(RADIATOR) EAP TTLS
manuel.dominguez at bt.com
Mon May 16 05:01:54 CDT 2005
Hi again,
I'm now getting an error at EAP-TLS authentication, with the demo certificates
or with my own generated files.
ERR: EAP TLS error: -1, 1, 8466, 0, 617: 1 - error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
I have rechecked and updated all prerequisites:
Net_SSLeay.pm-1.25
Digest-MD4-1.5
Digest-MD5-2.33
Digest-HMAC-1.01
Digest-SHA1-2.10
openssl 0.9.7f
This is my config:
<AuthBy FILE>
Identifier 802.1x
Filename /opt/Radiator-3.12/802.1x_users
EAPType PEAP
EAPTLS_CAFile /opt/Radiator-3.12/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile /opt/Radiator-3.12/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /opt/Radiator-3.12/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword xxxxxxxx
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
</AuthBy>
<Handler NAS-Port-Type=Wireless-IEEE-802-11>
SessionDatabase NULL
AuthBy 802.1x
</Handler>
This is the full log:
Mon May 16 11:29:03 2005: DEBUG: Packet dump:
*** Received from 10.0.0.1 port 1149 ....
Code: Access-Request
Identifier: 22
Authentic: J^<0><0>,v<0><0><231>'<0><0><135><21><0><0>
Attributes:
Message-Authenticator =
<219><176>7<157><209>y<173><11><27>-C<229><186><10>MP
User-Name = "testUser"
NAS-IP-Address = 10.0.0.1
NAS-Port = 8
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
EAP-Message = <2><1><0><13><1>testUser
Framed-MTU = 1000
Mon May 16 11:29:03 2005: DEBUG: Handling request with Handler 'NAS-Port-Type=Wireless-IEEE-802-11'
Mon May 16 11:29:03 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
Mon May 16 11:29:03 2005: DEBUG: Handling with EAP: code 2, 1, 13
Mon May 16 11:29:03 2005: DEBUG: Response type 1
Mon May 16 11:29:03 2005: DEBUG: EAP result: 3, EAP TLS Challenge
Mon May 16 11:29:03 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Mon May 16 11:29:03 2005: DEBUG: Access challenged for testUser: EAP TLS Challenge
Mon May 16 11:29:03 2005: DEBUG: Packet dump:
*** Sending to 10.0.0.1 port 1149 ....
Code: Access-Challenge
Identifier: 22
Authentic: J^<0><0>,v<0><0><231>'<0><0><135><21><0><0>
Attributes:
EAP-Message = <1><2><0><6><13>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Mon May 16 11:29:03 2005: DEBUG: Packet dump:
*** Received from 10.0.0.1 port 1149 ....
Code: Access-Request
Identifier: 23
Authentic: e/<0><0><185><5><0><0>C!<0><0>ZT<0><0>
Attributes:
Message-Authenticator = <170>f[<181><185>Z<194><203>&.j\yX<233>D
User-Name = "testUser"
State = ""
NAS-IP-Address = 10.0.0.1
NAS-Port = 8
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
Framed-MTU = 1000
EAP-Message =
<2><2><0>P<13><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>B<136>d<214><142>A<139><236><242>tJ<24><167>3<129>O<27>F<135>[<212>No<194><228>c<181><244>R<231><179><129><0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
Mon May 16 11:29:03 2005: DEBUG: Handling request with Handler 'NAS-Port-Type=Wireless-IEEE-802-11'
Mon May 16 11:29:03 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
Mon May 16 11:29:03 2005: DEBUG: Handling with EAP: code 2, 2, 80
Mon May 16 11:29:03 2005: DEBUG: Response type 13
Mon May 16 11:29:03 2005: ERR: EAP TLS error: -1, 1, 8466, 0, 617: 1 - error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
Mon May 16 11:29:03 2005: DEBUG: EAP result: 1, EAP TLS error
Mon May 16 11:29:03 2005: DEBUG: AuthBy FILE result: REJECT, EAP TLS error
Mon May 16 11:29:03 2005: INFO: Access rejected for testUser: EAP TLS error
Mon May 16 11:29:03 2005: DEBUG: Packet dump:
*** Sending to 10.0.0.1 port 1149 ....
Code: Access-Reject
Identifier: 23
Authentic: e/<0><0><185><5><0><0>C!<0><0>ZT<0><0>
Attributes:
EAP-Message = <4><2><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
Thanks in advance.
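The traces in this thread show the EAP-Message attribute the way Radiator prints it: each non-printable octet as <N> in decimal and each printable octet literally. The following Python is an added example, not part of the original posts and not Radiator's code; it decodes such a dump into the EAP header (code, identifier, length), the method type (1 Identity, 3 Nak, 13 TLS, 21 TTLS, 25 PEAP), the types a Nak asks for, and for the TLS-based methods the flags octet and the first TLS record. The sample dumps are copied from the logs in this thread; the name tables are my own and cover only the values that occur here.

```python
import re
import struct

# Added example, not Radiator code: decode the EAP-Message attribute as it
# appears in a Radiator trace-4 packet dump, where each non-printable octet
# is printed as <N> (decimal) and each printable octet literally. Join any
# wrapped log lines before passing a dump in.

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Only the method types that occur in this thread (RFC 3748 / IANA registry).
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAP-V2"}
TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                    22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   16: "ClientKeyExchange", 20: "Finished"}

# A <N> token is one octet; any other single character is a literal octet.
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)


def dump_to_bytes(dump: str) -> bytes:
    """Convert "<2><1><0><13><1>testUser" into the 13 raw octets it denotes."""
    out = bytearray()
    for num, ch in _TOKEN.findall(dump):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


def _decode_tls_payload(payload: bytes) -> dict:
    """Decode the EAP-TLS/TTLS/PEAP flags octet and the first TLS record."""
    if not payload:
        # A TLS Start carries flags 0x20 (S bit), which is an ASCII space:
        # Radiator prints it literally, so it is invisible at a line end.
        return {"flags": None, "note": "flags octet missing from dump"}
    flags = payload[0]
    res = {"flags": {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                     "S": bool(flags & 0x20)}}
    pos = 1
    if flags & 0x80 and len(payload) >= 5:
        # L bit set: a 4-octet total TLS message length follows the flags.
        res["tls_message_length"] = struct.unpack("!I", payload[1:5])[0]
        pos = 5
    record = payload[pos:]
    if len(record) >= 5:
        rtype, major, minor, rlen = struct.unpack("!BBBH", record[:5])
        rec = {"type": TLS_RECORD_TYPES.get(rtype, f"type {rtype}"),
               "version": f"{major}.{minor}", "length": rlen}
        if rtype == 22 and len(record) > 5:
            rec["handshake"] = HANDSHAKE_TYPES.get(record[5], f"type {record[5]}")
        res["tls_record"] = rec
    return res


def decode_eap(dump: str) -> dict:
    """Decode one EAP-Message dump into a dict of its header and method fields."""
    data = dump_to_bytes(dump)
    if len(data) < 4:
        raise ValueError("EAP header is 4 octets; dump too short")
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, f"code {code}"), "id": ident,
            "length": length, "length_ok": length == len(data)}
    if code in (3, 4) or len(data) < 5:
        return info  # Success/Failure carry no type; or type octet is missing
    eap_type = data[4]
    payload = data[5:]
    info["type"] = EAP_TYPES.get(eap_type, f"type {eap_type}")
    if eap_type == 1:
        info["identity"] = payload.decode("latin-1")
    elif eap_type == 3:
        info["desired_types"] = [EAP_TYPES.get(t, f"type {t}") for t in payload]
    elif eap_type in (13, 21, 25):
        info.update(_decode_tls_payload(payload))
    return info


# Dumps copied from the traces in this thread.
SAMPLES = {
    "outer identity": "<2><1><0><13><1>testUser",
    "server TLS start": "<1><2><0><6><13>",
    "client hello": ("<2><2><0>P<13><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>"
                     "B<136>d<214><142>A<139><236><242>tJ<24><167>3<129>O<27>F<135>"
                     "[<212>No<194><228>c<181><244>R<231><179><129><0><0><22><0><4>"
                     "<0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>"),
    "nak": "<2><2><0><6><3><25>",
    "failure": "<4><2><0><4>",
}

if __name__ == "__main__":
    for label, dump in SAMPLES.items():
        print(f"{label}: {decode_eap(dump)}")
```

A `length_ok` of False is worth a look before anything else: in these logs it happens when the server's TLS Start lost its trailing space (the 0x20 flags octet) at a line end, and when the poster replaced the real user name by a placeholder of a different length, so the EAP length no longer matches the dump. The Nak sample decodes to "desired_types: ['PEAP']", which is the negotiation Hugh points to in the quoted reply.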
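Hugh's reply quoted below says RewriteUsername cannot be combined with MS-CHAPv2 because the full username string as entered by the user goes into the algorithm. The following Python is an added example, not the poster's or Radiator's code, showing the step where that happens: the ChallengeHash of RFC 2759 section 8.2 hashes the user name string together with the two challenges, and the NT-Response is then computed from that 8-octet result. It mirrors the RewriteUsername regex from the config in this thread and uses fixed, constructed challenges so the run is repeatable.

```python
import hashlib
import re

# Added example, not Radiator's code: the ChallengeHash step of MS-CHAPv2
# (RFC 2759, section 8.2). The user name string is an input to the hash, so
# the authenticator has to hash the same string the peer hashed.

# The RewriteUsername from the config in this thread, s/^[^\\]+\\(.*)$/$1/,
# mirrored in Python: drop everything up to and including the first backslash.
_REWRITE = re.compile(r"^[^\\]+\\(.*)$")


def strip_domain(user_name: str) -> str:
    """"TEMP\\TEMPUSER" -> "TEMPUSER"; names without a backslash are unchanged."""
    return _REWRITE.sub(r"\1", user_name)


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: str) -> bytes:
    """8-octet Challenge = SHA1(PeerChallenge | AuthenticatorChallenge | UserName)[0:8]."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge are 16 octets each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(user_name.encode("latin-1"))
    return h.digest()[:8]


def challenge_matches(peer_challenge: bytes, authenticator_challenge: bytes,
                      name_used_by_peer: str, name_used_by_server: str) -> bool:
    """Do peer and server derive the same Challenge?

    The NT-Response is DES over this Challenge under keys derived from the
    password hash, so if the two Challenges differ the response cannot
    verify even with the correct password; that is why a server-side
    username rewrite breaks MS-CHAPv2."""
    return (challenge_hash(peer_challenge, authenticator_challenge, name_used_by_peer)
            == challenge_hash(peer_challenge, authenticator_challenge, name_used_by_server))


# Constructed, fixed challenges so the demonstration is repeatable (real
# ones are random per authentication).
PEER_CHALLENGE = bytes(range(16))
AUTHENTICATOR_CHALLENGE = bytes(range(16, 32))


def demo(as_typed: str = "TEMP\\TEMPUSER") -> dict:
    """Compare a server that keeps the name as typed with one that rewrites it."""
    rewritten = strip_domain(as_typed)
    return {
        "as_typed": as_typed,
        "rewritten": rewritten,
        "server_uses_same_string": challenge_matches(
            PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, as_typed, as_typed),
        "server_uses_rewritten": challenge_matches(
            PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, as_typed, rewritten),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The rewrite is harmless for the outer (RADIUS) User-Name lookup, which is why the "Rewrote user name to TEMPUSER" lines in the logs below look fine; the mismatch only surfaces inside the tunnel, where the MS-CHAPv2 response was built from the name the client used.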
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Thursday, 12 May 2005 10:07
To: Dominguez Jimenez,M,Manuel R
CC: radiator at open.com.au
Subject: Re: (RADIATOR) EAP TTLS
Hello Manuel -
Well, the problem now is you are trying to do MS-CHAPv2, which is failing,
probably because there are prerequisites missing (Digest-MD4).
Also note that if you do use MS-CHAPv2 you cannot use RewriteUsername in
your configuration file, as the full username string as entered by the
user is used in the MS-CHAPv2 algorithm.
regards
Hugh
On 12 May 2005, at 17:14, <manuel.dominguez at bt.com> wrote:
> Thanks Hugh,
>
> I will go with PEAP; after making some changes to the config file I got
> a new error:
>
> ERR: Could not handle an EAP request: Can't locate object method "response_identity" via package "Radius::EAP_26" at Radius/EAP.pm line 145.
>
> I have doubts about when I have to use PostAuthHook, or when to set
> EAPTLS_PEAPVersion to 1 or 0.
>
> Regards.
>
> # Config.
>
> ############### AuthBy FILE ##############
> <AuthBy FILE>
> Identifier 802.1x
> Filename /opt/Radiator-3.12/802.1x_users
> EAPType PEAP
> EAPTLS_CAFile /opt/Radiator-3.12/Certificates/demoCA/cacert.pem
> EAPTLS_CertificateFile /opt/Radiator-3.12/Certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /opt/Radiator-3.12/Certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword XXXXX
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> SSLeayTrace 4
> EAPTLS_PEAPVersion 0
> </AuthBy>
> <AuthBy FILE>
> Identifier Tunnelled
> EAPType MSCHAP-V2
> Filename /opt/Radiator-3.12/802.1x_users
> </AuthBy>
> ############### HANDLERS ##############
> <Handler TunnelledByPEAP=1>
> SessionDatabase NULL
> AuthBy Tunnelled
> # PostAuthHook file:"/opt/Radiator-3.12/goodies/eap_anon_hook.pl"
> </Handler>
> <Handler NAS-IP-Address=10.0.0.1>
> SessionDatabase NULL
> RewriteUsername s/^[^\\]+\\(.*)$/$1/
> AuthBy 802.1x
> # PostAuthHook file:"/opt/Radiator-3.12/goodies/eap_anon_hook.pl"
> </Handler>
>
>
> # Full log.
>
> Thu May 12 09:06:51 2005: DEBUG: Packet dump:
> *** Received from 10.0.0.1 port 1032 ....
> Code: Access-Request
> Identifier: 156
> Authentic: <27>*<0><0>e<10><0><0><152>f<0><0>Z<28><0><0>
> Attributes:
> Message-Authenticator =
> <129>tx<7><4>E<217>Y<159><199><155><11>^<20><203><179>
> User-Name = "TEMP\TEMPUSER"
> NAS-IP-Address = 10.0.0.1
> NAS-Port = 2
> NAS-Port-Type = Wireless-IEEE-802-11
> Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> EAP-Message = <2><1><0><20><1>TEMP\TEMPUSER
> Framed-MTU = 1000
>
> Thu May 12 09:06:51 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
> Thu May 12 09:06:51 2005: DEBUG: Rewrote user name to TEMPUSER
> Thu May 12 09:06:51 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
> Thu May 12 09:06:51 2005: DEBUG: Handling with EAP: code 2, 1, 20
> Thu May 12 09:06:51 2005: DEBUG: Response type 1
> Thu May 12 09:06:51 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu May 12 09:06:51 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Thu May 12 09:06:51 2005: DEBUG: Access challenged for TEMPUSER: EAP PEAP Challenge
> Thu May 12 09:06:51 2005: DEBUG: Packet dump:
> *** Sending to 10.0.0.1 port 1032 ....
> Code: Access-Challenge
> Identifier: 156
> Authentic: <27>*<0><0>e<10><0><0><152>f<0><0>Z<28><0><0>
> Attributes:
> EAP-Message = <1><2><0><6><25>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Received from 10.0.0.1 port 1032 ....
> Code: Access-Request
> Identifier: 157
> Authentic: $'<0><0><232>2<0><0><11>t<0><0>.r<0><0>
> Attributes:
> Message-Authenticator =
> <218>.uq<217><19><208><220>:6U<212>Y<218><15><255>
> User-Name = "TEMP\TEMPUSER"
> State = ""
> NAS-IP-Address = 10.0.0.1
> NAS-Port = 2
> NAS-Port-Type = Wireless-IEEE-802-11
> Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> Framed-MTU = 1000
> EAP-Message =
> <2><2><0>p<25><128><0><0><0>f<22><3><1><0>a<1><0><0>]<3><1>B<130><253>
> <
> 1
> 58><166>b<154>l<164><195>#<128><248><175>{\V<236>%<29><25><12>+<168>}<
> 58>2
> 4
> 8><138><201><13><10><23><182>
> N<179>z<31><27><142><181>F<10><172><5><221>1;
> <217><195><182>.0pW<209><14
> 9>-
> <187><27><140><175>o&<146><235><0><22><0><4><0><5><0><10><0><9><0>d<0
>> b<0><3><0><6><0><19><0><18><0>c<1><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
> Thu May 12 09:06:52 2005: DEBUG: Rewrote user name to TEMPUSER
> Thu May 12 09:06:52 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
> Thu May 12 09:06:52 2005: DEBUG: Handling with EAP: code 2, 2, 112
> Thu May 12 09:06:52 2005: DEBUG: Response type 25
> Thu May 12 09:06:52 2005: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Thu May 12 09:06:52 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Access challenged for TEMPUSER: EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Sending to 10.0.0.1 port 1032 ....
> Code: Access-Challenge
> Identifier: 157
> Authentic: $'<0><0><232>2<0><0><11>t<0><0>.r<0><0>
> Attributes:
> EAP-Message =
> /shorted/
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Received from 10.0.0.1 port 1032 ....
> Code: Access-Request
> Identifier: 158
> Authentic: <7><2><0><0>l=<0><0>IQ<0><0><162><19><0><0>
> Attributes:
> Message-Authenticator = ga*<4><161><245>C3<188>3:<128><198> R,
> User-Name = "TEMP\TEMPUSER"
> State = ""
> NAS-IP-Address = 10.0.0.1
> NAS-Port = 2
> NAS-Port-Type = Wireless-IEEE-802-11
> Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> Framed-MTU = 1000
> EAP-Message = <2><3><0><6><25><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
> Thu May 12 09:06:52 2005: DEBUG: Rewrote user name to TEMPUSER
> Thu May 12 09:06:52 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
> Thu May 12 09:06:52 2005: DEBUG: Handling with EAP: code 2, 3, 6
> Thu May 12 09:06:52 2005: DEBUG: Response type 25
> Thu May 12 09:06:52 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Access challenged for TEMPUSER: EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Sending to 10.0.0.1 port 1032 ....
> Code: Access-Challenge
> Identifier: 158
> Authentic: <7><2><0><0>l=<0><0>IQ<0><0><162><19><0><0>
> Attributes:
> EAP-Message =
> /shorted/
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Received from 10.0.0.1 port 1032 ....
> Code: Access-Request
> Identifier: 159
> Authentic: ud<0><0><156>(<0><0>Ex<0><0><212>`<0><0>
> Attributes:
> Message-Authenticator =
> #<25><129><190><151>#=I<14><240>NH<242><27><204><172>
> User-Name = "TEMP\TEMPUSER"
> State = ""
> NAS-IP-Address = 10.0.0.1
> NAS-Port = 2
> NAS-Port-Type = Wireless-IEEE-802-11
> Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> Framed-MTU = 1000
> EAP-Message =
> <2><4><0><199><25><128><0><0><0><189><22><3><1><0><141><11><0><0><3><0
> >
> <
> 0><0><16><0><0><130><0><128><149>z<180><191>g<130><201>Z<19><222>;
> P<192>
> <191><231>~m<144>.<176>=<217><142>H<13><176><23><228>d<11>F<175>j<182>
> P
> <
> 18><148>&<244>><24><140>+<165>8<128>/<133><7>8<183><128><250><151>-
> A<132
>> 6<179><10>R<27>L<205><239><211><240><209><148><209><144>.;-
>> rJI<177><145
>> -<248><190><247><159><25>Gb<197><166><31>c$<15><138><197><165><182><1
>> 7
>> 3
>> w<7>f<225><128><166>p<149><17>6<199>WHy<191><129>@*<228>~g7<245><183>
>> <
>> 1
> 32>B<247>y<243>c<20><3><1><0><1><1><22><3><1><0>
> :<220>X<217>mzX<177><183>Y!<187><152>/
> <224><183>g<160>dDj<196><242><205>
> <221>@~<156><5><216><177>)
>
> Thu May 12 09:06:52 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
> Thu May 12 09:06:52 2005: DEBUG: Rewrote user name to TEMPUSER
> Thu May 12 09:06:52 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
> Thu May 12 09:06:52 2005: DEBUG: Handling with EAP: code 2, 4, 199
> Thu May 12 09:06:52 2005: DEBUG: Response type 25
> Thu May 12 09:06:52 2005: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Thu May 12 09:06:52 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Access challenged for TEMPUSER: EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Sending to 10.0.0.1 port 1032 ....
> Code: Access-Challenge
> Identifier: 159
> Authentic: ud<0><0><156>(<0><0>Ex<0><0><212>`<0><0>
> Attributes:
> EAP-Message =
> <1><5><0>5<25><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0>
> <209><213>s<238><141>Ke<206><158><2><216><229>p<172><252><224><187>6-
> <20
> 2><245><14>0<255><143>J<222>Kh<135><233><148>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Received from 10.0.0.1 port 1032 ....
> Code: Access-Request
> Identifier: 160
> Authentic: T_<0><0><Z<0><0>A><0><0><193>5<0><0>
> Attributes:
> Message-Authenticator =
> %<214><31><136><189><182>I<24>5X<129>w<192>6<237>h
> User-Name = "TEMP\TEMPUSER"
> State = ""
> NAS-IP-Address = 10.0.0.1
> NAS-Port = 2
> NAS-Port-Type = Wireless-IEEE-802-11
> Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> Framed-MTU = 1000
> EAP-Message = <2><5><0><6><25><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
> Thu May 12 09:06:52 2005: DEBUG: Rewrote user name to TEMPUSER
> Thu May 12 09:06:52 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
> Thu May 12 09:06:52 2005: DEBUG: Handling with EAP: code 2, 5, 6
> Thu May 12 09:06:52 2005: DEBUG: Response type 25
> Thu May 12 09:06:52 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Access challenged for TEMPUSER: EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Sending to 10.0.0.1 port 1032 ....
> Code: Access-Challenge
> Identifier: 160
> Authentic: T_<0><0><Z<0><0>A><0><0><193>5<0><0>
> Attributes:
> EAP-Message =
> <1><6><0><28><25><0><23><3><1><0><17>j<240><156>b<226><182>n<153>u<144
> >
> <
> 152><130><186><224><147><128><5>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Received from 10.0.0.1 port 1032 ....
> Code: Access-Request
> Identifier: 161
> Authentic: '<11><0><0>*U<0><0><28><24><0><0><164>&<0><0>
> Attributes:
> Message-Authenticator =
>> <131><1><146><151><253><247><20><236><152><236><132>\N<215><228>
> User-Name = "TEMP\TEMPUSER"
> State = ""
> NAS-IP-Address = 10.0.0.1
> NAS-Port = 2
> NAS-Port-Type = Wireless-IEEE-802-11
> Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> Framed-MTU = 1000
> EAP-Message = <2><6><0>+<25><0><23><3><1><0>
> <245>D<141><3>"<140><169>m<16><3><236><6>E<173>n1<153><182><177>g<185>
> <
> 1
> 81>w<235><169>M<168>Py<203>w<190>
>
> Thu May 12 09:06:52 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
> Thu May 12 09:06:52 2005: DEBUG: Rewrote user name to TEMPUSER
> Thu May 12 09:06:52 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
> Thu May 12 09:06:52 2005: DEBUG: Handling with EAP: code 2, 6, 43
> Thu May 12 09:06:52 2005: DEBUG: Response type 25
> