(RADIATOR) SOS!!!!!...SOS...It said that could not handle an EAP request

Bon sy bon at bunny.cs.qc.edu
Tue May 20 06:15:07 CDT 2003


Guxiaozhong,

	From your log it looks like you are doing EAP-PEAP. I had this
error before when I did not install Net_SSLeay.pm-1.21 and Digest-MD4.

	I will suggest to check this first and hope this helps.

Bon


On Tue, 20 May 2003, guxiaozhong wrote:

> Hi, 
>     I'm a new user on Radiator, so who can help me resolve the following issue? I attached the log and config file. Thank you!!!
>     
>     Log:
>     
> 
> ** Received from 10.0.0.10 port 1812 ....
> Code:       Access-Request
> Identifier: 174
> Authentic:  @o<26><0><189>i<0><0><189>i<0><0><223>f<166><165>
> Attributes:
>         User-Name = "anonymous"
>         cisco-avpair = "ssid=Test"
>         NAS-IP-Address = 10.0.0.10
>         Framed-MTU = 1400
>         Called-Station-Id = "00C002DDA37C"
>         Calling-Station-Id = "00022D4147EC"
>         NAS-Identifier = "Test"
>         NAS-Port = 37
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login-User
>         EAP-Message = <2><12><0><14><1>anonymous
>         Message-Authenticator = <182><250><191><189><134><0>@<172><157>C<4><224><184><137><14><160>
> 
> Mon May 19 18:27:32 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Mon May 19 18:27:32 2003: DEBUG:  Deleting session for anonymous, 10.0.0.10, 37
> Mon May 19 18:27:32 2003: DEBUG: Handling with Radius::AuthFILE:
> Mon May 19 18:27:32 2003: DEBUG: Handling with EAP: code 2, 12, 14
> Mon May 19 18:27:32 2003: DEBUG: Response type 1
> Mon May 19 18:27:32 2003: ERR: Could not handle an EAP request: Can't locate object method "response_identity" via package "Radius::EAP_21" at /usr/lib/perl5/site_perl/Radius/EAP.pm line 139.
> Mon May 19 18:27:32 2003: INFO: Access rejected for anonymous: Could not handle an EAP request
> Mon May 19 18:27:32 2003: DEBUG: Packet dump:
> *** Sending to 10.0.0.10 port 1812 ....
> Code:       Access-Reject
> Identifier: 174
> Authentic:  @o<26><0><189>i<0><0><189>i<0><0><223>f<166><165>
> Attributes:
>         Reply-Message = "Request Denied"
> 
> Mon May 19 18:27:39 2003: DEBUG: Packet dump:
>
>    Config file:
>
> # eap_ttls.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # EAP TTLS authentication as used by Funk Odyssey.
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example will authenticate from a standard users file in
> # the current directory.
> # It will accept requests from any client and try to handle request
> # for any realm.
> # And it will print out what its doing in great detail.
> #
> # In order to authenticate, the clients user name must be in ./users
> # (the password is irrelevant for EAP TLS).
> # It will also require that the certificate installed on the client
> # is within one step of the root certificate, and that the subject name
> # in the client certificate is the same as the user name they are trying
> # to log in as.
> #
> # In order to test this, you WILL need to install a server certificate and
> # key for Radiator to use. Runs with openssl on Unix.
> #
> # There is a helpful tutorial for testing EAP TLS with Aironet wireless cards
> # mentioned in http://www.missl.cs.umd.edu/wireless/eaptls/, which were
> # AuthBy FILE below to suit.
> #
> # Requires Net_SSLeay.pm-1.21 or later from CPAN.
> # Requires openssl 0.9.7beta3 or later from www.openssl.org
> # Requires Digest-HMAC from CPAN
> # Requires Digest-SHA1 from CPAN
> #
> #
> 
> Foreground
> LogStdout
> LogDir          .
> DbDir           .
> # Use a lower trace level in production systems:
> Trace           4
> 
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client 10.0.0.10>
>         Secret  mysecret
>         DupInterval 0
> </Client>
> 
> # The original TTLS request from a NAS will be sent to a matching
> # extracted.
> # The inner authentication request will sent again to a matching
> # a specific handler
> # act as the AAA/H home server, and authenticate TTLS requests locally or proxy
> # from a file by AuthBy FILE
> <Realm DEFAULT>
> 
>         <AuthBy FILE>
>                 # Users must be in this file to get anywhere. In this example,
>                 # in the outer requests, and it also requires an entry for the
>                 # in the Funk Odyssey 'Edit Profile Properties' page
>                 Filename %D/users
> 
>                 # EAPType sets the EAP type(s) that Radiator will honour.
>                 # Options are: MD5-Challenge, One-Time-Password
>                 # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>                 # Multiple types can be comma separated. With the default (most
>                 # preferred) type given first
>                 EAPType TTLS
> 
>                 # EAPTLS_CAFile is the name of a file of CA certificates
>                 # in PEM format. The file can contain several CA certificates
>                 # EAPTLS_CAPath is the name of a directory containing CA
> 
>                 # EAPTLS_CertificateFile is the name of a file containing
>                 # defaults to ASN1
>                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>                 EAPTLS_CertificateType PEM
> 
>                 # EAPTLS_PrivateKeyFile is the name of the file containing
>                 # the servers private key. It is sometimes in the same file
>                 # as the server certificate (EAPTLS_CertificateFile)
>                 # If the private key is encrypted (usually the case)
>                 # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>                 EAPTLS_PrivateKeyPassword whatever
> 
>                 # EAPTLS_RandomFile is an optional file containing
>                 # randomness
> #               EAPTLS_RandomFile %D/certificates/random
> 
>                 # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>                 # size that will be replied by Radiator. It must be small
>                 # EAPTLS_DHFile if set specifies the DH group file. It
>                 # may be required if you need to use ephemeral DH keys.
> #               EAPTLS_DHFile %D/certificates/cert/dh
> 
> 
>                 # for the certificate issuer
>                 # fail with an error:
>                 # Alternatively, CRLs may follow a file naming convention:
>                 #  the hash of the issuer subject name
>                 # You can find out the hash of the issuer name in a CRL with
>                 #  openssl crl -in crl.pem -hash -noout
>                 # CRLs with this name convention
>                 # will be searched in EAPTLS_CAPath, else in the openssl
>                 #  openssl ca -gencrl -out crl.pem
>                 # Use of these flags requires Net_SSLeay-1.21 or later
>                 #EAPTLS_CRLCheck
>                 #EAPTLS_CRLFile %D/certificates/crl.pem
>                 #EAPTLS_CRLFile %D/certificates/revocations.pem
>                 # client Network Properties dialog.
>                 # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>                 # in the final Access-Accept
>                 AutoMPPEKeys
> 
>                 # You can enable some warning messages from the Net::SSLeay
>                 # module by setting SSLeayTrace to an integer from 1 to 4
>                 # 1=ciphers, 2=trace, 3=dump data
>                 #SSLeayTrace 4
> 
>                 # You can configure the User-Name that will be used for the inner
>                 # authentication. Defaults to 'anonymous'. This can be useful
>                 # when proxying the inner authentication. If there is a realm, it can
>                 # be used to choose a local Realm to handle the inner authentication.
>                 # %0 is replaced with the EAP identity
>                 # EAPAnonymous anonymous at some.other.realm
> 
>                 # You can enable or disable support for TTLS Session Resumption and
>                 # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
>                 # Default is enabled
>                 #EAPTLS_SessionResumption 0
> 
>                 # You can limit how long after the initial session that a session can be resumed
>                 # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
>                 # (12 hours)
>                 #EAPTLS_SessionResumptionLimit 10
>         </AuthBy>
> 
> 
>         # These hooks fix the problem with some implementations of TTLS, where the
>         # accounting requests have the User-Name of anonymous, instead of the real
>         # users name. After authenticating the inner TTLS request, the
>         # PostAuthHook caches the _real_ user name in an SQL table,
>         # The PreProcessingHook replaces the 'anonymous' user name in accounting requests with the
>         # real user name that was previously cached for the NAS and NAS-Port.
>         # You can see the correct real User-Name logged in the AcctLogFileName
> #       PreProcessingHook file:"goodies/eap_anon_hook.pl"
> #       PostAuthHook file:"goodies/eap_anon_hook.pl"
> #       AcctLogFileName %D/detail
> </Realm>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
> 
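
Added example (not part of either message, and not Radiator code): a small decoder for the EAP-Message value and the package name that appear in the log above, to show which EAP exchange failed. It assumes the `<n>` dump notation means one byte of decimal value n, that the whole EAP packet sits in a single EAP-Message attribute, and that the numeric suffix of `Radius::EAP_<n>` is the EAP type number; the function names are hypothetical.

```python
import re
import struct

# EAP codes (RFC 3748) and a few method type numbers from the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2"}

# Copied from the Access-Request dump and the ERR line in the post above.
SAMPLE_EAP_MESSAGE = "<2><12><0><14><1>anonymous"
SAMPLE_PACKAGE = "Radius::EAP_21"

def unescape_dump(text):
    # <n> becomes one byte; any other character is taken literally. A literal
    # "<digits>" in the data is ambiguous, so this is a troubleshooting aid only.
    out = bytearray()
    for match in re.finditer(r"<(\d{1,3})>|(.)", text, re.S):
        if match.group(1) is not None:
            value = int(match.group(1))
            if value > 255:
                raise ValueError(f"byte value out of range: {value}")
            out.append(value)
        else:
            out += match.group(2).encode("latin-1")
    return bytes(out)

def decode_eap(raw):
    """Decode the EAP header: code, identifier, length, then type for code 1/2."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length {length} != {len(raw)} bytes received")
    result = {"code": EAP_CODES.get(code, code), "id": identifier, "length": length}
    if code in (1, 2) and length > 4:
        result["type"] = EAP_TYPES.get(raw[4], raw[4])
        result["data"] = raw[5:]
    return result

def method_for_package(package):
    """Assumption: the numeric suffix of Radius::EAP_<n> is the EAP type number."""
    match = re.fullmatch(r"Radius::EAP_(\d+)", package)
    if not match:
        raise ValueError(f"unexpected package name: {package}")
    number = int(match.group(1))
    return EAP_TYPES.get(number, number)
```

The decoded header (Response, identifier 12, length 14, type Identity) lines up with the `Handling with EAP: code 2, 12, 14` and `Response type 1` debug lines in the log.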
