(RADIATOR) SSL certificate for 802.1x PEAP/aironet1100 WLAN
Mike McCauley
mikem at open.com.au
Tue Jul 27 02:55:25 CDT 2004
On Tuesday 27 July 2004 17:40, Scott Xiao - ANTlabs wrote:
> Hi, Hugh,
> Thanks. I am arranging to get a Gemtek access point this week to test it,
> since my Aironet AP is for internal testing only and has no technical support
> from Cisco, and Cisco doesn't support me on that issue. If you or any friends
> on the mailing list know about the issue, please let me and other people know.
> Thanks.
>
> Now I am going to purchase an SSL certificate from www.freessl.com for the
> RADIUS server, but the one I found on that website doesn't mention RADIUS
> servers; it seems it only works with web servers. Are they the same? Can I use it?
If you plan to use the server certificate with Windows XP clients and similar,
the server certificate _must_ contain the XP server extension OID, so a
generic web client certificate will not work.
> Or do you sell any certificates as well? How much for one year, if you do?
See our private certificate authority software CATool (www.open.com.au/catool).
Cheers.
> Thanks!
>
> Rgds
> Scott Xiao Qian / ANTlabs Singapore
> www.antlabs.com
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
> Behalf Of Hugh Irvine
> Sent: Friday, July 23, 2004 10:06 AM
> To: scottxiao at antlabs.com
> Cc: radiator at open.com.au; Terry Simons; Mike McCauley
> Subject: Re: (RADIATOR) User always get authentication succeeded after
> Timeleft expired with 802.1x PEAP/aironet1100 WLAN
>
>
>
> Hello Scott -
>
> Thanks for sending the debug which does indeed show that there are no
> accounting requests.
>
> If there are no accounting requests, then the TIMELEFT is not
> decremented, therefore the authentication will succeed and the
> Session-Timeout will always remain the same.
>
> You will need to find out why the accounting requests are not being
> sent by the access point.
>
> regards
>
> Hugh
>
> On 22 Jul 2004, at 21:25, Scott Xiao - ANTlabs wrote:
> > Hi, Hugh,
> > I checked the Radiator configuration file and added the line to update the
> > timeleft for the user, so UAM works well now. But for 802.1x login, the
> > user is still authenticated automatically and the timeleft (I set it to 30
> > seconds) value remains. Unless I stop the Radiator, the authentication will
> > not fail; it seems the Radiator or AP didn't send an accounting stop to
> > update the MySQL user database.... Here is the log... thanks! -- Scott
> > Mon Jul 19 19:21:39 2004: DEBUG: Packet dump:
> > *** Received from 192.168.123.9 port 1814 ....
> > Code: Access-Request
> > Identifier: 156
> > Authentic: }<4><139>$)O<180>M<240><210>a3<160><212>E<151>
> > Attributes:
> > User-Name = "john"
> > Framed-MTU = 1400
> > Called-Station-Id = "000f.34db.6690"
> > Calling-Station-Id = "000c.f108.37bf"
> > Message-Authenticator =
> > <199><212><236><212><233><*B$_$<169><164>Uj<135>
> > EAP-Message =
> > <2><9><0><29><25><0><23><3><1><0><18><139><141><197><223><189><229>4<0>
> > <22>X
> > <254><231>1N<27><208><161>V
> > NAS-Port-Type = Wireless-IEEE-802-11
> > NAS-Port = 298
> > Service-Type = Framed-User
> > NAS-IP-Address = 10.0.0.1
> > NAS-Identifier = "ps-ap"
> > Proxy-State = 239
> >
> > Mon Jul 19 19:21:39 2004: DEBUG: Handling request with Handler ''
> > Mon Jul 19 19:21:39 2004: DEBUG: Deleting session for john, 10.0.0.1,
> > 298
> > Mon Jul 19 19:21:39 2004: DEBUG: Handling with Radius::AuthSQL
> > Mon Jul 19 19:21:39 2004: DEBUG: Handling with Radius::AuthSQL:
> > Mon Jul 19 19:21:39 2004: DEBUG: Handling with EAP: code 2, 9, 29
> > Mon Jul 19 19:21:39 2004: DEBUG: Response type 25
> > Mon Jul 19 19:21:39 2004: DEBUG: EAP PEAP inner authentication request
> > for
> > anonymous
> > Mon Jul 19 19:21:41 2004: DEBUG: PEAP Tunnelled request Packet dump:
> > Code: Access-Request
> > Identifier: UNDEF
> > Authentic: <165><165><180><156><234>1cd<141><251><2>g<11>,<215><2>
> > Attributes:
> > EAP-Message = <2><9><0><2><26><3>
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > User-Name = "anonymous"
> > NAS-IP-Address = 10.0.0.1
> > NAS-Identifier = "ps-ap"
> > NAS-Port = 298
> > Calling-Station-Id = "000c.f108.37bf"
> >
> > Mon Jul 19 19:21:41 2004: DEBUG: Handling request with Handler
> > 'TunnelledByPEAP=1'
> > Mon Jul 19 19:21:41 2004: DEBUG: Rewrote user name to anonymous
> > Mon Jul 19 19:21:41 2004: DEBUG: Deleting session for , 10.0.0.1, 298
> > Mon Jul 19 19:21:41 2004: DEBUG: Handling with Radius::AuthSQL
> > Mon Jul 19 19:21:41 2004: DEBUG: Handling with Radius::AuthSQL:
> > Mon Jul 19 19:21:41 2004: DEBUG: Handling with EAP: code 2, 9, 2
> > Mon Jul 19 19:21:41 2004: DEBUG: Response type 26
> > Mon Jul 19 19:21:41 2004: DEBUG: EAP result: 0,
> > Mon Jul 19 19:21:41 2004: DEBUG: Access accepted for anonymous
> > Mon Jul 19 19:21:41 2004: DEBUG: EAP result: 3, EAP PEAP inner
> > authentication redespatched to a Handler
> > Mon Jul 19 19:21:41 2004: DEBUG: Access challenged for john: EAP PEAP
> > inner
> > authentication redespatched to a Handler
> > Mon Jul 19 19:21:41 2004: DEBUG: Packet dump:
> > *** Sending to 192.168.123.9 port 1814 ....
> > Code: Access-Challenge
> > Identifier: 156
> > Authentic: }<4><139>$)O<180>M<240><210>a3<160><212>E<151>
> > Attributes:
> > EAP-Message =
> > <1><10><0>&<25><0><23><3><1><0><27>nL]<255><149>H<227>}s<225>YF<210><20
> > 7><16
> >
> >> <213><12><196>0<178>/<13>x<174><179><0><150>
> >
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > Proxy-State = 239
> >
> > Mon Jul 19 19:21:41 2004: DEBUG: Packet dump:
> > *** Received from 192.168.123.9 port 1814 ....
> > Code: Access-Request
> > Identifier: 157
> > Authentic: <212><135>3o<178><182><27><224><192>-<241><138><195>ee
> > Attributes:
> > User-Name = "john"
> > Framed-MTU = 1400
> > Called-Station-Id = "000f.34db.6690"
> > Calling-Station-Id = "000c.f108.37bf"
> > Message-Authenticator =
> > <146><195><193>C<156><240><128><26><15>|=<248><180><225>S<220>
> > EAP-Message =
> > <2><10><0>&<25><0><23><3><1><0><27><150>l<+<4><2><168><174><238>0<169>?
> > K7<20
> > 1><5><25><179>3<146><1><222><253>d<193><16><254>
> > NAS-Port-Type = Wireless-IEEE-802-11
> > NAS-Port = 298
> > Service-Type = Framed-User
> > NAS-IP-Address = 10.0.0.1
> > NAS-Identifier = "ps-ap"
> > Proxy-State = 240
> >
> > Mon Jul 19 19:21:41 2004: DEBUG: Handling request with Handler ''
> > Mon Jul 19 19:21:41 2004: DEBUG: Deleting session for john, 10.0.0.1,
> > 298
> > Mon Jul 19 19:21:41 2004: DEBUG: Handling with Radius::AuthSQL
> > Mon Jul 19 19:21:41 2004: DEBUG: Handling with Radius::AuthSQL:
> > Mon Jul 19 19:21:41 2004: DEBUG: Handling with EAP: code 2, 10, 38
> > Mon Jul 19 19:21:41 2004: DEBUG: Response type 25
> > Mon Jul 19 19:21:41 2004: DEBUG: EAP result: 0,
> > Mon Jul 19 19:21:41 2004: DEBUG: Access accepted for john
> > Mon Jul 19 19:21:41 2004: DEBUG: Packet dump:
> > *** Sending to 192.168.123.9 port 1814 ....
> > Code: Access-Accept
> > Identifier: 157
> > Authentic: <212><135>3o<178><182><27><224><192>-<241><138><195>ee
> > Attributes:
> > Session-Timeout = 30
> > EAP-Message = <3><10><0><4>
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > MS-MPPE-Send-Key =
> > "<130><182>^<193>@<204><179><231>"<250><244><140><24><164>F.<140>Yq<179
> >
> > ><191
> >>
> >> x<225><202><31>W<181><^a><0><207><152>Y<251><150><166>E"<189>JcT?
> >> <146>u<174
> >> 2^"
> >
> > MS-MPPE-Recv-Key =
> > "<157>Gq<224><175><146><250><251>-
> > ~<162><161><254><236><28>+<169>gt<153><138
> >
> >> <26>M<141><132><243><172>@<143>m<185>B-
> >> '<204><0>h<198><185>il<187>+<175>t<1
> >
> > 92><191>C<177><17>"
> > Proxy-State = 240
> >
> > Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> > *** Received from 192.168.123.9 port 1814 ....
> > Code: Access-Request
> > Identifier: 158
> > Authentic: <2><214>Y<138><226><10>8<25><254><143><21>qu<2><161><229>
> > Attributes:
> > User-Name = "john"
> > Framed-MTU = 1400
> > Called-Station-Id = "000f.34db.6690"
> > Calling-Station-Id = "000c.f108.37bf"
> > Message-Authenticator =
> > <221>q<184><190><2><202><144><182><225>*<28><130>V<129><194>0
> > EAP-Message = <2><5><0><9><1>john
> > NAS-Port-Type = Wireless-IEEE-802-11
> > NAS-Port = 298
> > Service-Type = Framed-User
> > NAS-IP-Address = 10.0.0.1
> > NAS-Identifier = "ps-ap"
> > Proxy-State = 241
> >
> > Mon Jul 19 19:22:08 2004: DEBUG: Handling request with Handler ''
> > Mon Jul 19 19:22:08 2004: DEBUG: Deleting session for john, 10.0.0.1,
> > 298
> > Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL
> > Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL:
> > Mon Jul 19 19:22:08 2004: DEBUG: Handling with EAP: code 2, 5, 9
> > Mon Jul 19 19:22:08 2004: DEBUG: Response type 1
> > Mon Jul 19 19:22:08 2004: DEBUG: Resuming session for
> > Radius::Context=HASH(0x97a1d48)
> >
> > Mon Jul 19 19:22:08 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> > Mon Jul 19 19:22:08 2004: DEBUG: Access challenged for john: EAP PEAP
> > Challenge
> > Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> > *** Sending to 192.168.123.9 port 1814 ....
> > Code: Access-Challenge
> > Identifier: 158
> > Authentic: <2><214>Y<138><226><10>8<25><254><143><21>qu<2><161><229>
> > Attributes:
> > EAP-Message = <1><6><0><6><25>!
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > Proxy-State = 241
> >
> > Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> > *** Received from 192.168.123.9 port 1814 ....
> > Code: Access-Request
> > Identifier: 159
> > Authentic: <215>x<159><31><186><217>Y<200>gd<182>#<229><187><228><159>
> > Attributes:
> > User-Name = "john"
> > Framed-MTU = 1400
> > Called-Station-Id = "000f.34db.6690"
> > Calling-Station-Id = "000c.f108.37bf"
> > Message-Authenticator =
> > <22><22><16>?0R<156><176><5><167>c<184><203><239><22>F
> > EAP-Message =
> > <2><6><0>p<25><128><0><0><0>f<22><3><1><0>a<1><0><0>]<3><1>@<255><161><
> > 136>o
> > <142><195>,<166><236>\<134><151>t<20>S<175><208>"<243><24>:
> > <142>7<29><17>H<3
> > 0><173><190><212>R
> > <245><23><240><233><243>V><213><181>vs<245><252><158><194><254><179><13
> > 2><1>
> > <175><1><15><210><216>-
> > <230>YJ<163><245><224><176><0><22><0><4><0><5><0><10>
> > <0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
> > NAS-Port-Type = Wireless-IEEE-802-11
> > NAS-Port = 298
> > Service-Type = Framed-User
> > NAS-IP-Address = 10.0.0.1
> > NAS-Identifier = "ps-ap"
> > Proxy-State = 242
> >
> > Mon Jul 19 19:22:08 2004: DEBUG: Handling request with Handler ''
> > Mon Jul 19 19:22:08 2004: DEBUG: Deleting session for john, 10.0.0.1,
> > 298
> > Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL
> > Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL:
> > Mon Jul 19 19:22:08 2004: DEBUG: Handling with EAP: code 2, 6, 112
> > Mon Jul 19 19:22:08 2004: DEBUG: Response type 25
> > Mon Jul 19 19:22:08 2004: DEBUG: EAP TLS SSL_accept result: -1, 2, 8640
> > Mon Jul 19 19:22:08 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> > Mon Jul 19 19:22:08 2004: DEBUG: Access challenged for john: EAP PEAP
> > Challenge
> > Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> > *** Sending to 192.168.123.9 port 1814 ....
> > Code: Access-Challenge
> > Identifier: 159
> > Authentic: <215>x<159><31><186><217>Y<200>gd<182>#<229><187><228><159>
> > Attributes:
> > EAP-Message =
> > <1><7><0><132><25><128><0><0><0>z<22><3><1><0>J<2><0><0>F<3><1>@<251><1
> > 74><2
> > 24><143><24>Y<149>><171><222><234><169><131>D%<190><216>R,r(<3>Bb<194><
> > 137><
> > 8><187>u<2><248>
> > <245><23><240><233><243>V><213><181>vs<245><252><158><194><254><179><13
> > 2><1>
> > <175><1><15><210><216>-
> > <230>YJ<163><245><224><176><0><4><0><20><3><1><0><1><
> > 1><22><3><1><0>
> > =q<21>A<18><17><18><229>`<254>%<188>;
> > <164>^<245>*<1><28>f~<210>~<164><6>S8<1
> > 36><135>22<137>
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > Proxy-State = 242
> >
> > Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> > *** Received from 192.168.123.9 port 1814 ....
> > Code: Access-Request
> > Identifier: 160
> > Authentic: <142><194>m<191>%9<30><191><217>yq<162><141><238>0L
> > Attributes:
> > User-Name = "john"
> > Framed-MTU = 1400
> > Called-Station-Id = "000f.34db.6690"
> > Calling-Station-Id = "000c.f108.37bf"
> > Message-Authenticator = <163>D<198>7K<190>MU<253><226><251>~$<184><2>Y
> > EAP-Message =
> > <2><7><0>5<25><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0>
> > 9w[<189><147>cUi<229><27>?
> > rQ<190><146>Q<134><10><233><132>d<144><178><129>g<
> > 233>uu<<15><18><237>
> > NAS-Port-Type = Wireless-IEEE-802-11
> > NAS-Port = 298
> > Service-Type = Framed-User
> > NAS-IP-Address = 10.0.0.1
> > NAS-Identifier = "ps-ap"
> > Proxy-State = 243
> >
> > Mon Jul 19 19:22:08 2004: DEBUG: Handling request with Handler ''
> > Mon Jul 19 19:22:08 2004: DEBUG: Deleting session for john, 10.0.0.1,
> > 298
> > Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL
> > Mon Jul 19 19:22:08 2004: DEBUG: Handling with Radius::AuthSQL:
> > Mon Jul 19 19:22:08 2004: DEBUG: Handling with EAP: code 2, 7, 53
> > Mon Jul 19 19:22:08 2004: DEBUG: Response type 25
> > Mon Jul 19 19:22:08 2004: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> > Mon Jul 19 19:22:08 2004: DEBUG: EAP result: 3, EAP PEAP Challenge
> > Mon Jul 19 19:22:08 2004: DEBUG: Access challenged for john: EAP PEAP
> > Challenge
> > Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> > *** Sending to 192.168.123.9 port 1814 ....
> > Code: Access-Challenge
> > Identifier: 160
> > Authentic: <142><194>m<191>%9<30><191><217>yq<162><141><238>0L
> > Attributes:
> > EAP-Message =
> > <1><8><0><28><25><0><23><3><1><0><17><173><244><201>0<135><128><162>O<2
> > 51>B<
> > 128><143><232><252><237>Yn
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > Proxy-State = 243
> >
> > Mon Jul 19 19:22:08 2004: DEBUG: Packet dump:
> > *** Received from 192.168.123.9 port 1814 ....
> > Code: Access-Request
> > Identifier: 161
> > Authentic: <196>]Q<207>{<131><199><244>]<255>}<198><161><139>&<231>
> > Attributes:
> > User-Name = "john"
> > Framed-MTU = 1400
> > Called-Station-Id = "000f.34db.6690"
> > Calling-Station-Id = "000c.f108.37bf"
> > Message-Authenticator =
> > U<137>|<176><173>f<30><186>I<129>Q<131><244><0><174><31>
> > EAP-Message = <2><8><0>
> > <25><0><23><3><1><0><21>w<197><141>U<R<1><26><3>|<5><227>f<215><155><13
> > 3><14
> > 5>y@<208><215>
> > NAS-Port-Type = Wireless-IEEE-802-11
> > NAS-Port = 298
> > Service-Type = Framed-User
> > NAS-IP-Address = 10.0.0.1
> > NAS-Identifier = "ps-ap"
> > Proxy-State = 244
> >
> > Mon Jul 19 19:22:08 2004: DEBUG: Handling request with Handler ''
> > Mon Jul 19 19:22:08 2004: DEBUG: Deleting session for john, 10.0.0.1,
> > 298
> > Mon Jul 19 19:22:09 2004: DEBUG: Handling with Radius::AuthSQL
> > Mon Jul 19 19:22:09 2004: DEBUG: Handling with Radius::AuthSQL:
> > Mon Jul 19 19:22:09 2004: DEBUG: Handling with EAP: code 2, 8, 32
> > Mon Jul 19 19:22:09 2004: DEBUG: Response type 25
> > Mon Jul 19 19:22:09 2004: DEBUG: EAP PEAP inner authentication request
> > for
> > anonymous
> > Mon Jul 19 19:22:09 2004: DEBUG: PEAP Tunnelled request Packet dump:
> > Code: Access-Request
> > Identifier: UNDEF
> > Authentic: <29><187><15>Q1<233><173><196>"n1<167>"<212><214><185>
> > Attributes:
> > EAP-Message = <2><8><0><5><1>john
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > User-Name = "anonymous"
> > NAS-IP-Address = 10.0.0.1
> > NAS-Identifier = "ps-ap"
> > NAS-Port = 298
> > Calling-Station-Id = "000c.f108.37bf"
> >
> > Mon Jul 19 19:22:09 2004: DEBUG: Handling request with Handler
> > 'TunnelledByPEAP=1'
> > Mon Jul 19 19:22:09 2004: DEBUG: Rewrote user name to anonymous
> > Mon Jul 19 19:22:09 2004: DEBUG: Deleting session for , 10.0.0.1, 298
> > Mon Jul 19 19:22:09 2004: DEBUG: Handling with Radius::AuthSQL
> > Mon Jul 19 19:22:09 2004: DEBUG: Handling with Radius::AuthSQL:
> > Mon Jul 19 19:22:09 2004: DEBUG: Handling with EAP: code 2, 8, 5
> > Mon Jul 19 19:22:09 2004: DEBUG: Response type 1
> > Mon Jul 19 19:22:09 2004: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> > Mon Jul 19 19:22:09 2004: DEBUG: Access challenged for anonymous: EAP
> > MSCHAP-V2 Challenge
> > Mon Jul 19 19:22:09 2004: DEBUG: EAP result: 3, EAP PEAP inner
> > authentication redespatched to a Handler
> > Mon Jul 19 19:22:09 2004: DEBUG: Access challenged for john: EAP PEAP
> > inner
> > authentication redespatched to a Handler
> > Mon Jul 19 19:22:09 2004: DEBUG: Packet dump:
> > *** Sending to 192.168.123.9 port 1814 ....
> > Code: Access-Challenge
> > Identifier: 161
> > Authentic: <196>]Q<207>{<131><199><244>]<255>}<198><161><139>&<231>
> > Attributes:
> > EAP-Message =
> > <1><9><0>3<25><0><23><3><1><0>(<224>|<156>o<171><203><148><166>2<17><17
> >
> > ><150
> >>
> >> R<185>?<131>?
> >>
> >> >C<3><137>B<161>,<160><2><253><201><195><8><164><233><14>t<13>
> >
> > ]ps<1>S
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > Proxy-State = 244
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
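A defender-side check for the point Mike makes above, added here as an example and not code from the thread, from Radiator or from CATool. It assumes that the "XP server extension OID" is the Extended Key Usage id-kp-serverAuth (1.3.6.1.5.5.7.3.1) that Windows XP's PEAP supplicant requires in the RADIUS server certificate; the certificates it inspects are self-signed test certificates it generates itself (constructed for the example, not purchased or CA-issued), one carrying the serverAuth EKU and one carrying only clientAuth. It parses each certificate and reports whether the required EKU is present, which is the check to run on any certificate before installing it in the EAP server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// serverAuthOID is id-kp-serverAuth (1.3.6.1.5.5.7.3.1). This example assumes
// it is the "XP server extension" the thread refers to: the Extended Key Usage
// a Windows XP PEAP supplicant expects in the RADIUS server certificate.
var serverAuthOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}

// hasServerAuthEKU reports whether the certificate's extKeyUsage extension
// lists id-kp-serverAuth. Go maps recognised OIDs onto ExtKeyUsage constants
// and keeps any it does not recognise in UnknownExtKeyUsage, so both are
// checked to avoid a false negative on unusual parsers or future versions.
func hasServerAuthEKU(cert *x509.Certificate) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			return true
		}
	}
	for _, oid := range cert.UnknownExtKeyUsage {
		if oid.Equal(serverAuthOID) {
			return true
		}
	}
	return false
}

// checkDER parses a DER-encoded certificate and reports whether it is
// acceptable as a PEAP server certificate for XP-style supplicants.
// Unparseable input is reported as an error rather than a silent "false".
func checkDER(der []byte) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, fmt.Errorf("parse certificate: %w", err)
	}
	return hasServerAuthEKU(cert), nil
}

// selfSigned builds a short-lived self-signed test certificate with the given
// Extended Key Usages. Constructed for this example only; a production RADIUS
// server certificate would come from a CA the supplicants trust.
func selfSigned(cn string, ekus []x509.ExtKeyUsage) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Hypothetical names; both certificates are generated in memory.
	radiusCert, err := selfSigned("radius.example.test", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	clientCert, err := selfSigned("user.example.test", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	if err != nil {
		panic(err)
	}
	for name, der := range map[string][]byte{"radius-server": radiusCert, "client-only": clientCert} {
		ok, err := checkDER(der)
		fmt.Printf("%-14s serverAuth EKU present: %v (err=%v)\n", name, ok, err)
	}
}
```

For a certificate file on disk, decode the PEM block and pass its bytes to `checkDER`; a certificate that fails this check will produce exactly the symptom Mike describes (XP clients refusing the PEAP tunnel) even though the same certificate serves HTTPS without complaint.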