(RADIATOR) authenticating wireless client through radiator against vms radius server
John Pertalion
pertalionaj at appstate.edu
Fri Mar 25 13:52:08 CST 2005
Hello,
I'm having difficulty authenticating a client on an Aruba wireless
network through Radiator against a VMS based radius server.
I've tried building up from several simpler scenarios and have had
success. I can't get the last part working. I'm stumped because I'm
not really sure of what I'm looking at in the logfile. Any suggestions
are gratefully appreciated.
I can authenticate through Radiator to the VMS based radius server using
radpwtst on the box running the Radiator server with the radius.cfg
listed below. It's an adaptation of eap_peap.cfg in the ./goodies
I can authenticate from the Aruba switch AAA authentication test through
Radiator to the VMS based radius server using the same radius.cfg
I can authenticate from the client on the Aruba wireless network using
AuthBy FILE, which is basically the eap_peap.cfg.
I can't authenticate from the client on the wireless network through
Radiator to the VMS based radius server. I've included a log of this
unsuccessful attempt below. Also included are my radius.cfg and a log of a
successful login from the AAA authentication test on the wireless switch.
I'm fairly new to this, so you may need to point out the obvious.
Thanks,
John Pertalion
Appalachian State University
Boone, NC
/***********************************************************************/
my radius.cfg:
LogDir /var/log/radius
DbDir /etc/radiator
AuthPort 1812
AcctPort 1813
# Use a lower trace level in production systems:
Trace 4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client>
# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1,User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/>
<AuthBy RADIUS>
#<AuthBy FILE>
#Filename %D/users
#VMS Radius Server
Host ####.######.edu
Secret ###########
AuthPort 1645
AcctPort 1646
Retries 3
RetryTimeout 5
StripFromReply Framed-IP-Netmask,Framed-Compression
#eap_peap.cfg contents
EAPType MSCHAP-V2
</AuthBy>
</Handler>
<Handler User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/>
<AuthBy RADIUS>
#<AuthBy FILE>
#Filename %D/users
#VMS Radius Server
Host ####.######.edu
Secret ###########
AuthPort 1645
AcctPort 1646
Retries 3
RetryTimeout 5
StripFromReply Framed-IP-Netmask,Framed-Compression
#eap_peap.cfg contents
EAPType PEAP
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
SSLeayTrace 4
EAPTLS_PEAPVersion 0
</AuthBy>
</Handler>
/***********************************************************************/
Log of unsuccessful login from client:
Fri Mar 25 13:23:14 2005: DEBUG: Packet dump:
*** Received from 152.10.209.2 port 32882 ....
Code: Access-Request
Identifier: 26
Authentic: o<158><182><191>X<179><224><196>w<170><138><220>;<146><215>p
Attributes:
User-Name = "pertalionaj"
NAS-IP-Address = 152.10.209.1
NAS-Port = 1
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = "0030651084D0"
Called-Station-Id = "000B86018580"
Framed-MTU = 1100
EAP-Message = <2><1><0><16><1>pertalionaj
Message-Authenticator =
<213>]<237><3>{<189>V8<223><134>xc<254>}<19>=
Fri Mar 25 13:23:14 2005: DEBUG: Handling request with Handler
'User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/'
Fri Mar 25 13:23:14 2005: DEBUG: Deleting session for pertalionaj,
152.10.209.1, 1
Fri Mar 25 13:23:14 2005: DEBUG: Handling with Radius::AuthRADIUS
Fri Mar 25 13:23:14 2005: DEBUG: Packet dump:
*** Sending to 152.10.1.40 port 1645 ....
Code: Access-Request
Identifier: 1
Authentic: o<158><182><191>X<179><224><196>w<170><138><220>;<146><215>p
Attributes:
User-Name = "pertalionaj"
NAS-IP-Address = 152.10.209.1
NAS-Port = 1
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = "0030651084D0"
Called-Station-Id = "000B86018580"
Framed-MTU = 1100
EAP-Message = <2><1><0><16><1>pertalionaj
Message-Authenticator =
<213>]<237><3>{<189>V8<223><134>xc<254>}<19>=
Fri Mar 25 13:23:14 2005: DEBUG: AuthBy RADIUS result: IGNORE,
Fri Mar 25 13:23:15 2005: DEBUG: Packet dump:
*** Received from 152.10.1.40 port 1645 ....
Code: Access-Reject
Identifier: 1
Authentic: <227><131><30>.<142><137><151><8><201>Z#<173>%;<151>a
Attributes:
Fri Mar 25 13:23:15 2005: DEBUG: Received reply in AuthRADIUS for req 1
from 152.10.1.40:1645
Fri Mar 25 13:23:15 2005: INFO: Access rejected for pertalionaj: Proxied
Fri Mar 25 13:23:15 2005: DEBUG: Packet dump:
*** Sending to 152.10.209.2 port 32882 ....
Code: Access-Reject
Identifier: 26
Authentic: o<158><182><191>X<179><224><196>w<170><138><220>;<146><215>p
Attributes:
Reply-Message = "Request Denied"
/***********************************************************************/
Log of successful login from Aruba Switch:
Fri Mar 25 13:20:02 2005: DEBUG: Packet dump:
*** Received from 152.10.209.2 port 32882 ....
Code: Access-Request
Identifier: 25
Authentic: H<14><142><231>p<253><3><166>*<14><175>T<0><150><237><200>
Attributes:
User-Name = "pertalionaj"
User-Password =
"<20>~<198><201><152>nR<172><155>1s<201>P<147><187>w"
NAS-IP-Address = 152.10.209.1
NAS-Port = 0
NAS-Port-Type = Wireless-IEEE-802-11
Fri Mar 25 13:20:02 2005: DEBUG: Handling request with Handler
'User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/'
Fri Mar 25 13:20:02 2005: DEBUG: Deleting session for pertalionaj,
152.10.209.1, 0
Fri Mar 25 13:20:02 2005: DEBUG: Handling with Radius::AuthRADIUS
Fri Mar 25 13:20:02 2005: DEBUG: AuthBy RADIUS creates new local socket
'0.0.0.0' for sending requests
Fri Mar 25 13:20:02 2005: DEBUG: Packet dump:
*** Sending to 152.10.1.43 port 1645 ....
Code: Access-Request
Identifier: 1
Authentic: H<14><142><231>p<253><3><166>*<14><175>T<0><150><237><200>
Attributes:
User-Name = "pertalionaj"
User-Password =
"<132>_J<208><163><4><249><27><214>F<244><238>t<<31><179>"
NAS-IP-Address = 152.10.209.1
NAS-Port = 0
NAS-Port-Type = Wireless-IEEE-802-11
Fri Mar 25 13:20:02 2005: DEBUG: AuthBy RADIUS result: IGNORE,
Fri Mar 25 13:20:02 2005: DEBUG: Packet dump:
*** Received from 152.10.1.43 port 1645 ....
Code: Access-Accept
Identifier: 1
Authentic: <3>><175><152><170><196><135><141>Dh<151><<221><9>R<27>
Attributes:
Fri Mar 25 13:20:02 2005: DEBUG: Received reply in AuthRADIUS for req 1
from 152.10.1.43:1645
Fri Mar 25 13:20:02 2005: DEBUG: Access accepted for pertalionaj
Fri Mar 25 13:20:02 2005: DEBUG: Packet dump:
*** Sending to 152.10.209.2 port 32882 ....
Code: Access-Accept
Identifier: 25
Authentic: H<14><142><231>p<253><3><166>*<14><175>T<0><150><237><200>
Attributes:
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
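The two Access-Requests in the dumps above differ in the credential they carry: the AAA test from the switch sends a PAP User-Password, while the wireless client sends an EAP-Message (an EAP-Response/Identity) with a Message-Authenticator, and the outer Handler forwards that EAP request unchanged to the VMS server. The script below is an added example, not Radiator's code and not part of the original post: it turns the `EAP-Message = <2><1><0><16><1>pertalionaj` dump line back into bytes and parses it (RFC 3748), then rebuilds both request shapes on the wire, the PAP password hiding of RFC 2865 5.2 and the HMAC-MD5 Message-Authenticator that RFC 3579 requires whenever EAP-Message is present. The shared secret, Request Authenticator and password are assumed values; only the identity and the EAP bytes come from the post.

```python
"""Rebuild the RADIUS frames behind Radiator's packet dumps. Added example: not
Radiator's code and not from the original post. Secret, Request Authenticator and
PAP password are made up; the EAP-Message string is copied from the failed-login dump."""
import hashlib, hmac, re, struct
USER_NAME, USER_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 79, 80  # RFC 2865/3579
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}      # RFC 3748
EAP_TYPES = {1: "Identity", 25: "PEAP", 26: "MS-CHAP-V2"}
_ESC = re.compile(r"<(\d{1,3})>")

def decode_radiator_bytes(text):
    """Radiator prints non-printable octets as <n>; turn such a line back into bytes."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1)))
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

def parse_eap(payload):
    """Parse one EAP packet (RFC 3748 section 4), checking its Length field."""
    if len(payload) < 4:
        raise ValueError("EAP packet shorter than its 4-octet header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError(f"EAP Length {length} != {len(payload)} octets received")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # Request/Response carry a Type octet followed by type data
        info["type"] = EAP_TYPES.get(payload[4], payload[4])
        info["data"] = payload[5:]
    return info

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; a value must fit in 253 octets."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute too long; EAP-Message must be fragmented")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def parse_attrs(body):
    """Inverse of encode_attrs; rejects lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(body):
        l = body[i + 1] if i + 1 < len(body) else 0
        if l < 2 or i + l > len(body):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs.append((body[i], body[i + 2:i + l]))
        i += l
    return attrs

def pap_password(password, secret, request_auth):
    """Hide User-Password as RFC 2865 5.2 does: XOR with an MD5 keystream, not encryption."""
    padded = password + b"\0" * (-len(password) % 16) or b"\0" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out

def build_access_request(ident, request_auth, attrs, secret, sign):
    """Build an Access-Request (code 1). sign=True appends Message-Authenticator
    (RFC 3579 3.2), the HMAC-MD5 that must accompany every EAP-Message."""
    body = encode_attrs(attrs)
    if sign:
        body += encode_attrs([(MESSAGE_AUTHENTICATOR, b"\0" * 16)])
    pkt = struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth + body
    if sign:  # HMAC over the whole packet with the 16 zero octets still in place
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt

def verify_message_authenticator(pkt, secret):
    """Recompute the HMAC with the attribute value zeroed; False if it is absent."""
    i = 20
    for t, v in parse_attrs(pkt[20:]):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = pkt[:i + 2] + b"\0" * 16 + pkt[i + 18:]
            expect = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expect, v)
        i += len(v) + 2
    return False

def classify(pkt):
    """Which credential the request carries, hence what the backend must understand."""
    types = {t for t, _ in parse_attrs(pkt[20:])}
    if EAP_MESSAGE in types:
        return "eap"  # needs an EAP-capable server, or PEAP termination in front of it
    return "pap" if USER_PASSWORD in types else "other"

if __name__ == "__main__":
    secret, auth = b"mysecret", bytes(range(16))  # assumed secret, fixed authenticator
    eap = decode_radiator_bytes("<2><1><0><16><1>pertalionaj")
    print(parse_eap(eap))  # EAP-Response/Identity, 16 octets, identity pertalionaj
    wireless = build_access_request(26, auth, [(USER_NAME, b"pertalionaj"),
                                               (EAP_MESSAGE, eap)], secret, sign=True)
    switch = build_access_request(25, auth, [(USER_NAME, b"pertalionaj"),
             (USER_PASSWORD, pap_password(b"hunter2", secret, auth))], secret, sign=False)
    print(classify(wireless), verify_message_authenticator(wireless, secret))  # eap True
    print(classify(switch), verify_message_authenticator(switch, secret))      # pap False
```

Run it as-is to see the decoded Identity response and the two classifications. The `classify` result is the practical point: a backend that only understands User-Password has nothing to check in an Access-Request whose only credential is an EAP-Message, so proxying the raw EAP exchange to it cannot succeed; either the backend must speak EAP or the EAP method has to be terminated before the proxy hop.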