(RADIATOR) 802.1X with Radiator and EnterAsys R2

Mike McCauley mikem at open.com.au
Thu Jan 27 17:34:49 CST 2005


Hello Luís,

thank you for the logs.
The tcp dumps still appear to be truncated, but I can see what I need from the 
freeradius and radiator log files.

I think the position we are at now is something like this:

1. You have observed that the R2 works with Radiator when the MaxFragmentSize 
is set to about 1000, but not when set to, say 1400. The symptoms are that 
after Radiator sends the first part of the server certificate to the client, 
the client does not acknowledge, but attempts to restart the authentication. 

2. You have also observed that the R2 does work with freeradius even when the 
fragment_size is set to 1400.

3. You therefore suspect a problem with Radiator.

Is that a fair statement of the position so far?

I have had a very close look at the logs you sent, especially the first 
certificate fragment sent back to the R2, after which the problem occurs.

I can see in the logs that Radiator sends back 1410 octets in the EAP-Message, 
but that freeradius sends back only 1012 octets in the EAP-Message, even 
though freeradius is apparently configured with fragment_size = 1400.
I note that the R2 requests contain a Framed-MTU size of 1000, but clearly 
freeradius is not using that number exactly, because the resulting UDP packet 
also includes the signature, state, Radius packet headers etc, and is in 
total considerably longer than 1000 octets.

So it seems to me that in the case of freeradius, the handshake again works 
only because of the shorter fragment size, even though the fragment size 
doesn't really comply with the Framed-MTU.

However, we have now added a patch to Radiator to limit the max fragment size 
to the Framed-MTU if present and less than the MaxFragmentSize. The patch 
fixes TLS, TTLS and PEAP.

Please let us know how you get on with this.

Cheers.

On Friday 28 January 2005 02:10, Luís Guido wrote:
> Hello Mike,
>
> There goes another test made always from the same machine/supplicant
> (Windows XP SP1 PEAP). The users were similar except for the realm.
> The scenario is the same as the first one with only a small difference:
> the same certificate was used for both Radiator and FreeRadius.
>
> Despite that, we have the same:
>
> User@(Visited Institution) -> Proxy Radius -> (Radiator | FreeRadius)
>
> I am not an expert but my first guess (looking at the tcpdumps) is that
> Radiator is not using the "Framed-MTU = 1000" that EnterAsys R2 is sending
> to the Radius Server and is sending bigger packets than R2 can handle.
> The biggest packet FreeRadius sends back to R2 is 1070 bytes (maybe 1000
> plus network packet headers?) but Radiator sends a 1460-byte packet....
>
> I have attached the output from FreeRadius (-X flag) that dumps all packets
> plus some internal information; the Trace 4 from Radiator; the config files
> (FreeRadius & Radiator) and the tcpdumps from both servers. If you need the
> certificates I can send them too (they are signed by a private testbed CA ;) )
>
> Best regards,
> Luís Guido
>
> > -----Original Message-----
> > From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> > Behalf Of Luís Guido
> > Sent: quinta-feira, 27 de Janeiro de 2005 12:25
> > To: 'Mike McCauley'
> > Cc: 'Hugh Irvine'; 'Radiator MailingList'
> > Subject: RE: (RADIATOR) 802.1X with Radiator and EnterAsys R2
> >
> > Hello Mike,
> >
> > See my comments inline please.
> >
> > > -----Original Message-----
> > > From: Mike McCauley [mailto:mikem at open.com.au]
> > > Sent: quarta-feira, 26 de Janeiro de 2005 22:45
> > > To: Luís Guido
> > > Cc: 'Hugh Irvine'; 'Radiator MailingList'
> > > Subject: Re: (RADIATOR) 802.1X with Radiator and EnterAsys R2
> > >
> > > Hello again Luis,
> > >
> > > Further information:
> > > The FreeRadius-PacketLog-EnterAsysR2.txt trace file does not seem to
> > > include the replies from Freeradius to the R2, only the incoming access
> > > requests.
> >
> > You're right... :(  I am going to perform an authentication with FreeRadius
> > in debugging mode... It will produce a very long list of "logs"... :)
> >
> > > This makes it very hard for me to tell the difference between freeradius
> > > and Radiator, especially with the tcpdump traces unreadable.
> >
> > Ok. I'm going to repeat the tests today (if I can contact the person with
> > the R2).
> > One other thing is that I am going to configure both servers with the
> > same certificate. The previous tests were performed with separate
> > certificates but both signed by the same private CA.
> >
> > > BTW, I can see from the Radiator trace that it is sending very long
> > > replies back to the R2: 1460 octets altogether
> >
> > The FreeRadius does not pass the 1070 (from the readable part of the
> > tcpdump file). Both certificates have approximately the same size... only
> > some bytes different.
> > There goes the Radiator config portion for the 802.1X config:
> >
> > <Handler TunnelledByTTLS=1>
> >         RewriteUsername s/^([^@]+).*/$1/
> >         <AuthBy FILE>
> >                 RewriteUsername s/^([^@]+).*/$1/
> >                 EAPType MSCHAP-V2, PAP, MD5-Challenge
> >                 Filename             /etc/radius/roam.txt
> >                 AddToReplyIfNotExist User-Name=%u
> >         </AuthBy>
> >         AuthLog localusers
> >         AcctLogFileName %D/acct_detail
> > </Handler>
> > <Handler TunnelledByPEAP=1>
> >       <AuthBy FILE>
> >                 RewriteUsername s/^([^@]+).*/$1/
> >                 UsernameMatchesWithoutRealm    yes
> >                 EAPType MSCHAP-V2
> >                 Filename /etc/radius/roam.txt
> >         </AuthBy>
> >         AuthLog localusers
> > </Handler>
> >
> > <Handler Realm=/roam.fccn.pt/>
> >         <AuthBy FILE>
> >                 EAPType                         PEAP, TTLS, TLS
> >                 EAPTLS_CAFile /etc/radius/cert/fccn_ca.pem
> >                 EAPTLS_CertificateFile /etc/radius/cert/phineus.pem
> >                 EAPTLS_CertificateType          PEM
> >                 EAPTLS_PrivateKeyFile /etc/radius/cert/phineus-priv.pem
> >                 EAPTLS_PrivateKeyPassword      phineus-testbed
> >                 EAPTLS_MaxFragmentSize          1400
> > #                 EAPTLS_MaxFragmentSize          1000
> >                 AutoMPPEKeys
> >                 SSLeayTrace                     4
> >         </AuthBy>
> >         AuthLog localusers
> >         AcctLogFileName %L/localusersacct.log
> >         AccountingHandled
> > </Handler>
> >
> > > Cheers.
> > >
> > > On Wednesday 26 January 2005 22:57, Luís Guido wrote:
> > > > Hi Hugh, Mike, all
> > > >
> > > > There goes some more information.
> > > > I don't have an EnterAsys R2 here but the authentications were made from
> > > > a VI (Visited Institution) with an IAS that proxies all unknown user
> > > > requests to our National Proxy Server (Radiator 3.11). The Proxy Server
> > > > forwards those requests to the server that handles the realm
> > > > roam.fccn.pt (Radiator 3.11) or to the server that handles the realm
> > > > eci.fccn.pt (FreeRadius 1.0.0-pre0) depending on the request.
> > > >
> > > > The 802.1X client used for the tests was always the same
> > > >
> > > > I have included the Trace4 for the Radiator and a packet log for the
> > > > FreeRadius for several authentication attempts.
> > > > There is also the tcpdump for both servers.
> > > >
> > > > Best Regards,
> > > > Luís Guido
> > > >
> > > > > -----Original Message-----
> > > > > From: Hugh Irvine [mailto:hugh at open.com.au]
> > > > > Sent: terça-feira, 25 de Janeiro de 2005 22:06
> > > > > To: Luís Guido; Mike McCauley
> > > > > Cc: Radiator MailingList
> > > > > Subject: Re: (RADIATOR) 802.1X with Radiator and EnterAsys R2
> > > > >
> > > > >
> > > > > Hello Luis -
> > > > >
> > > > > As always, without a copy of your configuration file and a trace 4
> > > > > debug from Radiator showing what is happening it is nearly
> > > > > impossible for us to help you. In this particular case it would also
> > > > > be very useful to see an ethereal (or tcpdump, snoop, whatever) trace
> > > > > of both the FreeRadius exchange and the Radiator exchange so we can
> > > > > see what works and what doesn't.
> > > > >
> > > > > regards
> > > > >
> > > > > Hugh
> > > > >
> > > > > On 25 Jan 2005, at 22:11, Luís Guido wrote:
> > > > > > Hi all,
> > > > > >
> > > > > > I guess this question was mentioned some while ago (in the
> > > > > > beginning of 2004) but I can't seem to find an answer to my problem.
> > > > > >
> > > > > > Terry said
> > > > > > (http://www.open.com.au/archives/radiator/2004-01/msg00057.html)
> > > > > >
> > > > > >
> > > > > > "Enterasys claims this is a problem with Radiator, and we have
> > > > > > had some disagreements with them about this.
> > > > > > When every other AP on the market works but theirs, I doubt it's
> > > > > > a server problem. ;-)
> > > > > > Try setting your chunk size to <= 1000 or so and see if that
> > > > > > works... I believe that was the problem."
> > > > > >
> > > > > > For Radiator the value for EAPTLS_MaxFragmentSize must be <= 1010
> > > > > > as pointed out by Michael
> > > > > > (http://www.open.com.au/archives/radiator/2004-01/msg00058.html)
> > > > > >
> > > > > > I have tested the R2 with FreeRadius (for PEAP):
> > > > > > (...)
> > > > > > eap {
> > > > > > (...)
> > > > > >     tls {
> > > > > > (...)
> > > > > >         fragment_size = 1400
> > > > > >     }
> > > > > > (...)
> > > > > > }
> > > > > >
> > > > > > And IAS and I have succeeded with both Radius servers.
> > > > > >
> > > > > > I'm not saying it is a Radiator problem or an R2 problem....
> > > > > > One thing I know! This is one major problem for our network.
> > > > > >
> > > > > > Our network is an 802.1X distributed network with multiple AP
> > > > > > vendors and multiple Radius Servers (Radiator, FreeRadius and IAS).
> > > > > > The Radius Hierarchy is responsible for the transportation of the
> > > > > > user credentials from a Visited Site (VS) (where the user is
> > > > > > physically located) to the Home Site (HS) (where the user is known).
> > > > > > Most probably the VS and HS do not know each other and have no way
> > > > > > of knowing what is installed/configured on the other side.
> > > > > > If the user's HS has a Radiator (with EAPTLS_MaxFragmentSize >
> > > > > > 1010) and the VS has an EnterAsys R2, the user CANNOT AUTHENTICATE!
> > > > > > In my tests, the authentication blocks when the Radiator sends the
> > > > > > second EAP message with the server certificate (typically a big
> > > > > > Radius packet)...
> > > > > >
> > > > > > The server does send the 2nd Challenge with the certificate but
> > > > > > no response from the AP... But it does work with FreeRadius with a
> > > > > > similar chunk size.
> > > > > >
> > > > > > Does anyone have any ideas?
> > > > > > Thanks in advance!
> > > > > >
> > > > > > Best regards,
> > > > > > ---------------
> > > > > > Luís Guido
> > > > > > FCCN - Portugal
> > > > > >
> > > > > >
> > > > >
> > > > > NB:
> > > > >
> > > > > Have you read the reference manual ("doc/ref.html")?
> > > > > Have you searched the mailing list archive
> > > > > (www.open.com.au/archives/radiator)?
> > > > > Have you had a quick look on Google (www.google.com)?
> > > > > Have you included a copy of your configuration file (no secrets),
> > > > > together with a trace 4 debug showing what is happening?
> > > > >
> >
> >

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
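Mike's explanation of the Framed-MTU clamp and of the overhead (EAP-Message attributes, State, Message-Authenticator, RADIUS header) that surrounds each EAP-TLS fragment, as an added worked example that is not part of this thread and is not Radiator or FreeRADIUS code. It fragments a constructed TLS flight into EAP-TLS packets with RFC 5216 L/M flags and estimates the resulting Access-Challenge size with and without a Framed-MTU of 1000; the header sizes, the 16-octet State attribute, and the reading of EAPTLS_MaxFragmentSize as "TLS octets per EAP packet" are assumptions of the model.

```python
# Added example (not Radiator/FreeRADIUS code): EAP-TLS fragment size vs.
# the NAS's Framed-MTU, and the RADIUS packet each fragment turns into.
import math

FLAG_L, FLAG_M = 0x80, 0x40   # RFC 5216 EAP-TLS flags: Length included, More fragments
EAP_HDR = 6                   # code, id, length(2), type, flags
RADIUS_HDR = 20               # code, id, length, authenticator
MSG_AUTH_ATTR = 18            # Message-Authenticator attribute (the "signature")
EAP_MSG_MAX_DATA = 253        # max payload of one EAP-Message attribute (255 - 2)

def effective_fragment_size(max_fragment_size, framed_mtu=None):
    """The clamp described in the mail: use Framed-MTU when present and smaller."""
    if framed_mtu is not None and 0 < framed_mtu < max_fragment_size:
        return framed_mtu
    return max_fragment_size

def fragment_tls(tls_data, frag_size):
    """Split a TLS flight into EAP-TLS fragments: (flags, data, total_len_or_None)."""
    frags, pos = [], 0
    while pos < len(tls_data):
        chunk = tls_data[pos:pos + frag_size]
        pos += len(chunk)
        flags = FLAG_M if pos < len(tls_data) else 0
        if not frags and flags & FLAG_M:
            flags |= FLAG_L   # first fragment of a fragmented flight carries the total length
        frags.append((flags, chunk, len(tls_data) if flags & FLAG_L else None))
    return frags

def eap_packet_len(frag):
    """Length of the EAP-Request/EAP-TLS packet carrying one fragment."""
    flags, chunk, total = frag
    return EAP_HDR + (4 if total is not None else 0) + len(chunk)

def radius_reply_len(eap_len, state_len=16):
    """Approximate Access-Challenge length: header + EAP-Message attrs + State + Message-Authenticator.
    state_len (16) is an assumed State attribute size, not a Radiator value."""
    eap_attrs = eap_len + 2 * math.ceil(eap_len / EAP_MSG_MAX_DATA)
    return RADIUS_HDR + eap_attrs + (2 + state_len) + MSG_AUTH_ATTR

def reply_sizes(tls_len, max_fragment_size, framed_mtu=None):
    """RADIUS reply lengths for a constructed server-certificate flight of tls_len octets."""
    size = effective_fragment_size(max_fragment_size, framed_mtu)
    return [radius_reply_len(eap_packet_len(f)) for f in fragment_tls(b"\x16" * tls_len, size)]

if __name__ == "__main__":
    # Constructed 3000-octet certificate flight; MaxFragmentSize 1400 as in the posted config.
    for mtu in (None, 1000):
        print("Framed-MTU", mtu, "->", reply_sizes(3000, 1400, mtu))
```

Every reply still exceeds the 1000-octet Framed-MTU even after the clamp, which is why the clamp in Mike's patch is about the fragment the NAS has to forward and not about the UDP datagram size.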

