(RADIATOR) Help me with 802.1x on AlliedTelesyn switch please

Pavel Paprok ppaprok at applet.cz
Thu Jan 29 11:38:46 CST 2004


Hello,

I am just trying to authorise Ethernet ports on a manageable switch,
Allied Telesyn AT-8012M (latest software AT-S39, v3.2.0),
with 802.1x enabled using EAP/PEAP/MSCHAPv2.
The RADIUS server is Radiator v3.8 (one-server licence); the system is RedHat 9.
The supplicant is the latest xsupplicant (v0.8b), but with native
WinXP clients auth does not work either.
The certificates are from the Radiator test suite.

There should be no general error in my Radiator configuration, because
exactly the same 802.1x EAP configuration works fine with ports of the other Ethernet
switches we use, wired (HP Procurve 2412, ...) or wireless APs (DLink, ...),
with the same xsupplicants and WinXP 802.1x system clients.

The very basic RADIUS configuration on the Allied should also be OK, because
authorising the serial console account (manage prompt) from the RADIUS server
works properly, but not its Ethernet ports through 802.1x
EAP/PEAP-MSCHAPv2.
(The auth of its serial console has been removed from the config below for simplicity.)

The manual of the Allied Telesyn switch says that its 802.1x was tested with
WinXP clients and the FreeRadius RADIUS server, but Radiator should
be better at 802.1x, is that so?

Please help; what should I try next to get it running?

thanks,
Pavel

--------------------------------------------------------------
Here is the log from xsupplicant:

[root at pp2 root]# xsupplicant -i eth1 -d 5
Calling do_eapol, with device eth1
Setup on device eth1 complete
(EAPMD5) Initalized
(EAPMS-CHAP) Initalized
Done with init.
Sending EAPOL-Start #1
## eap_decode_packet ##: Got an EAP request
## eap_decode_packet ##: Type is Identity
Connection Established, authenticating...
ACQUIRED
## eap_decode_packet ##: Got an EAP failure
Failed to Authenticate
CONNECTING
## eap_decode_packet ##: Got an EAP request
## eap_decode_packet ##: Type is Identity
Connection Established, authenticating...
ACQUIRED
## eap_decode_packet ##: Got an EAP request
## eap_decode_packet ##: Type is Identity
Connection Established, authenticating...
## eap_decode_packet ##: Got an EAP request
### Type is 25, length: 6
Loading certificate /etc/1x/certs/CAroot.pem . . .
(TLS)Loaded root certificate /etc/1x/certs/CAroot.pem and dirctory (null)
     --- SSL : before/connect initialization
     --- SSL : before/connect initialization
     --- SSL : SSLv3 write client hello A
     --- SSL : SSLv3 read server hello A
Destination : 1:80:c2:0:0:3
AUTHENTICATING


....there xsupplicant stays for some time and after a timeout
(tens of seconds) tries again in a loop.
-------------------------------------------
At the same time Radiator writes in the logfile: (please don't be
confused by the username wifi, it's a wired device)


Thu Jan 29 15:55:37 2004: DEBUG: Packet dump:
*** Received from a.b.c.d port 516 ....
Code:       Access-Request
Identifier: 138
Authentic:  s<147>t R<178>;<201><5>//<13><233>[<207>f
Attributes:
        User-Name = "wifi"
        NAS-IP-Address = a.b.c.d
        NAS-Port = 3
        Called-Station-Id = "00:0C:46:22:71:20"
        Calling-Station-Id = "00:30:4F:20:F1:54"
        Framed-MTU = 1400
        NAS-Port-Type = Ethernet
        Connect-Info = "100Mbps"
        EAP-Message = <2>,<0><9><1>wifi
        Message-Authenticator = 
<190><188><255>=<233>)1<245><28><167>?<211>|<193>><241>

Thu Jan 29 15:55:37 2004: DEBUG: Handling request with Handler ''
Thu Jan 29 15:55:37 2004: DEBUG:  Deleting session for wifi, a.b.c.d, 3
Thu Jan 29 15:55:37 2004: DEBUG: Handling with Radius::AuthFILE:
Thu Jan 29 15:55:37 2004: DEBUG: Handling with EAP: code 2, 44, 9
Thu Jan 29 15:55:37 2004: DEBUG: Response type 1
Thu Jan 29 15:55:37 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Jan 29 15:55:37 2004: DEBUG: Access challenged for wifi: EAP PEAP 
Challenge
Thu Jan 29 15:55:37 2004: DEBUG: Packet dump:
*** Sending to a.b.c.d port 516 ....
Code:       Access-Challenge
Identifier: 138
Authentic:  s<147>t R<178>;<201><5>//<13><233>[<207>f
Attributes:
        EAP-Message = <1>-<0><6><25>!
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Jan 29 15:55:37 2004: DEBUG: Packet dump:
*** Received from a.b.c.d port 516 ....
Code:       Access-Request
Identifier: 140
Authentic:  u<158><154>d<168><218><1><13><12><209>~<184><181>Q<192>9
Attributes:
        User-Name = "wifi"
        NAS-IP-Address = a.b.c.d
        NAS-Port = 3
        Called-Station-Id = "00:0C:46:22:71:20"
        Calling-Station-Id = "00:30:4F:20:F1:54"
        Framed-MTU = 1400
        NAS-Port-Type = Ethernet
        Connect-Info = "100Mbps"
        EAP-Message = 
<2>-<0>n<25><129><0><0><0>d<22><3><1><0>_<1><0><0>[<3><1>@<25><30><237><158>XFH<128><183>8^o<12>S<208><178><159>7<18>6<252><133>r<250><219><174><23>T<139>N<226><0><0>4<0>9<0>8<0>5<0><22><0><19><0><10><0>3<0>2<0>/<0>f<0><5><0><4><0>c<0>b<0>a<0><21><0><18><0><9><0>e<0>d<0>`<0><20><0><17><0><8><0><6><0><3><1><0>
        Message-Authenticator = 
<190>P;<187>6<190><143><240><154><241><254><152><23><0><133><214>

Thu Jan 29 15:55:37 2004: DEBUG: Handling request with Handler ''
Thu Jan 29 15:55:37 2004: DEBUG:  Deleting session for wifi, a.b.c.d, 3
Thu Jan 29 15:55:37 2004: DEBUG: Handling with Radius::AuthFILE:
Thu Jan 29 15:55:37 2004: DEBUG: Handling with EAP: code 2, 45, 110
Thu Jan 29 15:55:37 2004: DEBUG: Response type 25
Thu Jan 29 15:55:37 2004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Thu Jan 29 15:55:37 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Jan 29 15:55:37 2004: DEBUG: Access challenged for wifi: EAP PEAP 
Challenge
Thu Jan 29 15:55:37 2004: DEBUG: Packet dump:
*** Sending to a.b.c.d port 516 ....
Code:       Access-Challenge
Identifier: 140
Authentic:  u<158><154>d<168><218><1><13><12><209>~<184><181>Q<192>9
Attributes:
        EAP-Message = 
<1>.<4><10><25><193><0><0><8>P<22><3><1><0>J<2><0><0>F<3><1>@<25><30><233><232>-<18><156><132><14>Av'<196><13><27><158>^<169><22><203><169><23><135><28><165>_<135>8<253><22>x 
<154>k][<167>[|o<134>L<167>yBs<195><207>-6<202><219><158><166><3><203><250><152>`<136><168>y<155><132><0>5<0><22><3><1><7><27><11><0><7><23><0><7><20><0><2><209>0<130><2><205>0<130><2>6<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC 
Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
        EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use 
in production)1 
0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>030227061500Z<23><13>040227061500Z0u1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<24>0<22><6><3>U<4><10><19><15>My 
Test 
Company1%0#<6><3>U<4><3><19><28>test.server.some.company.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1>
        EAP-Message = 
<1><5><0><3><129><141><0>0<129><137><2><129><129><0><196><186>)<217><245><205><159>@<144><133><177><255>0<165><3><215>cGR<136><231><253>9<193><13><255>m@<220>y^<160><244><236>Sa'<198>^<231><158>4<156>"<242>IS<151><30><211>$<142><196>!}R<146><166><129>yh<17><162><207><196><0><171>5s<187><229><139>2<250><146><1><187><207><226><203>5<251><178><1><212><178><141><219>O<253><134><213>N|<172>:J<23><173><161><191><141><25>&<198>Fi<17><181><137>Fy<0><177><210><215><186>x<141><197><212>s<145><235>\<164><8>!<2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><129><0><20>m<159><141><185><184><252><248><201>FM<195>PB(^<127>3<24><136><172><19><211><137><132>EF<170>9<236>^<187><146><253><171><200><183><230><148><142><21>_<9>^<227><10>3<162><186><214><206><197>Tq<219><4>r<239>?<1><16><203>
        EAP-Message = 
T<0><161>wm<173>S<4><0>)<141><209><<197>tT<228><150>P<156><22>^zes^<202>u<161><176>F3=<4><200><229><154>q<146><194>cy<23>z*o><219><28><206>t<196><188><3><195>.%<19>mD<242><149><237>O<138><193><0><4>=0<130><4>90<130><3><162><160><3><2><1><2><2><1><0>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC 
Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate 
Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not
        EAP-Message = use in production)1 0<30>
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


-------------------------------------------------------------------------------------------------------------
Fragment of the Radiator config:

<Client a.b.c.d>
        Secret xxxxxx
        Identifier      8021xAllied
</Client>
<Handler Request-Type = Accounting-Request>
    <AuthBy SQL>
        DBSource        dbi:mysql:radiator
        DBUsername      radiator
        DBAuth          xxxxx
        # Just accounting, no auth
        IgnoreAuthentication
        AuthSelect
        AccountingTable inetaccounting
        AcctColumnDef   username,User-Name
        AcctColumnDef   time_stamp,Timestamp,integer
        AcctColumnDef   acctstatustype,Acct-Status-Type
        AcctColumnDef   acctinputoctets,Acct-Input-Octets,integer
        AcctColumnDef   acctoutputoctets,Acct-Output-Octets,integer
        AcctColumnDef   acctsessiontime,Acct-Session-Time,integer
        AcctColumnDef   acctterminatecause,Acct-Terminate-Cause
        AcctColumnDef   nasidentifier,NAS-Identifier
        AcctColumnDef   framedipaddress,Framed-IP-Address
    </AuthBy>
</Handler>
<Handler TunnelledByPEAP=1>
    <AuthBy SQL>
        DBSource        dbi:mysql:radiator
        DBUsername      radiator
        DBAuth          xxxxx
        AuthSelect select password from inetusers where \
             username = %0 and locked = 0
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
<Handler>
    <AuthBy FILE>
        # outer auth file, only anonymous inside
        Filename /etc/radiator/outerEAPusers
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1024
        SSLeayTrace 4    # 1=ciphers, 2=trace, 3=dump data
    </AuthBy>   # auth by file
</Handler>


===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
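The packet dumps in the post can be decoded mechanically rather than read by eye. As an added example (not from the post, from Radiator or from Allied Telesyn), this Python script parses Radiator's `<decimal>` byte notation, joins the EAP-Message attributes of one dump, decodes the EAP header and the EAP-TLS/PEAP flag byte, and checks the server's fragment against the Framed-MTU the switch advertised; the sample dumps are constructed from the values above, with the challenge payload cut short after the TLS record header.

```python
import re
_ESC = re.compile(r"<(\d{1,3})>")  # Radiator prints non-printable bytes as <decimal>; printable ones are literal
def decode_dump_value(text):  # '<2>,<0><9><1>wifi' -> b'\x02,\x00\x09\x01wifi'; a bare '<' is a literal byte
    out, i = bytearray(), 0
    while i < len(text):
        m = _ESC.match(text, i)
        out.append(int(m.group(1)) if m else ord(text[i]))
        i = m.end() if m else i + 1
    return bytes(out)
def parse_packet_dump(dump):  # one 'Packet dump' block -> {"code", "identifier", "attrs": [(name, raw value)]}
    pkt, lines, i = {"code": None, "identifier": None, "attrs": []}, dump.strip().splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("Code:"):
            pkt["code"] = line.split(":", 1)[1].strip()
        elif line.startswith("Identifier:"):
            pkt["identifier"] = int(line.split(":", 1)[1])
        elif "=" in line and not line.startswith("Authentic:"):  # the authenticator bytes may contain '='
            name, _, value = line.partition("=")
            if not value.strip() and i + 1 < len(lines):  # Radiator wraps a long value onto the next line
                i, value = i + 1, lines[i + 1]
            pkt["attrs"].append((name.strip(), value.strip()))
        i += 1
    return pkt
def describe_eap(pkt):  # join the EAP-Message fragments and decode the EAP header plus the EAP-TLS/PEAP flags
    eap = b"".join(decode_dump_value(v) for n, v in pkt["attrs"] if n == "EAP-Message")
    info = {"code": eap[0], "id": eap[1], "length": int.from_bytes(eap[2:4], "big"), "type": eap[4]}
    if info["type"] == 1:  # Identity: the rest of the packet is the (outer) identity string
        info["identity"] = eap[5:].decode("ascii", "replace")
    elif info["type"] in (13, 25):  # EAP-TLS (13) / PEAP (25): flag byte, then 4-byte total TLS length if L is set
        f = eap[5]
        info.update(L=bool(f & 0x80), M=bool(f & 0x40), S=bool(f & 0x20), version=f & 0x07)
        if f & 0x80:
            info["tls_total_len"] = int.from_bytes(eap[6:10], "big")
    return info
def fragment_fits_mtu(request, challenge):  # is the server's EAP fragment within the Framed-MTU the NAS sent?
    mtu = next(int(v) for n, v in request["attrs"] if n == "Framed-MTU")
    return describe_eap(challenge)["length"] <= mtu

# Sample dumps constructed from the values in the post above; the challenge payload is cut after the TLS header
REQUEST_138 = """Code:       Access-Request
Identifier: 138
Attributes:
        User-Name = "wifi"
        Framed-MTU = 1400
        EAP-Message = <2>,<0><9><1>wifi"""
CHALLENGE_140 = """Code:       Access-Challenge
Identifier: 140
        EAP-Message = 
<1>.<4><10><25><193><0><0><8>P<22><3><1><0>J<2><0><0>F<3><1>"""
```

On the post's challenge 140 this reports an EAP Request of 1034 bytes with the L and M flags set and a total TLS message of 2128 bytes, i.e. the first 1024-byte fragment (EAPTLS_MaxFragmentSize) of the server certificate chain, well inside the advertised Framed-MTU of 1400.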