Authentication failed, but I still can send packets through the interface
henry1412
Mon Nov 24 20:01:31 PST 2008
I used the following settings to configure 802.1x authentication.
wpa_supplicant_0.48 (or xp sp2 supplicant) + hostapd_0.5.10 + freeradius_1.1 + mysql_5
wpa_supplicant is installed on a client device. hostapd is installed on an access device. freeradius, mysql and web pages are installed on an authentication server. The authorized method was EAP/MD5 for testing.
If I set a right username and password in the wpa_supplicant configuration file, I could pass the authentication. Then I could access the web pages on the authentication server or the internet.
Part of freeradius log:
Sending Access-Accept of id 1 to 192.168.1.7:1025
Framed-IP-Address := 192.168.1.55
Service-Type := Framed-User
Framed-IP-Netmask := 255.255.254.0
EAP-Message = 0x03010004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test"
Part of hostapd log:
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
IEEE 802.1X: 00:13:d7:20:00:f0 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:13:d7:20:00:f0 REAUTH_TIMER entering state INITIALIZE
RADIUS packet matching with station 00:13:d7:20:00:f0
IEEE 802.1X: 00:13:d7:20:00:f0 BE_AUTH entering state SUCCESS
IEEE 802.1X: Sending EAP Packet to 00:13:d7:20:00:f0 (identifier 1)
IEEE 802.1X: 00:13:d7:20:00:f0 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:13:d7:20:00:f0 AUTH_PAE entering state AUTHENTICATED
IEEE 802.1X: 00:13:d7:20:00:f0 BE_AUTH entering state IDLE
IEEE 802.1X: 00:13:d7:20:00:f0 - aWhile --> 0
Part of wpa_supplicant log:
Associated with 01:80:c2:00:00:03
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP method 4 (MD5) selected
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed (auth)01:80:c2:00:00:03)
If I set a wrong username and password in the wpa_supplicant configuration file, I couldn't pass the authentication. But I could still access the web pages on the authentication server or the internet.
Part of freeradius log:
rad_recv: Access-Request packet from host 192.168.1.7:1024, id=1, length=173
Sending Access-Reject of id 1 to 192.168.1.7:1024
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
Part of hostapd log:
RADIUS packet matching with station 00:13:d7:20:00:f0
IEEE 802.1X: 00:13:d7:20:00:f0 BE_AUTH entering state FAIL
IEEE 802.1X: Sending EAP Packet to 00:13:d7:20:00:f0 (identifier 1)
IEEE 802.1X: 00:13:d7:20:00:f0 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:13:d7:20:00:f0 AUTH_PAE entering state HELD
br0: STA 00:13:d7:20:00:f0 IEEE 802.1X: authentication failed
IEEE 802.1X: 00:13:d7:20:00:f0 BE_AUTH entering state IDLE
IEEE 802.1X: 00:13:d7:20:00:f0 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:13:d7:20:00:f0 REAUTH_TIMER entering state INITIALIZE
Part of wpa_supplicant log:
Associated with 01:80:c2:00:00:03
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP method 4 (MD5) selected
EAP: more than 50 authentication rounds - abort
CTRL-EVENT-EAP-FAILURE EAP authentication failed
It seemed that the access device didn't deny user access, even if the user didn't pass
the authentication. What's wrong with my configuration? Thank you very much!
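
The check below is an added example and not part of the original post: it reads hostapd debug lines in the format quoted above, keeps the last AUTH_PAE state per station, and reports any station that was observed passing traffic while its 802.1X port state was not authorized. The `forwarding_macs` input, the function names and the second MAC address are assumptions made for illustration.

```python
import re

# Constructed sample in the hostapd debug format quoted in the post; the second
# MAC address is made up for contrast.
SAMPLE_LOG = """\
IEEE 802.1X: 00:13:d7:20:00:f0 BE_AUTH entering state FAIL
IEEE 802.1X: 00:13:d7:20:00:f0 AUTH_PAE entering state HELD
br0: STA 00:13:d7:20:00:f0 IEEE 802.1X: authentication failed
IEEE 802.1X: 00:13:d7:20:00:f0 BE_AUTH entering state IDLE
IEEE 802.1X: 00:aa:bb:cc:dd:01 BE_AUTH entering state SUCCESS
IEEE 802.1X: 00:aa:bb:cc:dd:01 AUTH_PAE entering state AUTHENTICATED
"""

# 802.1X authenticator PAE states in which the controlled port is authorized.
AUTHORIZED = {"AUTHENTICATED", "FORCE_AUTH"}

PAE_RE = re.compile(
    r"IEEE 802\.1X: ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) AUTH_PAE entering state (\w+)",
    re.IGNORECASE,
)

def port_states(log_text):
    """Return {station MAC: last AUTH_PAE state logged by hostapd}."""
    states = {}
    for line in log_text.splitlines():
        m = PAE_RE.search(line)
        if m:
            states[m.group(1).lower()] = m.group(2).upper()
    return states

def forwarding_violations(log_text, forwarding_macs):
    """Return {MAC: state} for stations seen forwarding traffic while unauthorized.

    forwarding_macs is a hypothetical input: source MACs the operator observed
    passing through the access device (bridge table, packet capture).
    A MAC with no AUTH_PAE record is reported as NO_RECORD.
    """
    states = port_states(log_text)
    out = {}
    for mac in sorted(m.lower() for m in forwarding_macs):
        state = states.get(mac, "NO_RECORD")
        if state not in AUTHORIZED:
            out[mac] = state
    return out

if __name__ == "__main__":
    seen = {"00:13:D7:20:00:F0", "00:aa:bb:cc:dd:01"}  # constructed observation
    for mac, state in forwarding_violations(SAMPLE_LOG, seen).items():
        print(f"{mac} forwarding while AUTH_PAE={state}")
```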