(RADIATOR) Can't get PEAP to work, need help.

Mike McCauley mikem at open.com.au
Tue Jun 24 19:58:38 CDT 2003


Hello Jerome,

On Wed, 25 Jun 2003 01:37 am, Jerome Fleury wrote:
> --On Tuesday, June 24, 2003 09:58:28 PM +1000 Mike McCauley <mikem at open.com.au> wrote:
> > Hello Jerome,
> >
> > On Tue, 24 Jun 2003 08:32 pm, Jerome Fleury wrote:
> >> --On mardi 24 juin 2003 09:26 +1000 Mike McCauley <mikem at open.com.au> wrote:
> >> > Hello Jeremy,
> >> >
> >> > thanks for the full log.
> >> >
> >> > Looks like Radiator is not seeing a completed client hello from your
> >> > client: it's still waiting for the client hello to be closed off.
> >> > This is very puzzling: your client is behaving differently to other
> >> > clients we have observed.
> >> >
> >> > What PEAP client are you using?
> >>
> >> Well, this is quite strange as I use both Windows2000 client (hotfix
> >> from microsoft) and Funk Odyssey client, giving the same bad result.
> >>
> >> Maybe the source of the problem could be the AP (Cisco 1200) or the
> >> client card (Orinoco, one of the first Lucent ones indeed) ?
> >
> > OK, I have just retested here with the latest Odyssey 2.0 client and
> > Windows 2000. I can see that the latest Odyssey client does in fact act
> > differently on 2000, nevertheless Radiator worked ok here with it with a
> > successful authentication
> >
> > So now I am back to wondering why Radiator did not respond to the client
> > hello. Normally it responds with the server certificate.
> >
> > I have looked closely again at your log file and I see something else
> > strange:
> >
> > Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
> > Mon Jun 23 14:04:09 2003: ERR: jeje - want read
> > Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465,
> >
> > it seems not to have recognised that reason 2 is WANT_READ and instead
> > reported an error.
> > This indicates that there is a problem with either the openssl install
> > or the Net_SSLeay install.
> > I'm sorry I did not see this before.
>
> No that's me sorry not to have precised this: I added some debug code in
> the WANT_READ condition block:
>
>                  elsif ($reason == ERROR_WANT_READ)
>                 {
>                         $self->log($main::LOG_ERR, "jeje - want read", $p);
>                         my $errs = &Net::SSLeay::print_errs();
>                         $self->log($main::LOG_ERR, "EAP TLS error: $ret, $reason, $state, $errs");
>                         $self->eap_failure($p->{rp}, $context);
>
>                     # Looking for more data, just ack this
>                 }
>
> So that it recognizes WANT_READ well. Sorry for giving you a bad path.

OK. I understand now.
If you are convinced the openssl/Net_SSLeay install is OK, it's time to look at 
your config. Are you testing with the example eap_peap.cfg file, and the test 
certificates we supply?
May we see your config file (no secrets)?

>
> > I strongly suggest you :
> >
> > 1. Ensure there are no old versions of ssl, openssl or Net_SSLeay
> > installed on your host.
>
> No, older versions are overridden.
>
> > 2. Compile and install openssl 0.9.7
>
> done.
>
> > 3. Compile and install Net_SSLeay 1.22 (using the Makefile.PL
> > /usr/local/ssl arg above)
>
> done (1.23)

OK. Tested OK with 1.23 here.


>
> At this point, I think I'll try on an other fresh Unix install.

OK.


Cheers.

>
> Thanks for your help Mike.
> --
> Jerome Fleury
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
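
Added example, not part of the original message and not Radiator code: the "-1, 2" result in the log above is OpenSSL's SSL_ERROR_WANT_READ (reason 2), which a server gets whenever it has only part of the client hello, as happens when EAP splits the TLS handshake across several packets. The Python sketch below reproduces that with in-memory BIOs; the function names are hypothetical, and the server context deliberately has no certificate so that a complete client hello produces a genuine error for contrast.

```python
import ssl

def feed_fragment(server, inbound, fragment):
    """Feed one handshake fragment to the server side and classify the result.

    Returns "need_more" (SSL_ERROR_WANT_READ: acknowledge and wait for the
    next fragment), "fatal" (a real TLS error: fail the exchange) or "done".
    """
    inbound.write(fragment)
    try:
        server.do_handshake()
    except ssl.SSLWantReadError:      # OpenSSL reason 2, not a failure
        return "need_more"
    except ssl.SSLError:              # anything else is a genuine error
        return "fatal"
    return "done"

def make_client_hello():
    """Build a real ClientHello with an in-memory client (no network)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    inbound, outbound = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = ctx.wrap_bio(inbound, outbound)
    try:
        client.do_handshake()
    except ssl.SSLWantReadError:
        pass                          # client now waits for the ServerHello
    return outbound.read()

def demo():
    hello = make_client_hello()
    # Constructed setup: the server context has no certificate loaded, so a
    # *complete* ClientHello ends in a real handshake error.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    inbound, outbound = ssl.MemoryBIO(), ssl.MemoryBIO()
    server = ctx.wrap_bio(inbound, outbound, server_side=True)
    half = len(hello) // 2
    first = feed_fragment(server, inbound, hello[:half])    # partial hello
    second = feed_fragment(server, inbound, hello[half:])   # hello completed
    return first, second

if __name__ == "__main__":
    print(demo())
```

A handler that treats the "need_more" case as a failure ends the exchange before the remaining fragments of the client hello can arrive.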
