(RADIATOR) 802.1X with Radiator and EnterAsys R2

Luís Guido lguido at fccn.pt
Fri Jan 28 05:22:45 CST 2005


Hello Mike,

The patch works!!! :)  Thank you very much for your excellent work and quick
reply to this issue.
This solution solves my problem! :) Thanks again.

Best Regards,
Luís Guido

> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Thursday, 27 January 2005 23:35
> To: Luís Guido
> Cc: 'Hugh Irvine'; 'Radiator MailingList'
> Subject: Re: (RADIATOR) 802.1X with Radiator and EnterAsys R2
> 
> Hello Luís,
> 
> Thank you for the logs.
> The tcp dumps still appear to be truncated, but I can see what I need from the
> freeradius and radiator log files.
> 
> I think the position we are at now is something like this:
> 
> 1. You have observed that the R2 works with Radiator when the MaxFragmentSize
> is set to about 1000, but not when set to, say 1400. The symptoms are that
> after Radiator sends the first part of the server certificate to the client,
> the client does not acknowledge, but attempts to restart the authentication.
> 
> 2. You have also observed that the R2 does work with freeradius even when the
> fragment_size is set to 1400.
> 
> 3. That you therefore suspect a problem with Radiator.
> 
> Is that a fair statement of the position so far?
> 
> I have had a very close look at the logs you sent, especially the first
> certificate fragment sent back to the R2, after which the problem occurs.
> 
> I can see in the logs that Radiator sends back 1410 octets in the EAP-Message,
> but that freeradius sends back only 1012 octets in the EAP-Message, even
> though freeradius is apparently configured with fragment_size = 1400.
> I note that the R2 requests contain a Framed-MTU size of 1000, but clearly
> freeradius is not using that number exactly, because the resulting UDP packet
> also includes the signature, state, Radius packet headers etc, and is in
> total considerably longer than 1000 octets.
> 
> So it seems to me that in the case of freeradius, the handshake again works
> only because of the shorter fragment size, even though the fragment size
> doesn't really comply with the Framed-MTU.
> 
> However, we have now added a patch to Radiator to limit the max fragment size
> to the Framed-MTU if present and less than the MaxFragmentSize. The patch
> fixes TLS, TTLS and PEAP.
> 
> Please let us know how you get on with this.
> 
> Cheers.
> 
> On Friday 28 January 2005 02:10, Luís Guido wrote:
> > Hello Mike,
> >
> > Here is another test, again made from the same machine/supplicant
> > (Windows XP SP1 PEAP). The users were similar except for the realm.
> > The scenario is the same as the first one with only a small difference:
> > the same certificate was used for both Radiator and FreeRadius.
> >
> > Despite that, we have the same:
> >
> > User@(Visited Institution) -> Proxy Radius -> (Radiator | FreeRadius)
> >
> > I am not an expert but my first guess (looking at the tcpdumps) is that
> > Radiator is not using the "Framed-MTU = 1000" that the EnterAsys R2 is
> > sending to the Radius Server and is sending bigger packets than the R2 can
> > handle. The biggest packet FreeRadius sends back to the R2 is 1070 bytes
> > (maybe 1000 plus network packet headers?) but Radiator sends a 1460 byte
> > packet....
> >
> > I have attached the output from FreeRadius (-X flag) that dumps all packets
> > plus some internal information; the Trace 4 from Radiator; the config files
> > (FreeRadius & Radiator) and the tcpdumps from both servers. If you need the
> > certificates I can send them too (they are signed by a private testbed CA
> > ;) )
> >
> > Best regards,
> > Luís Guido
> >
> > > -----Original Message-----
> > > From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> > > Behalf Of Luís Guido
> > > Sent: Thursday, 27 January 2005 12:25
> > > To: 'Mike McCauley'
> > > Cc: 'Hugh Irvine'; 'Radiator MailingList'
> > > Subject: RE: (RADIATOR) 802.1X with Radiator and EnterAsys R2
> > >
> > > Hello Mike,
> > >
> > > See my comments inline please.
> > >
> > > > -----Original Message-----
> > > > From: Mike McCauley [mailto:mikem at open.com.au]
> > > > Sent: Wednesday, 26 January 2005 22:45
> > > > To: Luís Guido
> > > > Cc: 'Hugh Irvine'; 'Radiator MailingList'
> > > > Subject: Re: (RADIATOR) 802.1X with Radiator and EnterAsys R2
> > > >
> > > > Hello again Luis,
> > > >
> > > > Further information:
> > > > The FreeRadius-PacketLog-EnterAsysR2.txt trace file does not seem to
> > > > include the replies from Freeradius to the R2, only the incoming access
> > > > requests.
> > >
> > > You're right... :(  I am going to perform an authentication with
> > > FreeRadius in debugging mode... It will produce a very long list of
> > > "logs"... :)
> > >
> > > > This makes it very hard for me to tell the difference between freeradius
> > > > and Radiator, especially with the tcpdump traces unreadable.
> > >
> > > Ok. I'm going to repeat the tests today (if I can contact the person with
> > > the R2).
> > > One other thing is that I am going to configure both servers with the
> > > same certificate. The previous tests were performed with separate
> > > certificates but both signed by the same private CA.
> > >
> > > > BTW, I can see from the Radiator trace that it is sending very long
> > > > replies back to the R2: 1460 octets altogether
> > >
> > > FreeRadius does not pass the 1070 (from the readable part of the tcpdump
> > > file). Both certificates have approximately the same size... only some
> > > bytes different.
> > > Here is the Radiator config portion for the 802.1X config:
> > >
> > > <Handler TunnelledByTTLS=1>
> > >         RewriteUsername s/^([^@]+).*/$1/
> > >         <AuthBy FILE>
> > >                 RewriteUsername s/^([^@]+).*/$1/
> > >                 EAPType MSCHAP-V2, PAP, MD5-Challenge
> > >                 Filename             /etc/radius/roam.txt
> > >                 AddToReplyIfNotExist User-Name=%u
> > >         </AuthBy>
> > >         AuthLog localusers
> > >         AcctLogFileName %D/acct_detail
> > > </Handler>
> > > <Handler TunnelledByPEAP=1>
> > >         <AuthBy FILE>
> > >                 RewriteUsername s/^([^@]+).*/$1/
> > >                 UsernameMatchesWithoutRealm    yes
> > >                 EAPType MSCHAP-V2
> > >                 Filename /etc/radius/roam.txt
> > >         </AuthBy>
> > >         AuthLog localusers
> > > </Handler>
> > >
> > > <Handler Realm=/roam.fccn.pt/>
> > >         <AuthBy FILE>
> > >                 EAPType                         PEAP, TTLS, TLS
> > >                 EAPTLS_CAFile /etc/radius/cert/fccn_ca.pem
> > >                 EAPTLS_CertificateFile /etc/radius/cert/phineus.pem
> > >                 EAPTLS_CertificateType          PEM
> > >                 EAPTLS_PrivateKeyFile /etc/radius/cert/phineus-priv.pem
> > >                 EAPTLS_PrivateKeyPassword      phineus-testbed
> > >                 EAPTLS_MaxFragmentSize          1400
> > > #                 EAPTLS_MaxFragmentSize          1000
> > >                 AutoMPPEKeys
> > >                 SSLeayTrace                     4
> > >         </AuthBy>
> > >         AuthLog localusers
> > >         AcctLogFileName %L/localusersacct.log
> > >         AccountingHandled
> > > </Handler>
> > >
> > > > Cheers.
> > > >
> > > > On Wednesday 26 January 2005 22:57, Luís Guido wrote:
> > > > > Hi Hugh, Mike, all
> > > > >
> > > > > Here is some more information.
> > > > > I don't have an EnterAsys R2 here but the authentications were made
> > > > > from a VI (Visited Institution) with an IAS that proxies all unknown
> > > > > user requests to our National Proxy Server (Radiator 3.11). The Proxy
> > > > > Server forwards those requests to the server that handles the realm
> > > > > roam.fccn.pt (Radiator 3.11) or to the server that handles the realm
> > > > > eci.fccn.pt (FreeRadius 1.0.0-pre0) depending on the request.
> > > > >
> > > > > The 802.1X client used for the tests was always the same.
> > > > >
> > > > > I have included the Trace4 for the Radiator and a packet log for the
> > > > > FreeRadius for several authentication attempts.
> > > > > There is also the tcpdump for both servers.
> > > > >
> > > > > Best Regards,
> > > > > Luís Guido
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Hugh Irvine [mailto:hugh at open.com.au]
> > > > > > Sent: Tuesday, 25 January 2005 22:06
> > > > > > To: Luís Guido; Mike McCauley
> > > > > > Cc: Radiator MailingList
> > > > > > Subject: Re: (RADIATOR) 802.1X with Radiator and EnterAsys R2
> > > > > >
> > > > > >
> > > > > > Hello Luis -
> > > > > >
> > > > > > As always, without a copy of your configuration file and a trace 4
> > > > > > debug from Radiator showing what is happening it is nearly
> > > > > > impossible for us to help you. In this particular case it would also
> > > > > > be very useful to see an ethereal (or tcpdump, snoop, whatever) trace
> > > > > > of both the FreeRadius exchange and the Radiator exchange so we can
> > > > > > see what works and what doesn't.
> > > > > >
> > > > > > regards
> > > > > >
> > > > > > Hugh
> > > > > >
> > > > > > On 25 Jan 2005, at 22:11, Luís Guido wrote:
> > > > > > > Hi all,
> > > > > > >
> > > > > > > I guess this question was mentioned some while ago (in the
> > > > > > > beginning of 2004) but I can't seem to find an answer to my problem.
> > > > > > >
> > > > > > > Terry said
> > > > > > > (http://www.open.com.au/archives/radiator/2004-01/msg00057.html)
> > > > > > >
> > > > > > > "Enterasys claims this is a problem with Radiator, and we have had
> > > > > > > some disagreements with them about this.
> > > > > > > When every other AP on the market works but theirs, I doubt it's a
> > > > > > > server problem. ;-)
> > > > > > > Try setting your chunk size to <= 1000 or so and see if that
> > > > > > > works... I believe that was the problem."
> > > > > > >
> > > > > > > For Radiator the value for EAPTLS_MaxFragmentSize must be <= 1010
> > > > > > > as pointed out by Michael
> > > > > > > (http://www.open.com.au/archives/radiator/2004-01/msg00058.html)
> > > > > > >
> > > > > > > I have tested the R2 with FreeRadius (for PEAP):
> > > > > > > (...)
> > > > > > > eap {
> > > > > > > (...)
> > > > > > >         tls {
> > > > > > > (...)
> > > > > > >                 fragment_size = 1400
> > > > > > >         }
> > > > > > > (...)
> > > > > > > }
> > > > > > >
> > > > > > > And IAS and I have succeeded with both Radius servers.
> > > > > > >
> > > > > > > I'm not saying it is a Radiator problem or an R2 problem....
> > > > > > > One thing I know! This is one major problem for our network.
> > > > > > >
> > > > > > > Our network is an 802.1X distributed network with multiple AP
> > > > > > > vendors and multiple Radius Servers (Radiator, FreeRadius and IAS).
> > > > > > > The Radius Hierarchy is responsible for the transportation of the
> > > > > > > user credentials from a Visited Site (VS) (where the user is
> > > > > > > physically located) to the Home Site (HS) (where the user is
> > > > > > > known). Most probably the VS and HS do not know each other and
> > > > > > > have no way of knowing what is installed/configured on the other
> > > > > > > side.
> > > > > > > If the user's HS has a Radiator (with EAPTLS_MaxFragmentSize >
> > > > > > > 1010) and the VS has an EnterAsys R2, the user CANNOT AUTHENTICATE!
> > > > > > > In my tests, the authentication blocks when the Radiator sends the
> > > > > > > second EAP message with the server certificate (typically a big
> > > > > > > Radius packet)...
> > > > > > >
> > > > > > > The server does send the 2nd Challenge with the certificate but
> > > > > > > no response from the AP... But it does work with FreeRadius with a
> > > > > > > similar chunk size.
> > > > > > >
> > > > > > > Does anyone have any ideas?
> > > > > > > Thanks in advance!
> > > > > > >
> > > > > > > Best regards,
> > > > > > > ---------------
> > > > > > > Luís Guido
> > > > > > > FCCN - Portugal
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Archive at http://www.open.com.au/archives/radiator/
> > > > > > > Announcements on radiator-announce at open.com.au
> > > > > > > To unsubscribe, email 'majordomo at open.com.au' with
> > > > > > > 'unsubscribe radiator' in the body of the message.
> > > > > >
> > > > > > NB:
> > > > > >
> > > > > > Have you read the reference manual ("doc/ref.html")?
> > > > > > Have you searched the mailing list archive
> > > > > > (www.open.com.au/archives/radiator)?
> > > > > > Have you had a quick look on Google (www.google.com)?
> > > > > > Have you included a copy of your configuration file (no secrets),
> > > > > > together with a trace 4 debug showing what is happening?
> > > > > >
> > > > > > --
> > > > > > Radiator: the most portable, flexible and configurable RADIUS
> > > > > > server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > > > > > -
> > > > > > Nets: internetwork inventory and management - graphical,
> > > > > > extensible, flexible with hardware, software, platform and database
> > > > > > independence.
> > > > > > -
> > > > > > CATool: Private Certificate Authority for Unix and Unix-like
> > > > > > systems.
> > >
> > > > --
> > > > Mike McCauley                               mikem at open.com.au
> > > > Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> > > > 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> > > > http://www.open.com.au
> > > > Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
> > > >
> > > > Radiator: the most portable, flexible and configurable RADIUS server
> > > > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > > > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > > > TTLS, PEAP etc on Unix, Windows, MacOS etc.

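The point Mike makes in the thread, that an EAP-TLS fragment sized only from the server's configured maximum can exceed what a NAS advertising Framed-MTU 1000 will carry, and that the fix is to take the smaller of Framed-MTU and the configured maximum, can be worked through in numbers. The following is an added example written for this page; it is not code from the thread, from Radiator or from FreeRADIUS. It frames fragments the way RFC 2716 describes (L/M/S flags, 4-octet TLS Message Length in the first fragment), reassembles them to check the framing, and estimates the size of the RADIUS Access-Challenge that carries each fragment (RADIUS header, EAP-Message attributes in 253-octet slices, Message-Authenticator, State). Assumptions, marked in the comments: the fragment size bounds the whole EAP packet, the State value is 16 octets, and the 3000-octet "certificate" is constructed filler, so the packet sizes it prints are illustrative and not the 1410/1012/1070/1460 figures from the logs.

```python
"""EAP-TLS fragmentation versus Framed-MTU (added example, not thread code)."""
import struct

EAP_CODE_REQUEST = 1
EAP_TYPE_TLS = 13
FLAG_L = 0x80   # TLS Message Length field present (RFC 2716)
FLAG_M = 0x40   # more fragments follow
FLAG_S = 0x20   # EAP-TLS Start (unused here, listed for completeness)

RADIUS_HEADER_LEN = 20          # Code, Identifier, Length, Authenticator
ATTR_VALUE_MAX = 253            # largest attribute value with a 1-octet Length
MESSAGE_AUTHENTICATOR_LEN = 18  # Type, Length, 16-octet HMAC-MD5 (RFC 2869)
STATE_VALUE_LEN = 16            # assumption: 16-octet State value


def effective_fragment_size(max_fragment_size, framed_mtu=None):
    """Rule described in the thread: honour Framed-MTU when the NAS sent one
    and it is smaller than the configured maximum, else use the maximum."""
    if framed_mtu is not None and framed_mtu < max_fragment_size:
        return framed_mtu
    return max_fragment_size


def fragment_tls(tls_record, fragment_size, first_identifier=1):
    """Split one TLS record into EAP-Request/EAP-TLS packets.

    fragment_size is treated here as the maximum size of the whole EAP packet
    (assumption for this example). The first fragment carries the L flag plus
    the 4-octet TLS Message Length; every fragment but the last carries M.
    """
    if not tls_record:
        raise ValueError("empty TLS record")
    packets = []
    offset, identifier, total = 0, first_identifier, len(tls_record)
    while offset < total:
        first = offset == 0
        overhead = 6 + (4 if first else 0)   # EAP hdr(4)+Type(1)+Flags(1)[+Len(4)]
        room = fragment_size - overhead
        if room <= 0:
            raise ValueError("fragment_size too small for EAP-TLS headers")
        chunk = tls_record[offset:offset + room]
        offset += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if offset < total else 0)
        body = bytes([EAP_TYPE_TLS, flags])
        if first:
            body += struct.pack("!I", total)
        body += chunk
        header = struct.pack("!BBH", EAP_CODE_REQUEST, identifier, 4 + len(body))
        packets.append(header + body)
        identifier = (identifier + 1) % 256
    return packets


def reassemble_tls(packets):
    """Strip the EAP-TLS framing again and check the declared TLS length."""
    data, declared = b"", None
    for packet in packets:
        _code, _ident, length = struct.unpack("!BBH", packet[:4])
        if length != len(packet) or packet[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        pos = 6
        if packet[5] & FLAG_L:
            (declared,) = struct.unpack("!I", packet[6:10])
            pos = 10
        data += packet[pos:]
    if declared is not None and declared != len(data):
        raise ValueError("TLS Message Length does not match reassembled data")
    return data


def radius_challenge_size(eap_packet, state_len=STATE_VALUE_LEN):
    """Octets of an Access-Challenge carrying one EAP packet: the RADIUS header,
    EAP-Message attributes (253-octet slices, 2 octets Type/Length each),
    Message-Authenticator and a State attribute."""
    slices = -(-len(eap_packet) // ATTR_VALUE_MAX)   # ceiling division
    eap_attrs = len(eap_packet) + 2 * slices
    return RADIUS_HEADER_LEN + eap_attrs + MESSAGE_AUTHENTICATOR_LEN + 2 + state_len


def compare(max_fragment_size, framed_mtu, certificate_len):
    """For the configured size alone and for the size after honouring
    Framed-MTU: (fragment size, fragment count, largest EAP packet,
    largest RADIUS packet)."""
    record = (bytes(range(256)) * (certificate_len // 256 + 1))[:certificate_len]
    result = {}
    for label, size in (("configured", max_fragment_size),
                        ("with Framed-MTU",
                         effective_fragment_size(max_fragment_size, framed_mtu))):
        frags = fragment_tls(record, size)
        assert reassemble_tls(frags) == record   # framing round-trips
        result[label] = (size, len(frags), max(len(p) for p in frags),
                         max(radius_challenge_size(p) for p in frags))
    return result


if __name__ == "__main__":
    # Constructed scenario: 3000-octet certificate chain, server configured
    # for 1400, NAS advertising Framed-MTU 1000.
    for label, (size, n, eap_max, radius_max) in compare(1400, 1000, 3000).items():
        print(f"{label:16} fragment={size:5}  fragments={n}  "
              f"largest EAP={eap_max}  largest RADIUS={radius_max}")
```

Running it shows the shape of the problem: with the configured 1400 the largest EAP packet is 1400 octets and the Access-Challenge carrying it is well over 1400, while honouring Framed-MTU 1000 caps the EAP packet at 1000 at the cost of one more round trip. The RADIUS figure is larger than the EAP packet in both cases, which is the same observation Mike makes about the FreeRADIUS packets: the UDP datagram also carries the signature, State and header, so a NAS limit on the EAP payload is not the same thing as a limit on the packet.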