(RADIATOR) WPA Key problems with Cisco Aironet 1130 AG

Mike McCauley mikem at open.com.au
Mon Jul 2 18:16:58 CDT 2007 

Hello again Rasmus,

BTW, we have seen similar behaviour when people install the Shining Light 
OpenSSL 0.9.8 instead of 0.9.7. 
We have been able to reproduce 
your behaviour by installing 0.9.8e and fix it by installing  0.9.7m.
Suggest you install 0.9.7m from 
http://www.shininglightpro.com/download/Win32OpenSSL-0_9_7m.exe

Please let me know how you get on.

Cheers.

On Tuesday 03 July 2007 08:45, Mike McCauley wrote:
> Hello Rasmus,
>
> Can you please provide us with the followiong information:
>
> 1. What platform are you running Radiator on?
> 2. What version of perl are you using?
> 3. Your Radiator configuration file (no secrets)
> 4. A complete Radiator level 4 trace file showing the problem.
> 5. What wireless supplicant are you using on the client?
>
> On Monday 02 July 2007 23:42, Rasmus Brown Jensen wrote:
> > Hello
> >
> > I'm having a bit of trouble getting the evaluation version of raditor to
> > work with TKIP WPA. All the authentication process works fine, but it
> > seems to have some issues delivering a WPA key to wireless clients.
> > I am evaluating Cisco ACS also, and it has no problems (of course :). I
> > have attached a snippet of the radiator log, a debug of the Aironet 1130
> > AG access point where it doesnt work (radiator), and where it works
> > (cisco ACS).
> >
> > Anyone has some suggestions?
> >
> > Regards
> > Rasmus Brown Jensen
> > University of Copenhagen
> >
> >
> > Snippet of radiator log:
> >
> > Mon Jul  2 15:28:12 2007: DEBUG: Handling request with Handler ''
> > Mon Jul  2 15:28:12 2007: DEBUG:  Deleting session for ********,
> > 10.0.102.9, 593
> > Mon Jul  2 15:28:12 2007: DEBUG: Handling with Radius::AuthFILE:
> > AD-HUM2005
> > Mon Jul  2 15:28:12 2007: DEBUG: Handling with EAP: code 2, 10, 38
> > Mon Jul  2 15:28:12 2007: DEBUG: Response type 25
> > Mon Jul  2 15:28:12 2007: DEBUG: EAP result: 0,
> > Mon Jul  2 15:28:12 2007: DEBUG: AuthBy FILE result: ACCEPT,
> > Mon Jul  2 15:28:12 2007: DEBUG: Access accepted for ********
> > Mon Jul  2 15:28:12 2007: DEBUG: Packet dump:
> > *** Sending to 10.0.102.9 port 1645 ....
> > Code:       Access-Accept
> > Identifier: 198
> > Authentic:  <234>8y\<231><155>a<210><229>f<146><192>\aa<230>
> > Attributes:
> > 	EAP-Message = <3><10><0><4>
> > 	Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > 	MS-MPPE-Send-Key =
> > <197>m<160>`<182><153><208><158>{<169>J<211><10><187>e<13><165><159><15>
> > <186>A<177>|P<152><184>e{a<167><212>JX<236><150>\w<171><238><160><196>`u
> > <153>pm<212><127>+V
> > 	MS-MPPE-Recv-Key =
> > <254>;<204><209>7:<11><17><1><211><<157><20><156><212><23>1<21><144><209
> >
> > ><7>B<135><160><208>S<141><166>l<172>Dlp<26><253><172><237><153><25>Q%<2
> >
> > 40><215><127>6<134><179>Q0w
> >
> >
> > Cisco 1130AG debug (debug dot11 aaa manager keys)
> >
> > Working Cisco ACS
> >
> > Jul  2 13:26:14.159: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
> > Jul  2 13:26:14.159: dot11_dot1x_build_ptk_handshake: building PTK msg 1
> > for 0013.49fa.7f88
> > Jul  2 13:26:14.164: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
> > 2 from 0013.49fa.7f88
> > Jul  2 13:26:14.164: dot11_dot1x_verify_eapol_header: Warning: Invalid
> > key len (exp=0x20, act=0x0)
