LEAP did not work. Need some help
Dan Williams
dcbw
Mon May 13 09:18:30 PDT 2013
On Mon, 2013-05-13 at 16:45 +0100, Tilman Baumann wrote:
> Hi,
>
> I have been playing around with all sorts of EAP protocols and most seem
> to work for me now.
> LEAP however seems to fail, even though the freeradius server seems to
> suggest that authentication has succeeded.
> I'm using wired IEEE802.1x

LEAP is only used for WiFi networks, not wired ones. Next, I believe
you mean "EAP-FAST", which is Cisco's replacement for LEAP. There isn't
a "LEAP-FAST". Perhaps that was a mistype?

Dan

> I get such messages from freeradius -X
>
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type leap
> rlm_eap_leap: Stage 2
> rlm_eap_leap: Issuing AP Challenge
> rlm_eap_leap: Successfully initiated
> ++[eap] returns handled
> Sending Access-Challenge of id 208 to 192.168.0.54 port 1026
> EAP-Message = 0x01470017110100088fc287d5a1a1870074657374696e67
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x8481d20384c6c3a4d66aeb67b66d8d2c
> Finished request 667.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.54 port 1026,
> id=209, length=161
> User-Name = "testing"
> NAS-Identifier = "ES-2024PWR"
> NAS-IP-Address = 192.168.0.54
> NAS-Port = 4
> NAS-Port-Type = Ethernet
> Calling-Station-Id = "00-11-35-01-00-49"
> Framed-MTU = 1400
> EAP-Message =
> 0x024700271101001813145dccee7bf8ef3b85f7e5ef245c1ed179087152b61dbc74657374696e67
> State = 0x8481d20384c6c3a4d66aeb67b66d8d2c
> Message-Authenticator = 0x3404530f28d66d8a680e5c620afee120
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "testing", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 71 length 39
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry testing at line 51
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/leap
> [eap] processing type leap
> rlm_eap_leap: Stage 4
> rlm_eap_leap: NtChallengeResponse from AP is valid
> [eap] Underlying EAP-Type set EAP ID to 72
> ++[eap] returns ok
> Login OK: [testing/<via Auth-Type = EAP>] (from client private-network-2
> port 4 cli 00-11-35-01-00-49)
> # Executing section post-auth from file
> /etc/freeradius/sites-enabled/default
> +- entering group post-auth {...}
>
>
> I can test my account with default_eap_type = leap set in freeradius.
> ]# radtest -t mschap testing password 192.168.0.212 0 testing123-2
> Sending Access-Request of id 220 to 192.168.0.212 port 1812
> User-Name = "testing"
> NAS-IP-Address = 192.168.0.100
> NAS-Port = 0
> Message-Authenticator = 0x00000000000000000000000000000000
> MS-CHAP-Challenge = 0x94a10b310e45252a
> MS-CHAP-Response =
> 0x0001000000000000000000000000000000000000000000000000a92f06292bfd110f730e3fae51cd5b711126a6f54bc1d2ac
> rad_recv: Access-Accept packet from host 192.168.0.212 port 1812,
> id=220, length=84
> MS-CHAP-MPPE-Keys =
> 0xe52cac67419a9a22166a9e32f11580c1c0b62f9cd0bda6330000000000000000
> MS-MPPE-Encryption-Policy = 0x00000001
> MS-MPPE-Encryption-Types = 0x00000006
>
>
>
> Other EAP protocols like MD5 and PEAP work fine through my
> wpa_supplicant. But not LEAP.
>
> I have attached logs with wpa_supplicant -dd
>
>
> wpa_supplicant.conf is simple
>
>
> ctrl_interface=/var/run/wpa_supplicant
> ap_scan=0
> update_config=1
>
> network={
> key_mgmt=IEEE8021X
> identity="testing"
> password="password"
> }
>
> I would be glad for any hints.
>
>
> PS: I would like to test LEAP-FAST as well. Is freeradius with the
> hostap eap lib the best way to go?
> I did not really want to re-compile it, but I would if that's the way to
> go. (using debian package right now)
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
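
Added example, not part of the original messages: a small Python decoder for the two EAP-Message values in the `freeradius -X` output quoted above, useful for checking what each side actually sent. It assumes the usual EAP-LEAP layout (4-byte EAP header, type 17, then version, unused, count, challenge or response bytes, user name); the function and field names are this example's own.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_LEAP = 17  # EAP method type number assigned to LEAP

def parse_leap(hex_value):
    """Decode one RADIUS EAP-Message value (hex, optional 0x prefix)."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("shorter than an EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length %d != %d bytes present" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    if code in (3, 4):          # Success/Failure carry no type data
        return pkt
    if length < 8:
        raise ValueError("too short for a LEAP body")
    if raw[4] != EAP_TYPE_LEAP:
        raise ValueError("EAP type %d is not LEAP" % raw[4])
    version, count = raw[5], raw[7]   # raw[6] is the unused byte
    if 8 + count > length:
        raise ValueError("count field runs past the end of the packet")
    pkt.update({
        "version": version,
        "count": count,                          # 8 = challenge, 24 = response
        "data": raw[8:8 + count].hex(),
        "name": raw[8 + count:].decode("ascii", "replace"),
    })
    return pkt

# The two EAP-Message values copied from the quoted debug output.
LOG_MESSAGES = [
    "0x01470017110100088fc287d5a1a1870074657374696e67",
    "0x024700271101001813145dccee7bf8ef3b85f7e5ef245c1e"
    "d179087152b61dbc74657374696e67",
]

if __name__ == "__main__":
    for value in LOG_MESSAGES:
        print(parse_leap(value))
```
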