(RADIATOR) Can't get PEAP to work, need help.

Mike McCauley mikem at open.com.au
Mon Jun 23 07:54:36 CDT 2003


Hello Jerome,

My experience with this type of behaviour is that the real cause of the 
problem actually occurred long before. What happens is that Radiator declines to 
reply to a request for some reason, and then you see a number of 
retransmissions.

We will need to see _all_ of the Radiator log file from the start of the 
authentication attempt until the end. I think then we will see why Radiator 
is not responding to the client's requests.

Cheers.



On Mon, 23 Jun 2003 10:22 pm, Jerome Fleury wrote:
> --On Friday, June 20, 2003 10:10:46 AM +1000 Hugh Irvine <hugh at open.com.au> wrote:
> > Salut Jerome -
> >
> > It looks like Radiator is crashing if the log stops as shown. You will
> > need to look at the Perl output to see what the error is, but it is
> > usually a missing module that has not been loaded. The easiest way to see
> > what is happening is to run radiusd from the command line like this:
> >
> > 	perl radiusd -foreground -log_stdout -trace 4 -config_file .....
> >
> > where "...." is the name of your configuration file.
>
> Thanks for the help, Hugh.
>
> I tried this, but the server is not crashing. It just stops processing.
> Added some debug in the EAP_25.pm code and got this:
>
> Mon Jun 23 14:04:09 2003: DEBUG: Handling request with Handler ''
> Mon Jun 23 14:04:09 2003: DEBUG:  Deleting session for testUser, 172.30.24.10, 78
> Mon Jun 23 14:04:09 2003: DEBUG: Handling with Radius::AuthFILE:
> Mon Jun 23 14:04:09 2003: DEBUG: Handling with EAP: code 2, 2, 94
> Mon Jun 23 14:04:09 2003: DEBUG: Response type 25
> Mon Jun 23 14:04:09 2003: DEBUG: jeje - else2
> Mon Jun 23 14:04:09 2003: DEBUG: jeje - 25,  PEAP
> Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
> Mon Jun 23 14:04:09 2003: ERR: jeje - want read
> Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465,
> Mon Jun 23 14:04:09 2003: DEBUG: Access challenged for testUser: EAP PEAP Challenge
> Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
> *** Sending to 172.30.24.10 port 1645 ....
> Code:       Access-Challenge
> Identifier: 215
> Authentic:  NW<237>T?<254>DT<202><146><22>|z<4><219><161>
> Attributes:
>         EAP-Message = "<4><2><0><4>"
>         Signature = "<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>"
>         EAP-Message = "<1><3><0><6><25><0>"
>
>
> It seems like I'm stuck in the ERROR_WANT_READ block code, which does
> nothing, and it does this all the time, whether I'm doing EAP-TTLS or
> EAP-PEAP. It looks definitely like a Radiator/SSL issue, but I'm stuck by
> this lack of information.
> First I guessed it was my version of OpenSSL (it was 0.9.6c), but after
> upgrading to the most recent one, I still have this problem.
>
> I'm looking forward to any suggestion one could have.
>
> > Note the list of prerequisite modules that are listed in the comment
> > block at the top of the "eap_peap.cfg" file.
> >
> > regards
> >
> > Hugh
> >
> > On Thursday, Jun 19, 2003, at 23:49 Australia/Melbourne, Jerome Fleury wrote:
> >> Here is the test config:
> >>
> >> Client: Cisco Aironet/Orinoco
> >> 802.1X client: 2000+hotfix/Funk Odyssey
> >> AP: Cisco Aironet 1100
> >>
> >> I use the test config from goodies/eap_peap.cfg with this modification:
> >>
> >>  Filename %D/users-wifi
> >>
> >> (is there any special entry to put in this file? anonymous user?)
> >>
> >> As soon as I enter my credentials (802.1X identification window from
> >> Windows 2000 appears), the radius request launches from the AP:
> >>
> >> .Jun 19 13:42:01.250: dot11_dot1x_run_rfsm: current state CLIENT_WAIT, received CLIENT_REPLY, mac: 0060.1df0.3503
> >> .Jun 19 13:42:01.250: dot11_dot1x_send_response_to_server: Sending client data to server
> >> .Jun 19 13:42:01.251: RADIUS/ENCODE(00003489): acct_session_id: 13473
> >> .Jun 19 13:42:01.251: RADIUS(00003489): sending
> >> .Jun 19 13:42:01.252: RADIUS: Send to unknown id 44 172.30.19.3:1812, Access-Request, len 128
> >> .Jun 19 13:42:01.252: RADIUS:  authenticator 52 44 49 1C E4 86 B3 78 - E9 F8 87 6C B1 59 CA FF
> >> .Jun 19 13:42:01.252: RADIUS:  User-Name           [1]   5   "ben"
> >> .Jun 19 13:42:01.252: RADIUS:  Framed-MTU          [12]  6   1400
> >> .Jun 19 13:42:01.252: RADIUS:  Called-Station-Id   [30]  16  "0002.8a5b.400f"
> >> .Jun 19 13:42:01.252: RADIUS:  Calling-Station-Id  [31]  16  "0060.1df0.3503"
> >> .Jun 19 13:42:01.252: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
> >> .Jun 19 13:42:01.252: RADIUS:  Message-Authenticato[80]  18  *
> >> .Jun 19 13:42:01.252: RADIUS:  EAP-Message         [79]  8
> >> .Jun 19 13:42:01.253: RADIUS:   02 03 00 06           [????]
> >> .Jun 19 13:42:01.253: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
> >> .Jun 19 13:42:01.253: RADIUS:  NAS-Port            [5]   6   159
> >> .Jun 19 13:42:01.253: RADIUS:  Service-Type        [6]   6   Login                     [1]
> >> .Jun 19 13:42:01.254: RADIUS:  NAS-IP-Address      [4]   6   172.30.24.10
> >> .Jun 19 13:42:01.254: RADIUS:  Nas-Identifier      [32]  9   "ap2.gre"
> >> .Jun 19 13:42:06.253: RADIUS: Retransmit to (172.30.19.3:1812,1813) for id 44
> >> .Jun 19 13:42:12.056: RADIUS: Retransmit to (172.30.19.3:1812,1813) for id 44
> >> .Jun 19 13:42:17.057: RADIUS: Retransmit to (172.30.19.3:1812,1813) for id 44
> >> .Jun 19 13:42:21.899: dot11_dot1x_parse_client_pak: Received EAPOL packet from 0060.1df0.3503
> >> .Jun 19 13:42:21.899: EAPOL pak dump rx
> >> .Jun 19 13:42:21.899: EAPOL Version: 0x1  type: 0x1  length: 0x0000
> >> 00E126C0:          01010000                        ....
> >> .Jun 19 13:42:21.899: dot11_dot1x_run_rfsm: current state SERVER_WAIT, received EAP_START, mac: 0060.1df0.3503
> >> .Jun 19 13:42:21.900: dot11_dot1x_ignore_event: Ignore event: do nothing
> >> .Jun 19 13:42:22.188: RADIUS: Tried all servers.
> >> .Jun 19 13:42:22.188: RADIUS: No valid server found. Trying any viable server
> >> .Jun 19 13:42:22.188: RADIUS: Tried all servers.
> >> .Jun 19 13:42:22.188: RADIUS: No response from (172.30.19.3:1812,1813) for id 44
> >> .Jun 19 13:42:22.188: RADIUS/DECODE: parse response no app start; FAIL
> >> .Jun 19 13:42:22.188: RADIUS/DECODE: parse response; FAIL
> >>
> >>
> >> As you can see, the Radius server seems not to respond, and the AP
> >> retransmits.
> >>
> >> Here are the logs on Radiator:
> >>
> >> Code:       Access-Request
> >> Identifier: 44
> >> Authentic:  RDI<28><228><134><179>x<233><248><135>l<177>Y<202><255>
> >> Attributes:
> >>         User-Name = "ben"
> >>         Framed-MTU = 1400
> >>         Called-Station-Id = "0002.8a5b.400f"
> >>         Calling-Station-Id = "0060.1df0.3503"
> >>         NAS-Port-Type = 19
> >>         Signature = "<14><184>;<197>Q<12>;<219>Y5<209><240><179>%<181><184>"
> >>         EAP-Message = "<2><3><0><6><25>"
> >>         NAS-Port-Type = Virtual
> >>         NAS-Port = 159
> >>         Service-Type = Login-User
> >>         NAS-IP-Address = 172.30.24.10
> >>         NAS-Identifier = "ap2.gre"
> >>
> >> Thu Jun 19 15:42:17 2003: DEBUG: Handling request with Handler ''
> >> Thu Jun 19 15:42:17 2003: DEBUG:  Deleting session for ben, 172.30.24.10, 159
> >> Thu Jun 19 15:42:17 2003: DEBUG: Handling with Radius::AuthFILE:
> >> Thu Jun 19 15:42:17 2003: DEBUG: Handling with EAP: code 2, 3, 6
> >> Thu Jun 19 15:42:17 2003: DEBUG: Response type 25
> >>
> >> and that's pretty much all. No error to help me out.
> >>
> >> Has anybody any clue about that?
> >>
> >> Thanks.
> >> --
> >> Jerome Fleury
> >> ===
> >> Archive at http://www.open.com.au/archives/radiator/
> >> Announcements on radiator-announce at open.com.au
> >> To unsubscribe, email 'majordomo at open.com.au' with
> >> 'unsubscribe radiator' in the body of the message.
> >
> > NB: have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
>
> --
> Jerome Fleury

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
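Added example (not code from this thread, from Radiator, or from Open System Consultants): a small Python helper for the two things the thread turns on. It decodes the EAP-Message values that Radiator prints in its packet dumps (the `<decimal>` escape form, e.g. `<2><3><0><6><25>`) into EAP code, identifier, length, method type and, for EAP-TLS/TTLS/PEAP, the L/M/S flag bits, and it walks a trace 4 log to list Access-Requests that never got a reply from the server, which is the gap Mike asks to see in the complete log. The trace 4 layout (`*** Received from ... port ...` / `*** Sending to ... port ...`, `Code:`, `Identifier:`, indented attributes) is assumed from the dumps quoted above, and the sample log is constructed, not captured from a real server.

```python
import re

# EAP code and method-type values (RFC 3748; 13 = EAP-TLS, 21 = EAP-TTLS, 25 = PEAP)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_LIKE_TYPES = {13, 21, 25}  # methods whose first data octet is the L/M/S flags byte


def unescape_radiator(value):
    """Turn Radiator's dump notation ('<2><3><0><6><25>') into bytes.
    Printable characters are shown literally, everything else as <decimal>."""
    out = bytearray()
    pos = 0
    while pos < len(value):
        m = re.match(r"<(\d{1,3})>", value[pos:])
        if m:
            out.append(int(m.group(1)))
            pos += m.end()
        else:
            out.append(ord(value[pos]))
            pos += 1
    return bytes(out)


def decode_eap_packets(data):
    """Split a buffer of concatenated EAP packets on their Length fields and
    decode each header. A packet whose Length exceeds the bytes present (or is
    shorter than a header) is reported with truncated=True and ends the walk."""
    packets = []
    while len(data) >= 4:
        code, ident = data[0], data[1]
        length = int.from_bytes(data[2:4], "big")
        pkt = {"code": EAP_CODES.get(code, "code %d" % code), "id": ident,
               "length": length, "truncated": length > len(data) or length < 4}
        if code in (1, 2) and len(data) >= 5:
            method = data[4]
            pkt["type"] = EAP_TYPES.get(method, "type %d" % method)
            if method in TLS_LIKE_TYPES and len(data) >= 6:
                flags = data[5]
                pkt["flags"] = {"length_included": bool(flags & 0x80),
                                "more_fragments": bool(flags & 0x40),
                                "start": bool(flags & 0x20)}
        packets.append(pkt)
        if pkt["truncated"]:
            break
        data = data[length:]
    return packets


def parse_packets(log_text):
    """Group the packet dumps of a trace 4 log into one record per RADIUS packet.
    Several EAP-Message attributes in one packet are concatenated (RFC 3579)."""
    packets, cur = [], None
    for line in log_text.splitlines():
        m = re.match(r"\*\*\* (Received from|Sending to) (\S+) port (\d+)", line)
        if m:
            cur = {"direction": "rx" if m.group(1) == "Received from" else "tx",
                   "peer": m.group(2), "code": None, "identifier": None, "eap": b""}
            packets.append(cur)
            continue
        if cur is None:
            continue
        if m := re.match(r"Code:\s+(\S+)", line):
            cur["code"] = m.group(1)
        elif m := re.match(r"Identifier:\s+(\d+)", line):
            cur["identifier"] = int(m.group(1))
        elif m := re.match(r'\s*EAP-Message = "([^"]*)"', line):
            cur["eap"] += unescape_radiator(m.group(1))
    return packets


def unanswered(packets):
    """(peer, identifier) of every received request with no reply sent back
    under the same identifier: the point where the server went quiet."""
    answered = {(p["peer"], p["identifier"]) for p in packets if p["direction"] == "tx"}
    return [(p["peer"], p["identifier"]) for p in packets
            if p["direction"] == "rx" and (p["peer"], p["identifier"]) not in answered]


# Constructed sample in trace 4 layout: request 44 is answered with a PEAP
# start request (flags 0x20), request 45 never gets a reply.
SAMPLE_LOG = """\
Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
*** Received from 172.30.24.10 port 1645 ....
Code:       Access-Request
Identifier: 44
Attributes:
        User-Name = "ben"
        EAP-Message = "<2><3><0><6><25><0>"
Mon Jun 23 14:04:09 2003: DEBUG: Handling with EAP: code 2, 3, 6
Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
*** Sending to 172.30.24.10 port 1645 ....
Code:       Access-Challenge
Identifier: 44
Attributes:
        EAP-Message = "<1><4><0><6><25><32>"
Mon Jun 23 14:04:10 2003: DEBUG: Packet dump:
*** Received from 172.30.24.10 port 1645 ....
Code:       Access-Request
Identifier: 45
Attributes:
        EAP-Message = "<2><4><0><6><25><0>"
Mon Jun 23 14:04:10 2003: DEBUG: Handling with EAP: code 2, 4, 6
"""

if __name__ == "__main__":
    # The two EAP-Message values from the Access-Challenge quoted in the thread.
    print(decode_eap_packets(unescape_radiator("<4><2><0><4><1><3><0><6><25><0>")))
    pkts = parse_packets(SAMPLE_LOG)
    for p in pkts:
        print(p["direction"], p["peer"], p["code"], p["identifier"], decode_eap_packets(p["eap"]))
    print("unanswered:", unanswered(pkts))
```

Run it against a complete trace 4 log (`parse_packets(open("radiator.log").read())`) and `unanswered` points at the first request that went without a reply, so the lines just above it are where to look. The flag decode is the quick check for a PEAP or TLS exchange: the server's first request of the method should carry the Start bit, and a `truncated` result means the dump shows fewer bytes than the EAP Length field claims.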
