(RADIATOR) Enterasys R2 TTLS authent failing

Michael Harlow Michael.Harlow at utas.edu.au
Mon Jan 12 22:54:05 CST 2004


I have successfully set up EAP-TTLS/PAP authenticated against a mySQL
database, for my Cisco 350 and 1200 AP, in both VxWorks and IOS versions.
However, when I try and turn on 802.1x in my Enterasys R2 AP, the client
(Odyssey) does not prompt for password, and I see the Radiator sending a
copy of a certificate to the AP, but nothing happens. The following also
appears on the console of the R2:

function send_eapol_packet_to_supplicant in file aaa_eapol_mux.c line 425:
out, cannot get cluster for pdu part of EAPOL msg!

Has anyone got an R2 working, and can help me work out which tick boxes I
need to make it behave as nicely as the Ciscos?

I've read everything I can find on the Funk and Enterasys sites.

A second unrelated problem. With the Cisco 1200s I get different accounting
records from the 350s running VxWorks rather than IOS. The IOS APs don't
seem to log the accounting data with a NASIDENTIFIER field, just a NASPORT,
whereas the 350s running VxWorks do list their domain name (NASIDENTIFIER
and NASPORT) in the accounting data. Is this a configuration problem?


Thanks, Michael

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# eap_ttls.cfg
#
#Foreground
#LogStdout
LogDir          /var/log/radius
DbDir           /var/radius
Trace   4

<Client DEFAULT>
        Secret  xxxxx
        DupInterval 0
</Client>
<ClientListSQL>
        DBSource        dbi:mysql:radiator
        DBUsername      radiator
        DBAuth          xxxxx
</ClientListSQL>

<Realm DEFAULT>
        <AuthBy SQL>
                EAPType TTLS,MSCHAP-V2
                DBSource        dbi:mysql:database=RADIATOR;host=xxxxx.utas.edu.au
                DBUsername      radiator
                DBAuth          xxxxx
                AccountingTable ACCOUNTING
                AcctColumnDef   USERNAME,User-Name
                AcctColumnDef   TIME_STAMP,Timestamp,integer
                AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
                AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
                AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
                AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
                AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
                AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
                AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
                AcctColumnDef   NASIDENTIFIER,NAS-Identifier
                AcctColumnDef   NASPORT,NAS-Port,integer
                AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address

                AuthSelect select ENCRYPTEDPASSWORD from SUBSCRIBERS where USERNAME = '%n'
                EncryptedPassword
                AcctFailedLogFileName %D/missedaccounting

                EAPTLS_CAFile %D/certificates/cacert.pem
                EAPTLS_CertificateFile %D/certificates/clio.crt
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/certificates/clio.key
                EAPTLS_PrivateKeyPassword xxxxxxx
                EAPTLS_MaxFragmentSize 1024

                AutoMPPEKeys
        </AuthBy>

        PreProcessingHook file:"/usr/local/Radiator-3.8/goodies/eap_anon_hook.pl"
        PostAuthHook file:"/usr/local/Radiator-3.8/goodies/eap_anon_hook.pl"
</Realm>


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Tue Jan 13 14:58:17 2004: DEBUG: Packet dump:
*** Received from 131.217.2.55 port 1177 ....
Code:       Access-Request
Identifier: 39
Authentic:  <22>\<0><0>|`<0><0><139>e<0><0>8C<0><0>
Attributes:
        Message-Authenticator =
<250>5<192><247><231>GO<21><15><<248><224>\4<136>/
        User-Name = "outer-mike"
        NAS-IP-Address = 131.217.2.55
        NAS-Port = 2
        NAS-Port-Type = Wireless-IEEE-802-11
        Calling-Station-Id = "00-01-f4-ec-32-40"
        EAP-Message = <2><181><0><15><1>outer-mike
        Framed-MTU = 1000

Tue Jan 13 14:58:17 2004: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Tue Jan 13 14:58:17 2004: DEBUG:  Deleting session for outer-mike,
131.217.2.55, 2
Tue Jan 13 14:58:17 2004: DEBUG: Handling with Radius::AuthSQL
Tue Jan 13 14:58:17 2004: DEBUG: Handling with Radius::AuthSQL:
Tue Jan 13 14:58:17 2004: DEBUG: Handling with EAP: code 2, 181, 15
Tue Jan 13 14:58:17 2004: DEBUG: Response type 1
Tue Jan 13 14:58:17 2004: DEBUG: Resuming session for
Radius::Context=HASH(0x858d818)

Tue Jan 13 14:58:17 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
Tue Jan 13 14:58:17 2004: DEBUG: Access challenged for outer-mike: EAP TTLS
Challenge
Tue Jan 13 14:58:17 2004: DEBUG: Packet dump:
*** Sending to 131.217.2.55 port 1177 ....
Code:       Access-Challenge
Identifier: 39
Authentic:  <22>\<0><0>|`<0><0><139>e<0><0>8C<0><0>
Attributes:
        EAP-Message = <1><182><0><6><21>
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Jan 13 14:58:17 2004: DEBUG: Packet dump:
*** Received from 131.217.2.55 port 1177 ....
Code:       Access-Request
Identifier: 40
Authentic:  d><0><0><150><3><0><0>qy<0><0>Iy<0><0>
Attributes:
        Message-Authenticator =
<180>I<18><237><159>=h<245><21><144>n<202><245><143><143>_
        User-Name = "outer-mike"
        State = ""
        NAS-IP-Address = 131.217.2.55
        NAS-Port = 2
        NAS-Port-Type = Wireless-IEEE-802-11
        Calling-Station-Id = "00-01-f4-ec-32-40"
        Framed-MTU = 1000
        EAP-Message =
<2><182><0>b<21><128><0><0><0>X<22><3><1><0>S<1><0><0>O<3><1>@<3>l<144>E-<26
><4>9zD<196><232>/<171>*[<148><183><249>T<153><190>I<11><232>5<202><219><202
><194><200><0><0>(<0><22><0><19><0>f<0><21><0><18><0><10><0><5><0><4><0><9><
0>c<0>e<0>`<0>b<0>a<0>d<0><20><0><17><0><3><0><6><0><8><1><0>

Tue Jan 13 14:58:17 2004: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Tue Jan 13 14:58:17 2004: DEBUG:  Deleting session for outer-mike,
131.217.2.55, 2
Tue Jan 13 14:58:17 2004: DEBUG: Handling with Radius::AuthSQL
Tue Jan 13 14:58:17 2004: DEBUG: Handling with Radius::AuthSQL:
Tue Jan 13 14:58:17 2004: DEBUG: Handling with EAP: code 2, 182, 98
Tue Jan 13 14:58:17 2004: DEBUG: Response type 21
Tue Jan 13 14:58:17 2004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Tue Jan 13 14:58:17 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
Tue Jan 13 14:58:17 2004: DEBUG: Access challenged for outer-mike: EAP TTLS
Challenge
Tue Jan 13 14:58:17 2004: DEBUG: Packet dump:
*** Sending to 131.217.2.55 port 1177 ....
Code:       Access-Challenge
Identifier: 40
Authentic:  d><0><0><150><3><0><0>qy<0><0>Iy<0><0>
Attributes:
        EAP-Message =
<1><183><4><10><21><192><0><0><8><2><22><3><1><0>J<2><0><0>F<3><1>@<3>l<217>
<207>F9wQI<31>b<172>lYiu<227><200><157><21>T<211><181>P<208><134><186><194><
22><199>o
<153><254>&<185>-<152><228>7<155><141><192>oM<187><171><29><160>Z^Uo<200>0S<
26><166><216><204><252><234><200><22><0><10><0><22><3><1><6><228><11><0><6><
224><0><6><221><0><2><223>0<130><2><219>0<130><2>D<2><1>00<13><6><9>*<134>H<
134><247><13><1><1><4><5><0>0<129><179>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0
<15><6><3>U<4><8><19><8>Tasmania1<15>0<13><6><3>U<4><7><19><6>Hobart1<31>0<2
9><6><3>U<4><10><19><22>University of
Tasmania1<12>0<10><6><3>U<4><11><19><3>ITS1"0 <6><3>U<4><3><19><25>ITS INS
Signi
        EAP-Message = ng
Authority1-0+<6><9>*<134>H<134><247><13><1><9><1><22><30>sysprog at postoffice.
utas.edu.au0<30><23><13>040106045353Z<23><13>090104045353Z0<129><183>1<11>0<
9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Tasmania1<15>0<13><6><
3>U<4><7><19><6>Hobart1<31>0<29><6><3>U<4><10><19><22>University of
Tasmania1<21>0<19><6><3>U<4><11><19><12>IT
Resources1<29>0<27><6><3>U<4><3><19><20>clio.its.utas.edu.au1-0+<6><9>*<134>
H<134><247><13><1><9><1><22><30>syspro
        EAP-Message =
g at postoffice.utas.edu.au0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1>
<5><0><3><129><141><0>0<129><137><2><129><129><0><185>%<237>*6r<228>u<230><2
1>R<190><28>jYQr<1><240>hk(<144>BX<133><228><175><207>NB<203>)<190><131><13>
<188>sy<166>jZ\<249><154><31><228><2>m<225>9<26><179><168>:<<138><17><138><1
51><28><15><187>i<135><231><129><217><140>e<253><211><235>Z<138>kyc<146>x<24
0><241>G&Ou<193><190><197><199><24>z<216><200><25><22><204>6<155>w<130>"<<18
8><140><139>)MJ[<179><13>GB<16>z<213>?<233><129><140><200><171><236>=<228>p7
<2><3><1><0><1>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><129><
0>w<131>iE<160>(<129><191><174>8<127><17><172><<147><205>R<216><215><243>\<2
3><251>/<187><163>i%<141><130>^<232><11>6<248><207><162>*}<201><142><242><23
9><232><24>i`<2>
        EAP-Message =
<253>B<242>!a6<196>h<208><1><205><30><209>^<2><185><129>%4<16>gT<176>xu<6><5
>'<251><213><190><31><153><182><192><197><183>s,X<129><148>z<233><254>xj<22>
<29><134>P3<185>)<149>i2P<10>G<233><150>AM<253><183>ZrU<0>fn]L<217>"^<144>%<
219><0><3><248>0<130><3><244>0<130><3>]<160><3><2><1><2><2><1><0>0<13><6><9>
*<134>H<134><247><13><1><1><4><5><0>0<129><179>1<11>0<9><6><3>U<4><6><19><2>
AU1<17>0<15><6><3>U<4><8><19><8>Tasmania1<15>0<13><6><3>U<4><7><19><6>Hobart
1<31>0<29><6><3>U<4><10><19><22>University of
Tasmania1<12>0<10><6><3>U<4><11><19><3>ITS1"0 <6><3>U<4><3><19><25>ITS INS
Signing Authority1-0+
        EAP-Message = <6><9>*<134>H<134><247><13><1><9><1><22><30>sysprog at p
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

The log just keeps repeating the above sequence of packets...............

-------------------------------------------------
Michael Harlow              GPO Box 252-69
Network Engineer            Hobart Tasmania 7001
IT Resources                Ph  03 6226 1812
University of Tasmania      Mob 0438 26 1812
Michael.Harlow at utas.edu.au  Fx  03 6226 7171
-------------------------------------------------
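The packet dump above shows the EAP-TTLS exchange stalling right after the server starts sending its certificate flight. The following decoder is an added example, not code from the post or from Radiator; it converts Radiator's `<n>` dump notation back into bytes and parses the EAP-TTLS header (code, identifier, length, type 21, and the L/M/S flag bits) so the fragmentation becomes visible. The two sample strings are the leading bytes copied from the Identifier 40 request and challenge above: the supplicant's 98-byte Response carries an 88-byte ClientHello in one fragment, while the server's 1034-byte Request has the L and M bits set and announces a 2050-byte TLS message, the ServerHello plus certificate chain, split into fragments of 1024 TLS bytes each (the posted EAPTLS_MaxFragmentSize plus a 10-byte EAP-TTLS header). The `fragments_needed` helper and the handshake-type names are this example's own additions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input, copied from the Radiator packet dump in the post above:
# the first bytes of the supplicant's EAP-Message (Identifier 40 Access-Request)
# and of the server's reply (Identifier 40 Access-Challenge), in Radiator's
# dump notation where non-printable bytes appear as <decimal>.
CLIENT_EAP = "<2><182><0>b<21><128><0><0><0>X<22><3><1><0>S<1><0><0>O<3><1>"
SERVER_EAP = "<1><183><4><10><21><192><0><0><8><2><22><3><1><0>J<2><0><0>F<3><1>"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TTLS = 21          # EAP method type number for EAP-TTLS
TLS_HANDSHAKE = 22          # TLS record content type for handshake messages
HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate"}

_TOKEN = re.compile(r"<(\d+)>|(.)", re.S)


def radiator_unescape(dump: str) -> bytes:
    """Convert Radiator's dump notation (<n> for a byte, printable ASCII
    as-is) back into raw bytes. Literal newlines are mail line-wrapping,
    not data (a real byte 10 is printed as <10>), so they are dropped."""
    out = bytearray()
    for match in _TOKEN.finditer(dump.replace("\r", "").replace("\n", "")):
        if match.group(1) is not None:
            out.append(int(match.group(1)))
        else:
            out.append(ord(match.group(2)))
    return bytes(out)


@dataclass
class EapTtlsFrame:
    code: str
    identifier: int
    length: int              # EAP Length field: header + type + flags + data
    length_included: bool    # L bit: 4-byte total TLS message length follows
    more_fragments: bool     # M bit: further fragments will follow
    start: bool              # S bit: EAP-TTLS Start (server's first request)
    tls_total_length: Optional[int]
    payload: bytes           # the TLS bytes present in this dump excerpt

    @property
    def fragment_capacity(self) -> int:
        """TLS bytes this EAP packet carries according to its Length field:
        everything after the 6-byte (or 10-byte, with L set) EAP-TTLS header."""
        return self.length - (10 if self.length_included else 6)


def parse_eap_ttls(raw: bytes) -> EapTtlsFrame:
    """Parse the EAP header and EAP-TTLS type/flags at the start of raw."""
    if len(raw) < 6:
        raise ValueError("need at least EAP header + type + flags (6 bytes)")
    if raw[4] != EAP_TYPE_TTLS:
        raise ValueError(f"EAP type {raw[4]} is not EAP-TTLS ({EAP_TYPE_TTLS})")
    flags = raw[5]
    length_included = bool(flags & 0x80)
    offset, tls_total_length = 6, None
    if length_included:
        if len(raw) < 10:
            raise ValueError("L bit set but the 4-byte TLS length is missing")
        tls_total_length = int.from_bytes(raw[6:10], "big")
        offset = 10
    return EapTtlsFrame(
        code=EAP_CODES.get(raw[0], f"unknown({raw[0]})"),
        identifier=raw[1],
        length=int.from_bytes(raw[2:4], "big"),
        length_included=length_included,
        more_fragments=bool(flags & 0x40),
        start=bool(flags & 0x20),
        tls_total_length=tls_total_length,
        payload=raw[offset:],
    )


def tls_record_summary(payload: bytes) -> dict:
    """Describe the TLS record header (and handshake type, if present) at the
    start of a fragment's payload."""
    if len(payload) < 5:
        raise ValueError("TLS record header needs 5 bytes")
    summary = {
        "content_type": payload[0],
        "version": (payload[1], payload[2]),
        "record_length": int.from_bytes(payload[3:5], "big"),
    }
    if payload[0] == TLS_HANDSHAKE and len(payload) >= 9:
        summary["handshake"] = HANDSHAKE_NAMES.get(payload[5], f"type {payload[5]}")
        summary["handshake_length"] = int.from_bytes(payload[6:9], "big")
    return summary


def fragments_needed(tls_total_length: int, max_fragment: int) -> int:
    """EAP requests needed to carry a TLS flight when each fragment holds at
    most max_fragment TLS bytes (ceiling division)."""
    return -(-tls_total_length // max_fragment)


def describe(dump: str) -> str:
    """One-line summary of an EAP-Message taken from a Radiator dump."""
    frame = parse_eap_ttls(radiator_unescape(dump))
    bits = (("L", frame.length_included), ("M", frame.more_fragments), ("S", frame.start))
    flags = "".join(name for name, on in bits if on) or "-"
    tls = tls_record_summary(frame.payload)
    return (f"EAP {frame.code} id={frame.identifier} len={frame.length} flags={flags} "
            f"tls_total={frame.tls_total_length} capacity={frame.fragment_capacity} "
            f"record={tls.get('handshake', tls['content_type'])}")


if __name__ == "__main__":
    for dump in (CLIENT_EAP, SERVER_EAP):
        print(describe(dump))
    server = parse_eap_ttls(radiator_unescape(SERVER_EAP))
    # With EAPTLS_MaxFragmentSize 1024 as in the posted config, the 2050-byte
    # server flight needs three EAP round trips through the access point.
    print("fragments for server flight:", fragments_needed(server.tls_total_length, 1024))
```

Run as a script it prints one line per packet. The decoded length and flag bits are the values to compare against whatever the access point is willing to relay when it logs an error like the `send_eapol_packet_to_supplicant` message above, and lowering `EAPTLS_MaxFragmentSize` changes `fragment_capacity` and the fragment count reported by `fragments_needed` accordingly.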


===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.