(RADIATOR) Can't get PEAP to work, need help.

Mike McCauley mikem at open.com.au
Tue Jun 24 06:58:28 CDT 2003


Hello Jerome,


On Tue, 24 Jun 2003 08:32 pm, Jerome Fleury wrote:
> --On mardi 24 juin 2003 09:26 +1000 Mike McCauley <mikem at open.com.au> wrote:
> > Hello Jeremy,
> >
> > thanks for the full log.
> >
> > Looks like Radiator is not seeing a completed client hello from your
> > client: it's still waiting for the client hello to be closed off.
> > This is very puzzling: your client is behaving differently to other
> > clients we have observed.
> >
> > What PEAP client are you using?
>
> Well, this is quite strange as I use both Windows2000 client (hotfix from
> Microsoft) and Funk Odyssey client, giving the same bad result.
>
> Maybe the source of the problem could be the AP (Cisco 1200) or the client
> card (Orinoco, one of the first Lucent ones indeed)?

OK, I have just retested here with the latest Odyssey 2.0 client and Windows 
2000. I can see that the latest Odyssey client does in fact act differently 
on 2000, nevertheless Radiator worked ok here with it with a successful 
authentication.

So now I am back to wondering why Radiator did not respond to the client 
hello. Normally it responds with the server certificate.

I have looked closely again at your log file and I see something else strange:

Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
Mon Jun 23 14:04:09 2003: ERR: jeje - want read
Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465, 

It seems not to have recognised that reason 2 is WANT_READ and instead 
reported an error.
This indicates that there is a problem with either the openssl install or the 
Net_SSLeay install.
I'm sorry I did not see this before.

You mentioned previously that you installed the 'latest' openssl but I think 
you did not say which version.

Here we use openssl 0.9.7 and Net_SSLeay 1.22.

Caution: openssl 0.9.7 behaves differently to older versions in that it installs 
its libs and headers in a different place (defaults to /usr/local/ssl). If you 
have an older version or an RPM installed version, it's possible that 
Net_SSLeay will link with the wrong version.
I usually let openssl install in its default place (/usr/local/ssl) then 
configure Net_SSLeay to use it with

perl Makefile.PL /usr/local/ssl

I strongly suggest you:

1. Ensure there are no old versions of ssl, openssl or Net_SSLeay installed on 
your host.
2. Compile and install openssl 0.9.7
3. Compile and install Net_SSLeay 1.22 (using the Makefile.PL /usr/local/ssl 
arg above)

Cheers.


>
> --
> Jerome Fleury
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
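
The log check described in the message above, as an added example that is not part of the original post and is not Radiator code: it parses the quoted log lines, names the SSL_get_error() reason code, and flags a retryable reason (WANT_READ or WANT_WRITE) that was logged at ERR level. The regular expressions, field names and the triage() function are assumptions based only on the three log lines quoted above.

```python
import re

# SSL_get_error() return codes as defined in OpenSSL's ssl.h.
SSL_ERROR = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
             3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
             5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN"}
RETRYABLE = {2, 3}  # handshake needs more I/O; this is not a failure

# The log lines quoted in the message above.
SAMPLE_LOG = """\
Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
Mon Jun 23 14:04:09 2003: ERR: jeje - want read
Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465,
"""

# Assumed line layout: "<timestamp ending in year>: <LEVEL>: <message>"
LINE = re.compile(r"^(?P<ts>.+? \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$")
TRIPLE = re.compile(r"EAP TLS (?:SSL_accept result|error): "
                    r"(?P<ret>-?\d+), (?P<reason>\d+), (?P<third>\d+)")

def triage(log_text):
    """Return one finding per EAP TLS result/error line in the log text."""
    findings = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        triple = TRIPLE.search(line["msg"])
        if not triple:
            continue
        reason = int(triple["reason"])
        findings.append({
            "timestamp": line["ts"],
            "level": line["level"],
            "ret": int(triple["ret"]),
            "reason": SSL_ERROR.get(reason, "unknown(%d)" % reason),
            # The message does not explain the third number; kept verbatim.
            "third": int(triple["third"]),
            # A retryable reason logged at ERR level is the symptom described
            # above: "need more data" was treated as a failure.
            "misreported": line["level"] == "ERR" and reason in RETRYABLE,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```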
