(RADIATOR) Help getting EAP-TTLS working with HP 420 & Linksys WPC54G
Terry Simons
galimore at mac.com
Fri Aug 27 22:32:05 CDT 2004
Hi Jennifer,
I have instructions for the 420 listed at:
http://wireless.utah.edu/global/support/authenticator_playground/hp/
procurve_420_wap.html
It's not really clear if you are using RedHat as the Authentication
Server, or Supplicant OS.
I have used Mac OS X, Windows, and Linux successfully with TTLS->PAP in
one incarnation or another with the AP.
One thing you should be aware of is that if you are using Mac OS X you
need to make sure that your multicast-cipher is set to TKIP, otherwise
you won't be able to authenticate correctly (Known bug with the Accton
reference design APs, Apple is working on it).
Basically Mac OS X requires a "pure TKIP" at this time. Affected APs
include the HP 420, Foundry IronPoint 200, Extreme Summit 300si (IIRC),
and 3Com 8xxx series APs. (And probably others).
If you are using Windows, it should work with either pure TKIP or TKIP
unicast/WEP multicast mode, provided your driver behaves properly.
WPA support in Linux is very shaky at this point, so you should
probably get things working without the TKIP, if you are using Linux,
to verify that everything is configured properly.
I know the combination you are trying works with the SecureW2 TTLS
client for Windows, though I can't recall if I've tested the AEGIS
client recently, and I know I haven't used the Funk client on this
particular combination.
I am also using the Radiator test certificates.
If you want me to try to reproduce your issue I'd be happy to help.
- Terry
P.S. I saw Mike's reply, and I am typically testing with a
MaxFragmentSize of 1024, though I have seen instances when 1000 or less
is required on certain types of APs).
On Aug 27, 2004, at 5:53 PM, Jennifer Mehl wrote:
> Hi Radiator List folks,
>
> I'm trying to set up the following:
>
> Radiator 3.9 (RHL)
> HP 420 Wireless Access Point
> Linksys WPC54G Wireless client card (802.11g)
> 802.1x using TKIP or AES multicast cipher
> w/ EAP-TTLS with demo CA and certs, and PAP inner auth
> to flat file for anonymous outer auth
> to LDAPv2 (openLDAP) for inner auth (password stored in SHA one-way
> hash)
>
> However, it seems like the Challenge is being sent to the wireless
> client but it is never replied to, finally ending in log entry "EAP
> TTLS nothing to read or write."
>
> Eventually I would like to get PEAP - EAP GTC working as well, but
> that's for another day.
>
> I would really appreciate some assistance on this. Relevant config
> and log files below (minus secrets and IP addresses).
>
> thanks everyone,
> Jennifer
>
> --
> ========================================
> Jennifer L. Mehl
> Senior Systems Administrator
> University of California, Santa Barbara
> Physics Computing Services
> jmehl (at) physics.ucsb.edu
> (805) 893-8366 work
> (805) 451-7486 cell
> ========================================
>
> CONFIG FILE
> -----------
>
> # Listen for authentication requests on port 1812
> AuthPort 1812
>
> # Listen for accounting requests on port 1813
> AcctPort 1813
>
> # Run as user radius (not root)
> User radius
>
> # Dictionary file lives here
> DictionaryFile /etc/radiator/dictionary
>
> # Logging parameters
> Trace 4
> LogDir /var/log/
> LogFile /var/log/radius
>
> # PID file
> PidFile /var/run/radiusd.pid
>
> # This is the default client - used for radpwtest
> <Client DEFAULT>
> Secret mysecret
> DupInterval 0
> </Client>
>
>
> # This is the test wireless access point
> <Client 128.111.x.x >
> Secret *******
> </Client>
>
>
> # This is the default realm
>
> #<Realm DEFAULT>
> # AcctLogFileName /var/log/radacctlog
> #<AuthBy FILE>
> # Filename /etc/radiator/users
> #</AuthBy>
> #</Realm>
>
> <Realm DEFAULT>
> AcctLogFileName /var/log/radacctlog
> <AuthBy FILE>
> Filename /etc/radiator/users
> EAPType TTLS
> #EAPAnonymous anonymous at INNER
> EAPTLS_CAFile
> /usr/share/doc/Radiator-3.9/certificates/demoCA/cacert.pem
> EAPTLS_CAPath /usr/share/doc/Radiator-3.9/certificates/demoCA
> EAPTLS_CertificateFile
> /usr/share/doc/Radiator-3.9/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile
> /usr/share/doc/Radiator-3.9/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
> AutoMPPEKeys
> </AuthBy>
> </Realm>
>
> # This is for TTLS inner authentication request
> <Handler TunnelledByTTLS=1>
> #Try LDAP first
> <AuthBy LDAP2>
> EAPType TTLS
> Host local
> Port 389
> AuthDN cn=Manager,dc=physics,dc=ucsb,dc=edu
> AuthPassword *****
> BaseDN dc=physics,dc=ucsb,dc=edu
> UsernameAttr uid
> PasswordAttr userPassword
> Version 3
> Debug 255
> AddToReply Framed-Protocol = PPP,\
> Framed-IP-Netmask = 255.255.255.255,\
> Framed-Routing = None,\
> Framed-MTU = 1500,\
> Framed-Compression = Van-Jacobson-TCP-IP
> </AuthBy>
> #Fallback to flat file if LDAP down
> <AuthBy FILE>
> Filename /etc/radiator/users
> </AuthBy>
> </Handler>
>
> # Add this for PEAP inner authentication reuqest
> #<Handler TunnelledByPEAP=1>
> #RewriteUsername s/(.*)\\(.*)/$2/
>
> #<AuthBy FILE>
> # Filename /etc/radiator/users
> # EAPType PEAP,MSCHAP-V2
> #</AuthBy>
> #</Handler>
>
>
> LOG (debug)
> -----------
>
> Fri Aug 27 16:34:02 2004: DEBUG: Packet dump:
> *** Received from 128.111.xx.xx port 1054 ....
