Very basic understanding
EAP/MD5 and other types of EAP authentication are part of "Port based network
access control", as defined in the IEEE 802.1X standard. All you have to
know at this time are the three main actors:
-
authentication server (called AS or server in this document):
AAA server (RADIUS) which will verify user credentials and give commands
to accept or reject the user login request. -
authenticator (called client or access point - ap - in
this document):
the network access device (NAS), which will take the EAP-frames out of
the traffic on one side and translate them into RADIUS-attributes on the
other and vice versa, thus acting as pass-through device. -
supplicant (user):
the one to be authenticated, i.e. your Windows/Linux whatever machine using
the WLAN
Server configuration (
FreeRADIUS)
Assumptions:
-
You have a server that starts without any errors when doing:
./radiusd –s –X-
You have at least one properly configured client (i.e. access
point, ap).
-
You have at least one configured user and your
radtest user password 10 secret
works from a test host (e.g. localhost), i.e. you receive an Accept
message from your server.
Please take a look at the provided configuration files in order to accomplish
the setup so far. It’s really not difficult to have the system configured
this way by just correcting the supplied configuration files. The files
concerned here are in the etc directory of your
FreeRADIUS
server:
-
users
-
clients.conf
-
radiusd.conf
User configuration (users
):
Alter the existent user or add another one which will be used for test
purposes. The simplest possible configurations are given in the examples.
More complicated configurations are out of the scope of this document.
- Examples:
-
-
Auth-Type := System, User-Password = "Hello"
-
-
or
-
-
Auth-Type := Local, User-Password = "Hello"
-
-
Please note the ":=" operator. "=" instead will not work.
Sections (radiusd.conf):
The interesting part here are authorize AND authenticate
sections. (At the very bottom of the file.) Ignore all the following as
those will deal with the accounting.
- authorize {
-
-
preprocess
-
-
files
-
-
eap
-
-
}
-
-
authenticate {
-
-
eap
-
-
}
Finally, the EAP module itself has to be configured at least this way:
That’s it for
FreeRADIUS
Client configurationFirst of all: please read the documentation of your client. There are a
plenty of different clients on the market, we can’t provide any help for
them. Basically, you have to activate "Network port based 802.1X authentication",
sometimes called similar. Please see the Technical
Documentation of your AP. Then, of course, you have to find the "Authentication
Server" configuration part and supply the data about the used RADIUS server,
i.e. it’s IP-address, UDP-port and the pre-shared secret (the same one
you configured for your access point – client – in the
FreeRADIUS
configuration files). Sometimes you can supply a bunch of those servers
and sometimes you can use them for other purposes, too, like e.g. MAC-based
access control. You only have to activate the EAP-Authentication.
Please note: you can perfectly use EAP-authentication without using
WEP or providing whichever keys in the AP. Do it so for the test purposes.
Once you’ve got it running, you can setup your WEP keys, whatever. That
will allow you to analyze traffic if something goes wrong.
For Cisco AP340 it would look like following:
ap1 AP Radio Data Encryption |
|
Cisco 350 Series AP 11.23T |
|
Uptime: 7 days, 11:02:58 |
|
[][][] |
Cisco 350 Series AP 11.23T |
® Copyright 2002 |
|
|
|
Deactivate older authentication types (Open, Shared, CHAP, PAP, whatever)
to prevent misunderstanding during the test.
User configuration
Windows XP (before SP1)
Note: since WindowsXP SP1 you can't use
EAP-MD5 for wireless devices!!! EAP-MD5 is only available for wired devices.
Go to the Network Connections window. Right-click the connection corresponding
to the adapter which is going to use EAP authentication. Go to the "Authentication"
tab. If it doesn’t appear (yes, it’s weird sometimes) try to unplug and
plug your adapter till it does (if PCMCIA...) Otherwise, download the software
for the adapter configuration like e.g. ACU for the Cisco adapters and
try to de- and reactivate the card.
In the Authentication dialog, assure the box "Use IEEE802.1X network
authentication" is checked. Set your EAP type there (EAP/MD5 Challenge).
That’s all. Now deactivate and reactivate your LAN-connection on this
adapter and it should work.
Troubleshooting
Problems:
-
Problem 1:
Your AP keeps on saying "Unknown EAP authentication procedure request" or similiar all the time.
