(RADIATOR) EAP TTLS

Hugh Irvine hugh at open.com.au
Wed May 11 22:45:18 CDT 2005


Hello Manuel -

From the debug it appears that the access point (or the client) is 
configured for PEAP (EAP type 25):

> Wed May 11 18:32:09 2005: DEBUG: Response type 3
> Wed May 11 18:32:09 2005: INFO: EAP Nak desires type 25
> Wed May 11 18:32:09 2005: DEBUG: EAP result: 1, Desired EAP type 25 not
> permitted
> Wed May 11 18:32:09 2005: DEBUG: AuthBy FILE result: REJECT, Desired 
> EAP
> type 25 not permitted

You should either configure the client for TTLS, or you should 
configure Radiator for EAP-Type PEAP.

regards

Hugh



On 12 May 2005, at 02:31, <manuel.dominguez at bt.com> wrote:

> Hi, I upgraded my radiator from 3.5 to 3.12,
>
> I'm trying to put to work EAP-TTLS with Enterasys R2+Radiator 3.12 + XP
> SP1
>
> Net_SSLeay.pm-1.21, openssl 0.9.7beta3, Digest-HMAC, Digest-SHA1 are
> installed and I'm using my own cert files.
>
> I'm getting this error:
>
> Wed May 11 18:32:09 2005: DEBUG: Packet dump:
> *** Received from 10.0.0.1 port 1025 ....
> Code:       Access-Request
> Identifier: 0
> Authentic:  <254>L<0><0>'x<0><0>9d<0><0>c,<0><0>
> Attributes:
>         Message-Authenticator =
> [=<11>E<127>k<175><155><29><1><140><13>|<25>[<218>
>         User-Name = "TEMP/TEMPUSER"
>         NAS-IP-Address = 10.0.0.1
>         NAS-Port = 2
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
>         EAP-Message = <2><1><0><20><1>TEMP/TEMPUSER
>         Framed-MTU = 1000
>
> Wed May 11 18:32:09 2005: DEBUG: Handling request with Handler
> 'NAS-IP-Address=10.0.0.1'
> Wed May 11 18:32:09 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
> Wed May 11 18:32:09 2005: DEBUG: Handling with EAP: code 2, 1, 20
> Wed May 11 18:32:09 2005: DEBUG: Response type 1
> Wed May 11 18:32:09 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
> Wed May 11 18:32:09 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP 
> TTLS
> Challenge
> Wed May 11 18:32:09 2005: DEBUG: Access challenged for TEMP/TEMPUSER:
> EAP TTLS Challenge
> Wed May 11 18:32:09 2005: DEBUG: Packet dump:
> *** Sending to 10.0.0.1 port 1025 ....
> Code:       Access-Challenge
> Identifier: 0
> Authentic:  <254>L<0><0>'x<0><0>9d<0><0>c,<0><0>
> Attributes:
>         EAP-Message = <1><2><0><6><21>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed May 11 18:32:09 2005: DEBUG: Packet dump:
> *** Received from 10.0.0.1 port 1025 ....
> Code:       Access-Request
> Identifier: 1
> Authentic:  /F<0><0>_8<0><0><142>-<0><0><140>0<0><0>
> Attributes:
>         Message-Authenticator =
> ,<252><227><30><250><241><172>Sb<169><1><154><130><242><205><180>
>         User-Name = "TEMP/TEMPUSER"
>         State = ""
>         NAS-IP-Address = 10.0.0.1
>         NAS-Port = 2
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
>         Framed-MTU = 1000
>         EAP-Message = <2><2><0><6><3><25>
>
> Wed May 11 18:32:09 2005: DEBUG: Handling request with Handler
> 'NAS-IP-Address=10.0.0.1'
> Wed May 11 18:32:09 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
> Wed May 11 18:32:09 2005: DEBUG: Handling with EAP: code 2, 2, 6
> Wed May 11 18:32:09 2005: DEBUG: Response type 3
> Wed May 11 18:32:09 2005: INFO: EAP Nak desires type 25
> Wed May 11 18:32:09 2005: DEBUG: EAP result: 1, Desired EAP type 25 not
> permitted
> Wed May 11 18:32:09 2005: DEBUG: AuthBy FILE result: REJECT, Desired 
> EAP
> type 25 not permitted
> Wed May 11 18:32:09 2005: INFO: Access rejected for TEMP/TEMPUSER:
> Desired EAP type 25 not permitted
> Wed May 11 18:32:09 2005: DEBUG: Packet dump:
> *** Sending to 10.0.0.1 port 1025 ....
> Code:       Access-Reject
> Identifier: 1
> Authentic:  /F<0><0>_8<0><0><142>-<0><0><140>0<0><0>
> Attributes:
>         Reply-Message = "Request Denied"
>
>
> This is my config
>
> ############### AuthBy FILE ##############
> <AuthBy FILE>
>         Identifier 802.1x
>         Filename /opt/Radiator-3.5/802.1x_users
>         EAPType TTLS
>         EAPTLS_CAFile /opt/Radiator-3.12/Certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile
> /opt/Radiator-3.12/Certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile
> /opt/Radiator-3.12/Certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword XXXXXXXXXXXXXXXX
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         SSLeayTrace 4
> </AuthBy>
> ############### HANDLERS ##############
> <Handler NAS-IP-Address=172.23.128.4>
>         SessionDatabase NULL
>         AuthBy 802.1x
> </Handler>
>
> Any clue about what I did wrong?
>
> Thanks in advance.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive 
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
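As an added example (not Radiator's code), a small Python decoder for the EAP-Message values in the trace above, which also reproduces the EAPType decision: the second Response is an EAP Nak (type 3) whose payload lists PEAP (25), which an AuthBy configured for TTLS only rejects. The `<n>` byte notation and the EAPType keyword-to-number mapping are assumptions taken from the dumps shown; a 0x20 byte prints as a space, so the TTLS Start packet `<1><2><0><6><21>` most likely lost its trailing flags byte to whitespace trimming, which the decoder reports as a length mismatch.

```python
"""Decode EAP-Message attributes from a Radiator trace 4 packet dump.
Added example, not Radiator code: it mirrors the decision seen in the
thread (a Nak asking for PEAP/25 against an AuthBy with EAPType TTLS)."""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP"}
# Radiator EAPType keywords -> IANA EAP type numbers (assumed for this example)
EAPTYPE_KEYWORDS = {"TLS": 13, "TTLS": 21, "PEAP": 25}


def radiator_bytes(dump):
    """Radiator prints printable bytes literally and all others as <n>."""
    out = bytearray()
    for num, ch in re.findall(r"<(\d+)>|(.)", dump):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


def decode_eap(dump):
    """Parse the EAP header plus the fields that matter for type negotiation."""
    raw = radiator_bytes(dump)
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length != len(raw):  # e.g. a 0x20 flags byte prints as a space and gets trimmed
        info["warning"] = "length field %d but %d bytes in dump" % (length, len(raw))
    if code in (1, 2) and len(raw) > 4:
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            info["identity"] = raw[5:].decode("ascii", "replace")
        elif eap_type == 3:  # Nak: payload lists the types the peer would accept
            info["desired"] = [EAP_TYPES.get(t, t) for t in raw[5:]]
    return info


def nak_verdict(dump, configured_eaptype):
    """Return (permitted, message) for a Nak response against one EAPType."""
    pkt = decode_eap(dump)
    if pkt.get("type") != "Nak":
        return True, "not a Nak"
    wanted = radiator_bytes(dump)[5:]
    if EAPTYPE_KEYWORDS[configured_eaptype] in wanted:
        return True, "peer accepts %s" % configured_eaptype
    # Same outcome as the trace: reject, so either the client or EAPType must change
    return False, "Desired EAP type %s not permitted" % "/".join(str(t) for t in wanted)
```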
