(RADIATOR) Radiator - Linksys WRT54G - Odyssey using EAP-SIM
Mike McCauley
mikem at open.com.au
Wed Sep 13 17:40:32 CDT 2006
Hello again David,
I have just retested here with Radiator 3.15 and Radius-EAP-SIM 1.16 against
Odyssey 4.51.0.2623 EAP-SIM, although not with a Linksys WRT54G as the AP.
Works fine here. So I will need to see detailed logs of what happens with
your tests.
Cheers.
On Thursday 14 September 2006 03:40, David Pomeroy wrote:
> Thanks again Hugh.
>
> By enabling debugging on the Odyssey Client I was able to narrow down on
> the problem some more. It seems as though the client is stopping the
> EAP-SIM dialogue with Radiator because the calculated MAC and received
> AT_MAC (from the EAP-Request/SIM/Challenge packet) do not match. I was
> able to calculate the expected MAC using another tool, and verified that
> the MAC that Odyssey is expecting is correct. Is there a way to see how
> Radiator is calculating the MAC and K_aut?
>
> Thanks, Dave
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Friday, September 08, 2006 7:50 PM
> To: David Pomeroy
> Cc: Radiator (E-mail)
> Subject: Re: (RADIATOR) Radiator with Linksys WRT54G and EAP-MD5
>
>
>
> Hello David -
>
> As you say - Radiator responds to the EAP SIM/Start with a Challenge,
> the client responds and Radiator sends another Challenge.
>
> I think there must be something wrong on the client end (besides
> always using Identifier 0).
>
> There is a FAQ item here describing how to configure debugging for
> the Odyssey client:
>
> http://www.open.com.au/radiator/faq.html#170
>
> hope that helps
>
> regards
>
> Hugh
>
> On 9 Sep 2006, at 03:42, David Pomeroy wrote:
> > Setting "DupInterval 0" in the Client clause fixed my problem.
> > (Thanks Hugh!)
> >
> > Now, both Radiator and OAC claim the EAP-MD5 dialogue is
> > successful, but the Linksys WRT54G is not releasing an IP address
> > to the client machine. This may be an issue with the static WEP
> > keys. Linksys tech support claims they do not support RADIUS for
> > this device. Has anyone successfully configured a WRT54G with a
> > RADIUS server? I would like to know which EAP type was used and
> > what options were set in the router's firmware.
> >
> > Since I'm convinced this is an issue with the router, I am more
> > concerned with getting an EAP-SIM dialogue working. Using most of
> > the default settings in eap_sim.cfg, the OAC machine is saying
> > authentication failed. The EAP message exchange is taking place
> > but OAC is not responding to the last Access-Challenge message in
> > this log file. The exchange in the log file continues to loop ( 4
> > messages ). Any idea on why this is happening?
> >
> > Thanks, DaveP.
> >
> > I get the following log file. ( I XXXed out the IP addresses )
> >
> > Fri Sep 8 10:53:24 2006: DEBUG: Finished reading configuration
> > file '..\Radius-EAP-SIM\goodies\eap_sim.cfg'
> > Fri Sep 8 10:53:24 2006: DEBUG: Reading dictionary file './
> > dictionary'
> > Fri Sep 8 10:53:25 2006: DEBUG: Creating authentication port
> > 0.0.0.0:1812
> > Fri Sep 8 10:53:25 2006: DEBUG: Creating accounting port 0.0.0.0:1813
> > Fri Sep 8 10:53:25 2006: NOTICE: Server started: Radiator 3.15 on
> > radius
> > Fri Sep 8 10:54:32 2006: DEBUG: Packet dump:
> > *** Received from XXX.XXX.XXX.5 port 1041 ....
> > Code: Access-Request
> > Identifier: 0
> > Authentic:
> > 1<172><205><200>k<214><205><211><196><134><218><238><228><138>m<18>
> > Attributes:
> > NAS-IP-Address = XXX.XXX.XXX.5
> > Called-Station-Id = "0018397d4bd8"
> > Calling-Station-Id = "0020e08fc5c8"
> > NAS-Identifier = "0018397d4bd8"
> > NAS-Port = 2
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-IEEE-802-11
> > EAP-Message = <2><1><0><5><1>
> > Message-Authenticator = <206><208>G<194>)<242>&&<167><_|<171><13><145><223>
> >
> > Fri Sep 8 10:54:32 2006: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Fri Sep 8 10:54:32 2006: DEBUG: Deleting session for ,
> > XXX.XXX.XXX.5, 2
> > Fri Sep 8 10:54:32 2006: DEBUG: Handling with Radius::AuthSIM:
> > Fri Sep 8 10:54:32 2006: DEBUG: Handling with EAP: code 2, 1, 5
> > Fri Sep 8 10:54:32 2006: DEBUG: Response type 1
> > Fri Sep 8 10:54:32 2006: DEBUG: EAP result: 3, EAP SIM/Start
> > Fri Sep 8 10:54:32 2006: DEBUG: AuthBy SIM result: CHALLNGE, EAP
> > SIM/Start
> > Fri Sep 8 10:54:32 2006: DEBUG: Access challenged for : EAP SIM/Start
> > Fri Sep 8 10:54:32 2006: DEBUG: Packet dump:
> > *** Sending to XXX.XXX.XXX.5 port 1041 ....
> > Code: Access-Challenge
> > Identifier: 0
> > Authentic:
> > 1<172><205><200>k<214><205><211><196><134><218><238><228><138>m<18>
> > Attributes:
> > EAP-Message =
> > <1><2><0><20><18><10><0><0><13><1><0><0><15><2><0><4><0><0><0><1>
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Fri Sep 8 10:54:33 2006: DEBUG: Packet dump:
> > *** Received from XXX.XXX.XXX.5 port 1041 ....
> > Code: Access-Request
> > Identifier: 0
> > Authentic: <203><155><174>o<169>^<167>`<173>r<27>T<211>m<197><217>
> > Attributes:
> > NAS-IP-Address = XXX.XXX.XXX.5
> > Called-Station-Id = "0018397d4bd8"
> > Calling-Station-Id = "0020e08fc5c8"
> > NAS-Identifier = "0018397d4bd8"
> > NAS-Port = 2
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-IEEE-802-11
> > EAP-Message =
> > <2><2><0>4<18><10><0><0><14><5><0><16>1274040299002308<7><5><0><0><247><253>q<20><152><8>e<217>c"<207><22><30><134><217><178><16><1><0><1>
> >
> > Message-Authenticator = <226><224>9<166>}<233><173><192><142><141><250><185>W<22><237><19>
> >
> > Fri Sep 8 10:54:33 2006: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Fri Sep 8 10:54:33 2006: DEBUG: Deleting session for ,
> > XXX.XXX.XXX.5, 2
> > Fri Sep 8 10:54:33 2006: DEBUG: Handling with Radius::AuthSIM:
> > Fri Sep 8 10:54:33 2006: DEBUG: Handling with EAP: code 2, 2, 52
> > Fri Sep 8 10:54:33 2006: DEBUG: Response type 18
> > Fri Sep 8 10:54:33 2006: DEBUG: EAP result: 3, EAP SIM/Challenge
> > Fri Sep 8 10:54:33 2006: DEBUG: AuthBy SIM result: CHALLENGE, EAP
> > SIM/Challenge
> > Fri Sep 8 10:54:33 2006: DEBUG: Access challenged for : EAP SIM/
> > Challenge
> > Fri Sep 8 10:54:33 2006: DEBUG: Packet dump:
> > *** Sending to XXX.XXX.XXX.5 port 1041 ....
> > Code: Access-Challenge
> > Identifier: 0
> > Authentic: <203><155><174>o<169>^<167>`<173>r<27>T<211>m<197><217>
> > Attributes:
> > EAP-Message =
> > <1><3><0>x<18><11><0><0><1><9><0><0><170><170><170><170><170><170><170><170><170><170><170><170><170><170><170><170><187><187><187><187><187><187><187><187><187><187><187><187><187><187><187><187><129><5><0><0><19><9>Z<2>/<225><174>t<154>86<19>g<217>'<18><130><9><0><0><148><173>+<186><11><20><213><134>s<223>w"'<244>-<142>D<227><184>g<170>R<148><238><9>n<151><229>}h<141><129><11><5><0><0>v<30>Rt"\P<188><251><241>j<152>e<183>Kj
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> >
> >
> > -----Original Message-----
> > From: Hugh Irvine [mailto:hugh at open.com.au]
> > Sent: Friday, September 08, 2006 1:52 AM
> > To: David Pomeroy
> > Cc: Radiator Tech Support
> > Subject: Re: (RADIATOR) Radiator with Linksys WRT54G and EAP-MD5
> >
> >
> >
> > Hello David -
> >
> > This appears to be a client problem, as the second access request has
> > the same Identifier 0 as the first request, and this is confusing
> > Radiator.
> >
> > You can try setting DupInterval 0 in your Client clause - please let
> > us know if this helps.
> >
> >
> > <Client ....>
> > .....
> > DupInterval 0
> > </Client>
> >
> >
> > You should probably check to see if there are any relevant updates
> > for the Odyssey client and/or XP.
> >
> > regards
> >
> > Hugh
> >
> >>>> Dear List,
> >>>>
> >>>> I am having a problem with setting up Radiator with the Linksys
> >>>> WRT54G to authenticate using EAP-MD5.
> >>>>
> >>>> I am not sure I have properly configured the WRT54G and/or Radiator
> >>>> to talk with each other. I am using Radiator installed on a
> >>>> Windows 2003 Server box and Odyssey Access Client (OAC) on a Laptop
> >>>> with XP. The Access-Request packets are making their way through
> >>>> the WRT54G to the server, but it appears that the Access-Challenge
> >>>> packets are not making it back to OAC. The reason I believe this
> >>>> is because OAC responds to the Access-Challenge packet with another
> >>>> Access-Request packet.
> >>>>
> >>>> I have set up the WRT54G to do RADIUS 802.1X authentication using
> >>>> static WEP keys. Maybe this is the problem? Has anyone got the
> >>>> WRT54G to work using this configuration? Is there some other step
> >>>> I am missing?
> >>>>
> >>>> Below is the log file to illustrate the problem described above.
> >>>>
> >>>> Thanks in advance, DaveP.
> >>>>
> >>>> Thu Sep 7 13:17:53 2006: DEBUG: Finished reading configuration
> >>>> file 'C:\Program Files\Radiator\radius.cfg'
> >>>> Thu Sep 7 13:17:53 2006: DEBUG: Reading dictionary file 'c:/
> >>>> Program Files/Radiator/dictionary'
> >>>> Thu Sep 7 13:17:53 2006: DEBUG: Creating authentication port
> >>>> 0.0.0.0:1812
> >>>> Thu Sep 7 13:17:53 2006: DEBUG: Creating accounting port
> >>>> 0.0.0.0:1813
> >>>> Thu Sep 7 13:17:53 2006: NOTICE: Server started: Radiator 3.15 on
> >>>> radius
> >>>> Thu Sep 7 13:20:01 2006: DEBUG: Packet dump:
> >>>> *** Received from 192.168.1.1 port 4210 ....
> >>>> Code: Access-Request
> >>>> Identifier: 0
> >>>> Authentic: <143>0]`<169>&<252><25><211><177>X<197><191>\<190>p
> >>>> Attributes:
> >>>> User-Name = "mikem"
> >>>> NAS-IP-Address = 192.168.1.1
> >>>> Called-Station-Id = "0018397d4bd8"
> >>>> Calling-Station-Id = "0020e08fc5c8"
> >>>> NAS-Identifier = "0018397d4bd8"
> >>>> NAS-Port = 2
> >>>> Framed-MTU = 1400
> >>>> NAS-Port-Type = Wireless-IEEE-802-11
> >>>> EAP-Message = <2><0><0><10><1>mikem
> >>>> Message-Authenticator = o<159><228><231><176>y+*<2><251><222><178><194>y^<164>
> >>>>
> >>>> Thu Sep 7 13:20:01 2006: DEBUG: Handling request with Handler
> >>>> 'Realm=DEFAULT'
> >>>> Thu Sep 7 13:20:01 2006: DEBUG: Deleting session for mikem,
> >>>> 192.168.1.1, 2
> >>>> Thu Sep 7 13:20:01 2006: DEBUG: Handling with Radius::AuthFILE:
> >>>> Thu Sep 7 13:20:01 2006: DEBUG: Handling with EAP: code 2, 0, 10
> >>>> Thu Sep 7 13:20:01 2006: DEBUG: Response type 1
> >>>> Thu Sep 7 13:20:01 2006: DEBUG: EAP result: 3, EAP MD5-Challenge
> >>>> Thu Sep 7 13:20:01 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> >>>> MD5-Challenge
> >>>> Thu Sep 7 13:20:01 2006: DEBUG: Access challenged for mikem: EAP
> >>>> MD5-Challenge
> >>>> Thu Sep 7 13:20:01 2006: DEBUG: Packet dump:
> >>>> *** Sending to 192.168.1.1 port 4210 ....
> >>>> Code: Access-Challenge
> >>>> Identifier: 0
> >>>> Authentic: <143>0]`<169>&<252><25><211><177>X<197><191>\<190>p
> >>>> Attributes:
> >>>> EAP-Message =
> >>>> <1><1><0><28><4><16>U<254><243><219><135><166>z#<5>m<153><175><216><242><220>!radius
> >>>> Message-Authenticator =
> >>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>>>
> >>>> Thu Sep 7 13:20:01 2006: DEBUG: Packet dump:
> >>>> *** Received from 192.168.1.1 port 4212 ....
> >>>> Code: Access-Request
> >>>> Identifier: 0
> >>>> Authentic: Y1<168><149><5<200><0>-<27><215><140>\G<128><155>
> >>>> Attributes:
> >>>> User-Name = "mikem"
> >>>> NAS-IP-Address = 192.168.1.1
> >>>> Called-Station-Id = "0018397d4bd8"
> >>>> Calling-Station-Id = "0020e08fc5c8"
> >>>> NAS-Identifier = "0018397d4bd8"
> >>>> NAS-Port = 2
> >>>> Framed-MTU = 1400
> >>>> NAS-Port-Type = Wireless-IEEE-802-11
> >>>> EAP-Message =
> >>>> <2><1><0><22><4><16>o<30><3><242><203><180>K<136>c<20><237>5<133><195><234>s
> >>>> Message-Authenticator = <213>$u<164><246><252><183><238>^<228><161><182>%<16>,<189>
> >>>>
> >>>> Thu Sep 7 13:20:01 2006: INFO: Duplicate request id 0 received
> >>>> from 192.168.1.1(4212): ignored
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
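
For comparing the AT_MAC in a logged EAP-Request/SIM/Challenge against an independently derived K_aut, as asked in this thread, here is an added example (not part of the original messages and not Radiator's code). It decodes the packet-dump notation and applies the RFC 4186 AT_MAC rule to the two EAP-Message values from the quoted log; the function names and the all-zero `K_AUT` placeholder are assumptions.

```python
import hashlib, hmac, re

def decode_dump(text):
    """Radiator debug notation to bytes: <170> is byte 170, any other character is literal."""
    return bytes(int(n) if n else ord(c) for n, c in re.findall(r"<(\d{1,3})>|(.)", text))

def parse_eap_sim(pkt):
    """Return {attribute type: (offset, raw attribute bytes)} for one EAP-SIM packet."""
    if len(pkt) < 8 or int.from_bytes(pkt[2:4], "big") != len(pkt) or pkt[4] != 18:
        raise ValueError("not a complete EAP-SIM packet")
    attrs, off = {}, 8                  # code, id, length(2), type, subtype, reserved(2)
    while off < len(pkt):
        alen = pkt[off + 1] * 4 if off + 1 < len(pkt) else 0   # length is in 4-byte words
        if alen == 0 or off + alen > len(pkt):
            raise ValueError("bad attribute length at offset %d" % off)
        attrs[pkt[off]] = (off, pkt[off:off + alen])
        off += alen
    return attrs

def at_mac(pkt, k_aut, extra):
    """Return (received, expected) AT_MAC per RFC 4186: HMAC-SHA1 truncated to 16 bytes,
    over the packet with the MAC value zeroed, followed by message-specific data
    (NONCE_MT for EAP-Request/SIM/Challenge)."""
    off, _ = parse_eap_sim(pkt)[11]     # 11 = AT_MAC: type, length, 2 reserved, 16-byte MAC
    zeroed = pkt[:off + 4] + bytes(16) + pkt[off + 20:]
    expected = hmac.new(k_aut, zeroed + extra, hashlib.sha1).digest()[:16]
    return pkt[off + 4:off + 20], expected

# EAP-Message values copied from the log in this thread, mail line wraps joined.
RESPONSE_START = decode_dump(
    r"""<2><2><0>4<18><10><0><0><14><5><0><16>1274040299002308<7><5><0><0><247>"""
    r"""<253>q<20><152><8>e<217>c"<207><22><30><134><217><178><16><1><0><1>""")
CHALLENGE = decode_dump(
    "<1><3><0>x<18><11><0><0><1><9><0><0>" + "<170>" * 16 + "<187>" * 16 +
    r"""<129><5><0><0><19><9>Z<2>/<225><174>t<154>86<19>g<217>'<18><130><9><0><0>"""
    r"""<148><173>+<186><11><20><213><134>s<223>w"'<244>-<142>D<227><184>g<170>R"""
    r"""<148><238><9>n<151><229>}h<141><129><11><5><0><0>v<30>Rt"\P<188><251><241>"""
    r"""j<152>e<183>Kj""")
NONCE_MT = parse_eap_sim(RESPONSE_START)[7][1][4:20]    # 7 = AT_NONCE_MT
K_AUT = bytes(16)   # constructed placeholder, not the real key: substitute your derived K_aut

if __name__ == "__main__":
    received, expected = at_mac(CHALLENGE, K_AUT, NONCE_MT)
    print("AT_MAC in packet:", received.hex())
    print("AT_MAC for K_aut:", expected.hex())
    print("match" if hmac.compare_digest(received, expected) else "MISMATCH")
```

With the placeholder key the result is a mismatch; a match with the real K_aut means the server's MAC is consistent with the NONCE_MT and packet bytes that were logged.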