(RADIATOR) SOS!!!!!...SOS...It said that could not handle an EAP request
guxiaozhong
guxiaozhong at 163.com
Tue May 20 03:47:31 CDT 2003
Hi,
I'm a new user of Radiator, so who can help me resolve the following issue? I attached the log and config file. Thank you!!!
Log:
** Received from 10.0.0.10 port 1812 ....
Code: Access-Request
Identifier: 174
Authentic: @o<26><0><189>i<0><0><189>i<0><0><223>f<166><165>
Attributes:
User-Name = "anonymous"
cisco-avpair = "ssid=Test"
NAS-IP-Address = 10.0.0.10
Framed-MTU = 1400
Called-Station-Id = "00C002DDA37C"
Calling-Station-Id = "00022D4147EC"
NAS-Identifier = "Test"
NAS-Port = 37
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login-User
EAP-Message = <2><12><0><14><1>anonymous
Message-Authenticator = <182><250><191><189><134><0>@<172><157>C<4><224><184><137><14><160>
Mon May 19 18:27:32 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon May 19 18:27:32 2003: DEBUG: Deleting session for anonymous, 10.0.0.10, 37
Mon May 19 18:27:32 2003: DEBUG: Handling with Radius::AuthFILE:
Mon May 19 18:27:32 2003: DEBUG: Handling with EAP: code 2, 12, 14
Mon May 19 18:27:32 2003: DEBUG: Response type 1
Mon May 19 18:27:32 2003: ERR: Could not handle an EAP request: Can't locate object method "response_identity" via package "Radius::EAP_21" at /usr/lib/perl5/site_perl/Radius/EAP.pm line 139.
Mon May 19 18:27:32 2003: INFO: Access rejected for anonymous: Could not handle an EAP request
Mon May 19 18:27:32 2003: DEBUG: Packet dump:
*** Sending to 10.0.0.10 port 1812 ....
Code: Access-Reject
Identifier: 174
Authentic: @o<26><0><189>i<0><0><189>i<0><0><223>f<166><165>
Attributes:
Reply-Message = "Request Denied"
Mon May 19 18:27:39 2003: DEBUG: Packet dump:
Config file:
# eap_ttls.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# EAP TTLS authentication as used by Funk Odyssey.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate from a standard users file in
# the current directory.
# It will accept requests from any client and try to handle request
# for any realm.
# And it will print out what it's doing in great detail.
#
# In order to authenticate, the client's user name must be in ./users
# (the password is irrelevant for EAP TLS).
# It will also require that the certificate installed on the client
# is within one step of the root certificate, and that the subject name
# in the client certificate is the same as the user name they are trying
# to log in as.
#
# In order to test this, you WILL need to install a server certificate and
# key for Radiator to use. Runs with openssl on Unix.
#
# There is a helpful tutorial for testing EAP TLS with Aironet wireless cards
# mentioned in http://www.missl.cs.umd.edu/wireless/eaptls/, which were
# AuthBy FILE below to suit.
#
# Requires Net_SSLeay.pm-1.21 or later from CPAN.
# Requires openssl 0.9.7beta3 or later from www.openssl.org
# Requires Digest-HMAC from CPAN
# Requires Digest-SHA1 from CPAN
#
#
Foreground
LogStdout
LogDir .
DbDir .
# Use a lower trace level in production systems:
Trace 4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client 10.0.0.10>
Secret mysecret
DupInterval 0
</Client>
# The original TTLS request from a NAS will be sent to a matching
# extracted.
# The inner authentication request will sent again to a matching
# a specific handler
# act as the AAA/H home server, and authenticate TTLS requests locally or proxy
# from a file by AuthBy FILE
<Realm DEFAULT>
<AuthBy FILE>
# Users must be in this file to get anywhere. In this example,
# in the outer requests, and it also requires an entry for the
# in the Funk Odyssey 'Edit Profile Properties' page
Filename %D/users
# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
# Multiple types can be comma separated. With the default (most
# preferred) type given first
EAPType TTLS
# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# EAPTLS_CAPath is the name of a directory containing CA
# EAPTLS_CertificateFile is the name of a file containing
# defaults to ASN1
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile is the name of the file containing
# the server's private key. It is sometimes in the same file
# as the server certificate (EAPTLS_CertificateFile)
# If the private key is encrypted (usually the case)
# then EAPTLS_PrivateKeyPassword is the key to decrypt it
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
# EAPTLS_RandomFile is an optional file containing
# randomness
# EAPTLS_RandomFile %D/certificates/random
# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
# size that will be replied by Radiator. It must be small
# EAPTLS_DHFile if set specifies the DH group file. It
# may be required if you need to use ephemeral DH keys.
# EAPTLS_DHFile %D/certificates/cert/dh
# for the certificate issuer
# fail with an error:
# Alternatively, CRLs may follow a file naming convention:
# the hash of the issuer subject name
# You can find out the hash of the issuer name in a CRL with
# openssl crl -in crl.pem -hash -noout
# CRLs with this name convention
# will be searched in EAPTLS_CAPath, else in the openssl
# openssl ca -gencrl -out crl.pem
# Use of these flags requires Net_SSLeay-1.21 or later
#EAPTLS_CRLCheck
#EAPTLS_CRLFile %D/certificates/crl.pem
#EAPTLS_CRLFile %D/certificates/revocations.pem
# client Network Properties dialog.
# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
# in the final Access-Accept
AutoMPPEKeys
# You can enable some warning messages from the Net::SSLeay
# module by setting SSLeayTrace to an integer from 1 to 4
# 1=ciphers, 2=trace, 3=dump data
#SSLeayTrace 4
# You can configure the User-Name that will be used for the inner
# authentication. Defaults to 'anonymous'. This can be useful
# when proxying the inner authentication. If there is a realm, it can
# be used to choose a local Realm to handle the inner authentication.
# %0 is replaced with the EAP identity
# EAPAnonymous anonymous at some.other.realm
# You can enable or disable support for TTLS Session Resumption and
# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
# Default is enabled
#EAPTLS_SessionResumption 0
# You can limit how long after the initial session that a session can be resumed
# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
# (12 hours)
#EAPTLS_SessionResumptionLimit 10
</AuthBy>
# These hooks fix the problem with some implementations of TTLS, where the
# accounting requests have the User-Name of anonymous, instead of the real
# users name. After authenticating the inner TTLS request, the
# PostAuthHook caches the _real_ user name in an SQL table,
# The PreProcessingHook replaces the 'anonymous' user name in accounting requests with the
# real user name that was previously cached for the NAS and NAS-Port.
# You can see the correct real User-Name logged in the AcctLogFileName
# PreProcessingHook file:"goodies/eap_anon_hook.pl"
# PostAuthHook file:"goodies/eap_anon_hook.pl"
# AcctLogFileName %D/detail
</Realm>
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
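
Added example (not part of the original post and not Radiator code): a Python decoder for the EAP-Message attribute as it is printed in the trace above, showing where the "code 2, 12, 14" and "Response type 1" debug lines come from. The function names are assumptions; the <n> byte notation is taken from the log as shown.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method numbers for the EAPType options listed in the config.
# 21 (TTLS) is the EAPType configured above and the number that appears
# in the "Radius::EAP_21" package name in the ERR line.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             5: "One-Time-Password", 6: "Generic-Token", 13: "TLS",
             21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2"}

# EAP-Message value copied from the Access-Request in the trace.
SAMPLE = "<2><12><0><14><1>anonymous"

def unescape_trace(text):
    """Turn trace notation such as '<2><12>abc' back into raw bytes."""
    out, pos = bytearray(), 0
    for m in re.finditer(r"<(\d{1,3})>", text):
        out += text[pos:m.start()].encode("latin-1")  # printable run
        value = int(m.group(1))
        if value > 255:
            raise ValueError("escape %s is not a byte" % m.group(0))
        out.append(value)
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)

def decode_eap(raw):
    """Decode the EAP header: code, identifier, length, then type and data."""
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("length field %d does not fit %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, "unknown(%d)" % code),
           "id": ident, "length": length}
    if code in (1, 2):  # only Request and Response carry a type octet
        if length < 5:
            raise ValueError("Request/Response without a type octet")
        pkt["type"] = raw[4]
        pkt["type_name"] = EAP_TYPES.get(raw[4], "unknown(%d)" % raw[4])
        pkt["data"] = raw[5:length]
    return pkt

if __name__ == "__main__":
    print(decode_eap(unescape_trace(SAMPLE)))
```

The decoded packet is a plain Identity response, so the request fails at the first EAP exchange, before any TTLS (type 21) message has been received.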