(RADIATOR) Re: EAP TLS

Mike McCauley mikem at open.com.au
Wed Jul 17 20:42:45 CDT 2002


Hello Henry,

On Thu, 18 Jul 2002 11:27, Henry Su wrote:
> Thanks a lot, Mike. I tried to re-install the CA on the XP machine; it seems
> to have worked on the RADIUS side. I have 10 frames for EAP-TLS auth, and RADIUS
> sends an Access-Accept packet (see it in the attachment). I also have a DHCP
> server running on the same box as the Radiator server; I tested it and it works well,

The log looks good.

> however my client cannot get an IP address, and I do not know why. Do you have
> any clue?

No, I'm afraid I can't tell from the material you sent. Allocation of an IP 
address from the DHCP server would normally be done by your client. Normally, 
Radiator would not be involved with address allocation.

I think you need to check your client configuration.

Cheers.

>
> Thanks.
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Tuesday, July 16, 2002 4:33 PM
> To: Henry Su
> Cc: radiator at open.com.au
> Subject: Re: EAP TLS
>
> Hello Henry,
>
> Looks like you have not subscribed to the Radiator mailing list. I will try
> to help you with this problem, but you should subscribe and send all future
> requests to the mailing list.
>
> In the log below, it shows that Radiator has received an EAP identity and
> has responded with an EAP-TLS start. This is the correct behaviour, and it shows
> that your Radiator configuration file is OK so far.
>
> I suspect that the problem is in the AP or the client. The most likely
> reason is that the XP client is not configured for EAP-TLS, and it is expecting
> something else like maybe EAP-MD5 etc. I would check your XP wireless
> client settings first.
>
> Cheers.
>
> On Wed, 17 Jul 2002 09:00, owner-radiator at open.com.au wrote:
> > Reply-To: <henrysu at nttmcl.com>
> > From: "Henry Su" <henrysu at nttmcl.com>
> > To: <radiator at open.com.au>
> > Subject: EAP TLS
> > Date: Tue, 16 Jul 2002 16:00:03 -0700
> >
> > I am using Radiator 3.1 with patch on FreeBSD 4.5, my client is Windows
> > XP, the AP is an Orinoco AP1000, and OpenSSL is 0.9.7 beta2.
> >
> > My problem is that it works partially: the RADIUS server gets the request and sends
> > a challenge, but there are no further actions going on.
> >
> > I'm not sure how to set users for EAP-TLS. I just added the following
> >
> > # For testing 802 1x (EAP-TLS)
> > 1x-client
> >
> > Is it correct?
>
> Yes, that's OK, but it's best to have a password too, just in case someone
> tries to do a dialup connection that uses that user entry. The password is not
> used or required by EAP-TLS.
>
> > Could you please point me to any clue? Thanks.
> >
> > Radius log:
> > Tue Jul 16 15:13:58 2002: DEBUG: Packet dump:
> > *** Received from 10.10.10.101 port 192 ....
> > Code:       Access-Request
> > Identifier: 51
> > Authentic:  g<218>n<142><216><211>!<25><198><183><184><153><147><4>^P
> > Attributes:
> >         User-Name = "1x-client"
> >         NAS-IP-Address = 10.10.10.101
> >         Called-Station-Id = "00022d2e8a1a"
> >         Calling-Station-Id = "00022d150780"
> >         NAS-Identifier = "00-02-2D-15-07-80"
> >         NAS-Port-Type = 19
> >         Framed-MTU = 1400
> >         EAP-Message = <2><4><0><14><1>1x-client
> >         Message-Authenticator = <20><2><139><180><214><231><241><189><195>J<175>(<146><230><152>F
> >
> > Tue Jul 16 15:13:58 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Tue Jul 16 15:13:58 2002: DEBUG:  Deleting session for 1x-client, 10.10.10.101,
> > Tue Jul 16 15:13:58 2002: DEBUG: Handling with Radius::AuthFILE:
> > Tue Jul 16 15:13:58 2002: DEBUG: Radius::AuthFILE looks for match with 1x-client
> > Tue Jul 16 15:13:58 2002: DEBUG: Handling with EAP
> > Tue Jul 16 15:13:58 2002: DEBUG: EAP code 2, 4, 14
> > Tue Jul 16 15:13:58 2002: DEBUG: Response type 1
> > Tue Jul 16 15:13:58 2002: DEBUG: Radius::AuthFILE CHALLENGE: EAP TLS Challenge
> > Tue Jul 16 15:13:58 2002: DEBUG: Access challenged for 1x-client: EAP TLS Challenge
> > Tue Jul 16 15:13:58 2002: DEBUG: Packet dump:
> > *** Sending to 10.10.10.101 port 192 ....
> > Code:       Access-Challenge
> > Identifier: 51
> > Authentic:  g<218>n<142><216><211>!<25><198><183><184><153><147><4>^P
> > Attributes:
> >         EAP-Message = <1><5><0><6><13>
> >         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Ethereal dump:
> > Frame 193 (172 on wire, 172 captured)
> >     Arrival Time: Jul 16, 2002 14:21:26.741422000
> >     Time delta from previous packet: 30.040387000 seconds
> >     Time relative to first packet: 11703.517713000 seconds
> >     Frame Number: 193
> >     Packet Length: 172 bytes
> >     Capture Length: 172 bytes
> > Ethernet II
> >     Destination: 00:80:c8:b9:ad:bd (D-Link_b9:ad:bd)
> >     Source: 00:02:2d:15:07:80 (Agere_15:07:80)
> >     Type: IP (0x0800)
> > Internet Protocol, Src Addr: 10.10.10.101 (10.10.10.101), Dst Addr: 10.10.10.1 (10.10.10.1)
> >     Version: 4
> >     Header length: 20 bytes
> >     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
> >         0000 00.. = Differentiated Services Codepoint: Default (0x00)
> >         .... ..0. = ECN-Capable Transport (ECT): 0
> >         .... ...0 = ECN-CE: 0
> >     Total Length: 158
> >     Identification: 0x0043
> >     Flags: 0x00
> >         .0.. = Don't fragment: Not set
> >         ..0. = More fragments: Not set
> >     Fragment offset: 0
> >     Time to live: 64
> >     Protocol: UDP (0x11)
> >     Header checksum: 0x5193 (correct)
> >     Source: 10.10.10.101 (10.10.10.101)
> >     Destination: 10.10.10.1 (10.10.10.1)
> > User Datagram Protocol, Src Port: osu-nms (192), Dst Port: radius (1812)
> >     Source port: osu-nms (192)
> >     Destination port: radius (1812)
> >     Length: 138
> >     Checksum: 0x7249 (correct)
> > Radius Protocol
> >     Code: Access Request (1)
> >     Packet identifier: 0xe (14)
> >     Length: 130
> >     Authenticator
> >     Attribute value pairs
> >         t:User Name(1) l:11, Value:"1x-client"
> >         t:NAS IP Address(4) l:6, Value:10.10.10.101
> >         t:Called Station Id(30) l:14, Value:"00022d2e8a1a"
> >         t:Calling Station Id(31) l:14, Value:"00022d150780"
> >         t:NAS identifier(32) l:19, Value:"00-02-2D-15-07-80"
> >         t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11(19)
> >         t:Framed MTU(12) l:6, Value:1400
> >         t:EAP Message(79) l:16
> >             Extensible Authentication Protocol
> >                 Code: Response (2)
> >                 Id: 1
> >                 Length: 14
> >                 Type: Identity [RFC2284] (1)
> >                 Identity (9 bytes): 1x-client
> >         t:Message Authenticator(80) l:18, Value:6DF2CB94176DE03541C3F701AC641E08
> >
> > Frame 194 (88 on wire, 88 captured)
> >     Arrival Time: Jul 16, 2002 14:21:26.753859000
> >     Time delta from previous packet: 0.012437000 seconds
> >     Time relative to first packet: 11703.530150000 seconds
> >     Frame Number: 194
> >     Packet Length: 88 bytes
> >     Capture Length: 88 bytes
> > Ethernet II
> >     Destination: 00:02:2d:15:07:80 (Agere_15:07:80)
> >     Source: 00:80:c8:b9:ad:bd (D-Link_b9:ad:bd)
> >     Type: IP (0x0800)
> > Internet Protocol, Src Addr: 10.10.10.1 (10.10.10.1), Dst Addr: 10.10.10.101 (10.10.10.101)
> >     Version: 4
> >     Header length: 20 bytes
> >     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
> >         0000 00.. = Differentiated Services Codepoint: Default (0x00)
> >         .... ..0. = ECN-Capable Transport (ECT): 0
> >         .... ...0 = ECN-CE: 0
> >     Total Length: 74
> >     Identification: 0x6692
> >     Flags: 0x00
> >         .0.. = Don't fragment: Not set
> >         ..0. = More fragments: Not set
> >     Fragment offset: 0
> >     Time to live: 64
> >     Protocol: UDP (0x11)
> >     Header checksum: 0xeb97 (correct)
> >     Source: 10.10.10.1 (10.10.10.1)
> >     Destination: 10.10.10.101 (10.10.10.101)
> > User Datagram Protocol, Src Port: radius (1812), Dst Port: osu-nms (192)
> >     Source port: radius (1812)
> >     Destination port: osu-nms (192)
> >     Length: 54
> >     Checksum: 0x1f28 (correct)
> > Radius Protocol
> >     Code: Access challenge (11)
> >     Packet identifier: 0xe (14)
> >     Length: 46
> >     Authenticator
> >     Attribute value pairs
> >         t:EAP Message(79) l:8
> >             Extensible Authentication Protocol
> >                 Code: Request (1)
> >                 Id: 2
> >                 Length: 6
> >                 Type: EAP-TLS [RFC2716] [Aboba] (13)
> >                 Flags(0x20): Start
> >         t:Message Authenticator(80) l:18, Value:249C94D64B4ED518CEBDC54A053B4982
> >
> >
> > ------------------------------------------------
> > Henry Su
> > NTT Multimedia Communications Laboratories, Inc.
> > 250 Cambridge Avenue Suite 300
> > Palo Alto, CA 94306, USA (PST:UTC -8H)
> > Tel: +1 650 833 3652
> > Fax: +1 650 326 1878
> > http://www.nttmcl.com/

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
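An added example, not Radiator's or Mike's code: it decodes the two EAP-Message values from the Radiator log quoted in this thread (the Identity response and the EAP-TLS Start request) and checks a RADIUS Message-Authenticator the way RFC 3579 defines it. The shared secret and the RADIUS packet used in the check are constructed here, since the thread does not show them.

```python
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS"}

# The two EAP-Message values from the Radiator log in this thread, as bytes.
IDENTITY_RESPONSE = b"\x02\x04\x00\x0e\x01" + b"1x-client"
EAPTLS_START = b"\x01\x05\x00\x06\x0d\x20"  # 0x20 (Start flag) is a printable space, invisible in the dump


def parse_eap(data: bytes) -> dict:
    """Decode one EAP packet: RFC 2284 header plus RFC 2716 EAP-TLS flags."""
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length {length} does not match {len(data)} bytes")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):  # Success/Failure carry no Type field
        return pkt
    eap_type, body = data[4], data[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        pkt["identity"] = body.decode("ascii", "replace")
    elif eap_type == 13:
        if not body:
            raise ValueError("EAP-TLS packet without Flags byte")
        flags = body[0]
        pkt["flags"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
        # With L set, a 4-byte total TLS message length precedes the TLS data.
        pkt["tls_data"] = body[5:] if flags & 0x80 else body[1:]
    return pkt


def message_authenticator(secret: bytes, packet: bytes, offset: int) -> bytes:
    """RFC 3579 s3.2: HMAC-MD5 over the whole RADIUS packet with the 16-byte
    Message-Authenticator value (at `offset`) zeroed; the all-zero value in
    Radiator's 'Sending' dump is this placeholder. For a Challenge/Accept the
    Authenticator field must hold the matching request's authenticator."""
    zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def verify_message_authenticator(secret: bytes, packet: bytes, offset: int) -> bool:
    """Constant-time comparison of the attribute value with the expected HMAC."""
    expected = message_authenticator(secret, packet, offset)
    return hmac.compare_digest(expected, packet[offset:offset + 16])
```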
