802.1x wired EAP authentication not functioning as expected |
||||||
Issue description
Chrome OS Version: 48 stable , 49 stable
Chrome OS Platform: Chromebox devices
Network info: Previous switch model was HP ProCurve 5400zl/2610 and now they have replaced these for Meraki MS220-48LP. The network is configured for 802.1x authentication. When a device can not authenticate it is placed on the guest VLAN(10.1.128.0). The Corp VLAN is 192.168.7.0. Even though though the configuration is the same between the two site's, the device's connected to the Meraki network can not authenticate on the the Corp network.
Please specify Cr-* of the system to which this bug/feature applies (add
the label below).
Steps To Reproduce:
Requirement's:
* Linux or mac system
* Tcpreplay
- install via apt (linux) or brew (Mac)
* Access to google drive were logs' screen and packet capture are located.
* Chromebox configured for wired 802.1x authentication.
* Wireshark is handy for analysis
(1) Ensure that policy has been deployed to device via Chrome://policy (need to connect internet for the policy to download)
(2) Disconnect from all network's and then connect the chrome box to your device via ethernet
(3) Run wireshark on your device. This is the system that has wireshark on it. You should be listening to the ethernet port you have connected to the chrome box
(4) run the following command "tcpreplay -v -l30 -p1 --inf1=eth1 mera802.1.pcap"
This command will replay the Meraki packets out on to the network as if the switch was in your local environment. It will send out 1 packet per second. -l << how many times to send the packets out. -p is packets per second and --inf1 is the interface you wish to use. Select the interface attached to the Chrome box.
(5) Observe Wireshark to see event's on the wire.
Expected Result:
The minimum that you should see should be a response from the Chrome box. The response from the Chrome box should contain just a username in order to initiate the process.
As you can see from screen shot attached named req&res my local system is able to perform a response to the EAP request's. What is attached in that image is what I expect to see from the chrome box with it's MAC address and specified user name.
Actual Result:
There is nothing that is seen. It is like the Chrome box is not detecting the EAP packets. There extra information
How frequently does this problem reproduce?
Always
What is the impact to the user, and is there a workaround? If so, what is
it?
The user is not able to authenticate to the network in there preferred authentication method. The work around that the user has implemented is MAC based authentication.
Please provide any additional information below. Attach a screen shot or
log if possible.
From this snippet taken during the test. I can see that in my local environment the packet are detected on a network level but not
2016-03-24T11:56:54.648415+00:00 DEBUG shill[2454]: [VERBOSE2:eap_credentials.cc(273)] (eap_credentials) Connectable. !EAP-TLS and has a password.
2016-03-24T11:56:59.641813+00:00 NOTICE wpa_supplicant[2219]: eth0: CTRL-EVENT-EAP-STARTED EAP authentication started
2016-03-24T11:56:59.642534+00:00 DEBUG shill[2454]: [VERBOSE1:object_proxy.cc(495)] Signal received: message_type: MESSAGE_SIGNAL#012path: /fi/w1/wpa_supplicant1/Interfaces/2#012interface: fi.w1.wpa_supplicant1.Interface#012member: EAP#012sender: :1.2#012signature: ss#012serial: 6028#012#012string "started"#012string ""#012
2016-03-24T11:56:59.642754+00:00 INFO shill[2454]: [INFO:ethernet.cc(393)] In EAPEventTask with status started, parameter
2016-03-24T11:56:59.642791+00:00 INFO shill[2454]: [INFO:supplicant_eap_state_handler.cc(77)] EAP: Authentication starting.
2016-03-24T11:56:59.671308+00:00 NOTICE wpa_supplicant[2219]: eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
2016-03-24T11:56:59.671899+00:00 DEBUG shill[2454]: [VERBOSE1:object_proxy.cc(495)] Signal received: message_type: MESSAGE_SIGNAL#012path: /fi/w1/wpa_supplicant1/Interfaces/2#012interface: fi.w1.wpa_supplicant1.Interface#012member: EAP#012sender: :1.2#012signature: ss#012serial: 6029#012#012string "refuse proposed method"#012string "TLS"#012
2016-03-24T11:56:59.671955+00:00 INFO shill[2454]: [INFO:ethernet.cc(393)] In EAPEventTask with status refuse proposed method, parameter TLS
2016-03-24T11:57:00.707464+00:00 NOTICE wpa_supplicant[2219]: eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
2016-03-24T11:57:00.707945+00:00 DEBUG shill[2454]: [VERBOSE1:object_proxy.cc(495)] Signal received: message_type: MESSAGE_SIGNAL#012path: /fi/w1/wpa_supplicant1/Interfaces/2#012interface: fi.w1.wpa_supplicant1.Interface#012member: EAP#012sender: :1.2#012signature: ss#012serial: 6030#012#012string "completion"#012string "failure"#012
2016-03-24T11:57:00.708172+00:00 INFO shill[2454]: [INFO:ethernet.cc(393)] In EAPEventTask with status completion, parameter failure
2016-03-24T11:57:00.708212+00:00 INFO shill[2454]: [INFO:ethernet.cc(400)] EAP authentication failed!
