(RADIATOR) 802.1X with Radiator and EnterAsys R2

Mike McCauley mikem at open.com.au
Wed Jan 26 16:35:28 CST 2005 

Hello Luis,

Thanks, but it looks like there is some problem with the tcpdump traces. Note 
the Visited-Proxy-RAD.txt has size 1047: not enough, and when I try to look 
at them with tcpdump or ethereal I get errors that make me think the trace 
files are corrupt or truncated.


Archive ../EnterAsys R2 - Radiator.rar

 Name             Size   Packed Ratio  Date   Time     Attr      CRC   Meth 
Ver
-------------------------------------------------------------------------------
 FreeRadius-PacketLog-EnterAsysR2.txt     7656     2082  27% 26-01-05 
13:50   .....A   81D0E536 m3b 2.9
 Visited-Proxy-FR.txt    28873     7115  24% 26-01-05 13:50   .....A   
701CA571 m3b 2.9
 Visited-Proxy-RAD.txt     1047      555  53% 26-01-05 13:27   .....A   
7A8C2E40 m3b 2.9
 Radiator-Trace4-EnterAsysR2.txt    38743     5957  15% 26-01-05 
12:27   .....A   2D727850 m3b 2.9
-------------------------------------------------------------------------------
    4            76319    15709  20%

Cheers.

On Wednesday 26 January 2005 22:57, Luís Guido wrote:
> Hi Hugh, Mike, all
>
> There goes some more information.
> I don't have a EnterAsys R2 here but the authentications made from a VI
> (Visited Institution) with a IAS that proxy's all unknown user requests to
> our Nacional Proxy Server (Radiator 3.11). The Proxy Server forwards those
> requests to the server that handles the realm roam.fccn.pt (Radiator 3.11)
> or to the server that handles the realm eci.fccn.pt (FreeRadius 1.0.0-pre0)
> depending on the request.
>
> The 802.1X client used for the tests was always the same
>
> I have included the Trace4 for the Radiator and a packet log for the
> FreeRadius for several authentication attempts.
> There is also the tcpdump for both servers.
>
> Best Regards,
> Luís Guido
>
> > -----Original Message-----
> > From: Hugh Irvine [mailto:hugh at open.com.au]
> > Sent: terça-feira, 25 de Janeiro de 2005 22:06
> > To: Luís Guido; Mike McCauley
> > Cc: Radiator MailingList
> > Subject: Re: (RADIATOR) 802.1X with Radiator and EnterAsys R2
> >
> >
> > Hello Luis -
> >
> > As always, without a copy of your configuration file and a trace 4
> > debug from Radiator showing what is happening it is nearly impossible
> > for us to help you. In this particular case it would also be very
> > useful to see a ethereal (or tcpdump, snoop, whatever) trace of both
> > the FreeRadius exchange and the Radiator exchange so we can see what
> > works and what doesn't.
> >
> > regards
> >
> > Hugh
> >
> > On 25 Jan 2005, at 22:11, Luís Guido wrote:
> > > Hi all,
> > >
> > > I guess this question was mentioned some while ago (in the beginning of
> > > 2004) but I can't seam to find an answer to my problem.
> > >
> > > Terry said
> > > (http://www.open.com.au/archives/radiator/2004-01/msg00057.html)
> > >
> > >
> > > "Enterasys claims this is a problem with Radiator, and we have had some
> > > disagreements with them about this.
> > > When every other AP on the market works but theirs, I doubt it's a
> > > server
> > > problem. ;-)
> > > Try setting your chunk size to <= 1000 or so and see if that works... I
> > > believe that was the problem."
> > >
> > > For Radiator the value for EAPTLS_MaxFragmentSize must be <= 1010 as
> > > pointed
> > > by Michael
> > > (http://www.open.com.au/archives/radiator/2004-01/msg00058.html)
> > >
> > > I have tested the R2 with FreeRadius (for PEAP):
> > > (...)
> > > 	eap {
> > > (...)
> > > 		tls {
> > > (...)
> > >                         fragment_size = 1400
> > > 		}
> > > (...)
> > > }
> > >
> > > And IAS and I have succeeded with both Radius servers.
> > >
> > > I'm not saying it is a Radiator problem or an R2 problem....
> > > One thing I know! This is one major problem for our network.
> > >
> > > Our network is a 802.1X distributed network with multiple AP vendors
> > > and
> > > multiple Radius Servers (Radiator, FreeRadius and IAS).
> > > The Radius Hierarchy is responsible for the transportation of the user
> > > credentials from a Visited Site (VS) (where the user is physically
> > > located)
> > > to the Home Site (HS) (where the user is known). Must probably the VS
> > > and HS
> > > do not know each other and have no way of knowing what is
> > > installed/configured on the other side.
> > > If the user HS have a Radiator (with EAPTLS_MaxFragmentSize > 1010)
> > > and the
> > > VS has EnterAsys R2, the user CANNOT AUTHENTICATE! In my tests, the
> > > authentication blocks when the Radiator sends the second EAP message
> > > with
> > > the server certificate (typically a big Radius packet)...
> > >
> > > The server does send the 2nd Challenge with the certificate but no
> > > response
> > > from the AP... But it does work with FreeRadius with a similar chunk
> > > size.
> > >
> > > Does anyone have any ideas?
> > > Thanks in advance!
> > >
> > > Best regards,
> > > ---------------
> > > Luís Guido
> > > FCCN - Portugal
> > >
> > >
> > > --
> > > Archive at http://www.open.com.au/archives/radiator/
> > > Announcements on radiator-announce at open.com.au
> > > To unsubscribe, email 'majordomo at open.com.au' with
> > > 'unsubscribe radiator' in the body of the message.
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive
> > (www.open.com.au/archives/radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list