> Code: Access-Request
> Identifier: 21
> Authentic: kWkWkWkWkWkWkWkW
> Attributes:
> NAS-IP-Address = 128.111.xx.xx
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 1
> Framed-MTU = 1400
> User-Name = "Anonymous"
> Calling-Station-Id = "000f6606ed19"
> Called-Station-Id = "0001e6ff9489"
> NAS-Identifier = "Physics Wireless Test"
> EAP-Message = <2><1><0><14><1>Anonymous
> Message-Authenticator =
> <183>y<215><27><163>R<23>3<203><167><160><213>f<226><246><255>
>
> Fri Aug 27 16:34:02 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug 27 16:34:02 2004: DEBUG: Deleting session for Anonymous,
> 128.111.xx.xx, 1
> Fri Aug 27 16:34:02 2004: DEBUG: Handling with Radius::AuthFILE:
> Fri Aug 27 16:34:02 2004: DEBUG: Handling with EAP: code 2, 1, 14
> Fri Aug 27 16:34:02 2004: DEBUG: Response type 1
> Fri Aug 27 16:34:04 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
> Fri Aug 27 16:34:04 2004: DEBUG: Access challenged for Anonymous: EAP
> TTLS Challenge
> Fri Aug 27 16:34:04 2004: DEBUG: Packet dump:
> *** Sending to 128.111.xx.xx port 1054 ....
> Code: Access-Challenge
> Identifier: 21
> Authentic: kWkWkWkWkWkWkWkW
> Attributes:
> EAP-Message = <1><2><0><6><21>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Aug 27 16:34:07 2004: DEBUG: Packet dump:
> *** Received from 128.111.xx.xx port 1055 ....
> Code: Access-Request
> Identifier: 22
> Authentic:
> <12><242><12><242><12><242><12><242><12><242><12><242><12><242><12><242
> >
> Attributes:
> NAS-IP-Address = 128.111.xx.xx
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 1
> Framed-MTU = 1400
> User-Name = "Anonymous"
> Calling-Station-Id = "000f6606ed19"
> Called-Station-Id = "0001e6ff9489"
> NAS-Identifier = "Physics Wireless Test"
> EAP-Message =
> <2><2><0>b<21><128><0><0><0>X<22><3><1><0>S<1><0><0>O<3><1>A/
> <196><245><179><241><247>k&<12>6<149>B>d<136>f<209><215><182><181>NL<15
> 7><172><19>s<245><186><244><251><249><0><0>(<0><22><0><19><0>f<0><21><0
> ><18><0><10><0><5><0><4><0><9><0>c<0>e<0>`<0>b<0>a<0>d<0><20><0><17><0>
> <3><0><6><0><8><1><0>
> Message-Authenticator = <216><199>N<186><238><167><230>I
> 4$Ej<176>X<176>
>
> Fri Aug 27 16:34:07 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug 27 16:34:07 2004: DEBUG: Deleting session for Anonymous,
> 128.111.17.14, 1
> Fri Aug 27 16:34:07 2004: DEBUG: Handling with Radius::AuthFILE:
> Fri Aug 27 16:34:07 2004: DEBUG: Handling with EAP: code 2, 2, 98
> Fri Aug 27 16:34:07 2004: DEBUG: Response type 21
> Fri Aug 27 16:34:07 2004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Fri Aug 27 16:34:07 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
> Fri Aug 27 16:34:07 2004: DEBUG: Access challenged for Anonymous: EAP
> TTLS Challenge
> Fri Aug 27 16:34:07 2004: DEBUG: Packet dump:
> *** Sending to 128.111.xx.xx port 1055 ....