This claims that authentication failed. I don't understand how authentication can fail even before an attempt to authenticate. I know that the device has not attempted to authenticate because the response to thew request would have been seen by me.
I don't believe that this is an issue related to the difference in switch. The meraki switch is using 802.1x version 2004 while the HP switch is using 802.1x 2001. I have tested this with a different linux system that I configured for 802.1x authentication. I found out that version is not a problem is the protocol is back ward compatible. I attempted replying the HP request packets to the Chrome box with no difference in result's.
The following snippet seems to suggest something related to authentication detail but I am unsure as to what specially
2016-03-24T12:02:15.187675+00:00 DEBUG shill[2454]: [VERBOSE1:service.cc(1204)] /service/0 OnPropertyChanged EAP.AnonymousIdentity
2016-03-24T12:02:15.194206+00:00 DEBUG shill[2454]: [VERBOSE1:service.cc(1204)] /service/0 OnPropertyChanged EAP.Identity
2016-03-24T12:02:15.198725+00:00 DEBUG shill[2454]: [VERBOSE1:service.cc(1204)] /service/0 OnPropertyChanged EAP.InnerEAP
2016-03-24T12:02:15.204277+00:00 DEBUG shill[2454]: [VERBOSE1:service.cc(1204)] /service/0 OnPropertyChanged EAP.Password
2016-03-24T12:04:27.945720+00:00 DEBUG shill[2454]: [VERBOSE1:service.cc(1204)] /service/0 OnPropertyChanged EAP.AnonymousIdentity
2016-03-24T12:04:27.954479+00:00 DEBUG shill[2454]: [VERBOSE1:service.cc(1204)] /service/0 OnPropertyChanged EAP.CACertPEM
2016-03-24T12:04:27.960457+00:00 DEBUG shill[2454]: [VERBOSE1:service.cc(1204)] /service/0 OnPropertyChanged EAP.Identity
2016-03-24T12:04:27.967340+00:00 DEBUG shill[2454]: [VERBOSE1:service.cc(1204)] /service/0 OnPropertyChanged EAP.Password
In the G drive you will find multiple file. You will see initial config, policy doc and packet capture from HP switch and Meraki switch. These capture's were taken from the original effected network. hp8021.pcap & mera802.1.pcap these two file are just one packet pcap's for use with tcpreplay. A screenshot of the radius config is also available there in order to aid in diagnosis.
URL to Gdrive: https://drive.google.com/open?id=0B9BQIK7d0CYNNnMxYjJoVHNNWGc
,
Mar 24 2016
We actually use PEAP on our network and the credentials saved in the chrome profile is for peap/mschapv2 but that should not change the eap identity request sent from the meraki switch in any way. On the network, we are seeing no response from the chromebox to the meraki challenge. The authentication simply times out and the switch sets the port to the unauth vlan.
,
Mar 24 2016
From the Chrome device's perspective, it has credentials for some non-certificate authentication (no reason to believe it's not PEAP/MSCHAPv2): 2016-03-24T11:56:54.648415+00:00 DEBUG shill[2454]: [VERBOSE2:eap_credentials.cc(273)] (eap_credentials) Connectable. !EAP-TLS and has a password. but it's seeing a RADIUS request for EAP-TLS: 2016-03-24T11:56:59.671308+00:00 NOTICE wpa_supplicant[2219]: eth0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK Feel free to share more detailed logging, which you can do by opening a crosh shell (Ctrl-Alt-T) and entering "wpa_debug excessive" in order to get a more detailed result from wpa_supplicant as to what it is sending and receiving.
,
Mar 24 2016
Sorry I don't know how to get that stuff. That was from the tech in charge. I do have the network pcaps. Perhaps that behavior can be explained by the slight difference in the EAP request from the HP and the Meraki switches. The HP EAP request has "User name:" in the request but the Meraki does not. Since the chromebox does not see User Name, it assumes cert auth instead of user/pass auth.
