[RADIATOR] EAP-Fast/MS-CHAPv2 with Cisco 7921g
Michael LeBlanc
mleblanc at exchange.ubc.ca
Wed Aug 27 16:51:15 CDT 2008
Hi,

I've been working on getting a Cisco 7921g wifi IP phone to use
EAP-Fast/MS-CHAPv2 with Radiator, with no luck so far. I was wondering if
anyone has had success with this configuration.

I've tried Radiator 3.17.1 and 4.3.1, and in both cases, the phone seems to
reject the MS-CHAPv2 challenge in the inner tunnel and requests
Generic-Token (the log entry is below).

I've been able to get EAP-Fast working with Generic-Token on the 7921g, and
wpa_supplicant works well with EAP-Fast/MS-CHAPv2 -- so I don't think it's a
Radiator configuration issue.

According to the vendor, the 7921g supports MS-CHAPv2 within the EAP-Fast
tunnel.

I'd very much appreciate any thoughts.

Tue Aug 26 14:31:07 2008: DEBUG: EAP-FAST Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <12><24><212><162><129><187>1%<220><169>#<147><253>M<12><250>
Attributes:
EAP-Message = <2><0><0><13><1>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "anonymous"
NAS-IP-Address = XXXX
NAS-Identifier = "XXXX"
NAS-Port = 29
Calling-Station-Id = "XXXX"
Tue Aug 26 14:31:07 2008: DEBUG: Handling request with Handler ''
Tue Aug 26 14:31:07 2008: DEBUG: Deleting session for anonymous, XXXX
Tue Aug 26 14:31:07 2008: DEBUG: Handling with Radius::AuthFILE: EAP-FAST
Tue Aug 26 14:31:07 2008: DEBUG: Handling with EAP: code 2, 0, 13
Tue Aug 26 14:31:07 2008: DEBUG: Response type 1
Tue Aug 26 14:31:07 2008: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Tue Aug 26 14:31:07 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP
MSCHAP-V2 Challenge
Tue Aug 26 14:31:07 2008: DEBUG: Access challenged for anonymous: EAP
MSCHAP-V2 Challenge
Tue Aug 26 14:31:07 2008: DEBUG: Returned FAST inner Packet dump:
Code: Access-Challenge
Identifier: UNDEF
Authentic: <12><24><212><162><129><187>1%<220><169>#<147><253>M<12><250>
Attributes:
EAP-Message =
<1><1><0>.<26><1><1><0>)<16>3<239><161>C<204><234>j\<19>~<
155>&(q<28>FXXXX
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tue Aug 26 14:31:07 2008: DEBUG: EAP result: 3, EAP-FAST inner
authentication redespatched to a Handler
Tue Aug 26 14:31:07 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP-FAST
inner authentication redespatched to a Handler
Tue Aug 26 14:31:07 2008: DEBUG: Access challenged for anonymous: EAP-FAST
inner authentication redespatched to a Handler
Tue Aug 26 14:31:07 2008: DEBUG: Packet dump:
*** Sending to XXXX port XXXX ....
Code: Access-Challenge
Identifier: 140
Authentic: O<8><142><182>f<129>s<168><27><200><159><14>H<6><127>O
Attributes:
EAP-Message =
<1><1><0>U+<129><0><0><0>K<23><3><1><0>Fd<138>dT<219>=<156
><168>q<250><142><159>m1<206><154>,<240><231><177>%1<155><207><142><215><26>}<13
1><215><224><13>c<240><149>0<4>TeSm<26><4>*<212><192><248>&<169><207>W<156><
8><204><139>n:<160><146><171>m<181><150><202><154><219><242><174>"
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tue Aug 26 14:31:07 2008: DEBUG: Packet dump:
*** Received from XXXX port XXXX ....
Code: Access-Request
Identifier: 141
Authentic: OB<130>JX<236><237><167><226><255> <7><158><167><167>5
Attributes:
User-Name = "anonymous"
Calling-Station-Id = "XXXX"
Called-Station-Id = "XXXX"
NAS-Port = 29
NAS-IP-Address = XXXX
NAS-Identifier = "XXXX"
Airespace-WLAN-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
EAP-Message =
<2><1><0>)+<1><23><3><1><0><30>&<177><226><18><11>j<198>GA
^<250>g<11><253><224><235><230><177>.-@<140><181><192><130><194><212>n<22>%
Message-Authenticator =
@<197>Z*)<227><211><22><232>p<9><217><21><223>I<
136>
Tue Aug 26 14:31:07 2008: DEBUG: Handling request with Handler ''
Tue Aug 26 14:31:07 2008: DEBUG: Deleting session for anonymous, XXXX
Tue Aug 26 14:31:07 2008: DEBUG: Handling with Radius::AuthFILE: EAP-FAST
Tue Aug 26 14:31:07 2008: DEBUG: Handling with EAP: code 2, 1, 41
Tue Aug 26 14:31:07 2008: DEBUG: Response type 43
Tue Aug 26 14:31:07 2008: DEBUG: EAP-FAST TLS data: 80090006020100060306
Tue Aug 26 14:31:07 2008: DEBUG: EAP-FAST inner authentication request for
anonymous
Tue Aug 26 14:31:07 2008: DEBUG: EAP-FAST Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: {<203>|3<209><211><5><230><211><10><192><182><147><157>PM
Attributes:
EAP-Message = <2><1><0><6><3><6>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "anonymous"
NAS-IP-Address = XXXXX
NAS-Identifier = "XXXXX"
NAS-Port = 29
Calling-Station-Id = " XXXXX"
Tue Aug 26 14:31:07 2008: DEBUG: Handling request with Handler ''
Tue Aug 26 14:31:07 2008: DEBUG: Deleting session for anonymous,
137.82.32.251,
29
Tue Aug 26 14:31:07 2008: DEBUG: Handling with Radius::AuthFILE: EAP-FAST
Tue Aug 26 14:31:07 2008: DEBUG: Handling with EAP: code 2, 1, 6
Tue Aug 26 14:31:07 2008: DEBUG: Response type 3
Tue Aug 26 14:31:07 2008: INFO: EAP Nak desires type 6
Tue Aug 26 14:31:07 2008: DEBUG: EAP result: 1, Desired EAP type 6 not
permitted
Tue Aug 26 14:31:07 2008: DEBUG: AuthBy FILE result: REJECT, Desired EAP
type 6
not permitted
Tue Aug 26 14:31:07 2008: INFO: Access rejected for anonymous: Desired EAP
type
6 not permitted
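
Added example, not part of the original post and not Radiator code: a small decoder for the EAP-Message values in the debug dump above, assuming the notation visible in the log (<N> is one byte written in decimal, any other character is that literal byte). It reads back the inner exchange the log records: the server offers type 26 (MS-CHAPv2) and the phone replies with a Nak listing type 6 (Generic Token Card).

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method type numbers that appear in the log above.
EAP_TYPES = {1: "Identity", 3: "Nak", 6: "Generic Token Card",
             26: "MS-CHAPv2", 43: "EAP-FAST"}
# Assumed dump notation: <N> is one byte in decimal, anything else is literal.
TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)


def dump_to_bytes(text):
    """Turn a dumped attribute value back into raw bytes."""
    out = bytearray()
    for m in TOKEN.finditer(text):
        # bytearray.append raises ValueError for anything above 255
        out.append(int(m.group(1)) if m.group(1) is not None else ord(m.group(2)))
    return bytes(out)


def decode_eap(raw):
    """Decode the EAP header (code, id, length, type) and any Nak list."""
    if len(raw) < 4:
        raise ValueError("an EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "truncated": len(raw) < length}
    if code in (1, 2) and len(raw) >= 5:
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        if raw[4] == 3:  # Nak: the type-data lists the methods the peer wants
            pkt["desired"] = [EAP_TYPES.get(t, t) for t in raw[5:length]]
    return pkt


def summarize(offer_dump, reply_dump):
    """Describe one request/response pair of the inner negotiation."""
    offer = decode_eap(dump_to_bytes(offer_dump))
    reply = decode_eap(dump_to_bytes(reply_dump))
    if reply.get("type") == "Nak":
        wanted = ", ".join(str(t) for t in reply["desired"])
        return f"server offered {offer.get('type')}; peer sent Nak asking for {wanted}"
    return f"server offered {offer.get('type')}; peer answered with {reply.get('type')}"


if __name__ == "__main__":
    # Values copied from the log above; the challenge is cut to its header
    # because the rest of it is masked in the post.
    print(summarize("<1><1><0>.<26>", "<2><1><0><6><3><6>"))
    print(decode_eap(dump_to_bytes("<2><1><0>)+<1>")))
```

Dump values that the mail client wrapped across lines (for example a `<156` at the end of one line and `>` at the start of the next) have to be joined before they are decoded.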