(RADIATOR) Help me with 802.1x on AlliedTelesyn switch please
Mike McCauley
mikem at open.com.au
Thu Jan 29 15:16:43 CST 2004
Hello Pavel,
I can't tell exactly what the problem is at this stage. It would help if you
sent more of the Radiator log file, since the part you sent only covers the
beginning of the authentication process.
Since your Radiator works with other APs and the same clients, and since this
AP is supposed to work with FreeRadius, you might consider reducing the size
of EAPTLS_MaxFragmentSize to less than 1024; try, say, 1000 or 800?
Cheers.
On Fri, 30 Jan 2004 04:38 am, Pavel Paprok wrote:
> Hello,
>
> I am just trying to authorise the Ethernet ports on a manageable switch,
> an Allied Telesyn AT-8012M (latest software AT-S39, v3.2.0),
> with 802.1x enabled using EAP/PEAP/MSCHAPv2.
> The RADIUS server is Radiator v3.8 (one-server licence); the system is RedHat 9.
> The supplicant is the latest xsupplicant (v0.8b), but authentication does not
> work with native WinXP clients either.
> The certificates are from the Radiator test suite.
>
> There should be no general error in my Radiator configuration, because
> exactly the same 802.1x EAP configuration works well with the ports of the
> other Ethernet switches we use, wired (HP Procurve 2412, ...) or wireless
> APs (DLink, ...), with the same xsupplicants and WinXP 802.1x system clients.
>
> The very basic RADIUS configuration on the Allied should also be OK, because
> authorising the serial console account (manage prompt) from the RADIUS server
> works properly, but it does not work on its Ethernet ports through 802.1x
> EAP/PEAP/MSCHAPv2.
> (The serial console auth has been removed from the config below for simplicity.)
>
> The manual of the AlliedTelesyn switch says that its 802.1x was tested with
> WinXP clients and the FreeRadius RADIUS server, but Radiator should be
> better at 802.1x, is that so?
>
> Please help; what should I try next to get it running?
>
> thanks,
> Pavel
>
> --------------------------------------------------------------
> here is the log from xsupplicant:
>
> [root at pp2 root]# xsupplicant -i eth1 -d 5
> Calling do_eapol, with device eth1
> Setup on device eth1 complete
> (EAPMD5) Initalized
> (EAPMS-CHAP) Initalized
> Done with init.
> Sending EAPOL-Start #1
> ## eap_decode_packet ##: Got an EAP request
> ## eap_decode_packet ##: Type is Identity
> Connection Established, authenticating...
> ACQUIRED
> ## eap_decode_packet ##: Got an EAP failure
> Failed to Authenticate
> CONNECTING
> ## eap_decode_packet ##: Got an EAP request
> ## eap_decode_packet ##: Type is Identity
> Connection Established, authenticating...
> ACQUIRED
> ## eap_decode_packet ##: Got an EAP request
> ## eap_decode_packet ##: Type is Identity
> Connection Established, authenticating...
> ## eap_decode_packet ##: Got an EAP request
> ### Type is 25, length: 6
> Loading certificate /etc/1x/certs/CAroot.pem . . .
> (TLS)Loaded root certificate /etc/1x/certs/CAroot.pem and dirctory (null)
> --- SSL : before/connect initialization
> --- SSL : before/connect initialization
> --- SSL : SSLv3 write client hello A
> --- SSL : SSLv3 read server hello A
> Destination : 1:80:c2:0:0:3
> AUTHENTICATING
>
>
> ....there xsupplicant stays for some time and, after a timeout
> (tens of seconds), tries again in a loop.
> -------------------------------------------
> at the same time Radiator writes this in the logfile: (please don't be
> confused by the username wifi, it's a wired device)
>
>
> Thu Jan 29 15:55:37 2004: DEBUG: Packet dump:
> *** Received from a.b.c.d port 516 ....
> Code: Access-Request
> Identifier: 138
> Authentic: s<147>t R<178>;<201><5>//<13><233>[<207>f
> Attributes:
> User-Name = "wifi"
> NAS-IP-Address = a.b.c.d
> NAS-Port = 3
> Called-Station-Id = "00:0C:46:22:71:20"
> Calling-Station-Id = "00:30:4F:20:F1:54"
> Framed-MTU = 1400
> NAS-Port-Type = Ethernet
> Connect-Info = "100Mbps"
> EAP-Message = <2>,<0><9><1>wifi
> Message-Authenticator =
> <190><188><255>=<233>)1<245><28><167>?<211>|<193>><241>
>
> Thu Jan 29 15:55:37 2004: DEBUG: Handling request with Handler ''
> Thu Jan 29 15:55:37 2004: DEBUG: Deleting session for wifi, a.b.c.d, 3
> Thu Jan 29 15:55:37 2004: DEBUG: Handling with Radius::AuthFILE:
> Thu Jan 29 15:55:37 2004: DEBUG: Handling with EAP: code 2, 44, 9
> Thu Jan 29 15:55:37 2004: DEBUG: Response type 1
> Thu Jan 29 15:55:37 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu Jan 29 15:55:37 2004: DEBUG: Access challenged for wifi: EAP PEAP
> Challenge
> Thu Jan 29 15:55:37 2004: DEBUG: Packet dump:
> *** Sending to a.b.c.d port 516 ....
> Code: Access-Challenge
> Identifier: 138
> Authentic: s<147>t R<178>;<201><5>//<13><233>[<207>f
> Attributes:
> EAP-Message = <1>-<0><6><25>!
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu Jan 29 15:55:37 2004: DEBUG: Packet dump:
> *** Received from a.b.c.d port 516 ....
> Code: Access-Request
> Identifier: 140
> Authentic: u<158><154>d<168><218><1><13><12><209>~<184><181>Q<192>9
> Attributes:
> User-Name = "wifi"
> NAS-IP-Address = a.b.c.d
> NAS-Port = 3
> Called-Station-Id = "00:0C:46:22:71:20"
> Calling-Station-Id = "00:30:4F:20:F1:54"
> Framed-MTU = 1400
> NAS-Port-Type = Ethernet
> Connect-Info = "100Mbps"
> EAP-Message =
> <2>-<0>n<25><129><0><0><0>d<22><3><1><0>_<1><0><0>[<3><1>@<25><30><237><158
>>XFH<128><183>8^o<12>S<208><178><159>7<18>6<252><133>r<250><219><174><23>T<1
>39>N<226><0><0>4<0>9<0>8<0>5<0><22><0><19><0><10><0>3<0>2<0>/<0>f<0><5><0><4
>><0>c<0>b<0>a<0><21><0><18><0><9><0>e<0>d<0>`<0><20><0><17><0><8><0><6><0><3
>><1><0> Message-Authenticator =
> <190>P;<187>6<190><143><240><154><241><254><152><23><0><133><214>
>
> Thu Jan 29 15:55:37 2004: DEBUG: Handling request with Handler ''
> Thu Jan 29 15:55:37 2004: DEBUG: Deleting session for wifi, a.b.c.d, 3
> Thu Jan 29 15:55:37 2004: DEBUG: Handling with Radius::AuthFILE:
> Thu Jan 29 15:55:37 2004: DEBUG: Handling with EAP: code 2, 45, 110
> Thu Jan 29 15:55:37 2004: DEBUG: Response type 25
> Thu Jan 29 15:55:37 2004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Thu Jan 29 15:55:37 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu Jan 29 15:55:37 2004: DEBUG: Access challenged for wifi: EAP PEAP
> Challenge
> Thu Jan 29 15:55:37 2004: DEBUG: Packet dump:
> *** Sending to a.b.c.d port 516 ....
> Code: Access-Challenge
> Identifier: 140
> Authentic: u<158><154>d<168><218><1><13><12><209>~<184><181>Q<192>9
> Attributes:
> EAP-Message =
> <1>.<4><10><25><193><0><0><8>P<22><3><1><0>J<2><0><0>F<3><1>@<25><30><233><
>232>-<18><156><132><14>Av'<196><13><27><158>^<169><22><203><169><23><135><28
>><165>_<135>8<253><22>x
> <154>k][<167>[|o<134>L<167>yBs<195><207>-6<202><219><158><166><3><203><250>
><152>`<136><168>y<155><132><0>5<0><22><3><1><7><27><11><0><7><23><0><7><20><
>0><2><209>0<130><2><205>0<130><2>6<160><3><2><1><2><2><1><2>0<13><6><9>*<134
>>H<134><247><13><1><1><4><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<1
>7>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<
>30>0<28><6><3>U<4><10><19><21>OSC Demo
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec EAP-Message =
> tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use in production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23>
><13>030227061500Z<23><13>040227061500Z0u1<11>0<9><6><3>U<4><6><19><2>AU1<17>
>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<24
>>0<22><6><3>U<4><10><19><15>My Test
> Company1%0#<6><3>U<4><3><19><28>test.server.some.company.com0<129><159>0<13
>><6><9>*<134>H<134><247><13><1><1> EAP-Message =
> <1><5><0><3><129><141><0>0<129><137><2><129><129><0><196><186>)<217><245><2
>05><159>@<144><133><177><255>0<165><3><215>cGR<136><231><253>9<193><13><255>
>m@<220>y^<160><244><236>Sa'<198>^<231><158>4<156>"<242>IS<151><30><211>$<142
>><196>!}R<146><166><129>yh<17><162><207><196><0><171>5s<187><229><139>2<250>
><146><1><187><207><226><203>5<251><178><1><212><178><141><219>O<253><134><21
>3>N|<172>:J<23><173><161><191><141><25>&<198>Fi<17><181><137>Fy<0><177><210>
><215><186>x<141><197><212>s<145><235>\<164><8>!<2><3><1><0><1><163><23>0<21>
>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<
>134><247><13><1><1><4><5><0><3><129><129><0><20>m<159><141><185><184><252><2
>48><201>FM<195>PB(^<127>3<24><136><172><19><211><137><132>EF<170>9<236>^<187
>><146><253><171><200><183><230><148><142><21>_<9>^<227><10>3<162><186><214><
>206><197>Tq<219><4>r<239>?<1><16><203> EAP-Message =
> T<0><161>wm<173>S<4><0>)<141><209><<197>tT<228><150>P<156><22>^zes^<202>u<1
>61><176>F3=<4><200><229><154>q<146><194>cy<23>z*o><219><28><206>t<196><188><
>3><195>.%<19>mD<242><149><237>O<138><193><0><4>=0<130><4>90<130><3><162><160
>><3><2><1><2><2><1><0>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><
>202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<1
>8>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC Demo
> Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
> Section1/0-<6><3>U<4><3><19>&OSC Test CA (do not
> EAP-Message = use in production)1 0<30>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>
> ---------------------------------------------------------------------------
> fragment of radiator config:
>
> <Client a.b.c.d>
>     Secret xxxxxx
>     Identifier 8021xAllied
> </Client>
>
> <Handler Request-Type = Accounting-Request>
>     <AuthBy SQL>
>         DBSource dbi:mysql:radiator
>         DBUsername radiator
>         DBAuth xxxxx
>         # Just accounting, no auth
>         IgnoreAuthentication
>         AuthSelect
>         AccountingTable inetaccounting
>         AcctColumnDef username,User-Name
>         AcctColumnDef time_stamp,Timestamp,integer
>         AcctColumnDef acctstatustype,Acct-Status-Type
>         AcctColumnDef acctinputoctets,Acct-Input-Octets,integer
>         AcctColumnDef acctoutputoctets,Acct-Output-Octets,integer
>         AcctColumnDef acctsessiontime,Acct-Session-Time,integer
>         AcctColumnDef acctterminatecause,Acct-Terminate-Cause
>         AcctColumnDef nasidentifier,NAS-Identifier
>         AcctColumnDef framedipaddress,Framed-IP-Address
>     </AuthBy>
> </Handler>
>
> <Handler TunnelledByPEAP=1>
>     <AuthBy SQL>
>         DBSource dbi:mysql:radiator
>         DBUsername radiator
>         DBAuth xxxxx
>         AuthSelect select password from inetusers where \
>             username = %0 and locked = 0
>         EAPType MSCHAP-V2
>     </AuthBy>
> </Handler>
>
> <Handler>
>     <AuthBy FILE>
>         # outer auth file, only anonymous inside
>         Filename /etc/radiator/outerEAPusers
>         EAPType PEAP
>         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1024
>         SSLeayTrace 4 # 1=ciphers, 2=trace, 3=dump data
>     </AuthBy> # auth by file
> </Handler>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
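The fragmentation that the suggestion about EAPTLS_MaxFragmentSize is about can be seen in the Radiator log above: the Access-Challenge for Identifier 140 carries an EAP request whose header reads code 1, id 46, length 1034, type 25 (PEAP), flags 0xC1 (L and M set, PEAP version 1), then a 4-byte TLS message length of 2128, then the first 1024 bytes of TLS data, and that 1034-byte EAP packet is split across several 253-byte EAP-Message attributes. The following Python is an added example, not code from the thread, from Radiator or from the switch firmware: it fragments a TLS flight into EAP requests under a chosen fragment size, packs each request into RADIUS EAP-Message attributes as the log shows, and reassembles and decodes them the way a NAS would, so the effect of dropping the fragment size from 1024 to 1000 or 800 can be inspected. The TLS payload is constructed (only its 2128-byte size matches the log) and the 4-byte EAPOL overhead used for the Framed-MTU check is an assumption.

```python
"""EAP-TLS/PEAP fragmentation as carried in RADIUS EAP-Message attributes.
Added example; not code from the thread, from Radiator or from the switch."""
from __future__ import annotations
import struct

EAP_REQUEST = 1
EAP_TYPE_PEAP = 25
FLAG_L = 0x80                 # TLS message length field present (first fragment)
FLAG_M = 0x40                 # more fragments follow
FLAG_S = 0x20                 # EAP-TLS start; not set on data fragments
RADIUS_EAP_MESSAGE = 79       # RADIUS attribute type of EAP-Message
RADIUS_ATTR_MAX_VALUE = 253   # one-byte attribute length minus 2 header bytes
EAP_TLS_HEADER = 6            # code, id, length(2), type, flags
EAPOL_OVERHEAD = 4            # assumption: EAPOL header the NAS adds per EAP packet


def fragment_tls(tls_data, first_id, max_fragment, eap_type=EAP_TYPE_PEAP, version=0):
    """Split one TLS message into EAP request packets carrying at most
    max_fragment TLS bytes each (RFC 2716 framing; PEAP keeps its version
    number in the low three flag bits)."""
    if max_fragment <= 0:
        raise ValueError("max_fragment must be positive")
    fragments = []
    ident = first_id
    for offset in range(0, len(tls_data), max_fragment):
        chunk = tls_data[offset:offset + max_fragment]
        flags = version & 0x07
        length_field = b""
        if offset == 0:                       # first fragment announces total TLS length
            flags |= FLAG_L
            length_field = struct.pack("!I", len(tls_data))
        if offset + len(chunk) < len(tls_data):
            flags |= FLAG_M
        total = EAP_TLS_HEADER + len(length_field) + len(chunk)
        header = struct.pack("!BBHBB", EAP_REQUEST, ident & 0xFF, total, eap_type, flags)
        fragments.append(header + length_field + chunk)
        ident += 1
    return fragments


def to_eap_message_attrs(eap_packet):
    """Server side: one EAP packet becomes consecutive EAP-Message attributes of
    at most 253 value bytes, which is why one Access-Challenge in the log shows
    several 'EAP-Message =' lines."""
    attrs = []
    for i in range(0, len(eap_packet), RADIUS_ATTR_MAX_VALUE):
        chunk = eap_packet[i:i + RADIUS_ATTR_MAX_VALUE]
        attrs.append(bytes([RADIUS_EAP_MESSAGE, len(chunk) + 2]) + chunk)
    return attrs


def reassemble_eap(attrs):
    """NAS side: concatenate EAP-Message values in order and check the EAP
    length field against the number of bytes actually received."""
    packet = b"".join(a[2:a[1]] for a in attrs if a[0] == RADIUS_EAP_MESSAGE)
    if len(packet) < 4:
        raise ValueError("no complete EAP header in EAP-Message attributes")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP length field {length} but {len(packet)} bytes reassembled")
    return packet


def parse_eap_tls(packet):
    """Decode the EAP-TLS/PEAP header of one fragment for inspection."""
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", packet[:6])
    info = {"code": code, "id": ident, "length": length, "type": eap_type,
            "L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M),
            "S": bool(flags & FLAG_S), "version": flags & 0x07}
    body = packet[6:length]
    if info["L"]:
        info["tls_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    info["data"] = body
    return info


def fits_framed_mtu(eap_packet, framed_mtu, overhead=EAPOL_OVERHEAD):
    """Would the EAP packet plus the assumed EAPOL overhead fit the Framed-MTU
    the NAS advertised (1400 in the log)?"""
    return len(eap_packet) + overhead <= framed_mtu


def demo():
    """Fragment a constructed 2128-byte TLS flight (size taken from the log,
    contents invented) with the three fragment sizes discussed in the thread."""
    tls_flight = bytes(range(256)) * 8 + bytes(80)   # 2048 + 80 = 2128 bytes
    results = {}
    for max_frag in (1024, 1000, 800):
        frags = fragment_tls(tls_flight, first_id=46, max_fragment=max_frag, version=1)
        attrs = to_eap_message_attrs(frags[0])
        assert reassemble_eap(attrs) == frags[0]   # round trip through RADIUS attributes
        results[max_frag] = {
            "fragments": len(frags),
            "first_eap_len": len(frags[0]),
            "eap_message_attrs": len(attrs),
            "fits_1400": fits_framed_mtu(frags[0], 1400),
        }
    return results


if __name__ == "__main__":
    for size, stats in demo().items():
        print(f"EAPTLS_MaxFragmentSize {size}: {stats}")
```

With the 1024 setting the first fragment reproduces the header bytes visible in the log (1, 46, 0x040A, 25, 0xC1, then 0x00000850) and needs five EAP-Message attributes; 1000 or 800 keeps all three sizes within the advertised Framed-MTU, so the example shows what changes on the wire when the setting is lowered, not why this particular switch stalls.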