Wired network and CISCO ACS
Jacky
wyqjnm
Tue Mar 28 12:49:41 PST 2006
I have the same problem. I am getting a "Bad request from NAS" message
from the Cisco ACS 3.1 server.
My wpa_supplicant configuration is:
============ start
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
eapol_version=2
ap_scan=0
network={
ssid=""
key_mgmt=IEEE8021X
eap=PEAP
identity="jnz\jacky"
password="jacky"
phase1="peaplabel=0 peapver=1"
phase2="auth=MSCHAPV2"
}
======== end
And my hostapd config is:
======== start
interface=eth0
driver=wired
logger_stdout=-1
logger_stdout_level=4
debug=4
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=jacky
auth_algs=3
ieee8021x=1
eap_message=hello
use_pae_group_addr=1
eap_server=0
nas_identifier=test
auth_server_addr=192.168.2.142
auth_server_port=1812
auth_server_shared_secret=cisco
=========== end
The hostapd log is:
============ start
Received EAPOL packet
IEEE 802.1X: 46 bytes from 00:11:56:00:00:4a
IEEE 802.1X: version=2 type=0 length=14
ignoring 28 extra octets after IEEE 802.1X packet
EAP: code=2 identifier=0 length=14 (response)
IEEE 802.1X: 00:11:56:00:00:4a BE_AUTH entering state RESPONSE
Encapsulating EAP message into a RADIUS packet
RADIUS message: code=1 (Access-Request) identifier=0 length=168
Attribute 1 (User-Name) length=11
Value: 'jnz\jacky'
Attribute 4 (NAS-IP-Address) length=6
Value: 192.168.2.41
Attribute 32 (NAS-Identifier) length=16
Value: 'frog.pnz.co.nz'
Attribute 5 (NAS-Port) length=6
Value: 0
Attribute 30 (Called-Station-Id) length=20
Value: '00-0D-61-11-7F-8A:'
Attribute 31 (Calling-Station-Id) length=19
Value: '00-11-56-00-00-4A'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=16
Value: 02 00 00 0e 01 6a 6e 7a 5c 6a 61 63 6b 79
Attribute 80 (Message-Authenticator) length=18
Value: eb 0f ae db 4b 6a 1d 5d 66 c3 99 da f0 b5 a8 27
IEEE 802.1X: 00:11:56:00:00:4a REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:11:56:00:00:4a REAUTH_TIMER entering state INITIALIZE
RADIUS message: code=3 (Access-Reject) identifier=0 length=50
Attribute 18 (?Unknown?) length=12
Attribute 80 (Message-Authenticator) length=18
Value: f2 6f 9f 3a a3 c8 85 7c 66 6f 62 ad 01 37 80 23
RADIUS packet matching with station 00:11:56:00:00:4a
eth0: STA 00:11:56:00:00:4a IEEE 802.1X: could not extract EAP-Message from RADIUS message
IEEE 802.1X: 00:11:56:00:00:4a BE_AUTH entering state IGNORE
IEEE 802.1X: 00:11:56:00:00:4a BE_AUTH entering state FAIL
IEEE 802.1X: Sending canned EAP packet FAILURE to 00:11:56:00:00:4a (identifier 1)
IEEE 802.1X: 00:11:56:00:00:4a REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:11:56:00:00:4a AUTH_PAE entering state HELD
eth0: STA 00:11:56:00:00:4a IEEE 802.1X: authentication failed
============ end
The wpa_supplicant log is:
============ start
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=5):
68 65 6c 6c 6f hello
EAP: using real identity - hexdump_ascii(len=9):
6a 6e 7a 5c 6a 61 63 6b 79 jnz\jacky
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=18): 02 00 00 0e 02 00 00 0e 01 6a 6e 7a 5c 6a 61 63 6b 79
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0d:61:11:7f:8a
RX EAPOL - hexdump(len=46): 02 00 00 04 04 01 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: Workaround for unexpected identifier field in EAP Success: reqId=1 lastId=0 (these are supposed to be same)
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
============ end
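
Added example, not part of the original post: a small decoder for the EAPOL hexdumps in the logs above, useful for reading the 802.1X and EAP header fields when comparing the supplicant and authenticator sides. The function names `decode_eap` and `decode_eapol` are hypothetical; the two hexdumps are the ones from the wpa_supplicant log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def decode_eap(pkt: bytes) -> dict:
    """Decode an EAP packet: code, identifier, length, then type + data."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field does not fit the buffer")
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:      # only Request/Response carry a type
        eap["type"] = pkt[4]               # 1 = Identity
        eap["data"] = pkt[5:length]
    return eap

def decode_eapol(hexdump: str) -> dict:
    """Decode an 802.1X frame body (version, type, length) from a hexdump."""
    raw = bytes.fromhex(hexdump)
    if len(raw) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", raw[:4])
    if len(raw) < 4 + body_len:
        raise ValueError("EAPOL body shorter than declared length")
    frame = {"version": version, "type": ptype, "length": body_len,
             "padding": len(raw) - 4 - body_len}   # octets past the declared body
    if ptype == 0:                                 # type 0 = EAP-Packet
        frame["eap"] = decode_eap(raw[4:4 + body_len])
    return frame

# Hexdumps taken from the wpa_supplicant log in the post.
TX_IDENTITY = "02 00 00 0e 02 00 00 0e 01 6a 6e 7a 5c 6a 61 63 6b 79"
RX_FAILURE = "02 00 00 04 04 01 00 04" + " 00" * 38   # 46 octets as received

if __name__ == "__main__":
    for name, dump in (("TX", TX_IDENTITY), ("RX", RX_FAILURE)):
        print(name, decode_eapol(dump))
```

The received frame decodes to an EAP-Failure with identifier 1, the same identifier hostapd logs for its canned FAILURE packet, and the trailing zero octets are padding beyond the declared 4-octet body, the same kind of surplus hostapd reports as "extra octets" on its side.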