(RADIATOR) Radiator - Linksys WRT54G - Odyssey using EAP-SIM
David Pomeroy
dpomeroy at mobile-mind.com
Wed Sep 13 12:40:38 CDT 2006
Thanks again Hugh.
By enabling debugging on the Odyssey Client I was able to narrow down on the problem some more. It seems as though the client is stopping the EAP-SIM dialogue with Radiator because the calculated MAC and received AT_MAC (from the EAP-Request/SIM/Challenge packet) do not match. I was able to calculate the expected MAC using another tool, and verified that the MAC that Odyssey is expecting is correct. Is there a way to see how Radiator is calculating the MAC and K_aut?
Thanks, Dave
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Friday, September 08, 2006 7:50 PM
To: David Pomeroy
Cc: Radiator (E-mail)
Subject: Re: (RADIATOR) Radiator with Linksys WRT54G and EAP-MD5
Hello David -
As you say - Radiator responds to the EAP SIM/Start with a Challenge,
the client responds and Radiator sends another Challenge.
I think there must be something wrong on the client end (besides
always using Identifier 0).
There is a FAQ item here describing how to configure debugging for
the Odyssey client:
http://www.open.com.au/radiator/faq.html#170
hope that helps
regards
Hugh
On 9 Sep 2006, at 03:42, David Pomeroy wrote:
>
> Setting "DupInterval 0" in the Client clause fixed my problem.
> (Thanks Hugh!)
>
> Now, both Radiator and OAC claim the EAP-MD5 dialogue is
> successful, but the Linksys WRT54G is not releasing an IP address
> to the client machine. This may be an issue with the static WEP
> keys. Linksys tech support claims they do not support RADIUS for
> this device. Has anyone successfully configured a WRT54G with a
> RADIUS server? I would like to know which EAP type was used and
> what options were set in the router's firmware.
>
> Since I'm convinced this is an issue with the router, I am more
> concerned with getting an EAP-SIM dialogue working. Using most of
> the default settings in eap_sim.cfg, the OAC machine is saying
> authentication failed. The EAP message exchange is taking place
> but OAC is not responding to the last Access-Challenge message in
> this log file. The exchange in the log file continues to loop ( 4
> messages ). Any idea on why this is happening?
>
> Thanks, DaveP.
>
> I get the following log file. ( I XXXed out the IP addresses )
>
> Fri Sep 8 10:53:24 2006: DEBUG: Finished reading configuration
> file '..\Radius-EAP-SIM\goodies\eap_sim.cfg'
> Fri Sep 8 10:53:24 2006: DEBUG: Reading dictionary file './
> dictionary'
> Fri Sep 8 10:53:25 2006: DEBUG: Creating authentication port
> 0.0.0.0:1812
> Fri Sep 8 10:53:25 2006: DEBUG: Creating accounting port 0.0.0.0:1813
> Fri Sep 8 10:53:25 2006: NOTICE: Server started: Radiator 3.15 on
> radius
> Fri Sep 8 10:54:32 2006: DEBUG: Packet dump:
> *** Received from XXX.XXX.XXX.5 port 1041 ....
> Code: Access-Request
> Identifier: 0
> Authentic:
> 1<172><205><200>k<214><205><211><196><134><218><238><228><138>m<18>
> Attributes:
> NAS-IP-Address = XXX.XXX.XXX.5
> Called-Station-Id = "0018397d4bd8"
> Calling-Station-Id = "0020e08fc5c8"
> NAS-Identifier = "0018397d4bd8"
> NAS-Port = 2
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2><1><0><5><1>
> Message-Authenticator = <206><208>G<194>)<242>&&<167><_|
> <171><13><145><223>
>
> Fri Sep 8 10:54:32 2006: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Sep 8 10:54:32 2006: DEBUG: Deleting session for ,
> XXX.XXX.XXX.5, 2
> Fri Sep 8 10:54:32 2006: DEBUG: Handling with Radius::AuthSIM:
> Fri Sep 8 10:54:32 2006: DEBUG: Handling with EAP: code 2, 1, 5
> Fri Sep 8 10:54:32 2006: DEBUG: Response type 1
> Fri Sep 8 10:54:32 2006: DEBUG: EAP result: 3, EAP SIM/Start
> Fri Sep 8 10:54:32 2006: DEBUG: AuthBy SIM result: CHALLNGE, EAP
> SIM/Start
> Fri Sep 8 10:54:32 2006: DEBUG: Access challenged for : EAP SIM/Start
> Fri Sep 8 10:54:32 2006: DEBUG: Packet dump:
> *** Sending to XXX.XXX.XXX.5 port 1041 ....
