Hello!
I'd like to put together RADIUS for Wi-Fi authentication with EAP-TTLS/EAP-PEAP, LDAP, encrypted passwords and the like.
I got stuck at the EAP part (with plain radtest it works fine); if I try to test with radeapclient, what happens is that the server finds the user, sends back an Access-Challenge message and finishes, while the client would still like to talk to it:
...
rad_recv: Access-Request packet from host 127.0.0.1 port 52650, id=76, length=69
User-Name = "steve"
NAS-IP-Address = 127.0.0.1
Message-Authenticator = 0xafa8ae1b1aaa6fb0a6cbd0719b507e94
NAS-Port = 0
EAP-Message = 0x02d2000a017374657665
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "steve", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 210 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry steve at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 76 to 127.0.0.1 port 52650
Service-Type = Framed-User
Framed-Protocol = SLIP
Framed-IP-Address = 192.20.126.200
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x01d300160410b7703d97cfb88bff2835ec9a9aedde83
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xae48086bae9b0cd33d7dacc7cd15f18d
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 76 with timestamp +94
Ready to process requests.
Client from localhost:
# radeapclient -s -X localhost auth testing123
+++> About to send encoded packet:
User-Name = "steve"
Cleartext-Password = "testing"
NAS-IP-Address = 127.0.0.1
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "steve"
Message-Authenticator = 0x30
NAS-Port = 0
Received response ID 76, code 11, length = 131
Service-Type = Framed-User
Framed-Protocol = SLIP
Framed-IP-Address = 192.20.126.200
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x01d300160410b7703d97cfb88bff2835ec9a9aedde83
Message-Authenticator = 0xe65c832fea00201e76a340cc0e38cf37
State = 0xae48086bae9b0cd33d7dacc7cd15f18d
<+++ EAP decoded packet:
Service-Type = Framed-User
Framed-Protocol = SLIP
Framed-IP-Address = 192.20.126.200
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x01d300160410b7703d97cfb88bff2835ec9a9aedde83
Message-Authenticator = 0xe65c832fea00201e76a340cc0e38cf37
State = 0xae48086bae9b0cd33d7dacc7cd15f18d
EAP-Id = 211
EAP-Code = Request
EAP-Type-MD5 = 0x10b7703d97cfb88bff2835ec9a9aedde83
+++> About to send encoded packet:
User-Name = "steve"
Cleartext-Password = "testing"
NAS-IP-Address = 127.0.0.1
EAP-Code = Response
EAP-Id = 211
Message-Authenticator = 0x00000000000000000000000000000000
NAS-Port = 0
EAP-Type-MD5 = 0x106e2008d8fc099a16335131c045fc6df6
State = 0xae48086bae9b0cd33d7dacc7cd15f18d
^C
# cat re.txt
User-Name = "steve"
Cleartext-Password = "testing"
NAS-IP-Address = 127.0.0.1
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "steve"
Message-Authenticator = 0
NAS-Port = 0
The FreeRADIUS server is a Debian package built from the 2.1.4 source with a plain dpkg-buildpackage (I haven't fiddled with the configs; as far as I could see, what was needed was there by default, e.g. TLS).
What did I get wrong, or what is missing?
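As an added illustration (not part of the original post), here is a small Python decoder for the EAP-Message values in the debug output above. It shows that the server answers the client's EAP-Response/Identity (id 210) with an EAP-Request/MD5-Challenge (id 211), i.e. the server's default EAP type is MD5, and it is that challenge that radeapclient has to answer before anything TLS-related comes into play. The hex strings are copied from the post; the response calculation follows RFC 3748 section 5.4 (MD5 over the identifier, the password and the challenge, as inherited from CHAP), and the password "testing" is the one the post's radeapclient input uses.

```python
import hashlib
import struct

# EAP codes and method types that appear in this thread (RFC 3748, RFC 5281).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

# EAP-Message values copied from the radiusd -X / radeapclient output above.
IDENTITY_RESPONSE = "0x02d2000a017374657665"
MD5_CHALLENGE = "0x01d300160410b7703d97cfb88bff2835ec9a9aedde83"


def decode_eap(hexstr):
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"Length field {length} does not match {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # Success/Failure carry no Type field
        eap_type = raw[4]
        data = raw[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            pkt["identity"] = data.decode("ascii", "replace")
        elif eap_type == 4:
            # MD5-Challenge Type-Data: Value-Size(1) Value(Value-Size) Name(rest)
            size = data[0]
            pkt["challenge"] = data[1:1 + size].hex()
            pkt["name"] = data[1 + size:].decode("ascii", "replace")
    return pkt


def md5_challenge_value(ident, password, challenge_hex):
    """EAP-MD5 response value: MD5(Identifier || secret || Challenge), as RFC 3748
    section 5.4 inherits from CHAP (RFC 1994). Identifier is the id of the Request
    being answered (211 in the post)."""
    h = hashlib.md5(bytes([ident]) + password.encode() + bytes.fromhex(challenge_hex))
    return h.digest()


def build_md5_response(ident, password, challenge_hex, name=b""):
    """Build the full EAP-Response/MD5-Challenge packet as hex (no 0x prefix)."""
    value = md5_challenge_value(ident, password, challenge_hex)
    type_data = bytes([4, len(value)]) + value + name
    header = struct.pack("!BBH", 2, ident, 4 + len(type_data))
    return (header + type_data).hex()


if __name__ == "__main__":
    print("client -> server", decode_eap(IDENTITY_RESPONSE))
    print("server -> client", decode_eap(MD5_CHALLENGE))
    # The reply the client has to produce for Request id 211 with password "testing".
    challenge = decode_eap(MD5_CHALLENGE)["challenge"]
    print("client -> server", build_md5_response(211, "testing", challenge))
```

The decoded Request shows a 16-byte challenge and an empty Name field; the client's EAP-Type-MD5 attribute in the post is exactly the Value-Size byte (0x10) followed by the 16-byte hash, which is what build_md5_response packs into Type-Data.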
Comments
I found this ( http://deployingradius.com/documents/configuration/eap-problems.html ), but as far as I know it applies to TLS-based EAP, and with MD5 that doesn't come into play yet, or am I wrong?
Problem: A lot of text scrolls by, the server sends an Access-Challenge, and then prints out a message saying Cleaning up request .... After that, nothing more happens.
Diagnosis: The client does not like the server certificate.
Solution: On a testing system, un-check Validate Server Certificate as noted in the EAP page.
Solution: On a production system, ensure that the client has been configured with the certificates from the proper Certificate Authority and Server certificate, as noted in the EAP page.
Solution: On a production system, ensure that the client's Server certificate has the proper Windows OIDs.
--
Don't Panic if you see me laughing,
that's not a bug, just a feature.
One step further toward the solution (I'm writing it down in case it's useful to someone else later): on the page mentioned above I found a pretty good description for EAP testing ( http://deployingradius.com/scripts/eapol_test/ ); as it turned out, radeapclient isn't really usable for this, so I ended up using eapol_test.
So right now I'm at the point where non-EAP auth inside EAP-TTLS works, i.e. if I run an EAP-TTLS PAP/CHAP/MSCHAP test I get a Success response back:
RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): c8 97 0d c2 22 14 02 c5 81 d9 92 4e a3 62 dc f6 72 61 26 be a2 bc 95 6a d5 0d 1c c9 46 f2 16 b9
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): 10 14 d1 2a 6c 6b 42 cc ba 97 f6 6a 96 6c c5 24 5b 9e f4 cb 56 62 70 e7 09 b5 af a9 5c b2 86 f4
decapsulated EAP packet (code=3 id=6 len=4) from RADIUS server: EAP Success
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): 10 14 d1 2a 6c 6b 42 cc ba 97 f6 6a 96 6c c5 24 5b 9e f4 cb 56 62 70 e7 09 b5 af a9 5c b2 86 f4
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS
But if I want to test EAP-TTLS with EAP-MD5/EAP-MSCHAPv2, or EAP-PEAP with EAP-MSCHAPv2, it falls over:
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=6 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAPOL: EAP key not available
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0 mismatch: 1
FAILURE
Does anyone have an idea where the problem could be or what I should check?
--
Don't Panic if you see me laughing,
that's not a bug, just a feature.
I managed to solve this too; as it turned out, these connections need the inner tunnel, which in turn needs the local proxy, which I had disabled earlier because nobody emphasized it, only that you need it if you want to connect to another RADIUS...
--
Don't Panic if you see me laughing,
that's not a bug, just a feature.
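To tie the thread together, here is an added Python helper (my own example, not the poster's and not code from FreeRADIUS or wpa_supplicant) that generates the eapol_test network block for the two cases the thread distinguishes: a non-EAP inner method inside TTLS (phase2="auth=PAP", the case that already worked), versus a tunnelled EAP inner method (phase2="autheap=MSCHAPV2" for TTLS, phase2="auth=MSCHAPV2" for PEAP, since PEAP always carries EAP inside), which is the case that only succeeded once the inner-tunnel virtual server was reachable. It also runs eapol_test if it is installed and reduces its output to the "MPPE keys OK: n mismatch: m" summary and the final SUCCESS/FAILURE line quoted above. The server address 127.0.0.1, the shared secret testing123 and the CA certificate path are assumptions; the sample output strings are constructed from the lines in the posts.

```python
import os
import re
import shutil
import subprocess
import tempfile


def eapol_test_config(outer, inner, identity, password, ca_cert=None, anon="anonymous"):
    """Return a wpa_supplicant-style network block for eapol_test.

    outer: "TTLS" or "PEAP".
    inner: "PAP", "CHAP", "MSCHAP", "MSCHAPV2" (plain inner auth, TTLS only) or
           "EAP-MD5", "EAP-MSCHAPV2" (tunnelled EAP, handled by the server's inner tunnel).
    """
    outer = outer.upper()
    inner = inner.upper()
    if outer not in ("TTLS", "PEAP"):
        raise ValueError("outer must be TTLS or PEAP")
    if inner.startswith("EAP-"):
        method = inner[len("EAP-"):]
        # TTLS distinguishes tunnelled EAP ("autheap=") from plain inner auth ("auth=");
        # PEAP always carries EAP inside, so wpa_supplicant spells it "auth=" there.
        phase2 = ("autheap=" if outer == "TTLS" else "auth=") + method
    elif outer == "TTLS":
        phase2 = "auth=" + inner
    else:
        raise ValueError("PEAP only carries EAP inner methods (EAP-MSCHAPV2, EAP-MD5, ...)")
    lines = [
        "network={",
        f"  eap={outer}",
        "  eapol_flags=0",
        "  key_mgmt=IEEE8021X",
        f'  identity="{identity}"',
        f'  anonymous_identity="{anon}"',
        f'  password="{password}"',
        f'  phase2="{phase2}"',
    ]
    if ca_cert:  # without ca_cert the supplicant does not validate the server certificate
        lines.append(f'  ca_cert="{ca_cert}"')
    lines.append("}")
    return "\n".join(lines) + "\n"


MPPE_RE = re.compile(r"MPPE keys OK: (\d+) mismatch: (\d+)")


def classify_output(output):
    """Reduce eapol_test output to (verdict, mppe_ok, mppe_mismatch).

    verdict is the last SUCCESS/FAILURE line (None if absent); the MPPE counts
    come from the 'MPPE keys OK: n mismatch: m' summary (0/0 if absent).
    """
    verdict = None
    for line in reversed(output.splitlines()):
        if line.strip() in ("SUCCESS", "FAILURE"):
            verdict = line.strip()
            break
    m = MPPE_RE.search(output)
    ok, mismatch = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    return verdict, ok, mismatch


def run_eapol_test(config_text, server="127.0.0.1", secret="testing123", timeout=30):
    """Run eapol_test with the given config; returns (verdict, ok, mismatch, raw output).

    verdict is None when eapol_test is not installed, so callers can skip cleanly.
    Assumed invocation: eapol_test -c <conf> -a <server> -s <secret>.
    """
    exe = shutil.which("eapol_test")
    if exe is None:
        return None, 0, 0, "eapol_test not found in PATH"
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(config_text)
        proc = subprocess.run([exe, "-c", path, "-a", server, "-s", secret],
                              capture_output=True, text=True, timeout=timeout)
    finally:
        os.unlink(path)
    out = proc.stdout + proc.stderr
    return (*classify_output(out), out)


# Constructed samples: the tail of the two eapol_test runs quoted in the thread.
SAMPLE_SUCCESS = "EAP: Received EAP-Success\nMPPE keys OK: 1 mismatch: 0\nSUCCESS\n"
SAMPLE_FAILURE = "EAP: Received EAP-Failure\nMPPE keys OK: 0 mismatch: 1\nFAILURE\n"


if __name__ == "__main__":
    ca = "/etc/freeradius/certs/ca.pem"  # assumed path
    for outer, inner in (("TTLS", "PAP"), ("TTLS", "EAP-MSCHAPV2"), ("PEAP", "EAP-MSCHAPV2")):
        cfg = eapol_test_config(outer, inner, "steve", "testing", ca)
        print(cfg)
        print(run_eapol_test(cfg)[:3])
```

Running the three configurations in order reproduces the thread's progression: TTLS/PAP succeeds without an inner-tunnel server, while the two tunnelled-EAP cases only report "MPPE keys OK: 1 mismatch: 0" and SUCCESS once the server can dispatch the inner EAP conversation.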