12-12-2007 11:36 PM - edited 03-10-2019 03:33 PM
I can't figure this one out.
I've configured CAR for PEAP V0 using MS-CHAPv2 (I'm going to use the supplicant installed on Windows XP on wireless networks).
The test AP has been configured and the server is receiving the requests, however it seems that it doesn't receive the passwords.
If I try to connect to the wireless network I get the prompt for username/password, but it always rejects them. Here is the trace output:
12/13/2007 1:10:14: P915: Packet received from 192.168.0.1
12/13/2007 1:10:14: P915: Checking Message-Authenticator
12/13/2007 1:10:14: P915: Trace of Access-Request packet
12/13/2007 1:10:14: P915: identifier = 0
12/13/2007 1:10:14: P915: length = 126
12/13/2007 1:10:14: P915: reqauth = ef:ce:47:c1:4d:e3:47:a0:7b:f4:1d:eb:28:c3:7e:08
12/13/2007 1:10:14: P915: User-Name = alonso
12/13/2007 1:10:14: P915: NAS-IP-Address = 192.168.0.1
12/13/2007 1:10:14: P915: NAS-Port = 60
12/13/2007 1:10:14: P915: Framed-MTU = 1400
12/13/2007 1:10:14: P915: Called-Station-Id = 0018f8f7b98e
12/13/2007 1:10:14: P915: Calling-Station-Id = 001c106f09da
12/13/2007 1:10:14: P915: NAS-Identifier = 0018f8f7b98e
12/13/2007 1:10:14: P915: NAS-Port-Type = Wireless - IEEE 802.11
12/13/2007 1:10:14: P915: EAP-Message = 02:00:00:0b:01:61:6c:6f:6e:73:6f
12/13/2007 1:10:14: P915: Message-Authenticator = 6b:47:57:71:8c:97:37:61:21:d2:84:49:05:d3:96:8a
12/13/2007 1:10:14: P915: Using Client: Suesser
12/13/2007 1:10:14: P915: Using NAS: Suesser (192.168.0.1)
12/13/2007 1:10:14: P915: Request is directly from a NAS: TRUE
12/13/2007 1:10:14: P915: Authenticating and Authorizing with Service local-users
12/13/2007 1:10:14: P915: Getting User alonso's UserRecord from UserList Default
12/13/2007 1:10:14: Log: Request from Suesser (192.168.0.1): Authentication request for User alonso had no User-Password or CHAP-Password attribute in packet
12/13/2007 1:10:14: P915: Adding Message-Authenticator to response
12/13/2007 1:10:14: P915: Trace of Access-Reject packet
12/13/2007 1:10:14: P915: identifier = 0
12/13/2007 1:10:14: P915: length = 54
12/13/2007 1:10:14: P915: respauth = 19:02:50:72:df:29:db:bd:ca:99:6a:02:49:e0:66:c0
12/13/2007 1:10:14: P915: Reply-Message = Access Denied
12/13/2007 1:10:14: P915: Message-Authenticator = cb:d3:43:ed:1a:84:c7:1a:89:39:9b:ee:24:c9:50:45
12/13/2007 1:10:14: P915: Sending response to 192.168.0.1
12/13/2007 1:10:14: Log: Request from Suesser (192.168.0.1): User alonso rejected (MalformedRequest)
It's complaining about not having a password, right?
Well, the request did in fact have a password, but it doesn't matter; I get the same reply if I try to log in with or without the password.
Obviously I'm missing something here, but I can't figure it out.
Thanks in advance
12-12-2007 11:37 PM
I've also tried to test it with the radclient and I get the same result. Here is the output from a test using the radclient:
12/13/2007 1:32:57: P956: Packet received from 127.0.0.1
12/13/2007 1:32:57: P956: Checking Message-Authenticator
12/13/2007 1:32:57: P956: Trace of Access-Request packet
12/13/2007 1:32:57: P956: identifier = 1
12/13/2007 1:32:57: P956: length = 85
12/13/2007 1:32:57: P956: reqauth = 92:19:39:4d:cc:dc:b7:78:43:de:08:3c:49:66:a4:5c
12/13/2007 1:32:57: P956: User-Name = alonso
12/13/2007 1:32:57: P956: NAS-Port = 1
12/13/2007 1:32:57: P956: Calling-Station-Id = alonso
12/13/2007 1:32:57: P956: NAS-Identifier = localhost
12/13/2007 1:32:57: P956: EAP-Message = 02:00:00:0b:01:61:6c:6f:6e:73:6f
12/13/2007 1:32:57: P956: Message-Authenticator = 93:88:8d:ca:cc:85:15:d8:14:d6:fd:52:4a:fd:8c:d1
12/13/2007 1:32:57: P956: Using Client: localhost
12/13/2007 1:32:57: P956: Running Client localhost IncomingScript: ParseServiceHints
12/13/2007 1:32:57: P956: Rex: environ->get( "Request-Type" ) -> "Access-Request"
12/13/2007 1:32:57: P956: Rex: environ->get( "Request-Type" ) -> "Access-Request"
12/13/2007 1:32:57: P956: Rex: environ->get( "User-Name" ) -> ""
12/13/2007 1:32:57: P956: Rex: request->get( "User-Name", 0 ) -> "alonso"
12/13/2007 1:32:57: P956: Using NAS: localhost (127.0.0.1)
12/13/2007 1:32:57: P956: Request is directly from a NAS: TRUE
12/13/2007 1:32:57: P956: Authenticating and Authorizing with Service local-users
12/13/2007 1:32:57: P956: Getting User alonso's UserRecord from UserList Default
12/13/2007 1:32:57: Log: Request from localhost (127.0.0.1): Authentication request for User alonso had no User-Password or CHAP-Password attribute in packet
12/13/2007 1:32:57: P956: Adding Message-Authenticator to response
12/13/2007 1:32:57: P956: Trace of Access-Reject packet
12/13/2007 1:32:57: P956: identifier = 1
12/13/2007 1:32:57: P956: length = 54
12/13/2007 1:32:57: P956: respauth = c6:e0:88:d7:f2:a6:23:20:a8:e2:fc:83:f6:35:f8:89
12/13/2007 1:32:57: P956: Reply-Message = Access Denied
12/13/2007 1:32:57: P956: Message-Authenticator = 6e:c1:eb:e6:fa:12:5d:0a:19:82:78:1b:8f:71:e8:f2
12/13/2007 1:32:57: P956: Sending response to 127.0.0.1
12/13/2007 1:32:57: Log: Request from localhost (127.0.0.1): User alonso rejected (MalformedRequest)
Same thing, and you can be sure I didn't miss the password as the radclient won't do the request without it ;)
12-13-2007 06:56 AM
I thought it may be useful to have the configurations:
--> ls services/eap-mschapv2/
[ Services/eap-mschapv2 ]
Name = eap-mschapv2
Description =
Type = eap-mschapv2
IncomingScript~ =
OutgoingScript~ =
AuthenticationTimeout = 120
UserService = local-users
SystemID =
--> ls services/peap-v0-service/
[ Services/peap-v0-service ]
Name = peap-v0-service
Description =
Type = peap-v0
IncomingScript~ =
OutgoingScript~ =
MaximumMessageSize = 1024
PrivateKeyPassword = cisco
ServerCertificateFile = /cisco-ar/certs/tomcat/server-cert.pem
ServerRSAKeyFile = /cisco-ar/certs/tomcat/server-key.pem
CACertificateFile = /cisco-ar/certs/tomcat/server-cert.pem
CACertificatePath =
ClientVerificationMode = none
VerificationDepth = 4
EnableSessionCache = True
SessionTimeout = "5 Minutes"
AuthenticationTimeout = 120
TunnelService = eap-mschapv2
EnableWPS = FALSE
--> ls clients/Suesser/
[ Clients/Suesser ]
Name = Suesser
Description = "Home Access Point"
IPAddress = 192.168.0.1
SharedSecret = imtestingcar
Type = NAS
Vendor =
IncomingScript~ =
OutgoingScript~ =
EnableDynamicAuthorization = FALSE
NetMask =
EnableNotifications = FALSE
If it wasn't for the fact that it is not working, I would be pretty sure that the configuration is correct. But somehow I suspect that I overlooked something real easy.
12-14-2007 11:01 AM
Anyone?
I've already tried it with a different server and Cisco1231 APs, same thing!
I'm desperate for help.
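Added example, not part of the original posts and not Cisco's code: a short Python decoder for the EAP-Message value shown in both traces above. It shows that the packet is an EAP-Response/Identity, which carries only the identity string and no User-Password or CHAP-Password attribute, and it reports which service the trace says handled the request, for comparison with the peap-v0-service configuration in the third post. The function names and the trimmed sample trace are constructed for illustration.

```python
import re

# Constructed sample: lines copied from the first post's trace, timestamps trimmed.
TRACE = """\
P915: User-Name = alonso
P915: EAP-Message = 02:00:00:0b:01:61:6c:6f:6e:73:6f
P915: Authenticating and Authorizing with Service local-users
Log: Request from Suesser (192.168.0.1): Authentication request for User alonso had no User-Password or CHAP-Password attribute in packet
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Subset of the EAP method type registry, enough for this trace.
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}


def decode_eap(hex_colon):
    """Decode the RFC 3748 header of one EAP-Message attribute value."""
    raw = bytes.fromhex(hex_colon.replace(":", ""))
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type byte
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:]
    return pkt


def summarize(trace):
    """Return the decoded EAP packet, the handling service, and whether a
    User-Password/CHAP-Password attribute line appears in the request trace."""
    eap = re.search(r"EAP-Message = ([0-9a-f:]+)", trace)
    svc = re.search(r"Authenticating and Authorizing with Service (\S+)", trace)
    has_pw = bool(re.search(r"^\S+ (User-Password|CHAP-Password) = ", trace, re.M))
    return {
        "eap": decode_eap(eap.group(1)) if eap else None,
        "service": svc.group(1) if svc else None,
        "password_attr_present": has_pw,
    }


if __name__ == "__main__":
    print(summarize(TRACE))
```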