WPA TKIP/AES dynamic keys with 802.1x EAP-TLS on Cisco/MT

Hello,
I am trying without much success to get a routerOS CPE to authenticate to a Cisco 1310 AP using EAP-TLS. The Cisco AP has a radius server configured (FreeRADIUS), I have setup a CA on the FreeRADIUS box and it knows about the client / master keys and certs. I configured my MT CPE to use dynamic security profile with TKIP / AES and WPA / WPA2. The Cisco AP is configured to use Open authentication with EAP and mandatory WPA key management.

Attempting to associate with the AP using MT results in this:

21:01:53 system,info device changed by admin
21:01:54 wireless,info 00:15:F9:CC:55:00@wlan1 established connection on 2437, SSID fw-4000
21:02:04 wireless,info 00:15:F9:CC:55:00@wlan1: lost connection, decided to deauth: IEEE 802.1X authentication failed (23)
21:02:06 wireless,info 00:15:F9:CC:55:00@wlan1: failed to connect, auth failed: association denied for unknown reason (12)

However on the Cisco side of things, running with aaa/eap/dot1x debugging, I see the following:

Apr  5 01:01:54.754: dot11_auth_add_client_entry: Create new client 0015.6d53.942f for application 0x1
Apr  5 01:01:54.754: dot11_auth_initialize_client: 0015.6d53.942f is added to the client list for application 0x1
Apr  5 01:01:54.754: dot11_auth_add_client_entry: req->auth_type 0
Apr  5 01:01:54.754: dot11_auth_add_client_entry: auth_methods_inprocess: 2
Apr  5 01:01:54.755: dot11_auth_add_client_entry: eap list name: tls
Apr  5 01:01:54.755: dot11_run_auth_methods: Start auth method EAP or LEAP
Apr  5 01:01:54.755: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Apr  5 01:01:54.755: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0015.6d53.942f
Apr  5 01:01:54.755: EAPOL pak dump tx
Apr  5 01:01:54.755: EAPOL Version: 0x1  type: 0x0  length: 0x0029
Apr  5 01:01:54.755: EAP code: 0x1  id: 0x1  length: 0x0029 type: 0x1
018041D0: 01000029 01010029 01006E65 74776F72  ...)...)..networ
018041E0: 6B69643D 66772D34 3030302C 6E617369  kid=fw-4000,nasi
018041F0: 643D6170 2C706F72 7469643D 30        d=ap,portid=0
Apr  5 01:01:54.756: dot11_auth_send_msg:  sending data to requestor status 1
Apr  5 01:01:54.756: dot11_auth_send_msg: Sending EAPOL to requestor
Apr  5 01:01:54.756: dot1x-registry:registry:dot1x_ether_macaddr called
Apr  5 01:01:54.756: dot11_auth_dot1x_send_id_req_to_client: Client 0015.6d53.942f timer started for 30 seconds
Apr  5 01:01:54.780: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on Dot11Radio0.4000.
Apr  5 01:01:54.780: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
Apr  5 01:01:54.780: dot11_auth_parse_client_pak: Received EAPOL packet from 0015.6d53.942f
Apr  5 01:01:54.780: EAPOL pak dump rx
Apr  5 01:01:54.780: EAPOL Version: 0x1  type: 0x1  length: 0x0000
01803D10: 01010000                             ....
Apr  5 01:01:54.780: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 0015.6d53.942f
Apr  5 01:01:54.781: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0015.6d53.942f
Apr  5 01:01:54.781: EAPOL pak dump tx
Apr  5 01:01:54.781: EAPOL Version: 0x1  type: 0x0  length: 0x0029
Apr  5 01:01:54.781: EAP code: 0x1  id: 0x2  length: 0x0029 type: 0x1
018002E0: 01000029 01020029 01006E65 74776F72  ...)...)..networ
018002F0: 6B69643D 66772D34 3030302C 6E617369  kid=fw-4000,nasi
01800300: 643D6170 2C706F72 7469643D 30        d=ap,portid=0
Apr  5 01:01:54.781: dot11_auth_send_msg:  sending data to requestor status 1
Apr  5 01:01:54.782: dot11_auth_send_msg: Sending EAPOL to requestor
Apr  5 01:01:54.782: dot1x-registry:registry:dot1x_ether_macaddr called
Apr  5 01:01:54.782: dot11_auth_dot1x_send_id_req_to_client: Client 0015.6d53.942f timer started for 30 seconds
Apr  5 01:02:06.330: dot11_auth_client_abort: Received abort request for client 0015.6d53.942f
Apr  5 01:02:06.330: dot11_auth_client_abort: Aborting client 0015.6d53.942f for application 0x1
Apr  5 01:02:06.330: dot11_auth_delete_client_entry: 0015.6d53.942f is deleted for application 0x1

I can’t figure out where this “received abort request” is coming from. Looking at the RADIUS server logs shows no attempt was even made to authenticate against RADIUS.

Has anyone managed to get dynamic key management with a strong crypto and 802.1x / EAP-TLS working with MT / Cisco gear? Everything I’ve read says this should be really simple as the Cisco AP should just forward the EAP info off to the radius server and get back an OK or failure, but I can’t figure out what’s going wrong on this setup. Judging by the timestamps, it looks as if the MT is doing the actual disconnect, but why? How can 802.1x fail if the radius server never even got asked?

After doing some more research on the EAP protocol, the packet types are confusing.

Here’s what I think is happening:

  • MT associates to Cisco

  • Cisco sends EAP identity request to MT (Code 0x01), using EAPOL Type 0x0 (EAP Packet)

Apr  5 01:01:54.755: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0015.6d53.942f
Apr  5 01:01:54.755: EAPOL pak dump tx
Apr  5 01:01:54.755: EAPOL Version: 0x1  type: 0x0  length: 0x0029
Apr  5 01:01:54.755: EAP code: 0x1  id: 0x1  length: 0x0029 type: 0x1
018041D0: 01000029 01010029 01006E65 74776F72  ...)...)..networ
018041E0: 6B69643D 66772D34 3030302C 6E617369  kid=fw-4000,nasi
018041F0: 643D6170 2C706F72 7469643D 30        d=ap,portid=0
  • MT sends “EAPOL Start” packet to Cisco
Apr  5 01:01:54.780: dot11_auth_parse_client_pak: Received EAPOL packet from 0015.6d53.942f
Apr  5 01:01:54.780: EAPOL pak dump rx
Apr  5 01:01:54.780: EAPOL Version: 0x1  type: 0x1  length: 0x0000
01803D10: 01010000                             ....
  • Cisco resends EAP identity request to MT

  • MT aborts EAP process and disassociates

I managed just once to get the MT to respond with an EAP response packet with the username “wlan1”, but attempting to reproduce yielded the same output as above. It’s almost like the Cisco AP is preemptively sending the identity request packet, and if the MT sees two identity requests, it assumes there is an error and aborts.
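To make the EAPOL and EAP packet types in the dumps above concrete, here is an added Python decoder (it is not code from this thread, from MikroTik or from Cisco) that reads the IOS hex-dump lines quoted in the post and labels each field according to IEEE 802.1X (EAPOL header) and RFC 3748 (EAP header and Identity type-data). It assumes the IOS dump layout shown above: an address, up to four 8-digit hex words, then an ASCII column. The two sample inputs are the dump lines copied from the post (the AP's identity request and the CPE's EAPOL-Start).

```python
"""Decode the EAPOL/EAP frames from the Cisco 'EAPOL pak dump' lines quoted above.

Field names follow IEEE 802.1X-2004 (EAPOL) and RFC 3748 (EAP).
"""
import struct

# EAPOL packet types (IEEE 802.1X)
EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
    4: "EAPOL-Encapsulated-ASF-Alert",
}
# EAP codes and a few EAP method types (RFC 3748 and IANA registry)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP"}

# Constructed sample input: the dump lines copied verbatim from the post.
AP_IDENTITY_REQUEST = [
    "018041D0: 01000029 01010029 01006E65 74776F72  ...)...)..networ",
    "018041E0: 6B69643D 66772D34 3030302C 6E617369  kid=fw-4000,nasi",
    "018041F0: 643D6170 2C706F72 7469643D 30        d=ap,portid=0",
]
CPE_EAPOL_START = ["01803D10: 01010000                             ...."]


def eapol_from_debug_dump(dump_lines):
    """Reassemble the raw frame bytes from IOS 'ADDR: WORD WORD WORD WORD  ascii' lines.

    Assumption about the dump layout: after the address the hex words occupy a
    fixed 35-character column block, followed by the ASCII rendering, which is
    ignored so that an ASCII column that happens to look like hex is never read.
    """
    raw = bytearray()
    for line in dump_lines:
        hex_area = line.split(":", 1)[1].strip("\n")[:36]
        for word in hex_area.split():
            raw += bytes.fromhex(word)
    return bytes(raw)


def parse_eap(body):
    """Parse one EAP packet (RFC 3748 section 4) carried inside an EAPOL EAP-Packet."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length > len(body):
        raise ValueError(f"EAP length {length} exceeds {len(body)} bytes present")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte and type-data
        etype = body[4]
        pkt["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
        data = body[5:length]
        if etype == 1:
            # RFC 3748 5.1: optional displayable prompt, then an optional NUL
            # followed by implementation-specific options (Cisco's networkid=... string).
            prompt, _, options = data.partition(b"\x00")
            pkt["identity_prompt"] = prompt.decode("ascii", "replace")
            pkt["identity_options"] = options.decode("ascii", "replace")
    return pkt


def parse_eapol(frame):
    """Parse the 4-byte EAPOL header; decode the EAP body only for type 0 (EAP-Packet)."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) < length:
        raise ValueError(f"EAPOL length {length} exceeds {len(body)} bytes present")
    result = {
        "eapol_version": version,
        "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
        "eapol_length": length,
    }
    if ptype == 0:
        result["eap"] = parse_eap(body)
    # EAPOL-Start / EAPOL-Logoff legitimately have length 0 and no EAP body.
    return result


def decode_thread_dumps():
    """Decode both frames quoted in the post and return them by name."""
    return {
        "ap_identity_request": parse_eapol(eapol_from_debug_dump(AP_IDENTITY_REQUEST)),
        "cpe_eapol_start": parse_eapol(eapol_from_debug_dump(CPE_EAPOL_START)),
    }


if __name__ == "__main__":
    for name, decoded in decode_thread_dumps().items():
        print(name, decoded)
```

Run as-is it shows that the AP frame is an EAPOL EAP-Packet carrying an EAP Request (id 1) of type Identity whose type-data is an empty prompt followed by the NUL-separated options string `networkid=fw-4000,nasid=ap,portid=0`, and that the CPE's frame is a bare EAPOL-Start with length 0 and no EAP payload, which is why the AP answers it with a fresh Identity request (id 2 in the log above). A supplicant is expected to answer that second request with an EAP Response/Identity; the abort in the log happens before any such response appears.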

ARGH! I had it! MT just sent username, certificate, RADIUS was contacted and gave an Access-Accept, everything looked great…

	Interface Dot11Radio0, Station 0015.6d53.942f Associated KEY_MGMT[WPAv2]

until…

02:52:38 wireless,info 00:15:F9:CC:55:00@wlan1 established connection on 2437, SSID fw-4000 
02:52:49 wireless,info 00:15:F9:CC:55:00@wlan1: lost connection, decided to deauth: 4-way handshake timeout (15)

:question:

I’m now convinced this is some kind of bug with the MT EAP implementation. I left the board sitting there trying to associate, after a ton of “802.1x failed” messages, I had another “4-way handshake timeout”. RADIUS logs showed again that a successful EAP-TLS challenge had taken place and the Access-Accept was sent along with dynamic WPA keys.

Yeah, I am having the EXACT same problem. Trying to get eap-tls working with an Aironet 1200 and Debian 4.0r0/FreeRadius. I have no idea what’s going on or what to do. I’m debating on going to PEAP. Have you had any updates on this problem or figured out a workaround?

Nothing new yet, unfortunately we had a surge of new customers and all my lab hardware is now sitting in the field. I should hopefully be getting another shipment this month or next month to play around with. In the meantime I’ve ruled out it being a problem with the Cisco AP - I imported the keys into my Windows keyring and my Atheros PCI card associated and authenticated with the AP just fine.

MT support suggested changing the ack-timeout value to “indoors” but I have not yet had a chance to try this.

Hey R1ch - I just got EAP-TLS working with Vista(client), Aironet 1200 and FreeRadius server with Debian. I don’t know if it will help, but I more or less followed this 3-part guide and got everything up and running :slight_smile:.

http://www.linuxjournal.com/article/8017
http://www.linuxjournal.com/node/8095/
http://www.linuxjournal.com/article/8151

Let me know if it works out.

I am having the same problem.

I have a freeradius server, a Routerboard 532 (2.9.43) with a NMP-8602 PLUS minipci card configured as an AP and a Windows XP laptop with an ORiNOCO 802.11abg ComboCard Gold configured as a supplicant.

I followed the instructions given at: http://text.dslreports.com/forum/remark,9286052~mode=flat
This post describes how to build a FreeRADIUS server for TLS and PEAP authentication, and how to configure the Windows XP clients (supplicants).

The authentication is successful after many requests.

However, if I replace the Routerboard 532 (2.9.43) with any made-in-China AP, the authentication is successful at the first request.

Can somebody tell me if EAP-TLS is fully supported in MikroTik?