hostapd for authentication of win wifi clients

Bob Beers bbeers at ieee.org
Tue Jul 27 14:45:47 EDT 2004



Gunter Burchardt wrote:
> Hello Bob,

Thanks for the reply Gunter,
> 
> The radius server sends an access reject. The hostapd-conf seems to be
> ok. Look through the radiusd log and find out why it rejects the user.


the radiusd output was this:
=======================
rad_recv: Access-Request packet from host 172.16.87.23:1035, id=1, length=147
         User-Name = "bob"
         NAS-IP-Address = 172.16.87.23
         NAS-Port = 1
         Called-Station-Id = "00-09-5B-41-10-B4:dugtrio"
         Calling-Station-Id = "00-06-25-A9-99-27"
         Framed-MTU = 1400
         NAS-Port-Type = Wireless-802.11
         Connect-Info = "CONNECT 11Mbps 802.11b"
         EAP-Message = 0x0200000801626f62
         Message-Authenticator = 0xf73763202777a44e03088760ef182feb
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
   modcall[authorize]: module "preprocess" returns ok for request 1
   modcall[authorize]: module "chap" returns noop for request 1
   modcall[authorize]: module "mschap" returns noop for request 1
     rlm_realm: No '@' in User-Name = "bob", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 1
   rlm_eap: EAP packet type response id 0 length 8
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 1
     users: Matched bob at 90
radius_xlat:  'Hello, bob'
   modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
   rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
( this looks like the answer to why it rejects the user )

auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 172.16.87.23:1035, id=1, length=147
Sending Access-Reject of id 1 to 172.16.87.23:1035
         Reply-Message = "Hello, bob"
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 1 with timestamp 410132a1
Nothing to do.  Sleeping until we see a request.



Another hostap user sent me this tidbit:

-----------------------
 >bob     Auth-Type := Local, User-Password == "bob"
 >>          Reply-Message = "Hello, %u"
 >>
 >> Ok here, too?
 >>

Dunno; but I wonder why you'd tell Radius to do "Local" auth, when
you're doing  EAP - or at least, you would like to.
-----------------------


So, I'd guess I need to say Auth-Type := EAP in my users file for
  radiusd.  But then I have to configure all of the EAP and TLS and
  PEAP sections?  This link, [1], tells me to build a wad of
  certificates, but I would like to use user/password authentication.
Does anyone have another howto reference?

I'll try it again with Auth-Type := EAP, and post the results.

> 
> A patch is available for WPA on windows. This patch works on first
> view, but a reauthentication causes a disconnect. So there is
> only one secure wlan possibility in Windows: WEP rekeying using 802.1x.
> This is available in Windows XP.
> 
> regards
> gunter
> 

[1] <http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm>

-- 
Bob Beers
MIEEE 2415966
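
Added example, not part of the original message or of FreeRADIUS: it decodes the EAP-Message value from the debug output above using the RFC 3748 header layout, and flags a request that carries EAP but was handed to a non-EAP Auth-Type with no password attribute. The function names and the trimmed SAMPLE_LOG are assumptions made for illustration.

```python
import re
import struct

# EAP code and method type numbers from RFC 3748 (13 and 25 are EAP-TLS and PEAP).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak",
             4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}

# Four lines copied from the radiusd debug output quoted in the message above.
SAMPLE_LOG = """\
         User-Name = "bob"
         EAP-Message = 0x0200000801626f62
   rad_check_password:  Found Auth-Type Local
auth: No User-Password or CHAP-Password attribute in the request
"""

def decode_eap(hex_value):
    """Decode an EAP packet: code, identifier, length, then type and data."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not match the data")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident,
           "length": length, "type": None, "data": b""}
    if code in (1, 2) and length > 4:  # only Request/Response carry a type byte
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:length]
    return pkt

def diagnose(log_text):
    """Report EAP requests that were routed to a password-comparing Auth-Type."""
    eap = re.search(r"EAP-Message = (0x[0-9a-fA-F]+)", log_text)
    auth = re.search(r"Found Auth-Type (\S+)", log_text)
    has_pw = re.search(r"^\s*(User-Password|CHAP-Password) = ", log_text, re.M)
    findings = []
    if eap and auth and auth.group(1) != "EAP" and not has_pw:
        pkt = decode_eap(eap.group(1))
        findings.append(
            f"EAP {pkt['code']}/{pkt['type']} ({pkt['data']!r}) went to Auth-Type "
            f"{auth.group(1)}, but the request has no User-Password or CHAP-Password")
    return findings

if __name__ == "__main__":
    print(decode_eap("0x0200000801626f62"))
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

The decoded packet is an EAP Response of type Identity carrying only the name "bob", which matches the "response id 0 length 8" line in the log and contains no password for a Local comparison to check.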



