(RADIATOR) 802.1x Authentication Unsuccessful - Could not find a handler for...
Hugh Irvine
hugh at open.com.au
Sat Oct 4 01:39:44 CDT 2003
Hello Terry -
You will need to have two Handlers in your configuration file:
Foreground
LogStdout
LogDir /usr/local/var/log/radius.log
LogFile %L/logfile
DbDir /usr/local/etc
Trace 4
AuthPort 1812
AcctPort 1813
<Client DEFAULT>
NoIgnoreDuplicates Access-Challenge
NoIgnoreDuplicates Access-Request
DupInterval 0
</Client>
<Handler TunneledByTTLS=1>
<AuthBy FILE>
Filename /usr/local/etc/users
EAPType TTLS, TLS, MD5-Challenge,
MSCHAP-V2
EAPTLS_MaxFragmentSize 1024
EAPTLS_CAFile /etc/radiator/testCA.pem
EAPTLS_CertificateType PEM
EAPTLS_CertificateFile /etc/radiator/testServer.pem
EAPTLS_PrivateKeyFile /etc/radiator/testServer.pem
EAPTLS_PrivateKeyPassword *********
EAPTLS_SessionResumption 0
AutoMPPEKeys
</AuthBy>
</Handler>
<Handler>
<AuthBy FILE>
Filename /usr/local/etc/users
EAPType TTLS, TLS, MD5-Challenge,
MSCHAP-V2
EAPTLS_MaxFragmentSize 1024
EAPTLS_CAFile /etc/radiator/testCA.pem
EAPTLS_CertificateType PEM
EAPTLS_CertificateFile /etc/radiator/testServer.pem
EAPTLS_PrivateKeyFile /etc/radiator/testServer.pem
EAPTLS_PrivateKeyPassword *********
EAPTLS_SessionResumption 0
AutoMPPEKeys
</AuthBy>
</Handler>
Although it is more usual to have different configurations in the two
Handlers.
By means of explanation, the <Handler> at the end is the default
Handler that will be used to process the outer authentication. Then the
<Handler TunneledByTTLS = 1> will process the inner authentication.
Note that EAP is a multi-pass system with a number of radius exchanges
between client and server.
BTW - you should also use commas in the EAPType list (see above).
Have a look at the example configuration files in the goodies directory
(eap_*.cfg).
regards
Hugh
On Saturday, Oct 4, 2003, at 15:33 Australia/Melbourne, Terry Simons
wrote:
> Mike,
>
> I stripped my configuration down to a bare-bones one, and I'm still
> having the issue I mentioned before (listed at the bottom of this
> E-mail)
>
> I've also done the following:
>
> Upgraded to Radiator 3.7.1 w/patches as of October 3 2003.
>
> Using D-Link DWL 900AP+, which worked with Radiator 3.6 & patches, but
> is broken with Radiator 3.7 & 3.7.1.
>
> Here's my configuration, and there are some trace level 4 log tidbits
> after the configuration:
>
> Foreground
> LogStdout
>
> LogDir /usr/local/var/log/radius.log
> LogFile %L/logfile
> DbDir /usr/local/etc
> Trace 4
>
> AuthPort 1812
> AcctPort 1813
>
> <Client DEFAULT>
> NoIgnoreDuplicates Access-Challenge
> NoIgnoreDuplicates Access-Request
> DupInterval 0
> </Client>
>
> <Handler TunneledByTTLS=1>
> <AuthBy FILE>
> Filename /usr/local/etc/users
> EAPType TTLS TLS MD5-Challenge MSCHAP-V2
> EAPTLS_MaxFragmentSize 1024
> EAPTLS_CAFile /etc/radiator/testCA.pem
> EAPTLS_CertificateType PEM
> EAPTLS_CertificateFile /etc/radiator/testServer.pem
> EAPTLS_PrivateKeyFile /etc/radiator/testServer.pem
> EAPTLS_PrivateKeyPassword *********
>
> EAPTLS_SessionResumption 0
> AutoMPPEKeys
> </AuthBy>
> </Handler>
>
> There is some weird logging output that wasn't around in 3.6... plus
> some weirdness from my AP, it seems.
>
> It doesn't look like an Acct-Session-Id is being generated for my
> authentication... (Does this happen on the AP, or does Radiator do
> this?)
>
> Also, when I stop my client, I get a stop record from the AP, it
> seems. Radiator makes 3 logs of this, and complains that it couldn't
> find a handler for a non existent user, literally "" and that the
> requests were ignored.
>
> Anyway... here's the complete output:
>
> Fri Oct 3 23:27:14 2003: DEBUG: Reading users file
> /usr/local/etc/users
> Fri Oct 3 23:27:14 2003: DEBUG: Finished reading configuration file
> '/etc/radiator/radius.cfg'
> Fri Oct 3 23:27:14 2003: DEBUG: Reading dictionary file
> '/usr/local/etc/dictionary'
> Fri Oct 3 23:27:14 2003: DEBUG: Creating authentication port
> 0.0.0.0:1812
> Fri Oct 3 23:27:14 2003: DEBUG: Creating accounting port 0.0.0.0:1813
> Fri Oct 3 23:27:14 2003: NOTICE: Server started: Radiator 3.7.1 on
> icebox
> Fri Oct 3 23:27:21 2003: DEBUG: Packet dump:
> *** Received from 10.0.0.20 port 1248 ....
