[RADIATOR] PEAP Unknown Problem
Raúl Tejeda Calero
raul.tejeda at satec.es
Wed Feb 16 04:45:36 CST 2011
Hi,
I'm still having problems with my PEAP-MSCHAP-V2 configuration.
But the problem seems more complex this time and I'm not sure I understand the process.
The log shows this:
Schema:
1) EAPChallenge for mikem
2) Access challenged for anonymous: EAP PEAP Challenge
3) Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
4) EAP PEAP inner authentication request for anonymous
5) Access challenged for anonymous: EAP MSCHAP-V2 Challenge
6) Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
7) Radius::AuthFILE looks for match with mikem [anonymous]
Radius::AuthFILE ACCEPT: : mikem [anonymous]
EAP result: 1, EAP MSCHAP-V2 Authentication failure
Thanks for the help.
Raúl Tejeda
** Details: **
Radius.cfg:
######################################################################################################
######################################################################################################
# Basic radius configuration #
# outer auth with just PEAP
<Handler NAS-IP-Address="<WLC-IP>">
<AuthBy FILE>
EAPType PEAP, MSCHAP-V2
Filename %D/users-eap
EAPTLS_CAFile %D/certificados/CAxxx.pem
EAPTLS_CAPath %D/certificados
EAPTLS_CertificateFile %D/certificados/serverxxx.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificados/serverxxx.key
EAPTLS_MaxFragmentSize 500
</AuthBy>
</Handler>
# inner auth with MS-CHAP-V2
<Handler NAS-IP-Address="<WLC-IP>",TunnelledByPEAP=1>
<AuthBy FILE>
RewriteUsername s/(.*)\\(.*)/$2/
EAPType MSCHAP-V2
Filename %D/users
EAPTLS_CAFile %D/certificados/CAxxx.pem
EAPTLS_CertificateFile %D/certificados/serverxxx.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificados/serverxxx.key
EAPTLS_MaxFragmentSize 500
</AuthBy>
</Handler>
User-Files:
######################################################################################################
######################################################################################################
users:
---------------------------------------
mikem user-password = xxxxx
users-eap:
---------------------------------------
anonymous
mikem user-password = xxxxx
COMPLETE LOG
######################################################################################################
######################################################################################################
Wed Feb 16 11:04:58 2011: NOTICE: SIGTERM received: stopping
Wed Feb 16 11:04:58 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Wed Feb 16 11:04:58 2011: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Wed Feb 16 11:04:58 2011: DEBUG: Creating authentication port <IP RAD>:1812
Wed Feb 16 11:04:58 2011: DEBUG: Creating accounting port <IP RAD>:1813
Wed Feb 16 11:04:58 2011: NOTICE: Server started: Radiator 4.7 on <serv radius>
Wed Feb 16 11:05:12 2011: DEBUG: Packet dump:
*** Received from <IP WLC> port 32768 ....
Code: Access-Request
Identifier: 203
Authentic: i<207><154><255><143><255>_<24><252>[<31>*2<2>i<30>
Attributes:
User-Name = "mikem"
Calling-Station-Id = "<MAC-PC>"
Called-Station-Id = "<MAC-WLC>:Prueba"
NAS-Port = 13
NAS-IP-Address = <IP WLC>
NAS-Identifier = "WLC-1"
Airespace-WLAN-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 509
EAP-Message = <2><2><0><10><1>mikem
Message-Authenticator = <12>n<27><237><234><217><3>E<20><184><6>@<129><17><140><135>
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Deleting session for mikem, <IP WLC>, 13
Wed Feb 16 11:05:12 2011: DEBUG: Handling with Radius::AuthFILE:
Wed Feb 16 11:05:12 2011: DEBUG: Handling with EAP: code 2, 2, 10, 1
Wed Feb 16 11:05:12 2011: DEBUG: Response type 1
Wed Feb 16 11:05:12 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Wed Feb 16 11:05:12 2011: DEBUG: Access challenged for mikem: EAP PEAP Challenge
Wed Feb 16 11:05:12 2011: DEBUG: Packet dump:
*** Sending to <IP WLC> port 32768 ....
Code: Access-Challenge
Identifier: 203
Authentic: :<156>A<30>"<246>%{<237>KQ8<208><228><178>_
Attributes:
EAP-Message = <1><3><0><6><25>!
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
##Some similar messages####################################################################
Wed Feb 16 11:05:12 2011: DEBUG: Packet dump:
*** Received from <IP WLC> port 32768 ....
Code: Access-Request
Identifier: 212
Authentic: <201><161><203>W<165>C<169><14><245><177>V<217><178><164><30><216>
Attributes:
User-Name = "mikem"
Calling-Station-Id = "<MAC-PC>"
Called-Station-Id = "<MAC-WLC>:Prueba"
NAS-Port = 13
NAS-IP-Address = <IP WLC>
NAS-Identifier = "WLC-1"
Airespace-WLAN-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 509
EAP-Message = <2><11><0>!<25><0><23><3><1><0><22><185><224>-$Z<208><127>BM<146>R<173><151>]<128><196><139>:q<225>a<179>
Message-Authenticator = <194><4><19>m<210><11><252>o<12>4k<220>D<142>Bz
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Deleting session for mikem, <IP WLC>, 13
Wed Feb 16 11:05:12 2011: DEBUG: Handling with Radius::AuthFILE:
Wed Feb 16 11:05:12 2011: DEBUG: Handling with EAP: code 2, 11, 33, 25
Wed Feb 16 11:05:12 2011: DEBUG: Response type 25
Wed Feb 16 11:05:12 2011: DEBUG: EAP PEAP inner authentication request for anonymous
Wed Feb 16 11:05:12 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: W<31><131>I<185>5<14><133><132>(B<131><26>D<25>X
Attributes:
EAP-Message = <2><11><0><6><1>mikem
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = <IP WLC>
NAS-Identifier = "WLC-1"
NAS-Port = 13
Calling-Station-Id = "<MAC-PC>"
User-Name = "anonymous"
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Deleting session for anonymous, <IP WLC>, 13
Wed Feb 16 11:05:12 2011: DEBUG: Handling with Radius::AuthFILE:
Wed Feb 16 11:05:12 2011: DEBUG: Handling with EAP: code 2, 11, 6, 1
Wed Feb 16 11:05:12 2011: DEBUG: Response type 1
Wed Feb 16 11:05:12 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Wed Feb 16 11:05:12 2011: DEBUG: Access challenged for anonymous: EAP PEAP Challenge
Wed Feb 16 11:05:12 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Challenge
Identifier: UNDEF
Authentic: W<31><131>I<185>5<14><133><132>(B<131><26>D<25>X
Attributes:
EAP-Message = <1><12><0><6><25>!
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Wed Feb 16 11:05:12 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
Wed Feb 16 11:05:12 2011: DEBUG: Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
Wed Feb 16 11:05:12 2011: DEBUG: Packet dump:
*** Sending to <IP WLC> port 32768 ....
Code: Access-Challenge
Identifier: 212
Authentic: <191><164>/<156><7>!>{=<134>:H<204><183><19>H
Attributes:
EAP-Message = <1><12><0><29><25><0><23><3><1><0><18><231><246><253>}Q<7>^+<208><141><141>N<135>D<225><160><187><213>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Wed Feb 16 11:05:12 2011: DEBUG: Packet dump:
*** Received from <IP WLC> port 32768 ....
Code: Access-Request
Identifier: 213
Authentic: <233><173>P]$<25><167><6><6><250>3<200><165><138>:u
Attributes:
User-Name = "mikem"
Calling-Station-Id = "<MAC-PC>"
Called-Station-Id = "<MAC-WLC>:Prueba"
NAS-Port = 13
NAS-IP-Address = <IP WLC>
NAS-Identifier = "WLC-1"
Airespace-WLAN-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 509
EAP-Message = <2><12><0><29><25><0><23><3><1><0><18><<248><228><171>*_j<215>0&tF:<169>[6<170><238>
Message-Authenticator = [a<239>q<192>v<222><145>,Y<230><173><172><250>?<181>
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Deleting session for mikem, <IP WLC>, 13
Wed Feb 16 11:05:12 2011: DEBUG: Handling with Radius::AuthFILE:
Wed Feb 16 11:05:12 2011: DEBUG: Handling with EAP: code 2, 12, 29, 25
Wed Feb 16 11:05:12 2011: DEBUG: Response type 25
Wed Feb 16 11:05:12 2011: DEBUG: EAP PEAP inner authentication request for anonymous
Wed Feb 16 11:05:12 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <134><206><195><16><234><142><185>m<138><152><139>E<21><234>1<
Attributes:
EAP-Message = <2><12><0><2><3><26>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = <IP WLC>
NAS-Identifier = "WLC-1"
NAS-Port = 13
Calling-Station-Id = "<MAC-PC>"
User-Name = "anonymous"
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Deleting session for anonymous, <IP WLC>, 13
Wed Feb 16 11:05:12 2011: DEBUG: Handling with Radius::AuthFILE:
Wed Feb 16 11:05:12 2011: DEBUG: Handling with EAP: code 2, 12, 2, 3
Wed Feb 16 11:05:12 2011: DEBUG: Response type 3
Wed Feb 16 11:05:12 2011: DEBUG: EAP Nak desires type 26
Wed Feb 16 11:05:12 2011: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP MSCHAP-V2 Challenge
Wed Feb 16 11:05:12 2011: DEBUG: Access challenged for anonymous: EAP MSCHAP-V2 Challenge
Wed Feb 16 11:05:12 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Challenge
Identifier: UNDEF
Authentic: <134><206><195><16><234><142><185>m<138><152><139>E<21><234>1<
Attributes:
EAP-Message = <1><13><0>'<26><1><13><0>"<16>w<254><199><198><216><139>^f<201>^<134><222><217><204><227>w<serv radius>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Wed Feb 16 11:05:12 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
Wed Feb 16 11:05:12 2011: DEBUG: Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
Wed Feb 16 11:05:12 2011: DEBUG: Packet dump:
*** Sending to <IP WLC> port 32768 ....
Code: Access-Challenge
Identifier: 213
Authentic: [<146><163><18>Y<205><217>!;[<244><149><146>'d<147>
Attributes:
EAP-Message = <1><13><0>><25><0><23><3><1><0>3<146>N0:#\f<216><162><12>p<181>]<249>`<159><170>|%j<247><20>y<22>10<246>o<209><170><21><194><147>{<207><194><185><152>e<5><149><235><241>v<10><173>_<30>Btk
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Wed Feb 16 11:05:12 2011: DEBUG: Packet dump:
*** Received from <IP WLC> port 32768 ....
Code: Access-Request
Identifier: 214
Authentic: <243>'<235><188><26><13><226><180>9X7?<167>r[<192>
Attributes:
User-Name = "mikem"
Calling-Station-Id = "<MAC-PC>"
Called-Station-Id = "<MAC-WLC>:Prueba"
NAS-Port = 13
NAS-IP-Address = <IP WLC>
NAS-Identifier = "WLC-1"
Airespace-WLAN-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 509
EAP-Message = <2><13><0>W<25><0><23><3><1><0>L/4>0o<214>_<204>\<247><26>v<193>a<189>wT<214>t<177>YX<206><219><196><141>E<19><216><190>7g<215><161>#<176><11><0><162>;<127><183>@<253><255>[r<14><12>><134>k-<171>Z<1>M<146><179>{<165><135><217>|<157>D<218><166><216><189><27><173>'<169>!<156>
Message-Authenticator = <213><253>$<9>x<214>0<222><178><14>S<183><215>3<213><27>
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Deleting session for mikem, <IP WLC>, 13
Wed Feb 16 11:05:12 2011: DEBUG: Handling with Radius::AuthFILE:
Wed Feb 16 11:05:12 2011: DEBUG: Handling with EAP: code 2, 13, 87, 25
Wed Feb 16 11:05:12 2011: DEBUG: Response type 25
Wed Feb 16 11:05:12 2011: DEBUG: EAP PEAP inner authentication request for anonymous
Wed Feb 16 11:05:12 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <147><157><28><11><16><21><16><216><133>P<153><224>'Q<142><15>
Attributes:
EAP-Message = <2><13><0><<26><2><13><0>;1<196><192><1><248><8><179><247>|<24>Pd<204><26><149><177><156><0><0><0><0><0><0><0><0>iS_<168><157>v<220>?tav<2><169><196><255>j<149><178><162><14><187>^<155>c<0>mikem
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = <IP WLC>
NAS-Identifier = "WLC-1"
NAS-Port = 13
Calling-Station-Id = "<MAC-PC>"
User-Name = "anonymous"
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Deleting session for anonymous, <IP WLC>, 13
Wed Feb 16 11:05:12 2011: DEBUG: Handling with Radius::AuthFILE:
Wed Feb 16 11:05:12 2011: DEBUG: Handling with EAP: code 2, 13, 60, 26
Wed Feb 16 11:05:12 2011: DEBUG: Response type 26
Wed Feb 16 11:05:12 2011: DEBUG: Reading users file /etc/radiator/users-eap
Wed Feb 16 11:05:12 2011: DEBUG: Radius::AuthFILE looks for match with mikem [anonymous]
Wed Feb 16 11:05:12 2011: DEBUG: Radius::AuthFILE ACCEPT: : mikem [anonymous]
Wed Feb 16 11:05:12 2011: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP-V2 Authentication failure
Wed Feb 16 11:05:12 2011: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Wed Feb 16 11:05:12 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
Identifier: UNDEF
Authentic: <147><157><28><11><16><21><16><216><133>P<153><224>'Q<142><15>
Attributes:
EAP-Message = <4><13><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
######################################################################################################
######################################################################################################
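Added example (not part of the original message and not Radiator's own code). In the log above every tunnelled request is dispatched to the Handler 'NAS-IP-Address="<IP WLC>"' rather than to the TunnelledByPEAP=1 one, so the inner lookup reads users-eap; Radiator tries Handlers in configuration order and uses the first whose check items match, which is the thing to confirm when reading a trace like this. The Python script below pulls that dispatch information out of Radiator DEBUG output: for each tunnelled request it records the Handler chosen, the users file read, the identity looked up and the AuthBy result, and flags inner requests served by a Handler that has no TunnelledByPEAP check. The sample log is a constructed excerpt modelled on the one above; its third inner request, with the TunnelledByPEAP=1 Handler and an "Authentication success" result line, is hypothetical.

```python
"""Trace how Radiator dispatched each PEAP inner (tunnelled) request.

Added example, not Radiator code: pairs every "PEAP Tunnelled request Packet
dump" with the Handler, users file and AuthBy result that follow it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes copied from the Radiator 4.7 DEBUG output in the message above.
TUNNEL_START = re.compile(r"DEBUG: PEAP Tunnelled request Packet dump:")
TUNNEL_END = re.compile(r"DEBUG: Returned PEAP tunnelled packet dump:")
HANDLER_LINE = re.compile(r"DEBUG: Handling request with Handler '(?P<spec>[^']*)'")
USER_LINE = re.compile(r'User-Name = "(?P<user>[^"]*)"')
USERS_FILE = re.compile(r"DEBUG: Reading users file (?P<path>\S+)")
LOOKUP_LINE = re.compile(r"Radius::AuthFILE looks for match with (?P<name>\S+)")
RESULT_LINE = re.compile(r"DEBUG: AuthBy \w+ result: (?P<result>\w+), (?P<reason>.*)")


@dataclass
class InnerRequest:
    """What happened to one tunnelled PEAP request."""
    outer_user: Optional[str] = None   # User-Name carried in the tunnelled packet
    handler: Optional[str] = None      # Handler spec Radiator picked for it
    users_file: Optional[str] = None   # users file AuthBy FILE read
    lookup_user: Optional[str] = None  # identity AuthBy FILE searched for
    result: Optional[str] = None       # CHALLENGE / ACCEPT / REJECT
    reason: Optional[str] = None

    @property
    def tunnel_aware(self) -> bool:
        """True when the chosen Handler selects on TunnelledByPEAP."""
        return self.handler is not None and "TunnelledByPEAP" in self.handler


def trace_inner_requests(lines) -> List[InnerRequest]:
    """Walk the log once, collecting one record per tunnelled request."""
    records: List[InnerRequest] = []
    current: Optional[InnerRequest] = None
    for line in lines:
        if TUNNEL_START.search(line):
            current = InnerRequest()
        elif current is None:
            continue  # lines belonging to the outer request are skipped
        elif m := USER_LINE.search(line):
            current.outer_user = m["user"]
        elif (m := HANDLER_LINE.search(line)) and current.handler is None:
            current.handler = m["spec"]  # keep the first Handler chosen
        elif m := USERS_FILE.search(line):
            current.users_file = m["path"]
        elif m := LOOKUP_LINE.search(line):
            current.lookup_user = m["name"]
        elif m := RESULT_LINE.search(line):
            current.result, current.reason = m["result"], m["reason"]
        elif TUNNEL_END.search(line):
            records.append(current)
            current = None
    return records


def diagnose(records: List[InnerRequest]) -> List[str]:
    """One finding per problem seen in the inner requests."""
    findings = []
    for n, r in enumerate(records, 1):
        if r.handler is None:
            findings.append(f"inner #{n}: no Handler line followed the tunnelled packet dump")
        elif not r.tunnel_aware:
            findings.append(f"inner #{n}: served by Handler '{r.handler}', "
                            "which does not select on TunnelledByPEAP")
        if r.result == "REJECT":
            findings.append(f"inner #{n}: REJECT for {r.lookup_user or r.outer_user} "
                            f"via {r.users_file}: {r.reason}")
    return findings


# Constructed excerpt modelled on the log in the message: its first and last inner
# requests, then a hypothetical third one routed to the TunnelledByPEAP=1 Handler.
SAMPLE_LOG = """\
Wed Feb 16 11:05:12 2011: DEBUG: PEAP Tunnelled request Packet dump:
        User-Name = "anonymous"
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Wed Feb 16 11:05:12 2011: DEBUG: Returned PEAP tunnelled packet dump:
Wed Feb 16 11:05:12 2011: DEBUG: PEAP Tunnelled request Packet dump:
        User-Name = "anonymous"
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>"', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Reading users file /etc/radiator/users-eap
Wed Feb 16 11:05:12 2011: DEBUG: Radius::AuthFILE looks for match with mikem [anonymous]
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP-V2 Authentication failure
Wed Feb 16 11:05:12 2011: DEBUG: Returned PEAP tunnelled packet dump:
Wed Feb 16 11:05:12 2011: DEBUG: PEAP Tunnelled request Packet dump:
        User-Name = "anonymous"
Wed Feb 16 11:05:12 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<IP WLC>",TunnelledByPEAP=1', Identifier ''
Wed Feb 16 11:05:12 2011: DEBUG: Reading users file /etc/radiator/users
Wed Feb 16 11:05:12 2011: DEBUG: AuthBy FILE result: ACCEPT, EAP MSCHAP-V2 Authentication success
Wed Feb 16 11:05:12 2011: DEBUG: Returned PEAP tunnelled packet dump:
"""

if __name__ == "__main__":
    for finding in diagnose(trace_inner_requests(SAMPLE_LOG.splitlines())):
        print(finding)
```

To use it on a real trace, feed the full DEBUG log (all of it, since the script ignores everything outside the tunnelled-request sections) in place of SAMPLE_LOG. The tunnelled packet carries NAS-IP-Address = <IP WLC> just like the outer one, so a Handler that checks only that attribute matches the inner request as well; the output makes visible which Handler won and which users file it consulted.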