(RADIATOR) Help me with 802.1x on AlliedTelesyn switch please
Pavel Paprok
ppaprok at applet.cz
Thu Jan 29 11:38:46 CST 2004
Hello,
I am just trying to authorise Ethernet ports on a manageable switch,
Allied Telesyn AT-8012M (latest software AT-S39, v3.2.0),
with 802.1x enabled using EAP/PEAP/MSCHAPv2.
The RADIUS server is Radiator v3.8 (one-server licence); the system is RedHat 9.
The supplicant is the latest xsupplicant (v0.8b), but with native
WinXP clients authentication does not work either.
The certificates are from the Radiator test suite.
There should be no general error in my Radiator configuration, because
exactly the same 802.1x EAP configuration works well with ports of other
Ethernet switches we use, wired (HP Procurve 2412, ...) or wireless APs
(DLink, ...), with the same xsupplicants and WinXP 802.1x system clients.
The very basic RADIUS configuration on the Allied should also be OK, because
authorising the serial console account (manage prompt) from the RADIUS server
works properly, but not on its Ethernet ports through 802.1x
EAP/PEAP-MSCHAPv2.
(Authentication of its serial console has been removed from the config below for simplicity.)
The AlliedTelesyn switch manual says that its 802.1x was tested with
WinXP clients and the FreeRadius RADIUS server, but Radiator should
be better at 802.1x, shouldn't it?
Please help; what should I try next to get it running?
Thanks,
Pavel
--------------------------------------------------------------
Here is the log from xsupplicant:
[root at pp2 root]# xsupplicant -i eth1 -d 5
Calling do_eapol, with device eth1
Setup on device eth1 complete
(EAPMD5) Initalized
(EAPMS-CHAP) Initalized
Done with init.
Sending EAPOL-Start #1
## eap_decode_packet ##: Got an EAP request
## eap_decode_packet ##: Type is Identity
Connection Established, authenticating...
ACQUIRED
## eap_decode_packet ##: Got an EAP failure
Failed to Authenticate
CONNECTING
## eap_decode_packet ##: Got an EAP request
## eap_decode_packet ##: Type is Identity
Connection Established, authenticating...
ACQUIRED
## eap_decode_packet ##: Got an EAP request
## eap_decode_packet ##: Type is Identity
Connection Established, authenticating...
## eap_decode_packet ##: Got an EAP request
### Type is 25, length: 6
Loading certificate /etc/1x/certs/CAroot.pem . . .
(TLS)Loaded root certificate /etc/1x/certs/CAroot.pem and dirctory (null)
--- SSL : before/connect initialization
--- SSL : before/connect initialization
--- SSL : SSLv3 write client hello A
--- SSL : SSLv3 read server hello A
Destination : 1:80:c2:0:0:3
AUTHENTICATING
.... there xsupplicant stays for some time and after a timeout
(tens of seconds) tries again in a loop.
-------------------------------------------
At the same time Radiator writes the following in the logfile (please don't be
confused by the username wifi, it's a wired device):
Thu Jan 29 15:55:37 2004: DEBUG: Packet dump:
*** Received from a.b.c.d port 516 ....
Code: Access-Request
Identifier: 138
Authentic: s<147>t R<178>;<201><5>//<13><233>[<207>f
Attributes:
User-Name = "wifi"
NAS-IP-Address = a.b.c.d
NAS-Port = 3
Called-Station-Id = "00:0C:46:22:71:20"
Calling-Station-Id = "00:30:4F:20:F1:54"
Framed-MTU = 1400
NAS-Port-Type = Ethernet
Connect-Info = "100Mbps"
EAP-Message = <2>,<0><9><1>wifi
Message-Authenticator =
<190><188><255>=<233>)1<245><28><167>?<211>|<193>><241>
Thu Jan 29 15:55:37 2004: DEBUG: Handling request with Handler ''
Thu Jan 29 15:55:37 2004: DEBUG: Deleting session for wifi, a.b.c.d, 3
Thu Jan 29 15:55:37 2004: DEBUG: Handling with Radius::AuthFILE:
Thu Jan 29 15:55:37 2004: DEBUG: Handling with EAP: code 2, 44, 9
Thu Jan 29 15:55:37 2004: DEBUG: Response type 1
Thu Jan 29 15:55:37 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Jan 29 15:55:37 2004: DEBUG: Access challenged for wifi: EAP PEAP
Challenge
Thu Jan 29 15:55:37 2004: DEBUG: Packet dump:
*** Sending to a.b.c.d port 516 ....
Code: Access-Challenge
Identifier: 138
Authentic: s<147>t R<178>;<201><5>//<13><233>[<207>f
Attributes:
EAP-Message = <1>-<0><6><25>!
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Jan 29 15:55:37 2004: DEBUG: Packet dump:
*** Received from a.b.c.d port 516 ....
Code: Access-Request
Identifier: 140
Authentic: u<158><154>d<168><218><1><13><12><209>~<184><181>Q<192>9
Attributes:
User-Name = "wifi"
NAS-IP-Address = a.b.c.d
NAS-Port = 3
Called-Station-Id = "00:0C:46:22:71:20"
Calling-Station-Id = "00:30:4F:20:F1:54"
Framed-MTU = 1400
NAS-Port-Type = Ethernet
Connect-Info = "100Mbps"
EAP-Message =
<2>-<0>n<25><129><0><0><0>d<22><3><1><0>_<1><0><0>[<3><1>@<25><30><237><158>XFH<128><183>8^o<12>S<208><178><159>7<18>6<252><133>r<250><219><174><23>T<139>N<226><0><0>4<0>9<0>8<0>5<0><22><0><19><0><10><0>3<0>2<0>/<0>f<0><5><0><4><0>c<0>b<0>a<0><21><0><18><0><9><0>e<0>d<0>`<0><20><0><17><0><8><0><6><0><3><1><0>
Message-Authenticator =
<190>P;<187>6<190><143><240><154><241><254><152><23><0><133><214>
Thu Jan 29 15:55:37 2004: DEBUG: Handling request with Handler ''
Thu Jan 29 15:55:37 2004: DEBUG: Deleting session for wifi, a.b.c.d, 3
Thu Jan 29 15:55:37 2004: DEBUG: Handling with Radius::AuthFILE:
Thu Jan 29 15:55:37 2004: DEBUG: Handling with EAP: code 2, 45, 110
Thu Jan 29 15:55:37 2004: DEBUG: Response type 25
Thu Jan 29 15:55:37 2004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Thu Jan 29 15:55:37 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
Thu Jan 29 15:55:37 2004: DEBUG: Access challenged for wifi: EAP PEAP
Challenge
Thu Jan 29 15:55:37 2004: DEBUG: Packet dump:
*** Sending to a.b.c.d port 516 ....
Code: Access-Challenge
Identifier: 140
Authentic: u<158><154>d<168><218><1><13><12><209>~<184><181>Q<192>9
Attributes:
EAP-Message =
<1>.<4><10><25><193><0><0><8>P<22><3><1><0>J<2><0><0>F<3><1>@<25><30><233><232>-<18><156><132><14>Av'<196><13><27><158>^<169><22><203><169><23><135><28><165>_<135>8<253><22>x
<154>k][<167>[|o<134>L<167>yBs<195><207>-6<202><219><158><166><3><203><250><152>`<136><168>y<155><132><0>5<0><22><3><1><7><27><11><0><7><23><0><7><20><0><2><209>0<130><2><205>0<130><2>6<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use
in production)1
0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>030227061500Z<23><13>040227061500Z0u1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<24>0<22><6><3>U<4><10><19><15>My
Test
Company1%0#<6><3>U<4><3><19><28>test.server.some.company.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1>
EAP-Message =
<1><5><0><3><129><141><0>0<129><137><2><129><129><0><196><186>)<217><245><205><159>@<144><133><177><255>0<165><3><215>cGR<136><231><253>9<193><13><255>m@<220>y^<160><244><236>Sa'<198>^<231><158>4<156>"<242>IS<151><30><211>$<142><196>!}R<146><166><129>yh<17><162><207><196><0><171>5s<187><229><139>2<250><146><1><187><207><226><203>5<251><178><1><212><178><141><219>O<253><134><213>N|<172>:J<23><173><161><191><141><25>&<198>Fi<17><181><137>Fy<0><177><210><215><186>x<141><197><212>s<145><235>\<164><8>!<2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><129><0><20>m<159><141><185><184><252><248><201>FM<195>PB(^<127>3<24><136><172><19><211><137><132>EF<170>9<236>^<187><146><253><171><200><183><230><148><142><21>_<9>^<227><10>3<162><186><214><206><197>Tq<219><4>r<239>?<1><16><203>
EAP-Message =
T<0><161>wm<173>S<4><0>)<141><209><<197>tT<228><150>P<156><22>^zes^<202>u<161><176>F3=<4><200><229><154>q<146><194>cy<23>z*o><219><28><206>t<196><188><3><195>.%<19>mD<242><149><237>O<138><193><0><4>=0<130><4>90<130><3><162><160><3><2><1><2><2><1><0>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not
EAP-Message = use in production)1 0<30>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
-------------------------------------------------------------------------------------------------------------
Fragment of the Radiator config:
<Client a.b.c.d>
Secret xxxxxx
Identifier 8021xAllied
</Client>
<Handler Request-Type = Accounting-Request>
<AuthBy SQL>
DBSource dbi:mysql:radiator
DBUsername radiator
DBAuth xxxxx
# Just accounting, no auth
IgnoreAuthentication
AuthSelect
AccountingTable inetaccounting
AcctColumnDef username,User-Name
AcctColumnDef time_stamp,Timestamp,integer
AcctColumnDef acctstatustype,Acct-Status-Type
AcctColumnDef acctinputoctets,Acct-Input-Octets,integer
AcctColumnDef acctoutputoctets,Acct-Output-Octets,integer
AcctColumnDef acctsessiontime,Acct-Session-Time,integer
AcctColumnDef acctterminatecause,Acct-Terminate-Cause
AcctColumnDef nasidentifier,NAS-Identifier
AcctColumnDef framedipaddress,Framed-IP-Address
</AuthBy>
</Handler>
<Handler TunnelledByPEAP=1>
<AuthBy SQL>
DBSource dbi:mysql:radiator
DBUsername radiator
DBAuth xxxxx
AuthSelect select password from inetusers where \
username = %0 and locked = 0
EAPType MSCHAP-V2
</AuthBy>
</Handler>
<Handler>
<AuthBy FILE>
# outer auth file, only anonymous inside
Filename /etc/radiator/outerEAPusers
EAPType PEAP
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1024
SSLeayTrace 4 # 1=ciphers, 2=trace, 3=dump data
</AuthBy> # auth by file
</Handler>
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
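To see what the switch and Radiator are actually exchanging, it helps to decode the EAP-Message attributes in the packet dumps above rather than reading the raw byte escapes. The script below is an added example, not code from the original post, from Radiator or from xsupplicant. It reassembles the EAP-Message attributes of one RADIUS packet (RFC 3579: attribute type 79, at most 253 bytes each, concatenated in order), parses the EAP header, and decodes the PEAP (EAP type 25) flags byte: L (0x80, total TLS length follows), M (0x40, more fragments), S (0x20, start) and the PEAP version in the low three bits. The sample packets are constructed, not captured; their ids, lengths and flags are chosen to match the values visible in the log (Identity response id 0x2c, ClientHello response id 0x2d of 110 bytes with flags 0x81, server fragment id 0x2e of 1034 bytes with flags 0xC1 and a 2128-byte TLS total). The Framed-MTU check follows RFC 3579, which lets the NAS announce the largest EAP packet it will relay.

```python
"""Decode RADIUS EAP-Message attributes carrying PEAP (EAP type 25).

Added example; constructed packets mirror the log values, no captured bytes.
"""
import struct

EAP_MESSAGE_ATTR = 79          # RADIUS attribute type for EAP-Message (RFC 3579)
EAP_TYPE_IDENTITY = 1
EAP_TYPE_PEAP = 25
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
PEAP_FLAG_L, PEAP_FLAG_M, PEAP_FLAG_S = 0x80, 0x40, 0x20


def build_peap_packet(code, ident, flags, tls_data, tls_total_len=None):
    """Build an EAP packet of type PEAP; the 4-byte TLS length is present only with the L flag."""
    body = bytes([flags])
    if flags & PEAP_FLAG_L:
        body += struct.pack("!I", len(tls_data) if tls_total_len is None else tls_total_len)
    body += tls_data
    return struct.pack("!BBHB", code, ident, 5 + len(body), EAP_TYPE_PEAP) + body


def split_eap_message(packet, max_attr=253):
    """Split one EAP packet into RADIUS EAP-Message attributes as a NAS or server does."""
    return [(EAP_MESSAGE_ATTR, packet[i:i + max_attr]) for i in range(0, len(packet), max_attr)]


def reassemble_eap_message(attrs):
    """Concatenate the EAP-Message attributes of one RADIUS packet, in order."""
    return b"".join(value for (atype, value) in attrs if atype == EAP_MESSAGE_ATTR)


def parse_eap(packet):
    """Return a dict describing the EAP header and, for PEAP, the fragment flags."""
    if len(packet) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        # A mismatch here means the EAP-Message attributes were not fully reassembled.
        raise ValueError(f"EAP length field {length} but {len(packet)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):
        return info                      # Success/Failure carry no type byte
    eap_type = packet[4]
    info["type"] = eap_type
    body = packet[5:]
    if eap_type == EAP_TYPE_IDENTITY:
        info["identity"] = body.decode("ascii", "replace")
    elif eap_type == EAP_TYPE_PEAP:
        flags = body[0]
        info.update(L=bool(flags & PEAP_FLAG_L), M=bool(flags & PEAP_FLAG_M),
                    S=bool(flags & PEAP_FLAG_S), peap_version=flags & 0x07)
        offset = 1
        if info["L"]:
            info["tls_total_len"] = struct.unpack("!I", body[1:5])[0]
            offset = 5
        tls = body[offset:]
        info["tls_fragment_len"] = len(tls)
        # First byte of a TLS record is the content type; 0x16 is handshake.
        info["tls_handshake"] = len(tls) >= 1 and tls[0] == 0x16
    return info


def fits_framed_mtu(packet, framed_mtu):
    """RFC 3579: the NAS will not relay an EAP packet longer than its Framed-MTU."""
    return len(packet) <= framed_mtu


# --- constructed samples mirroring the log ---------------------------------
IDENTITY_RESPONSE = b"\x02\x2c\x00\x09\x01wifi"                  # "<2>,<0><9><1>wifi"
# 100 bytes of TLS: a handshake record header and a ClientHello header, zero-padded.
CLIENT_HELLO = b"\x16\x03\x01\x00\x5f\x01\x00\x00\x5b\x03\x01" + b"\x00" * 89
CLIENT_HELLO_RESPONSE = build_peap_packet(2, 0x2d, 0x81, CLIENT_HELLO, tls_total_len=100)
# Server fragment: L|M set, PEAP version 1, 1024 bytes of a 2128-byte TLS flight.
SERVER_FRAGMENT = build_peap_packet(1, 0x2e, 0xC1, b"\x16\x03\x01" + b"\x00" * 1021,
                                    tls_total_len=2128)
SERVER_ATTRS = split_eap_message(SERVER_FRAGMENT)


def describe_exchange(framed_mtu=1400):
    """Parse all three samples and report whether each fits the announced Framed-MTU."""
    out = []
    for attrs in (split_eap_message(IDENTITY_RESPONSE),
                  split_eap_message(CLIENT_HELLO_RESPONSE), SERVER_ATTRS):
        packet = reassemble_eap_message(attrs)
        info = parse_eap(packet)
        info["eap_message_attrs"] = len(attrs)
        info["fits_mtu"] = fits_framed_mtu(packet, framed_mtu)
        out.append(info)
    return out


if __name__ == "__main__":
    for entry in describe_exchange():
        print(entry)
```

Run against real dumps, feed the attribute values of one packet to reassemble_eap_message and then parse_eap; a length mismatch means an EAP-Message attribute was lost or truncated between the NAS and the server, and an L|M fragment whose total length exceeds Framed-MTU is the first thing to compare against EAPTLS_MaxFragmentSize.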