(RADIATOR) Radiator - Linksys WRT54G - Odyssey using EAP-SIM

Mike McCauley mikem at open.com.au
Wed Sep 13 17:03:00 CDT 2006


Hello David,


On Thursday 14 September 2006 03:40, David Pomeroy wrote:
> Thanks again Hugh.
>
> By enabling debugging on the Odyssey Client I was able to narrow down on
> the problem some more.  It seems as though the client is stopping the
> EAP-SIM dialogue with Radiator because the calculated MAC and received
> AT_MAC (from the EAP-Request/SIM/Challenge packet) do not match.  I was
> able to calculate the expected MAC using another tool, and verified that
> the MAC that Odyssey is expecting is correct.  Is there a way to see how
> Radiator is calculating the MAC and K_aut?

That is very curious.
You can enable a lot of debugging info in the Radius EAP package by 
uncommenting the lines around line 878 in AuthSIM.pm

However, it is puzzling that this is not working for you as we have not had 
previous reports of a similar problem. Perhaps you should send me the details 
of the results you get from the above and the Odyssey logs too.

I will then be able to do some similar tests here.

Cheers.

>
> Thanks, Dave
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Friday, September 08, 2006 7:50 PM
> To: David Pomeroy
> Cc: Radiator (E-mail)
> Subject: Re: (RADIATOR) Radiator with Linksys WRT54G and EAP-MD5
>
>
>
> Hello David -
>
> As you say - Radiator responds to the EAP SIM/Start with a Challenge,
> the client responds and Radiator sends another Challenge.
>
> I think there must be something wrong on the client end (besides
> always using Identifier 0).
>
> There is a FAQ item here describing how to configure debugging for
> the Odyssey client:
>
> 	http://www.open.com.au/radiator/faq.html#170
>
> hope that helps
>
> regards
>
> Hugh
>
> On 9 Sep 2006, at 03:42, David Pomeroy wrote:
> > Setting "DupInterval 0" in the Client clause fixed my problem.
> > (Thanks Hugh!)
> >
> > Now, both Radiator and OAC claim the EAP-MD5 dialogue is
> > successful, but the Linksys WRT54G is not releasing an IP address
> > to the client machine.  This may be an issue with the static WEP
> > keys.  Linksys tech support claims they do not support RADIUS for
> > this device.  Has anyone successfully configured a WRT54G with a
> > RADIUS server?  I would like to know which EAP type was used and
> > what options were set in the router's firmware.
> >
> > Since I'm convinced this is an issue with the router, I am more
> > concerned with getting an EAP-SIM dialogue working.  Using most of
> > the default settings in eap_sim.cfg, the OAC machine is saying
> > authentication failed.  The EAP message exchange is taking place
> > but OAC is not responding to the last Access-Challenge message in
> > this log file.  The exchange in the log file continues to loop (4
> > messages).  Any idea on why this is happening?
> >
> > Thanks, DaveP.
> >
> > I get the following log file. ( I XXXed out the IP addresses )
> >
> > Fri Sep  8 10:53:24 2006: DEBUG: Finished reading configuration
> > file '..\Radius-EAP-SIM\goodies\eap_sim.cfg'
> > Fri Sep  8 10:53:24 2006: DEBUG: Reading dictionary file './
> > dictionary'
> > Fri Sep  8 10:53:25 2006: DEBUG: Creating authentication port
> > 0.0.0.0:1812
> > Fri Sep  8 10:53:25 2006: DEBUG: Creating accounting port 0.0.0.0:1813
> > Fri Sep  8 10:53:25 2006: NOTICE: Server started: Radiator 3.15 on
> > radius
> > Fri Sep  8 10:54:32 2006: DEBUG: Packet dump:
> > *** Received from XXX.XXX.XXX.5 port 1041 ....
> > Code:       Access-Request
> > Identifier: 0
> > Authentic:
> > 1<172><205><200>k<214><205><211><196><134><218><238><228><138>m<18>
> > Attributes:
> > 	NAS-IP-Address = XXX.XXX.XXX.5
> > 	Called-Station-Id = "0018397d4bd8"
> > 	Calling-Station-Id = "0020e08fc5c8"
> > 	NAS-Identifier = "0018397d4bd8"
> > 	NAS-Port = 2
> > 	Framed-MTU = 1400
> > 	NAS-Port-Type = Wireless-IEEE-802-11
> > 	EAP-Message = <2><1><0><5><1>
> > 	Message-Authenticator = <206><208>G<194>)<242>&&<167><_|
> > <171><13><145><223>
> >
> > Fri Sep  8 10:54:32 2006: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Fri Sep  8 10:54:32 2006: DEBUG:  Deleting session for ,
> > XXX.XXX.XXX.5, 2
> > Fri Sep  8 10:54:32 2006: DEBUG: Handling with Radius::AuthSIM:
> > Fri Sep  8 10:54:32 2006: DEBUG: Handling with EAP: code 2, 1, 5
> > Fri Sep  8 10:54:32 2006: DEBUG: Response type 1
> > Fri Sep  8 10:54:32 2006: DEBUG: EAP result: 3, EAP SIM/Start
> > Fri Sep  8 10:54:32 2006: DEBUG: AuthBy SIM result: CHALLNGE, EAP
> > SIM/Start
> > Fri Sep  8 10:54:32 2006: DEBUG: Access challenged for : EAP SIM/Start
> > Fri Sep  8 10:54:32 2006: DEBUG: Packet dump:
> > *** Sending to XXX.XXX.XXX.5 port 1041 ....
> > Code:       Access-Challenge
> > Identifier: 0
> > Authentic:
> > 1<172><205><200>k<214><205><211><196><134><218><238><228><138>m<18>
> > Attributes:
> > 	EAP-Message =
> > <1><2><0><20><18><10><0><0><13><1><0><0><15><2><0><4><0><0><0><1>
> > 	Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Fri Sep  8 10:54:33 2006: DEBUG: Packet dump:
> > *** Received from XXX.XXX.XXX.5 port 1041 ....
> > Code:       Access-Request
> > Identifier: 0
> > Authentic:  <203><155><174>o<169>^<167>`<173>r<27>T<211>m<197><217>
> > Attributes:
> > 	NAS-IP-Address = XXX.XXX.XXX.5
> > 	Called-Station-Id = "0018397d4bd8"
> > 	Calling-Station-Id = "0020e08fc5c8"
> > 	NAS-Identifier = "0018397d4bd8"
> > 	NAS-Port = 2
> > 	Framed-MTU = 1400
> > 	NAS-Port-Type = Wireless-IEEE-802-11
> > 	EAP-Message =
> > <2><2><0>4<18><10><0><0><14><5><0><16>1274040299002308<7><5><0><0><247
> >
> > ><253>q<20><152><8>e<217>c"<207><22><30><134><217><178><16><1><0><1>
> >
> > 	Message-Authenticator = <226><224>9<166>}
> > <233><173><192><142><141><250><185>W<22><237><19>
> >
> > Fri Sep  8 10:54:33 2006: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Fri Sep  8 10:54:33 2006: DEBUG:  Deleting session for ,
> > XXX.XXX.XXX.5, 2
> > Fri Sep  8 10:54:33 2006: DEBUG: Handling with Radius::AuthSIM:
> > Fri Sep  8 10:54:33 2006: DEBUG: Handling with EAP: code 2, 2, 52
> > Fri Sep  8 10:54:33 2006: DEBUG: Response type 18
> > Fri Sep  8 10:54:33 2006: DEBUG: EAP result: 3, EAP SIM/Challenge
> > Fri Sep  8 10:54:33 2006: DEBUG: AuthBy SIM result: CHALLENGE, EAP
> > SIM/Challenge
> > Fri Sep  8 10:54:33 2006: DEBUG: Access challenged for : EAP SIM/
> > Challenge
> > Fri Sep  8 10:54:33 2006: DEBUG: Packet dump:
> > *** Sending to XXX.XXX.XXX.5 port 1041 ....
> > Code:       Access-Challenge
> > Identifier: 0
> > Authentic:  <203><155><174>o<169>^<167>`<173>r<27>T<211>m<197><217>
> > Attributes:
> > 	EAP-Message =
> > <1><3><0>x<18><11><0><0><1><9><0><0><170><170><170><170><170><170><170
> >
> > ><170><170><170><170><170><170><170><170><170><187><187><187><187><187
> > ><187><187><187><187><187><187><187><187><187><187><187><129><5><0><0>
> >
> > <19><9>Z<2>/
> > <225><174>t<154>86<19>g<217>'<18><130><9><0><0><148><173>
> > +<186><11><20><213><134>s<223>w"'<244>-
> > <142>D<227><184>g<170>R<148><238><9>n<151><229>}
> > h<141><129><11><5><0><0>v<30>Rt"\P<188><251><241>j<152>e<183>Kj
> > 	Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> >
> >
> > -----Original Message-----
> > From: Hugh Irvine [mailto:hugh at open.com.au]
> > Sent: Friday, September 08, 2006 1:52 AM
> > To: David Pomeroy
> > Cc: Radiator Tech Support
> > Subject: Re: (RADIATOR) Radiator with Linksys WRT54G and EAP-MD5
> >
> >
> >
> > Hello David -
> >
> > This appears to be a client problem, as the second access request has
> > the same Identifier 0 as the first request, and this is confusing
> > Radiator.
> >
> > You can try setting DupInterval 0 in your Client clause - please let
> > us know if this helps.
> >
> >
> > <Client ....>
> > 	.....
> > 	DupInterval 0
> > </Client>
> >
> >
> > You should probably check to see if there are any relevant updates
> > for the Odyssey client and/or XP.
> >
> > regards
> >
> > Hugh
> >
> >>>> Dear List,
> >>>>
> >>>> I am having a problem with setting up Radiator with the Linksys
> >>>> WRT54G to authenticate using EAP-MD5.
> >>>>
> >>>> I am not sure I have properly configured the WRT54G and/or Radiator
> >>>> to talk with each other.  I am using Radiator installed on a
> >>>> Windows 2003 Server box and Odyssey Access Client (OAC) on a Laptop
> >>>> with XP.  The Access-Request packets are making their way through
> >>>> the WRT54G to the server, but it appears that the Access-Challenge
> >>>> packets are not making it back to OAC.  The reason I believe this
> >>>> is because OAC responds to the Access-Challenge packet with another
> >>>> Access-Request packet.
> >>>>
> >>>> I have set up the WRT54G to do RADIUS 802.1X authentication using
> >>>> static WEP keys.  Maybe this is the problem?  Has anyone got the
> >>>> WRT54G to work using this configuration?  Is there some other step
> >>>> I am missing?
> >>>>
> >>>> Below is the log file to illustrate the problem described above.
> >>>>
> >>>> Thanks in advance, DaveP.
> >>>>
> >>>> Thu Sep  7 13:17:53 2006: DEBUG: Finished reading configuration
> >>>> file 'C:\Program Files\Radiator\radius.cfg'
> >>>> Thu Sep  7 13:17:53 2006: DEBUG: Reading dictionary file 'c:/
> >>>> Program Files/Radiator/dictionary'
> >>>> Thu Sep  7 13:17:53 2006: DEBUG: Creating authentication port
> >>>> 0.0.0.0:1812
> >>>> Thu Sep  7 13:17:53 2006: DEBUG: Creating accounting port
> >>>> 0.0.0.0:1813
> >>>> Thu Sep  7 13:17:53 2006: NOTICE: Server started: Radiator 3.15 on
> >>>> radius
> >>>> Thu Sep  7 13:20:01 2006: DEBUG: Packet dump:
> >>>> *** Received from 192.168.1.1 port 4210 ....
> >>>> Code:       Access-Request
> >>>> Identifier: 0
> >>>> Authentic:  <143>0]`<169>&<252><25><211><177>X<197><191>\<190>p
> >>>> Attributes:
> >>>> 	User-Name = "mikem"
> >>>> 	NAS-IP-Address = 192.168.1.1
> >>>> 	Called-Station-Id = "0018397d4bd8"
> >>>> 	Calling-Station-Id = "0020e08fc5c8"
> >>>> 	NAS-Identifier = "0018397d4bd8"
> >>>> 	NAS-Port = 2
> >>>> 	Framed-MTU = 1400
> >>>> 	NAS-Port-Type = Wireless-IEEE-802-11
> >>>> 	EAP-Message = <2><0><0><10><1>mikem
> >>>> 	Message-Authenticator = o<159><228><231><176>y
> >>>> +*<2><251><222><178><194>y^<164>
> >>>>
> >>>> Thu Sep  7 13:20:01 2006: DEBUG: Handling request with Handler
> >>>> 'Realm=DEFAULT'
> >>>> Thu Sep  7 13:20:01 2006: DEBUG:  Deleting session for mikem,
> >>>> 192.168.1.1, 2
> >>>> Thu Sep  7 13:20:01 2006: DEBUG: Handling with Radius::AuthFILE:
> >>>> Thu Sep  7 13:20:01 2006: DEBUG: Handling with EAP: code 2, 0, 10
> >>>> Thu Sep  7 13:20:01 2006: DEBUG: Response type 1
> >>>> Thu Sep  7 13:20:01 2006: DEBUG: EAP result: 3, EAP MD5-Challenge
> >>>> Thu Sep  7 13:20:01 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> >>>> MD5-Challenge
> >>>> Thu Sep  7 13:20:01 2006: DEBUG: Access challenged for mikem: EAP
> >>>> MD5-Challenge
> >>>> Thu Sep  7 13:20:01 2006: DEBUG: Packet dump:
> >>>> *** Sending to 192.168.1.1 port 4210 ....
> >>>> Code:       Access-Challenge
> >>>> Identifier: 0
> >>>> Authentic:  <143>0]`<169>&<252><25><211><177>X<197><191>\<190>p
> >>>> Attributes:
> >>>> 	EAP-Message =
> >>>> <1><1><0><28><4><16>U<254><243><219><135><166>z#<5>m<153><175><216>
> >>>> <
> >>>> 24
> >>>> 2><220>!radius
> >>>> 	Message-Authenticator =
> >>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>>>
> >>>> Thu Sep  7 13:20:01 2006: DEBUG: Packet dump:
> >>>> *** Received from 192.168.1.1 port 4212 ....
> >>>> Code:       Access-Request
> >>>> Identifier: 0
> >>>> Authentic:  Y1<168><149><5<200><0>-<27><215><140>\G<128><155>
> >>>> Attributes:
> >>>> 	User-Name = "mikem"
> >>>> 	NAS-IP-Address = 192.168.1.1
> >>>> 	Called-Station-Id = "0018397d4bd8"
> >>>> 	Calling-Station-Id = "0020e08fc5c8"
> >>>> 	NAS-Identifier = "0018397d4bd8"
> >>>> 	NAS-Port = 2
> >>>> 	Framed-MTU = 1400
> >>>> 	NAS-Port-Type = Wireless-IEEE-802-11
> >>>> 	EAP-Message =
> >>>> <2><1><0><22><4><16>o<30><3><242><203><180>K<136>c<20><237>5<133><1
> >>>> 9
> >>>> 5>
> >>>> <234>s
> >>>> 	Message-Authenticator = <213>
> >>>> $u<164><246><252><183><238>^<228><161><182>%<16>,<189>
> >>>>
> >>>> Thu Sep  7 13:20:01 2006: INFO: Duplicate request id 0 received
> >>>> from 192.168.1.1(4212): ignored
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
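The K_aut and AT_MAC calculation the thread asks about, as an added example in Python (not Radiator's AuthSIM.pm code): it follows RFC 4186, deriving MK and the FIPS 186-2 key stream, then recomputing the AT_MAC of an EAP-SIM packet with the MAC field zeroed, which is the check to run on both sides when the client reports a MAC mismatch. The identity, Kc, NONCE_MT and version values are supplied by the caller; the test packet only mirrors the AT_RAND/AT_MAC layout visible in the log above.

```python
# Added example (not Radiator's code): EAP-SIM key derivation and AT_MAC check per RFC 4186.
import hashlib
import hmac
import struct

SHA1_IV = bytes.fromhex("67452301efcdab8998badcfe10325476c3d2e1f0")  # FIPS 186-2 constant t

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_compress(state, block):
    """One SHA-1 compression of a 64-byte block, returning the new 20-byte state."""
    h, w = list(struct.unpack(">5I", state)), list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rotl(b, 30), c, d
    return struct.pack(">5I", *[(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))])

def fips186_2_prf(mk):
    """FIPS 186-2 change-notice-1 PRF: G(t, XVAL) is one SHA-1 compression of XVAL zero-padded to 512 bits."""
    xkey, out = int.from_bytes(mk, "big"), b""
    for _ in range(8):  # 4 rounds x 2 blocks x 20 bytes = 160 bytes of key material
        out += (w := sha1_compress(SHA1_IV, xkey.to_bytes(20, "big") + bytes(44)))
        xkey = (1 + xkey + int.from_bytes(w, "big")) % (1 << 160)  # XKEY = (1 + XKEY + w) mod 2^160
    return out

def derive_keys(identity, kcs, nonce_mt, version_list, selected_version):
    """MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version); PRF(MK) = K_encr|K_aut|MSK|EMSK."""
    mk = hashlib.sha1(identity + b"".join(kcs) + nonce_mt + version_list + selected_version).digest()
    km = fips186_2_prf(mk)
    return {"mk": mk, "k_encr": km[:16], "k_aut": km[16:32], "msk": km[32:96], "emsk": km[96:]}

def at_mac(k_aut, eap_packet, extra):
    """HMAC-SHA1-128 over the EAP packet with AT_MAC zeroed, then NONCE_MT (request) or n*SRES (response)."""
    buf, pos = bytearray(eap_packet), 8  # attributes start after the 8-byte EAP-SIM header
    while pos + 2 <= len(buf) and buf[pos + 1]:  # attribute length is in 4-byte units; 0 = malformed
        if buf[pos] == 11 and pos + 20 <= len(buf):  # AT_MAC: 2 reserved bytes then the 16-byte MAC
            buf[pos + 4:pos + 20] = bytes(16)
        pos += buf[pos + 1] * 4
    return hmac.new(k_aut, bytes(buf) + extra, hashlib.sha1).digest()[:16]
```

Feed it the identity, the Kc values from the SIM triplets, the NONCE_MT from the client's AT_NONCE_MT and the version list/selected version from the Start round, then compare the returned K_aut and MAC with what the client's debug log shows.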