> Code: Access-Challenge
> Identifier: 0
> Authentic:
> 1<172><205><200>k<214><205><211><196><134><218><238><228><138>m<18>
> Attributes:
> EAP-Message =
> <1><2><0><20><18><10><0><0><13><1><0><0><15><2><0><4><0><0><0><1>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Sep 8 10:54:33 2006: DEBUG: Packet dump:
> *** Received from XXX.XXX.XXX.5 port 1041 ....
> Code: Access-Request
> Identifier: 0
> Authentic: <203><155><174>o<169>^<167>`<173>r<27>T<211>m<197><217>
> Attributes:
> NAS-IP-Address = XXX.XXX.XXX.5
> Called-Station-Id = "0018397d4bd8"
> Calling-Station-Id = "0020e08fc5c8"
> NAS-Identifier = "0018397d4bd8"
> NAS-Port = 2
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message =
> <2><2><0>4<18><10><0><0><14><5><0><16>1274040299002308<7><5><0><0><247
> ><253>q<20><152><8>e<217>c"<207><22><30><134><217><178><16><1><0><1>
> Message-Authenticator = <226><224>9<166>}
> <233><173><192><142><141><250><185>W<22><237><19>
>
> Fri Sep 8 10:54:33 2006: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Sep 8 10:54:33 2006: DEBUG: Deleting session for ,
> XXX.XXX.XXX.5, 2
> Fri Sep 8 10:54:33 2006: DEBUG: Handling with Radius::AuthSIM:
> Fri Sep 8 10:54:33 2006: DEBUG: Handling with EAP: code 2, 2, 52
> Fri Sep 8 10:54:33 2006: DEBUG: Response type 18
> Fri Sep 8 10:54:33 2006: DEBUG: EAP result: 3, EAP SIM/Challenge
> Fri Sep 8 10:54:33 2006: DEBUG: AuthBy SIM result: CHALLENGE, EAP
> SIM/Challenge
> Fri Sep 8 10:54:33 2006: DEBUG: Access challenged for : EAP SIM/
> Challenge
> Fri Sep 8 10:54:33 2006: DEBUG: Packet dump:
> *** Sending to XXX.XXX.XXX.5 port 1041 ....
> Code: Access-Challenge
> Identifier: 0
> Authentic: <203><155><174>o<169>^<167>`<173>r<27>T<211>m<197><217>
> Attributes:
> EAP-Message =
> <1><3><0>x<18><11><0><0><1><9><0><0><170><170><170><170><170><170><170
> ><170><170><170><170><170><170><170><170><170><187><187><187><187><187
> ><187><187><187><187><187><187><187><187><187><187><187><129><5><0><0>
> <19><9>Z<2>/
> <225><174>t<154>86<19>g<217>'<18><130><9><0><0><148><173>
> +<186><11><20><213><134>s<223>w"'<244>-
> <142>D<227><184>g<170>R<148><238><9>n<151><229>}
> h<141><129><11><5><0><0>v<30>Rt"\P<188><251><241>j<152>e<183>Kj
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Friday, September 08, 2006 1:52 AM
> To: David Pomeroy
> Cc: Radiator Tech Support
> Subject: Re: (RADIATOR) Radiator with Linksys WRT54G and EAP-MD5
>
>
>
> Hello David -
>
> This appears to be a client problem, as the second access request has
> the same Identifier 0 as the first request, and this is confusing
> Radiator.
>
> You can try setting DupInterval 0 in your Client clause - please let
> us know if this helps.
>
>
> <Client ....>
> .....
> DupInterval 0
> </Client>
>
>
> You should probably check to see if there are any relevant updates
> for the Odyssey client and/or XP.
>
> regards
>
> Hugh
>
>
>
>
>>>> Dear List,
>>>>
>>>> I am having a problem with setting up Radiator with the Linksys
>>>> WRT54G to authenticate using EAP-MD5.
>>>>
>>>> I am not sure I have properly configured the WRT54G and/or Radiator
>>>> to talk with each other. I am using Radiator installed on a
>>>> Windows 2003 Server box and Odyssey Access Client (OAC) on a Laptop
>>>> with XP. The Access-Request packets are making their way through
>>>> the WRT54G to the server, but it appears that the Access-Challenge
>>>> packets are not making it back to OAC. The reason I believe this
>>>> is because OAC responds to the Access-Challenge packet with another
>>>> Access-Request packet.
>>>>
>>>> I have set up the WRT54G to do RADIUS 802.1X authentication using
>>>> static WEP keys. Maybe this is the problem? Has anyone got the
>>>> WRT54G to work using this configuration? Is there some other step
>>>> I am missing?
