LEAP did not work. Need some help

Tilman Baumann tilman.baumann at grandeye.com
Mon May 13 11:45:31 EDT 2013


Hi,

I have been playing around with all sorts of EAP protocols and most seem
to work for me now.
LEAP however seems to fail, even though the freeradius server seems to
suggest that authentication has succeeded.
I'm using wired IEEE 802.1X.

I get such messages from freeradius -X

Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type leap
  rlm_eap_leap: Stage 2
  rlm_eap_leap: Issuing AP Challenge
  rlm_eap_leap: Successfully initiated
++[eap] returns handled
Sending Access-Challenge of id 208 to 192.168.0.54 port 1026
        EAP-Message = 0x01470017110100088fc287d5a1a1870074657374696e67
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8481d20384c6c3a4d66aeb67b66d8d2c
Finished request 667.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.54 port 1026,
id=209, length=161
        User-Name = "testing"
        NAS-Identifier = "ES-2024PWR"
        NAS-IP-Address = 192.168.0.54
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-11-35-01-00-49"
        Framed-MTU = 1400
        EAP-Message =
0x024700271101001813145dccee7bf8ef3b85f7e5ef245c1ed179087152b61dbc74657374696e67
        State = 0x8481d20384c6c3a4d66aeb67b66d8d2c
        Message-Authenticator = 0x3404530f28d66d8a680e5c620afee120
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 71 length 39
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testing at line 51
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/leap
[eap] processing type leap
  rlm_eap_leap: Stage 4
  rlm_eap_leap: NtChallengeResponse from AP is valid
[eap] Underlying EAP-Type set EAP ID to 72
++[eap] returns ok
Login OK: [testing/<via Auth-Type = EAP>] (from client private-network-2
port 4 cli 00-11-35-01-00-49)
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}


I can test my account with default_eap_type = leap set in freeradius.
]# radtest -t mschap testing password 192.168.0.212 0 testing123-2
Sending Access-Request of id 220 to 192.168.0.212 port 1812
        User-Name = "testing"
        NAS-IP-Address = 192.168.0.100
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x94a10b310e45252a
        MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000a92f06292bfd110f730e3fae51cd5b711126a6f54bc1d2ac
rad_recv: Access-Accept packet from host 192.168.0.212 port 1812,
id=220, length=84
        MS-CHAP-MPPE-Keys =
0xe52cac67419a9a22166a9e32f11580c1c0b62f9cd0bda6330000000000000000
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006



Other EAP protocols like MD5 and PEAP work fine through my
wpa_supplicant. But not LEAP.

I have attached logs with wpa_supplicant -dd


wpa_supplicant.conf is simple


ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
update_config=1

network={
        key_mgmt=IEEE8021X
        identity="testing"
        password="password"
}

I would be glad for any hints.


PS: I would like to test LEAP-FAST as well. Is freeradius with the
hostap eap lib the best way to go?
I did not really want to re-compile it, but I would if that's the way to
go. (using debian package right now)
-- 
Tilman Baumann
Oncam Grandeye
6 Huxley Road, Surrey Research Park
Guildford, GU2 7RE, United Kingdom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wpa.log
Type: text/x-log
Size: 8192 bytes
Desc: not available
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20130513/bd0347c4/attachment-0001.bin>
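
Added example (not part of the original post, and not FreeRADIUS or wpa_supplicant code): a Python decoder for the two EAP-Message values in the freeradius -X output above, splitting the EAP header from the LEAP body. It assumes the commonly documented LEAP layout (version, unused, count, challenge/response data, user name); the function and constant names are hypothetical.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_LEAP = 17  # 0x11, the type byte seen in both packets in the log


def parse_eap_leap(hex_value):
    """Decode one EAP-Message attribute value as printed by freeradius -X."""
    text = hex_value.strip()
    raw = bytes.fromhex(text[2:] if text.lower().startswith("0x") else text)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    if code in (3, 4):            # Success/Failure carry no type or data
        return pkt
    if length < 8:
        raise ValueError("too short for a LEAP body")
    eap_type, version, unused, count = struct.unpack("!BBBB", raw[4:8])
    if eap_type != EAP_TYPE_LEAP:
        raise ValueError(f"EAP type {eap_type} is not LEAP")
    if 8 + count > length:
        raise ValueError("count field runs past the end of the packet")
    # Assumed layout: 'count' bytes of challenge/response, then the user name.
    pkt.update(version=version, unused=unused, count=count,
               data=raw[8:8 + count].hex(),
               name=raw[8 + count:].decode("ascii", "replace"))
    return pkt


# The two EAP-Message values copied from the debug output in the post.
CHALLENGE = "0x01470017110100088fc287d5a1a1870074657374696e67"
RESPONSE = ("0x024700271101001813145dccee7bf8ef3b85f7e5ef245c1e"
            "d179087152b61dbc74657374696e67")

if __name__ == "__main__":
    for label, value in (("Access-Challenge", CHALLENGE),
                         ("Access-Request", RESPONSE)):
        print(label, parse_eap_leap(value))
```

The decoded identifier and length of the second packet can be compared with the "[eap] EAP packet type response id 71 length 39" line in the server output.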

