFunction
> [5584] 12:58:43:413: InitializeSecurityContext returned 0x0
> [5584] 12:58:43:413: AuthenticateServer
> [5584] 12:58:43:413: CreateMPPEKeyAttributes
> [5584] 12:58:43:413: State change to RecdFinished
> [5584] 12:58:43:413: BuildPacket
> [5584] 12:58:43:413: << Sending Response (Code: 2) packet: Id: 8,
> Length: 6, Type: 13, TLS blob length: 0. Flags:
> [5584] 12:58:43:413: EapPeapCMakeMessage done
> [5584] 12:58:43:413: EapPeapMakeMessage done
> [5584] 12:58:43:423: EapPeapMakeMessage
> [5584] 12:58:43:423: EapPeapCMakeMessage
> [5584] 12:58:43:423: PEAP:PEAP_STATE_TLS_INPROGRESS
> [5584] 12:58:43:423: EapTlsCMakeMessage
> [5584] 12:58:43:423: Negotiation successful
> [5584] 12:58:43:423: PeapGetTunnelProperties
> [5584] 12:58:43:423: Successfully negotiated TLS with following parameters
> dwProtocol = 0x80, Cipher= 0x6801, CipherStrength=0x80,Hash=0x8003
> [5584] 12:58:43:423: PeapGetTunnelProperties done
> [5584] 12:58:43:423: PeapClientDecryptTunnelData
> [5584] 12:58:43:423: IsDuplicatePacket
> [5584] 12:58:43:423: PeapDecryptTunnelData dwSizeofData = 0x16, pData =
> 0x4261ff4
> [5584] 12:58:43:423: PeapDecryptTunnelData completed with status 0x0
> [5584] 12:58:43:423: PeapEncryptTunnelData
> [5584] 12:58:43:423: PeapEncryptTunnelData completed with status 0x0
> [5584] 12:58:43:423: EapPeapCMakeMessage done
> [5584] 12:58:43:423: EapPeapMakeMessage done
> [5584] 12:58:43:483: EapPeapMakeMessage
> [5584] 12:58:43:483: EapPeapCMakeMessage
> [5584] 12:58:43:483: PEAP:PEAP_STATE_IDENTITY_RESPONSE_SENT
> [5584] 12:58:43:483: PeapClientDecryptTunnelData
> [5584] 12:58:43:483: IsDuplicatePacket
> [5584] 12:58:43:483: PeapDecryptTunnelData dwSizeofData = 0x38, pData =
> 0x4261ff4
> [5584] 12:58:43:483: PeapDecryptTunnelData completed with status 0x0
> [5584] 12:58:43:483: PeapEncryptTunnelData
> [5584] 12:58:43:483: PeapEncryptTunnelData completed with status 0x0
> [5584] 12:58:43:483: EapPeapCMakeMessage done
> [5584] 12:58:43:483: EapPeapMakeMessage done
> [5584] 12:58:43:503: EapPeapMakeMessage
> [5584] 12:58:43:503: EapPeapCMakeMessage
> [5584] 12:58:43:503: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
> [5584] 12:58:43:503: PeapClientDecryptTunnelData
> [5584] 12:58:43:503: IsDuplicatePacket
> [5584] 12:58:43:503: PeapDecryptTunnelData dwSizeofData = 0x4e, pData =
> 0x4261ff4
> [5584] 12:58:43:503: PeapDecryptTunnelData completed with status 0x0
> [5584] 12:58:43:503: PeapEncryptTunnelData
> [5584] 12:58:43:503: PeapEncryptTunnelData completed with status 0x0
> [5584] 12:58:43:503: EapPeapCMakeMessage done
> [5584] 12:58:43:503: EapPeapMakeMessage done
> [5584] 12:58:43:513: EapPeapMakeMessage
> [5584] 12:58:43:513: EapPeapCMakeMessage
> [5584] 12:58:43:513: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
> [5584] 12:58:43:513: PeapClientDecryptTunnelData
> [5584] 12:58:43:513: IsDuplicatePacket
> [5584] 12:58:43:513: PeapDecryptTunnelData dwSizeofData = 0x20, pData =
> 0x4261ff4
> [5584] 12:58:43:513: PeapDecryptTunnelData completed with status 0x0
> [5584] 12:58:43:513: GetPEAPTLVStatusMessageValue
> [5584] 12:58:43:523: CreatePEAPTLVStatusMessage
> [5584] 12:58:43:523: PeapEncryptTunnelData
> [5584] 12:58:43:523: PeapEncryptTunnelData completed with status 0x0
> [5584] 12:58:43:523: EapPeapCMakeMessage done
> [5584] 12:58:43:523: EapPeapMakeMessage done
> [5584] 12:58:43:533: EapPeapMakeMessage
> [5584] 12:58:43:533: EapPeapCMakeMessage
> [5584] 12:58:43:533: PEAP:PEAP_STATE_PEAP_SUCCESS_SEND
> [5584] 12:58:43:533: We got a EAP_failure after we got a PEAP_SUCCESS.
> Failing auth.
> [5584] 12:58:43:533: EapPeapCMakeMessage done
> [5584] 12:58:43:533: EapPeapMakeMessage done
> [5584] 12:59:43:349: EapPeapEnd
> [5584] 12:59

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
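As a check on the point made in the reply above (that the last packet Radiator sent was an EAP Success, so the Failure the client saw must have come from somewhere else), here is an added Python decoder, not part of this thread or of Radiator, that parses the Access-Accept from the quoted Trace 5 dump: it pulls out the EAP-Message and shows it is code 3 (Success), and checks that both MS-MPPE keys, the material the AP needs for dynamic WEP, are present and shaped as RFC 2548 requires. It assumes the hex dump was copied completely; the keys themselves cannot be decrypted without the shared secret.

```python
import struct

# Constructed input: the 160-byte Access-Accept from the Radiator Trace 5 dump quoted above.
ACCESS_ACCEPT = bytes.fromhex("""
02 0a 00 a0 16 83 b2 81 33 aa 76 f3 c4 8c bd f6
80 76 b9 ea 1a 3a 00 00 01 37 10 34 ed 16 5d 7f
0e 74 a1 73 03 45 9c 75 15 67 22 90 c7 3d b5 b1
71 60 1d ba be d4 29 00 42 83 18 62 b0 2f 61 c6
ca db b1 02 2d f4 76 4e 67 65 2c 98 f2 ea 1a 3a
00 00 01 37 11 34 87 c2 87 6c 05 9a 2e c2 87 c5
39 89 e5 45 73 57 63 e9 02 be 82 f2 21 84 ea 0d
f9 8e cc fd 4d 72 8e d9 4b 72 37 5e 55 e9 f7 65
87 79 8d 45 2d 79 46 99 4f 06 03 0b 00 04 50 12
9d 85 0f 55 3f ea 50 c9 85 db 50 75 01 92 67 ec
""")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
MPPE_NAMES = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}   # vendor sub-types, RFC 2548

def parse_attributes(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("Length field %d != %d bytes read" % (length, len(raw)))
    attrs, pos = [], 20                           # skip the 16-byte Response Authenticator
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        value = raw[pos + 2:pos + alen]
        if atype == 26:                           # Vendor-Specific: id, sub-type, sub-len, data
            vendor = struct.unpack("!I", value[:4])[0]
            attrs.append((26, vendor, value[4], value[6:4 + value[5]]))
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return code, ident, attrs

def summarize(raw):
    code, ident, attrs = parse_attributes(raw)
    result = {"code": code, "id": ident, "eap": None, "mppe": []}
    eap = b"".join(v for t, _, _, v in attrs if t == 79)   # EAP-Message fragments (type 79)
    if len(eap) >= 4:
        ecode, eid, elen = struct.unpack("!BBH", eap[:4])
        result["eap"] = (EAP_CODES.get(ecode, ecode), eid, elen)
    for t, vendor, vtype, v in attrs:
        if t == 26 and vendor == 311 and vtype in MPPE_NAMES:   # Microsoft VSA (vendor id 311)
            # RFC 2548: 2-byte salt with top bit set, then 16-byte blocks; only the shape is checked.
            well_formed = bool(v[0] & 0x80) and (len(v) - 2) % 16 == 0
            result["mppe"].append((MPPE_NAMES[vtype], len(v) - 2, well_formed))
    return result
```

Run against the dump this returns code 2 (Access-Accept), EAP ("Success", 11, 4) and two well-formed 48-byte MPPE keys, so a Failure seen by the supplicant afterwards was not generated by Radiator.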

