(RADIATOR) EapTLS question

Markus Moeller huaraz at moeller.plus.com
Tue Feb 19 15:34:48 CST 2008


The final part of my setup is to support EapTLS for wireless.  As I don't yet have an AP to test with, I was using Lucent's VitalAAA RADIUS client.

The client gives me an error message: State attribute is missing in Access-Challenge

Is this a configuration error or an incompatible client?

Thank you
Markus

P.S. Config extract is attached.

VitalAAA client log:

2008/02/19 21:19:35.898 {AWT-EventQueue-0} <tls.certandkeymanager> Installed ClientCert EMAILADDRESS=markus at moeller.plus.com, CN=Test LAB, OU=Engineering, O=HOME L=London, ST=London, C=GB as RSA
2008/02/19 21:19:35.902 {AWT-EventQueue-0} <tls.certandkeymanager> Installed ServerSet EMAILADDRESS=markus at moeller.plus.com, CN=Test LAB, OU=Engineering, O=HOME L=London, ST=London, C=GB as RSA
2008/02/19 21:19:35.903 {AWT-EventQueue-0} <tls.certandkeymanager> Installed ServerSet EMAILADDRESS=markus at moeller.plus.com, CN=Test LAB, OU=Engineering, O=HOME L=London, ST=London, C=GB as DHE_RSA
2008/02/19 21:19:35.910 {AWT-EventQueue-0} <callback.eap.tls> Creating new client
2008/02/19 21:19:35.916 {Radius Client Driver} <radiusClient> Xmit: Access-Request to 10.142.161.97:1812
        User-Name = "testuser at company.com"
        EAP-Message = 
            code = Response
            Identifier = 1
            Type = Identity
            Type-Data = "testuser at company.com"
        Message-Authenticator = "00000000000000000000000000000000"

2008/02/19 21:19:36.246 {Radius Client Listener 0.0.0.0:35536} <radiusClient> Recv: Access-Challenge after 336 ms.
        EAP-Message = 
            code = Request
            Identifier = 2
            Type = TLS
            Type-Data = " "
        Message-Authenticator = "A0497AC4DB527F89BAA9F5353261293E"

2008/02/19 21:19:36.248 {Basic Callback} <tls.protocolhandler> client/5 >>> Transmitting ClientHello
2008/02/19 21:19:36.248 {Basic Callback} <callback.eap.tls> Enter nwkDataAvailable( ByteBuffer[] array )
2008/02/19 21:19:36.249 {Basic Callback} <callback.eap.tls> Sending a 0 byte message to the EAP TLS client
2008/02/19 21:19:36.249 {Basic Callback} <callback.eap.tls> Received a 62 byte message from the EAP TLS client
2008/02/19 21:19:36.249 {Basic Callback} <radiusclient.callback.challenge> (ERROR) State attribute is missing in Access-Challenge
2008/02/19 21:19:36.249 {Basic Callback} <callback.eap.tls> Closing client 


Radiator Trace output


/usr/bin/radiusd -config_file /etc/radiator/radius.cfg -log_stdout -trace 5 -foreground
Tue Feb 19 20:58:05 2008: DEBUG: include /etc/radiator/readclients.pl|
Tue Feb 19 20:58:05 2008: NOTICE: Reading clients file /etc/radiator/clients
Tue Feb 19 20:58:06 2008: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
Tue Feb 19 20:58:06 2008: DEBUG: Creating StreamServer tcp port 0.0.0.0:9443
Tue Feb 19 20:58:06 2008: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Tue Feb 19 20:58:06 2008: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Tue Feb 19 20:58:06 2008: DEBUG: Creating authentication port 0.0.0.0:1812
Tue Feb 19 20:58:06 2008: DEBUG: Creating accounting port 0.0.0.0:1813
Tue Feb 19 20:58:06 2008: NOTICE: Server started: Radiator 4.0 on radius-server1
Tue Feb 19 20:58:25 2008: DEBUG: Packet dump:
*** Received from 10.128.55.23 port 35536 ....

Packet length = 73
01 00 00 49 60 b4 20 bb 38 51 d9 d4 7a cb 93 3d
be 70 39 9b 01 0f 6d 6f 65 6c 6d 61 40 64 62 2e
63 6f 6d 4f 14 02 01 00 12 01 6d 6f 65 6c 6d 61
40 64 62 2e 63 6f 6d 50 12 10 f6 7b 50 45 19 e8
7f c4 f2 d4 5c 51 28 7c 5b
Code:       Access-Request
Identifier: 0
Authentic:  `<180> <187>8Q<217><212>z<203><147>=<190>p9<155>
Attributes:
        User-Name = "testuser at company.com"
        EAP-Message = <2><1><0><18><1>testuser at company.com
        Message-Authenticator = <16><246>{PE<25><232><127><196><242><212>\Q(|[

Tue Feb 19 20:58:25 2008: DEBUG: PreHandlerHook added LDAP  Attributes:
Tue Feb 19 20:58:25 2008: DEBUG: User-Mail = markus at moeller.plus.com
Tue Feb 19 20:58:25 2008: DEBUG: USER-PRINCIPAL-NAME = testuser at company.com
Tue Feb 19 20:58:25 2008: DEBUG: Handling request with Handler 'Device-Class=Wlan'
Tue Feb 19 20:58:25 2008: DEBUG:  Deleting session for testuser at company.com, 192.168.100.1, 
Tue Feb 19 20:58:25 2008: DEBUG: Handling with Radius::AuthFILE: EapTLS
Tue Feb 19 20:58:25 2008: DEBUG: Handling with EAP: code 2, 1, 18, 1
Tue Feb 19 20:58:25 2008: DEBUG: Response type 1
Tue Feb 19 20:58:25 2008: DEBUG: EAP result: 3, EAP TLS Challenge
Tue Feb 19 20:58:25 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Tue Feb 19 20:58:25 2008: DEBUG: Access challenged for testuser at company.com: EAP TLS Challenge
Tue Feb 19 20:58:25 2008: DEBUG: Packet dump:
*** Sending to 10.128.55.23 port 35536 ....

Packet length = 46
0b 00 00 2e ee dd 2f 22 e4 0d 03 25 f6 81 56 5d
d8 de 57 b1 4f 08 01 02 00 06 0d 20 50 12 a0 49
7a c4 db 52 7f 89 ba a9 f5 35 32 61 29 3e
Code:       Access-Challenge
Identifier: 0
Authentic:  `<180> <187>8Q<217><212>z<203><147>=<190>p9<155>
Attributes:
        EAP-Message = <1><2><0><6><13> 
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>




-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius.cfg
Type: application/octet-stream
Size: 6061 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20080219/641efc37/attachment.obj>
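
The Access-Challenge from the Radiator trace above, decoded as an added example (not part of the original post): a minimal RADIUS attribute parser run over the 46 bytes shown, reporting which attributes the packet carries and whether State (type 24 in RFC 2865) is among them. The function and constant names are illustrative.

```python
import struct

# Access-Challenge bytes copied from the Radiator trace in the post.
ACCESS_CHALLENGE_HEX = """
0b 00 00 2e ee dd 2f 22 e4 0d 03 25 f6 81 56 5d
d8 de 57 b1 4f 08 01 02 00 06 0d 20 50 12 a0 49
7a c4 db 52 7f 89 ba a9 f5 35 32 61 29 3e
"""
CHALLENGE = bytes.fromhex("".join(ACCESS_CHALLENGE_HEX.split()))

# Code and attribute type numbers from RFC 2865 / RFC 3579.
ACCESS_CHALLENGE = 11
STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 24, 79, 80
# EAP method type and Start flag bit from the EAP-TLS specification.
EAP_TYPE_TLS, EAP_TLS_START = 13, 0x20


def parse_radius(packet: bytes):
    """Return (code, identifier, [(type, value), ...]) with strict length checks."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs


def summarize_challenge(packet: bytes):
    code, _ident, attrs = parse_radius(packet)
    types = [t for t, _ in attrs]
    # An EAP packet may be split over several EAP-Message attributes; join in order.
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) < 6:
        raise ValueError("no usable EAP-Message")
    _eap_code, eap_id, _eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    return {
        "is_challenge": code == ACCESS_CHALLENGE,
        "attr_types": types,
        "has_state": STATE in types,
        "eap_tls_start": eap_type == EAP_TYPE_TLS and bool(eap[5] & EAP_TLS_START),
        "eap_identifier": eap_id,
    }
```

`summarize_challenge(CHALLENGE)` shows the packet holds only EAP-Message and Message-Authenticator, which matches the attributes the VitalAAA client logged for the Access-Challenge it received.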

