(RADIATOR) Radiator - Linksys WRT54G - Odyssey using EAP-SIM

David Pomeroy dpomeroy at mobile-mind.com
Wed Sep 13 12:40:38 CDT 2006


Thanks again Hugh.

By enabling debugging on the Odyssey Client I was able to narrow down on the problem some more.  It seems as though the client is stopping the EAP-SIM dialogue with Radiator because the calculated MAC and received AT_MAC (from the EAP-Request/SIM/Challenge packet) do not match.  I was able to calculate the expected MAC using another tool, and verified that the MAC that Odyssey is expecting is correct.  Is there a way to see how Radiator is calculating the MAC and K_aut?

Thanks, Dave

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Friday, September 08, 2006 7:50 PM
To: David Pomeroy
Cc: Radiator (E-mail)
Subject: Re: (RADIATOR) Radiator with Linksys WRT54G and EAP-MD5



Hello David -

As you say - Radiator responds to the EAP SIM/Start with a Challenge,  
the client responds and Radiator sends another Challenge.

I think there must be something wrong on the client end (besides  
always using Identifier 0).

There is a FAQ item here describing how to configure debugging for  
the Odyssey client:

	http://www.open.com.au/radiator/faq.html#170

hope that helps

regards

Hugh


On 9 Sep 2006, at 03:42, David Pomeroy wrote:

