(RADIATOR) 802.1X with Radiator and EnterAsys R2
Luís Guido
lguido at fccn.pt
Thu Jan 27 06:24:55 CST 2005
Hello Mike,
See my comments inline please.
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: quarta-feira, 26 de Janeiro de 2005 22:45
> To: Luís Guido
> Cc: 'Hugh Irvine'; 'Radiator MailingList'
> Subject: Re: (RADIATOR) 802.1X with Radiator and EnterAsys R2
>
> Hello again Luis,
>
> Further information:
> The FreeRadius-PacketLog-EnterAsysR2.txt trace file does not seem to
> include
> the replies from Freeradius to the R2, only the incoming access requests.
Your right... :( I am going to perform an authentication with FreeRadius in
debugging mode... It will produce a very long list of "logs"... :)
> Tis
> make it very hard for me to tell the difference between freeradius and
> Radiator, especially wit hth etcpdump traces unreadable.
Ok. I'm going to repeat the tests today (if I can contact the person with
the R2).
One other thing is that I am going to configure both servers with the same
certificate. The previous tests were preformed with separated certificates
but both signed by the same private CA.
> BTW, I can see from the Radiator trace that it is sending very long
> replies
> back to the R2: 1460 octets altogether
The FreeRadius does not pass the 1070 (from the readable part of the tcpdump
file) Both certificates have approximately the same size... only Some bytes
different.
There goes the Radiator config portion for the 802.1X config:
<Handler TunnelledByTTLS=1>
RewriteUsername s/^([^@]+).*/$1/
<AuthBy FILE>
RewriteUsername s/^([^@]+).*/$1/
EAPType MSCHAP-V2, PAP, MD5-Challenge
Filename /etc/radius/roam.txt
AddToReplyIfNotExist User-Name=%u
</AuthBy>
AuthLog localusers
AcctLogFileName %D/acct_detail
</Handler>
<Handler TunnelledByPEAP=1>
<AuthBy FILE>
RewriteUsername s/^([^@]+).*/$1/
UsernameMatchesWithoutRealm yes
EAPType MSCHAP-V2
Filename /etc/radius/roam.txt
</AuthBy>
AuthLog localusers
</Handler>
<Handler Realm=/roam.fccn.pt/>
<AuthBy FILE>
EAPType PEAP, TTLS, TLS
EAPTLS_CAFile /etc/radius/cert/fccn_ca.pem
EAPTLS_CertificateFile /etc/radius/cert/phineus.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/radius/cert/phineus-priv.pem
EAPTLS_PrivateKeyPassword phineus-testbed
EAPTLS_MaxFragmentSize 1400
# EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
SSLeayTrace 4
</AuthBy>
AuthLog localusers
AcctLogFileName %L/localusersacct.log
AccountingHandled
</Handler>
> Cheers.
>
>
> On Wednesday 26 January 2005 22:57, Luís Guido wrote:
> > Hi Hugh, Mike, all
> >
> > There goes some more information.
> > I don't have a EnterAsys R2 here but the authentications made from a VI
> > (Visited Institution) with a IAS that proxy's all unknown user requests
> to
> > our Nacional Proxy Server (Radiator 3.11). The Proxy Server forwards
> those
> > requests to the server that handles the realm roam.fccn.pt (Radiator
> 3.11)
> > or to the server that handles the realm eci.fccn.pt (FreeRadius 1.0.0-
> pre0)
> > depending on the request.
> >
> > The 802.1X client used for the tests was always the same
> >
> > I have included the Trace4 for the Radiator and a packet log for the
> > FreeRadius for several authentication attempts.
> > There is also the tcpdump for both servers.
> >
> > Best Regards,
> > Luís Guido
> >
> > > -----Original Message-----
> > > From: Hugh Irvine [mailto:hugh at open.com.au]
> > > Sent: terça-feira, 25 de Janeiro de 2005 22:06
> > > To: Luís Guido; Mike McCauley
> > > Cc: Radiator MailingList
> > > Subject: Re: (RADIATOR) 802.1X with Radiator and EnterAsys R2
> > >
> > >
> > > Hello Luis -
> > >
> > > As always, without a copy of your configuration file and a trace 4
> > > debug from Radiator showing what is happening it is nearly impossible
> > > for us to help you. In this particular case it would also be very
> > > useful to see a ethereal (or tcpdump, snoop, whatever) trace of both
> > > the FreeRadius exchange and the Radiator exchange so we can see what
> > > works and what doesn't.