>>>>
>>>> Below is the log file to illustrate the problem described above.
>>>>
>>>> Thanks in advance, DaveP.
>>>>
>>>> Thu Sep 7 13:17:53 2006: DEBUG: Finished reading configuration
>>>> file 'C:\Program Files\Radiator\radius.cfg'
>>>> Thu Sep 7 13:17:53 2006: DEBUG: Reading dictionary file 'c:/
>>>> Program Files/Radiator/dictionary'
>>>> Thu Sep 7 13:17:53 2006: DEBUG: Creating authentication port
>>>> 0.0.0.0:1812
>>>> Thu Sep 7 13:17:53 2006: DEBUG: Creating accounting port
>>>> 0.0.0.0:1813
>>>> Thu Sep 7 13:17:53 2006: NOTICE: Server started: Radiator 3.15 on
>>>> radius
>>>> Thu Sep 7 13:20:01 2006: DEBUG: Packet dump:
>>>> *** Received from 192.168.1.1 port 4210 ....
>>>> Code: Access-Request
>>>> Identifier: 0
>>>> Authentic: <143>0]`<169>&<252><25><211><177>X<197><191>\<190>p
>>>> Attributes:
>>>> User-Name = "mikem"
>>>> NAS-IP-Address = 192.168.1.1
>>>> Called-Station-Id = "0018397d4bd8"
>>>> Calling-Station-Id = "0020e08fc5c8"
>>>> NAS-Identifier = "0018397d4bd8"
>>>> NAS-Port = 2
>>>> Framed-MTU = 1400
>>>> NAS-Port-Type = Wireless-IEEE-802-11
>>>> EAP-Message = <2><0><0><10><1>mikem
>>>> Message-Authenticator = o<159><228><231><176>y
>>>> +*<2><251><222><178><194>y^<164>
>>>>
>>>> Thu Sep 7 13:20:01 2006: DEBUG: Handling request with Handler
>>>> 'Realm=DEFAULT'
>>>> Thu Sep 7 13:20:01 2006: DEBUG: Deleting session for mikem,
>>>> 192.168.1.1, 2
>>>> Thu Sep 7 13:20:01 2006: DEBUG: Handling with Radius::AuthFILE:
>>>> Thu Sep 7 13:20:01 2006: DEBUG: Handling with EAP: code 2, 0, 10
>>>> Thu Sep 7 13:20:01 2006: DEBUG: Response type 1
>>>> Thu Sep 7 13:20:01 2006: DEBUG: EAP result: 3, EAP MD5-Challenge
>>>> Thu Sep 7 13:20:01 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP
>>>> MD5-Challenge
>>>> Thu Sep 7 13:20:01 2006: DEBUG: Access challenged for mikem: EAP
>>>> MD5-Challenge
>>>> Thu Sep 7 13:20:01 2006: DEBUG: Packet dump:
>>>> *** Sending to 192.168.1.1 port 4210 ....
>>>> Code: Access-Challenge
>>>> Identifier: 0
>>>> Authentic: <143>0]`<169>&<252><25><211><177>X<197><191>\<190>p
>>>> Attributes:
>>>> EAP-Message =
>>>> <1><1><0><28><4><16>U<254><243><219><135><166>z#<5>m<153><175><216>
>>>> <
>>>> 24
>>>> 2><220>!radius
>>>> Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>
>>>> Thu Sep 7 13:20:01 2006: DEBUG: Packet dump:
>>>> *** Received from 192.168.1.1 port 4212 ....
>>>> Code: Access-Request
>>>> Identifier: 0
>>>> Authentic: Y1<168><149><5<200><0>-<27><215><140>\G<128><155>
>>>> Attributes:
>>>> User-Name = "mikem"
>>>> NAS-IP-Address = 192.168.1.1
>>>> Called-Station-Id = "0018397d4bd8"
>>>> Calling-Station-Id = "0020e08fc5c8"
>>>> NAS-Identifier = "0018397d4bd8"
>>>> NAS-Port = 2
>>>> Framed-MTU = 1400
>>>> NAS-Port-Type = Wireless-IEEE-802-11
>>>> EAP-Message =
>>>> <2><1><0><22><4><16>o<30><3><242><203><180>K<136>c<20><237>5<133><1
>>>> 9
>>>> 5>
>>>> <234>s
>>>> Message-Authenticator = <213>
>>>> $u<164><246><252><183><238>^<228><161><182>%<16>,<189>
>>>>
>>>> Thu Sep 7 13:20:01 2006: INFO: Duplicate request id 0 received
>>>> from 192.168.1.1(4212): ignored
>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list