> > Jul  2 13:26:14.164: Calculating MIC across (125 bytes):
> > 01 03 00 79 FE 01 09 00 00 00 00 00 00 00 00 00 01 1F 7B AB 1C B1 B9 F5
> > 9F B6 BC 24 02 96 1E B2 90 10 0B 46 CF 47 99 C3 15 E1 91 A7 79 90 C5 55
> > F9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 00 00 1A DD 18 00 50 F2 01 01 00 00 50 F2 02 01 00 00 50 F2 02 01 00 00
> > 50 F2 01 00 00
> > Jul  2 13:26:14.167: MIC key used (whole ptk):
> > 36 FD 11 6E 87 0D 7C 62 21 6C 28 B6 40 BE 0B 92 5E D4 5D 65 21 02 AA A6
> > 5E A9 57 58 70 09 FD CD 06 20 DF AA E1 89 D7 7D D6 7F 46 89 0A 62 CE 7E
> > D3 C7 B7 09 0C 29 70 21 3B 98 FB 49 72 AF E7 AF
> > Jul  2 13:26:14.168: dot11_dot1x_verify_ptk_handshake: Handshake passed
> > Jul  2 13:26:14.168: dot11_dot1x_send_ssn_eapol_key: eapol->length 121
> > Jul  2 13:26:14.168: dot11_dot1x_build_ptk_handshake: building PTK msg 3
> > for 0013.49fa.7f88
> > Jul  2 13:26:14.168: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
> > 4 from 0013.49fa.7f88
> > Jul  2 13:26:14.169: dot11_dot1x_verify_eapol_header: Warning: Invalid
> > key len (exp=0x20, act=0x0)
> > Jul  2 13:26:14.169: Calculating MIC across (99 bytes):
> > 01 03 00 5F FE 01 09 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 00 00 00
> > Jul  2 13:26:14.171: MIC key used (whole ptk):
> > 36 FD 11 6E 87 0D 7C 62 21 6C 28 B6 40 BE 0B 92 5E D4 5D 65 21 02 AA A6
> > 5E A9 57 58 70 09 FD CD 06 20 DF AA E1 89 D7 7D D6 7F 46 89 0A 62 CE 7E
> > D3 C7 B7 09 0C 29 70 21 3B 98 FB 49 72 AF E7 AF
> > Jul  2 13:26:14.172: dot11_dot1x_verify_ptk_handshake: Handshake passed
> > Jul  2 13:26:14.172: dot11_dot1x_new_key: mcst encrypt mode 0x10 gtk len
> > 32
> > Jul  2 13:26:14.172: dot11_dot1x_send_ssn_eapol_key: eapol->length 127
> > Jul  2 13:26:14.172: dot11_dot1x_build_gtk_handshake: building GTK msg 1
> > for 0013.49fa.7f88
> > Jul  2 13:26:14.173: dot11_dot1x_build_gtk_handshake:
> > dot11_dot1x_get_multicast_key len 32 index 2
> > Jul  2 13:26:14.173: dot11_dot1x_hex_dump: GTK: A4 A1 E1 05 E8 28 CE 05
> > 43 1C 54 B8 DE F9 CD 89 C5 D0 31 75 09 E5 69 D0 FF 9C 77 C2 C3 A9 97 A8
> > Jul  2 13:26:14.177: dot11_dot1x_verify_gtk_handshake: verifying GTK msg
> > 2 from 0013.49fa.7f88
> > Jul  2 13:26:14.178: dot11_dot1x_verify_eapol_header: Warning: Invalid
> > key info (exp=0x321, act=0x301
> > Jul  2 13:26:14.178: dot11_dot1x_verify_eapol_header: Warning: Invalid
> > key len (exp=0x20, act=0x0)
> > Jul  2 13:26:14.178: Calculating MIC across (99 bytes):
> > 01 03 00 5F FE 03 01 00 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 00 00 00
> > Jul  2 13:26:14.180: MIC key used (whole ptk):
> > 36 FD 11 6E 87 0D 7C 62 21 6C 28 B6 40 BE 0B 92 5E D4 5D 65 21 02 AA A6
> > 5E A9 57 58 70 09 FD CD 06 20 DF AA E1 89 D7 7D D6 7F 46 89 0A 62 CE 7E
> > D3 C7 B7 09 0C 29 70 21 3B 98 FB 49 72 AF E7 AF
> > Jul  2 13:26:14.181: %DOT11-6-ASSOC: Interface Dot11Radio0, Station
> > 0013.49fa.7f88 Associated KEY_MGMT[WPA]
> >
> > Non Working Radiator
> >
> > Jul  2 13:28:12.587: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
> > Jul  2 13:28:12.587: dot11_dot1x_build_ptk_handshake: building PTK msg 1
> > for 0013.49fa.7f88
> > Jul  2 13:28:12.592: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
> > 2 from 0013.49fa.7f88
> > Jul  2 13:28:12.592: dot11_dot1x_verify_eapol_header: Warning: Invalid
> > key len (exp=0x20, act=0x0)
