(RADIATOR) 802.1x Authentication Unsuccessful - Could not find a handler for...

Terry Simons galimore at mac.com
Sat Oct 4 00:33:14 CDT 2003


Mike,

I stripped my configuration down to a bare-bones one, and I'm still 
having the issue I mentioned before (listed at the bottom of this 
E-mail).

I've also done the following:

Upgraded to Radiator 3.7.1 w/patches as of October 3 2003.

Using D-Link DWL 900AP+, which worked with Radiator 3.6 & patches, but 
is broken with Radiator 3.7 & 3.7.1.

Here's my configuration, and there are some trace level 4 log tidbits 
after the configuration:

Foreground
LogStdout

LogDir          /usr/local/var/log/radius.log
LogFile         %L/logfile
DbDir           /usr/local/etc
Trace           4

AuthPort 1812
AcctPort 1813

<Client DEFAULT>
         NoIgnoreDuplicates Access-Challenge
         NoIgnoreDuplicates Access-Request
         DupInterval 0
</Client>

<Handler TunneledByTTLS=1>
    <AuthBy FILE>
        Filename                        /usr/local/etc/users
        EAPType                         TTLS TLS MD5-Challenge MSCHAP-V2
        EAPTLS_MaxFragmentSize          1024
        EAPTLS_CAFile                   /etc/radiator/testCA.pem
        EAPTLS_CertificateType          PEM
        EAPTLS_CertificateFile          /etc/radiator/testServer.pem
        EAPTLS_PrivateKeyFile           /etc/radiator/testServer.pem
        EAPTLS_PrivateKeyPassword      *********

        EAPTLS_SessionResumption 0
        AutoMPPEKeys
    </AuthBy>
</Handler>

There is some weird logging output that wasn't around in 3.6... plus 
some weirdness from my AP, it seems.

It doesn't look like an Acct-Session-Id is being generated for my 
authentication... (Does this happen on the AP, or does Radiator do 
this?)

Also, when I stop my client, I get a stop record from the AP, it seems. 
  Radiator makes 3 logs of this, and complains that it couldn't find a 
handler for a non existent user, literally "" and that the requests 
were ignored.

Anyway... here's the complete output:

Fri Oct  3 23:27:14 2003: DEBUG: Reading users file /usr/local/etc/users
Fri Oct  3 23:27:14 2003: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Fri Oct  3 23:27:14 2003: DEBUG: Reading dictionary file '/usr/local/etc/dictionary'
Fri Oct  3 23:27:14 2003: DEBUG: Creating authentication port 0.0.0.0:1812
Fri Oct  3 23:27:14 2003: DEBUG: Creating accounting port 0.0.0.0:1813
Fri Oct  3 23:27:14 2003: NOTICE: Server started: Radiator 3.7.1 on icebox
Fri Oct  3 23:27:21 2003: DEBUG: Packet dump:
*** Received from 10.0.0.20 port 1248 ....
Code:       Access-Request
Identifier: 91
Authentic:  <212><250>?<241><192>0N]<26><146>&\D<191><27><218>
Attributes:
         User-Name = "terry"
         NAS-IP-Address = 10.0.0.20
         NAS-Port = 0
         Called-Station-Id = "00-40-05-D0-53-80"
         Calling-Station-Id = "00-30-65-1D-9E-A6"
         NAS-Identifier = "WardriveMe"
         Framed-MTU = 1380
         NAS-Port-Type = Wireless-IEEE-802-11
         EAP-Message = <2><1><0><10><1>terry
         Message-Authenticator = <229><209>`C<143>G*ob<200><224>@z<141>C<171>

Fri Oct  3 23:27:21 2003: WARNING: Could not find a handler for terry: request is ignored
Fri Oct  3 23:27:26 2003: DEBUG: Packet dump:
*** Received from 10.0.0.20 port 1249 ....
Code:       Accounting-Request
Identifier: 92
Authentic:  <156><165>O<146><241>u<170>I<141><240>vYN5<161><206>
Attributes:
         Acct-Status-Type = Stop
         User-Name = ""
         Acct-Session-Id = ""
         NAS-IP-Address = 10.0.0.20
         NAS-Port = 0
         Acct-Authentic = RADIUS
         NAS-Identifier = "WardriveMe"
         Acct-Delay-Time = 0

Fri Oct  3 23:27:26 2003: WARNING: Could not find a handler for : request is ignored
Fri Oct  3 23:27:31 2003: DEBUG: Packet dump:
*** Received from 10.0.0.20 port 1249 ....
Code:       Accounting-Request
Identifier: 93
Authentic:  7E<24><133>Q<135><27><168>g4<241><18><<201><10>&
Attributes:
         Acct-Status-Type = Stop
         User-Name = ""
         Acct-Session-Id = ""
         NAS-IP-Address = 10.0.0.20
         NAS-Port = 0
         Acct-Authentic = RADIUS
         NAS-Identifier = "WardriveMe"
         Acct-Delay-Time = 83886080

Fri Oct  3 23:27:31 2003: WARNING: Could not find a handler for : request is ignored
Fri Oct  3 23:27:36 2003: DEBUG: Packet dump:
*** Received from 10.0.0.20 port 1249 ....
Code:       Accounting-Request
Identifier: 94
Authentic:  _@<177><173><183><176><184><20><26><219><202>{B<214><175>E
Attributes:
         Acct-Status-Type = Stop
         User-Name = ""
         Acct-Session-Id = ""
         NAS-IP-Address = 10.0.0.20
         NAS-Port = 0
         Acct-Authentic = RADIUS
         NAS-Identifier = "WardriveMe"
         Acct-Delay-Time = 167772160

Fri Oct  3 23:27:36 2003: WARNING: Could not find a handler for : request is ignored




On Sep 26, 2003, at 12:50 AM, Mike McCauley wrote:

> Hello Terry,
>
>
> On Fri, 26 Sep 2003 03:44 pm, Terry Simons wrote:
>> Howdy,
>>
>> After upgrading to Radiator 3.7 I'm getting the following error:
>>
>> Reply-Message = "EAP TTLS inner authentication redespatched to a
>> Handler"
>>
>> Things worked just fine in 3.6... :)
>>
>> I took a look in eap_ttls.cfg, but it looks like there is a typo...
>>
>> There is a starting <Realm DEFAULT> declaration, but it ends with a
>> </Handler> tag.
>
> This is incorrect, but innocuous, and would not explain what you are seeing.
>
> I think we will need to see your Radiator log file at trace level 4 showing
> what happens during authentication.
> What type of TTLS authentication are you using?
>
> What does AuthBy         ACCT-TEST  in your config file refer to? I think we
> will need to see your entire config file (no secrets)
>
> Cheers.
>
>
>>
>> That doesn't quite look right...
>>
>> I guess I'll give the eap_ttls_proxy.cfg handler method a try...
>>
>> Should this work the way I have it configured, or did I do something
>> wrong?
>>
>> Here's the offending realm definition:
>>
>> <Realm DEFAULT>
>>     RewriteUsername s/^([^@]+).*/$1/
>>     AcctLogFileName %L/accounting/accounting.acct
>>
>>      RejectHasReason
>>
>>      AuthByPolicy    ContinueAlways
>>
>>      AuthBy         ACCT-TEST
>>
>>      <AuthLog FILE>
>>          Filename                %L/authlog/authlog.log
>>          LogSuccess              1
>>          LogFailure              1
>>          SuccessFormat           %l,%u,%{NAS-Identifier},%N,%h,OK
>>          FailureFormat           %l,%u,%{NAS-Identifier},%N,%h,FAIL
>>      </AuthLog>
>>     RewriteUsername s/^([^@]+).*/$1/
>>
>>     <AuthBy FILE>
>>         Filename                        /usr/local/etc/users
>>         EAPType                         TTLS TLS MD5-Challenge MSCHAP-V2
>>         EAPTLS_MaxFragmentSize          1024
>>         EAPTLS_CAFile                   /etc/radiator/CA.pem
>>         EAPTLS_CertificateType          PEM
>>         EAPTLS_CertificateFile          /etc/radiator/Server.pem
>>         EAPTLS_PrivateKeyFile           /etc/radiator/Server.pem
>>         EAPTLS_PrivateKeyPassword       PrivateKey
>>
>>         EAPTLS_SessionResumption 0
>>         AutoMPPEKeys
>>
>>     </AuthBy>
>> </Realm>
>>
>> ===
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
> -- 
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> 24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
> Phone +61 3 9598-0985                       Fax   +61 3 9598-0955
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>
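
A way to triage a trace level 4 log like the one in this message, as an added example that is not part of the original post or of Radiator: it pairs each "Could not find a handler" warning with the packet dump that precedes it and reports the request type, the NAS and any empty attributes. The sample log is constructed (condensed from the output quoted above), the function names are hypothetical, and reading the large Acct-Delay-Time values as byte-swapped integers is an assumption, suggested by the Stop records arriving five seconds apart.

```python
import re

# Constructed sample, condensed from the trace-4 output quoted in this message.
SAMPLE_LOG = """\
Fri Oct  3 23:27:21 2003: DEBUG: Packet dump:
*** Received from 10.0.0.20 port 1248 ....
Code:       Access-Request
         User-Name = "terry"
Fri Oct  3 23:27:21 2003: WARNING: Could not find a handler for terry: request is ignored
Fri Oct  3 23:27:31 2003: DEBUG: Packet dump:
*** Received from 10.0.0.20 port 1249 ....
Code:       Accounting-Request
         Acct-Status-Type = Stop
         User-Name = ""
         Acct-Session-Id = ""
         Acct-Delay-Time = 83886080
Fri Oct  3 23:27:31 2003: WARNING: Could not find a handler for : request is ignored
"""

RECV = re.compile(r'^\*\*\* Received from (\S+) port (\d+)')
CODE = re.compile(r'^Code:\s+(\S+)')
ATTR = re.compile(r'^\s+([\w-]+) = "?(.*?)"?\s*$')
IGNORED = re.compile(r'WARNING: Could not find a handler for (.*?): request is ignored')

def swap32(n):  # reverse the byte order of a 32-bit integer
    return int.from_bytes(n.to_bytes(4, "big"), "little")

def ignored_requests(log):
    """Pair each 'Could not find a handler' warning with the packet dump before it."""
    findings, pkt = [], None
    for line in log.splitlines():
        if m := RECV.match(line):
            pkt = {"nas": m.group(1), "code": None, "attrs": {}}
        elif pkt is not None and (m := CODE.match(line)):
            pkt["code"] = m.group(1)
        elif pkt is not None and (m := ATTR.match(line)):
            pkt["attrs"][m.group(1)] = m.group(2)
        elif pkt is not None and (m := IGNORED.search(line)):
            a = pkt["attrs"]
            notes = [k for k in ("User-Name", "Acct-Session-Id") if a.get(k) == ""]
            delay = int(a.get("Acct-Delay-Time", 0))
            if delay > 86400:  # assumption: more than a day of delay is implausible
                notes.append(f"Acct-Delay-Time {delay} byte-swapped = {swap32(delay)}")
            findings.append({"user": m.group(1), "code": pkt["code"],
                             "nas": pkt["nas"], "notes": notes})
            pkt = None
    return findings
```
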
