(RADIATOR) 802.1X TTLS/MD5

Mike McCauley mikem at open.com.au
Sun Sep 7 18:21:59 CDT 2003


On Mon, 8 Sep 2003 04:48 am, Kevin Schmidt wrote:
> I'm trying to do a little 802.1X experimentation and am having limited
> success, so any pointers are welcome.  It's probably something really
> obvious, but I haven't figured it out yet.
>
> The environment consists of Radiator 3.6+patches on a FreeBSD 4.8-STABLE
> box (openssl 0.9.7a).  The supplicant is Windows XP Pro with
> Meetinghouse 2.1.0, configured for TTLS and EAP-MD5.  The authenticator
> is an HP2524 with F.05.17 firmware, though I also tried a Foundry
> BigIron 4000 (07.6.04bT53).  Doing plain-vanilla EAP-MD5 without
> TTLS/PEAP worked, but the security issues preclude me from using it
> (esp. once I add wireless).
>
> I've attached copies of my test radius.cfg (based on
> goodies/eap_multi.cfg), logfile, and test password file.  The logfile
> shows the start of radiusd, an authentication attempt (forced by doing
> "aaa port auth 19 initialize" on the HP2524), and radiusd shutdown.  It
> appears to be stuck in some kind of loop, as the SSL cert is repeatedly
> sent to the authenticator.  Towards the end, the following lines appear
> in the logfile:
>
> Sun Sep  7 11:23:52 2003: DEBUG: EAP result: 1, EAP TLS Handshake
> unsuccessful:  48130: 1 - error:14094417:SSL
> routines:SSL3_READ_BYTES:sslv3 alert illegal parameter
>
> Sun Sep  7 11:23:52 2003: INFO: Access rejected for kevin.schmidt: EAP
> TLS Handshake unsuccessful:  48130: 1 - error:14094417:SSL
> routines:SSL3_READ_BYTES:sslv3 alert illegal parameter
>
> The radius.cfg file is definitely not one I'd use in production, esp.
> since it would have to get more complicated to accommodate
> authentication of administrator logins to the HP2524 in addition to
> authenticating end users via 802.1X.
>
> Any comments or suggestions are welcome, and I'd be happy to provide
> additional details if necessary.

Looks to me like Radiator delivered the server certificate to the client, 
after which things go badly.
I suspect that the client didn't like the certificate for some reason. Usually 
that means that the client is configured to check the server certificate, but 
the server's root certificate has not yet been installed on the client.
Is that possible?

The Radiator FAQ has some tips for how to find out what the problem in the 
client might be.

Cheers.

>
> Thanks,
>
> Kevin Schmidt                                kps at ucsb.edu
> Campus Network Programmer                    (805) 893-7779
> Office of Information Technology             (805) 893-5051 FAX
> University of California, Santa Barbara
> North Hall 2124
> Santa Barbara, CA 93106-3201

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
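An added example, not code from the post or from Radiator: the Python below decodes the OpenSSL error string that Radiator logs ("error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter") to show which side aborted the handshake. OpenSSL encodes a TLS alert received from the peer as reason code 1000 + alert number, so reason 0x417 (1047) is alert 47, illegal_parameter, sent by the supplicant; that is the check behind Mike's reading that the client rejected the certificate. The sample log is reconstructed from the post exactly as the mail client wrapped it, and the alert table is a subset of RFC 2246 section 7.2.

```python
import re
from typing import Dict, List, Optional

# TLS alert descriptions (RFC 2246, section 7.2). OpenSSL reports an alert
# received *from the peer* as reason code SSL_AD_REASON_OFFSET (1000) + alert.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
              46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
              50: "decode_error", 51: "decrypt_error", 70: "protocol_version"}
ALERT_OFFSET, ERR_LIB_SSL = 1000, 0x14
# Radiator embeds the OpenSSL error string as error:LLFFFRRR:lib:function:reason
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]+:([^:]+):(.+)$")
# Radiator log records start with a timestamp; other lines are mail-client wraps.
RECORD_START = re.compile(r"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun) ")

def unwrap(log_text: str) -> List[str]:
    """Re-join folded log lines so each Radiator record is a single string."""
    records: List[str] = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_openssl_error(record: str) -> Optional[Dict[str, object]]:
    """Decode error:LLFFFRRR: bits 31-24 library, 23-12 function, 11-0 reason."""
    m = ERR_RE.search(record)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, reason = code >> 24, code & 0xFFF
    # A reason >= 1000 in the SSL library means the *peer* sent this alert,
    # i.e. the supplicant, not Radiator, aborted the handshake.
    alert = reason - ALERT_OFFSET if lib == ERR_LIB_SSL and reason >= ALERT_OFFSET else None
    return {"function": m.group(2), "reason": reason, "text": m.group(3).strip(),
            "peer_alert": alert,
            "alert_name": TLS_ALERTS.get(alert, "unknown") if alert is not None else None}

def failures(log_text: str) -> List[Dict[str, object]]:
    """All TLS handshake failures found in a (possibly line-wrapped) Radiator log."""
    return [f for f in map(parse_openssl_error, unwrap(log_text)) if f]

# Constructed sample: the two records quoted in the post, as the mail client wrapped them.
SAMPLE_LOG = """Sun Sep  7 11:23:52 2003: DEBUG: EAP result: 1, EAP TLS Handshake
unsuccessful:  48130: 1 - error:14094417:SSL
routines:SSL3_READ_BYTES:sslv3 alert illegal parameter
Sun Sep  7 11:23:52 2003: INFO: Access rejected for kevin.schmidt: EAP
TLS Handshake unsuccessful:  48130: 1 - error:14094417:SSL
routines:SSL3_READ_BYTES:sslv3 alert illegal parameter"""
```

Running `failures(SAMPLE_LOG)` on the sample yields two entries, each with function SSL3_READ_BYTES and peer_alert 47 (illegal_parameter), confirming the alert came from the supplicant side.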

