(RADIATOR) WPA Key problems with Cisco Aironet 1130 AG

Rasmus Brown Jensen rbj at hum.ku.dk
Mon Jul 2 08:42:41 CDT 2007


Hello

I'm having a bit of trouble getting the evaluation version of Radiator to
work with TKIP WPA. All the authentication process works fine, but it
seems to have some issues delivering a WPA key to wireless clients.
I am evaluating Cisco ACS also, and it has no problems (of course :). I
have attached a snippet of the Radiator log, a debug of the Aironet 1130
AG access point where it doesn't work (Radiator), and where it works
(Cisco ACS).

Does anyone have any suggestions?

Regards
Rasmus Brown Jensen
University of Copenhagen


Snippet of Radiator log:

Mon Jul  2 15:28:12 2007: DEBUG: Handling request with Handler ''
Mon Jul  2 15:28:12 2007: DEBUG:  Deleting session for ********,
10.0.102.9, 593
Mon Jul  2 15:28:12 2007: DEBUG: Handling with Radius::AuthFILE:
AD-HUM2005
Mon Jul  2 15:28:12 2007: DEBUG: Handling with EAP: code 2, 10, 38
Mon Jul  2 15:28:12 2007: DEBUG: Response type 25
Mon Jul  2 15:28:12 2007: DEBUG: EAP result: 0, 
Mon Jul  2 15:28:12 2007: DEBUG: AuthBy FILE result: ACCEPT, 
Mon Jul  2 15:28:12 2007: DEBUG: Access accepted for ********
Mon Jul  2 15:28:12 2007: DEBUG: Packet dump:
*** Sending to 10.0.102.9 port 1645 ....
Code:       Access-Accept
Identifier: 198
Authentic:  <234>8y\<231><155>a<210><229>f<146><192>\aa<230>
Attributes:
	EAP-Message = <3><10><0><4>
	Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
	MS-MPPE-Send-Key =
<197>m<160>`<182><153><208><158>{<169>J<211><10><187>e<13><165><159><15>
<186>A<177>|P<152><184>e{a<167><212>JX<236><150>\w<171><238><160><196>`u
<153>pm<212><127>+V
	MS-MPPE-Recv-Key =
<254>;<204><209>7:<11><17><1><211><<157><20><156><212><23>1<21><144><209
><7>B<135><160><208>S<141><166>l<172>Dlp<26><253><172><237><153><25>Q%<2
40><215><127>6<134><179>Q0w


Cisco 1130AG debug (debug dot11 aaa manager keys)

Working Cisco ACS

Jul  2 13:26:14.159: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
Jul  2 13:26:14.159: dot11_dot1x_build_ptk_handshake: building PTK msg 1
for 0013.49fa.7f88
Jul  2 13:26:14.164: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
2 from 0013.49fa.7f88
Jul  2 13:26:14.164: dot11_dot1x_verify_eapol_header: Warning: Invalid
key len (exp=0x20, act=0x0)
Jul  2 13:26:14.164: Calculating MIC across (125 bytes):
01 03 00 79 FE 01 09 00 00 00 00 00 00 00 00 00 01 1F 7B AB 1C B1 B9 F5
9F B6 BC 24 02 96 1E B2 90 10 0B 46 CF 47 99 C3 15 E1 91 A7 79 90 C5 55
F9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 1A DD 18 00 50 F2 01 01 00 00 50 F2 02 01 00 00 50 F2 02 01 00 00
50 F2 01 00 00
Jul  2 13:26:14.167: MIC key used (whole ptk):
36 FD 11 6E 87 0D 7C 62 21 6C 28 B6 40 BE 0B 92 5E D4 5D 65 21 02 AA A6
5E A9 57 58 70 09 FD CD 06 20 DF AA E1 89 D7 7D D6 7F 46 89 0A 62 CE 7E
D3 C7 B7 09 0C 29 70 21 3B 98 FB 49 72 AF E7 AF
Jul  2 13:26:14.168: dot11_dot1x_verify_ptk_handshake: Handshake passed
Jul  2 13:26:14.168: dot11_dot1x_send_ssn_eapol_key: eapol->length 121
Jul  2 13:26:14.168: dot11_dot1x_build_ptk_handshake: building PTK msg 3
for 0013.49fa.7f88
Jul  2 13:26:14.168: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
4 from 0013.49fa.7f88
Jul  2 13:26:14.169: dot11_dot1x_verify_eapol_header: Warning: Invalid
key len (exp=0x20, act=0x0)
Jul  2 13:26:14.169: Calculating MIC across (99 bytes):
01 03 00 5F FE 01 09 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
Jul  2 13:26:14.171: MIC key used (whole ptk):
36 FD 11 6E 87 0D 7C 62 21 6C 28 B6 40 BE 0B 92 5E D4 5D 65 21 02 AA A6
5E A9 57 58 70 09 FD CD 06 20 DF AA E1 89 D7 7D D6 7F 46 89 0A 62 CE 7E
D3 C7 B7 09 0C 29 70 21 3B 98 FB 49 72 AF E7 AF
Jul  2 13:26:14.172: dot11_dot1x_verify_ptk_handshake: Handshake passed
Jul  2 13:26:14.172: dot11_dot1x_new_key: mcst encrypt mode 0x10 gtk len
32
Jul  2 13:26:14.172: dot11_dot1x_send_ssn_eapol_key: eapol->length 127
Jul  2 13:26:14.172: dot11_dot1x_build_gtk_handshake: building GTK msg 1
for 0013.49fa.7f88
Jul  2 13:26:14.173: dot11_dot1x_build_gtk_handshake:
dot11_dot1x_get_multicast_key len 32 index 2
Jul  2 13:26:14.173: dot11_dot1x_hex_dump: GTK: A4 A1 E1 05 E8 28 CE 05
43 1C 54 B8 DE F9 CD 89 C5 D0 31 75 09 E5 69 D0 FF 9C 77 C2 C3 A9 97 A8
Jul  2 13:26:14.177: dot11_dot1x_verify_gtk_handshake: verifying GTK msg
2 from 0013.49fa.7f88
Jul  2 13:26:14.178: dot11_dot1x_verify_eapol_header: Warning: Invalid
key info (exp=0x321, act=0x301
Jul  2 13:26:14.178: dot11_dot1x_verify_eapol_header: Warning: Invalid
key len (exp=0x20, act=0x0)
Jul  2 13:26:14.178: Calculating MIC across (99 bytes):
01 03 00 5F FE 03 01 00 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
Jul  2 13:26:14.180: MIC key used (whole ptk):
36 FD 11 6E 87 0D 7C 62 21 6C 28 B6 40 BE 0B 92 5E D4 5D 65 21 02 AA A6
5E A9 57 58 70 09 FD CD 06 20 DF AA E1 89 D7 7D D6 7F 46 89 0A 62 CE 7E
D3 C7 B7 09 0C 29 70 21 3B 98 FB 49 72 AF E7 AF
Jul  2 13:26:14.181: %DOT11-6-ASSOC: Interface Dot11Radio0, Station
0013.49fa.7f88 Associated KEY_MGMT[WPA]

Non Working Radiator

Jul  2 13:28:12.587: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
Jul  2 13:28:12.587: dot11_dot1x_build_ptk_handshake: building PTK msg 1
for 0013.49fa.7f88
Jul  2 13:28:12.592: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
2 from 0013.49fa.7f88
Jul  2 13:28:12.592: dot11_dot1x_verify_eapol_header: Warning: Invalid
key len (exp=0x20, act=0x0)
Jul  2 13:28:12.592: Calculating MIC across (125 bytes):
01 03 00 79 FE 01 09 00 00 00 00 00 00 00 00 00 01 1F 7B AB 1C B1 B9 F5
9F B6 BC 24 02 96 1E B2 90 10 0B 46 CF 47 99 C3 15 E1 91 A7 79 90 C5 55
FA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 1A DD 18 00 50 F2 01 01 00 00 50 F2 02 01 00 00 50 F2 02 01 00 00
50 F2 01 00 00
Jul  2 13:28:12.595: MIC key used (whole ptk):
E1 67 71 DB 2D D9 D2 63 E5 25 74 8E 7B 92 14 16 F5 15 54 D0 CE 75 BC 12
04 EF CC FD 33 DA 94 1E 5E 71 FA 8E A5 92 C3 8E AD 61 02 39 EB 24 61 6E
CF AB E8 37 85 49 C2 7C 51 BB 9D DC 51 75 3F 20
Jul  2 13:28:12.596: Client 0013.49fa.7f88 failed: Dot1x MIC mismatch
Jul  2 13:28:12.596: dot11_dot1x_verify_ptk_handshake:
Jul  2 13:28:12.596: dot11_dot1x_verify_mic failed for 2nd msg
Jul  2 13:28:12.687: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
Jul  2 13:28:12.687: dot11_dot1x_build_ptk_handshake: building PTK msg 1
for 0013.49fa.7f88
Jul  2 13:28:12.690: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
2 from 0013.49fa.7f88
Jul  2 13:28:12.690: dot11_dot1x_verify_eapol_header: Warning: Invalid
key len (exp=0x20, act=0x0)
Jul  2 13:28:12.690: Calculating MIC across (125 bytes):
01 03 00 79 FE 01 09 00 00 00 00 00 00 00 00 00 02 1F 7B AB 1C B1 B9 F5
9F B6 BC 24 02 96 1E B2 90 10 0B 46 CF 47 99 C3 15 E1 91 A7 79 90 C5 55
FB 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 1A DD 18 00 50 F2 01 01 00 00 50 F2 02 01 00 00 50 F2 02 01 00 00
50 F2 01 00 00
Jul  2 13:28:12.692: MIC key used (whole ptk):
28 3E EB 75 E0 B8 CA 5C 9F E2 BD B7 CC 8D 62 B2 70 1E 23 BF 32 7B CF 12
94 87 03 98 F4 F4 49 25 36 6F 0E FD 60 DD 82 7E 62 F5 18 A5 26 C7 B3 F3
F1 BC 1D 66 41 F2 56 FD F5 9C 8C 27 DA AD 56 DC
Jul  2 13:28:12.694: Client 0013.49fa.7f88 failed: Dot1x MIC mismatch
Jul  2 13:28:12.694: dot11_dot1x_verify_ptk_handshake:
Jul  2 13:28:12.694: dot11_dot1x_verify_mic failed for 2nd msg
Jul  2 13:28:12.787: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
Jul  2 13:28:12.787: dot11_dot1x_build_ptk_handshake: building PTK msg 1
for 0013.49fa.7f88
Jul  2 13:28:12.790: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
2 from 0013.49fa.7f88
Jul  2 13:28:12.790: dot11_dot1x_verify_eapol_header: Warning: Invalid
key len (exp=0x20, act=0x0)
Jul  2 13:28:12.790: Calculating MIC across (125 bytes):
01 03 00 79 FE 01 09 00 00 00 00 00 00 00 00 00 03 1F 7B AB 1C B1 B9 F5
9F B6 BC 24 02 96 1E B2 90 10 0B 46 CF 47 99 C3 15 E1 91 A7 79 90 C5 55
FC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 1A DD 18 00 50 F2 01 01 00 00 50 F2 02 01 00 00 50 F2 02 01 00 00
50 F2 01 00 00
Jul  2 13:28:12.792: MIC key used (whole ptk):
4C A5 7C FA A1 77 80 9A F3 C9 66 5E A5 23 CC 0B 15 C2 81 97 93 EF 31 57
B7 C5 AF 10 79 17 5E FC 45 BC 4E 2E 40 F9 35 6C 1A 3D C0 5E EE 19 AA 04
C7 E0 4C B3 85 1C 45 A5 10 CD D5 04 83 B8 AB 3D
Jul  2 13:28:12.794: Client 0013.49fa.7f88 failed: Dot1x MIC mismatch
Jul  2 13:28:12.794: dot11_dot1x_verify_ptk_handshake:
Jul  2 13:28:12.794: dot11_dot1x_verify_mic failed for 2nd msg
Jul  2 13:28:12.887: %DOT11-7-AUTH_FAILED: Station 0013.49fa.7f88
Authentication failed
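
The 125 bytes the AP prints under "Calculating MIC across" are the client's EAPOL-Key message 2 with the MIC field zeroed. The decoder below is an added example (not part of the original post, and not Radiator or Cisco code) that splits that dump into its fields, using the bytes of the first failing attempt above as input; the function and dictionary names are illustrative.

```python
import struct

# PTK msg 2 as dumped by the AP for the first failing (Radiator) attempt above.
MSG2_HEX = """
01 03 00 79 FE 01 09 00 00 00 00 00 00 00 00 00 01 1F 7B AB 1C B1 B9 F5
9F B6 BC 24 02 96 1E B2 90 10 0B 46 CF 47 99 C3 15 E1 91 A7 79 90 C5 55
FA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 1A DD 18 00 50 F2 01 01 00 00 50 F2 02 01 00 00 50 F2 02 01 00 00
50 F2 01 00 00
"""
MSG2 = bytes.fromhex("".join(MSG2_HEX.split()))

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}  # OUI 00:50:F2 suites
AKMS = {1: "802.1X", 2: "PSK"}

def parse_wpa_ie(kd):
    """Decode the WPA IE (tag 0xDD, OUI 00:50:F2, type 1) carried in Key Data."""
    if len(kd) < 2 or len(kd) < 2 + kd[1] or kd[0] != 0xDD \
            or kd[2:6] != b"\x00\x50\xf2\x01":
        return None
    body = kd[2:2 + kd[1]]
    (version,) = struct.unpack_from("<H", body, 4)
    out = {"version": version, "group": CIPHERS.get(body[9], body[6:10].hex())}
    pos = 10                                  # suite count (LE) + 4-byte selectors
    for name, table in (("pairwise", CIPHERS), ("akm", AKMS)):
        (n,) = struct.unpack_from("<H", body, pos)
        sels = [body[pos + 2 + 4 * i: pos + 6 + 4 * i] for i in range(n)]
        out[name] = [table.get(s[3], s.hex()) for s in sels]
        pos += 2 + 4 * n
    return out

def parse_eapol_key(frame):
    """Split an EAPOL-Key frame with a WPA (type 254) descriptor into fields."""
    if len(frame) < 99:
        raise ValueError("too short for an EAPOL-Key frame")
    _ver, ptype, length = struct.unpack_from("!BBH", frame, 0)
    desc, info, key_len, replay = struct.unpack_from("!BHHQ", frame, 4)
    (kd_len,) = struct.unpack_from("!H", frame, 97)
    if ptype != 3 or length != len(frame) - 4 or 99 + kd_len != len(frame):
        raise ValueError("length fields do not match the dump")
    return {
        "descriptor_type": desc, "key_info": info,
        "descriptor_version": info & 0x7,     # 1 = HMAC-MD5 MIC / RC4 (TKIP)
        "pairwise": bool(info & 0x8), "mic_flag": bool(info & 0x100),
        "key_length": key_len, "replay_counter": replay,
        "nonce": frame[17:49],                # IV, RSC and key ID follow, 49..80
        "mic_zeroed": frame[81:97] == bytes(16),
        "wpa_ie": parse_wpa_ie(frame[99:]),
    }
```

The `key_length` of 0 is the field behind the AP's "Invalid key len (exp=0x20, act=0x0)" warning, which appears in the working ACS run as well.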
