error on hostap in the proxy scenario

vamsi krishna gondi_vamsi
Fri Feb 9 08:36:46 PST 2007


hi,

i am receiving an error on hostap

No message-authenticator attribute found
Incoming radius packet did not have correct message authenticator - droped


here is my scenario,

a computer is equiped with hostap and with a radius server, this radius server acts as a proxy to the home network,

      
freeradius server as radius server
                                    ____________________________
WPA supplicant ---->     | Hostapd + visiting Radius server|    ------------ home radius server
                                    |-----------------------------------------------|
when hostap recievs request for authentication from the WPA supplicant it sends request to the visiting radius server on the computer, visiting radius checks the realm and forwards the request to the Home AAA server. the home radius server checks the realm and sends the challenge as a reply, the visiting radius server recives challenges and forward the request to HOSTAP, hostap receives the packet and then i find this error.  

No message-authenticator attribute found
Incoming radius packet did not have correct message authenticator - droped

if anyone knows the error and where the problem is (hostap or visiting radius server or home radius server)please let me know 
 

Here are the log files

HOSTAPD

ath0: STA 00:0c:41:63:9e:37 IEEE 802.1X: received EAP packet (code=2 id=0 len=22) from STA: EAP Response-Identity (1)
ath0: STA 00:0c:41:63:9e:37 IEEE 802.1X: STA identity 'vamsi at example.com'
IEEE 802.1X: 00:0c:41:63:9e:37 BE_AUTH entering state RESPONSE
Encapsulating EAP message into a RADIUS packet
ath0: RADIUS Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=84 length=172
Attribute 1 (User-Name) length=19
Value: 'vamsi at example.com'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 5 (NAS-Port) length=6
Value: 0
Attribute 30 (Called-Station-Id) length=24
Value: '00-14-6C-2D-96-68:test'
Attribute 31 (Calling-Station-Id) length=19
Value: '00-0C-41-63-9E-37'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=24
Value: 02 00 00 16 01 76 61 6d 73 69 40 65 78 61 6d 70 6c 65 2e 63 6f 6d
Attribute 80 (Message-Authenticator) length=18
Value: 30 d6 66 48 69 e3 ad 7d e1 df 3d 25 58 b3 47 e5
ath0: RADIUS Next RADIUS client retransmit in 3 seconds
IEEE 802.1X: 00:0c:41:63:9e:37 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0c:41:63:9e:37 REAUTH_TIMER entering state INITIALIZE
ath0: RADIUS Received 20 bytes from RADIUS server
ath0: RADIUS Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=84 length=20
ath0: STA 00:0c:41:63:9e:37 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.04 sec
No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator - dropped
ath0: STA 00:0c:41:63:9e:37 RADIUS: No RADIUS RX handler found (type=0 code=11 id=84) [INVALID AUTHENTICATOR] - dropping packet
 