> Code: Access-Challenge
> Identifier: 22
> Authentic:
> <12><242><12><242><12><242><12><242><12><242><12><242><12><242><12><242
> >
> Attributes:
> EAP-Message =
> <1><3><8><10><21><192><0><0><8>P<22><3><1><0>J<2><0><0>F<3><1>A/
> <196><239>f<192><150>L<1>:
> @<192>x<196>W<129>*2<130>T<159>F<9><245><168><3><181><170><161><229><17
> >]
> <27>&h%<142><154><239><21><215>&<193>C<196><194><237>jG<136><130>`<211>
> <172><171><217><133><132>Fr<185><186><210><168><0><10><0><22><3><1><7><
> 27><11><0><7><23><0><7><20><0><2><209>0<130><2><205>0<130><2>6<160><3><
> 2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><
> 202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victor
> ia1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><2
> 1>OSC Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
> Sec
> EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not
> use in production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30>
> <23><13>040316080209Z<23><13>060316080209Z0u1<11>0<9><6><3>U<4><6><19><
> 2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9
> >Melbourne1<24>0<22><6><3>U<4><10><19><15>My Test
> Company1%0#<6><3>U<4><3><19><28>test.server.some.company.com0<129><159>
> 0<13><6><9>*<134>H<134><247><13><1><1>
> EAP-Message =
> <1><5><0><3><129><141><0>0<129><137><2><129><129><0><216>4<7><6><214><2
> 34>/
> <241>.9<209><250>\y<1><149>[<215><24>e<133><15><223>d<176><132>Z<222>#<
> 234><12>%<133>aF<28><20><24><218><160><197><239><237><136><222><218><13
> 8><6><19><247>}*3B<155><24>TE<18><240><194><220><164><183>9<192><176>/
> <16>HI<220><169>vN<215>)<31><207><24><157><230>G<186>)<246>J<195><171><
> 154><249><220>v<17><159><2>x<29><136><148>:
> b<170><254><4><207><183><144><210><251>+<233><135>0<212>Y<207><158>N<22
> 6><136><12><132><143><250><182><218>W<2><3><1><0><1><163><23>0<21>0<19>
> <6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<
> 134><247><13><1><1><4><5><0><3><129><129><0>n<23><196><159>c<165><188>>
> q<129>X<13>=l?
> <174><155><170><162><189><20><25>az<19>o<202><250>|B8N<209><225><253>?
> hv<170><193><235><2>b<16><201>}<250>,<181>q<154>%<182><29><179>p<211><2
> 48>oba<
> EAP-Message =
> JP<13>p<12>+<154><199>1<16><208><138><21><141>'wrX<214>NUW<231><173><25
> >w<215><13><152><154>T<218><8><246><202>.<177>9s*<220><219>n"Gu<188><25
> 4><206>U?
> <214>)<181>I2^<157><225><174><232>2e<185>k<131><0><4>=0<130><4>90<130><
> 3><162><160><3><2><1><2><2><1><0>0<13><6><9>*<134>H<134><247><13><1><1>
> <4><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4>
> <8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><
> 3>U<4><10><19><21>OSC Demo
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not
> EAP-Message = use in production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30>
> <23><13>040316080125Z<23><13>060316080125Z0<129><202>1<11>0<9><6><3>U<4
> ><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4>
> <7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in productio
> EAP-Message = n)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<129
> ><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<
> 129><137><2><129><129><0><204><181>%Q<192>7g0<140><153>0xg<240><152><24
> 8><199><214><253>W<7><220>|fd<163><137>%F<216><220><148><230><6><18>ie<
> 144>'<244>P<8>DxJ<138>n<203>k8<164><239><179>H<237>K<182>mo<155><145><1
> 38><143><136><127><230><<9>l<172><210><205><136><162><29>)1<4><206><11>
> g<163><226>i@<206>o<210>,<185><173><234><3>^4<221><252><168>H<178><158>
> <25><235><152><250>g<199><172><250>uSr<156><205>P<150>O<197><240>=a<255
> >_<209><12><163><0>U<2><3><1><0><1><163><130><1>+0<130><1>'0<29><6><3>U
> <29><14><4><22><4><20><23><2><196>#<233><210>F0D<173>f]r<193>H?
> <164><27>ke0<129><247><6><3>U<29>#<4><129><239>0<129><236><128><20>
> EAP-Message =
> <23><2><196>#<233><210>F0D<173>f]r<193>H?
