(RADIATOR) Enterasys R2 TTLS authent failing

Terry Simons galimore at mac.com
Thu Jan 15 14:33:40 CST 2004


Michael,

I've been doing a lot of testing with our APs and Radius accounting and  
what I've found is that every AP accounts differently.

What's worse is that many of the APs we have are not doing things  
"correctly".

For instance... It's not the ACCTSESSIONID that you want... I assume  
you're trying to account the MAC address of the authenticated user?

What you really want is the Calling_Station_ID, which most APs don't  
account, even though they do have this information in their  
authentication.

The Accounting Session ID field, from what I can gather, is actually  
just a unique identifier for the session, so this could be a timestamp  
for example, it is not always going to be a MAC address.  In fact, the  
D-Link DWL 900AP+ does something like this, while my AP 2000 APs log  
the MAC address, and my Ciscos actually account the Calling Station ID  
field, which is what you want.

I have written a script that actually takes care of this for me which I  
would be able to share if you want it.  It basically takes the Calling  
Station ID info from earlier in the authentication and sticks it in the  
accounting record for me.

There's still a lot of other stuff I need to work out for our  
accounting, and I'm going to be making a list of APs with broken  
accounting as well.

Most APs don't account the byte count from what I've seen, and I don't  
even know if that's a "standard" thing to account.

Another issue I have had is that null values don't get accounted when  
doing accounting to a file.  (I'm using DBI::CSV).

Hugh, what are my options for rewriting null values in an accounting  
response?  Could I use a hook to do this?

Hope that helps,

- Terry
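The carry-over Terry describes (taking the Calling-Station-Id from the Access-Request and stamping it into the later accounting record) and the null-value problem with file-based accounting, shown together in one added Python example. This is not Terry's script and not Radiator code (Radiator hooks are Perl); it assumes the records arrive as attribute dictionaries, keys sessions by NAS address plus user name, and uses constructed sample records and a constructed Acct-Session-Id:

```python
"""Carry Calling-Station-Id from authentication into accounting, then write CSV.

Added example, not code from the Radiator project or the script mentioned in
the post: it keeps the Calling-Station-Id seen in the Access-Request, copies it
into later accounting records from the same NAS/user that lack it, and writes an
explicit marker for empty fields so a CSV file keeps its column count.
Attribute names are standard RADIUS names; the record dicts, the session id and
the lookup key are constructed for the example.
"""
import csv
import io

# Columns written to the accounting file, in order.
FIELDS = ["User-Name", "NAS-IP-Address", "Acct-Status-Type", "Acct-Session-Id",
          "Calling-Station-Id", "Acct-Input-Octets", "Acct-Output-Octets"]


def session_key(rec):
    """Key tying an accounting record back to its authentication.

    Acct-Session-Id cannot serve here: it is absent from the Access-Request and
    is only a per-session token, not a MAC. NAS address plus user name is what
    both sides reliably share (assumption made for this example).
    """
    return (rec.get("NAS-IP-Address", ""), rec.get("User-Name", ""))


class CallingStationCache:
    """Remembers the MAC seen at authentication per (NAS, user)."""

    def __init__(self):
        self._mac_by_key = {}

    def observe_auth(self, access_request):
        mac = access_request.get("Calling-Station-Id")
        if mac:
            self._mac_by_key[session_key(access_request)] = mac

    def enrich_accounting(self, acct):
        """Return a copy of the accounting record with the MAC filled in if known."""
        out = dict(acct)
        if not out.get("Calling-Station-Id"):
            mac = self._mac_by_key.get(session_key(acct))
            if mac:
                out["Calling-Station-Id"] = mac
        return out


def fill_nulls(rec, fields=FIELDS, placeholder="-"):
    """Replace missing or empty attributes so every column is written."""
    return {f: (placeholder if rec.get(f) in (None, "") else rec[f]) for f in fields}


def to_csv_row(rec):
    """Render one accounting record as a CSV line with no dropped columns."""
    buf = io.StringIO()
    csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n").writerow(fill_nulls(rec))
    return buf.getvalue()


# Constructed sample traffic: the Access-Request carries the MAC (as in the
# quoted trace), the AP's accounting Start and Stop omit it, and the Stop
# carries no octet counters at all.
ACCESS_REQUEST = {"User-Name": "outer-mike", "NAS-IP-Address": "172.31.1.244",
                  "Calling-Station-Id": "00-10-a4-9d-4c-f3"}
ACCT_START = {"User-Name": "outer-mike", "NAS-IP-Address": "172.31.1.244",
              "Acct-Status-Type": "Start", "Acct-Session-Id": "0a1b2c3d"}
ACCT_STOP = {"User-Name": "outer-mike", "NAS-IP-Address": "172.31.1.244",
             "Acct-Status-Type": "Stop", "Acct-Session-Id": "0a1b2c3d",
             "Acct-Input-Octets": None, "Acct-Output-Octets": None}


def process_sample():
    """Run the constructed sample through the cache; return the enriched records."""
    cache = CallingStationCache()
    cache.observe_auth(ACCESS_REQUEST)
    return [cache.enrich_accounting(ACCT_START), cache.enrich_accounting(ACCT_STOP)]


if __name__ == "__main__":
    for record in process_sample():
        print(to_csv_row(record), end="")
```

Two caveats worth keeping in mind when doing this for real: keying on (NAS, user) conflates two concurrent sessions of the same user on one NAS, so a NAS that does send Acct-Session-Id on both sides is a better key where available; and Calling-Station-Id is whatever the NAS reports, so a record enriched this way documents the MAC the AP saw, not a verified device identity.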

On Jan 13, 2004, at 2:00 AM, Michael Harlow wrote:

>
> Thanks for the clue Terry. I've tested, and the maximum value for
> EAPTLS_MaxFragmentSize is 1010. One byte larger and it fails. Can this  
> be
> set to a low value without problem? It was already set to 1024 for our
> Ciscos, now it's 1010.
>
> So I now have the R2 performing authentication, and traffic flows  
> to/from
> the client.
>
> Now I find that the start/alive/stop messages don't contain byte  
> counts.
> Bugger. At least it is authenticating I suppose.
>
> I've just started playing with the Cisco switches (2950 and 3550  
> series) and
> wired connections, it authenticates just fine, but it won't log. I  
> think the
> problem is a null session ID.
>
> ERR: Error in PostAuthHook(): replace failed: You have an error in  
> your SQL
> syntax near ' NULL, 1073983738)' at line 1 at (eval 28) line 51.
>
> The code is the eap_anon_hook.pl - $dbh->do("replace into RADLASTAUTH
> (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP) values
> ($username, $nasidentifier, $nasport, $acctsessionid, $timestamp)")
>
> Also no accounting start-stops seem to be coming through too. I've got aaa
> accounting turned on. I'll investigate further. Maybe that bit of code  
> is
> broken in the Cisco IOS. If I cannot work it out, I'll open a case with
> Cisco. I'm a bit more aware of what's going on now, than last time I  
> tried
> all this.
>
> Thanks again, Michael.
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Tue Jan 13 19:48:58 2004: DEBUG: Packet dump:
> *** Received from 172.31.1.244 port 1812 ....
> Code:       Access-Request
> Identifier: 53
> Authentic:  <203><26>f%>S-<210>61<29>{<132>p<192>H
> Attributes:
>         NAS-IP-Address = 172.31.1.244
>         Cisco-NAS-Port = "FastEthernet0/1"
>         NAS-Port-Type = Async
>         User-Name = "outer-mike"
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         Calling-Station-Id = "00-10-a4-9d-4c-f3"
>         EAP-Message =
> <2>4<0><212><21><128><0><0><0><202><22><3><1><0><7><11><0><0><3><0><0>< 
> 0><22
>> <3><1><0><134><16><0><0><130><0><128>tZ<234>m=<175><11><225>j]<200>w at 4 
>> <24>p
> <234>Q<176>k<21><215><133>2AR<23><4><171>u<28><197><183>{1<164><196><14 
> 0><24
> 5>'<149>=<229><127><190><155>TY<171>'<154><13><137><9>C<161><176><11><2 
> 21>_9
> <243><185><204><172><217><20>
> B<197><226><136><242><202><189><135><179>- 
> \[<20>kVU<136><186>5b<20><19><156>
> <221>-<220>+=BA<152><5>X<227>! 
> <209><170><30>8<25><218><20><255><180><20>H<17
> 9>; 
> <21><230>L<129><128><169>w<207><128><208><187>2<20><3><1><0><1><1><22>< 
> 3>
> <1><0>(<198><127><178><188><11><141><151>={<244><184>3B; 
> <250>}<1>,P.*<186>3/
> I<190><244>C<9><245><130><179><16><174><143><29>?<12><162>|
>         Message-Authenticator =
> <211><128><176><233>Re<151><216><4><213>rc'<135>o1
>
> Tue Jan 13 19:48:58 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Jan 13 19:48:58 2004: DEBUG:  Deleting session for outer-mike,
> 172.31.1.244,
> Tue Jan 13 19:48:58 2004: DEBUG: Handling with Radius::AuthSQL
> Tue Jan 13 19:48:58 2004: DEBUG: Handling with Radius::AuthSQL:
> Tue Jan 13 19:48:58 2004: DEBUG: Handling with EAP: code 2, 52, 212
> Tue Jan 13 19:48:58 2004: DEBUG: Response type 21
> Tue Jan 13 19:48:58 2004: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Tue Jan 13 19:48:58 2004: DEBUG: EAP result: 3, EAP TTLS Challenge
> Tue Jan 13 19:48:58 2004: DEBUG: Access challenged for outer-mike: EAP  
> TTLS
> Challenge
> Tue Jan 13 19:48:58 2004: DEBUG: Packet dump:
> *** Sending to 172.31.1.244 port 1812 ....
> Code:       Access-Challenge
> Identifier: 53
> Authentic:  <203><26>f%>S-<210>61<29>{<132>p<192>H
> Attributes:
>         EAP-Message =
> <1>5<0>=<21><128><0><0><0>3<20><3><1><0><1><1><22><3><1><0>(G<234><135> 
> <227>
> <0>U<234>gK(!<27><233>D<22><128>X<250><221><148>: 
> oO\<246>}iG<223><30><156>5m
> <146><7><13>C<202><255>r
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Jan 13 19:48:58 2004: DEBUG: Packet dump:
> *** Received from 172.31.1.244 port 1812 ....
> Code:       Access-Request
> Identifier: 54
> Authentic:  f<149><227><253><235>F<158><154><230>w<174>i<250><212><10>9
> Attributes:
>         NAS-IP-Address = 172.31.1.244
>         Cisco-NAS-Port = "FastEthernet0/1"
>         NAS-Port-Type = Async
>         User-Name = "outer-mike"
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         Calling-Station-Id = "00-10-a4-9d-4c-f3"
>         EAP-Message =
> <2>5<0>G<21><128><0><0><0>=<23><3><1><0>8<217>,rBk<179>: 
> <13><144><240><20><1
> 4>M<196><176><215><198>5<153><245><214><231><179>%<237><203>@<137>3r<0> 
> <144>
> <193>o<159><168>$P<188><134><212>:<239>u<154>i<128>~<197>3b<132>%f'3
>         Message-Authenticator =  
> <135><185><219>P5r<235><231>)<194>M&WK<194>C
>
> Tue Jan 13 19:48:58 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Jan 13 19:48:58 2004: DEBUG:  Deleting session for outer-mike,
> 172.31.1.244,
> Tue Jan 13 19:48:58 2004: DEBUG: Handling with Radius::AuthSQL
> Tue Jan 13 19:48:58 2004: DEBUG: Handling with Radius::AuthSQL:
> Tue Jan 13 19:48:58 2004: DEBUG: Handling with EAP: code 2, 53, 71
> Tue Jan 13 19:48:58 2004: DEBUG: Response type 21
> Tue Jan 13 19:48:58 2004: DEBUG: EAP TTLS inner authentication request  
> for
> mike
> Tue Jan 13 19:48:58 2004: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  \)<29><166><170><248>n<220><235>M<176><235>`V<247><29>
> Attributes:
>         User-Name = "mike"
>         User-Password = "xxxxxx"
>
> Tue Jan 13 19:48:58 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Jan 13 19:48:58 2004: DEBUG:  Deleting session for mike,  
> 172.31.1.244,
> Tue Jan 13 19:48:58 2004: DEBUG: Handling with Radius::AuthSQL
> Tue Jan 13 19:48:58 2004: DEBUG: Handling with Radius::AuthSQL:
> Tue Jan 13 19:48:58 2004: DEBUG: Query is: 'select ENCRYPTEDPASSWORD  
> from
> SUBSCRIBERS where USERNAME = 'mike'':
>
> Tue Jan 13 19:48:58 2004: DEBUG: Radius::AuthSQL looks for match with  
> mike
> Tue Jan 13 19:48:58 2004: DEBUG: Radius::AuthSQL ACCEPT:
> Tue Jan 13 19:48:58 2004: ERR: Error in PostAuthHook(): replace  
> failed: You
> have an error in your SQL syntax near ' NULL, 1073983738)' at line 1 at
> (eval 28) line 51.
>
> Tue Jan 13 19:48:58 2004: DEBUG: Access accepted for mike
> Tue Jan 13 19:48:58 2004: DEBUG: EAP result: 0, EAP TTLS inner
> authentication redespatched to a Handler
> Tue Jan 13 19:48:58 2004: DEBUG: Access accepted for outer-mike
> Tue Jan 13 19:48:58 2004: DEBUG: Packet dump:
> *** Sending to 172.31.1.244 port 1812 ....
> Code:       Access-Accept
> Identifier: 54
> Authentic:  f<149><227><253><235>F<158><154><230>w<174>i<250><212><10>9
> Attributes:
>         MS-MPPE-Send-Key =
> "<213><6><150><212>2<200>I<162><159><238><219><204><211><253><244>W4<14 
> 3><16
> 1>=<189><7><193><230><239><146><196>zP<14><218><134>; 
> <144>u<199>Q<208>Z<144>
> H<178>pb<0><246><135><166>H<5>"
>         MS-MPPE-Recv-Key =
> "<238>K<195><240><131><133>,<17>P<15><153><210><138><221>U<229>K<216><2 
> 42><2
> 12>R<23><147>3D<155><251><223><215><2><0>Q<3><10><31><238><130>^I<246>< 
> 247>
> nh<171>t<253>A<144>A"
>         EAP-Message = <3>5<0><4>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
> Behalf Of Terry Simons
> Sent: Tuesday, January 13, 2004 5:22 PM
> To: Hugh Irvine
> Cc: Michael.Harlow at utas.edu.au; radiator at open.com.au
> Subject: Re: (RADIATOR) Enterasys R2 TTLS authent failing
>
>
> Enterasys claims this is a problem with Radiator, and we have had some
> disagreements with them about this.
>
> When every other AP on the market works but theirs, I doubt it's a
> server problem. ;-)
>
> Try setting your chunk size to <= 1000 or so and see if that works... I
> believe that was the problem.
>
> - Terry
>
> On Jan 12, 2004, at 10:05 PM, Hugh Irvine wrote:
>
>>
>> Hello Michael -
>>
>> Comments below.
>>
>> On 13 Jan 2004, at 15:54, Michael Harlow wrote:
>>
>>>
>>> I have successfully set up EAP-TTLS/PAP authenticated against a mySQL
>>> database, for my Cisco 350 and 1200 AP, in both VxWorks and IOS
>>> versions.
>>> However, when I try and turn on 802.1x in my Enterasys R2 AP, the
>>> client
>>> (Odyssey) does not prompt for password, and I see the Radiator
>>> sending a
>>> copy of a certificate to the AP, but nothing happens. The following
>>> also
>>> appears on the console of the R2:
>>>
>>> function send_eapol_packet_to_supplicant in file aaa_eapol_mux.c line
>>> 425:
>>> out, cannot get cluster for pdu part of EAPOL msg!
>>>
>>
>> Sounds like a problem on the R2.
>>
>> I don't think we have tested these here.
>>
>>> Has anyone got an R2 working, and can help me work out which tick
>>> boxes I
>>> need to make it behave as nicely as the Cisco's?
>>>
>>
>> Anyone on the list?
>>
>>> I've read everything I can find on the Funk and Enterasys sites.
>>>
>>> A second unrelated problem. With the Cisco 1200's I get different
>>> accounting
>>> records to the 350's running VxWorks rather than IOS. The IOS AP's
>>> don't
>>> seem to log the accounting data with a NASIDENTIFIER field, just a
>>> NASPORT,
>>> whereas the 350's running VxWorks do list their domain name
>>> (NASIDENTIFIER
>>> and NASPORT) in the accounting data. Is this a configuration problem?
>>
>> I doubt that this is a configuration issue - different
>> hardware/software send different accounting information (if they send
>> accounting at all).
>>
>> regards
>>
>> Hugh
>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>> ===
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
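The `replace failed ... near ' NULL, 1073983738)'` error in Michael's quoted message comes from building the REPLACE statement by splicing attribute values into the SQL text. An added Python example (sqlite3 standing in for the MySQL table; not the eap_anon_hook.pl code from the thread) shows why that breaks when an attribute such as NAS-Port is absent, why the same splicing makes any quote character in User-Name a syntax error (and, from a defender's view, an injection surface), and how bind parameters handle both. The table and column names are taken from the quoted error; the column types, the sample values, and the rule that an absent attribute interpolates as an empty string are assumptions for the demonstration:

```python
"""Recording the last authentication with bind parameters instead of string splicing.

Added example (Python, sqlite3 in place of MySQL), not the hook code quoted in
the thread. Table and column names come from the quoted error message; the
column types, the treatment of an absent attribute as an empty string (Perl's
undef behaviour), and the sample values are assumptions for the demonstration.
"""
import sqlite3

SCHEMA = (
    "CREATE TABLE RADLASTAUTH ("
    "USERNAME TEXT PRIMARY KEY, NASIDENTIFIER TEXT, NASPORT TEXT, "
    "ACCTSESSIONID TEXT, TIME_STAMP INTEGER)"
)
COLUMNS = "USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP"


def open_db():
    """Create the in-memory stand-in for the RADLASTAUTH table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def _splice(value):
    # Assumed rendering of each value into the SQL text: strings quoted by
    # hand, numbers passed through, an absent attribute interpolated as nothing.
    if value is None:
        return ""
    if isinstance(value, int):
        return str(value)
    return f"'{value}'"


def record_interpolated(conn, username, nasidentifier, nasport, acctsessionid, ts):
    """The pattern from the thread: attribute values spliced into the statement.

    Returns "ok" or a string describing the SQL error.
    """
    sql = (f"REPLACE INTO RADLASTAUTH ({COLUMNS}) VALUES ("
           f"{_splice(username)}, {_splice(nasidentifier)}, {_splice(nasport)}, "
           f"{_splice(acctsessionid)}, {_splice(ts)})")
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.OperationalError as exc:
        # A missing attribute leaves ", ," in the text; a quote inside
        # User-Name ends the literal early. Both surface as syntax errors, and
        # the second is the mechanism a hostile User-Name would abuse.
        return f"syntax error: {exc}"


def record_bound(conn, username, nasidentifier, nasport, acctsessionid, ts):
    """Same statement with bind parameters: None becomes NULL, quotes are data."""
    conn.execute(f"REPLACE INTO RADLASTAUTH ({COLUMNS}) VALUES (?, ?, ?, ?, ?)",
                 (username, nasidentifier, nasport, acctsessionid, ts))
    return "ok"


def last_auth(conn, username):
    """Return the stored row for a user, or None if nothing was recorded."""
    return conn.execute(
        "SELECT NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP "
        "FROM RADLASTAUTH WHERE USERNAME = ?", (username,)).fetchone()


if __name__ == "__main__":
    db = open_db()
    # Constructed sample: a wired 802.1X port that reports neither NAS-Port nor
    # Acct-Session-Id, as in the quoted switch trace; the timestamp is the one
    # shown in the quoted error.
    print(record_interpolated(db, "mike", "172.31.1.244", None, None, 1073983738))
    print(record_bound(db, "mike", "172.31.1.244", None, None, 1073983738))
    print(last_auth(db, "mike"))
```

With DBI the equivalent is `$dbh->do($sql_with_placeholders, undef, @values)`, which lets the driver quote each value and send undef as NULL; the row then records the missing NAS-Port and session id honestly as NULL instead of aborting the hook.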
