(RADIATOR) 802.1X TTLS/MD5

Kevin Schmidt kps at ucsb.edu
Sun Sep 7 13:48:18 CDT 2003


I'm trying to do a little 802.1X experimentation and am having limited
success, so any pointers are welcome.  It's probably something really
obvious, but I haven't figured it out yet.

The environment consists of Radiator 3.6+patches on a FreeBSD 4.8-STABLE
box (openssl 0.9.7a).  The supplicant is Windows XP Pro with
Meetinghouse 2.1.0, configured for TTLS and EAP-MD5.  The authenticator
is an HP2524 with F.05.17 firmware, though I also tried a Foundry
BigIron 4000 (07.6.04bT53).  Doing plain-vanilla EAP-MD5 without
TTLS/PEAP worked, but the security issues preclude me from using it
(esp. once I add wireless).

I've attached copies of my test radius.cfg (based on
goodies/eap_multi.cfg), logfile, and test password file.  The logfile
shows the start of radiusd, an authentication attempt (forced by doing
"aaa port auth 19 initialize" on the HP2524), and radiusd shutdown.  It
appears to be stuck in some kind of loop, as the SSL cert is repeatedly
sent to the authenticator.  Towards the end, the following lines appear
in the logfile:

Sun Sep  7 11:23:52 2003: DEBUG: EAP result: 1, EAP TLS Handshake unsuccessful:  48130: 1 - error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter

Sun Sep  7 11:23:52 2003: INFO: Access rejected for kevin.schmidt: EAP TLS Handshake unsuccessful:  48130: 1 - error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter

The radius.cfg file is definitely not one I'd use in production, esp.
since it would have to get more complicated to accommodate
authentication of administrator logins to the HP2524 in addition to
authenticating end users via 802.1X.

Any comments or suggestions are welcome, and I'd be happy to provide
additional details if necessary.

Thanks,

Kevin Schmidt                                kps at ucsb.edu
Campus Network Programmer                    (805) 893-7779
Office of Information Technology             (805) 893-5051 FAX
University of California, Santa Barbara      
North Hall 2124
Santa Barbara, CA 93106-3201                 
Attachments (non-text, scrubbed by the list archive):

- radius.cfg (application/octet-stream, 1510 bytes): http://www.open.com.au/pipermail/radiator/attachments/20030907/5045c4b6/attachment.obj
- logfile (application/octet-stream, 42338 bytes): http://www.open.com.au/pipermail/radiator/attachments/20030907/5045c4b6/attachment-0001.obj
- eap.txt (application/octet-stream, 164 bytes): http://www.open.com.au/pipermail/radiator/attachments/20030907/5045c4b6/attachment-0002.obj
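The two log lines quoted in the post carry more information than they first appear to. "sslv3 alert illegal parameter" reported from SSL3_READ_BYTES means Radiator's OpenSSL received an alert from the peer: the supplicant rejected something in the server's handshake messages, not the other way round, which is why the exchange restarts and the certificate is resent until the attempt is finally rejected. The following triage script is an added example, not code from Kevin's post or from the Radiator project. It parses Radiator's "timestamp: LEVEL: message" log layout, counts the TLS challenge rounds preceding each rejection, and unpacks the OpenSSL error code (8-bit library, 12-bit function, 12-bit reason, with SSL reason codes of 1000 and above being received TLS alerts) so the alert number can be read off directly. The sample log is constructed: the last two lines are the ones quoted in the post, rejoined onto single lines, and the DEBUG lines before them are invented filler in the same layout standing in for the repeated certificate exchange the post describes.

```python
"""Triage helper for Radiator EAP-TLS/TTLS handshake failures (added example, not Radiator code)."""
import re
from typing import Optional

# Constructed sample log. The two trailing lines are the ones quoted in the
# post (re-joined onto single lines); the DEBUG lines are invented filler in
# Radiator's timestamp/level/message layout representing the looping exchange.
SAMPLE_LOG = """\
Sun Sep  7 11:23:40 2003: DEBUG: EAP result: 3, EAP TLS Challenge
Sun Sep  7 11:23:42 2003: DEBUG: EAP result: 3, EAP TLS Challenge
Sun Sep  7 11:23:45 2003: DEBUG: EAP result: 3, EAP TLS Challenge
Sun Sep  7 11:23:49 2003: DEBUG: EAP result: 3, EAP TLS Challenge
Sun Sep  7 11:23:52 2003: DEBUG: EAP result: 1, EAP TLS Handshake unsuccessful:  48130: 1 - error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter
Sun Sep  7 11:23:52 2003: INFO: Access rejected for kevin.schmidt: EAP TLS Handshake unsuccessful:  48130: 1 - error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter
"""

# "Sun Sep  7 11:23:52 2003: DEBUG: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# OpenSSL's ERR_error_string() layout: error:<hex code>:<library>:<function>:<reason>
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)"
)
REJECT_RE = re.compile(r"Access rejected for (?P<user>\S+): (?P<why>.*)")

ERR_LIB_SSL = 20          # OpenSSL library id for "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # SSL_R_*_ALERT_* reason = 1000 + TLS alert number

# TLS alert descriptions from RFC 2246, section 7.2.2.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation",
}


def decode_openssl_error(code: int) -> dict:
    """Unpack an ERR_PACK() code into library, function and reason fields.

    For the SSL library, reason codes >= 1000 denote an alert received from
    the peer; subtracting the offset yields the TLS alert number."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {
        "lib": lib,
        "func": func,
        "reason": reason,
        "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, "unknown") if alert is not None else None,
    }


def parse_line(line: str) -> Optional[dict]:
    """Split one Radiator log line into timestamp, level and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> dict:
    """Collect rejections with the number of TLS rounds that preceded each one."""
    rounds = 0
    rejections = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("EAP result: 3"):   # 3 = CHALLENGE: another TLS round trip
            rounds += 1
        m = REJECT_RE.search(msg)
        if m:
            err = OPENSSL_ERR_RE.search(m["why"])
            rejections.append({
                "time": rec["ts"],
                "user": m["user"],
                "tls_rounds": rounds,
                "openssl": decode_openssl_error(int(err["code"], 16)) if err else None,
                "text": err["reason"] if err else m["why"],
            })
            rounds = 0
    return {"rejections": rejections}


if __name__ == "__main__":
    for rej in triage(SAMPLE_LOG)["rejections"]:
        o = rej["openssl"]
        print(f'{rej["time"]} user={rej["user"]} rounds={rej["tls_rounds"]} '
              f'alert={o["alert"]} ({o["alert_name"]}) reason={o["reason"]}')
```

Run against the real attached logfile with `triage(open("logfile").read())`, the script reports one rejection per user with the number of challenge round trips that preceded it; a high count followed by a peer alert points at the supplicant rejecting the server's handshake (cipher suite, certificate or version parameters) rather than at a credential problem, which narrows where to look in the TTLS configuration on each side.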