(RADIATOR) I need a little help with the log file
Mike McCauley
mikem at open.com.au
Wed Apr 6 06:54:51 CDT 2005
Hello Bill,
Your config file contains a specification for a root certificate file, which
apparently does not exist:
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
If you intend never to verify client certificates, and don't have any relevant
root certificates, you can disable EAPTLS_CAFile and instead use
EAPTLS_CAPath to point to some empty directory (EAPTLS_CAPath usually names a
directory containing multiple root certificates which are loaded when
required).
eg:
# EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
EAPTLS_CAPath %D/certificates
Or... Since you are not validating client certificates anyway, it would not be
an error to just leave EAPTLS_CAFile pointing to the test certificate we
provide.
Cheers.
On Wednesday 06 April 2005 21:28, Stewart, Bill wrote:
> Mike,
>
> O.K. attached is a doc with the screen shots of the Windows XP
> client. Below are the logfile and radius.cfg. In looking at the logfile I
> see that it is getting an error on a certificate. Does this mean I need to
> generate a certificate even though I am not going to use it? Or am I doing
> something wrong?
>
> Bill
>
> LOGFILE:
>
> Wed Apr 6 07:07:13 2005: DEBUG: Finished reading configuration file
> 'C:\Program Files\Radiator\radius.cfg'
> Wed Apr 6 07:07:13 2005: DEBUG: Reading dictionary file 'c:/Program
> Files/Radiator/dictionary'
> Wed Apr 6 07:07:13 2005: DEBUG: Creating authentication port 0.0.0.0:1812
> Wed Apr 6 07:07:13 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> Wed Apr 6 07:07:13 2005: NOTICE: Server started: Radiator 3.12 on PC148
> (LOCKED)
> Wed Apr 6 07:23:01 2005: DEBUG: Packet dump:
> *** Received from 149.158.3.250 port 1184 ....
> Code: Access-Request
> Identifier: 159
> Authentic: <251>k<0><0><205><2><0><0>i$<0><0><2>3<0><0>
> Attributes:
> User-Name = "00-01-f4-ec-97-29"
> User-Password = "I<15><157><229>!V<<206><238><207>S=<8><215>h<215>"
> NAS-IP-Address = 149.158.3.250
> NAS-Port = 2
>
> Wed Apr 6 07:23:01 2005: DEBUG: Handling request with Handler ''
> Wed Apr 6 07:23:01 2005: DEBUG: Deleting session for 00-01-f4-ec-97-29,
> 149.158.3.250, 2
> Wed Apr 6 07:23:01 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Apr 6 07:23:01 2005: DEBUG: Reading users file c:/Program
> Files/Radiator/users
> Wed Apr 6 07:23:01 2005: DEBUG: Radius::AuthFILE looks for match with
> 00-01-f4-ec-97-29
> Wed Apr 6 07:23:01 2005: DEBUG: AuthBy FILE result: REJECT, No such user
> Wed Apr 6 07:23:01 2005: INFO: Access rejected for 00-01-f4-ec-97-29: No
> such user
> Wed Apr 6 07:23:01 2005: DEBUG: Packet dump:
> *** Sending to 149.158.3.250 port 1184 ....
> Code: Access-Reject
> Identifier: 159
> Authentic: <251>k<0><0><205><2><0><0>i$<0><0><2>3<0><0>
> Attributes:
> Reply-Message = "Request Denied"
>
> Wed Apr 6 07:23:26 2005: DEBUG: Packet dump:
> *** Received from 149.158.3.250 port 1185 ....
> Code: Access-Request
> Identifier: 160
> Authentic: LQ<0><0><233>9<0><0>pL<0><0><20><9><0><0>
> Attributes:
> Message-Authenticator = <8>g<163>k<19><182><165>,oI/<`_<148><214>
> User-Name = "LAN_KCNT\wjs"
> NAS-IP-Address = 149.158.3.250
> NAS-Port = 2
> NAS-Port-Type = Wireless-IEEE-802-11
> Calling-Station-Id = "00-01-f4-ec-97-29"
> EAP-Message = <2><1><0><17><1>LAN_KCNT\wjs
> Framed-MTU = 1000
>
> Wed Apr 6 07:23:26 2005: DEBUG: Handling request with Handler ''
> Wed Apr 6 07:23:26 2005: DEBUG: Deleting session for LAN_KCNT\wjs,
> 149.158.3.250, 2
> Wed Apr 6 07:23:26 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Apr 6 07:23:26 2005: DEBUG: Handling with EAP: code 2, 1, 17
> Wed Apr 6 07:23:26 2005: DEBUG: Response type 1
> Wed Apr 6 07:23:27 2005: ERR: TLS could not load_verify_locations
> %D/certificates/demoCA/cacert.pem, : 2824: 1 - error:02001003:system
> library:fopen:No such process
> 2824: 2 - error:2006D080:BIO routines:BIO_new_file:no such file
> 2824: 3 - error:0B084002:x509 certificate
> routines:X509_load_cert_crl_file:system lib
>
> Wed Apr 6 07:23:27 2005: DEBUG: EAP result: 1, EAP TLS Could not
> initialise context
> Wed Apr 6 07:23:27 2005: DEBUG: AuthBy FILE result: REJECT, EAP TLS Could
> not initialise context
> Wed Apr 6 07:23:27 2005: INFO: Access rejected for LAN_KCNT\wjs: EAP TLS
> Could not initialise context
> Wed Apr 6 07:23:27 2005: DEBUG: Packet dump:
> *** Sending to 149.158.3.250 port 1185 ....
> Code: Access-Reject
> Identifier: 160
> Authentic: LQ<0><0><233>9<0><0>pL<0><0><20><9><0><0>
> Attributes:
> Reply-Message = "Request Denied"
>
>
> RADIUS.CFG
>
> # lsa_eap_peap.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # PEAP authentication as used by Windows XP (starting with SP1)
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example will authenticate Wireless PEAP users from a Windows LSA, which
> # permits authentication against any Windows Active Directory Domain
> # or NT Domain.
> # It will accept requests from any client and try to handle request
> # for any realm.
> # To use this LSA, Radiator must be run on Windows as Administrator,
> # or as a user that has the 'Act as part of the operating system' security policy
> # enabled.
> # Note: AuthBy LSA is _only_ available on Windows 2000, 2003 and XP (not Home edition).
> #
> # To use this example, Radiator must be run on Windows as Administrator,
> # or as a user that has the 'Act as part of the operating system' security policy
> # enabled. This is not possible with Windows XP Home edition.
> #
> # Requires the Win32-Lsa perl module from Open System Consultants.
> # Install the Win32-Lsa perl module using PPM and ActivePerl 5.6.1 like this:
> # ppm install --location=http://www.open.com.au/radiator/free-downloads Win32-Lsa
> #
> # Users will only be authenticated if they have the 'Access this computer from the network'
> # security policy enabled. Their other account restrictions will also be checked
> # CHAP passwords can only be authenticated if the user has their
> # 'Store password using reversible encryption' option enabled in their Account
> #
> # In order to test this, you can use the sample test certificates
> # supplied with Radiator. For production, you
> # WILL need to install a real valid server certificate and
> # key for Radiator to use. Runs with openssl on Unix and Windows.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # Requires openssl and Net_SSLeay.
> #
> # You should consider this file to be a starting point only
> # $Id: lsa_eap_peap.cfg,v 1.5 2004/06/06 04:08:13 mikem Exp $
>
> #Foreground
> LogStdout
> LogDir c:/Program Files/Radiator
> DbDir c:/Program Files/Radiator
> # Use a lower trace level in production systems:
> Trace 4
> AuthPort 1812
> DictionaryFile %D/dictionary
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
> Secret mysecret
> DupInterval 0
> </Client>
>
> <Client 149.158.3.250>
> Secret mysecret
> </Client>
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> <Handler TunnelledByPEAP=1>
> # Authenticate with Windows LSA
> <AuthBy LSA>
> # Specifies which Windows Domain is ALWAYS to be used to authenticate
> # users (even if they specify a different domain in their username).
> # Empty string means the local machine only
> # Special characters are supported. Can be an Active
> # directory domain or a Windows NT domain controller
> # domain name
> # Empty string (the default) means the local machine
> Domain LAN_KCNT
>
> # Specifies the Windows Domain to use if the user does not
> # specify a domain in their username.
> # Special characters are supported. Can be an Active
> # directory domain or a Windows NT domain controller
> # domain name
> # Empty string (the default) means the local machine
> DefaultDomain LAN_KCNT
>
> # You can check whether each user is the member of a windows group
> # with the Group parameter. If more than one Group is specified, then the
> # user must be a member of at least one of them. Requires Win32::NetAdmin
> # (which is installed by default with ActivePerl). If no Group
> # parameters are specified, then Group checks will not be performed.
> #Group Administrators
> #Group Domain Users
>
> # You can specify which domain controller will be used to check group
> # membership with the DomainController parameter. If no Group parameters
> # are specified, DomainController will not be used. Defaults to
> # empty string, meaning the default controller of the host where this
> # instance of Radiator is running.
> DomainController kcnt1.kaman.com
>
> # This tells the PEAP client what types of inner EAP requests
> # we will honour
> EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the inner authentication
> # extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
> # a specific handler, or else you can use EAPAnonymous to set a username and realm
> # which can be used to select a Realm clause for the inner request.
> # This allows you to select an inner authentication method based on Realm, and/or the
> # fact that they were tunnelled. You can therefore act just as a PEAP server, or also
> # act as the AAA/H home server, and authenticate PEAP requests locally or proxy
> # them to another remote server based on the realm of the inner authentication request.
> # In this basic example, both the inner and outer authentication are authenticated
> # from a file by AuthBy FILE
> <Handler>
> <AuthBy FILE>
> # The username of the outer authentication
> # must be in this file to get anywhere. In this example,
> # it requires an entry for 'anonymous' which is the standard username
> # in the outer requests, and it also requires an entry for the
> # actual user name who is trying to connect (ie the 'Login name' entered
> # in the Funk Odyssey 'Edit Profile Properties' page
> Filename %D/users
>
> # EAPType sets the EAP type(s) that Radiator will honour.
> # Options are: MD5-Challenge, One-Time-Password
> # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> # Multiple types can be comma separated. With the default (most
> # preferred) type given first
> EAPType PEAP
>
> # EAPTLS_CAFile is the name of a file of CA certificates
> # in PEM format. The file can contain several CA certificates
> # Radiator will first look in EAPTLS_CAFile then in
> # EAPTLS_CAPath, so there usually is no need to set both
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>
> # EAPTLS_CAPath is the name of a directory containing CA
> # certificates in PEM format. The files each contain one
> # CA certificate. The files are looked up by the CA
> # subject name hash value
> EAPTLS_CAPath
>
> # EAPTLS_CertificateFile is the name of a file containing
> # the server's certificate. EAPTLS_CertificateType
> # specifies the type of the file. Can be PEM or ASN1
> # defaults to ASN1
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
>
> # EAPTLS_PrivateKeyFile is the name of the file containing
> # the server's private key. It is sometimes in the same file
> # as the server certificate (EAPTLS_CertificateFile)
> # If the private key is encrypted (usually the case)
> # then EAPTLS_PrivateKeyPassword is the key to decrypt it
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
>
> # EAPTLS_RandomFile is an optional file containing
> # randomness
> EAPTLS_RandomFile %D/certificates/random
>
> # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> # size that will be replied by Radiator. It must be small
> # enough to fit in a single Radius request (ie less than 4096)
> # and still leave enough space for other attributes
> # Aironet APs seem to need a smaller MaxFragmentSize
> # (eg 1024) than the default of 2048. Others need even smaller sizes.
> EAPTLS_MaxFragmentSize 1000
>
> # EAPTLS_DHFile if set specifies the DH group file. It
> # may be required if you need to use ephemeral DH keys.
> EAPTLS_DHFile %D/certificates/cert/dh
>
>
> # If EAPTLS_CRLCheck is set and the client presents a certificate
> # then Radiator will look for a certificate revocation list (CRL)
> # for the certificate issuer
> # when authenticating each client. If a CRL file is not found, or
> # if the CRL says the certificate has been revoked, the authentication will
> # fail with an error:
> # SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
> # Alternatively, CRLs may follow a file naming convention:
> # the hash of the issuer subject name
> # and a suffix that depends on the serial number.
> # eg ab1331b2.r0, ab1331b2.r1 etc.
> # You can find out the hash of the issuer name in a CRL with
> # openssl crl -in crl.pem -hash -noout
> # CRLs with this name convention
> # will be searched in EAPTLS_CAPath, else in the openssl
> # certificates directory typically /usr/local/openssl/certs/
> # CRLs are expected to be in PEM format.
> # CRL files can be generated with openssl like this:
> # openssl ca -gencrl -revoke cert-clt.pem
> # openssl ca -gencrl -out crl.pem
> # Use of these flags requires Net_SSLeay-1.21 or later
> #EAPTLS_CRLCheck
> #EAPTLS_CRLFile %D/certificates/crl.pem
> #EAPTLS_CRLFile %D/certificates/revocations.pem
>
> # Some clients, depending on their configuration, may require you to specify
> # MPPE send and receive keys. This _will_ be required if you select
> # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
> # client Network Properties dialog.
> # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> # in the final Access-Accept
> AutoMPPEKeys
>
> # You can enable some warning messages from the Net::SSLeay
> # module by setting SSLeayTrace to an integer from 1 to 4
> # 1=ciphers, 2=trace, 3=dump data
> SSLeayTrace 4
>
> # You can configure the User-Name that will be used for the inner
> # authentication. Defaults to 'anonymous'. This can be useful
> # when proxying the inner authentication. If there is a realm, it can
> # be used to choose a local Realm to handle the inner authentication.
> # %0 is replaced with the EAP identity
> # EAPAnonymous anonymous at some.other.realm
>
> # You can enable or disable support for TTLS Session Resumption and
> # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
> # Default is enabled
> #EAPTLS_SessionResumption 0
>
> # You can limit how long after the initial session that a session can be resumed
> # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
> # (12 hours)
> #EAPTLS_SessionResumptionLimit 10
> </AuthBy>
> </Handler>
>
> > -----Original Message-----
> > From: Mike McCauley [mailto:mikem at open.com.au]
> > Sent: Tuesday, April 05, 2005 5:48 PM
> > To: Stewart, Bill
> > Cc: 'radiator at open.com.au'; Frati, Louis
> > Subject: Re: (RADIATOR) I need a little help with the log file
> >
> >
> > Hello Bill,
> >
> > I see that you have commented out most of the configuration
> > parameters to do
> > with EAP certificates. That is why the TLS modules are unable
> > to start up
> > properly. I suggest you use the lsa_eap_peap.cfg as
> > delivered. If you do not
> > want to use certificates, you should disable this in each client.
> >
> > Cheers.
> >
> > On Tuesday 05 April 2005 22:08, Stewart, Bill wrote:
> > > Mike,
> > >
> > > We are using the lsa_eap_peap.cfg file. Here is what we have.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
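The failure in the log above ("TLS could not load_verify_locations ... no such file") comes from a path parameter whose target is absent on disk, which can be caught before Radiator is started. The following Python is an added example, not code from the thread or from Radiator: it expands %D against DbDir for the EAPTLS_* file parameters, lists the ones whose target is missing, and applies the change Mike suggests (comment out EAPTLS_CAFile and point EAPTLS_CAPath at an empty directory). The config excerpt and the temporary directory layout are constructed to mirror Bill's log.

```python
import os
import re
import tempfile

# Radiator EAP-TLS parameters whose value is a file/directory opened when the
# TLS context is created; %D expands to DbDir.
PATH_PARAMS = {"EAPTLS_CAFile", "EAPTLS_CAPath",
               "EAPTLS_CertificateFile", "EAPTLS_PrivateKeyFile"}

SAMPLE_CFG = """\
EAPType PEAP
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
EAPTLS_CAPath
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
"""  # constructed excerpt shaped like the <AuthBy FILE> clause above

def missing_paths(cfg_text, dbdir):
    """Names of set EAPTLS_* path parameters whose target does not exist."""
    gone = []
    for line in cfg_text.splitlines():
        m = re.match(r"\s*(EAPTLS_\w+)\s*(.*?)\s*$", line)
        if not m or m.group(1) not in PATH_PARAMS or not m.group(2):
            continue  # comment, non-path parameter, or a bare EAPTLS_CAPath
        if not os.path.exists(m.group(2).replace("%D", dbdir)):
            gone.append(m.group(1))
    return gone

def disable_cafile(cfg_text, capath):
    """Comment out EAPTLS_CAFile and point EAPTLS_CAPath at a directory."""
    out = []
    for line in cfg_text.splitlines():
        key = line.strip().split(" ", 1)[0]
        if key == "EAPTLS_CAFile":
            out.append("# " + line)
        elif key == "EAPTLS_CAPath":
            out.append("EAPTLS_CAPath " + capath)
        else:
            out.append(line)
    return "\n".join(out)

def demo():
    """Constructed DbDir like the log: cert-srv.pem present, cacert.pem absent."""
    with tempfile.TemporaryDirectory() as dbdir:
        certs = os.path.join(dbdir, "certificates")
        os.makedirs(os.path.join(certs, "empty"))
        open(os.path.join(certs, "cert-srv.pem"), "w").close()
        before = missing_paths(SAMPLE_CFG, dbdir)
        fixed = disable_cafile(SAMPLE_CFG, "%D/certificates/empty")
        return before, missing_paths(fixed, dbdir)
```

Running demo() reports EAPTLS_CAFile as missing for the original excerpt and nothing for the corrected one, matching the two outcomes described in the reply.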
--
Archive at http://www.open.com.au/archives/radiator/