(RADIATOR) Enterasys R2 TTLS authent failing

Russell Owen rowen at solutionsit.com.au
Tue Jan 13 06:25:50 CST 2004


 
Not sure about your R2 problems as I only use Cisco, but I have noticed the same thing with the 350s and 1100/1200 APs logging different info. I also noticed the PDA client from Funk displays things a bit differently when you click the details button, if you have been auth'ed through a 340/350 AP. But at the end of the day, it all worked so I didn't bother looking into it.
 
Your Cisco APs running IOS have quite a few configuration options as to what they will and won't send in accounting requests. Check out the "radius-server" command and you will see what I mean. The IOS APs also support request and reply filters on both authentication and accounting packets leaving/entering the AP; you might also want to check this out. You can definitely change the way the NASIDENTIFIER field is sent as well. I was playing around with this today but can't remember the exact syntax for it; as I said before, read through the radius-server commands and it will come to you.
 
Russ.

________________________________

From: owner-radiator at open.com.au on behalf of Michael Harlow
Sent: Tue 13/01/2004 5:00 PM
To: Terry Simons; Hugh Irvine
Cc: radiator at open.com.au
Subject: RE: (RADIATOR) Enterasys R2 TTLS authent failing




Thanks for the clue Terry. I've tested, and the maximum value for
EAPTLS_MaxFragmentSize is 1010. One byte larger and it fails. Can this be
set to a low value without problem? It was already set to 1024 for our
Ciscos, now it's 1010.

So I now have the R2 performing authentication, and traffic flows to/from
the client.

Now I find that the start/alive/stop messages don't contain byte counts.
Bugger. At least it is authenticating I suppose.

I've just started playing with the Cisco switches (2950 and 3550 series) and
wired connections; it authenticates just fine, but it won't log. I think the
problem is a null session ID.

ERR: Error in PostAuthHook(): replace failed: You have an error in your SQL
syntax near ' NULL, 1073983738)' at line 1 at (eval 28) line 51.

The code is the eap_anon_hook.pl - $dbh->do("replace into RADLASTAUTH
(USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP) values
($username, $nasidentifier, $nasport, $acctsessionid, $timestamp)")

Also no accounting start-stops seem to be coming through either. I've got aaa
accounting turned on. I'll investigate further. Maybe that bit of code is
broken in the Cisco IOS. If I cannot work it out, I'll open a case with
Cisco. I'm a bit more aware of what's going on now than last time I tried
all this.

Thanks again, Michael.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Tue Jan 13 19:48:58 2004: DEBUG: Packet dump:
*** Received from 172.31.1.244 port 1812 ....
Code:       Access-Request
Identifier: 53
Authentic:  <203><26>f%>S-<210>61<29>{<132>p<192>H
Attributes:
        NAS-IP-Address = 172.31.1.244
        Cisco-NAS-Port = "FastEthernet0/1"
        NAS-Port-Type = Async
        User-Name = "outer-mike"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "00-10-a4-9d-4c-f3"
        EAP-Message =
<2>4<0><212><21><128><0><0><0><202><22><3><1><0><7><11><0><0><3><0><0><0><22
><3><1><0><134><16><0><0><130><0><128>tZ<234>m=<175><11><225>j]<200>w at 4<24>p
<234>Q<176>k<21><215><133>2AR<23><4><171>u<28><197><183>{1<164><196><140><24
5>'<149>=<229><127><190><155>TY<171>'<154><13><137><9>C<161><176><11><221>_9
<243><185><204><172><217><20>
B<197><226><136><242><202><189><135><179>-\[<20>kVU<136><186>5b<20><19><156>
<221>-<220>+=BA<152><5>X<227>!<209><170><30>8<25><218><20><255><180><20>H<17
9>;<21><230>L<129><128><169>w<207><128><208><187>2<20><3><1><0><1><1><22><3>
<1><0>(<198><127><178><188><11><141><151>={<244><184>3B;<250>}<1>,P.*<186>3/
I<190><244>C<9><245><130><179><16><174><143><29>?<12><162>|
        Message-Authenticator =
<211><128><176><233>Re<151><216><4><213>rc'<135>o1

Tue Jan 13 19:48:58 2004: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Tue Jan 13 19:48:58 2004: DEBUG:  Deleting session for outer-mike,
172.31.1.244,
Tue Jan 13 19:48:58 2004: DEBUG: Handling with Radius::AuthSQL
Tue Jan 13 19:48:58 2004: DEBUG: Handling with Radius::AuthSQL:
Tue Jan 13 19:48:58 2004: DEBUG: Handling with EAP: code 2, 52, 212
Tue Jan 13 19:48:58 2004: DEBUG: Response type 21
Tue Jan 13 19:48:58 2004: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
Tue Jan 13 19:48:58 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
Tue Jan 13 19:48:58 2004: DEBUG: Access challenged for outer-mike: EAP TTLS
Challenge
Tue Jan 13 19:48:58 2004: DEBUG: Packet dump:
*** Sending to 172.31.1.244 port 1812 ....
Code:       Access-Challenge
Identifier: 53
Authentic:  <203><26>f%>S-<210>61<29>{<132>p<192>H
Attributes:
        EAP-Message =
<1>5<0>=<21><128><0><0><0>3<20><3><1><0><1><1><22><3><1><0>(G<234><135><227>
<0>U<234>gK(!<27><233>D<22><128>X<250><221><148>:oO\<246>}iG<223><30><156>5m
<146><7><13>C<202><255>r
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Jan 13 19:48:58 2004: DEBUG: Packet dump:
*** Received from 172.31.1.244 port 1812 ....
Code:       Access-Request
Identifier: 54
Authentic:  f<149><227><253><235>F<158><154><230>w<174>i<250><212><10>9
Attributes:
        NAS-IP-Address = 172.31.1.244
        Cisco-NAS-Port = "FastEthernet0/1"
        NAS-Port-Type = Async
        User-Name = "outer-mike"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "00-10-a4-9d-4c-f3"
        EAP-Message =
<2>5<0>G<21><128><0><0><0>=<23><3><1><0>8<217>,rBk<179>:<13><144><240><20><1
4>M<196><176><215><198>5<153><245><214><231><179>%<237><203>@<137>3r<0><144>
<193>o<159><168>$P<188><134><212>:<239>u<154>i<128>~<197>3b<132>%f'3
        Message-Authenticator = <135><185><219>P5r<235><231>)<194>M&WK<194>C

Tue Jan 13 19:48:58 2004: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Tue Jan 13 19:48:58 2004: DEBUG:  Deleting session for outer-mike,
172.31.1.244,
Tue Jan 13 19:48:58 2004: DEBUG: Handling with Radius::AuthSQL
Tue Jan 13 19:48:58 2004: DEBUG: Handling with Radius::AuthSQL:
Tue Jan 13 19:48:58 2004: DEBUG: Handling with EAP: code 2, 53, 71
Tue Jan 13 19:48:58 2004: DEBUG: Response type 21
Tue Jan 13 19:48:58 2004: DEBUG: EAP TTLS inner authentication request for
mike
Tue Jan 13 19:48:58 2004: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  \)<29><166><170><248>n<220><235>M<176><235>`V<247><29>
Attributes:
        User-Name = "mike"
        User-Password = "xxxxxx"

Tue Jan 13 19:48:58 2004: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Tue Jan 13 19:48:58 2004: DEBUG:  Deleting session for mike, 172.31.1.244,
Tue Jan 13 19:48:58 2004: DEBUG: Handling with Radius::AuthSQL
Tue Jan 13 19:48:58 2004: DEBUG: Handling with Radius::AuthSQL:
Tue Jan 13 19:48:58 2004: DEBUG: Query is: 'select ENCRYPTEDPASSWORD from
SUBSCRIBERS where USERNAME = 'mike'':

Tue Jan 13 19:48:58 2004: DEBUG: Radius::AuthSQL looks for match with mike
Tue Jan 13 19:48:58 2004: DEBUG: Radius::AuthSQL ACCEPT:
Tue Jan 13 19:48:58 2004: ERR: Error in PostAuthHook(): replace failed: You
have an error in your SQL syntax near ' NULL, 1073983738)' at line 1 at
(eval 28) line 51.

Tue Jan 13 19:48:58 2004: DEBUG: Access accepted for mike
Tue Jan 13 19:48:58 2004: DEBUG: EAP result: 0, EAP TTLS inner
authentication redespatched to a Handler
Tue Jan 13 19:48:58 2004: DEBUG: Access accepted for outer-mike
Tue Jan 13 19:48:58 2004: DEBUG: Packet dump:
*** Sending to 172.31.1.244 port 1812 ....
Code:       Access-Accept
Identifier: 54
Authentic:  f<149><227><253><235>F<158><154><230>w<174>i<250><212><10>9
Attributes:
        MS-MPPE-Send-Key =
"<213><6><150><212>2<200>I<162><159><238><219><204><211><253><244>W4<143><16
1>=<189><7><193><230><239><146><196>zP<14><218><134>;<144>u<199>Q<208>Z<144>
H<178>pb<0><246><135><166>H<5>"
        MS-MPPE-Recv-Key =
"<238>K<195><240><131><133>,<17>P<15><153><210><138><221>U<229>K<216><242><2
12>R<23><147>3D<155><251><223><215><2><0>Q<3><10><31><238><130>^I<246><247>
nh<171>t<253>A<144>A"
        EAP-Message = <3>5<0><4>
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of Terry Simons
Sent: Tuesday, January 13, 2004 5:22 PM
To: Hugh Irvine
Cc: Michael.Harlow at utas.edu.au; radiator at open.com.au
Subject: Re: (RADIATOR) Enterasys R2 TTLS authent failing


Enterasys claims this is a problem with Radiator, and we have had some
disagreements with them about this.

When every other AP on the market works but theirs, I doubt it's a
server problem. ;-)

Try setting your chunk size to <= 1000 or so and see if that works... I
believe that was the problem.

- Terry

On Jan 12, 2004, at 10:05 PM, Hugh Irvine wrote:

>
> Hello Michael -
>
> Comments below.
>
> On 13 Jan 2004, at 15:54, Michael Harlow wrote:
>
>>
>> I have successfully set up EAP-TTLS/PAP authenticated against a MySQL
>> database, for my Cisco 350 and 1200 APs, in both VxWorks and IOS
>> versions. However, when I try and turn on 802.1x in my Enterasys R2 AP,
>> the client (Odyssey) does not prompt for a password, and I see the
>> Radiator sending a copy of a certificate to the AP, but nothing happens.
>> The following also appears on the console of the R2:
>>
>> function send_eapol_packet_to_supplicant in file aaa_eapol_mux.c line 425:
>> out, cannot get cluster for pdu part of EAPOL msg!
>>
>
> Sounds like a problem on the R2.
>
> I don't think we have tested these here.
>
>> Has anyone got an R2 working, and can help me work out which tick boxes
>> I need to make it behave as nicely as the Ciscos?
>>
>
> Anyone on the list?
>
>> I've read everything I can find on the Funk and Enterasys sites.
>>
>> A second unrelated problem. With the Cisco 1200s I get different
>> accounting records to the 350s running VxWorks rather than IOS. The IOS
>> APs don't seem to log the accounting data with a NASIDENTIFIER field,
>> just a NASPORT, whereas the 350s running VxWorks do list their domain
>> name (NASIDENTIFIER and NASPORT) in the accounting data. Is this a
>> configuration problem?
>
> I doubt that this is a configuration issue - different
> hardware/software send different accounting information (if they send
> accounting at all).
>
> regards
>
> Hugh
>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
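The PostAuthHook failure quoted earlier in this thread comes from a REPLACE statement assembled as text, where a request attribute that is absent (here the Acct-Session-Id on the wired 2950/3550 port) has to be spelled into the SQL by hand, and where every value, including the User-Name the supplicant chooses, is parsed as SQL rather than handed over as data. The following is an added example, not Radiator's eap_anon_hook.pl and not Michael's code: it writes the same RADLASTAUTH columns into an in-memory SQLite table (a stand-in for MySQL, so it runs offline) first by interpolation and then with bound parameters, and shows that the bound form stores a missing session id as NULL and keeps a quote inside a username as data. The table layout, the attribute dictionaries and the timestamps are constructed for the example.

```python
import sqlite3


def open_db():
    """Constructed in-memory table using the column names from the hook
    quoted in the thread (the real MySQL schema is not on the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE RADLASTAUTH ("
        " USERNAME TEXT PRIMARY KEY, NASIDENTIFIER TEXT, NASPORT TEXT,"
        " ACCTSESSIONID TEXT, TIME_STAMP INTEGER)"
    )
    return conn


def record_last_auth_interpolated(conn, attrs, timestamp):
    """Statement built as text, the pattern the quoted hook uses.
    A missing Acct-Session-Id must be written as the SQL token NULL and
    every string must be quoted by hand; a value containing a quote
    (a legitimate name such as o'brien) breaks the statement, and the
    same mechanism lets request attributes be read as SQL."""
    sid = attrs.get("Acct-Session-Id")
    sid_sql = "NULL" if sid is None else "'%s'" % sid
    sql = (
        "REPLACE INTO RADLASTAUTH"
        " (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP)"
        " VALUES ('%s', '%s', '%s', %s, %d)"
        % (attrs["User-Name"], attrs.get("NAS-Identifier", ""),
           attrs.get("NAS-Port", ""), sid_sql, timestamp)
    )
    conn.execute(sql)  # sqlite3.OperationalError if the text is malformed
    conn.commit()


def record_last_auth_bound(conn, attrs, timestamp):
    """Same write with bound parameters: Python None becomes SQL NULL,
    quotes inside a value stay inside the value, and the statement text
    never depends on what the NAS or the supplicant sent."""
    conn.execute(
        "REPLACE INTO RADLASTAUTH"
        " (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP)"
        " VALUES (?, ?, ?, ?, ?)",
        (attrs["User-Name"], attrs.get("NAS-Identifier"),
         attrs.get("NAS-Port"), attrs.get("Acct-Session-Id"), timestamp),
    )
    conn.commit()


def last_auth(conn, username):
    """Return (NASPORT, ACCTSESSIONID, TIME_STAMP) for a user, or None."""
    return conn.execute(
        "SELECT NASPORT, ACCTSESSIONID, TIME_STAMP FROM RADLASTAUTH"
        " WHERE USERNAME = ?", (username,)).fetchone()


def demo():
    conn = open_db()
    # Constructed attributes modelled on the wired-switch trace in the
    # thread: a port name but no Acct-Session-Id at all.
    wired = {"User-Name": "mike", "NAS-Port": "FastEthernet0/1"}
    record_last_auth_bound(conn, wired, 1073983738)

    # Constructed user whose name carries an apostrophe.
    awkward = {"User-Name": "o'brien", "NAS-Port": "FastEthernet0/2",
               "Acct-Session-Id": "00000042"}
    try:
        record_last_auth_interpolated(conn, awkward, 1073983739)
        interpolated_ok = True
    except sqlite3.OperationalError:
        interpolated_ok = False
    record_last_auth_bound(conn, awkward, 1073983739)

    return {"mike": last_auth(conn, "mike"),
            "obrien": last_auth(conn, "o'brien"),
            "interpolated_ok": interpolated_ok}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In Perl DBI the bound form is `$dbh->do($sql, undef, $username, $nasidentifier, $nasport, $acctsessionid, $timestamp)` with `?` placeholders, and an `undef` argument is sent as NULL, which removes the need to special-case a NAS that sends no session id.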