(RADIATOR) Can't get PEAP to work, need help.
Jerome Fleury
jeje at jeje.org
Mon Jun 23 07:22:41 CDT 2003
--On Friday, June 20, 2003 10:10:46 AM +1000 Hugh Irvine <hugh at open.com.au> wrote:
>
> Salut Jerome -
>
> It looks like Radiator is crashing if the log stops as shown. You will need to look at the
> Perl output to see what the error is, but it is usually a missing module that has not been
> loaded. The easiest way to see what is happening is to run radiusd from the command line like
> this:
>
> perl radiusd -foreground -log_stdout -trace 4 -config_file .....
>
> where "...." is the name of your configuration file.

Thanks for the help, Hugh.

I tried this, but the server is not crashing. It just stops processing. I added some debug output
to the EAP_25.pm code and got this:

Mon Jun 23 14:04:09 2003: DEBUG: Handling request with Handler ''
Mon Jun 23 14:04:09 2003: DEBUG: Deleting session for testUser, 172.30.24.10, 78
Mon Jun 23 14:04:09 2003: DEBUG: Handling with Radius::AuthFILE:
Mon Jun 23 14:04:09 2003: DEBUG: Handling with EAP: code 2, 2, 94
Mon Jun 23 14:04:09 2003: DEBUG: Response type 25
Mon Jun 23 14:04:09 2003: DEBUG: jeje - else2
Mon Jun 23 14:04:09 2003: DEBUG: jeje - 25, PEAP
Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
Mon Jun 23 14:04:09 2003: ERR: jeje - want read
Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465,
Mon Jun 23 14:04:09 2003: DEBUG: Access challenged for testUser: EAP PEAP Challenge
Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
*** Sending to 172.30.24.10 port 1645 ....
Code: Access-Challenge
Identifier: 215
Authentic: NW<237>T?<254>DT<202><146><22>|z<4><219><161>
Attributes:
EAP-Message = "<4><2><0><4>"
Signature = "<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>"
EAP-Message = "<1><3><0><6><25><0>"

It seems like I'm stuck in the ERROR_WANT_READ block of code, which does nothing, and it does
this all the time, whether I'm doing EAP-TTLS or EAP-PEAP. It definitely looks like a
Radiator/SSL issue, but I'm stuck because of this lack of information.

First I guessed it was my version of OpenSSL (it was 0.9.6c), but after upgrading to the most
recent one, I still have this problem.

I'm looking forward to any suggestions anyone may have.

> Note the list of prerequisite modules that are listed in the comment block at the top of the
> "eap_peap.cfg" file.
>
> regards
>
> Hugh
>
>
> On Thursday, Jun 19, 2003, at 23:49 Australia/Melbourne, Jerome Fleury wrote:
>
>> Here is the test config:
>>
>> Client: Cisco Aironet/Orinoco
>> 802.1X client: 2000+hotfix/Funk Odyssey
>> AP: Cisco Aironet 1100
>>
>> I use the test config from goodies/eap_peap.cfg with this modification:
>>
>> Filename %D/users-wifi
>>
>> (is there any special entry to put in this file ? anonymous user ?)
>>
>> As soon as I enter my credentials (802.1X identification window from
>> Windows 2000 appears), the
>> radius request launches from the AP:
>>
>> .Jun 19 13:42:01.250: dot11_dot1x_run_rfsm: current state CLIENT_WAIT,
>> received CLIENT_REPLY,
>> mac: 0060.1df0.3503
>> .Jun 19 13:42:01.250: dot11_dot1x_send_response_to_server: Sending
>> client data to server
>> .Jun 19 13:42:01.251: RADIUS/ENCODE(00003489): acct_session_id: 13473
>> .Jun 19 13:42:01.251: RADIUS(00003489): sending
>> .Jun 19 13:42:01.252: RADIUS: Send to unknown id 44 172.30.19.3:1812,
>> Access-Request, len 128
>> .Jun 19 13:42:01.252: RADIUS: authenticator 52 44 49 1C E4 86 B3 78 -
>> E9 F8 87 6C B1 59 CA FF
>> .Jun 19 13:42:01.252: RADIUS: User-Name [1] 5 "ben"
>> .Jun 19 13:42:01.252: RADIUS: Framed-MTU [12] 6 1400
>> .Jun 19 13:42:01.252: RADIUS: Called-Station-Id [30] 16
>> "0002.8a5b.400f"
>> .Jun 19 13:42:01.252: RADIUS: Calling-Station-Id [31] 16
>> "0060.1df0.3503"
>> .Jun 19 13:42:01.252: RADIUS: NAS-Port-Type [61] 6 802.11
>> wireless [19]
>> .Jun 19 13:42:01.252: RADIUS: Message-Authenticato[80] 18 *
>> .Jun 19 13:42:01.252: RADIUS: EAP-Message [79] 8
>> .Jun 19 13:42:01.253: RADIUS: 02 03 00 06
>> [????]
>> .Jun 19 13:42:01.253: RADIUS: NAS-Port-Type [61] 6 Virtual
>> [5]
>> .Jun 19 13:42:01.253: RADIUS: NAS-Port [5] 6 159
>> .Jun 19 13:42:01.253: RADIUS: Service-Type [6] 6 Login
>> [1]
>> .Jun 19 13:42:01.254: RADIUS: NAS-IP-Address [4] 6
>> 172.30.24.10
>> .Jun 19 13:42:01.254: RADIUS: Nas-Identifier [32] 9 "ap2.gre"
>> .Jun 19 13:42:06.253: RADIUS: Retransmit to (172.30.19.3:1812,1813)
>> for id 44
>> .Jun 19 13:42:12.056: RADIUS: Retransmit to (172.30.19.3:1812,1813)
>> for id 44
>> .Jun 19 13:42:17.057: RADIUS: Retransmit to (172.30.19.3:1812,1813)
>> for id 44
>> .Jun 19 13:42:21.899: dot11_dot1x_parse_client_pak: Received EAPOL
>> packet from 0060.1df0.3503
>> .Jun 19 13:42:21.899: EAPOL pak dump rx
>> .Jun 19 13:42:21.899: EAPOL Version: 0x1 type: 0x1 length: 0x0000
>> 00E126C0: 01010000 ....
>> .Jun 19 13:42:21.899: dot11_dot1x_run_rfsm: current state SERVER_WAIT,
>> received EAP_START, mac:
>> 0060.1df0.3503
>> .Jun 19 13:42:21.900: dot11_dot1x_ignore_event: Ignore event: do
>> nothing
>> .Jun 19 13:42:22.188: RADIUS: Tried all servers.
>> .Jun 19 13:42:22.188: RADIUS: No valid server found. Trying any viable
>> server
>> .Jun 19 13:42:22.188: RADIUS: Tried all servers.
>> .Jun 19 13:42:22.188: RADIUS: No response from (172.30.19.3:1812,1813)
>> for id 44
>> .Jun 19 13:42:22.188: RADIUS/DECODE: parse response no app start; FAIL
>> .Jun 19 13:42:22.188: RADIUS/DECODE: parse response; FAIL
>>
>>
>> As you can see, the Radius server seems not to respond, and AP
>> retransmits.
>>
>> Here are the logs on Radiator:
>>
>> Code: Access-Request
>> Identifier: 44
>> Authentic: RDI<28><228><134><179>x<233><248><135>l<177>Y<202><255>
>> Attributes:
>> User-Name = "ben"
>> Framed-MTU = 1400
>> Called-Station-Id = "0002.8a5b.400f"
>> Calling-Station-Id = "0060.1df0.3503"
>> NAS-Port-Type = 19
>> Signature =
>> "<14><184>;<197>Q<12>;<219>Y5<209><240><179>%<181><184>"
>> EAP-Message = "<2><3><0><6><25>"
>> NAS-Port-Type = Virtual
>> NAS-Port = 159
>> Service-Type = Login-User
>> NAS-IP-Address = 172.30.24.10
>> NAS-Identifier = "ap2.gre"
>>
>> Thu Jun 19 15:42:17 2003: DEBUG: Handling request with Handler ''
>> Thu Jun 19 15:42:17 2003: DEBUG: Deleting session for ben,
>> 172.30.24.10, 159
>> Thu Jun 19 15:42:17 2003: DEBUG: Handling with Radius::AuthFILE:
>> Thu Jun 19 15:42:17 2003: DEBUG: Handling with EAP: code 2, 3, 6
>> Thu Jun 19 15:42:17 2003: DEBUG: Response type 25
>>
>> and that's pretty all. No error to help me out.
>>
>> Has anybody any clue about that ?
>>
>> Thanks.
>> --
>> Jerome Fleury
>> ===
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
--
Jerome Fleury
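
An added example, not part of the original posts and not Radiator code: a decoder for the EAP-Message values as the trace dumps above print them, assuming `<N>` stands for one byte with decimal value N (inferred from the dumps; all function names are hypothetical). It reads the EAP header and, for TLS-based types, the L/M/S flag bits that follow the type octet.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}  # these types carry a flags octet after the type

def unescape(dump: str) -> bytes:
    """Trace notation -> bytes. Assumption: <N> is a byte with decimal value N."""
    out = bytearray()
    for num, lit in re.findall(r"<(\d{1,3})>|(.)", dump, re.S):
        out += bytes([int(num)]) if num else lit.encode("latin-1")
    return bytes(out)

def decode_eap(dump: str) -> dict:
    """Decode the EAP header: Code(1) Identifier(1) Length(2) [Type(1) [Flags(1)]]."""
    raw = unescape(dump)
    if len(raw) < 4:
        raise ValueError("an EAP packet needs at least a 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {
        "code": EAP_CODES.get(code, code),
        "id": ident,
        "length": length,
        # Declared length larger than what the dump printed: bytes were lost.
        "truncated": length > len(raw),
    }
    if code in (1, 2) and len(raw) >= 5:  # only Request/Response carry a type
        etype = raw[4]
        info["type"] = EAP_TYPES.get(etype, etype)
        if etype in TLS_BASED and len(raw) >= 6:
            flags = raw[5]
            info["flags"] = {
                "length_included": bool(flags & 0x80),
                "more_fragments": bool(flags & 0x40),
                "start": bool(flags & 0x20),
            }
            # Bytes after the flags octet (TLS length field and TLS data).
            info["payload_bytes"] = max(0, min(length, len(raw)) - 6)
    return info

# The three EAP-Message values quoted in the thread's packet dumps.
SAMPLES = ["<4><2><0><4>", "<1><3><0><6><25><0>", "<2><3><0><6><25>"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", decode_eap(sample))
```

Run over the three EAP-Message values quoted in the thread, it reports an EAP Failure (id 2), a PEAP Request (id 3) with no flag bits set and no payload after the flags octet, and a PEAP Response whose declared length of 6 exceeds the 5 bytes the dump printed.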