(RADIATOR) SSL certificate for 802.1x PEAP/aironet1100 WLAN

Scott Xiao - ANTlabs scottxiao at antlabs.com
Tue Jul 27 02:40:52 CDT 2004


Hi, Hugh,
Thanks, I am arranging to get a Gemtek access point this week to test it,
since my Aironet AP is for internal testing only with no technical support
from Cisco, and Cisco doesn't support me on that issue. If you or any friends
on the mailing list know about the issue, please let me and other people know,
thanks.

Now I am going to purchase an SSL certificate from www.freessl.com for the
RADIUS server, but the one I found on that website doesn't mention RADIUS
servers; it seems it only works with web servers. Are they the same? Can I use it?
Or do you sell any certificates as well? How much for one year, if you do?
Thanks!

Rgds
Scott Xiao Qian / ANTlabs Singapore
www.antlabs.com

-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
Behalf Of Hugh Irvine
Sent: Friday, July 23, 2004 10:06 AM
To: scottxiao at antlabs.com
Cc: radiator at open.com.au; Terry Simons; Mike McCauley
Subject: Re: (RADIATOR) User always get authentication succeeded after
Timeleft expired with 802.1x PEAP/aironet1100 WLAN



Hello Scott -

Thanks for sending the debug which does indeed show that there are no
accounting requests.

If there are no accounting requests, then the TIMELEFT is not
decremented, therefore the authentication will succeed and the
Session-Timeout will always remain the same.

You will need to find out why the accounting requests are not being
sent by the access point.

regards

Hugh


On 22 Jul 2004, at 21:25, Scott Xiao - ANTlabs wrote:

> Hi, Hugh,
> I checked the Radiator configuration file and added the line to update the
> timeleft for the user, so UAM works well now. But for 802.1x login, the
> user is still authenticated automatically and the timeleft (I set it to 30
> seconds) value remains. Unless I stop the radiator, the authentication will
> not fail; it seems the radiator or AP didn't send accounting stop to update
> the mysql user database.... here is the log... thanks! -- Scott
>  Mon Jul 19 19:21:39 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
> Code:       Access-Request
> Identifier: 156
> Authentic:  }<4><139>$)O<180>M<240><210>a3<160><212>E<151>
> Attributes:
> 	User-Name = "john"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "000f.34db.6690"
> 	Calling-Station-Id = "000c.f108.37bf"
> 	Message-Authenticator =
> <199><212><236><212><233><*B$_$<169><164>Uj<135>
> 	EAP-Message =
> <2><9><0><29><25><0><23><3><1><0><18><139><141><197><223><189><229>4<0>
> <22>X
> <254><231>1N<27><208><161>V
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 298
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 10.0.0.1
> 	NAS-Identifier = "ps-ap"
> 	Proxy-State = 239
>
> Mon Jul 19 19:21:39 2004: DEBUG: Handling request with Handler ''
> Mon Jul 19 19:21:39 2004: DEBUG:  Deleting session for john, 10.0.0.1,
> 298
> Mon Jul 19 19:21:39 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:21:39 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:21:39 2004: DEBUG: Handling with EAP: code 2, 9, 29
> Mon Jul 19 19:21:39 2004: DEBUG: Response type 25
> Mon Jul 19 19:21:39 2004: DEBUG: EAP PEAP inner authentication request
> for
> anonymous
> Mon Jul 19 19:21:41 2004: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <165><165><180><156><234>1cd<141><251><2>g<11>,<215><2>
> Attributes:
> 	EAP-Message = <2><9><0><2><26><3>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	User-Name = "anonymous"
> 	NAS-IP-Address = 10.0.0.1
> 	NAS-Identifier = "ps-ap"
> 	NAS-Port = 298
> 	Calling-Station-Id = "000c.f108.37bf"
>
> Mon Jul 19 19:21:41 2004: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Mon Jul 19 19:21:41 2004: DEBUG: Rewrote user name to anonymous
> Mon Jul 19 19:21:41 2004: DEBUG:  Deleting session for , 10.0.0.1, 298
> Mon Jul 19 19:21:41 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:21:41 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:21:41 2004: DEBUG: Handling with EAP: code 2, 9, 2
> Mon Jul 19 19:21:41 2004: DEBUG: Response type 26
> Mon Jul 19 19:21:41 2004: DEBUG: EAP result: 0,
> Mon Jul 19 19:21:41 2004: DEBUG: Access accepted for anonymous
> Mon Jul 19 19:21:41 2004: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redespatched to a Handler
> Mon Jul 19 19:21:41 2004: DEBUG: Access challenged for john: EAP PEAP
> inner
> authentication redespatched to a Handler
> Mon Jul 19 19:21:41 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
> Code:       Access-Challenge
> Identifier: 156
> Authentic:  }<4><139>$)O<180>M<240><210>a3<160><212>E<151>
> Attributes:
> 	EAP-Message =
> <1><10><0>&<25><0><23><3><1><0><27>nL]<255><149>H<227>}s<225>YF<210><20
> 7><16
>> <213><12><196>0<178>/<13>x<174><179><0><150>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	Proxy-State = 239
>
> Mon Jul 19 19:21:41 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
> Code:       Access-Request
> Identifier: 157
> Authentic:   <212><135>3o<178><182><27><224><192>-<241><138><195>ee
> Attributes:
> 	User-Name = "john"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "000f.34db.6690"
> 	Calling-Station-Id = "000c.f108.37bf"
> 	Message-Authenticator =
> <146><195><193>C<156><240><128><26><15>|=<248><180><225>S<220>
> 	EAP-Message =
> <2><10><0>&<25><0><23><3><1><0><27><150>l<+<4><2><168><174><238>0<169>?
> K7<20
> 1><5><25><179>3<146><1><222><253>d<193><16><254>
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 298
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 10.0.0.1
> 	NAS-Identifier = "ps-ap"
> 	Proxy-State = 240
>
> Mon Jul 19 19:21:41 2004: DEBUG: Handling request with Handler ''
> Mon Jul 19 19:21:41 2004: DEBUG:  Deleting session for john, 10.0.0.1,
> 298
> Mon Jul 19 19:21:41 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:21:41 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:21:41 2004: DEBUG: Handling with EAP: code 2, 10, 38
> Mon Jul 19 19:21:41 2004: DEBUG: Response type 25
> Mon Jul 19 19:21:41 2004: DEBUG: EAP result: 0,
> Mon Jul 19 19:21:41 2004: DEBUG: Access accepted for john
> Mon Jul 19 19:21:41 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
> Code:       Access-Accept
> Identifier: 157
> Authentic:   <212><135>3o<178><182><27><224><192>-<241><138><195>ee
> Attributes:
> 	Session-Timeout = 30
> 	EAP-Message = <3><10><0><4>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	MS-MPPE-Send-Key =
> "<130><182>^<193>@<204><179><231>"<250><244><140><24><164>F.<140>Yq<179
> ><191
>> x<225><202><31>W<181><^a><0><207><152>Y<251><150><166>E"<189>JcT?
>> <146>u<174
>> 2^"
> 	MS-MPPE-Recv-Key =
> "<157>Gq<224><175><146><250><251>-
> ~<162><161><254><236><28>+<169>gt<153><138
>> <26>M<141><132><243><172>@<143>m<185>B-
>> '<204><0>h<198><185>il<187>+<175>t<1
> 92><191>C<177><17>"
> 	Proxy-State = 240
>
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
> Code:       Access-Request
> Identifier: 158
> Authentic:  <2><214>Y<138><226><10>8<25><254><143><21>qu<2><161><229>
> Attributes:
> 	User-Name = "john"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "000f.34db.6690"
> 	Calling-Station-Id = "000c.f108.37bf"
> 	Message-Authenticator =
> <221>q<184><190><2><202><144><182><225>*<28><130>V<129><194>0
> 	EAP-Message = <2><5><0><9><1>john
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 298
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 10.0.0.1
> 	NAS-Identifier = "ps-ap"
> 	Proxy-State = 241
>
> Mon Jul 19 19:22:08 2004: DEBUG: Handling request with Handler ''
> Mon Jul 19 19:22:08 2004: DEBUG:  Deleting session for john, 10.0.0.1,
> 298
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with EAP: code 2, 5, 9
> Mon Jul 19 19:22:08 2004: DEBUG: Response type 1
> Mon Jul 19 19:22:08 2004: DEBUG: Resuming session for
> Radius::Context=HASH(0x97a1d48)
>
> Mon Jul 19 19:22:08 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Jul 19 19:22:08 2004: DEBUG: Access challenged for john: EAP PEAP
> Challenge
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
> Code:       Access-Challenge
> Identifier: 158
> Authentic:  <2><214>Y<138><226><10>8<25><254><143><21>qu<2><161><229>
> Attributes:
> 	EAP-Message = <1><6><0><6><25>!
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	Proxy-State = 241
>
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
> Code:       Access-Request
> Identifier: 159
> Authentic:  <215>x<159><31><186><217>Y<200>gd<182>#<229><187><228><159>
> Attributes:
> 	User-Name = "john"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "000f.34db.6690"
> 	Calling-Station-Id = "000c.f108.37bf"
> 	Message-Authenticator =
> <22><22><16>?0R<156><176><5><167>c<184><203><239><22>F
> 	EAP-Message =
> <2><6><0>p<25><128><0><0><0>f<22><3><1><0>a<1><0><0>]<3><1>@<255><161><
> 136>o
> <142><195>,<166><236>\<134><151>t<20>S<175><208>"<243><24>:
> <142>7<29><17>H<3
> 0><173><190><212>R
> <245><23><240><233><243>V><213><181>vs<245><252><158><194><254><179><13
> 2><1>
> <175><1><15><210><216>-
> <230>YJ<163><245><224><176><0><22><0><4><0><5><0><10>
> <0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 298
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 10.0.0.1
> 	NAS-Identifier = "ps-ap"
> 	Proxy-State = 242
>
> Mon Jul 19 19:22:08 2004: DEBUG: Handling request with Handler ''
> Mon Jul 19 19:22:08 2004: DEBUG:  Deleting session for john, 10.0.0.1,
> 298
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with EAP: code 2, 6, 112
> Mon Jul 19 19:22:08 2004: DEBUG: Response type 25
> Mon Jul 19 19:22:08 2004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8640
> Mon Jul 19 19:22:08 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Jul 19 19:22:08 2004: DEBUG: Access challenged for john: EAP PEAP
> Challenge
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
> Code:       Access-Challenge
> Identifier: 159
> Authentic:  <215>x<159><31><186><217>Y<200>gd<182>#<229><187><228><159>
> Attributes:
> 	EAP-Message =
> <1><7><0><132><25><128><0><0><0>z<22><3><1><0>J<2><0><0>F<3><1>@<251><1
> 74><2
> 24><143><24>Y<149>><171><222><234><169><131>D%<190><216>R,r(<3>Bb<194><
> 137><
> 8><187>u<2><248>
> <245><23><240><233><243>V><213><181>vs<245><252><158><194><254><179><13
> 2><1>
> <175><1><15><210><216>-
> <230>YJ<163><245><224><176><0><4><0><20><3><1><0><1><
> 1><22><3><1><0>
> =q<21>A<18><17><18><229>`<254>%<188>;
> <164>^<245>*<1><28>f~<210>~<164><6>S8<1
> 36><135>22<137>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	Proxy-State = 242
>
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
> Code:       Access-Request
> Identifier: 160
> Authentic:  <142><194>m<191>%9<30><191><217>yq<162><141><238>0L
> Attributes:
> 	User-Name = "john"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "000f.34db.6690"
> 	Calling-Station-Id = "000c.f108.37bf"
> 	Message-Authenticator = <163>D<198>7K<190>MU<253><226><251>~$<184><2>Y
> 	EAP-Message =
> <2><7><0>5<25><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0>
> 9w[<189><147>cUi<229><27>?
> rQ<190><146>Q<134><10><233><132>d<144><178><129>g<
> 233>uu<<15><18><237>
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 298
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 10.0.0.1
> 	NAS-Identifier = "ps-ap"
> 	Proxy-State = 243
>
> Mon Jul 19 19:22:08 2004: DEBUG: Handling request with Handler ''
> Mon Jul 19 19:22:08 2004: DEBUG:  Deleting session for john, 10.0.0.1,
> 298
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:22:08 2004: DEBUG: Handling with EAP: code 2, 7, 53
> Mon Jul 19 19:22:08 2004: DEBUG: Response type 25
> Mon Jul 19 19:22:08 2004: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Mon Jul 19 19:22:08 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> Mon Jul 19 19:22:08 2004: DEBUG: Access challenged for john: EAP PEAP
> Challenge
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
> Code:       Access-Challenge
> Identifier: 160
> Authentic:  <142><194>m<191>%9<30><191><217>yq<162><141><238>0L
> Attributes:
> 	EAP-Message =
> <1><8><0><28><25><0><23><3><1><0><17><173><244><201>0<135><128><162>O<2
> 51>B<
> 128><143><232><252><237>Yn
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	Proxy-State = 243
>
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
> Code:       Access-Request
> Identifier: 161
> Authentic:  <196>]Q<207>{<131><199><244>]<255>}<198><161><139>&<231>
> Attributes:
> 	User-Name = "john"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "000f.34db.6690"
> 	Calling-Station-Id = "000c.f108.37bf"
> 	Message-Authenticator =
> U<137>|<176><173>f<30><186>I<129>Q<131><244><0><174><31>
> 	EAP-Message = <2><8><0>
> <25><0><23><3><1><0><21>w<197><141>U<R<1><26><3>|<5><227>f<215><155><13
> 3><14
> 5>y@<208><215>
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 298
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 10.0.0.1
> 	NAS-Identifier = "ps-ap"
> 	Proxy-State = 244
>
> Mon Jul 19 19:22:08 2004: DEBUG: Handling request with Handler ''
> Mon Jul 19 19:22:08 2004: DEBUG:  Deleting session for john, 10.0.0.1,
> 298
> Mon Jul 19 19:22:09 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:22:09 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:22:09 2004: DEBUG: Handling with EAP: code 2, 8, 32
> Mon Jul 19 19:22:09 2004: DEBUG: Response type 25
> Mon Jul 19 19:22:09 2004: DEBUG: EAP PEAP inner authentication request
> for
> anonymous
> Mon Jul 19 19:22:09 2004: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <29><187><15>Q1<233><173><196>"n1<167>"<212><214><185>
> Attributes:
> 	EAP-Message = <2><8><0><5><1>john
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	User-Name = "anonymous"
> 	NAS-IP-Address = 10.0.0.1
> 	NAS-Identifier = "ps-ap"
> 	NAS-Port = 298
> 	Calling-Station-Id = "000c.f108.37bf"
>
> Mon Jul 19 19:22:09 2004: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Mon Jul 19 19:22:09 2004: DEBUG: Rewrote user name to anonymous
> Mon Jul 19 19:22:09 2004: DEBUG:  Deleting session for , 10.0.0.1, 298
> Mon Jul 19 19:22:09 2004: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 19 19:22:09 2004: DEBUG: Handling with Radius::AuthSQL:
> Mon Jul 19 19:22:09 2004: DEBUG: Handling with EAP: code 2, 8, 5
> Mon Jul 19 19:22:09 2004: DEBUG: Response type 1
> Mon Jul 19 19:22:09 2004: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Mon Jul 19 19:22:09 2004: DEBUG: Access challenged for anonymous: EAP
> MSCHAP-V2 Challenge
> Mon Jul 19 19:22:09 2004: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redespatched to a Handler
> Mon Jul 19 19:22:09 2004: DEBUG: Access challenged for john: EAP PEAP
> inner
> authentication redespatched to a Handler
> Mon Jul 19 19:22:09 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
> Code:       Access-Challenge
> Identifier: 161
> Authentic:  <196>]Q<207>{<131><199><244>]<255>}<198><161><139>&<231>
> Attributes:
> 	EAP-Message =
> <1><9><0>3<25><0><23><3><1><0>(<224>|<156>o<171><203><148><166>2<17><17
> ><150
>> R<185>?<131>?
>> >C<3><137>B<161>,<160><2><253><201><195><8><164><233><14>t<13>
> ]ps<1>S
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	Proxy-State = 244

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
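The mechanism Hugh describes above (no Accounting-Request means TIMELEFT is never decremented, so every authentication succeeds with the same Session-Timeout), as an added Python model that is not Radiator's code and not part of the original thread. It assumes a SUBSCRIBERS table with a TIMELEFT column, a password check, and an accounting Stop that subtracts Acct-Session-Time from TIMELEFT; the table, column and function names are assumptions, and the two log excerpts are constructed in the shape of the quoted trace. The second half automates the check Hugh made by eye: count the packet codes in the debug trace and report whether any Accounting-Request ever arrived from the access point.

```python
"""Model of the TIMELEFT / Session-Timeout interaction described in the thread.

Added example, not Radiator's own code. It assumes a SUBSCRIBERS table with a
TIMELEFT column (seconds of credit remaining), an authentication step that
returns TIMELEFT as the Session-Timeout reply attribute, and an accounting step
that subtracts Acct-Session-Time from TIMELEFT when an Accounting-Request
(Acct-Status-Type = Stop) arrives. Table, column and attribute names are
illustrative assumptions.
"""
import re
import sqlite3
from collections import Counter


def make_db():
    """In-memory SUBSCRIBERS table with one user holding 30 seconds of credit."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SUBSCRIBERS "
               "(USERNAME TEXT PRIMARY KEY, PASSWORD TEXT, TIMELEFT INTEGER)")
    db.execute("INSERT INTO SUBSCRIBERS VALUES ('john', 'secret', 30)")
    db.commit()
    return db


def access_request(db, username, password):
    """Authenticate: Access-Accept carrying Session-Timeout = TIMELEFT, or Access-Reject."""
    row = db.execute("SELECT PASSWORD, TIMELEFT FROM SUBSCRIBERS WHERE USERNAME = ?",
                     (username,)).fetchone()
    if row is None or row[0] != password or row[1] <= 0:
        return "Access-Reject", {}
    return "Access-Accept", {"Session-Timeout": row[1]}


def accounting_stop(db, username, acct_session_time):
    """Accounting-Request Stop: charge the session time against TIMELEFT (never below 0)."""
    db.execute("UPDATE SUBSCRIBERS SET TIMELEFT = MAX(TIMELEFT - ?, 0) WHERE USERNAME = ?",
               (acct_session_time, username))
    db.commit()


def simulate(db, logins, nas_sends_accounting):
    """Run repeated 802.1X logins; each session is assumed to last its full Session-Timeout.

    Returns a list of (code, Session-Timeout) per login. With accounting the
    credit drains and the next login is rejected; without it TIMELEFT never
    changes, so every login is accepted with the same Session-Timeout, which
    is exactly the symptom in the quoted trace.
    """
    results = []
    for _ in range(logins):
        code, reply = access_request(db, "john", "secret")
        results.append((code, reply.get("Session-Timeout")))
        if code == "Access-Accept" and nas_sends_accounting:
            accounting_stop(db, "john", reply["Session-Timeout"])
    return results


# Constructed debug-log excerpts in the shape of the trace quoted in the thread
# (lines may carry a '>' quote prefix). The first has authentication traffic only.
LOG_NO_ACCOUNTING = """\
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1814 ....
> Code:       Access-Request
> Identifier: 158
> Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1814 ....
> Code:       Access-Accept
> Identifier: 158
"""

LOG_WITH_ACCOUNTING = LOG_NO_ACCOUNTING + """\
> Mon Jul 19 19:22:40 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1815 ....
> Code:       Accounting-Request
> Identifier: 12
>     Acct-Status-Type = Stop
>     Acct-Session-Time = 30
> Mon Jul 19 19:22:40 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1815 ....
> Code:       Accounting-Response
> Identifier: 12
"""

CODE_RE = re.compile(r"^(?:>[ \t]*)*Code:[ \t]+(\S+)", re.MULTILINE)


def packet_codes(log_text):
    """Count the RADIUS packet codes appearing in a debug trace."""
    return Counter(CODE_RE.findall(log_text))


def accounting_seen(log_text):
    """True if the NAS sent at least one Accounting-Request during the trace."""
    return packet_codes(log_text)["Accounting-Request"] > 0


if __name__ == "__main__":
    print("NAS sends accounting:   ", simulate(make_db(), 3, True))
    print("NAS sends no accounting:", simulate(make_db(), 3, False))
    for name, log in (("no accounting", LOG_NO_ACCOUNTING),
                      ("with accounting", LOG_WITH_ACCOUNTING)):
        print(f"{name}: {dict(packet_codes(log))} -> accounting seen: {accounting_seen(log)}")
```

Running the block prints both scenarios side by side. When a trace shows Access-Request and Access-Accept but no Accounting-Request or Accounting-Response at all, the RADIUS side is behaving as configured and the place to look is the access point's accounting settings, which is the conclusion Hugh draws above.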
