DHCP

bigsman

New Member
Joined
May 12, 2023
Messages
6
Reaction score
0
Credits
56
Hi I'm a student learning IT and kind of new to the field and I have a bit of a problem on a lab that I am doing here. I have a windows pc that I want to use DHCP with a wireless NIC. I have a TP-LINK that points toward my Linux server that hosts the Radius service and also acts as the CA for my lan. I made certificates for it and for the pc and put the host certificates on the pc as well. I installed the DHCP service on my linux server and configured the dhcpd.conf to use ip addresses 172.25.25.50 - .75 and then started the service. Nmap recognizes that dhcp is on and so I went to my pc to if the SSIDs that I created were showing and they are but when I try to connect to them it never connects and just says attempting to authenticate. Is there something that I'm missing here or forgot to do? I'm sorry if this wasn't explained very well I'm still not too sure what the issue is and I'm a newbie in this field but any help would be great by people with experience.
 


f33dm3bits

Gold Member
Gold Supporter
Joined
Dec 11, 2019
Messages
6,641
Reaction score
5,075
Credits
48,777
The first place to start would be to check the radius log file to see if you seen any errors about certificate or authentication errors, it could be that you configured radius to expect a certain authentication type but that your Windows pc is trying to authenticate differently. Just one question how much Linux experience do you have?
 
OP
B

bigsman

New Member
Joined
May 12, 2023
Messages
6
Reaction score
0
Credits
56
Hi thanks for replying. To be honest I'm not an active linux user and wouldn't say I'm very experienced in it either. I have only taken one class for it specifically to learn the basics of it. I'm currently in a security class and we have to use linux in it as well and I just looked back at my old labs on how to set this stuff up
 

f33dm3bits

Gold Member
Gold Supporter
Joined
Dec 11, 2019
Messages
6,641
Reaction score
5,075
Credits
48,777
Not to put you down but you will have an easier time with Linux if you get down the basics first before jumping into running services you don't know how to configure. Since once you get the basics down all other things build on that including configuring and running services. The first thing for anything when a service doesn't start or something isn't working correctly is checking the log file of that service, in your case that will probably be the radius log file since that Windows pc fails to authenticate. I have go to say I have added configuration of an existing radius server but never built one from scratch so that's about all the advice I can give on that when it comes to radius.
 
OP
B

bigsman

New Member
Joined
May 12, 2023
Messages
6
Reaction score
0
Credits
56
This is a lab that for security class that we are all supposed to do and this is part of my responsibility and nobody in my team seems to know how to fix this. I went into the radius log file using less and I can't find anything for today for some reason
 

Jarret B

Well-Known Member
Staff member
Joined
May 22, 2017
Messages
332
Reaction score
355
Credits
11,260

f33dm3bits

Gold Member
Gold Supporter
Joined
Dec 11, 2019
Messages
6,641
Reaction score
5,075
Credits
48,777
Try running tcpdump on your radius server listening for the ip of your window desktop system and listening on the radius port. So something like, so something like this.
Code:
tcpdump -i any 192.168.122.10 and port 1812
192.168.122.10 being your desktop and 1812 being the instance port of your radius instance, then have your WindowsPC authenticate and see if you see network traffic coming from your WindowsPC and back to your WindowsPC from the radius server.
 
Last edited:
OP
B

bigsman

New Member
Joined
May 12, 2023
Messages
6
Reaction score
0
Credits
56
Try running tcpdump on your radius server listening for the ip of your window desktop system and listening on the radius port. So something like, so something like this.
Code:
tcpdump -i any 192.168.122.10 and port 1812
192.168.122.10 being your desktop and 1812 being the instance port of your radius instance, then have your WindowsPC authenticate and see if you see network traffic coming from your WindowsPC and back to your WindowsPC from the radius server.
hey man that actually showed something there. My pc doesn't have an ip address assigned to it yet because we want for it to use DHCP so I just put in "tcpdump -i any and port 1812" and what I saw was that my tp-link wap would do access request to the radius server and the server just replied with access challenge. It did that the whole time.
 
OP
B

bigsman

New Member
Joined
May 12, 2023
Messages
6
Reaction score
0
Credits
56
hey man that actually showed something there. My pc doesn't have an ip address assigned to it yet because we want for it to use DHCP so I just put in "tcpdump -i any and port 1812" and what I saw was that my tp-link wap would do access request to the radius server and the server just replied with access challenge. It did that the whole time.
I tried it on my 5 GHZ connection instead and instead of just endlessly trying to authenticate it actually allows me to put in my username and password into it. Weird thing is that I don't remember ever setting it up so that you needed a username just the password so I'm not too sure what do about that either. Is there a way to not require the username in the wap's settings? When I did this in a lab earlier this year all that it did was ask me for the password so I'm not sure why it's being different I thought that I was using the same security.
 

f33dm3bits

Gold Member
Gold Supporter
Joined
Dec 11, 2019
Messages
6,641
Reaction score
5,075
Credits
48,777
hey man that actually showed something there. My pc doesn't have an ip address assigned to it yet because we want for it to use DHCP so I just put in "tcpdump -i any and port 1812" and what I saw was that my tp-link wap would do access request to the radius server and the server just replied with access challenge. It did that the whole time.
Yeah it slipped my mind for a second. I don't have a whole lot of experience with radius, so just searching a bit around myself. I think you have to configure "Access challenge" something like how it is mentioned here.
That's about all the help I can give otherwise I would have to spend a whole lot of my free time setting that up and I have other things I would rather do as well.
 