Workaround:
Try to assure
that all the parameters described above (at client and user sides) have
really been set. Then, try to check the following points:
-
The firmware of the network adapter and the access point are new enough
to support the latest IEEE802.1X version (momentary Draft 10 or Draft 11
should work). Update your firmware with its radio part in the other case.
-
Use the adapter software to see which versions are active, verify the links,
permutate all settings, do something! Try to use the adapter software to
set the authentication type. In my case it was the first solution I had
to set an ACU profile dictating the EAP authentication to the card instead
of „Allow Windows to set these parameters“. This now works with Windows
profiling, too, though.
-
Problem 2:
You get an Access Reject even if the identification information is correct.
In the server log you can see a weird Notification message.
Workaround:
In your user config (users file of the server configuration)
remove the "Reply-Message" attribute for the concerned user. This is currently a bug.
Some APs (e.g. Cisco) send out a Notification downstream to the user on receiving
a "Reply-Message" attribute in the "Radius Response". The Windows XP supplicant answers
with an "EAP Notification" type message instead of "EAP MD5 Challenge" message which should
be issued. FreeRadius server currently rejects every incoming EAP notification.
Exchange and log examples
Below some examples:
1. Successful login for user
The basic exchange would be like following:
- NAS Server
-
-
Access Request (1)
-
EAP Response (2)
-
Identity (1)
-
---------------->
-
-
-
Access Challenge (11)
-
EAP Request (1)
-
MD5-Challenge (4
-
<----------------
-
-
-
Access Request (1)
-
EAP Response (2)
-
MD-Challenge (4)
-
---------------->
-
-
-
Access Accept (2)
-
EAP Success (3)
-
<----------------
And the corresponding radiusd output:
- rad_recv: Access-Request packet from host 10.10.10.1:1150, id=42, length=121
-
User-Name = "artur"
-
NAS-IP-Address = 10.10.10.1
-
Called-Station-Id = "00409635bed6"
-
Calling-Station-Id = "004096426f05"
-
NAS-Identifier = "ap1"
-
NAS-Port = 38
-
Framed-MTU = 1400
-
NAS-Port-Type = Wireless-802.11
-
EAP-Message = "\002\000\000\n\001artur"
-
Message-Authenticator = 0xe16c8f1a3d9326a9025fb043c7f2ecec
-
rlm_eap: processing type md5
-
rlm_eap_md5: Issuing Challenge
-
Login OK: [artur/] (from client ap-1 port 38 cli 004096426f05)
-
Sending Access-Challenge of id 42 to 10.10.10.1:1150
-
EAP-Message = "\001*\000\026\004\020\277\301\034\265\377\002\353\210{pfV\216B\031J"
-
Message-Authenticator = 0x00000000000000000000000000000000
-
State = 0x0bb432f976422930f905808b087e88ba9610fe3ccb283c169291fb00b15a87fa66c5a418
-
rad_recv: Access-Request packet from host 10.10.10.1:1151, id=43, length=176
-
User-Name = "artur"
-
NAS-IP-Address = 10.10.10.1
-
Called-Station-Id = "00409635bed6"
-
Calling-Station-Id = "004096426f05"
-
NAS-Identifier = "ap1"
-
NAS-Port = 38
-
Framed-MTU = 1400
-
State = 0x0bb432f976422930f905808b087e88ba9610fe3ccb283c169291fb00b15a87fa66c5a418
-
NAS-Port-Type = Wireless-802.11
-
EAP-Message = "\002*\000\033\004\020]\242\222\220kzZ\006\213\376!w\363M\255\311artur"
-
Message-Authenticator = 0xa8d07be03fa8f7e6a15f593753094db4
-
rlm_eap: Request found, released from the list
-
rlm_eap: EAP_TYPE - md5
-
rlm_eap: processing type md5
-
Login OK: [artur/] (from client ap-1 port 38 cli 004096426f05)
-
Sending Access-Accept of id 43 to 10.10.10.1:1151
-
EAP-Message = "\003+\000\004"
-
Message-Authenticator = 0x00000000000000000000000000000000
FreeRADIUS EAP¨/MD5: WindowsXP as supplicant
Last touched: 03.03.2003
--Artur Hecker
阅读(2438) | 评论(0) | 转发(0) |