(RADIATOR) 802.1X with Radiator and EnterAsys R2
Luís Guido
lguido at fccn.pt
Thu Jan 27 10:10:16 CST 2005
Hello Mike,
There goes another test made always from the same machine/suplicant (Windows
XP SP1 PEAP). The users were similar except for the realm.
The scenario is the same as the first one with only a small difference:
It was used the same certificate for both Radiator and FreeRadius.
Despite that, we have the same:
User@(Visited Institution) -> Proxy Radius -> (Radiator | FreeRadius)
I am not an expert but my first guess (looking o the tcpdumps) is that
Radiator is not using the "Framed-MTU = 1000" that EnterAsys R2 is sending
to the Radius Server and is sending bigger packets that R2 can handle.
The biggest packet FreeRadius send back to R2 is 1070 bytes (maybe 1000 plus
network packet headers?) but Radiator sends 1460 byte packet....
I have attached the output from FreeRadius (-X flag) that dumps all packets
plus some internal information; the Trace 4 from Radiator; the config files
(FreeRadius & Radiator) and the tcpdumps from both servers. If you need the
certificates I can send them too (are signed by a private testbed CA ;) )
Best regards,
Luís Guido
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> Behalf Of Luís Guido
> Sent: quinta-feira, 27 de Janeiro de 2005 12:25
> To: 'Mike McCauley'
> Cc: 'Hugh Irvine'; 'Radiator MailingList'
> Subject: RE: (RADIATOR) 802.1X with Radiator and EnterAsys R2
>
> Hello Mike,
>
> See my comments inline please.
>
> > -----Original Message-----
> > From: Mike McCauley [mailto:mikem at open.com.au]
> > Sent: quarta-feira, 26 de Janeiro de 2005 22:45
> > To: Luís Guido
> > Cc: 'Hugh Irvine'; 'Radiator MailingList'
> > Subject: Re: (RADIATOR) 802.1X with Radiator and EnterAsys R2
> >
> > Hello again Luis,
> >
> > Further information:
> > The FreeRadius-PacketLog-EnterAsysR2.txt trace file does not seem to
> > include
> > the replies from Freeradius to the R2, only the incoming access
> requests.
>
> Your right... :( I am going to perform an authentication with FreeRadius
> in
> debugging mode... It will produce a very long list of "logs"... :)
>
> > Tis
> > make it very hard for me to tell the difference between freeradius and
> > Radiator, especially wit hth etcpdump traces unreadable.
>
> Ok. I'm going to repeat the tests today (if I can contact the person with
> the R2).
> One other thing is that I am going to configure both servers with the same
> certificate. The previous tests were preformed with separated certificates
> but both signed by the same private CA.
>
> > BTW, I can see from the Radiator trace that it is sending very long
> > replies
> > back to the R2: 1460 octets altogether
>
> The FreeRadius does not pass the 1070 (from the readable part of the
> tcpdump
> file) Both certificates have approximately the same size... only Some
> bytes
> different.
> There goes the Radiator config portion for the 802.1X config:
>
> <Handler TunnelledByTTLS=1>
> RewriteUsername s/^([^@]+).*/$1/
> <AuthBy FILE>
> RewriteUsername s/^([^@]+).*/$1/
> EAPType MSCHAP-V2, PAP, MD5-Challenge
> Filename /etc/radius/roam.txt
> AddToReplyIfNotExist User-Name=%u
> </AuthBy>
> AuthLog localusers
> AcctLogFileName %D/acct_detail
> </Handler>
> <Handler TunnelledByPEAP=1>
> <AuthBy FILE>
> RewriteUsername s/^([^@]+).*/$1/
> UsernameMatchesWithoutRealm yes
> EAPType MSCHAP-V2
> Filename /etc/radius/roam.txt
> </AuthBy>
> AuthLog localusers
> </Handler>
>
> <Handler Realm=/roam.fccn.pt/>
> <AuthBy FILE>
> EAPType PEAP, TTLS, TLS
> EAPTLS_CAFile /etc/radius/cert/fccn_ca.pem
> EAPTLS_CertificateFile /etc/radius/cert/phineus.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /etc/radius/cert/phineus-priv.pem
> EAPTLS_PrivateKeyPassword phineus-testbed
> EAPTLS_MaxFragmentSize 1400
> # EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> SSLeayTrace 4
> </AuthBy>
> AuthLog localusers
> AcctLogFileName %L/localusersacct.log
> AccountingHandled
> </Handler>
>
>
> > Cheers.
> >
> >
> > On Wednesday 26 January 2005 22:57, Luís Guido wrote:
> > > Hi Hugh, Mike, all
> > >
> > > There goes some more information.
> > > I don't have a EnterAsys R2 here but the authentications made from a
> VI
> > > (Visited Institution) with a IAS that proxy's all unknown user
> requests
> > to
> > > our Nacional Proxy Server (Radiator 3.11). The Proxy Server forwards
> > those
> > > requests to the server that handles the realm roam.fccn.pt (Radiator
> > 3.11)
> > > or to the server that handles the realm eci.fccn.pt (FreeRadius 1.0.0-
> > pre0)
> > > depending on the request.
> > >
> > > The 802.1X client used for the tests was always the same
> > >
> > > I have included the Trace4 for the Radiator and a packet log for the
> > > FreeRadius for several authentication attempts.
> > > There is also the tcpdump for both servers.