,
Mar 24 2016
The procedure (crosh/wpa_debug) should be performed on the chromebox. The "cert auth" decision is not being made by the chromebox or the network switch. It's being performed by the remote authentication RADIUS server that the switch is configured to relay EAP to.
,
Mar 24 2016
In our environment, the chromebox never responds to the EAP request that is sent by the Meraki switch (as seen in the pcaps) so no request is ever received on the radius server. A windows pc plugged into the same port will respond and authenticate fine. I will try to figure out how to get the wpa debugs so I can capture it next time I am onsite.
,
Mar 28 2016
Sorry the directions you gave were not very clear. I ran wpa_debug debug in crosh and then enabled 802.1x on the meraki switch port and plugged in the chromebox. Nothing was output on the console. Here is the net.log. Do you require any other files from the debug capture? Nothing changed from the switch perspective. The pcap shows the switch sending an eap request but no response from the chromebox.
,
Mar 28 2016
For the entirety of net.log there are no messages of the form "wpa_supplicant[xxx]: eth0:" in the logs as they are in the logs shared by djeche@ in the original report, so it appears the issue originally described isn't happening anymore or you have run into a different issue. Do you have any idea what happened there that would be different?
,
Mar 29 2016
I don't know how David got that. Those are not what I provided in my ticket. I have tried with multiple switches in the meraki 220 family and the results are the same. The chromeboxes do not respond to the eap challenge. Plug a Windows machine into the same port and everything works as expected. No combination of settings on the meraki switches makes a difference. For some reason the chromeboxes do not recognize that they are being challenged for credentials. The only differences in the eap requests from the hp and meraki is the hp has 8021x version 2001 vs meraki's version 2004 and the hp has identity: user name while the meraki identity parameter is empty.
,
Mar 29 2016
The logs shown on the initial post are from my test environment. I was testing various things in order to try better understand the issue in question.
I was under the assumption that the device might not be reacting to EAP packet's simply because it was not sync the data appropriately from the admin panel. I have replicated the customer as best I can.
[16:23:18] NetworkPropertiesUpdated: Ethernet EAP Parameters (/service/0)
[16:23:18] InitialPropertiesReceived: /service/0: Ethernet EAP Parameters State: idle Visible: 0
[16:23:18] RequestUpdate: /service/0
[16:23:18] NetworkPropertyUpdated: Ethernet EAP Parameters.ProxyConfig = "{\"mode\":\"direct\"}"
[16:23:18] NetworkPropertyUpdated: Ethernet EAP Parameters.GUID = "{e9244e97-62e1-4acf-874f-fdc1f79fae75}"
[16:23:18] RequestUpdate: /service/0
[16:23:18] NetworkPropertyUpdated: Ethernet EAP Parameters.Profile = "/profile/chronos/shill"
[16:23:18] RequestScan
[16:23:18] Configure: etherneteap.UIData="{\"onc_source\":\"user_policy\"}"
[16:23:18] Configure: etherneteap.Type="etherneteap"
[16:23:18] Configure: etherneteap.SaveCredentials=true
[16:23:18] Configure: etherneteap.ProxyConfig="{\"mode\":\"direct\"}"
[16:23:18] Configure: etherneteap.Profile="/profile/chronos/shill"
[16:23:18] Configure: etherneteap.GUID="{e9244e97-62e1-4acf-874f-fdc1f79fae75}"
[16:23:18] Configure: etherneteap.EAP.UseSystemCAs=false
[16:23:18] Configure: etherneteap.EAP.Password=******
[16:23:18] Configure: etherneteap.EAP.Identity="djechetesting"
[16:23:18] Configure: etherneteap.EAP.EAP="PEAP"
I can see from this that the policy and credential's are syncing properly. After this configuration has taken place. There is no more mention EAP with-in the log information. I have tried observing various chrome urls for extra info.
It is like the chromebox is not seeing the EAP packet's on the network. This could be the explanation to why the device is not responding and why the is no log information within the logs provided in the link.
I will provide more time accurate information and log's once I have done further test's
,
Mar 29 2016
Thanks David. Here are the eap requests from each switch for posterity's sake. Everything from the chrome logs, network packet captures, and nps logs point to the fact that the chromebox does not recognize it is receiving an eap challenge.