> <164><27>ke<161><129><208><164><129><205>0<129><202>1<11>0<9><6><3>U<4>
> <6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><
> 7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au<130>
> <1><0>0<12><6><3>U<29><19><4><5>0<3><1><1><255>0<13><6><9>*
> EAP-Message =
> <134>H<134><247><13><1><1><4><5><0><3><129><129><0>0<3>=<202><190><236>
> S<216><228>o<177><242><18>hEBe<219>W<136><245>tf<202><143><160><29><220
> >p9<5><24>2<185>)<128><227>8<17><247>'_J<28><159>;
> _<202><254><242>+{=P<245><215>K<160><136>qml<181><24>3<0>f<166>Q(<2><19
> 3><29>-
> <228><19><184>C<139>9}r1<188>DTlK<255><15><12>TL<160><177>DuY+<156><143
> ><225><149><237><135>ix<22>O<231><212><154><184><10>fZ<248>Va#<192><160
> >l<21><129>0<199>6<22><3><1><0><220><13><0><0><212><2><1><2><0><207><0>
> <205>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><
> 19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<
> 4><10><19><21>OSC Demo Certificates1!0<31><6><3>U<4>
> EAP-Message = <11><19><24>Test Certificate Section1/0-<6><3>U
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Aug 27 16:34:58 2004: DEBUG: Packet dump:
> *** Received from 128.111.xx.xx port 1029 ....
> Code: Access-Request
> Identifier: 1
> Authentic: \<14>\<14>\<14>\<14>\<14>\<14>\<14>\<14>
> Attributes:
> NAS-IP-Address = 128.111.xx.xx
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 1
> Framed-MTU = 1400
> User-Name = "Anonymous"
> Calling-Station-Id = "000f6606ed19"
> Called-Station-Id = "0001e6ff9489"
> NAS-Identifier = "Physics Wireless Test"
> EAP-Message = <2><1><0><14><1>Anonymous
> Message-Authenticator =
> <129><181><224><199><255><240>)<180><156>O<241><8>HN<134>F
>
> Fri Aug 27 16:34:58 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug 27 16:34:58 2004: DEBUG: Deleting session for Anonymous,
> 128.111.17.14, 1
> Fri Aug 27 16:34:58 2004: DEBUG: Handling with Radius::AuthFILE:
> Fri Aug 27 16:34:58 2004: DEBUG: Handling with EAP: code 2, 1, 14
> Fri Aug 27 16:34:58 2004: DEBUG: Response type 1
> Fri Aug 27 16:34:58 2004: DEBUG: Resuming session for
> Radius::Context=HASH(0x871fc40)
>
> Fri Aug 27 16:34:58 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
> Fri Aug 27 16:34:58 2004: DEBUG: Access challenged for Anonymous: EAP
> TTLS Challenge
> Fri Aug 27 16:34:58 2004: DEBUG: Packet dump:
> *** Sending to 128.111.xx.xx port 1029 ....
> Code: Access-Challenge
> Identifier: 1
> Authentic: \<14>\<14>\<14>\<14>\<14>\<14>\<14>\<14>
> Attributes:
> EAP-Message = <1><2><0><6><21>
>
> Fri Aug 27 16:35:18 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug 27 16:35:18 2004: DEBUG: Deleting session for Anonymous,
> 128.111.17.14, 1
> Fri Aug 27 16:35:18 2004: DEBUG: Handling with Radius::AuthFILE:
> Fri Aug 27 16:35:18 2004: DEBUG: Handling with EAP: code 2, 3, 6
> Fri Aug 27 16:35:18 2004: DEBUG: Response type 21
> Fri Aug 27 16:35:18 2004: DEBUG: EAP result: 2, EAP TTLS Nothing to
> read or write
> Fri Aug 27 16:35:23 2004: DEBUG: Packet dump:
> *** Received from 128.111.xx.xx port 1033 ....
> Code: Access-Request
> Identifier: 5
> Authentic: <28>+<28>+<28>+<28>+<28>+<28>+<28>+<28>+
> Attributes:
> NAS-IP-Address = 128.111.xx.xx
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 1
> Framed-MTU = 1400
> User-Name = "Anonymous"
> Calling-Station-Id = "000f6606ed19"
> Called-Station-Id = "0001e6ff9489"
> NAS-Identifier = "Physics Wireless Test"
> EAP-Message = <2><3><0><6><21><0>
> Message-Authenticator =
> xi?<203>.<241><200>8O<128><127>T<213><194>2<234>
>
> Fri Aug 27 16:35:23 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug 27 16:35:23 2004: DEBUG: Deleting session for Anonymous,
> 128.111.17.14, 1
> Fri Aug 27 16:35:23 2004: DEBUG: Handling with Radius::AuthFILE:
> Fri Aug 27 16:35:23 2004: DEBUG: Handling with EAP: code 2, 3, 6
> Fri Aug 27 16:35:23 2004: DEBUG: Response type 21
> Fri Aug 27 16:35:23 2004: DEBUG: EAP result: 2, EAP TTLS Nothing to
> read or write
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list