(RADIATOR) Newbie EAP-TLS Difficulties

Dekelbaum, Robert robert.dekelbaum at acs-inc.com
Thu Mar 27 09:53:49 CST 2003


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks, 

I'm currently trying to get the Radiator 3.5 demo to do 802.1x auth via
EAP-TLS with a Cisco 1200-series AP and a Windows XP supplicant, and I'm
having a bit of an issue. I'm relatively new to 802.1x/EAP and it's been
quite a while since I've had to frob w/ RADIUS, so please bear with me.

I've set up all of my certs, etc. as described in Ken Roser's EAP-TLS
w/ FreeRADIUS doc (including the EKU stuff), and what is transpiring is
in the Radiator debug log included below. It looks as if Radiator is
sending challenges to the client and getting no response. Has anybody
else seen and fixed this behavior in a similar setup? If so, what am I
missing? I'm using the goodies/eap-tls.conf supplied with Radiator
(edited only to fix paths to my CA structure, etc.).

Thanks in advance for any help,

Rob Dekelbaum
Wireless Network Engineer
ACS Defense, Inc


Wed Mar 26 13:02:17 2003: DEBUG: Reading dictionary file
'./dictionary'
Wed Mar 26 13:02:17 2003: DEBUG: Creating authentication port
192.168.12.101:1645
Wed Mar 26 13:02:17 2003: DEBUG: Creating accounting port
192.168.12.101:1646
Wed Mar 26 13:02:17 2003: INFO: Server started: Radiator 3.5 on
devbox (DEMO)
Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Received from 192.168.12.212 port 1024 ....
Code:       Access-Request
Identifier: 0
Authentic:  <214><147>O,<23>Ki<225><15><239><194><0><140><22><201>q
Attributes:
	User-Name = "deker"
	cisco-avpair = "ssid=ap1200"
	NAS-IP-Address = 192.168.12.212
	Called-Station-Id = "000c30529a80"
	Calling-Station-Id = "000ab78b3c05"
	NAS-Identifier = "AP1200-529a80"
	NAS-Port = 37
	Framed-MTU = 1400
	NAS-Port-Type = 19
	Service-Type = Login-User
	EAP-Message = <2><2><0><10><1>deker
	Message-Authenticator = <216><251>f<246>><212><4>._v<8><29>w<130>Po

Wed Mar 26 13:02:58 2003: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Wed Mar 26 13:02:58 2003: DEBUG:  Deleting session for deker,
192.168.12.212, 37
Wed Mar 26 13:02:58 2003: DEBUG: Handling with Radius::AuthFILE: 
Wed Mar 26 13:02:58 2003: DEBUG: Handling with EAP: code 2, 2, 10
Wed Mar 26 13:02:58 2003: DEBUG: Response type 1
Wed Mar 26 13:02:58 2003: DEBUG: Access challenged for deker: EAP TLS
Challenge
Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Sending to 192.168.12.212 port 1024 ....
Code:       Access-Challenge
Identifier: 0
Authentic:  <214><147>O,<23>Ki<225><15><239><194><0><140><22><201>q
Attributes:
	EAP-Message = <1><3><0><6><13> 
	Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Received from 192.168.12.212 port 1025 ....
Code:       Access-Request
Identifier: 1
Authentic:  "24z<166><159><233>G<199>D<226>f<18><1><225><231>
Attributes:
	User-Name = "deker"
	cisco-avpair = "ssid=ap1200"
	NAS-IP-Address = 192.168.12.212
	Called-Station-Id = "000c30529a80"
	Calling-Station-Id = "000ab78b3c05"
	NAS-Identifier = "AP1200-529a80"
	NAS-Port = 37
	Framed-MTU = 1400
	NAS-Port-Type = 19
	Service-Type = Login-User
	EAP-Message =
<2><3><0>P<13><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>><130><22>k
<232><249><5><248><136>G[<11><226>V"<131>0<157><142>"<153>B<<163>$<192
><139><198><20><247>Y<158><0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<
0><3><0><6><0><19><0><18><0>c<1><0>
	Message-Authenticator =
<160><226><166>W<176><7>g<18><133><249>Ke<22>pPn

Wed Mar 26 13:02:58 2003: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Wed Mar 26 13:02:58 2003: DEBUG:  Deleting session for deker,
192.168.12.212, 37
Wed Mar 26 13:02:58 2003: DEBUG: Handling with Radius::AuthFILE: 
Wed Mar 26 13:02:58 2003: DEBUG: Handling with EAP: code 2, 3, 80
Wed Mar 26 13:02:58 2003: DEBUG: Response type 13
Wed Mar 26 13:02:58 2003: DEBUG: Access challenged for deker: EAP TLS
Challenge
Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Sending to 192.168.12.212 port 1025 ....
Code:       Access-Challenge
Identifier: 1
Authentic:  "24z<166><159><233>G<199>D<226>f<18><1><225><231>
Attributes:
	EAP-Message =
<1><4><4><10><13><192><0><0><6>n<22><3><1><0>J<2><0><0>F<3><1>><129><2
35>R`<171><161>DGf<218>i<137><251><236>2<226><243><218>?6<180><250><25
><169><221><136><153>3<225>'<1>
{<9><131><249><25><22>S<15><209><175><189><214><12>eD<209>^<146>
G<135>p<157><13>*<178><169><224><220><186><192>8<0><4><0><22><3><1><5>
a<11><0><5>]<0><5>Z<0><2><150>0<130><2><146>0<130><1><251><160><3><2><
1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><16
2>1<11>0<9><6><3>U<4><6><19><2>US1<17>0<15><6><3>U<4><8><19><8>Marylan
d1<17>0<15><6><3>U<4><7><19><8>Elkridge1<20>0<18><6><3>U<4><10><19><11
>ACS
Defense1<11>0<9><6><3>U<4><11><19><2>IS1<29>0<27><6><3>U<4><3><19><20>
radius.itserealm.c
	EAP-Message =
om1+0)<6><9>*<134>H<134><247><13><1><9><1><22><28>robert.dekelbaum at acs
- -inc.com0<30><23><13>030317111516Z<23><13>040316111516Z0b1<11>0<9><6><
3>U<4><6><19><2>US1<17>0<15><6><3>U<4><8><19><8>Maryland1<20>0<18><6><
3>U<4><10><19><11>ACS
Defense1<11>0<9><6><3>U<4><11><19><2>IS1<29>0<27><6><3>U<4><3><19><20>
radius.itserealm.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><
1><5><0><3><129><141><0>0<129><137><2><129><129><0><205><226><146><140
>l}<175><216><211>,9-<15><236><208><205><226><224>^ck<236>t<30><213><8
><228>-g<168>'<222>w<195>v<129>|<24>|<254>W&W<242><12>
	EAP-Message =
>k<253><156><134><171><208><236><227><177><2><199>v<209><222><235>DW9<
216><6>Ox<187><250>:<246><242><206><195>]<251><246>Yd<128><0><3><207><
251><202>><11><192><220><31>$<150><213><20><163><14><133><231><227>v<1
58><151><228><208>b4<24><249>q0<204><141>\&<212></<10>L<207><16>7v<219
><167>CM<2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><
8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0
><3><129><129><0>X<255><185>E<190><128><191>gD<31><1><180>J6|a<211>_<2
30><24>-<154>y<151>
<238><144><5><10><167><236>'<3><178>`<165><4>]<253><187><254>PNy<166><
184>^<207>:<180>o<183><166><239><240><139>X<8><176><209>K<10>4e<226>$<
171>F<190><211><202>:%E~5RrapFn<26><14><208>kb<25><4><21><13>~<202><16
5><185>*<213>m<0>vR<186><23>C<162>t<11><19><16>bv<206><202>&<234><245>
+n(<163><227>
	EAP-Message =
<156><30>(<154>U<254><229><0><2><190>0<130><2><186>0<130><2>#<160><3><
2><1><2><2><1><0>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129>
<162>1<11>0<9><6><3>U<4><6><19><2>US1<17>0<15><6><3>U<4><8><19><8>Mary
land1<17>0<15><6><3>U<4><7><19><8>Elkridge1<20>0<18><6><3>U<4><10><19>
<11>ACS
Defense1<11>0<9><6><3>U<4><11><19><2>IS1<29>0<27><6><3>U<4><3><19><20>
radius.itserealm.com1+0)<6><9>*<134>H<134><247><13><1><9><1><22><28>ro
bert.dekelbaum at acs-inc.com0<30><23><13>030317104856Z<23><13>0503161048
56Z0<129><162>1<11>0<9><6><3>U<4><6><19><2>U
	EAP-Message = S1<17>0<15><6><3>U<4><8><19><8>Maryland1<17>
	Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Received from 192.168.12.212 port 1026 ....
Code:       Access-Request
Identifier: 2
Authentic:  u<26><173><142><138>4<137><225><182><153>j<0>3<252>gD
Attributes:
	User-Name = "deker"
	cisco-avpair = "ssid=ap1200"
	NAS-IP-Address = 192.168.12.212
	Called-Station-Id = "000c30529a80"
	Calling-Station-Id = "000ab78b3c05"
	NAS-Identifier = "AP1200-529a80"
	NAS-Port = 37
	Framed-MTU = 1400
	NAS-Port-Type = 19
	Service-Type = Login-User
	EAP-Message = <2><4><0><6><13><0>
	Message-Authenticator =
<246><144>R<128><142><147><224><226>%<220><173><252><165><171>}l

Wed Mar 26 13:02:58 2003: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Wed Mar 26 13:02:58 2003: DEBUG:  Deleting session for deker,
192.168.12.212, 37
Wed Mar 26 13:02:58 2003: DEBUG: Handling with Radius::AuthFILE: 
Wed Mar 26 13:02:58 2003: DEBUG: Handling with EAP: code 2, 4, 6
Wed Mar 26 13:02:58 2003: DEBUG: Response type 13
Wed Mar 26 13:02:58 2003: DEBUG: Access challenged for deker: EAP TLS
Challenge
Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Sending to 192.168.12.212 port 1026 ....
Code:       Access-Challenge
Identifier: 2
Authentic:  u<26><173><142><138>4<137><225><182><153>j<0>3<252>gD
Attributes:
	EAP-Message =
<1><5><2>t<13><0>0<15><6><3>U<4><7><19><8>Elkridge1<20>0<18><6><3>U<4>
<10><19><11>ACS
Defense1<11>0<9><6><3>U<4><11><19><2>IS1<29>0<27><6><3>U<4><3><19><20>
radius.itserealm.com1+0)<6><9>*<134>H<134><247><13><1><9><1><22><28>ro
bert.dekelbaum at acs-inc.com0<129><159>0<13><6><9>*<134>H<134><247><13><
1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><218>D<186><1
43><201>g<138>5<198><131><130><230><211>5L<163>S<14><135><17><184><231
>{<24><139>w<208>p<30><251>n<1><181><27><157><132>Y<227><255>#-<25>-<2
05><231><184>=+<246><163><225>$<198><130><202><133><148><162><134>C><1
56>@<150>Ek<226><<248><223><169><187><236>x<2><136>K<131>
g<9><231><147><31>$<0><238><171><245>?
	EAP-Message =
<245>~<228>k<19><127><249>&l<130>J<239><235><3>:<12>8<6>zY<13>e<171><2
12><219>]<160><152><12><152><228><201><235><182>W8<224>=<2><3><1><0><1
>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><129><0><173>x
<178><239><141><11><170><144><137><25><6><225>#,H[<244><168><133><207>
p<4><136><135><214><231>-;Q<223><187><163>c<215><133>+<181><222><198>$
<22><185>@_<134><19><244><161>"<133><181><216>3N<156><9>%<206>1A`Z<195
><19><223><203>l<183><138><133><228><165>}<128><227><206>,<145>x4<17><
184><0><<209>@<21><132>Q<26>L<231><188><175><248><197><178>*L\1<234><2
46><22><141>4<178><135>v
UT!<164>u=<143><238>iz<208>(><202><189><236><142><149><22><3><1><0><18
0><13><0><0><172><2><1><2><0><167><0><165>0<129><162>1<11>0<9><6><3>U<
4><6><19><2>US1<17>0<15><6><3>U<4><8><19><8>Maryland1<17>0<15><6><3>U<
4><7><19><8>E
	EAP-Message = lkridge1<20>0<18><6><3>U<4><10><19><11>ACS
Defense1<11>0<9><6><3>U<4><11><19><2>IS1<29>0<27><6><3>U<4><3><19><20>
radius.itserealm.com1+0)<6><9>*<134>H<134><247><13><1><9><1><22><28>ro
bert.dekelbaum at acs-inc.com<14><0><0><0>
	Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Received from 192.168.12.212 port 1027 ....
Code:       Access-Request
Identifier: 3
Authentic: 
m<209><25><200>5<243>i<174><128><152><2><204><151><236><250>]
Attributes:
	User-Name = "deker"
	cisco-avpair = "ssid=ap1200"
	NAS-IP-Address = 192.168.12.212
	Called-Station-Id = "000c30529a80"
	Calling-Station-Id = "000ab78b3c05"
	NAS-Identifier = "AP1200-529a80"
	NAS-Port = 37
	Framed-MTU = 1400
	NAS-Port-Type = 19
	Service-Type = Login-User
	EAP-Message =
<2><5><3><215><13><128><0><0><3><205><22><3><1><3><157><11><0><2><141>
<0><2><138><0><2><135>0<130><2><131>0<130><1><236><160><3><2><1><2><2>
<1><1>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><162>1<11>0
<9><6><3>U<4><6><19><2>US1<17>0<15><6><3>U<4><8><19><8>Maryland1<17>0<
15><6><3>U<4><7><19><8>Elkridge1<20>0<18><6><3>U<4><10><19><11>ACS
Defense1<11>0<9><6><3>U<4><11><19><2>IS1<29>0<27><6><3>U<4><3><19><20>
radius.itserealm.com1+0)<6><9>*<134>H<134><247><13><1><9><1><22><28>ro
bert.dekelbaum at acs-inc.com0<30><23><13>030317105216Z<23><13>0403161052
16Z
	EAP-Message =
0S1<11>0<9><6><3>U<4><6><19><2>US1<17>0<15><6><3>U<4><8><19><8>Marylan
d1<20>0<18><6><3>U<4><10><19><11>ACS
Defense1<11>0<9><6><3>U<4><11><19><2>IS1<14>0<12><6><3>U<4><3><19><5>d
eker0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129>
<141><0>0<129><137><2><129><129><0><172><19>w)<170>6/<211><218><208><1
33>a<14>Y<207>R<0><173><241>T<29><187>8!<228><247><169><183>i;<8><238>
<31><161><162><9><198>4&UV$<182>~Q<145><153><137><202><0>[<171>)<189><
244>.
.D<136>b<197>:<196>D<216><5>r<3><19>^<173>U%<163><211><215>E<221><211>
<153>^<221>|<237><167>/M<175><179>[<254>U<29><198><172><24><228>b<130>
<185><227><189><8>0*<219><224><166><27><23>w<28><190><161><160><201><1
47>\Jy<18><10>C<167>wX<163><2><3><1><0><1><163><23>0<21>0<19>
	EAP-Message =
<6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><2>0<13><6><9>*<134>H
<134><247><13><1><1><4><5><0><3><129><129><0><185><223><224><30>p2<246
>D<206>Vk<170><130><155>><2>Z.<159><131><246>B/<250><151>b<167><185>G<
199>:<234>f.Pon*3<193><165>s<161>2Db<202>D<2><188><197><245><14><226>,
<140>6<130>[<127>n<196>;<12>o<22><9>H<206><217><211>O%<9><213>3<222><2
21><2><25><138><196><dG<246><206><28>p<200><239>+L<250>h<243><221><148
><250><7><141><143><146>;9<236><167>$<20><209><0><177>T<14><150><206><
225><170>Vei<25><216><24>c<26><15><12><16><0><0><130><0><128>{ad<144>J
<234><206><216><191>N<138><7><211>s<181><252><188><242><20><187>s<167>
<140>Vg[<147><173><19>
<166><238><143><29>0<177><157><138>3<197>'K<205>BU<173><160><166>|<206
>j<241><205><145><11><213><145><170>
7<163>c;<200><199><230><148>)t<4><252><127><211>N<1><133><16>\<218><22
1><174>
	EAP-Message =
o<199>}<133><25><207><201>lE<207><140>Z<7>'<255><147><153>#\<160>b.<3>
<172><23><245><226><19><163>P<169><181><189><228><3><0><179><212><154>
<188>&<206><<180><220><225>A<15><0><0><130><0><128>21Y_T<208><193>K4<8
><231><17><135>
?Up<143>B<207><131>^^<195><139><188><147><248><186>'K<233>Y<168><224><
229><127><20><246><180><246><151><207>?kr<181>FS<159>j<203>8<241>o<137
><25><144><243><15><147>|p<9>L<174>XP<148>?<132>$C<17><227><240>@@X<17
5>A<137>><138><209><145><191><173><165><131><184>Z<214><160><238><146>
<147><205>1<152>RY<167><169><29>D<207><13><132>(M<161><244><30><15>Ku<
194><199>H<198><12><171>C<1><235>V<8><20><3><1><0><1><1><22><3><1><0>
<182><189><30>~<251><13><206>4<152><211><188><231><140>|ly1])<246><2><
171><127><24><146><136>=7<6>2<176><255>
	Message-Authenticator =
D<135>u<228><147>j<10><238>or<2>M|<205>"<177>

Wed Mar 26 13:02:58 2003: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Wed Mar 26 13:02:58 2003: DEBUG:  Deleting session for deker,
192.168.12.212, 37
Wed Mar 26 13:02:58 2003: DEBUG: Handling with Radius::AuthFILE: 
Wed Mar 26 13:02:58 2003: DEBUG: Handling with EAP: code 2, 5, 983
Wed Mar 26 13:02:58 2003: DEBUG: Response type 13
Wed Mar 26 13:02:58 2003: DEBUG: Access challenged for deker: EAP TLS
Challenge
Wed Mar 26 13:02:58 2003: DEBUG: Packet dump:
*** Sending to 192.168.12.212 port 1027 ....
Code:       Access-Challenge
Identifier: 3
Authentic: 
m<209><25><200>5<243>i<174><128><152><2><204><151><236><250>]
Attributes:
	EAP-Message =
<1><6><0>5<13><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0>
^<227>t<195><18>s<137><243>n<212>G<177><27><200><6><177>"<229><20><169
><177>f<154><3><224><13>z(<241><194><9><179>
	Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.1

iQA/AwUBPoMfS0oorm5NFqhaEQK8sACfZS/k8KeUWxBMZK+BAy9hEppgEq8AoK0p
W1Cf6x1oaSd+zBTaPISic5Un
=Srzl
-----END PGP SIGNATURE-----
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
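Reading the EAP-Message attributes in the debug log above by hand is tedious: Radiator prints each non-printable byte as <decimal> and printable bytes literally, and the EAP-TLS fragment header (code, identifier, length, type 13, flag bits L/M/S, optional 4-byte TLS length) sits in front of the TLS records. The decoder below is an added example, not part of the original post and not Radiator code. The first four sample messages are copied verbatim from the packet dumps above (identity response, the server's EAP-TLS Start request with the S flag, the client's ClientHello fragment, and the client's empty ACK); the fifth is a constructed sample that reuses the EAP/EAP-TLS header and record headers of the final Access-Challenge (id 6) but replaces the 32 encrypted Finished bytes with placeholder zeros. Function and constant names are the example's own.

```python
import re

# Sample EAP-Message values. The first four are copied from the Radiator dumps
# in the post; SERVER_FINISHED_CONSTRUCTED is constructed (see lead-in).
IDENTITY_RESPONSE = "<2><2><0><10><1>deker"
TLS_START_REQUEST = "<1><3><0><6><13>" + " "      # flags byte 0x20 prints as a space
CLIENT_HELLO_RESPONSE = (
    "<2><3><0>P<13><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>><130><22>k"
    "<232><249><5><248><136>G[<11><226>V\"<131>0<157><142>\"<153>B<<163>$<192"
    "><139><198><20><247>Y<158><0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<"
    "0><3><0><6><0><19><0><18><0>c<1><0>"
)
CLIENT_ACK = "<2><4><0><6><13><0>"
SERVER_FINISHED_CONSTRUCTED = (
    "<1><6><0>5<13><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0><32>" + "<0>" * 32
)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
             16: "ClientKeyExchange", 20: "Finished"}

# "<NNN>" is an escaped byte; any other character (including a bare "<") is literal.
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.DOTALL)


def radiator_unescape(text: str) -> bytes:
    """Turn Radiator's packet-dump notation back into the raw attribute bytes."""
    out = bytearray()
    for m in _TOKEN.finditer(text):
        out.append(int(m.group(1)) if m.group(1) is not None else ord(m.group(2)))
    return bytes(out)


def parse_handshake(body: bytes, encrypted: bool) -> list:
    """List handshake message names in a Handshake record body (cleartext only)."""
    if encrypted:                       # after ChangeCipherSpec the body is ciphertext
        return ["<encrypted>"]
    msgs, pos = [], 0
    while pos + 4 <= len(body):
        name = HANDSHAKE.get(body[pos], f"type{body[pos]}")
        hlen = int.from_bytes(body[pos + 1:pos + 4], "big")
        if pos + 4 + hlen > len(body):  # message runs past this EAP fragment
            msgs.append(name + " (continues in next fragment)")
            break
        msgs.append(name)
        pos += 4 + hlen
    return msgs


def parse_tls_records(payload: bytes) -> list:
    """Walk TLS records inside one EAP-TLS fragment, tolerating a cut-off last record."""
    records, pos, encrypted = [], 0, False
    while pos < len(payload):
        if pos + 5 > len(payload):
            records.append({"content_type": "partial-record-header", "complete": False})
            break
        ctype = payload[pos]
        rlen = int.from_bytes(payload[pos + 3:pos + 5], "big")
        body = payload[pos + 5:pos + 5 + rlen]
        rec = {"content_type": TLS_CONTENT.get(ctype, f"type{ctype}"),
               "version": f"{payload[pos + 1]}.{payload[pos + 2]}",
               "length": rlen, "complete": len(body) == rlen}
        if ctype == 22:
            rec["handshake"] = parse_handshake(body, encrypted)
        if ctype == 20:
            encrypted = True
        records.append(rec)
        pos += 5 + rlen
    return records


def decode_eap_tls(text: str) -> dict:
    """Decode an EAP packet (RFC 3748 header, RFC 2716 EAP-TLS fragment header)."""
    data = radiator_unescape(text)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    length = int.from_bytes(data[2:4], "big")
    info = {"code": EAP_CODES.get(data[0], f"code{data[0]}"), "id": data[1],
            "length": length, "length_ok": length == len(data)}
    if len(data) == 4:                  # Success/Failure carry no Type field
        return info
    etype = data[4]
    info["type"] = EAP_TYPES.get(etype, f"type{etype}")
    if etype == 1:
        info["identity"] = data[5:].decode("ascii", "replace")
        return info
    if etype != 13:
        return info
    flags = data[5] if len(data) > 5 else 0
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    pos = 6
    if flags & 0x80:                    # L bit: 4-byte total TLS message length follows
        info["tls_total_length"] = int.from_bytes(data[6:10], "big")
        pos = 10
    payload = data[pos:]
    info["ack"] = flags == 0 and not payload   # empty, flagless EAP-TLS = fragment ACK
    info["tls_records"] = parse_tls_records(payload)
    return info


def summarize(text: str) -> str:
    """One-line description of an EAP-Message, as a practitioner would read it."""
    info = decode_eap_tls(text)
    parts = [f"{info['code']} id={info['id']} len={info['length']}"]
    if not info["length_ok"]:
        parts.append("LENGTH-MISMATCH")
    if "type" in info:
        parts.append(info["type"])
    if "identity" in info:
        parts.append(repr(info["identity"]))
    flags = "".join(k for k, v in info.get("flags", {}).items() if v)
    if flags:
        parts.append(f"[{flags}]")
    if "tls_total_length" in info:
        parts.append(f"tls_len={info['tls_total_length']}")
    if info.get("ack"):
        parts.append("ACK")
    for rec in info.get("tls_records", []):
        desc = rec["content_type"]
        if "handshake" in rec:
            desc += "(" + ", ".join(rec["handshake"]) + ")"
        if not rec["complete"]:
            desc += "(truncated)"
        parts.append(desc)
    return " ".join(parts)


if __name__ == "__main__":
    for sample in (IDENTITY_RESPONSE, TLS_START_REQUEST, CLIENT_HELLO_RESPONSE,
                   CLIENT_ACK, SERVER_FINISHED_CONSTRUCTED):
        print(summarize(sample))
```

Paste any EAP-Message value from a Radiator dump into summarize() to see which side owes the next packet: a Request with only the S flag is the server's EAP-TLS Start, an L+M Request is the first fragment of a multi-packet server message, a flagless empty Response is the supplicant acknowledging a fragment, and a ChangeCipherSpec record followed by an encrypted Handshake record is a Finished message. Radiator's multi-line dumps wrap escape tokens across lines and may print byte 0x0A as a real newline, so join the wrapped lines before decoding.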
