[RADIATOR] EAP-PEAP Windows XP Wired Ethernet

Indrajaya Pitra Perdana vietrha at indo.net.id
Mon Dec 19 22:06:17 CST 2011


Dear Heikki,

I upgraded the IOS in my Catalyst; the results look a little bit 
different. It seems that the certificate is doing okay, but somehow it keeps 
asking for an anonymous user. Is there a configuration that I missed? Here are 
the log file and the config, thanks


Regards,
Indrajaya Pitra Perdana

On 12/17/2011 2:01 PM, vietrha at indo.net.id wrote:
>
> I'm using Microsoft Windows XP Professional SP 2
>
> Quoting Heikki Vatiainen<hvn at open.com.au>:
>
>> On 12/16/2011 04:13 AM, Indrajaya Pitra Perdana wrote:
>>
>>> Thanks, I gave it a try; I already enabled TLS tracing in my Win XP, and I
>>> don't see that there's a certificate exchange :-)
>> What client are you using? I noticed the log shows it sends EAP TLS
>> (type 13) responses while also logging about detecting PEAP authentication.
>>
>>> [1448] 11:49:36:218: PeapReadConnectionData
>>> [1448] 11:49:36:218: PeapReadUserData
>>> [1448] 11:49:36:218: RasEapGetInfo
>>> [2884] 11:49:52:515: EapPeapBegin
>>> [2884] 11:49:52:515: PeapReadConnectionData
>>> [2884] 11:49:52:515: PeapReadUserData
>>> [2884] 11:49:52:515:
>>> [2884] 11:49:52:515: EapTlsBegin(test)
>>> [2884] 11:49:52:515: State change to Initial
>>> [2884] 11:49:52:515: EapTlsBegin: Detected 8021X authentication
>>> [2884] 11:49:52:515: EapTlsBegin: Detected PEAP authentication
>>> [2884] 11:49:52:515: MaxTLSMessageLength is now 16384
>>> [2884] 11:49:52:515: EapPeapBegin done
>>> [2884] 11:49:52:515: EapPeapMakeMessage
>>> [2884] 11:49:52:515: EapPeapCMakeMessage
>>> [2884] 11:49:52:515: PEAP:PEAP_STATE_INITIAL
>>> [2884] 11:49:52:515: EapTlsCMakeMessage
>>> [2884] 11:49:52:515: EapTlsReset
>>> [2884] 11:49:52:515: State change to Initial
>>> [2884] 11:49:52:515: GetCredentials
>>> [2884] 11:49:52:515: Flag is Client and Store is Current User
>>> [2884] 11:49:52:515: GetCachedCredentials
>>> [2884] 11:49:52:515: FreeCachedCredentials
>>> [2884] 11:49:52:515: No Cert Store.  Guest Access requested
>>> [2884] 11:49:52:515: No Cert Name.  Guest access requested
>>> [2884] 11:49:52:515: Will validate server cert
>>> [2884] 11:49:52:515: MakeReplyMessage
>>> [2884] 11:49:52:515: SecurityContextFunction
>>> [2884] 11:49:52:515: InitializeSecurityContext returned 0x90312
>>> [2884] 11:49:52:515: State change to SentHello
>>> [2884] 11:49:52:515: BuildPacket
>>> [2884] 11:49:52:515:<<  Sending Response (Code: 2) packet: Id: 2,
>>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>>> [2884] 11:49:52:515: EapPeapCMakeMessage done
>>> [2884] 11:49:52:515: EapPeapMakeMessage done
>>> [1352] 11:50:22:531: EapPeapEnd
>>> [1352] 11:50:22:531: EapTlsEnd
>>> [1352] 11:50:22:531: EapTlsEnd(test)
>>> [1352] 11:50:22:531: EapPeapEnd done
>>> [1352] 11:50:22:562: EapPeapBegin
>>> [1352] 11:50:22:562: PeapReadConnectionData
>>> [1352] 11:50:22:562: PeapReadUserData
>>> [1352] 11:50:22:562:
>>> [1352] 11:50:22:562: EapTlsBegin(test)
>>> [1352] 11:50:22:562: State change to Initial
>>> [1352] 11:50:22:562: EapTlsBegin: Detected 8021X authentication
>>> [1352] 11:50:22:562: EapTlsBegin: Detected PEAP authentication
>>> [1352] 11:50:22:562: MaxTLSMessageLength is now 16384
>>> [1352] 11:50:22:562: EapPeapBegin done
>>> [1352] 11:50:22:562: EapPeapMakeMessage
>>> [1352] 11:50:22:562: EapPeapCMakeMessage
>>> [1352] 11:50:22:562: PEAP:PEAP_STATE_INITIAL
>>> [1352] 11:50:22:562: EapTlsCMakeMessage
>>> [1352] 11:50:22:562: EapTlsReset
>>> [1352] 11:50:22:562: State change to Initial
>>> [1352] 11:50:22:562: GetCredentials
>>> [1352] 11:50:22:562: Flag is Client and Store is Current User
>>> [1352] 11:50:22:562: GetCachedCredentials
>>> [1352] 11:50:22:562: FreeCachedCredentials
>>> [1352] 11:50:22:562: No Cert Store.  Guest Access requested
>>> [1352] 11:50:22:562: No Cert Name.  Guest access requested
>>> [1352] 11:50:22:562: Will validate server cert
>>> [1352] 11:50:22:562: MakeReplyMessage
>>> [1352] 11:50:22:562: SecurityContextFunction
>>> [1352] 11:50:22:562: InitializeSecurityContext returned 0x90312
>>> [1352] 11:50:22:562: State change to SentHello
>>> [1352] 11:50:22:562: BuildPacket
>>> [1352] 11:50:22:562:<<  Sending Response (Code: 2) packet: Id: 37,
>>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>>> [1352] 11:50:22:562: EapPeapCMakeMessage done
>>> [1352] 11:50:22:562: EapPeapMakeMessage done
>>> [1448] 11:50:52:578: EapPeapEnd
>>> [1448] 11:50:52:578: EapTlsEnd
>>> [1448] 11:50:52:578: EapTlsEnd(test)
>>> [1448] 11:50:52:578: EapPeapEnd done
>>> [1448] 11:51:52:593: PeapReadConnectionData
>>> [1448] 11:51:52:593: PeapReadUserData
>>> [1448] 11:51:52:593: RasEapGetInfo
>>> [1352] 12:02:42:625: PeapReadConnectionData
>>> [1352] 12:02:42:640: PeapReadUserData
>>> [1352] 12:02:42:640: RasEapGetInfo
>>> [1352] 12:02:42:640: PeapReDoUserData
>>> [1352] 12:02:42:640: EapTlsInvokeIdentityUI
>>> [1352] 12:02:42:640: GetCertInfo
>>> [1352] 12:03:42:640: PeapReadConnectionData
>>> [1352] 12:03:42:640: PeapReadUserData
>>> [1352] 12:03:42:640: RasEapGetInfo
>>> [1352] 12:03:42:671: EapPeapBegin
>>> [1352] 12:03:42:671: PeapReadConnectionData
>>> [1352] 12:03:42:671: PeapReadUserData
>>> [1352] 12:03:42:671:
>>> [1352] 12:03:42:671: EapTlsBegin(GHOST\indrajaya)
>>> [1352] 12:03:42:671: State change to Initial
>>> [1352] 12:03:42:671: EapTlsBegin: Detected 8021X authentication
>>> [1352] 12:03:42:671: EapTlsBegin: Detected PEAP authentication
>>> [1352] 12:03:42:671: MaxTLSMessageLength is now 16384
>>> [1352] 12:03:42:671: EapPeapBegin done
>>> [1352] 12:03:42:671: EapPeapMakeMessage
>>> [1352] 12:03:42:671: EapPeapCMakeMessage
>>> [1352] 12:03:42:671: PEAP:PEAP_STATE_INITIAL
>>> [1352] 12:03:42:671: EapTlsCMakeMessage
>>> [1352] 12:03:42:671: EapTlsReset
>>> [1352] 12:03:42:671: State change to Initial
>>> [1352] 12:03:42:671: GetCredentials
>>> [1352] 12:03:42:671: Flag is Client and Store is Current User
>>> [1352] 12:03:42:671: GetCachedCredentials
>>> [1352] 12:03:42:671: FreeCachedCredentials
>>> [1352] 12:03:42:671: No Cert Store.  Guest Access requested
>>> [1352] 12:03:42:671: No Cert Name.  Guest access requested
>>> [1352] 12:03:42:671: Will validate server cert
>>> [1352] 12:03:42:671: MakeReplyMessage
>>> [1352] 12:03:42:671: SecurityContextFunction
>>> [1352] 12:03:42:671: InitializeSecurityContext returned 0x90312
>>> [1352] 12:03:42:671: State change to SentHello
>>> [1352] 12:03:42:671: BuildPacket
>>> [1352] 12:03:42:671:<<  Sending Response (Code: 2) packet: Id: 3,
>>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>>> [1352] 12:03:42:671: EapPeapCMakeMessage done
>>> [1352] 12:03:42:671: EapPeapMakeMessage done
>>> [2004] 12:04:12:687: EapPeapEnd
>>> [2004] 12:04:12:687: EapTlsEnd
>>> [2004] 12:04:12:687: EapTlsEnd(ghost\indrajaya)
>>> [2004] 12:04:12:687: EapPeapEnd done
>>> [2004] 12:04:42:734: EapPeapBegin
>>> [2004] 12:04:42:734: PeapReadConnectionData
>>> [2004] 12:04:42:734: PeapReadUserData
>>>
>>> Regards,
>>> Indrajaya Pitra Perdana
>>>
>>> On 12/15/2011 6:04 PM, Heikki Vatiainen wrote:
>>>> On 12/15/2011 06:18 AM, Indrajaya Pitra Perdana wrote:
>>>>
>>>>> The problem still persists even though I created my own certificate using the
>>>>> steps in the mkcertificate.sh goodies; my Windows didn't respond to the EAP
>>>>> challenge sent by Radiator. Do you have any clue on this? Or perhaps the
>>>>> problem is within my 2950 Catalyst? Thanks :-)
>>>> You could try enabling debug for EAP authentication on the switch to see
>>>> how it reacts to EAP messages.
>>>>
>>>> Meanwhile you could also try running wireshark on Windows to see if the
>>>> challenge with the certificate is sent by the switch to the XP box.
>>>>
>>>> One thing you could try first is to use an even lower value for
>>>> EAPTLS_MaxFragmentSize.
>>>>
>>>> The messages before the certificate are much smaller, and so this challenge
>>>> would be the first that can reach the maximum size.
>>>>
>>>> Thanks!
>>>>
>>
>> --
>> Heikki Vatiainen<hvn at open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radius.log
Url: http://www.open.com.au/pipermail/radiator/attachments/20111220/4d50a701/attachment-0002.pl 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radius.cfg
Url: http://www.open.com.au/pipermail/radiator/attachments/20111220/4d50a701/attachment-0003.pl 
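Two observations in the thread are worth turning into a repeatable check before blaming Radiator or the switch: Heikki's remark that the XP client sends EAP type 13 (EAP-TLS) responses while its own trace says it detected PEAP authentication, and the fact that each "Sending Response" line carries enough numbers (Length, TLS blob length, Flags) to verify the EAP framing by hand. The following script is an added example written for this page; it is not part of the original mail, the Radiator distribution, or Microsoft's tracing tools. It parses a constructed trace condensed from the lines quoted above (including one "Sending Response" line wrapped over two lines, as it appears in the mail), groups lines into EAP-TLS sessions by their `EapTlsBegin(identity)` markers, and reports outer-EAP-type mismatches and length inconsistencies. The EAP-TLS/PEAP framing it checks (4-byte EAP header, 1-byte type, 1-byte flags, 4-byte TLS message length only when the L flag is set) is the RFC 5216 layout; the function and class names are this example's own.

```python
"""Triage helper for Windows XP EAP-TLS/PEAP client trace logs (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, condensed from the trace quoted in this thread. One "Sending Response"
# line is deliberately wrapped over two lines, as in the mail, to exercise the re-join logic.
SAMPLE_TRACE = r"""
[2884] 11:49:52:515: EapPeapBegin
[2884] 11:49:52:515: EapTlsBegin(test)
[2884] 11:49:52:515: EapTlsBegin: Detected 8021X authentication
[2884] 11:49:52:515: EapTlsBegin: Detected PEAP authentication
[2884] 11:49:52:515: No Cert Store.  Guest Access requested
[2884] 11:49:52:515: Will validate server cert
[2884] 11:49:52:515: State change to SentHello
[2884] 11:49:52:515:<<  Sending Response (Code: 2) packet: Id: 2, Length: 80, Type: 13, TLS blob length: 70. Flags: L
[1352] 11:50:22:531: EapPeapEnd
[1352] 12:03:42:671: EapPeapBegin
[1352] 12:03:42:671: EapTlsBegin(GHOST\indrajaya)
[1352] 12:03:42:671: EapTlsBegin: Detected PEAP authentication
[1352] 12:03:42:671: No Cert Store.  Guest Access requested
[1352] 12:03:42:671: Will validate server cert
[1352] 12:03:42:671:<<  Sending Response (Code: 2) packet: Id: 3,
Length: 80, Type: 13, TLS blob length: 70. Flags: L
[2004] 12:04:12:687: EapPeapEnd
"""

EAP_TYPE_TLS = 13   # EAP-TLS (RFC 5216)
EAP_TYPE_PEAP = 25  # PEAP outer method

LINE_RE = re.compile(r"^\[(\d+)\] (\d{2}:\d{2}:\d{2}:\d+):\s*(.*)$")
BEGIN_RE = re.compile(r"^EapTlsBegin\((.*)\)$")
RESP_RE = re.compile(
    r"Sending Response \(Code: (\d+)\) packet: Id: (\d+),\s*Length: (\d+), "
    r"Type: (\d+), TLS blob length: (\d+)\. Flags: ([LMS]*)"
)


@dataclass
class EapSession:
    thread: str
    identity: str
    peap_detected: bool = False
    guest_access: bool = False
    validates_server_cert: bool = False
    responses: List[Dict[str, object]] = field(default_factory=list)


def join_wrapped(lines):
    """Re-attach continuation lines (those without a '[tid]' prefix) to the preceding line."""
    out = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("[") or not out:
            out.append(line)
        else:
            out[-1] += " " + line.strip()
    return out


def expected_eap_length(blob_len, flags):
    """EAP-TLS/PEAP packet size: 4-byte EAP header + type byte + flags byte
    + 4-byte TLS message length (present only when the L flag is set) + TLS data."""
    return 4 + 1 + 1 + (4 if "L" in flags else 0) + blob_len


def parse_trace(text):
    """Split the trace into sessions, one per EapTlsBegin(identity), with their responses."""
    sessions, current = [], None
    for line in join_wrapped(text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, _ts, rest = m.groups()
        b = BEGIN_RE.match(rest)
        if b:
            current = EapSession(thread=thread, identity=b.group(1))
            sessions.append(current)
            continue
        if current is None:
            continue
        if "Detected PEAP authentication" in rest:
            current.peap_detected = True
        elif "Guest Access requested" in rest:
            current.guest_access = True
        elif "Will validate server cert" in rest:
            current.validates_server_cert = True
        r = RESP_RE.search(rest)
        if r:
            code, pid, length, etype, blob, flags = r.groups()
            current.responses.append({"code": int(code), "id": int(pid), "length": int(length),
                                      "type": int(etype), "blob_len": int(blob), "flags": flags})
    return sessions


def findings(session):
    """Consistency checks on one session; returns (severity, message) tuples."""
    out = []
    for resp in session.responses:
        if session.peap_detected and resp["type"] != EAP_TYPE_PEAP:
            out.append(("warn", f"id {resp['id']}: outer EAP type {resp['type']} sent although "
                                f"PEAP was detected (PEAP uses type {EAP_TYPE_PEAP})"))
        want = expected_eap_length(resp["blob_len"], resp["flags"])
        if want != resp["length"]:
            out.append(("warn", f"id {resp['id']}: EAP length {resp['length']} != expected {want}"))
    if session.guest_access:
        out.append(("info", "no client certificate store/name; guest access requested for the "
                            "outer TLS phase (PEAP needs no client certificate, so not an error by itself)"))
    if not session.responses:
        out.append(("warn", "no EAP response built in this session"))
    return out


if __name__ == "__main__":
    for s in parse_trace(SAMPLE_TRACE):
        print(f"thread {s.thread} identity={s.identity!r} peap={s.peap_detected}")
        for sev, msg in findings(s):
            print(f"  [{sev}] {msg}")
```

Run against a full trace, the script makes the "type 13 while PEAP detected" observation mechanical across every session instead of something spotted by eye, and the length check confirms that a packet such as "Length: 80 ... TLS blob length: 70 ... Flags: L" is internally consistent (70 + 10 bytes of EAP-TLS framing), which rules out truncation on the client side before you start lowering EAPTLS_MaxFragmentSize on the server.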