EAP

Jouni Malinen jkmaline at cc.hut.fi
Sun Jul 25 10:37:03 EDT 2004


On Sun, Jul 25, 2004 at 12:08:28PM +0200, Karl Rothenhöfer wrote:

> I collected some information from hostapd and radiusd, which I attach to
> this mail. I must admit that I don't understand very much of it and I
> wonder, whether it helps to diagnose, what is going on and define how to
> improve.

> #wep_key_len_broadcast=5
> #wep_key_len_unicast=5

Are these commented out on purpose? Or were you just using EAP-MD5
without WEP?

> Xeron:/etc/init.d # ./hostapd ../hostapd.conf.radius
> Configuration file: ../hostapd.conf.radius

This is not running the configuration file you sent (it had
daemonize=1)..

> wlan1: STA 00:0a:e9:05:48:05 IEEE 802.11: associated (aid 1)
> wlan1: STA 00:0a:e9:05:48:05 IEEE 802.1X: received EAPOL-Start from STA
> IEEE 802.1X: Sending EAP Request-Identity to 00:0a:e9:05:48:05 (identifier 0)
> Received 46 bytes management frame
> RX frame - hexdump(len=46): 08 02 00 00 00 0a e9 05 48 05 00 02 dd 34 b6 7d 00 02 dd 34 b6 7d 00 00 aa aa 03 00 00 00 88 8e 01 00 00 0a 01 00 00 0a 01 68 65 6c 6c 6f
> DATA
> Not ToDS data frame (fc=0x0208)

Hmm.. That's odd.. It looks like hostapd received a copy of its own
message somehow..

> IEEE 802.1X: 00:0a:e9:05:48:05 TX status - version=1 type=0 length=10 - ack=1

Client acknowledged the EAP-Request-Identity packet..

> IEEE 802.1X: 00:0a:e9:05:48:05 Port Timers TICK (timers: 0 0 3599 29)
...
> IEEE 802.1X: 00:0a:e9:05:48:05 Port Timers TICK (timers: 0 0 3599 15)

.. but took more than 14 seconds to reply..

> Received 45 bytes management frame
> RX frame - hexdump(len=45): 08 01 02 01 00 02 dd 34 b6 7d 00 0a e9 05 48 05 00 02 dd 34 b6 7d a0 69 aa aa 03 00 00 00 88 8e 01 00 00 09 02 00 00 09 01 6b 61 72 6c
> DATA
> IEEE 802.1X: 13 bytes from 00:0a:e9:05:48:05
>    IEEE 802.1X: version=1 type=0 length=9
>    EAP: code=2 identifier=0 length=9 (response)
> wlan1: STA 00:0a:e9:05:48:05 IEEE 802.1X: received EAP packet (code=2 id=0 len=9) from STA: EAP Response-Identity (1)
> wlan1: STA 00:0a:e9:05:48:05 IEEE 802.1X: STA identity 'karl'

OK, valid response.

> Sending RADIUS message to authentication server

> Received 31 bytes from RADIUS server
> Received RADIUS message
> RADIUS message: code=3 (Access-Reject) identifier=0 length=31

But your RADIUS server is configured to reject users with identity
'karl'.


> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=139, length=148
>         User-Name = "karl"
>         EAP-Message = 0x02000009016b61726c
>   modcall[authorize]: module "eap" returns updated for request 0
>     users: Matched karl at 1
>   rad_check_password:  Found Auth-Type Local
> auth: type Local
> auth: No User-Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.

Looks like your FreeRADIUS user configuration is incorrect. Auth-Type
must be EAP (not Local) and you will need to set User-Password if you
are using EAP-MD5. For example:

test             Auth-Type := EAP, User-Password == "test"

-- 
Jouni Malinen                                            PGP id EFC895FA
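
An added example, not part of the original message and not hostapd code: the two hexdumps quoted above can be decoded to check the reading given in the reply (frame 1 is a FromDS EAP Request-Identity addressed to the station, frame 2 is the station's Response-Identity). It assumes a 24-byte, three-address, non-QoS, unencrypted 802.11 data header; `decode` is a hypothetical helper name.

```python
import struct

# Hexdumps copied from the hostapd debug output quoted in the message above.
FRAME_1 = ("08 02 00 00 00 0a e9 05 48 05 00 02 dd 34 b6 7d 00 02 dd 34 b6 7d 00 00 "
           "aa aa 03 00 00 00 88 8e 01 00 00 0a 01 00 00 0a 01 68 65 6c 6c 6f")
FRAME_2 = ("08 01 02 01 00 02 dd 34 b6 7d 00 0a e9 05 48 05 00 02 dd 34 b6 7d a0 69 "
           "aa aa 03 00 00 00 88 8e 01 00 00 09 02 00 00 09 01 6b 61 72 6c")

LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP + EtherType 0x888e
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def decode(hexdump):
    """Decode one 802.11 data frame carrying EAPOL (hypothetical helper)."""
    raw = bytes.fromhex(hexdump)
    if len(raw) < 36:
        raise ValueError("too short for 802.11 + LLC/SNAP + EAPOL headers")
    (fc,) = struct.unpack_from("<H", raw, 0)   # frame control is little-endian
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    if raw[24:32] != LLC_SNAP_EAPOL:           # assumes 24-byte 3-address header
        raise ValueError("payload is not EAPOL")
    version, ptype, length = struct.unpack_from("!BBH", raw, 32)
    body = raw[36:36 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    out = {"fc": fc, "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
           "addr1": raw[4:10].hex(":"), "addr2": raw[10:16].hex(":"),
           "eapol_version": version, "eapol_type": ptype, "eap": body}
    if ptype == 0 and length >= 4:             # EAPOL type 0 = EAP-Packet
        code, ident, eap_len = struct.unpack_from("!BBH", body, 0)
        out.update(code=EAP_CODES.get(code, str(code)), identifier=ident)
        if code in (1, 2) and 5 <= eap_len <= length:
            out["eap_type"] = body[4]          # 1 = Identity
            out["data"] = body[5:eap_len]
    return out


if __name__ == "__main__":
    for name, dump in (("frame 1", FRAME_1), ("frame 2", FRAME_2)):
        f = decode(dump)
        direction = "FromDS (AP -> STA)" if f["from_ds"] else "ToDS (STA -> AP)"
        print(f"{name}: fc=0x{f['fc']:04x} {direction} addr1={f['addr1']} "
              f"EAP {f['code']} id={f['identifier']} type={f.get('eap_type')} "
              f"data={f.get('data')!r}")
```

The EAP bytes recovered from frame 2 are the same `0x02000009016b61726c` that FreeRADIUS logs as EAP-Message in the Access-Request.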