>
> Setting "DupInterval 0" in the Client clause fixed my problem.  
> (Thanks Hugh!)
>
> Now, both Radiator and OAC claim the EAP-MD5 dialogue is  
> successful, but the Linksys WRT54G is not releasing an IP address  
> to the client machine.  This may be an issue with the static WEP  
> keys.  Linksys tech support claims they do not support RADIUS for  
> this device.  Has anyone successfully configured a WRT54G with a  
> RADIUS server?  I would like to know which EAP type was used and  
> what options were set in the router's firmware.
>
> Since I'm convinced this is an issue with the router, I am more  
> concerned with getting an EAP-SIM dialogue working.  Using most of  
> the default settings in eap_sim.cfg, the OAC machine is saying  
> authentication failed.  The EAP message exchange is taking place  
> but OAC is not responding to the last Access-Challenge message in  
> this log file.  The exchange in the log file continues to loop ( 4  
> messages ).  Any idea on why this is happening?
>
> Thanks, DaveP.
>
> I get the following log file. ( I XXXed out the IP addresses )
>
> Fri Sep  8 10:53:24 2006: DEBUG: Finished reading configuration  
> file '..\Radius-EAP-SIM\goodies\eap_sim.cfg'
> Fri Sep  8 10:53:24 2006: DEBUG: Reading dictionary file './ 
> dictionary'
> Fri Sep  8 10:53:25 2006: DEBUG: Creating authentication port  
> 0.0.0.0:1812
> Fri Sep  8 10:53:25 2006: DEBUG: Creating accounting port 0.0.0.0:1813
> Fri Sep  8 10:53:25 2006: NOTICE: Server started: Radiator 3.15 on  
> radius
> Fri Sep  8 10:54:32 2006: DEBUG: Packet dump:
> *** Received from XXX.XXX.XXX.5 port 1041 ....
> Code:       Access-Request
> Identifier: 0
> Authentic:   
> 1<172><205><200>k<214><205><211><196><134><218><238><228><138>m<18>
> Attributes:
> 	NAS-IP-Address = XXX.XXX.XXX.5
> 	Called-Station-Id = "0018397d4bd8"
> 	Calling-Station-Id = "0020e08fc5c8"
> 	NAS-Identifier = "0018397d4bd8"
> 	NAS-Port = 2
> 	Framed-MTU = 1400
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	EAP-Message = <2><1><0><5><1>
> 	Message-Authenticator = <206><208>G<194>)<242>&&<167><_| 
> <171><13><145><223>
>
> Fri Sep  8 10:54:32 2006: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Fri Sep  8 10:54:32 2006: DEBUG:  Deleting session for ,  
> XXX.XXX.XXX.5, 2
> Fri Sep  8 10:54:32 2006: DEBUG: Handling with Radius::AuthSIM:
> Fri Sep  8 10:54:32 2006: DEBUG: Handling with EAP: code 2, 1, 5
> Fri Sep  8 10:54:32 2006: DEBUG: Response type 1
> Fri Sep  8 10:54:32 2006: DEBUG: EAP result: 3, EAP SIM/Start
> Fri Sep  8 10:54:32 2006: DEBUG: AuthBy SIM result: CHALLNGE, EAP  
> SIM/Start
> Fri Sep  8 10:54:32 2006: DEBUG: Access challenged for : EAP SIM/Start
> Fri Sep  8 10:54:32 2006: DEBUG: Packet dump:
> *** Sending to XXX.XXX.XXX.5 port 1041 ....
> Code:       Access-Challenge
> Identifier: 0
> Authentic:   
> 1<172><205><200>k<214><205><211><196><134><218><238><228><138>m<18>
> Attributes:
> 	EAP-Message =  
> <1><2><0><20><18><10><0><0><13><1><0><0><15><2><0><4><0><0><0><1>
> 	Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Sep  8 10:54:33 2006: DEBUG: Packet dump:
> *** Received from XXX.XXX.XXX.5 port 1041 ....
> Code:       Access-Request
> Identifier: 0
> Authentic:  <203><155><174>o<169>^<167>`<173>r<27>T<211>m<197><217>
> Attributes:
> 	NAS-IP-Address = XXX.XXX.XXX.5
> 	Called-Station-Id = "0018397d4bd8"
> 	Calling-Station-Id = "0020e08fc5c8"
> 	NAS-Identifier = "0018397d4bd8"
> 	NAS-Port = 2
> 	Framed-MTU = 1400
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	EAP-Message =  
> <2><2><0>4<18><10><0><0><14><5><0><16>1274040299002308<7><5><0><0><247 
> ><253>q<20><152><8>e<217>c"<207><22><30><134><217><178><16><1><0><1>
> 	Message-Authenticator = <226><224>9<166>} 
> <233><173><192><142><141><250><185>W<22><237><19>
>
> Fri Sep  8 10:54:33 2006: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Fri Sep  8 10:54:33 2006: DEBUG:  Deleting session for ,  
> XXX.XXX.XXX.5, 2
> Fri Sep  8 10:54:33 2006: DEBUG: Handling with Radius::AuthSIM:
> Fri Sep  8 10:54:33 2006: DEBUG: Handling with EAP: code 2, 2, 52
> Fri Sep  8 10:54:33 2006: DEBUG: Response type 18
> Fri Sep  8 10:54:33 2006: DEBUG: EAP result: 3, EAP SIM/Challenge
> Fri Sep  8 10:54:33 2006: DEBUG: AuthBy SIM result: CHALLENGE, EAP  
> SIM/Challenge
> Fri Sep  8 10:54:33 2006: DEBUG: Access challenged for : EAP SIM/ 
> Challenge
> Fri Sep  8 10:54:33 2006: DEBUG: Packet dump:
> *** Sending to XXX.XXX.XXX.5 port 1041 ....
> Code:       Access-Challenge
> Identifier: 0
> Authentic:  <203><155><174>o<169>^<167>`<173>r<27>T<211>m<197><217>
> Attributes:
> 	EAP-Message =  
> <1><3><0>x<18><11><0><0><1><9><0><0><170><170><170><170><170><170><170 
> ><170><170><170><170><170><170><170><170><170><187><187><187><187><187 
> ><187><187><187><187><187><187><187><187><187><187><187><129><5><0><0> 
> <19><9>Z<2>/ 
> <225><174>t<154>86<19>g<217>'<18><130><9><0><0><148><173> 
