Community discussions

MikroTik App
 
iDen
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 96
Joined: Wed Sep 15, 2010 2:26 pm
Location: Tbilisi, Georgia

[help] WDS + WPA2-EAP + FreeRadius = failure

Fri Sep 17, 2010 10:27 am

Hello
I'm trying to do WDS WPA2-EAP TLS authentication of 2 RB600
Simple WDS AP+station without EAP is working.
I've already searched forum for related topics. but they didn't help me.

So what do i have:
2x RB600
CentOS 5.5
=> freeradius2-2.1.7-7.el5 + mysql Ver 14.12 Distrib 5.0.77, + daloRADIUS 0.9.8 (SVN 0.9.9)
This setup works perfectly with Ubiquiti Nanobridge M5 EAP-TTLS.

What i've done on RB's:
Wireless interface: WDS static, AP bridge + station on other RB. SSID,FQ,Band = same
Time and date adjusted for proper cert authentication.
Most things i'm doing through winbox gui.

AP bridge security profile and rad. server:
[admin@RB600_test1] > /radius print
Flags: X - disabled 
 #   SERVICE          CALLED-ID       DOMAIN       ADDRESS         SECRET      
 0   wireless                                      192.168.0.29    secret
AP Security profile:
Image Image Image

So how should i configure WDS station ??? here what i have on it:

Image Image Image

Here's debug of radius:
It's says that it can't identify username. what should i write in db as username? as i knew EAP-TLS is using certificate authentication without usernames and passwords like EAP-TTLS is doing.
Also i've attached full freeradius debug with initial radius boot log, loaded modules and rad configurations.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.22 port 41953, id=93, length=201
	Service-Type = Framed-User
	Framed-MTU = 1400
	Acct-Session-Id = "82100859"
	Acct-Multi-Session-Id = "00-0C-42-31-5C-70-00-0C-42-23-48-0A-82-10-00-00-00-00-08-59"
	Calling-Station-Id = "00-0C-42-23-48-0A"
	Called-Station-Id = "00-0C-42-31-5C-70:MikroTik-test"
	EAP-Message = 0x0200000501
	Message-Authenticator = 0x99441f609c780c7b28d234de47b36283
	NAS-Identifier = "RB600_test1"
	NAS-IP-Address = 192.168.0.22
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 5
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns noop
++[files] returns noop
[sql] 	expand: %{User-Name} -> 
[sql] sql_set_user escaped user --> ''
rlm_sql (sql): Reserving sql socket id: 3
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = ''           ORDER BY id
[sql] 	expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = ''           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User  not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
[b]Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] UserIdentity Unknown 
[eap] Identity Unknown, authentication failed
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [<no User-Name attribute>] (from client RB600_test1 port 0 cli 00-0C-42-23-48-0A)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> 
++[attr_filter.access_reject] returns noop
Delaying reject of request 0 for 1 seconds[/b]
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.22 port 41953, id=93, length=201
Waiting to send Access-Reject to client RB600_test1 port 41953 - ID: 93
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 192.168.0.22 port 41953, id=93, length=201
Waiting to send Access-Reject to client RB600_test1 port 41953 - ID: 93
Sending delayed reject for request 0
Sending Access-Reject of id 93 to 192.168.0.22 port 41953
Waking up in 4.9 seconds.
Cleaning up request 0 ID 93 with timestamp +35
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.22 port 54462, id=94, length=201
	Service-Type = Framed-User
	Framed-MTU = 1400
	Acct-Session-Id = "8210085a"
	Acct-Multi-Session-Id = "00-0C-42-31-5C-70-00-0C-42-23-48-0A-82-10-00-00-00-00-08-5A"
	Calling-Station-Id = "00-0C-42-23-48-0A"
	Called-Station-Id = "00-0C-42-31-5C-70:MikroTik-test"
	EAP-Message = 0x0200000501
	Message-Authenticator = 0xed7b325c353b295032cd7532f1b225cb
	NAS-Identifier = "RB600_test1"
	NAS-IP-Address = 192.168.0.22
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 5
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns noop
++[files] returns noop
[sql] 	expand: %{User-Name} -> 
[sql] sql_set_user escaped user --> ''
rlm_sql (sql): Reserving sql socket id: 2
[sql] 	expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = ''           ORDER BY id
[sql] 	expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = ''           ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User  not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] UserIdentity Unknown 
[eap] Identity Unknown, authentication failed
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [<no User-Name attribute>] (from client RB600_test1 port 0 cli 00-0C-42-23-48-0A)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> 
++[attr_filter.access_reject] returns noop
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.22 port 54462, id=94, length=201
Waiting to send Access-Reject to client RB600_test1 port 54462 - ID: 94
Waking up in 0.4 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 94 to 192.168.0.22 port 54462
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.22 port 54462, id=94, length=201
Sending duplicate reply to client RB600_test1 port 54462 - ID: 94
Sending Access-Reject of id 94 to 192.168.0.22 port 54462
Waking up in 4.9 seconds.
Cleaning up request 1 ID 94 with timestamp +73
Ready to process requests.
error:
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] UserIdentity Unknown
[eap] Identity Unknown, authentication failed
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [<no User-Name attribute>] (from client RB600_test1 port 0 cli 00-0C-42-23-48-0A)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
++[attr_filter.access_reject] returns noop
You do not have the required permissions to view the files attached to this post.
MTCNA
 
User avatar
calman
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Fri Feb 06, 2009 12:16 pm

Re: [help] WDS + WPA2-EAP + FreeRadius = failure

Fri Sep 17, 2010 11:50 am

Mikrotik don't support eap ttls or peap as client! you can use eap tls with certificate on both sides.

This setup works perfectly with Ubiquiti Nanobridge M5 EAP-TTLS.
I tested ttls and peap with nanobridges an rocket, do not work really well, when the station is reset the link is established but not working...
 
iDen
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 96
Joined: Wed Sep 15, 2010 2:26 pm
Location: Tbilisi, Georgia

Re: [help] WDS + WPA2-EAP + FreeRadius = failure

Fri Sep 17, 2010 12:26 pm

Mikrotik don't support eap ttls or peap as client! you can use eap tls with certificate on both sides.
man read carefully first strings of my message :)
Hello
I'm trying to do WDS WPA2-EAP TLS authentication of 2 RB600
i told about ttls to notify that generally my radius-sql-daloradius is working. and TTLS radius module depends on pre-configured TLS module.

from debug i can see that radius can't obtain useridentity from client.
than i've found some kind of "solution" with two variants and uncommented next strings in eap.conf (first time, the first time. and the second time commented first and uncommented second one)
check_cert_issuer = "/C=ZZ/ST=Yyyyy/L=yyyyy/O=Xxx"
or
check_cert_cn = %{User-Name}
But it didn't worked

maybe someone can help me with proper configuration ??? radius can't get user identity.... what is proper config for eap.conor mikrotik side configuration for AP and station ?
MTCNA

Who is online

Users browsing this forum: nikkit8888, Reinis and 29 guests