,
Mar 29 2016
Summarizing:
The HP pcap:
Ethernet II, Src: Hewlett-_06:02:00 (00:19:bb:06:02:00), Dst: Nearest (01:80:c2:00:00:03)
Destination: Nearest (01:80:c2:00:00:03)
Address: Nearest (01:80:c2:00:00:03)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
Source: Hewlett-_06:02:00 (00:19:bb:06:02:00)
Address: Hewlett-_06:02:00 (00:19:bb:06:02:00)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: 802.1X Authentication (0x888e)
Padding: 000000000000000000000000000000000000000000000000...
802.1X Authentication
Version: 802.1X-2001 (1)
Type: EAP Packet (0)
Length: 15
Extensible Authentication Protocol
Code: Request (1)
Id: 1
Length: 15
Type: Identity (1)
Identity: User name:
0000 01 80 c2 00 00 03 00 19 bb 06 02 00 88 8e 01 00 ................
0010 00 0f 01 01 00 0f 01 55 73 65 72 20 6e 61 6d 65 .......User name
0020 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :...............
0030 00 00 00 00 00 00 00 00 00 00 00 00 ............
The Meraki EAP packet:
Ethernet II, Src: Meraki_ce:29:b6 (88:15:44:ce:29:b6), Dst: Nearest (01:80:c2:00:00:03)
Destination: Nearest (01:80:c2:00:00:03)
Address: Nearest (01:80:c2:00:00:03)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
Source: Meraki_ce:29:b6 (88:15:44:ce:29:b6)
Address: Meraki_ce:29:b6 (88:15:44:ce:29:b6)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: 802.1X Authentication (0x888e)
Padding: 000000000000000000000000000000000000000000000000...
802.1X Authentication
Version: 802.1X-2004 (2)
Type: EAP Packet (0)
Length: 5
Extensible Authentication Protocol
Code: Request (1)
Id: 15
Length: 5
Type: Identity (1)
Identity:
0000 01 80 c2 00 00 03 88 15 44 ce 29 b6 88 8e 02 00 ........D.).....
0010 00 05 01 0f 00 05 01 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 ............
They are sent to the same destination address, are the same Ethernet type (0x888e), have slightly different version (see below) and are both of type "request".
The code in question is https://android.googlesource.com/platform/system/connectivity/shill/+/master/eap_listener.cc . Assuming the kernel delivers this packet to userspace in the same way (due to the same destination MAC address and Ethernet type), there are only 3 ways out of the eap listener method that will not trigger authentication. They each contain a message that will be preceded by "eap_listener.cc" in /var/log/net.log, even if debugging flags are not turned.
The fact that you are not seeing these logs point to the fact that either the hardware isn't passing these frames to the kernel, or the kernel isn't passing them to userspace over to the listening socket. Passing this over to the Chrome OS PM for further triage and to find someone to further repro and root cause.
,
Apr 7 2016
Kevin, not sure if this is related to all the other recent 802.1x issues?
,
Apr 7 2016
The big supplicant change happened on M51. The customer who reported the regression on wifi indicated that 8053.0.0, the first build after updating supplicant, showed the problem. 8052.0.0, the last build with the old supplicant version, did not. If the problem described in this bug was seen way back on M48/M49, it is something else. The issues described in #c3 (attempt to use a password for EAP-TLS certificate auth) and #c7 (no wpa_supplicant logs on the afflicted interface) do not match what we see in bug 599595 , either. I am able to successfully connect to our own corp network using EAP-TLS on a wired interface using a link (Pixel 1) on beta channel: 7834.42.0 / 49.0.2623.59. net.log shows a bunch of CTRL-EVENT messages from supplicant at NOTICE loglevel, starting with "eth0: Associated with..." and ending with CTRL-EVENT-CONNECTED.
,
Apr 21 2016
For this particular issue it seem's as though the problem may be related to hardware not passing packet's up the stack. When you connected to the corp network was it via ethernet or wireless ? We are experiencing this issue on chrome boxes using wired network's with EAP-PEAP method. MS-CHAPv2 is used for user authentication. Is it possible to attempt confirm that the this method is not were the problem is. I have attempted to connect via WiFi with out much problem, but when it comes to ethernet that when we experience most issue's. I am starting to doubt my set up, so I will attempt this once again with a direct ethernet connection when I get the opportunity.
,
Apr 21 2016
This only happens on wired. We do use PEAP/MSCHAPV2 for wired and wireless. The CFM does not behave well when put on the guest network. It keeps getting deauthed by the switch. This is about to be a major problem as we are setting up all of our sites with meraki switches. Our chromebox for meetings devices that we pay annual support for are about to become useless to us.