> Code: Access-Request
> Identifier: 91
> Authentic: <212><250>?<241><192>0N]<26><146>&\D<191><27><218>
> Attributes:
> User-Name = "terry"
> NAS-IP-Address = 10.0.0.20
> NAS-Port = 0
> Called-Station-Id = "00-40-05-D0-53-80"
> Calling-Station-Id = "00-30-65-1D-9E-A6"
> NAS-Identifier = "WardriveMe"
> Framed-MTU = 1380
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2><1><0><10><1>terry
> Message-Authenticator =
> <229><209>`C<143>G*ob<200><224>@z<141>C<171>
>
> Fri Oct 3 23:27:21 2003: WARNING: Could not find a handler for terry:
> request is ignored
> Fri Oct 3 23:27:26 2003: DEBUG: Packet dump:
> *** Received from 10.0.0.20 port 1249 ....
> Code: Accounting-Request
> Identifier: 92
> Authentic: <156><165>O<146><241>u<170>I<141><240>vYN5<161><206>
> Attributes:
> Acct-Status-Type = Stop
> User-Name = ""
> Acct-Session-Id = ""
> NAS-IP-Address = 10.0.0.20
> NAS-Port = 0
> Acct-Authentic = RADIUS
> NAS-Identifier = "WardriveMe"
> Acct-Delay-Time = 0
>
> Fri Oct 3 23:27:26 2003: WARNING: Could not find a handler for :
> request is ignored
> Fri Oct 3 23:27:31 2003: DEBUG: Packet dump:
> *** Received from 10.0.0.20 port 1249 ....
> Code: Accounting-Request
> Identifier: 93
> Authentic: 7E<24><133>Q<135><27><168>g4<241><18><<201><10>&
> Attributes:
> Acct-Status-Type = Stop
> User-Name = ""
> Acct-Session-Id = ""
> NAS-IP-Address = 10.0.0.20
> NAS-Port = 0
> Acct-Authentic = RADIUS
> NAS-Identifier = "WardriveMe"
> Acct-Delay-Time = 83886080
>
> Fri Oct 3 23:27:31 2003: WARNING: Could not find a handler for :
> request is ignored
> Fri Oct 3 23:27:36 2003: DEBUG: Packet dump:
> *** Received from 10.0.0.20 port 1249 ....
> Code: Accounting-Request
> Identifier: 94
> Authentic: _@<177><173><183><176><184><20><26><219><202>{B<214><175>E
> Attributes:
> Acct-Status-Type = Stop
> User-Name = ""
> Acct-Session-Id = ""
> NAS-IP-Address = 10.0.0.20
> NAS-Port = 0
> Acct-Authentic = RADIUS
> NAS-Identifier = "WardriveMe"
> Acct-Delay-Time = 167772160
>
> Fri Oct 3 23:27:36 2003: WARNING: Could not find a handler for :
> request is ignored
>
>
>
>
> On Sep 26, 2003, at 12:50 AM, Mike McCauley wrote:
>
>> Hello Terry,
>>
>>
>> On Fri, 26 Sep 2003 03:44 pm, Terry Simons wrote:
>>> Howdy,
>>>
>>> After upgrading to Radiator 3.7 I'm getting the following error:
>>>
>>> Reply-Message = "EAP TTLS inner authentication redespatched to a
>>> Handler"
>>>
>>> Things worked just fine in 3.6... :)
>>>
>>> I took a look in eap_ttls.cfg, but it looks like there is a typo...
>>>
>>> There is a starting <Realm DEFAULT> declaration, but it ends with a
>>> </Handler> tag.
>>
>> This is incorrect, but innocuous, and would not explain what you are
>> seeing.
>>
>> I think we will need to see your Radiator log file at trace level 4
>> showing
>> what happens during authentication.
>> What type of TTLS authentication are you using?
>>
>> What does AuthBy ACCT-TEST in your config file refer to? I
>> think we
>> will need to see your entore config file (no secrets)
>>
>> Cheers.
>>
>>
>>>
>>> That doesn't quite look right...
>>>
>>> I guess I'll give the eap_ttls_proxy.cfg handler method a try...
>>>
>>> Should this work the way I have it configured, or did I do something
>>> wrong?
>>>
>>> Here's the offending realm definition:
>>>
>>> <Realm DEFAULT>
>>> RewriteUsername s/^([^@]+).*/$1/
>>> AcctLogFileName %L/accounting/accounting.acct
>>>
>>> RejectHasReason
>>>
>>> AuthByPolicy ContinueAlways
>>>
>>> AuthBy ACCT-TEST
>>>
>>> <AuthLog FILE>
>>> Filename %L/authlog/authlog.log
>>> LogSuccess 1
>>> LogFailure 1
>>> SuccessFormat %l,%u,%{NAS-Identifier},%N,%h,OK
>>> FailureFormat %l,%u,%{NAS-Identifier},%N,%h,FAIL
>>> </AuthLog>
>>> RewriteUsername s/^([^@]+).*/$1/
>>>
>>> <AuthBy FILE>
>>> Filename /usr/local/etc/users
>>> EAPType TTLS TLS MD5-Challenge
>>> MSCHAP-V2
>>> EAPTLS_MaxFragmentSize 1024
>>> EAPTLS_CAFile /etc/radiator/CA.pem
>>> EAPTLS_CertificateType PEM
>>> EAPTLS_CertificateFile /etc/radiator/Server.pem
>>> EAPTLS_PrivateKeyFile /etc/radiator/Server.pem
>>> EAPTLS_PrivateKeyPassword PrivateKey
>>>
>>> EAPTLS_SessionResumption 0
>>> AutoMPPEKeys
>>>
>>> </AuthBy>
>>> </Realm>
>>>
>>> ===
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>
>> --
>> Mike McCauley mikem at open.com.au
>> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++,
>> WWW
>> 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
>> Phone +61 3 9598-0985 Fax +61 3 9598-0955
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
>> TLS,
>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list