Cisco Access Registrar and PEAP

Unanswered Question
Dec 12th, 2007

I can't figure this one out.

I've configured CAR for PEAP V0 using MS-CHAPv2 (I'm going to use the supplicant installed on Windows XP on wireless networks).

The test AP has been configured and the server is receiving the requests, however it seems that it doesn't receive the passwords.

If I try to connect to the wireless network I get the prompt for username/password, but it always rejects them. Here is the trace output:

12/13/2007 1:10:14: P915: Packet received from 192.168.0.1

12/13/2007 1:10:14: P915: Checking Message-Authenticator

12/13/2007 1:10:14: P915: Trace of Access-Request packet

12/13/2007 1:10:14: P915: identifier = 0

12/13/2007 1:10:14: P915: length = 126

12/13/2007 1:10:14: P915: reqauth = ef:ce:47:c1:4d:e3:47:a0:7b:f4:1d:eb:28:c3:7e:08

12/13/2007 1:10:14: P915: User-Name = alonso

12/13/2007 1:10:14: P915: NAS-IP-Address = 192.168.0.1

12/13/2007 1:10:14: P915: NAS-Port = 60

12/13/2007 1:10:14: P915: Framed-MTU = 1400

12/13/2007 1:10:14: P915: Called-Station-Id = 0018f8f7b98e

12/13/2007 1:10:14: P915: Calling-Station-Id = 001c106f09da

12/13/2007 1:10:14: P915: NAS-Identifier = 0018f8f7b98e

12/13/2007 1:10:14: P915: NAS-Port-Type = Wireless - IEEE 802.11

12/13/2007 1:10:14: P915: EAP-Message = 02:00:00:0b:01:61:6c:6f:6e:73:6f

12/13/2007 1:10:14: P915: Message-Authenticator = 6b:47:57:71:8c:97:37:61:21:d2:84:49:05:d3:96:8a

12/13/2007 1:10:14: P915: Using Client: Suesser

12/13/2007 1:10:14: P915: Using NAS: Suesser (192.168.0.1)

12/13/2007 1:10:14: P915: Request is directly from a NAS: TRUE

12/13/2007 1:10:14: P915: Authenticating and Authorizing with Service local-users

12/13/2007 1:10:14: P915: Getting User alonso's UserRecord from UserList Default

12/13/2007 1:10:14: Log: Request from Suesser (192.168.0.1): Authentication request for User alonso had no User-Password or CHAP-Password attribute in packet

12/13/2007 1:10:14: P915: Adding Message-Authenticator to response

12/13/2007 1:10:14: P915: Trace of Access-Reject packet

12/13/2007 1:10:14: P915: identifier = 0

12/13/2007 1:10:14: P915: length = 54

12/13/2007 1:10:14: P915: respauth = 19:02:50:72:df:29:db:bd:ca:99:6a:02:49:e0:66:c0

12/13/2007 1:10:14: P915: Reply-Message = Access Denied

12/13/2007 1:10:14: P915: Message-Authenticator = cb:d3:43:ed:1a:84:c7:1a:89:39:9b:ee:24:c9:50:45

12/13/2007 1:10:14: P915: Sending response to 192.168.0.1

12/13/2007 1:10:14: Log: Request from Suesser (192.168.0.1): User alonso rejected (MalformedRequest)

It's complaining about not having a password, right?

Well, the request did in fact had a password, but it doesn't matter, I get the same reply if I try to login with or without the password.

Obviously I'm missing something here, but I can't figure it out.

Thanks in advance

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
acorredorv Wed, 12/12/2007 - 23:37

Here is the trace output from a test using the radclient:

I've also tried to test it with the radclient and I get the same result. Here is the output from a test using the radclient:

12/13/2007 1:32:57: P956: Packet received from 127.0.0.1

12/13/2007 1:32:57: P956: Checking Message-Authenticator

12/13/2007 1:32:57: P956: Trace of Access-Request packet

12/13/2007 1:32:57: P956: identifier = 1

12/13/2007 1:32:57: P956: length = 85

12/13/2007 1:32:57: P956: reqauth = 92:19:39:4d:cc:dc:b7:78:43:de:08:3c:49:66:a4:5c

