(RADIATOR) I need a little help with the log file

Mike McCauley mikem at open.com.au
Thu Apr 7 06:33:01 CDT 2005


Hello Bill,

I'm not sure what's going on here, but it doesn't seem to be a problem in your 
Radiator configuration.

It seems that the AP sends the start of an EAP conversation, to which Radiator 
sends the conventional reply.
The AP then sends (29 seconds later) what looks like a conventional (non-EAP)  
MAC-address based authentication request.

I suspect that there is a configuration problem in your AP, where your AP is 
trying to do MAC authentication as well as the wireless client trying to do 
EAP authentication.

Another possibility is that the client is not configured to accept PEAP 
authentication (or EAP authentication at all?), which Radiator is offering to 
it. Or maybe the wireless client is not staying associated with the AP. 

In any case, the AP and client appear to be behaving differently to your 
previous tests, where we saw more of the EAP conversation happening. So... 
look for recent config changes in your AP or wireless client. If in doubt, 
reboot them both.

Cheers.

On Thursday 07 April 2005 21:06, Stewart, Bill wrote:
> Mike,
>
> 	Thanks for your input. I've got the logfile without any errors now,
> but it seems to be stuck on sending a challenge; see below. Any ideas?
>
> Thu Apr  7 06:58:39 2005: DEBUG: Packet dump:
> *** Received from 149.158.3.250 port 1208 ....
> Code:       Access-Request
> Identifier: 183
> Authentic:  <210><10><0><0>"<23><0><0><176>&<0><0><196><31><0><0>
> Attributes:
> 	Message-Authenticator = <242><136><231><132><27><149><220><242>sI<132>(<11>n#<204>
> 	User-Name = "LAN_KCNT\wjs"
> 	NAS-IP-Address = 149.158.3.250
> 	NAS-Port = 2
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	Calling-Station-Id = "00-01-f4-ec-97-29"
> 	EAP-Message = <2><1><0><17><1>LAN_KCNT\wjs
> 	Framed-MTU = 1000
>
> Thu Apr  7 06:58:39 2005: DEBUG: Handling request with Handler ''
> Thu Apr  7 06:58:39 2005: DEBUG:  Deleting session for LAN_KCNT\wjs, 149.158.3.250, 2
> Thu Apr  7 06:58:39 2005: DEBUG: Handling with Radius::AuthFILE:
> Thu Apr  7 06:58:39 2005: DEBUG: Handling with EAP: code 2, 1, 17
> Thu Apr  7 06:58:39 2005: DEBUG: Response type 1
> Thu Apr  7 06:58:40 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu Apr  7 06:58:40 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Thu Apr  7 06:58:40 2005: DEBUG: Access challenged for LAN_KCNT\wjs: EAP PEAP Challenge
> Thu Apr  7 06:58:40 2005: DEBUG: Packet dump:
> *** Sending to 149.158.3.250 port 1208 ....
> Code:       Access-Challenge
> Identifier: 183
> Authentic:  <210><10><0><0>"<23><0><0><176>&<0><0><196><31><0><0>
> Attributes:
> 	EAP-Message = <1><2><0><6><25>!
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu Apr  7 06:59:09 2005: DEBUG: Packet dump:
> *** Received from 149.158.3.250 port 1209 ....
> Code:       Access-Request
> Identifier: 184
> Authentic:  <184>m<0><0>\\<0><0><202><10><0><0><214>x<0><0>
> Attributes:
> 	User-Name = "00-01-f4-ec-97-29"
> 	User-Password = "I<152><221><218><193>ia<194>g<131>"<165><244><31>'`"
> 	NAS-IP-Address = 149.158.3.250
> 	NAS-Port = 2
>
> Thu Apr  7 06:59:09 2005: DEBUG: Handling request with Handler ''
> Thu Apr  7 06:59:09 2005: DEBUG:  Deleting session for 00-01-f4-ec-97-29, 149.158.3.250, 2
> Thu Apr  7 06:59:09 2005: DEBUG: Handling with Radius::AuthFILE:
> Thu Apr  7 06:59:09 2005: DEBUG: Radius::AuthFILE looks for match with 00-01-f4-ec-97-29
> Thu Apr  7 06:59:09 2005: DEBUG: AuthBy FILE result: REJECT, No such user
> Thu Apr  7 06:59:09 2005: INFO: Access rejected for 00-01-f4-ec-97-29: No such user
> Thu Apr  7 06:59:09 2005: DEBUG: Packet dump:
> *** Sending to 149.158.3.250 port 1209 ....
> Code:       Access-Reject
> Identifier: 184
> Authentic:  <184>m<0><0>\\<0><0><202><10><0><0><214>x<0><0>
> Attributes:
> 	Reply-Message = "Request Denied"
>
>
> RADIUS.CFG
>
> # lsa_eap_peap.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # PEAP authentication as used by Windows XP (starting with SP1)
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example will authenticate Wireless PEAP users from a Windows LSA, which
> # permits authentication against any Windows Active Directory Domain
> # or NT Domain.
> # It will accept requests from any client and try to handle requests
> # for any realm.
> # To use this LSA, Radiator must be run on Windows as Administrator,
> # or as a user that has the 'Act as part of the operating system' security policy
> # enabled.
> # Note: AuthBy LSA is _only_ available on Windows 2000, 2003 and XP (not Home edition).
> #
> # To use this example, Radiator must be run on Windows as Administrator,
> # or as a user that has the 'Act as part of the operating system' security policy
> # enabled. This is not possible with Windows XP Home edition.
> #
> # Requires the Win32-Lsa perl module from Open System Consultants.
> # Install the Win32-Lsa perl module using PPM and ActivePerl 5.6.1 like this:
> #   ppm install --location=http://www.open.com.au/radiator/free-downloads Win32-Lsa
> #
> # Users will only be authenticated if they have the 'Access this computer from the network'
> # security policy enabled. Their other account restrictions will also be checked.
> # CHAP passwords can only be authenticated if the user has their
> # 'Store password using reversible encryption' option enabled in their Account.
> #
> # In order to test this, you can use the sample test certificates
> # supplied with Radiator. For production, you
> # WILL need to install a real valid server certificate and
> # key for Radiator to use. Runs with openssl on Unix and Windows.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # Requires openssl and Net_SSLeay.
> #
> # You should consider this file to be a starting point only
> # $Id: lsa_eap_peap.cfg,v 1.5 2004/06/06 04:08:13 mikem Exp $
>
> #Foreground
> LogStdout
> LogDir		c:/Program Files/Radiator
> DbDir		c:/Program Files/Radiator
> # Use a lower trace level in production systems:
> Trace 		4
> AuthPort 1812
> DictionaryFile %D/dictionary
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
> 	Secret	mysecret
> 	DupInterval 0
> </Client>
>
> <Client 149.158.3.250>
>         Secret mysecret
> </Client>
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> <Handler TunnelledByPEAP=1>
> 	# Authenticate with Windows LSA
> 	<AuthBy LSA>
> 		# Specifies which Windows Domain is ALWAYS to be used to authenticate
> 		# users (even if they specify a different domain in their username).
> 		# Empty string means the local machine only
> 		# Special characters are supported. Can be an Active
> 		# directory domain or a Windows NT domain controller
> 		# domain name
> 		# Empty string (the default) means the local machine
> 		Domain LAN_KCNT
>
> 		# Specifies the Windows Domain to use if the user does not
> 		# specify a domain in their username.
> 		# Special characters are supported. Can be an Active
> 		# directory domain or a Windows NT domain controller
> 		# domain name
> 		# Empty string (the default) means the local machine
> 		DefaultDomain LAN_KCNT
>
> 		# You can check whether each user is the member of a windows group
> 		# with the Group parameter. If more than one Group is specified, then the
> 		# user must be a member of at least one of them. Requires Win32::NetAdmin
> 		# (which is installed by default with ActivePerl). If no Group
> 		# parameters are specified, then Group checks will not be performed.
> 		#Group Administrators
> 		#Group Domain Users
>
> 		# You can specify which domain controller will be used to check group
> 		# membership with the DomainController parameter. If no Group parameters
> 		# are specified, DomainController will not be used. Defaults to
> 		# empty string, meaning the default controller of the host where this
> 		# instance of Radiator is running.
> 		DomainController kcnt1.kaman.com
>
> 		# This tells the PEAP client what types of inner EAP requests
> 		# we will honour
> 		EAPType MSCHAP-V2
> 	</AuthBy>
> </Handler>
>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the inner authentication
> # extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
> # a specific handler, or else you can use EAPAnonymous to set a username and realm
> # which can be used to select a Realm clause for the inner request.
> # This allows you to select an inner authentication method based on Realm, and/or the
> # fact that they were tunnelled. You can therefore act just as a PEAP server, or also
> # act as the AAA/H home server, and authenticate PEAP requests locally or proxy
> # them to another remote server based on the realm of the inner authentication request.
> # In this file the outer authentication is handled from a file by AuthBy FILE below;
> # the tunnelled inner request is matched by the TunnelledByPEAP=1 Handler above
> # and authenticated by AuthBy LSA.
> <Handler>
> 	<AuthBy FILE>
> 		# The username of the outer authentication
> 		# must be in this file to get anywhere. In this example,
> 		# it requires an entry for 'anonymous' which is the standard username
> 		# in the outer requests, and it also requires an entry for the
> 		# actual user name who is trying to connect (ie the 'Login name' entered
> 		# in the Funk Odyssey 'Edit Profile Properties' page
> 		Filename %D/users
>
> 		# EAPType sets the EAP type(s) that Radiator will honour.
> 		# Options are: MD5-Challenge, One-Time-Password
> 		# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> 		# Multiple types can be comma separated. With the default (most
> 		# preferred) type given first
> 		EAPType PEAP
>
> 		# EAPTLS_CAFile is the name of a file of CA certificates
> 		# in PEM format. The file can contain several CA certificates
> 		# Radiator will first look in EAPTLS_CAFile then in
> 		# EAPTLS_CAPath, so there usually is no need to set both
> 		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>
> 		# EAPTLS_CAPath is the name of a directory containing CA
> 		# certificates in PEM format. The files each contain one
> 		# CA certificate. The files are looked up by the CA
> 		# subject name hash value
> 		EAPTLS_CAPath
>
> 		# EAPTLS_CertificateFile is the name of a file containing
> 		# the server's certificate. EAPTLS_CertificateType
> 		# specifies the type of the file. Can be PEM or ASN1
> 		# defaults to ASN1
> 		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> 		EAPTLS_CertificateType PEM
>
> 		# EAPTLS_PrivateKeyFile is the name of the file containing
> 		# the server's private key. It is sometimes in the same file
> 		# as the server certificate (EAPTLS_CertificateFile)
> 		# If the private key is encrypted (usually the case)
> 		# then EAPTLS_PrivateKeyPassword is the key to decrypt it
> 		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> 		EAPTLS_PrivateKeyPassword whatever
>
> 		# EAPTLS_RandomFile is an optional file containing
> 		# randomness
> 		EAPTLS_RandomFile %D/certificates/random
>
> 		# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> 		# size that will be replied by Radiator. It must be small
> 		# enough to fit in a single Radius request (ie less than 4096)
> 		# and still leave enough space for other attributes
> 		# Aironet APs seem to need a smaller MaxFragmentSize
> 		# (eg 1024) than the default of 2048. Others need even smaller sizes.
> 		EAPTLS_MaxFragmentSize 1000
>
> 		# EAPTLS_DHFile if set specifies the DH group file. It
> 		# may be required if you need to use ephemeral DH keys.
> 		EAPTLS_DHFile %D/certificates/cert/dh
>
>
> 		# If EAPTLS_CRLCheck is set and the client presents a certificate
> 		# then Radiator will look for a certificate revocation list (CRL)
> 		# for the certificate issuer
> 		# when authenticating each client. If a CRL file is not found, or
> 		# if the CRL says the certificate has been revoked, the authentication will
> 		# fail with an error:
> 		#   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> 		# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
> 		# Alternatively, CRLs may follow a file naming convention:
> 		#  the hash of the issuer subject name
> 		# and a suffix that depends on the serial number.
> 		# eg ab1331b2.r0, ab1331b2.r1 etc.
> 		# You can find out the hash of the issuer name in a CRL with
> 		#  openssl crl -in crl.pem -hash -noout
> 		# CRLs with this name convention
> 		# will be searched in EAPTLS_CAPath, else in the openssl
> 		# certificates directory typically /usr/local/openssl/certs/
> 		# CRLs are expected to be in PEM format.
> 		# A CRL file can be generated with openssl like this
> 		# (revoke the client certificate first, then write the CRL):
> 		#  openssl ca -revoke cert-clt.pem
> 		#  openssl ca -gencrl -out crl.pem
> 		# Use of these flags requires Net_SSLeay-1.21 or later
> 		#EAPTLS_CRLCheck
> 		#EAPTLS_CRLFile %D/certificates/crl.pem
> 		#EAPTLS_CRLFile %D/certificates/revocations.pem
>
> 		# Some clients, depending on their configuration, may require you to specify
> 		# MPPE send and receive keys. This _will_ be required if you select
> 		# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
> 		# client Network Properties dialog.
> 		# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> 		# in the final Access-Accept
> 		AutoMPPEKeys
>
> 		# You can enable some warning messages from the Net::SSLeay
> 		# module by setting SSLeayTrace to an integer from 1 to 4
> 		# 1=ciphers, 2=trace, 3=dump data
> 		SSLeayTrace 4
>
> 		# You can configure the User-Name that will be used for the inner
> 		# authentication. Defaults to 'anonymous'. This can be useful
> 		# when proxying the inner authentication. If there is a realm, it can
> 		# be used to choose a local Realm to handle the inner authentication.
> 		# %0 is replaced with the EAP identity
> 		# EAPAnonymous anonymous@some.other.realm
>
> 		# You can enable or disable support for TTLS Session Resumption and
> 		# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
> 		# Default is enabled
> 		#EAPTLS_SessionResumption 0
>
> 		# You can limit how long after the initial session that a session can be resumed
> 		# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
> 		# (12 hours)
> 		#EAPTLS_SessionResumptionLimit 10
> 	</AuthBy>
> </Handler>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
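The packet dumps quoted in this thread can be read mechanically rather than by eye. What follows is an added example for this archive page, not Radiator code and not something either poster wrote. It decodes Radiator's Trace 4 byte notation (assumed here, from the dump above, to print non-printable bytes as <decimal> and everything else literally), parses each EAP-Message attribute as an RFC 3748 EAP packet including the length-field check, and then walks the log for exactly the pattern Mike describes: an Access-Challenge carrying an EAP Request that the NAS never answers, followed on the same NAS-IP-Address/NAS-Port by a non-EAP Access-Request. The LOG excerpt is trimmed from the post (Authentic, Message-Authenticator and the "***" direction lines dropped); the flag byte decoding for types 13/21/25 (L, M, S bits plus a version number) uses the EAP-TLS layout, which PEAP shares.

```python
"""Decode Radiator Trace 4 packet dumps and flag an EAP exchange that the NAS abandoned
for a plain MAC-address Access-Request. Added example for this thread, not Radiator code.
Assumes the dump notation seen in the post: <decimal> for non-printable bytes, rest literal."""
import re
from datetime import datetime

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2"}
MAC_RE = re.compile(r"^([0-9a-f]{2}[-:]){5}[0-9a-f]{2}$", re.I)


def radiator_bytes(s: str) -> bytes:
    """'<2><1><0><17><1>LAN_KCNT\\wjs' -> the raw attribute bytes."""
    return bytes(int(n) if n else ord(c) for n, c in re.findall(r"<(\d{1,3})>|(.)", s, re.S))


def decode_eap(raw: bytes) -> dict:
    """Parse an RFC 3748 EAP packet (length field checked) into code/id/type/payload/summary."""
    if len(raw) < 4 or int.from_bytes(raw[2:4], "big") != len(raw):
        raise ValueError(f"bad EAP length field in {raw!r}")
    pkt = {"code": raw[0], "id": raw[1], "type": None, "payload": raw[4:]}
    s = f"EAP {EAP_CODES.get(raw[0], raw[0])} id={raw[1]}"
    if raw[0] in (1, 2) and len(raw) >= 5:            # only Request/Response carry a type byte
        pkt["type"], pkt["payload"] = raw[4], raw[5:]
        s += f" type={EAP_TYPES.get(raw[4], raw[4])}"
        if raw[4] == 1:
            s += f" identity={raw[5:].decode('latin-1')}"
        elif raw[4] in (13, 21, 25) and raw[5:]:      # TLS/TTLS/PEAP flags byte: L M S r r v v v
            bits = "".join(n for b, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if raw[5] & b)
            s += f" flags={bits or '-'} version={raw[5] & 7}"
    return {**pkt, "summary": s}


def parse_dump(text: str) -> list:
    """One dict per 'Packet dump:' block: time, RADIUS code, attrs (surrounding quotes stripped)."""
    packets = []
    for line in text.splitlines():
        if m := re.match(r"^(\w{3} \w{3} +\d+ [\d:]+ \d{4}): DEBUG: Packet dump:", line):
            packets.append({"time": datetime.strptime(m[1], "%a %b %d %H:%M:%S %Y"), "code": "", "attrs": {}})
        elif packets and line.startswith("Code:"):
            packets[-1]["code"] = line.split()[1]
        elif packets and (m := re.match(r"^\s+([\w-]+) = (.*)$", line)):
            packets[-1]["attrs"][m[1]] = m[2].strip('"')
    return packets


def find_abandoned_eap(packets: list) -> list:
    """For each Access-Challenge carrying an EAP Request, check that the next Access-Request from
    the same NAS-IP-Address/NAS-Port is the EAP Response to it; otherwise report what came instead."""
    port = lambda p: (p["attrs"].get("NAS-IP-Address"), p["attrs"].get("NAS-Port"))
    findings = []
    for i, chal in enumerate(packets):
        if i == 0 or chal["code"] != "Access-Challenge" or "EAP-Message" not in chal["attrs"]:
            continue
        req, prev = decode_eap(radiator_bytes(chal["attrs"]["EAP-Message"])), packets[i - 1]
        for nxt in packets[i + 1:]:
            a = nxt["attrs"]
            if nxt["code"] != "Access-Request" or port(nxt) != port(prev):
                continue
            if "EAP-Message" in a:
                resp = decode_eap(radiator_bytes(a["EAP-Message"]))
                if resp["code"] == 2 and resp["id"] == req["id"]:
                    break                                 # EAP conversation continued normally
                kind = "out-of-sequence " + resp["summary"]
            else:                                         # NAS fell back to something non-EAP
                kind = ("MAC-address PAP" if MAC_RE.match(a.get("User-Name", "")) and "User-Password" in a
                        else "non-EAP")
            findings.append({"challenge": req["summary"], "prev_user": prev["attrs"].get("User-Name"),
                             "next_user": a.get("User-Name"), "next_kind": kind,
                             "gap_seconds": int((nxt["time"] - chal["time"]).total_seconds())})
            break
    return findings


# Trimmed from the post above; the real Trace 4 output parses the same way.
LOG = r"""Thu Apr  7 06:58:39 2005: DEBUG: Packet dump:
Code:       Access-Request
        User-Name = "LAN_KCNT\wjs"
        NAS-IP-Address = 149.158.3.250
        NAS-Port = 2
        EAP-Message = <2><1><0><17><1>LAN_KCNT\wjs
Thu Apr  7 06:58:40 2005: DEBUG: Packet dump:
Code:       Access-Challenge
        EAP-Message = <1><2><0><6><25>!
Thu Apr  7 06:59:09 2005: DEBUG: Packet dump:
Code:       Access-Request
        User-Name = "00-01-f4-ec-97-29"
        User-Password = "I<152><221><218><193>ia<194>g<131>"<165><244><31>'`"
        NAS-IP-Address = 149.158.3.250
        NAS-Port = 2
"""

if __name__ == "__main__":
    for f in find_abandoned_eap(parse_dump(LOG)):
        print(f"{f['challenge']} never answered; {f['gap_seconds']}s later the same NAS port sent "
              f"{f['next_kind']} for {f['next_user']} instead of continuing EAP for {f['prev_user']}")
```

Run as-is it reports one finding: the challenge decodes as "EAP Request id=2 type=PEAP flags=S version=1" (a PEAP Start, which is what Mike calls the conventional reply), and 29 seconds later the same NAS port sent MAC-address PAP for 00-01-f4-ec-97-29 instead of the EAP Response for LAN_KCNT\wjs. Pointing parse_dump at a full Trace 4 log gives the same check over every challenge in it; a NAS that continues the EAP conversation produces no findings.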

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

