FW: xsupplicant authentication issue with HostAp + FreeRadius

Atif Ikram Atif.Ikram
Fri Aug 25 12:30:44 PDT 2006




From: Atif Ikram 
Sent: Friday, August 25, 2006 3:26 PM
To: 'hostap at shmoo.com'
Subject: xsupplicant authentication issue with HostAp + FreeRadius





I am new to HostAp and I will deeply appreciate if someone can point me
to right direction:  


Currently I have HostAP and FreeRadius running on same Linux box and
xsupplicant running on an embedded machine but on the same network.  It
is all wired network and no wifi involved.  I have configured FreeRadius
to accept any user for testing purposes as follows:


DEFAULT Auth-Type := Accept


The HostAp and FreeRadius seem to communicate fine when they get started
as the secret key is setup the same on both side's config files.


When xsupplicant attempts to authenticate via HostAp, the FreeRadius
gets the request and it accepts it but HostAp doesn't seem to be getting
the "Message-Authenticator" attribute correctly from FreeRadius.  As a
result it rejects the Radius message.  I know I am doing something wrong
and will like to get help. Again thanks in advance !


Here is the config for xsupplicant:


network_list = all

default_netname = default

logfile = /home/ikr46256/xsupplicant.log


default_interface = eth0




  type = wired

  allow_types = all


  identity = myid at mynet.net


  eap-md5 {

      username = "tester"

      password = "hello"   # Since the password has spaces, quote it.





Here is the log from HostAP:


IEEE 802.1X: 46 bytes from 00:40:4d:d0:9f:71

   IEEE 802.1X: version=2 type=0 length=19

   ignoring 23 extra octets after IEEE 802.1X packet

   EAP: code=2 identifier=10 length=19 (response)

eth0: STA 00:40:4d:d0:9f:71 IEEE 802.1X: received EAP packet (code=2
id=10 len=19) from STA: EAP Response-Identity (1)

eth0: STA 00:40:4d:d0:9f:71 IEEE 802.1X: STA identity 'myid at mynet.net'

IEEE 802.1X: 00:40:4d:d0:9f:71 BE_AUTH entering state RESPONSE

Encapsulating EAP message into a RADIUS packet

eth0: RADIUS Sending RADIUS message to authentication server

eth0: RADIUS Received RADIUS message

RADIUS message: code=2 (Access-Accept) identifier=7 length=38

   Attribute 18 (?Unknown?) length=18

No Message-Authenticator attribute found

Incoming RADIUS packet did not have correct Message-Authenticator -

eth0: STA 00:40:4d:d0:9f:71 RADIUS: No RADIUS RX handler found (type=0
code=2 id=7) [INVALID AUTHENTICATOR] - dropping packet

IEEE 802.1X: 00:d0:b7:2c:38:79 REAUTH_TIMER entering state INITIALIZE





The log for FreeRadius is as follows:

Starting - reading configuration files ...

reread_config:  reading radiusd.conf

Thread 1 handling request 0, (1 handled so far)

        Acct-Status-Type = Accounting-On

        Acct-Authentic = RADIUS

        NAS-IP-Address =

        NAS-Identifier = "ap.example.com"

        Called-Station-Id = "00-14-22-43-42-2F:"

        Acct-Terminate-Cause = NAS-Reboot

  Processing the preacct section of radiusd.conf

modcall: entering group preacct for request 0

Finished request 0

Going to the next request

Thread 1 waiting to be assigned a request

--- Walking the entire request list ---

Cleaning up request 0 ID 0 with timestamp 44ef389d

Nothing to do.  Sleeping until we see a request.

rad_recv: Access-Request packet from host, id=79,

Thread 2 handling request 1, (1 handled so far)

        User-Name = "testuser"

        User-Password = "hello"

        NAS-IP-Address =

        NAS-Port = 0


  rad_check_password: Auth-Type = Accept, accepting the user

radius_xlat:  'You are accepted'

Sending Access-Accept of id 79 to port 33250

        Reply-Message = "You are accepted"

Finished request 1

Going to the next request





-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20060825/2ab5911d/attachment.htm 

More information about the Hostap mailing list