(RADIATOR) Help getting EAP-TTLS working with HP 420 & Linksys WPC54G
Jennifer Mehl
jmehl at physics.ucsb.edu
Fri Aug 27 18:53:55 CDT 2004
Hi Radiator List folks,

I'm trying to set up the following:

Radiator 3.9 (RHL)
HP 420 Wireless Access Point
Linksys WPC54G Wireless client card (802.11g)
802.1x using TKIP or AES multicast cipher
w/ EAP-TTLS with demo CA and certs, and PAP inner auth
to flat file for anonymous outer auth
to LDAPv2 (openLDAP) for inner auth (password stored in SHA one-way hash)

However, it seems like the Challenge is being sent to the wireless client but it is never replied to, finally ending in log entry "EAP TTLS nothing to read or write."

Eventually I would like to get PEAP - EAP GTC working as well, but that's for another day.

I would really appreciate some assistance on this. Relevant config and log files below (minus secrets and IP addresses).

thanks everyone,
Jennifer
--
========================================
Jennifer L. Mehl
Senior Systems Administrator
University of California, Santa Barbara
Physics Computing Services
jmehl (at) physics.ucsb.edu
(805) 893-8366 work
(805) 451-7486 cell
========================================
CONFIG FILE
-----------
# Listen for authentication requests on port 1812
AuthPort 1812
# Listen for accounting requests on port 1813
AcctPort 1813
# Run as user radius (not root)
User radius
# Dictionary file lives here
DictionaryFile /etc/radiator/dictionary
# Logging parameters
Trace 4
LogDir /var/log/
LogFile /var/log/radius
# PID file
PidFile /var/run/radiusd.pid

# This is the default client - used for radpwtest
<Client DEFAULT>
    Secret mysecret
    DupInterval 0
</Client>

# This is the test wireless access point
<Client 128.111.x.x>
    Secret *******
</Client>

# This is the default realm
#<Realm DEFAULT>
#    AcctLogFileName /var/log/radacctlog
#    <AuthBy FILE>
#        Filename /etc/radiator/users
#    </AuthBy>
#</Realm>

<Realm DEFAULT>
    AcctLogFileName /var/log/radacctlog
    <AuthBy FILE>
        Filename /etc/radiator/users
        EAPType TTLS
        #EAPAnonymous anonymous at INNER
        EAPTLS_CAFile /usr/share/doc/Radiator-3.9/certificates/demoCA/cacert.pem
        EAPTLS_CAPath /usr/share/doc/Radiator-3.9/certificates/demoCA
        EAPTLS_CertificateFile /usr/share/doc/Radiator-3.9/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /usr/share/doc/Radiator-3.9/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        AutoMPPEKeys
    </AuthBy>
</Realm>

# This is for TTLS inner authentication request
<Handler TunnelledByTTLS=1>
    #Try LDAP first
    <AuthBy LDAP2>
        EAPType TTLS
        Host local
        Port 389
        AuthDN cn=Manager,dc=physics,dc=ucsb,dc=edu
        AuthPassword *****
        BaseDN dc=physics,dc=ucsb,dc=edu
        UsernameAttr uid
        PasswordAttr userPassword
        Version 3
        Debug 255
        AddToReply Framed-Protocol = PPP,\
            Framed-IP-Netmask = 255.255.255.255,\
            Framed-Routing = None,\
            Framed-MTU = 1500,\
            Framed-Compression = Van-Jacobson-TCP-IP
    </AuthBy>
    #Fallback to flat file if LDAP down
    <AuthBy FILE>
        Filename /etc/radiator/users
    </AuthBy>
</Handler>

# Add this for PEAP inner authentication request
#<Handler TunnelledByPEAP=1>
#    RewriteUsername s/(.*)\\(.*)/$2/
#    <AuthBy FILE>
#        Filename /etc/radiator/users
#        EAPType PEAP,MSCHAP-V2
#    </AuthBy>
#</Handler>
LOG (debug)
-----------
Fri Aug 27 16:34:02 2004: DEBUG: Packet dump:
*** Received from 128.111.xx.xx port 1054 ....
Code: Access-Request
Identifier: 21
Authentic: kWkWkWkWkWkWkWkW
Attributes:
NAS-IP-Address = 128.111.xx.xx
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 1
Framed-MTU = 1400
User-Name = "Anonymous"
Calling-Station-Id = "000f6606ed19"
Called-Station-Id = "0001e6ff9489"
NAS-Identifier = "Physics Wireless Test"
EAP-Message = <2><1><0><14><1>Anonymous
Message-Authenticator = <183>y<215><27><163>R<23>3<203><167><160><213>f<226><246><255>
Fri Aug 27 16:34:02 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Aug 27 16:34:02 2004: DEBUG: Deleting session for Anonymous, 128.111.xx.xx, 1
Fri Aug 27 16:34:02 2004: DEBUG: Handling with Radius::AuthFILE:
Fri Aug 27 16:34:02 2004: DEBUG: Handling with EAP: code 2, 1, 14
Fri Aug 27 16:34:02 2004: DEBUG: Response type 1
Fri Aug 27 16:34:04 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
Fri Aug 27 16:34:04 2004: DEBUG: Access challenged for Anonymous: EAP TTLS Challenge
Fri Aug 27 16:34:04 2004: DEBUG: Packet dump:
*** Sending to 128.111.xx.xx port 1054 ....
Code: Access-Challenge
Identifier: 21
Authentic: kWkWkWkWkWkWkWkW
Attributes:
EAP-Message = <1><2><0><6><21>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Fri Aug 27 16:34:07 2004: DEBUG: Packet dump:
*** Received from 128.111.xx.xx port 1055 ....
Code: Access-Request
Identifier: 22
Authentic: <12><242><12><242><12><242><12><242><12><242><12><242><12><242><12><242>
Attributes:
NAS-IP-Address = 128.111.xx.xx
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 1
Framed-MTU = 1400
User-Name = "Anonymous"
Calling-Station-Id = "000f6606ed19"
Called-Station-Id = "0001e6ff9489"
NAS-Identifier = "Physics Wireless Test"
EAP-Message = <2><2><0>b<21><128><0><0><0>X<22><3><1><0>S<1><0><0>O<3><1>A/<196><245><179><241><247>k&<12>6<149>B>d<136>f<209><215><182><181>NL<157><172><19>s<245><186><244><251><249><0><0>(<0><22><0><19><0>f<0><21><0><18><0><10><0><5><0><4><0><9><0>c<0>e<0>`<0>b<0>a<0>d<0><20><0><17><0><3><0><6><0><8><1><0>
Message-Authenticator = <216><199>N<186><238><167><230>I
4$Ej<176>X<176>
Fri Aug 27 16:34:07 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Aug 27 16:34:07 2004: DEBUG: Deleting session for Anonymous, 128.111.17.14, 1
Fri Aug 27 16:34:07 2004: DEBUG: Handling with Radius::AuthFILE:
Fri Aug 27 16:34:07 2004: DEBUG: Handling with EAP: code 2, 2, 98
Fri Aug 27 16:34:07 2004: DEBUG: Response type 21
Fri Aug 27 16:34:07 2004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Fri Aug 27 16:34:07 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
Fri Aug 27 16:34:07 2004: DEBUG: Access challenged for Anonymous: EAP TTLS Challenge
Fri Aug 27 16:34:07 2004: DEBUG: Packet dump:
*** Sending to 128.111.xx.xx port 1055 ....
Code: Access-Challenge
Identifier: 22
Authentic: <12><242><12><242><12><242><12><242><12><242><12><242><12><242><12><242>
Attributes:
EAP-Message = [multi-attribute binary dump of the TLS server handshake (ServerHello and demo certificate chain) omitted]
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Fri Aug 27 16:34:58 2004: DEBUG: Packet dump:
*** Received from 128.111.xx.xx port 1029 ....
Code: Access-Request
Identifier: 1
Authentic: \<14>\<14>\<14>\<14>\<14>\<14>\<14>\<14>
Attributes:
NAS-IP-Address = 128.111.xx.xx
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 1
Framed-MTU = 1400
User-Name = "Anonymous"
Calling-Station-Id = "000f6606ed19"
Called-Station-Id = "0001e6ff9489"
NAS-Identifier = "Physics Wireless Test"
EAP-Message = <2><1><0><14><1>Anonymous
Message-Authenticator = <129><181><224><199><255><240>)<180><156>O<241><8>HN<134>F
Fri Aug 27 16:34:58 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Aug 27 16:34:58 2004: DEBUG: Deleting session for Anonymous, 128.111.17.14, 1
Fri Aug 27 16:34:58 2004: DEBUG: Handling with Radius::AuthFILE:
Fri Aug 27 16:34:58 2004: DEBUG: Handling with EAP: code 2, 1, 14
Fri Aug 27 16:34:58 2004: DEBUG: Response type 1
Fri Aug 27 16:34:58 2004: DEBUG: Resuming session for Radius::Context=HASH(0x871fc40)
Fri Aug 27 16:34:58 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
Fri Aug 27 16:34:58 2004: DEBUG: Access challenged for Anonymous: EAP TTLS Challenge
Fri Aug 27 16:34:58 2004: DEBUG: Packet dump:
*** Sending to 128.111.xx.xx port 1029 ....
Code: Access-Challenge
Identifier: 1
Authentic: \<14>\<14>\<14>\<14>\<14>\<14>\<14>\<14>
Attributes:
EAP-Message = <1><2><0><6><21>
Fri Aug 27 16:35:18 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Aug 27 16:35:18 2004: DEBUG: Deleting session for Anonymous, 128.111.17.14, 1
Fri Aug 27 16:35:18 2004: DEBUG: Handling with Radius::AuthFILE:
Fri Aug 27 16:35:18 2004: DEBUG: Handling with EAP: code 2, 3, 6
Fri Aug 27 16:35:18 2004: DEBUG: Response type 21
Fri Aug 27 16:35:18 2004: DEBUG: EAP result: 2, EAP TTLS Nothing to read or write
Fri Aug 27 16:35:23 2004: DEBUG: Packet dump:
*** Received from 128.111.xx.xx port 1033 ....
Code: Access-Request
Identifier: 5
Authentic: <28>+<28>+<28>+<28>+<28>+<28>+<28>+<28>+
Attributes:
NAS-IP-Address = 128.111.xx.xx
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 1
Framed-MTU = 1400
User-Name = "Anonymous"
Calling-Station-Id = "000f6606ed19"
Called-Station-Id = "0001e6ff9489"
NAS-Identifier = "Physics Wireless Test"
EAP-Message = <2><3><0><6><21><0>
Message-Authenticator = xi?<203>.<241><200>8O<128><127>T<213><194>2<234>
Fri Aug 27 16:35:23 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Aug 27 16:35:23 2004: DEBUG: Deleting session for Anonymous, 128.111.17.14, 1
Fri Aug 27 16:35:23 2004: DEBUG: Handling with Radius::AuthFILE:
Fri Aug 27 16:35:23 2004: DEBUG: Handling with EAP: code 2, 3, 6
Fri Aug 27 16:35:23 2004: DEBUG: Response type 21
Fri Aug 27 16:35:23 2004: DEBUG: EAP result: 2, EAP TTLS Nothing to read or write
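The EAP-Message values in the dumps above are written in Radiator's `<n>` byte notation. As an added example (not from the original post and not Radiator's own code), here is a Python decoder for that notation that reads the EAP header, the EAP-TTLS flags byte and the leading TLS record, so the exchange can be read as Identity, TTLS Start, a ClientHello fragment, a ServerHello fragment, and finally the empty TTLS ACK that precedes "EAP TTLS Nothing to read or write". The sample messages are constructed from the log and cut after their TLS headers; the Start packet's flags byte (0x20, a space) is assumed to have been trimmed from the end of the logged line.

```python
import re

# EAP codes (RFC 3748); EAP-TTLS flag bits (RFC 5281): L = length field present,
# M = more fragments follow, S = start. EAP type 1 is Identity, type 21 is TTLS.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20
TLS_RECORD = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}

def unescape(dump: str) -> bytes:
    """Radiator packet-dump notation: <n> is the byte n, any other character is itself."""
    toks = re.findall(r"<\d{1,3}>|.", dump, re.S)
    return bytes(int(t[1:-1]) if len(t) > 1 else ord(t) for t in toks)

def describe_ttls(body: bytes) -> str:
    """Summarise a TTLS payload: flags, fragment length and the leading TLS record."""
    flags = body[0] if body else 0
    bits = "".join(n for n, b in (("L", FLAG_L), ("M", FLAG_M), ("S", FLAG_S)) if flags & b) or "-"
    if flags & FLAG_S:
        return f"EAP-TTLS Start (flags {bits})"
    total = int.from_bytes(body[1:5], "big") if flags & FLAG_L else None
    tls = body[5:] if flags & FLAG_L else body[1:]
    if not tls:  # a TTLS packet carrying no TLS data is an ACK of the peer's last fragment
        return f"EAP-TTLS ACK (flags {bits}, no TLS data)"
    rec = TLS_RECORD.get(tls[0], f"record {tls[0]}")
    hs = " " + HANDSHAKE.get(tls[5], f"handshake {tls[5]}") if tls[0] == 22 and len(tls) > 5 else ""
    frag = f", fragment of {total} bytes" if total is not None else ""
    return f"EAP-TTLS data (flags {bits}{frag}): TLS {rec}{hs} v{tls[1]}.{tls[2]} len {int.from_bytes(tls[3:5], 'big')}"

def decode_eap(dump: str) -> dict:
    """Parse one logged EAP-Message into the fields Radiator prints as 'code, id, length'."""
    d = unescape(dump)
    etype = d[4] if len(d) > 4 else None  # Success/Failure packets carry no type byte
    if etype == 1:
        summary = f"Identity '{d[5:].decode('ascii', 'replace')}'"
    elif etype == 21:
        summary = describe_ttls(d[5:])
    else:
        summary = EAP_CODES.get(d[0], f"code {d[0]}") + (f", type {etype}" if etype else "")
    return {"code": d[0], "id": d[1], "len": int.from_bytes(d[2:4], "big"), "type": etype, "summary": summary}

# Constructed from the post's log, TLS payloads cut after their headers; the Start packet's
# flags byte (0x20, a space) is assumed to have been trimmed from the end of the logged line.
SAMPLE = ["<2><1><0><14><1>Anonymous", "<1><2><0><6><21> ",
          "<2><2><0>b<21><128><0><0><0>X<22><3><1><0>S<1><0><0>O<3><1>",
          "<1><3><8><10><21><192><0><0><8>P<22><3><1><0>J<2><0><0>F<3><1>",
          "<2><3><0><6><21><0>"]

for p in map(decode_eap, SAMPLE):
    print(f"{EAP_CODES[p['code']]:8} id={p['id']:<2} len={p['len']:<4} {p['summary']}")
```

The decoded lengths match the "code, id, length" triples Radiator logs (14, 98 and 6), and the last client message decodes as a TTLS ACK with no TLS payload.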