> > >
> > > regards
> > >
> > > Hugh
> > >
> > > On 25 Jan 2005, at 22:11, Luís Guido wrote:
> > > > Hi all,
> > > >
> > > > I guess this question was mentioned some while ago (in the beginning
> of
> > > > 2004) but I can't seam to find an answer to my problem.
> > > >
> > > > Terry said
> > > > (http://www.open.com.au/archives/radiator/2004-01/msg00057.html)
> > > >
> > > >
> > > > "Enterasys claims this is a problem with Radiator, and we have had
> some
> > > > disagreements with them about this.
> > > > When every other AP on the market works but theirs, I doubt it's a
> > > > server
> > > > problem. ;-)
> > > > Try setting your chunk size to <= 1000 or so and see if that
> works... I
> > > > believe that was the problem."
> > > >
> > > > For Radiator the value for EAPTLS_MaxFragmentSize must be <= 1010 as
> > > > pointed
> > > > by Michael
> > > > (http://www.open.com.au/archives/radiator/2004-01/msg00058.html)
> > > >
> > > > I have tested the R2 with FreeRadius (for PEAP):
> > > > (...)
> > > > eap {
> > > > (...)
> > > > tls {
> > > > (...)
> > > > fragment_size = 1400
> > > > }
> > > > (...)
> > > > }
> > > >
> > > > And IAS and I have succeeded with both Radius servers.
> > > >
> > > > I'm not saying it is a Radiator problem or an R2 problem....
> > > > One thing I know! This is one major problem for our network.
> > > >
> > > > Our network is a 802.1X distributed network with multiple AP vendors
> > > > and
> > > > multiple Radius Servers (Radiator, FreeRadius and IAS).
> > > > The Radius Hierarchy is responsible for the transportation of the
> user
> > > > credentials from a Visited Site (VS) (where the user is physically
> > > > located)
> > > > to the Home Site (HS) (where the user is known). Must probably the
> VS
> > > > and HS
> > > > do not know each other and have no way of knowing what is
> > > > installed/configured on the other side.
> > > > If the user HS have a Radiator (with EAPTLS_MaxFragmentSize > 1010)
> > > > and the
> > > > VS has EnterAsys R2, the user CANNOT AUTHENTICATE! In my tests, the
> > > > authentication blocks when the Radiator sends the second EAP message
> > > > with
> > > > the server certificate (typically a big Radius packet)...
> > > >
> > > > The server does send the 2nd Challenge with the certificate but no
> > > > response
> > > > from the AP... But it does work with FreeRadius with a similar chunk
> > > > size.
> > > >
> > > > Does anyone have any ideas?
> > > > Thanks in advance!
> > > >
> > > > Best regards,
> > > > ---------------
> > > > Luís Guido
> > > > FCCN - Portugal
> > > >
> > > >
> > > > --
> > > > Archive at http://www.open.com.au/archives/radiator/
> > > > Announcements on radiator-announce at open.com.au
> > > > To unsubscribe, email 'majordomo at open.com.au' with
> > > > 'unsubscribe radiator' in the body of the message.
> > >
> > > NB:
> > >
> > > Have you read the reference manual ("doc/ref.html")?
> > > Have you searched the mailing list archive
> > > (www.open.com.au/archives/radiator)?
> > > Have you had a quick look on Google (www.google.com)?
> > > Have you included a copy of your configuration file (no secrets),
> > > together with a trace 4 debug showing what is happening?
> > >
> > > --
> > > Radiator: the most portable, flexible and configurable RADIUS server
> > > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > > -
> > > Nets: internetwork inventory and management - graphical, extensible,
> > > flexible with hardware, software, platform and database independence.
> > > -
> > > CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list