f33dm3bits

Gold Member
Gold Supporter
Joined
Dec 11, 2019
Messages
6,641
Reaction score
5,075
Credits
48,777
I tried it on my 5 GHZ connection instead and instead of just endlessly trying to authenticate it actually allows me to put in my username and password into it. Weird thing is that I don't remember ever setting it up so that you needed a username just the password so I'm not too sure what do about that either. Is there a way to not require the username in the wap's settings? When I did this in a lab earlier this year all that it did was ask me for the password so I'm not sure why it's being different I thought that I was using the same security.
If I remember correctly there is a way to use both certificates and username/password for authentication, you would have to look that up. I"m not sure what radius software you are using but I would look into freeradius documentation.
 

kibasnowpaw

Active Member
Joined
Jan 2, 2022
Messages
338
Reaction score
184
Credits
3,380
Your setup seems quite complex, involving multiple services and components including DHCP, RADIUS, and wireless networking. Let's try to approach it step by step:

  1. DHCP Server: Since nmap shows your DHCP service is running, this implies that your DHCP server is probably working correctly. However, you could verify this by checking the DHCP server logs to see if it's receiving requests and serving out IP addresses. The DHCP logs are typically located at /var/log/syslog in most Linux distributions.
  2. RADIUS Server: Make sure the RADIUS server is running properly and configured correctly. You can do this by checking its logs, which are typically located at /var/log/freeradius/radius.log or similar, depending on your Linux distribution. You should see logs related to authentication requests from your wireless client.
  3. TP-Link Wireless Access Point (AP): Ensure the AP is correctly set up to use WPA2-Enterprise or WPA3-Enterprise (whichever you're using) with your RADIUS server as the authentication server. You'll need to enter the IP address of the RADIUS server and the shared secret. This configuration will be found in the Wireless Security settings of your AP.
  4. Wireless Client: The client needs to be configured to use WPA2-Enterprise or WPA3-Enterprise as well, and it should have the certificate installed. You'll typically need to specify the EAP method (like PEAP or EAP-TTLS), the phase 2 authentication (like MSCHAPv2), and then the identity (username) and password. For the certificate, you might need to specify the CA certificate to trust.
  5. Certificates: Make sure the certificates are properly installed on both the RADIUS server and the client, and that they trust the CA that issued the certificates. If there's an issue with the certificates or the trust chain, the authentication will fail.
Remember that the "Attempting to authenticate" message usually indicates that the client is having trouble with the RADIUS server authentication, which could be due to any of the above points.

It's also worth mentioning that this setup, while typical in a corporate environment, is quite complex for a beginner. If you're new to this field, it might be helpful to break down the problem and learn each component (DHCP, RADIUS, 802.1X, etc.) individually before combining them all. This might make it easier to troubleshoot and understand what's going wrong.

hey man that actually showed something there. My pc doesn't have an ip address assigned to it yet because we want for it to use DHCP so I just put in "tcpdump -i any and port 1812" and what I saw was that my tp-link wap would do access request to the radius server and the server just replied with access challenge. It did that the whole time.


The "Access-Challenge" response from the RADIUS server is part of the authentication process. This message is used in challenge/response authentication methods, like EAP-TTLS and PEAP, where the RADIUS server needs more information from the client before it can authenticate it.

In the context of EAP (Extensible Authentication Protocol), the server sends an "Access-Challenge" packet back to the client to request additional identity information. The client then sends an "Access-Request" packet with this additional information, and this back-and-forth continues until the server is either satisfied (and sends an "Access-Accept" message) or decides the client cannot be authenticated (and sends an "Access-Reject" message).

If you're seeing a repeated cycle of "Access-Request" and "Access-Challenge" without ever getting to an "Access-Accept" or "Access-Reject", then it's likely there's a problem with the authentication process.

Here are a few possible reasons for this:

  1. Incorrect credentials: The client may be sending incorrect credentials (username/password). Double-check that these are correct.
  2. Certificate problems: The client or server may not trust the other's certificate, or the certificate may be expired or otherwise invalid. Double-check the certificates, their trust chains, and their validity periods.
  3. EAP configuration: The client and server may be using different EAP methods, or the server may not support the EAP method the client is using. Check the EAP configurations on both sides.
  4. RADIUS server configuration: The server may be misconfigured, such as having the wrong shared secret for the client, or not having the client in its list of allowed clients.
Check your RADIUS server logs for more detailed error messages. These logs can usually provide more information about what's going wrong in the authentication process.
 
OP
B

bigsman

New Member
Joined
May 12, 2023
Messages
6
Reaction score
0
Credits
56
If I remember correctly there is a way to use both certificates and username/password for authentication, you would have to look that up. I"m not sure what radius software you are using but I would look into freeradius documentation.
I have certificates on my computer since we're doing an enterprise and set the password. Don't know why it's asking for a username tho
 

Members online


Top