[RADIATOR] EAP-Fast/MS-CHAPv2 with Cisco 7921g
Hugh Irvine
hugh at open.com.au
Thu Aug 28 01:47:20 CDT 2008
Hello Michael -
Could we see your Radiator configuration file and a more complete
trace 4 debug?
thanks and regards
Hugh
On 28 Aug 2008, at 07:51, Michael LeBlanc wrote:
> Hi,
>
> I've been working on getting a Cisco 7921g wifi IP phone to use
> EAP-Fast/MS-CHAPv2 with Radiator, with no luck so far. I was wondering if
> anyone has had success with this configuration.
>
> I've tried Radiator 3.17.1 and 4.3.1, and in both cases, the phone seems to
> reject the MS-CHAPv2 challenge in the inner tunnel and requests
> Generic-Token (the log entry is below).
>
> I've been able to get EAP-Fast working with Generic-Token on the 7921g, and
> wpa_supplicant works well with EAP-Fast/MS-CHAPv2 -- so I don't think it's a
> Radiator configuration issue.
>
> According to the vendor, the 7921g supports MS-CHAPv2 within the EAP-Fast
> tunnel.
>
> I'd very much appreciate any thoughts.
>
> Tue Aug 26 14:31:07 2008: DEBUG: EAP-FAST Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <12><24><212><162><129><187>1%<220><169>#<147><253>M<12><250>
> Attributes:
> EAP-Message = <2><0><0><13><1>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> User-Name = "anonymous"
> NAS-IP-Address = XXXX
> NAS-Identifier = "XXXX"
> NAS-Port = 29
> Calling-Station-Id = "XXXX"
>
> Tue Aug 26 14:31:07 2008: DEBUG: Handling request with Handler ''
> Tue Aug 26 14:31:07 2008: DEBUG: Deleting session for anonymous, XXXX
> Tue Aug 26 14:31:07 2008: DEBUG: Handling with Radius::AuthFILE: EAP-FAST
> Tue Aug 26 14:31:07 2008: DEBUG: Handling with EAP: code 2, 0, 13
> Tue Aug 26 14:31:07 2008: DEBUG: Response type 1
> Tue Aug 26 14:31:07 2008: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Tue Aug 26 14:31:07 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP MSCHAP-V2 Challenge
> Tue Aug 26 14:31:07 2008: DEBUG: Access challenged for anonymous: EAP MSCHAP-V2 Challenge
> Tue Aug 26 14:31:07 2008: DEBUG: Returned FAST inner Packet dump:
> Code: Access-Challenge
> Identifier: UNDEF
> Authentic: <12><24><212><162><129><187>1%<220><169>#<147><253>M<12><250>
> Attributes:
> EAP-Message = <1><1><0>.<26><1><1><0>)<16>3<239><161>C<204><234>j\<19>~<155>&(q<28>FXXXX
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Aug 26 14:31:07 2008: DEBUG: EAP result: 3, EAP-FAST inner authentication redespatched to a Handler
> Tue Aug 26 14:31:07 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP-FAST inner authentication redespatched to a Handler
> Tue Aug 26 14:31:07 2008: DEBUG: Access challenged for anonymous: EAP-FAST inner authentication redespatched to a Handler
> Tue Aug 26 14:31:07 2008: DEBUG: Packet dump:
>
> *** Sending to XXXX port XXXX ....
> Code: Access-Challenge
> Identifier: 140
> Authentic: O<8><142><182>f<129>s<168><27><200><159><14>H<6><127>O
> Attributes:
> EAP-Message =
> <1><1><0>U+<129><0><0><0>K<23><3><1><0>Fd<138>dT<219>=<156
>> <168>q<250><142><159>m1<206><154>,<240><231><177>%
>> 1<155><207><142><215><26>}<13
> 1><215><224><13>c<240><149>0<4>TeSm<26><4>*<212><192><248>&<169><207>W
> <156><
> 8><204><139>n:<160><146><171>m<181><150><202><154><219><242><174>"
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Aug 26 14:31:07 2008: DEBUG: Packet dump:
> *** Received from XXXX port XXXX ....
> Code: Access-Request
> Identifier: 141
> Authentic: OB<130>JX<236><237><167><226><255> <7><158><167><167>5
> Attributes:
> User-Name = "anonymous"
> Calling-Station-Id = "XXXX"
> Called-Station-Id = "XXXX"
> NAS-Port = 29
> NAS-IP-Address = XXXX
> NAS-Identifier = "XXXX"
> Airespace-WLAN-Id = 6
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2><1><0>)+<1><23><3><1><0><30>&<177><226><18><11>j<198>GA^<250>g<11><253><224><235><230><177>.-@<140><181><192><130><194><212>n<22>%
> Message-Authenticator = @<197>Z*)<227><211><22><232>p<9><217><21><223>I<136>
>
> Tue Aug 26 14:31:07 2008: DEBUG: Handling request with Handler ''
> Tue Aug 26 14:31:07 2008: DEBUG: Deleting session for anonymous, XXXX
> Tue Aug 26 14:31:07 2008: DEBUG: Handling with Radius::AuthFILE: EAP-FAST
> Tue Aug 26 14:31:07 2008: DEBUG: Handling with EAP: code 2, 1, 41
> Tue Aug 26 14:31:07 2008: DEBUG: Response type 43
> Tue Aug 26 14:31:07 2008: DEBUG: EAP-FAST TLS data: 80090006020100060306
> Tue Aug 26 14:31:07 2008: DEBUG: EAP-FAST inner authentication request for anonymous
> Tue Aug 26 14:31:07 2008: DEBUG: EAP-FAST Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: {<203>|3<209><211><5><230><211><10><192><182><147><157>PM
> Attributes:
> EAP-Message = <2><1><0><6><3><6>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> User-Name = "anonymous"
> NAS-IP-Address = XXXXX
> NAS-Identifier = "XXXXX"
> NAS-Port = 29
> Calling-Station-Id = " XXXXX"
>
> Tue Aug 26 14:31:07 2008: DEBUG: Handling request with Handler ''
> Tue Aug 26 14:31:07 2008: DEBUG: Deleting session for anonymous, 137.82.32.251, 29
> Tue Aug 26 14:31:07 2008: DEBUG: Handling with Radius::AuthFILE: EAP-FAST
> Tue Aug 26 14:31:07 2008: DEBUG: Handling with EAP: code 2, 1, 6
> Tue Aug 26 14:31:07 2008: DEBUG: Response type 3
> Tue Aug 26 14:31:07 2008: INFO: EAP Nak desires type 6
> Tue Aug 26 14:31:07 2008: DEBUG: EAP result: 1, Desired EAP type 6 not permitted
> Tue Aug 26 14:31:07 2008: DEBUG: AuthBy FILE result: REJECT, Desired EAP type 6 not permitted
> Tue Aug 26 14:31:07 2008: INFO: Access rejected for anonymous: Desired EAP type 6 not permitted
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
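
Added example, not part of the original thread and not Radiator code: a small Python decoder for the EAP-Message notation and the "EAP-FAST TLS data" hex string shown in the trace above. It assumes the dump prints a non-printable byte as <n> in decimal and any other byte as itself (inferred from this trace); the function names are illustrative.

```python
import re
import struct

# EAP codes and method types (RFC 3748 registry; 26 = MS-CHAPv2, 43 = EAP-FAST)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC",
             13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2", 43: "EAP-FAST"}

def dump_to_bytes(text):
    # Assumed notation, inferred from this trace: <n> is one byte in decimal,
    # any other character is the byte itself.
    out = bytearray()
    for num, lit in re.findall(r"<(\d{1,3})>|(.)", text, re.S):
        out += bytes([int(num)]) if num else lit.encode("latin-1")
    return bytes(out)

def parse_eap(pkt):
    # Header: code, identifier, 16-bit length. Dumps may be shorter than length.
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "truncated": len(pkt) < length}
    if code in (1, 2) and len(pkt) > 4:
        etype, data = pkt[4], pkt[5:length]
        info["type"] = EAP_TYPES.get(etype, etype)
        if code == 2 and etype == 3:  # Nak: data lists the types the peer wants
            info["desired"] = [EAP_TYPES.get(t, t) for t in data]
    return info

def parse_fast_tlvs(raw):
    # EAP-FAST TLV (RFC 4851): M and R bits, 14-bit type, 16-bit length, value.
    tlvs, off = [], 0
    while off + 4 <= len(raw):
        hdr, ln = struct.unpack_from("!HH", raw, off)
        tlvs.append({"mandatory": bool(hdr & 0x8000), "type": hdr & 0x3FFF,
                     "value": raw[off + 4:off + 4 + ln]})
        off += 4 + ln
    return tlvs

def inner_eap(tls_hex):
    # EAP-Payload TLV (type 9) carries the tunnelled EAP packet.
    for tlv in parse_fast_tlvs(bytes.fromhex(tls_hex)):
        if tlv["type"] == 9:
            return parse_eap(tlv["value"])
    return None

if __name__ == "__main__":
    # Inputs copied from the trace quoted above.
    print(parse_eap(dump_to_bytes("<2><1><0><6><3><6>")))
    print(inner_eap("80090006020100060306"))
```

Both inputs decode to an EAP Response of type Nak whose desired type is 6 (GTC), which is what the "EAP Nak desires type 6" log line reports: the phone's answer to the tunnelled MS-CHAPv2 challenge.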