> > Jul  2 13:28:12.592: Calculating MIC across (125 bytes):
> > 01 03 00 79 FE 01 09 00 00 00 00 00 00 00 00 00 01 1F 7B AB 1C B1 B9 F5
> > 9F B6 BC 24 02 96 1E B2 90 10 0B 46 CF 47 99 C3 15 E1 91 A7 79 90 C5 55
> > FA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 00 00 1A DD 18 00 50 F2 01 01 00 00 50 F2 02 01 00 00 50 F2 02 01 00 00
> > 50 F2 01 00 00
> > Jul  2 13:28:12.595: MIC key used (whole ptk):
> > E1 67 71 DB 2D D9 D2 63 E5 25 74 8E 7B 92 14 16 F5 15 54 D0 CE 75 BC 12
> > 04 EF CC FD 33 DA 94 1E 5E 71 FA 8E A5 92 C3 8E AD 61 02 39 EB 24 61 6E
> > CF AB E8 37 85 49 C2 7C 51 BB 9D DC 51 75 3F 20
> > Jul  2 13:28:12.596: Client 0013.49fa.7f88 failed: Dot1x MIC mismatch
> > Jul  2 13:28:12.596: dot11_dot1x_verify_ptk_handshake:
> > Jul  2 13:28:12.596: dot11_dot1x_verify_mic failed for 2nd msg
> > Jul  2 13:28:12.687: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
> > Jul  2 13:28:12.687: dot11_dot1x_build_ptk_handshake: building PTK msg 1
> > for 0013.49fa.7f88
> > Jul  2 13:28:12.690: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
> > 2 from 0013.49fa.7f88
> > Jul  2 13:28:12.690: dot11_dot1x_verify_eapol_header: Warning: Invalid
> > key len (exp=0x20, act=0x0)
> > Jul  2 13:28:12.690: Calculating MIC across (125 bytes):
> > 01 03 00 79 FE 01 09 00 00 00 00 00 00 00 00 00 02 1F 7B AB 1C B1 B9 F5
> > 9F B6 BC 24 02 96 1E B2 90 10 0B 46 CF 47 99 C3 15 E1 91 A7 79 90 C5 55
> > FB 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 00 00 1A DD 18 00 50 F2 01 01 00 00 50 F2 02 01 00 00 50 F2 02 01 00 00
> > 50 F2 01 00 00
> > Jul  2 13:28:12.692: MIC key used (whole ptk):
> > 28 3E EB 75 E0 B8 CA 5C 9F E2 BD B7 CC 8D 62 B2 70 1E 23 BF 32 7B CF 12
> > 94 87 03 98 F4 F4 49 25 36 6F 0E FD 60 DD 82 7E 62 F5 18 A5 26 C7 B3 F3
> > F1 BC 1D 66 41 F2 56 FD F5 9C 8C 27 DA AD 56 DC
> > Jul  2 13:28:12.694: Client 0013.49fa.7f88 failed: Dot1x MIC mismatch
> > Jul  2 13:28:12.694: dot11_dot1x_verify_ptk_handshake:
> > Jul  2 13:28:12.694: dot11_dot1x_verify_mic failed for 2nd msg
> > Jul  2 13:28:12.787: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
> > Jul  2 13:28:12.787: dot11_dot1x_build_ptk_handshake: building PTK msg 1
> > for 0013.49fa.7f88
> > Jul  2 13:28:12.790: dot11_dot1x_verify_ptk_handshake: verifying PTK msg
> > 2 from 0013.49fa.7f88
> > Jul  2 13:28:12.790: dot11_dot1x_verify_eapol_header: Warning: Invalid
> > key len (exp=0x20, act=0x0)
> > Jul  2 13:28:12.790: Calculating MIC across (125 bytes):
> > 01 03 00 79 FE 01 09 00 00 00 00 00 00 00 00 00 03 1F 7B AB 1C B1 B9 F5
> > 9F B6 BC 24 02 96 1E B2 90 10 0B 46 CF 47 99 C3 15 E1 91 A7 79 90 C5 55
> > FC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > 00 00 1A DD 18 00 50 F2 01 01 00 00 50 F2 02 01 00 00 50 F2 02 01 00 00
> > 50 F2 01 00 00
> > Jul  2 13:28:12.792: MIC key used (whole ptk):
> > 4C A5 7C FA A1 77 80 9A F3 C9 66 5E A5 23 CC 0B 15 C2 81 97 93 EF 31 57
> > B7 C5 AF 10 79 17 5E FC 45 BC 4E 2E 40 F9 35 6C 1A 3D C0 5E EE 19 AA 04
> > C7 E0 4C B3 85 1C 45 A5 10 CD D5 04 83 B8 AB 3D
> > Jul  2 13:28:12.794: Client 0013.49fa.7f88 failed: Dot1x MIC mismatch
> > Jul  2 13:28:12.794: dot11_dot1x_verify_ptk_handshake:
> > Jul  2 13:28:12.794: dot11_dot1x_verify_mic failed for 2nd msg
> > Jul  2 13:28:12.887: %DOT11-7-AUTH_FAILED: Station 0013.49fa.7f88
> > Authentication failed
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list