(RADIATOR) 802.1X with Radiator and EnterAsys R2

Mike McCauley mikem at open.com.au
Wed Jan 26 16:44:48 CST 2005


Hello again Luis,

Further information:
The FreeRadius-PacketLog-EnterAsysR2.txt trace file does not seem to include 
the replies from Freeradius to the R2, only the incoming access requests. This 
makes it very hard for me to tell the difference between freeradius and 
Radiator, especially with the tcpdump traces unreadable.

BTW, I can see from the Radiator trace that it is sending very long replies 
back to the R2: 1460 octets altogether

Cheers.


On Wednesday 26 January 2005 22:57, Luís Guido wrote:
> Hi Hugh, Mike, all
>
> There goes some more information.
> I don't have an EnterAsys R2 here but the authentications made from a VI
> (Visited Institution) with an IAS that proxies all unknown user requests to
> our National Proxy Server (Radiator 3.11). The Proxy Server forwards those
> requests to the server that handles the realm roam.fccn.pt (Radiator 3.11)
> or to the server that handles the realm eci.fccn.pt (FreeRadius 1.0.0-pre0)
> depending on the request.
>
> The 802.1X client used for the tests was always the same
>
> I have included the Trace4 for the Radiator and a packet log for the
> FreeRadius for several authentication attempts.
> There is also the tcpdump for both servers.
>
> Best Regards,
> Luís Guido
>
> > -----Original Message-----
> > From: Hugh Irvine [mailto:hugh at open.com.au]
> > Sent: terça-feira, 25 de Janeiro de 2005 22:06
> > To: Luís Guido; Mike McCauley
> > Cc: Radiator MailingList
> > Subject: Re: (RADIATOR) 802.1X with Radiator and EnterAsys R2
> >
> >
> > Hello Luis -
> >
> > As always, without a copy of your configuration file and a trace 4
> > debug from Radiator showing what is happening it is nearly impossible
> > for us to help you. In this particular case it would also be very
> > useful to see an ethereal (or tcpdump, snoop, whatever) trace of both
> > the FreeRadius exchange and the Radiator exchange so we can see what
> > works and what doesn't.
> >
> > regards
> >
> > Hugh
> >
> > On 25 Jan 2005, at 22:11, Luís Guido wrote:
> > > Hi all,
> > >
> > > I guess this question was mentioned some while ago (in the beginning of
> > > 2004) but I can't seem to find an answer to my problem.
> > >
> > > Terry said
> > > (http://www.open.com.au/archives/radiator/2004-01/msg00057.html)
> > >
> > >
> > > "Enterasys claims this is a problem with Radiator, and we have had some
> > > disagreements with them about this.
> > > When every other AP on the market works but theirs, I doubt it's a server
> > > problem. ;-)
> > > Try setting your chunk size to <= 1000 or so and see if that works... I
> > > believe that was the problem."
> > >
> > > For Radiator the value for EAPTLS_MaxFragmentSize must be <= 1010, as
> > > pointed out by Michael
> > > (http://www.open.com.au/archives/radiator/2004-01/msg00058.html)
> > >
> > > I have tested the R2 with FreeRadius (for PEAP):
> > > (...)
> > >     eap {
> > > (...)
> > >         tls {
> > > (...)
> > >             fragment_size = 1400
> > >         }
> > > (...)
> > >     }
> > >
> > > And IAS and I have succeeded with both Radius servers.
> > >
> > > I'm not saying it is a Radiator problem or an R2 problem....
> > > One thing I know! This is one major problem for our network.
> > >
> > > Our network is an 802.1X distributed network with multiple AP vendors and
> > > multiple Radius Servers (Radiator, FreeRadius and IAS).
> > > The Radius Hierarchy is responsible for the transportation of the user
> > > credentials from a Visited Site (VS) (where the user is physically located)
> > > to the Home Site (HS) (where the user is known). Most probably the VS and HS
> > > do not know each other and have no way of knowing what is
> > > installed/configured on the other side.
> > > If the user's HS has a Radiator (with EAPTLS_MaxFragmentSize > 1010) and the
> > > VS has EnterAsys R2, the user CANNOT AUTHENTICATE! In my tests, the
> > > authentication blocks when the Radiator sends the second EAP message with
> > > the server certificate (typically a big Radius packet)...
> > >
> > > The server does send the 2nd Challenge with the certificate but no response
> > > from the AP... But it does work with FreeRadius with a similar chunk size.
> > >
> > > Does anyone have any ideas?
> > > Thanks in advance!
> > >
> > > Best regards,
> > > ---------------
> > > Luís Guido
> > > FCCN - Portugal
> > >
> > >
> > > --
> > > Archive at http://www.open.com.au/archives/radiator/
> > > Announcements on radiator-announce at open.com.au
> > > To unsubscribe, email 'majordomo at open.com.au' with
> > > 'unsubscribe radiator' in the body of the message.
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive
> > (www.open.com.au/archives/radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
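
The thread turns on how an EAP-TLS/PEAP fragment size translates into the size of each RADIUS Access-Challenge. The sketch below is an added example, not code from the thread or from Radiator or FreeRADIUS; it uses only the RFC 2865/3579/5216 framing. It assumes the fragment size counts TLS data octets per EAP packet, that the L flag is set on the first fragment only, and that the State length and the NAS limit are caller-supplied (both hypothetical parameters).

```python
import math

RADIUS_HEADER = 20          # code, identifier, length, authenticator (RFC 2865)
ATTR_HEADER = 2             # type + length octets in front of every attribute
ATTR_MAX_VALUE = 253        # largest value a single attribute can carry
MESSAGE_AUTHENTICATOR = 18  # required alongside EAP-Message (RFC 3579)
EAP_TLS_HEADER = 6          # EAP code, id, length (2), type, flags
TLS_LENGTH_FIELD = 4        # TLS Message Length, sent when the L flag is set
UDP_IP_HEADERS = 28         # IPv4 without options (20) + UDP (8)


def radius_size(tls_bytes, first_fragment, state_len=0):
    """Octets in one Access-Challenge carrying tls_bytes of TLS data."""
    eap_len = EAP_TLS_HEADER + tls_bytes
    if first_fragment:
        eap_len += TLS_LENGTH_FIELD
    # The EAP packet is split across EAP-Message attributes of <= 253 octets.
    n_attrs = math.ceil(eap_len / ATTR_MAX_VALUE)
    size = RADIUS_HEADER + eap_len + n_attrs * ATTR_HEADER + MESSAGE_AUTHENTICATOR
    if state_len:
        size += ATTR_HEADER + state_len
    return size


def plan(handshake_len, fragment_size, state_len=0):
    """RADIUS packet size of each challenge needed to send handshake_len octets."""
    sizes, sent = [], 0
    while sent < handshake_len:
        chunk = min(fragment_size, handshake_len - sent)
        sizes.append(radius_size(chunk, sent == 0, state_len))
        sent += chunk
    return sizes


def largest_fragment(max_radius_len, state_len=0):
    """Largest fragment size whose first challenge fits in max_radius_len octets."""
    frag = 0
    while radius_size(frag + 1, True, state_len) <= max_radius_len:
        frag += 1
    return frag


if __name__ == "__main__":
    # Constructed input: a 3000-octet server handshake flight, no State attribute.
    for frag in (1400, 1010):
        sizes = plan(3000, frag)
        print(frag, sizes, [s + UDP_IP_HEADERS for s in sizes])
```

Under these assumptions a 1400-octet fragment yields a 1460-octet first challenge, while 1010 yields 1068; the thread does not say whether the two servers count fragment size the same way, so compare against a packet capture before changing a production setting.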