,
Apr 27 2016
,
May 3 2016
,
May 3 2016
> Ensure that policy has been deployed to device via Chrome://policy I don't have a way to enroll in this domain, so I configured the ethernet parameters by hand locally; see attached screenshot. Prior to configuring these parameters, I saw this error when replaying the mera802.1.pcap file: 2016-05-03T12:12:00.472126-07:00 INFO shill[1326]: [INFO:ethernet.cc(415)] EAP Service lacks 802.1X credentials; not doing EAP authentication. After configuring the network, I see this: 2016-05-03T12:17:04.975379-07:00 DEBUG wpa_supplicant[548]: eth0: Added interface eth0 2016-05-03T12:17:04.975416-07:00 DEBUG wpa_supplicant[548]: eth0: State: INACTIVE -> DISCONNECTED 2016-05-03T12:17:04.979190-07:00 WARNING shill[24410]: [WARNING:eap_credentials.cc(130)] PopulateSupplicantProperties: No certificate authorities are configured. Server certificates will be accepted unconditionally. [...] 2016-05-03T12:17:04.988198-07:00 INFO shill[24410]: [INFO:ethernet.cc(406)] Supplicant state changed to disconnected 2016-05-03T12:17:04.988291-07:00 INFO shill[24410]: [INFO:ethernet.cc(406)] Supplicant state changed to associated 2016-05-03T12:17:05.659021-07:00 DEBUG wpa_supplicant[548]: l2_packet_receive: src=88:15:44:ce:29:b6 len=46 2016-05-03T12:17:05.659041-07:00 DEBUG wpa_supplicant[548]: eth0: RX EAPOL from 88:15:44:ce:29:b6 2016-05-03T12:17:05.659047-07:00 DEBUG wpa_supplicant[548]: EAPOL: Received EAP-Packet frame 2016-05-03T12:17:05.659052-07:00 DEBUG wpa_supplicant[548]: EAPOL: SUPP_PAE entering state RESTART 2016-05-03T12:17:05.659057-07:00 DEBUG wpa_supplicant[548]: EAP: EAP entering state INITIALIZE 2016-05-03T12:17:05.659062-07:00 DEBUG wpa_supplicant[548]: EAP: EAP entering state IDLE 2016-05-03T12:17:05.659067-07:00 DEBUG wpa_supplicant[548]: EAPOL: SUPP_PAE entering state AUTHENTICATING 2016-05-03T12:17:05.659071-07:00 DEBUG wpa_supplicant[548]: EAPOL: SUPP_BE entering state REQUEST 2016-05-03T12:17:05.659077-07:00 DEBUG wpa_supplicant[548]: EAPOL: getSuppRsp 2016-05-03T12:17:05.659081-07:00 DEBUG wpa_supplicant[548]: EAP: EAP entering state RECEIVED 2016-05-03T12:17:05.659086-07:00 DEBUG wpa_supplicant[548]: EAP: Received EAP-Request id=187 method=1 vendor=0 vendorMethod=0 2016-05-03T12:17:05.659091-07:00 DEBUG wpa_supplicant[548]: EAP: EAP entering state IDENTITY 2016-05-03T12:17:05.659095-07:00 NOTICE wpa_supplicant[548]: eth0: CTRL-EVENT-EAP-STARTED EAP authentication started [...] 2016-05-03T12:17:05.659354-07:00 INFO shill[24410]: [INFO:ethernet.cc(393)] In EAPEventTask with status started, parameter 2016-05-03T12:17:05.659362-07:00 INFO shill[24410]: [INFO:supplicant_eap_state_handler.cc(77)] EAP: Authentication starting. (more context is attached) This is running a local build of canary channel which roughly corresponds to 52.0.2721.0 / 8272.0.0. shill and Chrome are built from the ToT. One possibility is that the newer version of wpa_supplicant accounts for the different result. Another possibility is that we aren't quite using the same configuration (maybe some part of the ONC configuration is getting lost in translation).
,
May 5 2016
Yes we already have our policy set to not validate server certs. Thanks, Ben
,
May 5 2016
@cernekee Do you think that the root of the issue could be related to how we handle self signed cert's ? Also it could be an ONC configuration problem. Have you tried pulling the config for Admin console you may see different result's.
,
May 5 2016
There's no cert in the mera802.1.pcap file, so if that test case still reproduces the failure I don't think it's related to certs. |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by pstew@chromium.org
, Mar 24 2016