(RADIATOR) WPA Key problems with Cisco Aironet 1130 AG

Mike McCauley mikem at open.com.au
Mon Jul 2 17:45:19 CDT 2007


Hello Rasmus,

Can you please provide us with the following information:

1. What platform are you running Radiator on?
2. What version of perl are you using?
3. Your Radiator configuration file (no secrets)
4. A complete Radiator level 4 trace file showing the problem.
5. What wireless supplicant are you using on the client?

On Monday 02 July 2007 23:42, Rasmus Brown Jensen wrote:
> Hello
>
> I'm having a bit of trouble getting the evaluation version of Radiator to
> work with TKIP WPA. All the authentication process works fine, but it
> seems to have some issues delivering a WPA key to wireless clients.
> I am evaluating Cisco ACS also, and it has no problems (of course :). I
> have attached a snippet of the radiator log, a debug of the Aironet 1130
> AG access point where it doesn't work (radiator), and where it works
> (cisco ACS).
>
> Does anyone have some suggestions?
>
> Regards
> Rasmus Brown Jensen
> University of Copenhagen
>
>
> Snippet of radiator log:
>
> Mon Jul  2 15:28:12 2007: DEBUG: Handling request with Handler ''
> Mon Jul  2 15:28:12 2007: DEBUG:  Deleting session for ********,
> 10.0.102.9, 593
> Mon Jul  2 15:28:12 2007: DEBUG: Handling with Radius::AuthFILE:
> AD-HUM2005
> Mon Jul  2 15:28:12 2007: DEBUG: Handling with EAP: code 2, 10, 38
> Mon Jul  2 15:28:12 2007: DEBUG: Response type 25
> Mon Jul  2 15:28:12 2007: DEBUG: EAP result: 0,
> Mon Jul  2 15:28:12 2007: DEBUG: AuthBy FILE result: ACCEPT,
> Mon Jul  2 15:28:12 2007: DEBUG: Access accepted for ********
> Mon Jul  2 15:28:12 2007: DEBUG: Packet dump:
> *** Sending to 10.0.102.9 port 1645 ....
> Code:       Access-Accept
> Identifier: 198
> Authentic:  <234>8y\<231><155>a<210><229>f<146><192>\aa<230>
> Attributes:
> 	EAP-Message = <3><10><0><4>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	MS-MPPE-Send-Key =
> <197>m<160>`<182><153><208><158>{<169>J<211><10><187>e<13><165><159><15>
> <186>A<177>|P<152><184>e{a<167><212>JX<236><150>\w<171><238><160><196>`u
> <153>pm<212><127>+V
> 	MS-MPPE-Recv-Key =
> <254>;<204><209>7:<11><17><1><211><<157><20><156><212><23>1<21><144><209
>
> ><7>B<135><160><208>S<141><166>l<172>Dlp<26><253><172><237><153><25>Q%<2
>
> 40><215><127>6<134><179>Q0w
>
>
> Cisco 1130AG debug (debug dot11 aaa manager keys)
>
> Working Cisco ACS
>
> Jul  2 13:26:14.159: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
> Jul  2 13:26:14.159: dot11_dot1x_build_ptk_handshake: building PTK msg 1
> for 0013.49fa.7f88
> Jul  2 13:26:14.164: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
> 2 from 0013.49fa.7f88
> Jul  2 13:26:14.164: dot11_dot1x_verify_eapol_header: Warning: Invalid
> key len (exp=0x20, act=0x0)
> Jul  2 13:26:14.164: Calculating MIC across (125 bytes):
> 01 03 00 79 FE 01 09 00 00 00 00 00 00 00 00 00 01 1F 7B AB 1C B1 B9 F5
> 9F B6 BC 24 02 96 1E B2 90 10 0B 46 CF 47 99 C3 15 E1 91 A7 79 90 C5 55
> F9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 1A DD 18 00 50 F2 01 01 00 00 50 F2 02 01 00 00 50 F2 02 01 00 00
> 50 F2 01 00 00
> Jul  2 13:26:14.167: MIC key used (whole ptk):
> 36 FD 11 6E 87 0D 7C 62 21 6C 28 B6 40 BE 0B 92 5E D4 5D 65 21 02 AA A6
> 5E A9 57 58 70 09 FD CD 06 20 DF AA E1 89 D7 7D D6 7F 46 89 0A 62 CE 7E
> D3 C7 B7 09 0C 29 70 21 3B 98 FB 49 72 AF E7 AF
> Jul  2 13:26:14.168: dot11_dot1x_verify_ptk_handshake: Handshake passed
> Jul  2 13:26:14.168: dot11_dot1x_send_ssn_eapol_key: eapol->length 121
> Jul  2 13:26:14.168: dot11_dot1x_build_ptk_handshake: building PTK msg 3
> for 0013.49fa.7f88
> Jul  2 13:26:14.168: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
> 4 from 0013.49fa.7f88
> Jul  2 13:26:14.169: dot11_dot1x_verify_eapol_header: Warning: Invalid
> key len (exp=0x20, act=0x0)
> Jul  2 13:26:14.169: Calculating MIC across (99 bytes):
> 01 03 00 5F FE 01 09 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00
> Jul  2 13:26:14.171: MIC key used (whole ptk):
> 36 FD 11 6E 87 0D 7C 62 21 6C 28 B6 40 BE 0B 92 5E D4 5D 65 21 02 AA A6
> 5E A9 57 58 70 09 FD CD 06 20 DF AA E1 89 D7 7D D6 7F 46 89 0A 62 CE 7E
> D3 C7 B7 09 0C 29 70 21 3B 98 FB 49 72 AF E7 AF
> Jul  2 13:26:14.172: dot11_dot1x_verify_ptk_handshake: Handshake passed
> Jul  2 13:26:14.172: dot11_dot1x_new_key: mcst encrypt mode 0x10 gtk len
> 32
> Jul  2 13:26:14.172: dot11_dot1x_send_ssn_eapol_key: eapol->length 127
> Jul  2 13:26:14.172: dot11_dot1x_build_gtk_handshake: building GTK msg 1
> for 0013.49fa.7f88
> Jul  2 13:26:14.173: dot11_dot1x_build_gtk_handshake:
> dot11_dot1x_get_multicast_key len 32 index 2
> Jul  2 13:26:14.173: dot11_dot1x_hex_dump: GTK: A4 A1 E1 05 E8 28 CE 05
> 43 1C 54 B8 DE F9 CD 89 C5 D0 31 75 09 E5 69 D0 FF 9C 77 C2 C3 A9 97 A8
> Jul  2 13:26:14.177: dot11_dot1x_verify_gtk_handshake: verifying GTK msg
> 2 from 0013.49fa.7f88
> Jul  2 13:26:14.178: dot11_dot1x_verify_eapol_header: Warning: Invalid
> key info (exp=0x321, act=0x301
> Jul  2 13:26:14.178: dot11_dot1x_verify_eapol_header: Warning: Invalid
> key len (exp=0x20, act=0x0)
> Jul  2 13:26:14.178: Calculating MIC across (99 bytes):
> 01 03 00 5F FE 03 01 00 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00
> Jul  2 13:26:14.180: MIC key used (whole ptk):
> 36 FD 11 6E 87 0D 7C 62 21 6C 28 B6 40 BE 0B 92 5E D4 5D 65 21 02 AA A6
> 5E A9 57 58 70 09 FD CD 06 20 DF AA E1 89 D7 7D D6 7F 46 89 0A 62 CE 7E
> D3 C7 B7 09 0C 29 70 21 3B 98 FB 49 72 AF E7 AF
> Jul  2 13:26:14.181: %DOT11-6-ASSOC: Interface Dot11Radio0, Station
> 0013.49fa.7f88 Associated KEY_MGMT[WPA]
>
> Non Working Radiator
>
> Jul  2 13:28:12.587: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
> Jul  2 13:28:12.587: dot11_dot1x_build_ptk_handshake: building PTK msg 1
> for 0013.49fa.7f88
> Jul  2 13:28:12.592: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
> 2 from 0013.49fa.7f88
> Jul  2 13:28:12.592: dot11_dot1x_verify_eapol_header: Warning: Invalid
> key len (exp=0x20, act=0x0)
> Jul  2 13:28:12.592: Calculating MIC across (125 bytes):
> 01 03 00 79 FE 01 09 00 00 00 00 00 00 00 00 00 01 1F 7B AB 1C B1 B9 F5
> 9F B6 BC 24 02 96 1E B2 90 10 0B 46 CF 47 99 C3 15 E1 91 A7 79 90 C5 55
> FA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 1A DD 18 00 50 F2 01 01 00 00 50 F2 02 01 00 00 50 F2 02 01 00 00
> 50 F2 01 00 00
> Jul  2 13:28:12.595: MIC key used (whole ptk):
> E1 67 71 DB 2D D9 D2 63 E5 25 74 8E 7B 92 14 16 F5 15 54 D0 CE 75 BC 12
> 04 EF CC FD 33 DA 94 1E 5E 71 FA 8E A5 92 C3 8E AD 61 02 39 EB 24 61 6E
> CF AB E8 37 85 49 C2 7C 51 BB 9D DC 51 75 3F 20
> Jul  2 13:28:12.596: Client 0013.49fa.7f88 failed: Dot1x MIC mismatch
> Jul  2 13:28:12.596: dot11_dot1x_verify_ptk_handshake:
> Jul  2 13:28:12.596: dot11_dot1x_verify_mic failed for 2nd msg
> Jul  2 13:28:12.687: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
> Jul  2 13:28:12.687: dot11_dot1x_build_ptk_handshake: building PTK msg 1
> for 0013.49fa.7f88
> Jul  2 13:28:12.690: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
> 2 from 0013.49fa.7f88
> Jul  2 13:28:12.690: dot11_dot1x_verify_eapol_header: Warning: Invalid
> key len (exp=0x20, act=0x0)
> Jul  2 13:28:12.690: Calculating MIC across (125 bytes):
> 01 03 00 79 FE 01 09 00 00 00 00 00 00 00 00 00 02 1F 7B AB 1C B1 B9 F5
> 9F B6 BC 24 02 96 1E B2 90 10 0B 46 CF 47 99 C3 15 E1 91 A7 79 90 C5 55
> FB 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 1A DD 18 00 50 F2 01 01 00 00 50 F2 02 01 00 00 50 F2 02 01 00 00
> 50 F2 01 00 00
> Jul  2 13:28:12.692: MIC key used (whole ptk):
> 28 3E EB 75 E0 B8 CA 5C 9F E2 BD B7 CC 8D 62 B2 70 1E 23 BF 32 7B CF 12
> 94 87 03 98 F4 F4 49 25 36 6F 0E FD 60 DD 82 7E 62 F5 18 A5 26 C7 B3 F3
> F1 BC 1D 66 41 F2 56 FD F5 9C 8C 27 DA AD 56 DC
> Jul  2 13:28:12.694: Client 0013.49fa.7f88 failed: Dot1x MIC mismatch
> Jul  2 13:28:12.694: dot11_dot1x_verify_ptk_handshake:
> Jul  2 13:28:12.694: dot11_dot1x_verify_mic failed for 2nd msg
> Jul  2 13:28:12.787: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
> Jul  2 13:28:12.787: dot11_dot1x_build_ptk_handshake: building PTK msg 1
> for 0013.49fa.7f88
> Jul  2 13:28:12.790: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
> 2 from 0013.49fa.7f88
> Jul  2 13:28:12.790: dot11_dot1x_verify_eapol_header: Warning: Invalid
> key len (exp=0x20, act=0x0)
> Jul  2 13:28:12.790: Calculating MIC across (125 bytes):
> 01 03 00 79 FE 01 09 00 00 00 00 00 00 00 00 00 03 1F 7B AB 1C B1 B9 F5
> 9F B6 BC 24 02 96 1E B2 90 10 0B 46 CF 47 99 C3 15 E1 91 A7 79 90 C5 55
> FC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 1A DD 18 00 50 F2 01 01 00 00 50 F2 02 01 00 00 50 F2 02 01 00 00
> 50 F2 01 00 00
> Jul  2 13:28:12.792: MIC key used (whole ptk):
> 4C A5 7C FA A1 77 80 9A F3 C9 66 5E A5 23 CC 0B 15 C2 81 97 93 EF 31 57
> B7 C5 AF 10 79 17 5E FC 45 BC 4E 2E 40 F9 35 6C 1A 3D C0 5E EE 19 AA 04
> C7 E0 4C B3 85 1C 45 A5 10 CD D5 04 83 B8 AB 3D
> Jul  2 13:28:12.794: Client 0013.49fa.7f88 failed: Dot1x MIC mismatch
> Jul  2 13:28:12.794: dot11_dot1x_verify_ptk_handshake:
> Jul  2 13:28:12.794: dot11_dot1x_verify_mic failed for 2nd msg
> Jul  2 13:28:12.887: %DOT11-7-AUTH_FAILED: Station 0013.49fa.7f88
> Authentication failed
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
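
Added example (not part of the original thread, and not Radiator or Cisco code): a small triage script for AP debug output of the kind quoted above, which strips the mail quoting, rejoins wrapped log records and counts WPA 4-way handshake events per station. The sample log, its MAC addresses and the `verdict` labels are constructed for illustration.

```python
import re
from collections import defaultdict

TS = re.compile(r"^[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\.\d+: ")
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
RULES = [  # (counter name, pattern with one station-MAC group)
    ("ptk_msg1", re.compile("building PTK msg 1 for " + MAC)),
    ("mic_mismatch", re.compile("Client " + MAC + " failed: Dot1x MIC mismatch")),
    ("associated", re.compile("%DOT11-6-ASSOC: .*Station " + MAC + " Associated")),
    ("auth_failed", re.compile("%DOT11-7-AUTH_FAILED: Station " + MAC)),
]

def unwrap(text):
    """Strip '>' mail quoting and rejoin records the mailer wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        if TS.match(line) or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line  # continuation (wrapped text, hex dump)
    return records

def triage(text):
    """Count 4-way-handshake events per station MAC."""
    stats = defaultdict(lambda: {name: 0 for name, _ in RULES})
    for rec in unwrap(text):
        for name, pat in RULES:
            if (m := pat.search(rec)):
                stats[m.group(1)][name] += 1
    return dict(stats)

def verdict(s):
    if s["associated"]:
        return "ok"
    if s["mic_mismatch"] and s["mic_mismatch"] == s["ptk_msg1"]:
        return "key-mismatch-suspected"  # every msg 2 failed its MIC check
    return "incomplete"

# Constructed sample (made-up MACs), wrapped and quoted like the post above.
SAMPLE = """\
> Jul  2 13:26:14.159: dot11_dot1x_build_ptk_handshake: building PTK msg 1
> for 0000.5e00.5301
> Jul  2 13:26:14.181: %DOT11-6-ASSOC: Interface Dot11Radio0, Station
> 0000.5e00.5301 Associated KEY_MGMT[WPA]
> Jul  2 13:28:12.587: dot11_dot1x_build_ptk_handshake: building PTK msg 1
> for 0000.5e00.5302
> Jul  2 13:28:12.596: Client 0000.5e00.5302 failed: Dot1x MIC mismatch
> Jul  2 13:28:12.887: %DOT11-7-AUTH_FAILED: Station 0000.5e00.5302
> Authentication failed"""
```

A station whose every PTK msg 1 is answered by a msg 2 that fails the MIC check is the pattern in the non-working capture; it indicates that the AP and the supplicant are not deriving the same pairwise key.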