12/13/2007 1:32:57: P956: User-Name = alonso

12/13/2007 1:32:57: P956: NAS-Port = 1

12/13/2007 1:32:57: P956: Calling-Station-Id = alonso

12/13/2007 1:32:57: P956: NAS-Identifier = localhost

12/13/2007 1:32:57: P956: EAP-Message = 02:00:00:0b:01:61:6c:6f:6e:73:6f

12/13/2007 1:32:57: P956: Message-Authenticator = 93:88:8d:ca:cc:85:15:d8:14:d6:fd:52:4a:fd:8c:d1

12/13/2007 1:32:57: P956: Using Client: localhost

12/13/2007 1:32:57: P956: Running Client localhost IncomingScript: ParseServiceHints

12/13/2007 1:32:57: P956: Rex: environ->get( "Request-Type" ) -> "Access-Request"

12/13/2007 1:32:57: P956: Rex: environ->get( "Request-Type" ) -> "Access-Request"

12/13/2007 1:32:57: P956: Rex: environ->get( "User-Name" ) -> ""

12/13/2007 1:32:57: P956: Rex: request->get( "User-Name", 0 ) -> "alonso"

12/13/2007 1:32:57: P956: Using NAS: localhost (127.0.0.1)

12/13/2007 1:32:57: P956: Request is directly from a NAS: TRUE

12/13/2007 1:32:57: P956: Authenticating and Authorizing with Service local-users

12/13/2007 1:32:57: P956: Getting User alonso's UserRecord from UserList Default

12/13/2007 1:32:57: Log: Request from localhost (127.0.0.1): Authentication request for User alonso had no User-Password or CHAP-Password attribute in packet

12/13/2007 1:32:57: P956: Adding Message-Authenticator to response

12/13/2007 1:32:57: P956: Trace of Access-Reject packet

12/13/2007 1:32:57: P956: identifier = 1

12/13/2007 1:32:57: P956: length = 54

12/13/2007 1:32:57: P956: respauth = c6:e0:88:d7:f2:a6:23:20:a8:e2:fc:83:f6:35:f8:89

12/13/2007 1:32:57: P956: Reply-Message = Access Denied

12/13/2007 1:32:57: P956: Message-Authenticator = 6e:c1:eb:e6:fa:12:5d:0a:19:82:78:1b:8f:71:e8:f2

12/13/2007 1:32:57: P956: Sending response to 127.0.0.1

12/13/2007 1:32:57: Log: Request from localhost (127.0.0.1): User alonso rejected (MalformedRequest)

Same thing, and you can be sure I didn't missed the password as the radclient won't do the request without it ;)

acorredorv Thu, 12/13/2007 - 06:56

I thought it may be usefull to have the configurations:

--> ls services/eap-mschapv2/

[ Services/eap-mschapv2 ]

Name = eap-mschapv2

Description =

Type = eap-mschapv2

IncomingScript~ =

OutgoingScript~ =

AuthenticationTimeout = 120

UserService = local-users

SystemID =

--> ls services/peap-v0-service/

[ Services/peap-v0-service ]

Name = peap-v0-service

Description =

Type = peap-v0

IncomingScript~ =

OutgoingScript~ =

MaximumMessageSize = 1024

PrivateKeyPassword = cisco

ServerCertificateFile = /cisco-ar/certs/tomcat/server-cert.pem

ServerRSAKeyFile = /cisco-ar/certs/tomcat/server-key.pem

CACertificateFile = /cisco-ar/certs/tomcat/server-cert.pem

CACertificatePath =

ClientVerificationMode = none

VerificationDepth = 4

EnableSessionCache = True

SessionTimeout = "5 Minutes"

AuthenticationTimeout = 120

TunnelService = eap-mschapv2

EnableWPS = FALSE

--> ls clients/Suesser/

[ Clients/Suesser ]

Name = Suesser

Description = "Home Access Point"

IPAddress = 192.168.0.1

SharedSecret = imtestingcar

Type = NAS

Vendor =

IncomingScript~ =

OutgoingScript~ =

EnableDynamicAuthorization = FALSE

NetMask =

EnableNotifications = FALSE

If it wasn't for the fact that it is not working, I would be pretty sure that the configuration is correct. But somehow I suspect that I overlooked something real easy.

acorredorv Fri, 12/14/2007 - 11:01

Anyone?

I've already tried it with a different server and Cisco1231 AP's, same thing!

I'm desperate for help.

Actions

This Discussion