[RADIATOR] EAP-Fast/MS-CHAPv2 with Cisco 7921g

Hugh Irvine hugh at open.com.au
Thu Aug 28 01:47:20 CDT 2008


Hello Michael -

Could we see your Radiator configuration file and a more complete  
trace 4 debug?

thanks and regards

Hugh


On 28 Aug 2008, at 07:51, Michael LeBlanc wrote:

> Hi,
>
> I've been working on getting a Cisco 7921g wifi IP phone to use
> EAP-Fast/MS-CHAPv2 with Radiator, with no luck so far. I was wondering if
> anyone has had success with this configuration.
>
> I've tried Radiator 3.17.1 and 4.3.1, and in both cases, the phone seems to
> reject the MS-CHAPv2 challenge in the inner tunnel and requests
> Generic-Token (the log entry is below).
>
> I've been able to get EAP-Fast working with Generic-Token on the 7921g, and
> wpa_supplicant works well with EAP-Fast/MS-CHAPv2 -- so I don't think it's a
> Radiator configuration issue.
>
> According to the vendor, the 7921g supports MS-CHAPv2 within the EAP-Fast
> tunnel.
>
> I'd very much appreciate any thoughts.
>
> Tue Aug 26 14:31:07 2008: DEBUG: EAP-FAST Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <12><24><212><162><129><187>1% 
> <220><169>#<147><253>M<12><250>
> Attributes:
>         EAP-Message = <2><0><0><13><1>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         User-Name = "anonymous"
>         NAS-IP-Address = XXXX
>         NAS-Identifier = "XXXX"
>         NAS-Port = 29
>         Calling-Station-Id = "XXXX"
>
> Tue Aug 26 14:31:07 2008: DEBUG: Handling request with Handler ''
> Tue Aug 26 14:31:07 2008: DEBUG:  Deleting session for anonymous, XXXX
> Tue Aug 26 14:31:07 2008: DEBUG: Handling with Radius::AuthFILE: EAP-FAST
> Tue Aug 26 14:31:07 2008: DEBUG: Handling with EAP: code 2, 0, 13
> Tue Aug 26 14:31:07 2008: DEBUG: Response type 1
> Tue Aug 26 14:31:07 2008: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Tue Aug 26 14:31:07 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP MSCHAP-V2 Challenge
> Tue Aug 26 14:31:07 2008: DEBUG: Access challenged for anonymous: EAP MSCHAP-V2 Challenge
> Tue Aug 26 14:31:07 2008: DEBUG: Returned FAST inner Packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  <12><24><212><162><129><187>1% 
> <220><169>#<147><253>M<12><250>
> Attributes:
>         EAP-Message =
> <1><1><0>.<26><1><1><0>)<16>3<239><161>C<204><234>j\<19>~<
> 155>&(q<28>FXXXX
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Aug 26 14:31:07 2008: DEBUG: EAP result: 3, EAP-FAST inner authentication redespatched to a Handler
> Tue Aug 26 14:31:07 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP-FAST inner authentication redespatched to a Handler
> Tue Aug 26 14:31:07 2008: DEBUG: Access challenged for anonymous: EAP-FAST inner authentication redespatched to a Handler
> Tue Aug 26 14:31:07 2008: DEBUG: Packet dump:
>
> *** Sending to XXXX port XXXX ....
> Code:       Access-Challenge
> Identifier: 140
> Authentic:  O<8><142><182>f<129>s<168><27><200><159><14>H<6><127>O
> Attributes:
>         EAP-Message =
> <1><1><0>U+<129><0><0><0>K<23><3><1><0>Fd<138>dT<219>=<156
>> <168>q<250><142><159>m1<206><154>,<240><231><177>% 
>> 1<155><207><142><215><26>}<13
> 1><215><224><13>c<240><149>0<4>TeSm<26><4>*<212><192><248>&<169><207>W 
> <156><
> 8><204><139>n:<160><146><171>m<181><150><202><154><219><242><174>"
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Aug 26 14:31:07 2008: DEBUG: Packet dump:
> *** Received from XXXX port XXXX ....
> Code:       Access-Request
> Identifier: 141
> Authentic:  OB<130>JX<236><237><167><226><255> <7><158><167><167>5
> Attributes:
>         User-Name = "anonymous"
>         Calling-Station-Id = "XXXX"
>         Called-Station-Id = "XXXX"
>         NAS-Port = 29
>         NAS-IP-Address = XXXX
>         NAS-Identifier = "XXXX"
>         Airespace-WLAN-Id = 6
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-IEEE-802-11
>         EAP-Message =
> <2><1><0>)+<1><23><3><1><0><30>&<177><226><18><11>j<198>GA
> ^<250>g<11><253><224><235><230><177>.- 
> @<140><181><192><130><194><212>n<22>%
>         Message-Authenticator =
> @<197>Z*)<227><211><22><232>p<9><217><21><223>I<
> 136>
>
> Tue Aug 26 14:31:07 2008: DEBUG: Handling request with Handler ''
> Tue Aug 26 14:31:07 2008: DEBUG:  Deleting session for anonymous, XXXX
> Tue Aug 26 14:31:07 2008: DEBUG: Handling with Radius::AuthFILE: EAP-FAST
> Tue Aug 26 14:31:07 2008: DEBUG: Handling with EAP: code 2, 1, 41
> Tue Aug 26 14:31:07 2008: DEBUG: Response type 43
> Tue Aug 26 14:31:07 2008: DEBUG: EAP-FAST TLS data: 80090006020100060306
> Tue Aug 26 14:31:07 2008: DEBUG: EAP-FAST inner authentication request for anonymous
> Tue Aug 26 14:31:07 2008: DEBUG: EAP-FAST Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  {<203>|3<209><211><5><230><211><10><192><182><147><157>PM
> Attributes:
>         EAP-Message = <2><1><0><6><3><6>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         User-Name = "anonymous"
>         NAS-IP-Address = XXXXX
>         NAS-Identifier = "XXXXX"
>         NAS-Port = 29
>         Calling-Station-Id = " XXXXX"
>
> Tue Aug 26 14:31:07 2008: DEBUG: Handling request with Handler ''
> Tue Aug 26 14:31:07 2008: DEBUG:  Deleting session for anonymous, 137.82.32.251, 29
> Tue Aug 26 14:31:07 2008: DEBUG: Handling with Radius::AuthFILE: EAP-FAST
> Tue Aug 26 14:31:07 2008: DEBUG: Handling with EAP: code 2, 1, 6
> Tue Aug 26 14:31:07 2008: DEBUG: Response type 3
> Tue Aug 26 14:31:07 2008: INFO: EAP Nak desires type 6
> Tue Aug 26 14:31:07 2008: DEBUG: EAP result: 1, Desired EAP type 6 not permitted
> Tue Aug 26 14:31:07 2008: DEBUG: AuthBy FILE result: REJECT, Desired EAP type 6 not permitted
> Tue Aug 26 14:31:07 2008: INFO: Access rejected for anonymous: Desired EAP type 6 not permitted
>
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
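
An added example, not part of the original thread and not Radiator code: a small decoder for the inner `EAP-Message` values shown in the trace above, which makes the Nak (type 3) asking for type 6 (Generic Token Card) visible. It assumes the trace notation is `<n>` for a decimal byte value with printable bytes shown literally, as inferred from the dumps in this thread; `trace_to_bytes` and `decode_eap` are hypothetical helper names.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC",
             13: "EAP-TLS", 26: "MS-CHAPv2", 43: "EAP-FAST"}


def trace_to_bytes(dump):
    """Convert trace text such as '<2><1><0>)+' to raw bytes.

    Assumption: '<n>' is one byte in decimal, anything else is a literal byte.
    """
    out = bytearray()
    for m in re.finditer(r"<(\d{1,3})>|(.)", dump, re.S):
        out.append(int(m.group(1)) if m.group(1) else ord(m.group(2)))
    return bytes(out)


def decode_eap(raw):
    """Decode the EAP header and, for a Nak, the list of desired types."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           # True when the dump holds fewer bytes than the header declares
           "truncated": len(raw) < length}
    if code in (1, 2) and len(raw) > 4:
        etype = raw[4]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        data = raw[5:length]
        if etype == 3:            # Nak: each data byte is an acceptable type
            pkt["desired"] = [EAP_TYPES.get(t, t) for t in data]
        elif etype == 26 and data:
            pkt["mschap_opcode"] = data[0]   # 1 = Challenge
    return pkt


if __name__ == "__main__":
    # Values copied from the tunnelled packets in the trace above; the
    # challenge is only its leading bytes because the dump is redacted.
    for label, dump in [("inner identity", "<2><0><0><13><1>"),
                        ("inner challenge (prefix)", "<1><1><0>.<26><1>"),
                        ("inner reply", "<2><1><0><6><3><6>")]:
        print(label, decode_eap(trace_to_bytes(dump)))
```
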