Freeradius proxy server Log

Module: Loaded files
files: usersfile = "/usr/local/radius/etc/raddb/users"
files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: header = "%t"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/radius/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded attr_filter
attr_filter: attrsfile = "/usr/local/radius/etc/raddb/attrs"
Module: Instantiated attr_filter (attr_filter.post-proxy)
Initializing the thread pool...
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.2.1 port 32797, id=6, length=172
User-Name = "vamsi at example.com"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "00-14-6C-2D-96-68:test"
Calling-Station-Id = "00-0C-41-63-9E-37"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100160176616d7369406578616d706c652e636f6d
Message-Authenticator = 0xfc294d717766228ca192244fb7fb4fdd
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall[authorize]: module "unix" returns notfound for request 0
rlm_realm: Looking up realm "example.com" for User-Name = "vamsi at example.com"
rlm_realm: Found realm "example.com"
rlm_realm: Proxying request from user vamsi to realm example.com
rlm_realm: Adding Realm = "example.com"
rlm_realm: Preparing to proxy authentication request to realm "example.com"
modcall[authorize]: module "suffix" returns updated for request 0
rlm_eap: Request is supposed to be proxied to Realm example.com. Not doing EAP.
modcall[authorize]: module "eap" returns noop for request 0
modcall[authorize]: module "files" returns noop for request 0
modcall[authorize]: module "expiration" returns noop for request 0
modcall[authorize]: module "logintime" returns noop for request 0
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
Sending Access-Request of id 0 to 192.168.2.2 port 1812
User-Name = "vamsi at example.com"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "00-14-6C-2D-96-68:test"
Calling-Station-Id = "00-0C-41-63-9E-37"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100160176616d7369406578616d706c652e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x36
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Challenge packet from host 192.168.2.2 port 1812, id=0, length=67
EAP-Message = 0x010200060d20
Message-Authenticator = 0x288ae9dc209ee56b770989b732866ea3
State = 0x65d253b8c2a41a0199caf4238686c5ac
Proxy-State = 0x36
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
attr_filter: Matched entry example.com at line 78
modcall[post-proxy]: module "attr_filter.post-proxy" returns updated for request 0
modcall[post-proxy]: module "eap" returns noop for request 0
modcall: leaving group post-proxy (returns updated) for request 0
Sending Access-Challenge of id 6 to 192.168.2.1 port 32797
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 6 with timestamp 45cca049
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.2.1 port 32797, id=7, length=172
User-Name = "vamsi at example.com"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "00-14-6C-2D-96-68:test"
Calling-Station-Id = "00-0C-41-63-9E-37"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300160176616d7369406578616d706c652e636f6d
Message-Authenticator = 0xcddafa7bac6b4588863f37ac2f2c8f64
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
modcall[authorize]: module "unix" returns notfound for request 1
rlm_realm: Looking up realm "example.com" for User-Name = "vamsi at example.com"
rlm_realm: Found realm "example.com"
rlm_realm: Proxying request from user vamsi to realm example.com
rlm_realm: Adding Realm = "example.com"
rlm_realm: Preparing to proxy authentication request to realm "example.com"
modcall[authorize]: module "suffix" returns updated for request 1
rlm_eap: Request is supposed to be proxied to Realm example.com. Not doing EAP.
modcall[authorize]: module "eap" returns noop for request 1
modcall[authorize]: module "files" returns noop for request 1
modcall[authorize]: module "expiration" returns noop for request 1
modcall[authorize]: module "logintime" returns noop for request 1
modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
Sending Access-Request of id 1 to 192.168.2.2 port 1812
User-Name = "vamsi at example.com"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "00-14-6C-2D-96-68:test"
Calling-Station-Id = "00-0C-41-63-9E-37"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300160176616d7369406578616d706c652e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x37
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Challenge packet from host 192.168.2.2 port 1812, id=1, length=67
EAP-Message = 0x010400060d20
Message-Authenticator = 0xbd8c0c961b4776663862e485580916cc
State = 0xe268b49f14e466fa6c110c25a9d37ba1
Proxy-State = 0x37
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 1
attr_filter: Matched entry example.com at line 78
modcall[post-proxy]: module "attr_filter.post-proxy" returns updated for request 1
modcall[post-proxy]: module "eap" returns noop for request 1
modcall: leaving group post-proxy (returns updated) for request 1
Sending Access-Challenge of id 7 to 192.168.2.1 port 32797
Finished request 1
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 7 with timestamp 45cca062
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.2.1 port 32797, id=8, length=172
User-Name = "vamsi at example.com"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "00-14-6C-2D-96-68:test"
Calling-Station-Id = "00-0C-41-63-9E-37"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400160176616d7369406578616d706c652e636f6d
Message-Authenticator = 0x5ab02f96858376f10932ff80039a8a38
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
modcall[authorize]: module "unix" returns notfound for request 2
rlm_realm: Looking up realm "example.com" for User-Name = "vamsi at example.com"
rlm_realm: Found realm "example.com"
rlm_realm: Proxying request from user vamsi to realm example.com
rlm_realm: Adding Realm = "example.com"
rlm_realm: Preparing to proxy authentication request to realm "example.com"
modcall[authorize]: module "suffix" returns updated for request 2
rlm_eap: Request is supposed to be proxied to Realm example.com. Not doing EAP.
modcall[authorize]: module "eap" returns noop for request 2
modcall[authorize]: module "files" returns noop for request 2
modcall[authorize]: module "expiration" returns noop for request 2
modcall[authorize]: module "logintime" returns noop for request 2
modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns updated) for request 2
Sending Access-Request of id 2 to 192.168.2.2 port 1812
User-Name = "vamsi at example.com"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "00-14-6C-2D-96-68:test"
Calling-Station-Id = "00-0C-41-63-9E-37"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400160176616d7369406578616d706c652e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x38
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Challenge packet from host 192.168.2.2 port 1812, id=2, length=67
EAP-Message = 0x010500060d20
Message-Authenticator = 0x7a4d7c7be2ee2496a775e196a2eb7917
State = 0x7434f3c23d39bd4e387f775b92f550fd
Proxy-State = 0x38
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 2
attr_filter: Matched entry example.com at line 78
modcall[post-proxy]: module "attr_filter.post-proxy" returns updated for request 2
modcall[post-proxy]: module "eap" returns noop for request 2
modcall: leaving group post-proxy (returns updated) for request 2
Sending Access-Challenge of id 8 to 192.168.2.1 port 32797
Finished request 2
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
 

Home Freeradius log

rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/root/ssl/serverkey.pem"
tls: certificate_file = "/root/ssl/servercert.pem"
tls: CA_file = "/root/ssl/CA_nlab/cacert.pem"
tls: private_key_password = "pw4server"
tls: dh_file = "/usr/local/etc/raddb/cert/dh"
tls: random_file = "/usr/local/etc/raddb/cert/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
[/usr/local/etc/raddb/users]:97 WARNING! Changing 'User-Password =' to 'User-Password ==' ?for comparing RADIUS attribute in check item list for user adam
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.2.2:1812
Listening on accounting 192.168.2.2:1813
Listening on proxy 192.168.2.2:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.1:1814, id=0, length=175
User-Name = "vamsi at example.com"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "00-14-6C-2D-96-68:test"
Calling-Station-Id = "00-0C-41-63-9E-37"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100160176616d7369406578616d706c652e636f6d
Message-Authenticator = 0x10ea46dd1ac88f57ad11aef57787cb42
Proxy-State = 0x36
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "example.com" for User-Name = "vamsi at example.com"
rlm_realm: Found realm "example.com"
rlm_realm: Adding Stripped-User-Name = "vamsi"
rlm_realm: Proxying request from user vamsi to realm example.com
rlm_realm: Adding Realm = "example.com"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 22
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry vamsi at line 98
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 192.168.2.1 port 1814
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x65d253b8c2a41a0199caf4238686c5ac
Proxy-State = 0x36
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 45cca457
Nothing to do. Sleeping until we see a request.
 



thanking you,
gondi.

Vamsi Krishna GONDI,
16 rue Jean Pierre Laurens,
Fontenay Aux Roses, 92260,
France.
Ph no. +33 (0)6 20 38 51 53


 
____________________________________________________________________________________
Never Miss an Email
Stay connected with Yahoo! Mail on your mobile.  Get started!
http://mobile.yahoo.com/services?promote=mail




More information about the Hostap mailing list