802.1x EAP-MD5 authentication

Hi,
I have problems authenticating the TK1 Ethernet with the 802.1x EAP-MD5 method using wpa_supplicant. The wpa_supplicant configuration file seems to be OK; if I use it on an Ubuntu 14.04 PC, the authentication works.

Here are the logs from the various components.

wpa_supplicant launch command:

sudo wpa_supplicant -i eth0 -D wired -t -ddd -c /etc/wpa_supplicant.conf

wpa_supplicant conf:

ap_scan=0
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0

network={
	key_mgmt=IEEE8021X
	eap=MD5
	identity="hubtest"
	password="testtesttest"
}

wpa_supplicant log:

1595516226.354444: wpa_supplicant v2.1
1595516226.354536: random: Trying to read entropy from /dev/random
1595516226.354560: Successfully initialized wpa_supplicant
1595516226.354581: Initializing interface 'eth0' conf '/etc/wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A'
1595516226.354601: Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
1595516226.354616: Reading configuration file '/etc/wpa_supplicant.conf'
1595516226.354667: ap_scan=0
1595516226.354685: ctrl_interface='/var/run/wpa_supplicant'
1595516226.354711: ctrl_interface_group='0'
1595516226.354726: Line: 4 - start of a new network block
1595516226.354741: key_mgmt: 0x8
1595516226.354761: eap methods - hexdump(len=16): 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00
1595516226.354795: identity - hexdump_ascii(len=7):
     68 75 62 74 65 73 74                              hubtest        
1595516226.354856: password - hexdump_ascii(len=12): [REMOVED]
1595516226.354872: eapol_flags=0 (0x0)
1595516226.354907: Priority group 0
1595516226.354920:    id=0 ssid=''
1595516226.355074: wpa_driver_wired_init: Added multicast membership with packet socket
1595516226.355093: Add interface eth0 to a new radio N/A
1595516226.361735: eth0: Own MAC address: 00:01:2e:71:19:49
1595516226.361768: eth0: RSN: flushing PMKID list in the driver
1595516226.361785: eth0: Setting scan request: 0.100000 sec
1595516226.361856: eth0: WPS: UUID based on MAC address: 30ebf11f-e89e-5b9d-8712-f14279bbdd66
1595516226.364970: EAPOL: SUPP_PAE entering state DISCONNECTED
1595516226.365003: EAPOL: Supplicant port status: Unauthorized
1595516226.365018: EAPOL: KEY_RX entering state NO_KEY_RECEIVE
1595516226.365033: EAPOL: SUPP_BE entering state INITIALIZE
1595516226.365045: EAP: EAP entering state DISABLED
1595516226.365849: ctrl_interface_group=0
1595516226.365968: eth0: Added interface eth0
1595516226.365988: eth0: State: DISCONNECTED -> DISCONNECTED
1595516226.366049: random: Got 20/20 bytes from /dev/random
1595516226.461908: EAPOL: External notification - EAP success=0
1595516226.461949: EAPOL: External notification - EAP fail=0
1595516226.461957: EAPOL: External notification - portControl=Auto
1595516226.461972: eth0: Already associated with a configured network - generating associated event
1595516226.461991: eth0: Event ASSOC (0) received
1595516226.462010: eth0: Association info event
1595516226.462025: FT: Stored MDIE and FTIE from (Re)Association Response - hexdump(len=0):
1595516226.462040: eth0: State: DISCONNECTED -> ASSOCIATED
1595516226.462053: eth0: Associated to a new BSS: BSSID=01:80:c2:00:00:03
1595516226.462062: Add randomness: count=1 entropy=0
1595516226.462070: random pool - hexdump(len=128): [REMOVED]
1595516226.462079: random_mix_pool - hexdump(len=8): [REMOVED]
1595516226.462087: random_mix_pool - hexdump(len=6): [REMOVED]
1595516226.462095: random pool - hexdump(len=128): [REMOVED]
1595516226.462104: eth0: Select network based on association information
1595516226.462114: eth0: Network configuration found for the current AP
1595516226.462126: eth0: WPA: clearing AP WPA IE
1595516226.462137: eth0: WPA: clearing AP RSN IE
1595516226.462146: eth0: WPA: clearing own WPA/RSN IE
1595516226.462156: eth0: Failed to get scan results
1595516226.462164: EAPOL: External notification - EAP success=0
1595516226.462172: EAPOL: External notification - EAP fail=0
1595516226.462180: EAPOL: External notification - portControl=Auto
1595516226.462191: eth0: Associated with 01:80:c2:00:00:03
1595516226.462205: eth0: WPA: Association event - clear replay counter
1595516226.462215: eth0: WPA: Clear old PTK
1595516226.462224: EAPOL: External notification - portEnabled=0
1595516226.462233: EAPOL: External notification - portValid=0
1595516226.462241: EAPOL: External notification - portEnabled=1
1595516226.462249: EAPOL: SUPP_PAE entering state CONNECTING
1595516226.462256: EAPOL: SUPP_BE entering state IDLE
1595516226.462264: EAP: EAP entering state INITIALIZE
1595516226.462271: EAP: EAP entering state IDLE
1595516226.462281: eth0: Cancelling scan request
1595516227.365987: EAPOL: startWhen --> 0
1595516227.366028: EAPOL: SUPP_PAE entering state CONNECTING
1595516227.366038: EAPOL: txStart
1595516227.366048: TX EAPOL: dst=01:80:c2:00:00:03
1595516227.366059: TX EAPOL - hexdump(len=4): 01 01 00 00
1595516227.366906: eth0: RX EAPOL from f0:9f:c2:1b:3a:27
1595516227.366930: RX EAPOL - hexdump(len=46): 01 00 00 04 03 01 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1595516227.366956: EAPOL: Received EAP-Packet frame
1595516227.366965: EAPOL: SUPP_PAE entering state RESTART
1595516227.366973: EAP: EAP entering state INITIALIZE
1595516227.366981: EAP: EAP entering state IDLE
1595516227.366989: EAPOL: SUPP_PAE entering state AUTHENTICATING
1595516227.366996: EAPOL: SUPP_BE entering state REQUEST
1595516227.367024: EAPOL: getSuppRsp
1595516227.367033: EAP: EAP entering state RECEIVED
1595516227.367057: EAP: Received EAP-Success
1595516227.367070: EAP: Status notification: completion (param=success)
1595516227.367087: EAP: Workaround for unexpected identifier field in EAP Success: reqId=1 lastId=-1 (these are supposed to be same)
1595516227.367100: EAP: EAP entering state FAILURE
1595516227.367110: eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
1595516227.367118: EAPOL: SUPP_PAE entering state HELD
1595516227.367126: EAPOL: Supplicant port status: Unauthorized
1595516227.367134: EAPOL: SUPP_BE entering state RECEIVE
1595516227.367142: EAPOL: SUPP_BE entering state FAIL
1595516227.367149: EAPOL: SUPP_BE entering state IDLE
1595516227.367157: EAPOL authentication completed - result=FAILURE
1595516236.211181: l2_packet_receive - recvfrom: Network is down
1595516257.392865: EAPOL: authWhile --> 0
1595516257.392917: EAPOL: startWhen --> 0
1595516259.787490: eth0: RX EAPOL from f0:9f:c2:1b:3a:27
1595516259.787545: RX EAPOL - hexdump(len=46): 01 00 00 05 01 00 00 05 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1595516259.787590: EAPOL: Received EAP-Packet frame
1595516259.787606: EAPOL: SUPP_PAE entering state RESTART
1595516259.787625: EAP: EAP entering state INITIALIZE
1595516259.787641: EAP: EAP entering state IDLE
1595516259.787657: EAPOL: SUPP_PAE entering state AUTHENTICATING
1595516259.787672: EAPOL: SUPP_BE entering state REQUEST
1595516259.787686: EAPOL: getSuppRsp
1595516259.787715: EAP: EAP entering state RECEIVED
1595516259.787749: EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
1595516259.787766: EAP: EAP entering state IDENTITY
1595516259.787793: eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
1595516259.787815: EAP: Status notification: started (param=)
1595516259.787843: EAP: EAP-Request Identity data - hexdump_ascii(len=0):
1595516259.787860: EAP: using real identity - hexdump_ascii(len=7):
     68 75 62 74 65 73 74                              hubtest        
1595516259.787897: EAP: EAP entering state SEND_RESPONSE
1595516259.787912: EAP: EAP entering state IDLE
1595516259.787926: EAPOL: SUPP_BE entering state RESPONSE
1595516259.787939: EAPOL: txSuppRsp
1595516259.787954: TX EAPOL: dst=01:80:c2:00:00:03
1595516259.787968: TX EAPOL - hexdump(len=16): 01 00 00 0c 02 00 00 0c 01 68 75 62 74 65 73 74
1595516259.788002: EAPOL: SUPP_BE entering state RECEIVE
1595516260.809598: eth0: RX EAPOL from f0:9f:c2:1b:3a:27
1595516260.809637: RX EAPOL - hexdump(len=46): 01 00 00 04 04 01 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1595516260.809668: EAPOL: Received EAP-Packet frame
1595516260.809680: EAPOL: SUPP_BE entering state REQUEST
1595516260.809691: EAPOL: getSuppRsp
1595516260.809716: EAP: EAP entering state RECEIVED
1595516260.809734: EAP: Received EAP-Failure
1595516260.809746: EAP: Status notification: completion (param=failure)
1595516260.809761: EAP: Workaround for unexpected identifier field in EAP Success: reqId=1 lastId=0 (these are supposed to be same)
1595516260.809772: EAP: EAP entering state FAILURE
1595516260.809784: eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
1595516260.809794: EAPOL: SUPP_PAE entering state HELD
1595516260.809805: EAPOL: SUPP_BE entering state RECEIVE
1595516260.809815: EAPOL: SUPP_BE entering state FAIL
1595516260.809825: EAPOL: SUPP_BE entering state IDLE
1595516260.809836: EAPOL authentication completed - result=FAILURE
1595516290.421753: EAPOL: authWhile --> 0
1595516292.032412: l2_packet_receive - recvfrom: Network is down
1595516296.187551: eth0: RX EAPOL from f0:9f:c2:1b:3a:27
1595516296.187615: RX EAPOL - hexdump(len=46): 01 00 00 04 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1595516296.187681: EAPOL: Received EAP-Packet frame
1595516296.187726: EAPOL: SUPP_PAE entering state RESTART
1595516296.187792: EAP: EAP entering state INITIALIZE
1595516296.187811: EAP: EAP entering state IDLE
1595516296.187828: EAPOL: SUPP_PAE entering state AUTHENTICATING
1595516296.187843: EAPOL: SUPP_BE entering state REQUEST
1595516296.187856: EAPOL: getSuppRsp
1595516296.187870: EAP: EAP entering state RECEIVED
1595516296.187894: EAP: Received EAP-Success
1595516296.187909: EAP: Status notification: completion (param=success)
1595516296.187929: EAP: Workaround for unexpected identifier field in EAP Success: reqId=0 lastId=-1 (these are supposed to be same)
1595516296.187943: EAP: EAP entering state FAILURE
1595516296.187957: eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
1595516296.187970: EAPOL: SUPP_PAE entering state HELD
1595516296.187985: EAPOL: SUPP_BE entering state RECEIVE
1595516296.187998: EAPOL: SUPP_BE entering state FAIL
1595516296.188015: EAPOL: SUPP_BE entering state IDLE
1595516296.188036: EAPOL authentication completed - result=FAILURE
1595516312.856617: eth0: Removing interface eth0
1595516312.856665: eth0: Request to deauthenticate - bssid=01:80:c2:00:00:03 pending_bssid=00:00:00:00:00:00 reason=3 state=ASSOCIATED
1595516312.856677: eth0: Event DEAUTH (12) received
1595516312.856687: eth0: Deauthentication notification
1595516312.856716: eth0:  * reason 3 (locally generated)
1595516312.856729: Deauthentication frame IE(s) - hexdump(len=0): [NULL]
1595516312.856745: eth0: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
1595516312.856758: eth0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="" auth_failures=1 duration=10
1595516312.856773: eth0: Auto connect disabled: do not try to re-connect
1595516312.856788: eth0: Ignore connection failure indication since interface has been put into disconnected state
1595516312.856804: eth0: State: ASSOCIATED -> DISCONNECTED
1595516312.856822: EAPOL: External notification - portEnabled=0
1595516312.856834: EAPOL: SUPP_PAE entering state DISCONNECTED
1595516312.856843: EAPOL: Supplicant port status: Unauthorized
1595516312.856851: EAPOL: SUPP_BE entering state INITIALIZE
1595516312.856860: EAP: EAP entering state DISABLED
1595516312.856868: EAPOL: External notification - portValid=0
1595516312.856879: eth0: State: DISCONNECTED -> DISCONNECTED
1595516312.856888: EAPOL: External notification - portEnabled=0
1595516312.856896: EAPOL: External notification - portValid=0
1595516312.863251: eth0: Cancelling scan request
1595516312.863271: eth0: Cancelling authentication timeout
1595516312.863300: Remove interface eth0 from radio
1595516312.863313: Remove radio
1595516312.868713: eth0: CTRL-EVENT-TERMINATING

Ubiquiti switch log:

Jul 24 14:37:54 UBNT daemon.notice switch: TRAPMGR: Link Up: 0/3
Jul 24 14:37:56 UBNT daemon.notice switch: DOT1X: Radius authentication failed on interface [ifName not found(96)].

Freeradius log on Ubiquiti gateway:

rad_recv: Access-Request packet from host 192.168.2.10 port 50431, id=73, length=152
    User-Name = "00012E674339"
    Called-Station-Id = "F0-9F-C2-1B-3A-28"
    Calling-Station-Id = "00-01-2E-67-43-39"
    NAS-Identifier = "F0-9F-C2-1B-3A-27"
    NAS-IP-Address = 192.168.2.10
    NAS-Port = 3
    Framed-MTU = 1500
    NAS-Port-Type = Ethernet
    EAP-Message = 0x0200001101303030313245363734333339
    Message-Authenticator = 0x8dee66d80dad44ef90b95a4915ee5cc4
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "00012E674339", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 73 to 192.168.2.10 port 50431
    Acct-Interim-Interval = 3600
    EAP-Message = 0x010100160410c903f9a4c6e77bdd588c9cd70be8ddd8
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x75fbbb5575fabfdd3c1af195d3c0fd88
Finished request 72.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.10 port 50431, id=74, length=170
    User-Name = "hubtest"
    Called-Station-Id = "F0-9F-C2-1B-3A-28"
    Calling-Station-Id = "00-01-2E-67-43-39"
    NAS-Identifier = "F0-9F-C2-1B-3A-27"
    NAS-IP-Address = 192.168.2.10
    NAS-Port = 3
    Framed-MTU = 1500
    NAS-Port-Type = Ethernet
    State = 0x75fbbb5575fabfdd3c1af195d3c0fd88
    EAP-Message = 0x02010016041009d6164d199bff5b5bab4bb6696a6815
    Message-Authenticator = 0x5f8ce9c2dd6dfff364c16df64260a63b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "hubtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 1
[files] users: Matched entry hubtest at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] Identity does not match User-Name.  Authentication failed.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [hubtest] (from client client-5f18355b8f2a6704be68daeb port 3 cli 00-01-2E-67-43-39)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> hubtest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 73 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 73
Sending Access-Reject of id 74 to 192.168.2.10 port 50431
Waking up in 3.9 seconds.

Can you help me?

Thank you.

Ivan

I’m bad with WiFi, but one thought immediately sticks out: Newer releases will require WPA2 (or 3?), not just WPA. Perhaps you are just working with a system which has mandatory requirements for something newer than what used to work with the very outdated Ubuntu 14.04.

Hi,
I’m not talking about wifi, but 802.1x on Ethernet port, without wpa. Anyway, I wanted to say that it works on a 14.04 PC (with the same wpa_supplicant version), but not on TK1.

Ivan

I tend to associate anything WPA as WiFi, but I suppose it can be used on wired. See:
https://en.wikipedia.org/wiki/Wpa_supplicant

Regardless of being for wired or WiFi, I suspect that WPA used on something demanding WPA2 would still be an issue. One of the symptoms would be that it works on older Linux releases, but not on newer releases. I don’t know how to test if that is the issue, but thought I’d throw it out there since I know some newer systems demand WPA2 and will fail if older WPA is used.

The TK1 is also based on Ubuntu 14.04, but on Ubuntu 14.04 PC it works correctly, on the TK1 it doesn’t work. The wpa_supplicant versions are the same.

It does sound like it isn’t a release version issue.

I am not particularly useful with WPA, but your question is getting more interesting. For the above log snippet, can you say more about the “Ubiquiti switch”? Is there a particular model or hardware information available? When you use this switch with a working Ubuntu 14.04 host (or any linux host which works for that matter), what would you expect to see in the logs for success? What sticks out to me is this specific part: “[ifName not found(96)]”. Knowing more about how an interface is created and/or found might offer a clue. Incidentally, does that switch have an ability to generate a more verbose log?

Hi,
I don’t think the switch has a more verbose log. Anyway, I suppose that the main error is in the Freeradius log:

[eap] Identity does not match User-Name.  Authentication failed.

Thank you.
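
Added example, not part of the thread and not FreeRADIUS code: a Python decoder for the EAP-Message values in the FreeRADIUS log above, with a model of the check behind "Identity does not match User-Name". It assumes the server remembers the identity from the EAP-Response/Identity and compares it with User-Name in later requests of the same conversation; the function names are hypothetical.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}

def parse_eap(hex_value):
    """Decode one EAP packet from the hex form of a RADIUS EAP-Message."""
    text = hex_value[2:] if hex_value.startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 4 <= length <= len(raw):
        raise ValueError("EAP length field does not fit the data")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2) and length > 4:  # only Request/Response carry a type
        etype, data = raw[4], raw[5:length]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:
            pkt["identity"] = data.decode("ascii", "replace")
        elif etype == 4:
            # MD5-Challenge data: 1-byte value size, value, optional name
            if not data or 1 + data[0] > len(data):
                raise ValueError("bad MD5-Challenge value size")
            pkt["value"] = data[1:1 + data[0]].hex()
    return pkt

def find_identity_mismatches(requests):
    """requests: (User-Name, EAP-Message hex) pairs of one conversation, in order.

    Returns (eap_id, user_name, identity) for every request whose User-Name
    differs from the identity given in the EAP-Response/Identity.
    Assumption: this models the server-side comparison, it is not its code.
    """
    identity, mismatches = None, []
    for user_name, eap_hex in requests:
        pkt = parse_eap(eap_hex)
        if pkt.get("type") == "Identity":
            identity = pkt["identity"]
        if identity is not None and user_name != identity:
            mismatches.append((pkt["id"], user_name, identity))
    return mismatches

# The two Access-Requests copied from the FreeRADIUS log above; the second
# carries the State value issued with the Access-Challenge.
LOGGED_REQUESTS = [
    ("00012E674339", "0x0200001101303030313245363734333339"),
    ("hubtest", "0x02010016041009d6164d199bff5b5bab4bb6696a6815"),
]

if __name__ == "__main__":
    for user_name, eap_hex in LOGGED_REQUESTS:
        print(user_name, parse_eap(eap_hex))
    print(find_identity_mismatches(LOGGED_REQUESTS))
```

On the logged values, the Identity response decodes to "00012E674339", while the MD5-Challenge response that follows arrives with User-Name "hubtest".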

I have no way to help on that, but just as a general statement, many devices such as this with security will remember/cache certain credentials, and compare, then become upset when something has changed (a protection against “man in the middle”). As a simple test, have you tried rebooting the Ubiquiti switch? Does the Ubiquiti switch have a method to “clear” old data or settings for the one connection?