> +<186><11><20><213><134>s<223>w"'<244>- 
> <142>D<227><184>g<170>R<148><238><9>n<151><229>} 
> h<141><129><11><5><0><0>v<30>Rt"\P<188><251><241>j<152>e<183>Kj
> 	Message-Authenticator =  
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Friday, September 08, 2006 1:52 AM
> To: David Pomeroy
> Cc: Radiator Tech Support
> Subject: Re: (RADIATOR) Radiator with Linksys WRT54G and EAP-MD5
>
>
>
> Hello David -
>
> This appears to be a client problem, as the second access request has
> the same Identifier 0 as the first request, and this is confusing
> Radiator.
>
> You can try setting DupInterval 0 in your Client clause - please let
> us know if this helps.
>
>
> <Client ....>
> 	.....
> 	DupInterval 0
> </Client>
>
>
> You should probably check to see if there are any relevant updates
> for the Odyssey client and/or XP.
>
> regards
>
> Hugh
>
>
>
>
>>>> Dear List,
>>>>
>>>> I am having a problem with setting up Radiator with the Linksys
>>>> WRT54G to authenticate using EAP-MD5.
>>>>
>>>> I am not sure I have properly configured the WRT54G and/or Radiator
>>>> to talk with each other.  I am using Radiator installed on a
>>>> Windows 2003 Server box and Odyssey Access Client (OAC) on a Laptop
>>>> with XP.  The Access-Request packets are making their way through
>>>> the WRT54G to the server, but it appears that the Access-Challenge
>>>> packets are not making it back to OAC.  The reason I believe this
>>>> is because OAC responds to the Access-Challenge packet with another
>>>> Access-Request packet.
>>>>
>>>> I have set up the WRT54G to do RADIUS 802.1X authentication using
>>>> static WEP keys.  Maybe this is the problem?  Has anyone got the
>>>> WRT54G to work using this configuration?  Is there some other step
>>>> I am missing?
>>>>
>>>> Below is the log file to illustrate the problem described above.
>>>>
>>>> Thanks in advance, DaveP.
>>>>
>>>> Thu Sep  7 13:17:53 2006: DEBUG: Finished reading configuration
>>>> file 'C:\Program Files\Radiator\radius.cfg'
>>>> Thu Sep  7 13:17:53 2006: DEBUG: Reading dictionary file 'c:/
>>>> Program Files/Radiator/dictionary'
>>>> Thu Sep  7 13:17:53 2006: DEBUG: Creating authentication port
>>>> 0.0.0.0:1812
>>>> Thu Sep  7 13:17:53 2006: DEBUG: Creating accounting port
>>>> 0.0.0.0:1813
>>>> Thu Sep  7 13:17:53 2006: NOTICE: Server started: Radiator 3.15 on
>>>> radius
>>>> Thu Sep  7 13:20:01 2006: DEBUG: Packet dump:
>>>> *** Received from 192.168.1.1 port 4210 ....
>>>> Code:       Access-Request
>>>> Identifier: 0
>>>> Authentic:  <143>0]`<169>&<252><25><211><177>X<197><191>\<190>p
>>>> Attributes:
>>>> 	User-Name = "mikem"
>>>> 	NAS-IP-Address = 192.168.1.1
>>>> 	Called-Station-Id = "0018397d4bd8"
>>>> 	Calling-Station-Id = "0020e08fc5c8"
>>>> 	NAS-Identifier = "0018397d4bd8"
>>>> 	NAS-Port = 2
>>>> 	Framed-MTU = 1400
>>>> 	NAS-Port-Type = Wireless-IEEE-802-11
>>>> 	EAP-Message = <2><0><0><10><1>mikem
>>>> 	Message-Authenticator = o<159><228><231><176>y
>>>> +*<2><251><222><178><194>y^<164>
>>>>
>>>> Thu Sep  7 13:20:01 2006: DEBUG: Handling request with Handler
>>>> 'Realm=DEFAULT'
>>>> Thu Sep  7 13:20:01 2006: DEBUG:  Deleting session for mikem,
>>>> 192.168.1.1, 2
>>>> Thu Sep  7 13:20:01 2006: DEBUG: Handling with Radius::AuthFILE:
>>>> Thu Sep  7 13:20:01 2006: DEBUG: Handling with EAP: code 2, 0, 10
>>>> Thu Sep  7 13:20:01 2006: DEBUG: Response type 1
>>>> Thu Sep  7 13:20:01 2006: DEBUG: EAP result: 3, EAP MD5-Challenge
>>>> Thu Sep  7 13:20:01 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP
>>>> MD5-Challenge
>>>> Thu Sep  7 13:20:01 2006: DEBUG: Access challenged for mikem: EAP
>>>> MD5-Challenge
>>>> Thu Sep  7 13:20:01 2006: DEBUG: Packet dump:
>>>> *** Sending to 192.168.1.1 port 4210 ....
>>>> Code:       Access-Challenge
>>>> Identifier: 0
>>>> Authentic:  <143>0]`<169>&<252><25><211><177>X<197><191>\<190>p
>>>> Attributes:
>>>> 	EAP-Message =
>>>> <1><1><0><28><4><16>U<254><243><219><135><166>z#<5>m<153><175><216> 
>>>> <
>>>> 24
>>>> 2><220>!radius
>>>> 	Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>
>>>> Thu Sep  7 13:20:01 2006: DEBUG: Packet dump:
>>>> *** Received from 192.168.1.1 port 4212 ....
>>>> Code:       Access-Request
>>>> Identifier: 0
>>>> Authentic:  Y1<168><149><5<200><0>-<27><215><140>\G<128><155>
>>>> Attributes:
>>>> 	User-Name = "mikem"
>>>> 	NAS-IP-Address = 192.168.1.1
>>>> 	Called-Station-Id = "0018397d4bd8"
>>>> 	Calling-Station-Id = "0020e08fc5c8"
>>>> 	NAS-Identifier = "0018397d4bd8"
>>>> 	NAS-Port = 2
>>>> 	Framed-MTU = 1400
>>>> 	NAS-Port-Type = Wireless-IEEE-802-11
>>>> 	EAP-Message =
>>>> <2><1><0><22><4><16>o<30><3><242><203><180>K<136>c<20><237>5<133><1 
>>>> 9
>>>> 5>
>>>> <234>s
>>>> 	Message-Authenticator = <213>
>>>> $u<164><246><252><183><238>^<228><161><182>%<16>,<189>
>>>>
>>>> Thu Sep  7 13:20:01 2006: INFO: Duplicate request id 0 received
>>>> from 192.168.1.1(4212): ignored
>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list