(RADIATOR) Can't get PEAP to work, need help.

Jeje jeje at jeje.org
Mon Jun 23 09:52:29 CDT 2003


Following your advice, I just upgraded to the most recent SSLeay (1.22 -> 1.23); unfortunately,
the same problem occurs.

--On Monday, June 23, 2003 03:18:52 PM +0200 Tom Rixom <tom.rixom at alfa-ariss.com> wrote:

> Make sure you have the correct/latest SSLeay library.
> 
> The output message that Radiator sends back looks weird:
> 
> EAP-Message = "<4><2><0><4>"
> Signature = "<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>"
> EAP-Message = "<1><3><0><6><25><0>"
> 
> Two EAP-Messages? One reject and one PEAP ack
> 
> Regards,
> 
> Tom.
> 
>> -----Original Message-----
>> From: Jerome Fleury [mailto:jeje at jeje.org]
>> Sent: Monday, June 23, 2003 2:23 PM
>> To: Hugh Irvine
>> Cc: radiator at open.com.au
>> Subject: Re: (RADIATOR) Can't get PEAP to work, need help.
>> 
>> 
>> --On Friday, June 20, 2003 10:10:46 AM +1000 Hugh Irvine <hugh at open.com.au> wrote:
>> 
>> > 
>> > Salut Jerome -
>> > 
>> > It looks like Radiator is crashing if the log stops as shown. You will need to look at the
>> > Perl output to see what the error is, but it is usually a missing module that has not been
>> > loaded. The easiest way to see what is happening is to run radiusd from the command line like
>> > this:
>> > 
>> > 	perl radiusd -foreground -log_stdout -trace 4 -config_file .....
>> > 
>> > where "...." is the name of your configuration file.
>> 
>> Thanks for help Hugh.
>> 
>> I tried this, but the server is not crashing. It just stops processing. Added some debug in the
>> EAP_25.pm code and got this:
>> 
>> Mon Jun 23 14:04:09 2003: DEBUG: Handling request with Handler ''
>> Mon Jun 23 14:04:09 2003: DEBUG:  Deleting session for testUser, 172.30.24.10, 78
>> Mon Jun 23 14:04:09 2003: DEBUG: Handling with Radius::AuthFILE: 
>> Mon Jun 23 14:04:09 2003: DEBUG: Handling with EAP: code 2, 2, 94
>> Mon Jun 23 14:04:09 2003: DEBUG: Response type 25
>> Mon Jun 23 14:04:09 2003: DEBUG: jeje - else2
>> Mon Jun 23 14:04:09 2003: DEBUG: jeje - 25,  PEAP
>> Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
>> Mon Jun 23 14:04:09 2003: ERR: jeje - want read
>> Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465, 
>> Mon Jun 23 14:04:09 2003: DEBUG: Access challenged for testUser: EAP PEAP Challenge
>> Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
>> *** Sending to 172.30.24.10 port 1645 ....
>> Code:       Access-Challenge
>> Identifier: 215
>> Authentic:  NW<237>T?<254>DT<202><146><22>|z<4><219><161>
>> Attributes:
>>         EAP-Message = "<4><2><0><4>"
>>         Signature = "<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>"
>>         EAP-Message = "<1><3><0><6><25><0>"
>> 
>> 
>> It seems like I'm stuck in the ERROR_WANT_READ block code, which does nothing, and this does
>> this all the time, whether I'm doing EAP-TTLS or EAP-PEAP. It looks definitely like a
>> Radiator/SSL issue, but I'm stuck by this lack of information.
>> First I guessed it was my version of OpenSSL (it was 0.9.6c), but after upgrading to the most
>> recent one, I still have this problem.
>> 
>> I'm looking forward to any suggestion one could have.
>> 
>> 
>> > Note the list of prerequisite modules that are listed in the comment block at the top of the
>> > "eap_peap.cfg" file.
>> > 
>> > regards
>> > 
>> > Hugh
>> > 
>> > 
>> > On Thursday, Jun 19, 2003, at 23:49 Australia/Melbourne, Jerome Fleury wrote:
>> > 
>> >> Here is the test config:
>> >> 
>> >> Client: Cisco Aironet/Orinoco
>> >> 802.1X client: 2000+hotfix/Funk Odyssey
>> >> AP: Cisco Aironet 1100
>> >> 
>> >> I use the test config from goodies/eap_peap.cfg with this modification:
>> >> 
>> >>  Filename %D/users-wifi
>> >> 
>> >> (is there any special entry to put in this file ? anonymous user ?)
>> >> 
>> >> As soon as I enter my credentials (802.1X identification window from Windows 2000 appears), the
>> >> radius request launches from the AP:
>> >> 
>> >> .Jun 19 13:42:01.250: dot11_dot1x_run_rfsm: current state CLIENT_WAIT, received CLIENT_REPLY, mac: 0060.1df0.3503
>> >> .Jun 19 13:42:01.250: dot11_dot1x_send_response_to_server: Sending client data to server
>> >> .Jun 19 13:42:01.251: RADIUS/ENCODE(00003489): acct_session_id: 13473
>> >> .Jun 19 13:42:01.251: RADIUS(00003489): sending
>> >> .Jun 19 13:42:01.252: RADIUS: Send to unknown id 44 172.30.19.3:1812, Access-Request, len 128
>> >> .Jun 19 13:42:01.252: RADIUS:  authenticator 52 44 49 1C E4 86 B3 78 - E9 F8 87 6C B1 59 CA FF
>> >> .Jun 19 13:42:01.252: RADIUS:  User-Name           [1]   5   "ben"
>> >> .Jun 19 13:42:01.252: RADIUS:  Framed-MTU          [12]  6   1400
>> >> .Jun 19 13:42:01.252: RADIUS:  Called-Station-Id   [30]  16  "0002.8a5b.400f"
>> >> .Jun 19 13:42:01.252: RADIUS:  Calling-Station-Id  [31]  16  "0060.1df0.3503"
>> >> .Jun 19 13:42:01.252: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
>> >> .Jun 19 13:42:01.252: RADIUS:  Message-Authenticato[80]  18  *
>> >> .Jun 19 13:42:01.252: RADIUS:  EAP-Message         [79]  8
>> >> .Jun 19 13:42:01.253: RADIUS:   02 03 00 06                                      [????]
>> >> .Jun 19 13:42:01.253: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
>> >> .Jun 19 13:42:01.253: RADIUS:  NAS-Port            [5]   6   159
>> >> .Jun 19 13:42:01.253: RADIUS:  Service-Type        [6]   6   Login                     [1]
>> >> .Jun 19 13:42:01.254: RADIUS:  NAS-IP-Address      [4]   6   172.30.24.10
>> >> .Jun 19 13:42:01.254: RADIUS:  Nas-Identifier      [32]  9   "ap2.gre"
>> >> .Jun 19 13:42:06.253: RADIUS: Retransmit to (172.30.19.3:1812,1813) for id 44
>> >> .Jun 19 13:42:12.056: RADIUS: Retransmit to (172.30.19.3:1812,1813) for id 44
>> >> .Jun 19 13:42:17.057: RADIUS: Retransmit to (172.30.19.3:1812,1813) for id 44
>> >> .Jun 19 13:42:21.899: dot11_dot1x_parse_client_pak: Received EAPOL packet from 0060.1df0.3503
>> >> .Jun 19 13:42:21.899: EAPOL pak dump rx
>> >> .Jun 19 13:42:21.899: EAPOL Version: 0x1  type: 0x1  length: 0x0000
>> >> 00E126C0:          01010000                        ....
>> >> .Jun 19 13:42:21.899: dot11_dot1x_run_rfsm: current state SERVER_WAIT, received EAP_START, mac: 0060.1df0.3503
>> >> .Jun 19 13:42:21.900: dot11_dot1x_ignore_event: Ignore event: do nothing
>> >> .Jun 19 13:42:22.188: RADIUS: Tried all servers.
>> >> .Jun 19 13:42:22.188: RADIUS: No valid server found. Trying any viable server
>> >> .Jun 19 13:42:22.188: RADIUS: Tried all servers.
>> >> .Jun 19 13:42:22.188: RADIUS: No response from (172.30.19.3:1812,1813) for id 44
>> >> .Jun 19 13:42:22.188: RADIUS/DECODE: parse response no app start; FAIL
>> >> .Jun 19 13:42:22.188: RADIUS/DECODE: parse response; FAIL
>> >> 
>> >> 
>> >> As you can see, the Radius server seems not to respond, and AP retransmits.
>> >> 
>> >> Here are the logs on Radiator:
>> >> 
>> >> Code:       Access-Request
>> >> Identifier: 44
>> >> Authentic:  RDI<28><228><134><179>x<233><248><135>l<177>Y<202><255>
>> >> Attributes:
>> >>         User-Name = "ben"
>> >>         Framed-MTU = 1400
>> >>         Called-Station-Id = "0002.8a5b.400f"
>> >>         Calling-Station-Id = "0060.1df0.3503"
>> >>         NAS-Port-Type = 19
>> >>         Signature = "<14><184>;<197>Q<12>;<219>Y5<209><240><179>%<181><184>"
>> >>         EAP-Message = "<2><3><0><6><25>"
>> >>         NAS-Port-Type = Virtual
>> >>         NAS-Port = 159
>> >>         Service-Type = Login-User
>> >>         NAS-IP-Address = 172.30.24.10
>> >>         NAS-Identifier = "ap2.gre"
>> >> 
>> >> Thu Jun 19 15:42:17 2003: DEBUG: Handling request with Handler ''
>> >> Thu Jun 19 15:42:17 2003: DEBUG:  Deleting session for ben, 172.30.24.10, 159
>> >> Thu Jun 19 15:42:17 2003: DEBUG: Handling with Radius::AuthFILE:
>> >> Thu Jun 19 15:42:17 2003: DEBUG: Handling with EAP: code 2, 3, 6
>> >> Thu Jun 19 15:42:17 2003: DEBUG: Response type 25
>> >> 
>> >> and that's pretty all. No error to help me out.
>> >> 
>> >> Has anybody any clue about that ?
>> >> 
>> >> Thanks.
>> >> --
>> >> Jerome Fleury
>> >> ===
>> >> Archive at http://www.open.com.au/archives/radiator/
>> >> Announcements on radiator-announce at open.com.au
>> >> To unsubscribe, email 'majordomo at open.com.au' with
>> >> 'unsubscribe radiator' in the body of the message.
>> >> 
>> >> 
>> > 
>> > NB: have you included a copy of your configuration file (no secrets),
>> > together with a trace 4 debug showing what is happening?
>> > 
>> > -- 
>> > Radiator: the most portable, flexible and configurable RADIUS server
>> > anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>> > -
>> > Nets: internetwork inventory and management - graphical, extensible,
>> > flexible with hardware, software, platform and database independence.
>> > 
>> > 
>> 
>> 
>> 
>> --
>> Jerome Fleury
>> 



jeje.
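
A decoder for the EAP-Message values in the Access-Challenge dump quoted above, as an added example that is not part of the original thread or of Radiator. It converts the `<N>` dump notation to bytes, joins the attributes as RFC 3579 specifies, and lists every EAP packet it finds, so a reply carrying both a Failure and a PEAP Request shows up as two entries. The function names are hypothetical, and the reading of the dump notation (`<N>` is one byte in decimal, other characters are literal) is an assumption.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def undump(text):
    """Turn dump notation ('<4><2>' plus literal chars) into bytes (assumed format)."""
    out = bytearray()
    for num, ch in re.findall(r"<(\d+)>|(.)", text, flags=re.S):
        out.append(int(num) if num else ord(ch))
    return bytes(out)

def parse_eap(data):
    """Parse one EAP packet header (RFC 3748); return (fields, leftover bytes)."""
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(data))
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4:
        raise ValueError("EAP length %d is smaller than the header" % length)
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "truncated": len(data) < length}
    # Only Request and Response packets carry a Type byte after the header.
    if code in (1, 2) and length >= 5 and len(data) >= 5:
        pkt["type"] = EAP_TYPES.get(data[4], data[4])
    return pkt, data[length:]

def check_reply(eap_attrs):
    """Concatenate EAP-Message attributes (RFC 3579) and list each EAP packet found.

    A well-formed RADIUS packet yields exactly one entry; more than one means
    several EAP packets were stacked into a single reply.
    """
    data = b"".join(undump(a) for a in eap_attrs)
    found = []
    while data:
        pkt, data = parse_eap(data)
        found.append(pkt)
    return found

# EAP-Message values copied from the Access-Challenge dump in this thread.
REPLY = ["<4><2><0><4>", "<1><3><0><6><25><0>"]

if __name__ == "__main__":
    for pkt in check_reply(REPLY):
        print(pkt)
```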