(RADIATOR) SOS!!!!SOS...It said:Could not handle an EAP request!!

guxiaozhong guxiaozhong at 163.com
Mon May 19 06:35:02 CDT 2003


Hi,
  Who can help me resolve this problem? Details as follows:
  Log:
  
** Received from 10.0.0.10 port 1812 ....
Code:       Access-Request
Identifier: 174
Authentic:  @o<26><0><189>i<0><0><189>i<0><0><223>f<166><165>
Attributes:
        User-Name = "anonymous"
        cisco-avpair = "ssid=Test"
        NAS-IP-Address = 10.0.0.10
        Framed-MTU = 1400
        Called-Station-Id = "003002DDA37C"
        Calling-Station-Id = "00022D4147EC"
        NAS-Identifier = "Test"
        NAS-Port = 37
        NAS-Port-Type = Wireless-IEEE-802-11
        Service-Type = Login-User
        EAP-Message = <2><12><0><14><1>anonymous
        Message-Authenticator = <182><250><191><189><134><0>@<172><157>C<4><224><184><137><14><160>

Mon May 19 18:27:32 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon May 19 18:27:32 2003: DEBUG:  Deleting session for anonymous, 10.0.0.10, 37
Mon May 19 18:27:32 2003: DEBUG: Handling with Radius::AuthFILE:
Mon May 19 18:27:32 2003: DEBUG: Handling with EAP: code 2, 12, 14
Mon May 19 18:27:32 2003: DEBUG: Response type 1
Mon May 19 18:27:32 2003: ERR: Could not handle an EAP request: Can't locate object method "response_identity" via package "Radius::EAP_21" at /usr/lib/perl5/site_perl/Radius/EAP.pm line 139.

Mon May 19 18:27:32 2003: INFO: Access rejected for anonymous: Could not handle an EAP request
Mon May 19 18:27:32 2003: DEBUG: Packet dump:
*** Sending to 10.0.0.10 port 1812 ....
Code:       Access-Reject
Identifier: 174
Authentic:  @o<26><0><189>i<0><0><189>i<0><0><223>f<166><165>
Attributes:
        Reply-Message = "Request Denied"

Mon May 19 18:27:39 2003: DEBUG: Packet dump:
   Config file:
   eap_ttls.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# EAP TTLS authentication as used by Funk Odyssey.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate from a standard users file in
# the current directory.
# It will accept requests from any client and try to handle request
# for any realm.
# And it will print out what it's doing in great detail.
#
# In order to authenticate, the client's user name must be in ./users
# (the password is irrelevant for EAP TLS).
# It will also require that the certificate installed on the client
# is within one step of the root certificate, and that the subject name
# in the client certificate is the same as the user name they are trying
# to log in as.
#
# In order to test this, you WILL need to install a server certificate and
# key for Radiator to use. Runs with openssl on Unix.
#
# There is a helpful tutorial for testing EAP TLS with Aironet wireless cards
# mentioned in http://www.missl.cs.umd.edu/wireless/eaptls/, which were
# AuthBy FILE below to suit.
#
# Requires Net_SSLeay.pm-1.21 or later from CPAN.
# Requires openssl 0.9.7beta3 or later from www.openssl.org
# Requires Digest-HMAC from CPAN
# Requires Digest-SHA1 from CPAN
#
#

Foreground
LogStdout
LogDir          .
DbDir           .
# Use a lower trace level in production systems:
Trace           4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client 10.0.0.10>
        Secret  mysecret
        DupInterval 0
</Client>

# The original TTLS request from a NAS will be sent to a matching
# extracted.
# The inner authentication request will sent again to a matching
# a specific handler
# act as the AAA/H home server, and authenticate TTLS requests locally or proxy
# from a file by AuthBy FILE
<Realm DEFAULT>

        <AuthBy FILE>
                # Users must be in this file to get anywhere. In this example,
                # in the outer requests, and it also requires an entry for the
                # in the Funk Odyssey 'Edit Profile Properties' page
                Filename %D/users

                # EAPType sets the EAP type(s) that Radiator will honour.
                # Options are: MD5-Challenge, One-Time-Password
                # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
                # Multiple types can be comma separated. With the default (most
                # preferred) type given first
                EAPType TTLS

                # EAPTLS_CAFile is the name of a file of CA certificates
                # in PEM format. The file can contain several CA certificates
                # EAPTLS_CAPath is the name of a directory containing CA

                # EAPTLS_CertificateFile is the name of a file containing
                # defaults to ASN1
                EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                EAPTLS_CertificateType PEM

                # EAPTLS_PrivateKeyFile is the name of the file containing
                # the server's private key. It is sometimes in the same file
                # as the server certificate (EAPTLS_CertificateFile)
                # If the private key is encrypted (usually the case)
                # then EAPTLS_PrivateKeyPassword is the key to decrypt it
                EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                EAPTLS_PrivateKeyPassword whatever

                # EAPTLS_RandomFile is an optional file containing
                # randomness
#               EAPTLS_RandomFile %D/certificates/random

                # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
                # size that will be replied by Radiator. It must be small
                # EAPTLS_DHFile if set specifies the DH group file. It
                # may be required if you need to use ephemeral DH keys.
#               EAPTLS_DHFile %D/certificates/cert/dh


                # for the certificate issuer
                # fail with an error:
                # Alternatively, CRLs may follow a file naming convention:
                #  the hash of the issuer subject name
                # You can find out the hash of the issuer name in a CRL with
                #  openssl crl -in crl.pem -hash -noout
                # CRLs with this name convention
                # will be searched in EAPTLS_CAPath, else in the openssl
                #  openssl ca -gencrl -out crl.pem
                # Use of these flags requires Net_SSLeay-1.21 or later
                #EAPTLS_CRLCheck
                #EAPTLS_CRLFile %D/certificates/crl.pem
                #EAPTLS_CRLFile %D/certificates/revocations.pem
                # client Network Properties dialog.
                # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
                # in the final Access-Accept
                AutoMPPEKeys

                # You can enable some warning messages from the Net::SSLeay
                # module by setting SSLeayTrace to an integer from 1 to 4
                # 1=ciphers, 2=trace, 3=dump data
                #SSLeayTrace 4

                # You can configure the User-Name that will be used for the inner
                # authentication. Defaults to 'anonymous'. This can be useful
                # when proxying the inner authentication. If there is a realm, it can
                # be used to choose a local Realm to handle the inner authentication.
                # %0 is replaced with the EAP identity
                # EAPAnonymous anonymous@some.other.realm

                # You can enable or disable support for TTLS Session Resumption and
                # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
                # Default is enabled
                #EAPTLS_SessionResumption 0

                # You can limit how long after the initial session that a session can be resumed
                # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
                # (12 hours)
                #EAPTLS_SessionResumptionLimit 10
        </AuthBy>


        # These hooks fix the problem with some implementations of TTLS, where the
        # accounting requests have the User-Name of anonymous, instead of the real
        # user's name. After authenticating the inner TTLS request, the
        # PostAuthHook caches the _real_ user name in an SQL table,
        # The PreProcessingHook replaces the 'anonymous' user name in accounting requests with the
        # real user name that was previously cached for the NAS and NAS-Port.
        # You can see the correct real User-Name logged in the AcctLogFileName
#       PreProcessingHook file:"goodies/eap_anon_hook.pl"
#       PostAuthHook file:"goodies/eap_anon_hook.pl"
#       AcctLogFileName %D/detail
</Realm>
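
Added example, not part of the original post and not Radiator code: a decoder for the EAP-Message attribute as it appears in the trace above, useful for checking what the supplicant actually sent against the "code 2, 12, 14" and "Response type 1" debug lines. It assumes each `<n>` in the dump is one byte written in decimal; the names `undump` and `parse_eap` belong to this example only.

```python
import re
import struct

# EAP codes and a few method types (RFC 3748 / IANA); 21 is EAP-TTLS,
# the EAPType set in the configuration above.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2"}

# EAP-Message value copied from the Access-Request in the log above.
SAMPLE = "<2><12><0><14><1>anonymous"


def undump(text):
    """Turn trace notation such as '<2><12><0>abc' back into raw bytes.

    Assumption: '<n>' is a decimal byte value; other characters are literal.
    """
    out = bytearray()
    for num, ch in re.findall(r"<(\d{1,3})>|(.)", text, re.S):
        value = int(num) if num else ord(ch)
        if value > 255:
            raise ValueError("not a byte: %r" % (num or ch))
        out.append(value)
    return bytes(out)


def parse_eap(packet):
    """Decode an EAP packet header, enforcing the RFC 3748 length rules."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    # A length larger than what was received means a truncated packet;
    # octets beyond the length field are padding and are ignored.
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length %d for %d bytes" % (length, len(packet)))
    packet = packet[:length]
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request and Response carry a type octet
        if length < 5:
            raise ValueError("Request/Response without a type octet")
        info["type"] = EAP_TYPES.get(packet[4], packet[4])
        info["data"] = packet[5:]
    return info


if __name__ == "__main__":
    print(parse_eap(undump(SAMPLE)))
```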

























