not logged in | [Login]
Always use radiusd -X when debugging!
EAP/MD5 and other types of EAP authentication are part of "Port based network access control", as defined in the IEEE 802.1X standard. All you have to know at this time are the three main actors:
Your server works, according to the Basic configuration HOWTO.
Assumptions:
Alter the existent user or add another one which will be used for test purposes. The simplest possible configuration is given in the example. More complicated configurations are out of the scope of this document.
Example:
bob Cleartext-Password := "Hello"
Note the ":=" operator. "=" instead will not work.
The interesting part here are authorize AND authenticate sections. (At the very bottom of the file.) Ignore all the following as those will deal with the accounting.
authorize {
preprocess
files
eap
}
authenticate {
eap
}
Finally, the EAP module itself has to be configured at least this way:
eap {
md5 {
}
}
Note: EAP/MD5 will "just work" with default configuration.
Thats it for FreeRADIUS
First of all: please read the documentation of your client. There are a plenty of different clients on the market, we cant provide any help for them. Basically, you have to activate "Network port based 802.1X authentication", sometimes called similar. Please see the Technical Documentation of your AP. Then, of course, you have to find the "Authentication Server" configuration part and supply the data about the used RADIUS server,
i.e. its IP-address, UDP-port and the pre-shared secret (the same one you configured for your access point client in the FreeRADIUS configuration files). Sometimes you can supply a bunch of those servers and sometimes you can use them for other purposes, too, like e.g. MAC-based access control. You only have to activate the EAP-Authentication.
Please note: you can perfectly use EAP-authentication without using WEP or providing whichever keys in the AP. Do it so for the test purposes. Once youve got it running, you can setup your WEP keys, whatever. That will allow you to analyze traffic if something goes wrong.For Cisco AP350 it would look like following: http://www.cisco.com/univercd/illus/6/55/65555.gif
Deactivate older authentication types (Open, Shared, CHAP, PAP, whatever) to prevent misunderstanding during the test.
Note: since WindowsXP SP1 you can't use EAP-MD5 for wireless devices!!! EAP-MD5 is only available for wired devices.
Go to the Network Connections window. Right-click the connection corresponding to the adapter which is going to use EAP authentication. Go to the "Authentication" tab. If it doesnt appear (yes, its weird sometimes) try to unplug and plug your adapter till it does (if PCMCIA...) Otherwise, download the software for the adapter configuration like e.g. ACU for the Cisco adapters and try to de- and reactivate the card.
In the Authentication dialog, assure the box "Use IEEE802.1X network authentication" is checked. Set your EAP type there (EAP/MD5 Challenge).
Thats all. Now deactivate and reactivate your LAN-connection on this adapter and it should work.
Problem 1:
Your AP keeps on saying "Unknown EAP authentication procedure request" or similiar all the time.
Workaround:
Try to assure that all the parameters described above (at client and user sides) have really been set. Then, try to check the following points:
You get an Access Reject even if the identification information is correct. In the server log you can see a weird Notification message.
Workaround:
In your user config (users file of the server configuration)
remove the "Reply-Message" attribute for the concerned user. This is currently a bug.
Some APs (e.g. Cisco) send out a Notification downstream to the user on receiving
a "Reply-Message" attribute in the "Radius Response". The Windows XP supplicant answers
with an "EAP Notification" type message instead of "EAP MD5 Challenge" message which should
be issued. FreeRadius server currently rejects every incoming EAP notification.
Here is an example log of a successful user login
The basic exchange would be like following:
Access Challenge (11) EAP Request (1) MD5-Challenge (4 <---------------- Access Request (1) EAP Response (2) MD-Challenge (4) ----------------> Access Accept (2) EAP Success (3) <----------------
And the corresponding radiusd output:
rad_recv: Access-Request packet from host 10.10.10.1:1150, id=42, length=121
User-Name = "artur"
NAS-IP-Address = 10.10.10.1
Called-Station-Id = "00409635bed6"
Calling-Station-Id = "004096426f05"
NAS-Identifier = "ap1"
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\000\000\n\001artur"
Message-Authenticator = 0xe16c8f1a3d9326a9025fb043c7f2ecec
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
Login OK: [artur/<no User-Password attribute>] (from client ap-1 port 38 cli 004096426f05)
Sending Access-Challenge of id 42 to 10.10.10.1:1150
EAP-Message = "\001*\000\026\004\020\277\301\034\265\377\002\353\210{pfV\216B\031J"
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0bb432f976422930f905808b087e88ba9610fe3ccb283c169291fb00b15a87fa66c5a418
rad_recv: Access-Request packet from host 10.10.10.1:1151, id=43, length=176
User-Name = "artur"
NAS-IP-Address = 10.10.10.1
Called-Station-Id = "00409635bed6"
Calling-Station-Id = "004096426f05"
NAS-Identifier = "ap1"
NAS-Port = 38
Framed-MTU = 1400
State = 0x0bb432f976422930f905808b087e88ba9610fe3ccb283c169291fb00b15a87fa66c5a418
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002*\000\033\004\020]\242\222\220kzZ\006\213\376!w\363M\255\311artur"
Message-Authenticator = 0xa8d07be03fa8f7e6a15f593753094db4
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - md5
rlm_eap: processing type md5
Login OK: [artur/<no User-Password attribute>] (from client ap-1 port 38 cli 004096426f05)
Sending Access-Accept of id 43 to 10.10.10.1:1151
EAP-Message = "\003+\000\004"
Message-Authenticator = 0x00000000000000000000000000000000
Last edited by Alan T. DeKok, 2011-07-14 11:32:59
Sponsored by Network RADIUS 