> > >
> > > Best Regards,
> > > Luís Guido
> > >
> > > > -----Original Message-----
> > > > From: Hugh Irvine [mailto:hugh at open.com.au]
> > > > Sent: terça-feira, 25 de Janeiro de 2005 22:06
> > > > To: Luís Guido; Mike McCauley
> > > > Cc: Radiator MailingList
> > > > Subject: Re: (RADIATOR) 802.1X with Radiator and EnterAsys R2
> > > >
> > > >
> > > > Hello Luis -
> > > >
> > > > As always, without a copy of your configuration file and a trace 4
> > > > debug from Radiator showing what is happening it is nearly
> impossible
> > > > for us to help you. In this particular case it would also be very
> > > > useful to see a ethereal (or tcpdump, snoop, whatever) trace of both
> > > > the FreeRadius exchange and the Radiator exchange so we can see what
> > > > works and what doesn't.
> > > >
> > > > regards
> > > >
> > > > Hugh
> > > >
> > > > On 25 Jan 2005, at 22:11, Luís Guido wrote:
> > > > > Hi all,
> > > > >
> > > > > I guess this question was mentioned some while ago (in the
> beginning
> > of
> > > > > 2004) but I can't seam to find an answer to my problem.
> > > > >
> > > > > Terry said
> > > > > (http://www.open.com.au/archives/radiator/2004-01/msg00057.html)
> > > > >
> > > > >
> > > > > "Enterasys claims this is a problem with Radiator, and we have had
> > some
> > > > > disagreements with them about this.
> > > > > When every other AP on the market works but theirs, I doubt it's a
> > > > > server
> > > > > problem. ;-)
> > > > > Try setting your chunk size to <= 1000 or so and see if that
> > works... I
> > > > > believe that was the problem."
> > > > >
> > > > > For Radiator the value for EAPTLS_MaxFragmentSize must be <= 1010
> as
> > > > > pointed
> > > > > by Michael
> > > > > (http://www.open.com.au/archives/radiator/2004-01/msg00058.html)
> > > > >
> > > > > I have tested the R2 with FreeRadius (for PEAP):
> > > > > (...)
> > > > > eap {
> > > > > (...)
> > > > > tls {
> > > > > (...)
> > > > > fragment_size = 1400
> > > > > }
> > > > > (...)
> > > > > }
> > > > >
> > > > > And IAS and I have succeeded with both Radius servers.
> > > > >
> > > > > I'm not saying it is a Radiator problem or an R2 problem....
> > > > > One thing I know! This is one major problem for our network.
> > > > >
> > > > > Our network is a 802.1X distributed network with multiple AP
> vendors
> > > > > and
> > > > > multiple Radius Servers (Radiator, FreeRadius and IAS).
> > > > > The Radius Hierarchy is responsible for the transportation of the
> > user
> > > > > credentials from a Visited Site (VS) (where the user is physically
> > > > > located)
> > > > > to the Home Site (HS) (where the user is known). Must probably the
> > VS
> > > > > and HS
> > > > > do not know each other and have no way of knowing what is
> > > > > installed/configured on the other side.
> > > > > If the user HS have a Radiator (with EAPTLS_MaxFragmentSize >
> 1010)
> > > > > and the
> > > > > VS has EnterAsys R2, the user CANNOT AUTHENTICATE! In my tests,
> the
> > > > > authentication blocks when the Radiator sends the second EAP
> message
> > > > > with
> > > > > the server certificate (typically a big Radius packet)...
> > > > >
> > > > > The server does send the 2nd Challenge with the certificate but no
> > > > > response
> > > > > from the AP... But it does work with FreeRadius with a similar
> chunk
> > > > > size.
> > > > >
> > > > > Does anyone have any ideas?
> > > > > Thanks in advance!
> > > > >
> > > > > Best regards,
> > > > > ---------------
> > > > > Luís Guido
> > > > > FCCN - Portugal
> > > > >
> > > > >
> > > > > --
> > > > > Archive at http://www.open.com.au/archives/radiator/
> > > > > Announcements on radiator-announce at open.com.au
> > > > > To unsubscribe, email 'majordomo at open.com.au' with
> > > > > 'unsubscribe radiator' in the body of the message.
> > > >
> > > > NB:
> > > >
> > > > Have you read the reference manual ("doc/ref.html")?
> > > > Have you searched the mailing list archive
> > > > (www.open.com.au/archives/radiator)?
> > > > Have you had a quick look on Google (www.google.com)?
> > > > Have you included a copy of your configuration file (no secrets),
> > > > together with a trace 4 debug showing what is happening?
> > > >
> > > > --
> > > > Radiator: the most portable, flexible and configurable RADIUS server
> > > > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > > > -
> > > > Nets: internetwork inventory and management - graphical, extensible,
> > > > flexible with hardware, software, platform and database
> independence.
> > > > -
> > > > CATool: Private Certificate Authority for Unix and Unix-like
> systems.
> >
> > --
> > Mike McCauley mikem at open.com.au
> > Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> > 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> > http://www.open.com.au
> > Phone +61 7 5598-7474 Fax +61 7 5598-7070
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP etc on Unix, Windows, MacOS etc.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: EnterAsys R2 - Radiator.rar
Type: application/octet-stream
Size: 19369 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20050127/bbc29167/attachment.obj>
More information about the radiator
mailing list