(RADIATOR) Radiator hangs with EAP (PEAP)

Hugh Irvine hugh at open.com.au
Tue Oct 14 16:10:02 CDT 2003


Hello Mark -

There appear to be two problems here.

The first is your configuration file which should only contain Handlers 
(otherwise the Realm DEFAULT will catch everything).

<Handler TunnelledByPEAP=1>
         <AuthBy FILE>
                 Filename %D/users
                 EAPType PEAP,MSCHAP-V2
         </AuthBy>
</Handler>

<Handler>
         <AuthBy FILE>
                 Filename %D/users
                 EAPType PEAP
                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                 EAPTLS_CertificateType PEM
                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                 EAPTLS_PrivateKeyPassword whatever
                 EAPTLS_MaxFragmentSize 1000
                 AutoMPPEKeys
                 SSLeayTrace 4
         </AuthBy>
</Handler>

The second problem appears to be a configuration issue with the access 
point, because Radiator is sending back an access challenge but then 
receiving nothing further.

regards

Hugh

On Tuesday, Oct 14, 2003, at 20:33 Australia/Melbourne, Mark Verwoerd 
wrote:

> Hello Hugh,
>
> At work we want to set up a wireless network with 802.1x that
> authenticates users to our LDAP server with Radiator 3.7.1.
> The LDAP and Wireless parts work fine, but the EAP PEAP part in
> radiator doesn't.
>
> The AccessPoints are properly configured, the shared secret is correct
> and 802.1x is enabled.
> For testing I'm using the eap_peap.cfg from the goodies, only changed
> the log and pid stuff. So it Auths by File (%D/users)
>
> CFG:
> LogDir          /var/log/radiator
> LogFile         %L/%Y/%m%d.log
> PidFile         /var/log/radiator/radiator.pid
> DbDir           /usr/local/radiator
> Trace           4
>
> AuthPort        1645
> AcctPort        1646
>
> #Accesspoints:
> <Client 145.48.64.5>
>         Secret testing123
>         IgnoreAcctSignature
> </Client>
>
> <Client DEFAULT>
>         Secret  mysecret
>         DupInterval 0
> </Client>
>
> <Handler TunnelledByPEAP=1>
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP,MSCHAP-V2
>         </AuthBy>
> </Handler>
>
> <Realm DEFAULT>
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP
>                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>                 EAPTLS_PrivateKeyPassword whatever
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>         </AuthBy>
> </Realm>
>
>
> On a laptop with WinxP Pro the 'WEP key will be provided for me' option
> is checked. And EAP-Type = EAP (PEAP)
> When my laptop finds the AccessPoint (Avaya AP-1000) it asks for a
> username & password, I fill in fred with password fred and it hangs
> ....
>
> LOG:
>
> Tue Oct 14 12:06:39 2003: DEBUG: Packet dump:
> *** Received from 145.48.64.5 port 192 ....
> Code:       Access-Request
> Identifier: 11
> Authentic:
> T=r<246><229><9><196><246>9<187><196><239><3><189><192><153>
> Attributes:
>         User-Name = "fred"
>         NAS-IP-Address = 145.48.64.5
>         Called-Station-Id = "00022d75a1ac"
>         Calling-Station-Id = "00601df7f7d0"
>         NAS-Identifier = "AP-1000-HSB-05"
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Framed-MTU = 1400
>         EAP-Message = <2><1><0><9><1>fred
>         Message-Authenticator =
> <166><197><<21><15><208>oT|<128><206><193><255><232>+<234>
>
> Tue Oct 14 12:06:39 2003: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Oct 14 12:06:39 2003: DEBUG:  Deleting session for fred,
> 145.48.64.5,
> Tue Oct 14 12:06:39 2003: DEBUG: Handling with Radius::AuthFILE:
> Tue Oct 14 12:06:39 2003: DEBUG: Handling with EAP: code 2, 1, 9
> Tue Oct 14 12:06:39 2003: DEBUG: Response type 1
> Tue Oct 14 12:06:39 2003: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Oct 14 12:06:39 2003: DEBUG: Access challenged for fred: EAP PEAP
> Challenge
> Tue Oct 14 12:06:39 2003: DEBUG: Packet dump:
> *** Sending to 145.48.64.5 port 192 ....
> Code:       Access-Challenge
> Identifier: 11
> Authentic:
> T=r<246><229><9><196><246>9<187><196><239><3><189><192><153>
> Attributes:
>         EAP-Message = <1><2><0><6><25>!
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> What is it waiting on? Or .. what is wrong with the cfg? Or .. what
> do I miss here :x
>
>
> Thanks for your time,
>
> Mark
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
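
Added example (not part of the original thread and not Radiator code): a small Python decoder for the two EAP-Message values in the trace above. It shows that the Access-Challenge carries a PEAP Start and that the server is then waiting for the supplicant's reply to be relayed by the access point. The <decimal> escape notation is inferred from the log, and the flag masks are assumptions based on the usual EAP-TLS/PEAP flags byte.

```python
import re
import struct

# Radiator's trace dump prints non-printable bytes as <decimal> and printable
# bytes literally (inferred from the log above; a literal "<digits>" typed
# into a field would be ambiguous in this notation).
_ESC = re.compile(r"<(\d{1,3})>")
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}

def unescape(dump):
    out, i = bytearray(), 0
    while i < len(dump):
        m = _ESC.match(dump, i)
        if m and int(m.group(1)) < 256:
            out.append(int(m.group(1)))
            i = m.end()
        else:
            out += dump[i].encode("latin-1")
            i += 1
    return bytes(out)

def decode_eap(dump):
    raw = unescape(dump)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length {length} != {len(raw)} bytes dumped")
    pkt = {"code": CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        pkt["type"] = TYPES.get(raw[4], raw[4])
        if raw[4] == 1:
            pkt["identity"] = raw[5:].decode("utf-8", "replace")
        elif raw[4] in (13, 25) and length > 5:
            pkt["start"] = bool(raw[5] & 0x20)   # S bit: begin TLS handshake
            pkt["version"] = raw[5] & 0x07       # low bits (mask is an assumption)
    return pkt

def awaiting(last_sent):
    """What the server needs next after sending this EAP-Message."""
    p = decode_eap(last_sent)
    if p["code"] != "Request":
        return "nothing, conversation ended with " + str(p["code"])
    want = f"EAP-Response id={p['id']}"
    if p.get("start"):
        want += f" type={p['type']} carrying the TLS ClientHello (or a Nak)"
    return want

if __name__ == "__main__":
    for dump in ("<2><1><0><9><1>fred", "<1><2><0><6><25>!"):  # from the log above
        print(decode_eap(dump))
    print("waiting for:", awaiting("<1><2><0><6><25>!"))
```

If no Access-Request with that EAP-Response ever reaches the server, the stall is between the supplicant and the access point rather than in the RADIUS configuration.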
