(RADIATOR) Re: EAP TLS

Mike McCauley mikem at open.com.au
Wed Jul 17 20:59:15 CDT 2002


Hi Henry,

On Thu, 18 Jul 2002 11:55, Henry Su wrote:
> Thanks, Mike. I think I tried to subscribe to the mailing list yesterday and I did
> get confirmation from Majordomo at open.com.au with subject "Majordomo
> results: subscribe", but I still didn't receive any email from the mailing list.

You were not subscribed, so I have subscribed you manually.

>
> For the client config, I just use Windows XP, and the network setting for
> the wireless is DHCP. There's really not much at all. I'll try a Linux
> client to see if it makes any difference.

OK. I don't think I can shed much light on client DHCP issues. Sorry. Perhaps
someone else on the list?

Cheers.


>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Wednesday, July 17, 2002 6:43 PM
> To: henrysu at nttmcl.com
> Cc: radiator at open.com.au
> Subject: Re: EAP TLS
>
>
>
>
> Hello Henry,
>
> On Thu, 18 Jul 2002 11:27, Henry Su wrote:
> > Thanks a lot, Mike. I tried to re-install the CA on the XP machine, and it seems
> > to have worked on the RADIUS side. I have 10 frames for the EAP-TLS auth, and RADIUS
> > sends an Access-Accept packet (see it in the attachment). I also have a DHCP
> > server running on the same box as the Radiator server; I tested it and it works
> > well,
>
> The log looks good.
>
> > however my client cannot get an IP address, I do not know why. Do you
> > have any clue?
>
> No, I'm afraid I can't tell from the material you sent. Allocation of an IP
> address from the DHCP server would normally be done by your client. Normally,
> Radiator would not be involved with address allocation.
>
> I think you need to check your client configuration.
>
> Cheers.
>
> > Thanks.
> >
> > -----Original Message-----
> > From: Mike McCauley [mailto:mikem at open.com.au]
> > Sent: Tuesday, July 16, 2002 4:33 PM
> > To: Henry Su
> > Cc: radiator at open.com.au
> > Subject: Re: EAP TLS
> >
> >
> >
> >
> > Hello Henry,
> >
> > Looks like you have not subscribed to the Radiator mailing list. I will
> > try to help you with this problem, but you should subscribe and send all future
> > requests to the mailing list.
> >
> > In the log below, it shows that Radiator has received an EAP identity and
> > has responded with an EAP-TLS start. This is the correct behaviour, and it
> > shows that your Radiator configuration file is OK so far.
> >
> > I suspect that the problem is in the AP or the client. The most likely
> > reason is that the XP client is not configured for EAP-TLS, and it is expecting
> > something else like maybe EAP-MD5 etc. I would check your XP wireless
> > client settings first.
> >
> > Cheers.
> >
> > On Wed, 17 Jul 2002 09:00, owner-radiator at open.com.au wrote:
> > > From mikem at server1.open.com.au Tue Jul 16 18:00:41 2002
> > > Received: from alicia.nttmcl.com (alicia.nttmcl.com [216.69.69.10])
> > > 	by server1.open.com.au (8.11.0/8.11.0) with ESMTP id g6GN0f311978
> > > 	for <radiator at open.com.au>; Tue, 16 Jul 2002 18:00:41 -0500
> > > Received: from hsu (dhcp252.nttmcl.com [216.69.69.252])
> > > 	by alicia.nttmcl.com (8.10.1/8.10.1) with SMTP id g6GMxZ724001
> > > 	for <radiator at open.com.au>; Tue, 16 Jul 2002 15:59:40 -0700 (PDT)
> > > Reply-To: <henrysu at nttmcl.com>
> > > From: "Henry Su" <henrysu at nttmcl.com>
> > > To: <radiator at open.com.au>
> > > Subject: EAP TLS
> > > Date: Tue, 16 Jul 2002 16:00:03 -0700
> > > Message-ID: <AJEHKCJLENGKGEHDIOJGEEICCKAA.henrysu at nttmcl.com>
> > > MIME-Version: 1.0
> > > Content-Type: text/plain;
> > > 	charset="iso-8859-1"
> > > Content-Transfer-Encoding: 7bit
> > > X-Priority: 3 (Normal)
> > > X-MSMail-Priority: Normal
> > > X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
> > > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> > > Importance: Normal
> > >
> > > I am using Radiator 3.1 with patch on FreeBSD 4.5, my client is Windows
> > > XP, the AP is an Orinoco AP1000, and OpenSSL is 0.9.7 beta2.
> > >
> > > My problem is that it works partially: the RADIUS server gets the request and
> > > sends a challenge, but there's no further action going on.
> > >
> > > I'm not sure how to set users for EAP-TLS. I just added the following
> > >
> > > # For testing 802 1x (EAP-TLS)
> > > 1x-client
> > >
> > > Is it correct?
> >
> > Yes, that's OK, but it's best to have a password too, just in case someone
> > tries to do a dialup connection that uses that user entry. The password is not
> > used or required by EAP-TLS.
> >
> > > Could you please point me to any clue? Thanks.
> > >
> > > Radius log:
> > > Tue Jul 16 15:13:58 2002: DEBUG: Packet dump:
> > > *** Received from 10.10.10.101 port 192 ....
> > > Code:       Access-Request
> > > Identifier: 51
> > > Authentic:  g<218>n<142><216><211>!<25><198><183><184><153><147><4>^P
> > > Attributes:
> > >         User-Name = "1x-client"
> > >         NAS-IP-Address = 10.10.10.101
> > >         Called-Station-Id = "00022d2e8a1a"
> > >         Calling-Station-Id = "00022d150780"
> > >         NAS-Identifier = "00-02-2D-15-07-80"
> > >         NAS-Port-Type = 19
> > >         Framed-MTU = 1400
> > >         EAP-Message = <2><4><0><14><1>1x-client
> > >         Message-Authenticator =
> > > <20><2><139><180><214><231><241><189><195>J<175>(<146><230><152>F
> > >
> > > Tue Jul 16 15:13:58 2002: DEBUG: Handling request with Handler
> > > 'Realm=DEFAULT'
> > > Tue Jul 16 15:13:58 2002: DEBUG:  Deleting session for 1x-client,
> > > 10.10.10.101,
> > > Tue Jul 16 15:13:58 2002: DEBUG: Handling with Radius::AuthFILE:
> > > Tue Jul 16 15:13:58 2002: DEBUG: Radius::AuthFILE looks for match with
> > > 1x-client
> > > Tue Jul 16 15:13:58 2002: DEBUG: Handling with EAP
> > > Tue Jul 16 15:13:58 2002: DEBUG: EAP code 2, 4, 14
> > > Tue Jul 16 15:13:58 2002: DEBUG: Response type 1
> > > Tue Jul 16 15:13:58 2002: DEBUG: Radius::AuthFILE CHALLENGE: EAP TLS
> > > Challenge
> > > Tue Jul 16 15:13:58 2002: DEBUG: Access challenged for 1x-client: EAP TLS
> > > Challenge
> > > Tue Jul 16 15:13:58 2002: DEBUG: Packet dump:
> > > *** Sending to 10.10.10.101 port 192 ....
> > > Code:       Access-Challenge
> > > Identifier: 51
> > > Authentic:  g<218>n<142><216><211>!<25><198><183><184><153><147><4>^P
> > > Attributes:
> > >         EAP-Message = <1><5><0><6><13>
> > >         Message-Authenticator =
> > > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > >
> > > Ethereal dump:
> > > Frame 193 (172 on wire, 172 captured)
> > >     Arrival Time: Jul 16, 2002 14:21:26.741422000
> > >     Time delta from previous packet: 30.040387000 seconds
> > >     Time relative to first packet: 11703.517713000 seconds
> > >     Frame Number: 193
> > >     Packet Length: 172 bytes
> > >     Capture Length: 172 bytes
> > > Ethernet II
> > >     Destination: 00:80:c8:b9:ad:bd (D-Link_b9:ad:bd)
> > >     Source: 00:02:2d:15:07:80 (Agere_15:07:80)
> > >     Type: IP (0x0800)
> > > Internet Protocol, Src Addr: 10.10.10.101 (10.10.10.101), Dst Addr: 10.10.10.1 (10.10.10.1)
> > >     Version: 4
> > >     Header length: 20 bytes
> > >     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
> > >         0000 00.. = Differentiated Services Codepoint: Default (0x00)
> > >         .... ..0. = ECN-Capable Transport (ECT): 0
> > >         .... ...0 = ECN-CE: 0
> > >     Total Length: 158
> > >     Identification: 0x0043
> > >     Flags: 0x00
> > >         .0.. = Don't fragment: Not set
> > >         ..0. = More fragments: Not set
> > >     Fragment offset: 0
> > >     Time to live: 64
> > >     Protocol: UDP (0x11)
> > >     Header checksum: 0x5193 (correct)
> > >     Source: 10.10.10.101 (10.10.10.101)
> > >     Destination: 10.10.10.1 (10.10.10.1)
> > > User Datagram Protocol, Src Port: osu-nms (192), Dst Port: radius (1812)
> > >     Source port: osu-nms (192)
> > >     Destination port: radius (1812)
> > >     Length: 138
> > >     Checksum: 0x7249 (correct)
> > > Radius Protocol
> > >     Code: Access Request (1)
> > >     Packet identifier: 0xe (14)
> > >     Length: 130
> > >     Authenticator
> > >     Attribute value pairs
> > >         t:User Name(1) l:11, Value:"1x-client"
> > >         t:NAS IP Address(4) l:6, Value:10.10.10.101
> > >         t:Called Station Id(30) l:14, Value:"00022d2e8a1a"
> > >         t:Calling Station Id(31) l:14, Value:"00022d150780"
> > >         t:NAS identifier(32) l:19, Value:"00-02-2D-15-07-80"
> > >         t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11(19)
> > >         t:Framed MTU(12) l:6, Value:1400
> > >         t:EAP Message(79) l:16
> > >             Extensible Authentication Protocol
> > >                 Code: Response (2)
> > >                 Id: 1
> > >                 Length: 14
> > >                 Type: Identity [RFC2284] (1)
> > >                 Identity (9 bytes): 1x-client
> > >         t:Message Authenticator(80) l:18,
> > > Value:6DF2CB94176DE03541C3F701AC641E08
> > >
> > > Frame 194 (88 on wire, 88 captured)
> > >     Arrival Time: Jul 16, 2002 14:21:26.753859000
> > >     Time delta from previous packet: 0.012437000 seconds
> > >     Time relative to first packet: 11703.530150000 seconds
> > >     Frame Number: 194
> > >     Packet Length: 88 bytes
> > >     Capture Length: 88 bytes
> > > Ethernet II
> > >     Destination: 00:02:2d:15:07:80 (Agere_15:07:80)
> > >     Source: 00:80:c8:b9:ad:bd (D-Link_b9:ad:bd)
> > >     Type: IP (0x0800)
> > > Internet Protocol, Src Addr: 10.10.10.1 (10.10.10.1), Dst Addr: 10.10.10.101 (10.10.10.101)
> > >     Version: 4
> > >     Header length: 20 bytes
> > >     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
> > >         0000 00.. = Differentiated Services Codepoint: Default (0x00)
> > >         .... ..0. = ECN-Capable Transport (ECT): 0
> > >         .... ...0 = ECN-CE: 0
> > >     Total Length: 74
> > >     Identification: 0x6692
> > >     Flags: 0x00
> > >         .0.. = Don't fragment: Not set
> > >         ..0. = More fragments: Not set
> > >     Fragment offset: 0
> > >     Time to live: 64
> > >     Protocol: UDP (0x11)
> > >     Header checksum: 0xeb97 (correct)
> > >     Source: 10.10.10.1 (10.10.10.1)
> > >     Destination: 10.10.10.101 (10.10.10.101)
> > > User Datagram Protocol, Src Port: radius (1812), Dst Port: osu-nms (192)
> > >     Source port: radius (1812)
> > >     Destination port: osu-nms (192)
> > >     Length: 54
> > >     Checksum: 0x1f28 (correct)
> > > Radius Protocol
> > >     Code: Access challenge (11)
> > >     Packet identifier: 0xe (14)
> > >     Length: 46
> > >     Authenticator
> > >     Attribute value pairs
> > >         t:EAP Message(79) l:8
> > >             Extensible Authentication Protocol
> > >                 Code: Request (1)
> > >                 Id: 2
> > >                 Length: 6
> > >                 Type: EAP-TLS [RFC2716] [Aboba] (13)
> > >                 Flags(0x20): Start
> > >         t:Message Authenticator(80) l:18,
> > > Value:249C94D64B4ED518CEBDC54A053B4982
> > >
> > >
> > > ------------------------------------------------
> > >
> > > Henry Su
> > >
> > > NTT Multimedia Communications Laboratories, Inc.
> > >
> > > 250 Cambridge Avenue Suite 300
> > >
> > > Palo Alto, CA 94306, USA (PST:UTC -8H)
> > >
> > > Tel: +1 650 833 3652
> > >
> > > Fax: +1 650 326 1878
> > >
> > > http://www.nttmcl.com/

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc 
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
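The two frames in the Ethereal dump above (an Access-Request carrying the EAP Identity response "1x-client", answered by an Access-Challenge carrying an EAP-TLS Request with the Start flag) are the whole of the exchange the thread calls "correct so far". The script below is an added example, not code from the thread or from Radiator, that rebuilds that exchange from the values in the dump, decodes the EAP-Message attribute (including the L/M/S flag byte that Radiator's own dump prints as an invisible space, since the Start flag 0x20 is ASCII space), and checks the Message-Authenticator that RFC 3579 requires on every RADIUS packet carrying EAP. Everything it needs is in the Python standard library. The shared secret and the 16-byte Request Authenticator are made up for the demo; the Message-Authenticator values in the dump cannot be recomputed without the real secret.

```python
"""Decode and verify the RADIUS/EAP-TLS Start exchange from the thread.

Added example; not from the original post or from Radiator. Standard library only.
The shared secret and Request Authenticator below are assumptions for the demo.
"""
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

# EAP codes and types (RFC 2284 / RFC 2716); EAP-TLS flag bits L, M and S
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
TLS_FLAG_L, TLS_FLAG_M, TLS_FLAG_S = 0x80, 0x40, 0x20

SECRET = b"radiator-secret"        # assumption: made-up shared secret
REQUEST_AUTH = bytes(range(16))    # assumption: made-up Request Authenticator


def attributes(packet):
    """Yield (type, value) for every AVP after the 20-byte RADIUS header."""
    pos = 20
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield t, bytes(packet[pos + 2:pos + l])
        pos += l


def eap_payload(packet):
    """Concatenate all EAP-Message attributes in order (RFC 3579 fragmentation)."""
    return b"".join(v for t, v in attributes(packet) if t == ATTR_EAP_MESSAGE)


def decode_eap(eap):
    """Decode one EAP packet; for EAP-TLS also split out the flag byte."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length < 4 or length != len(eap):
        raise ValueError("EAP length field does not match payload")
    info = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        info["type"] = eap[4]
        if info["type"] == EAP_TYPE_IDENTITY:
            info["identity"] = eap[5:].decode("utf-8", "replace")
        elif info["type"] == EAP_TYPE_TLS:
            flags = eap[5]
            info["start"] = bool(flags & TLS_FLAG_S)
            info["more"] = bool(flags & TLS_FLAG_M)
            # with the L flag set a 4-byte TLS message length precedes the data
            info["tls_data"] = eap[10:] if flags & TLS_FLAG_L else eap[6:]
    return info


def message_authenticator(packet, secret, request_auth):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed and the
    Request Authenticator in the header; for a response that is the authenticator
    of the request being answered (RFC 2869 section 5.14)."""
    pkt = bytearray(packet)
    pkt[4:20] = request_auth
    pos = 20
    while pos < len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            pkt[pos + 2:pos + l] = bytes(l - 2)
        pos += l
    return hmac.new(secret, bytes(pkt), hashlib.md5).digest()


def build(code, ident, request_auth, attrs, secret):
    """Assemble a packet with a valid Message-Authenticator (last attribute);
    responses also get the RFC 2865 Response Authenticator in the header."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    body = body[:-16] + message_authenticator(head + request_auth + body, secret, request_auth)
    auth = request_auth
    if code != ACCESS_REQUEST:
        auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + auth + body


def verify(packet, secret, request_auth):
    """True only if the Message-Authenticator checks out and, for responses,
    the Response Authenticator too; a missing Message-Authenticator fails."""
    macs = [v for t, v in attributes(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    if not hmac.compare_digest(macs[0], message_authenticator(packet, secret, request_auth)):
        return False
    if packet[0] != ACCESS_REQUEST:
        expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
        return hmac.compare_digest(bytes(packet[4:20]), expected)
    return True


def exchange():
    """Rebuild frames 193/194 of the thread: Identity response, then EAP-TLS Start."""
    identity = struct.pack("!BBH", EAP_RESPONSE, 1, 14) + bytes([EAP_TYPE_IDENTITY]) + b"1x-client"
    request = build(ACCESS_REQUEST, 14, REQUEST_AUTH,
                    [(ATTR_USER_NAME, b"1x-client"), (ATTR_EAP_MESSAGE, identity)], SECRET)
    start = struct.pack("!BBH", EAP_REQUEST, 2, 6) + bytes([EAP_TYPE_TLS, TLS_FLAG_S])
    challenge = build(ACCESS_CHALLENGE, 14, REQUEST_AUTH, [(ATTR_EAP_MESSAGE, start)], SECRET)
    return request, challenge


if __name__ == "__main__":
    req, chal = exchange()
    print(decode_eap(eap_payload(req)))     # Identity response from the supplicant
    print(decode_eap(eap_payload(chal)))    # EAP-TLS Start from the server
    print(verify(req, SECRET, REQUEST_AUTH), verify(chal, SECRET, REQUEST_AUTH))
```

Two things the check makes concrete: a server must verify the Message-Authenticator before acting on an EAP-Message (without it the EAP payload is only covered by the shared secret through the Response Authenticator, and Access-Requests have no such protection at all), and a response only verifies against the Request Authenticator of the request it answers, so a captured Access-Challenge cannot be replayed against a later request.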

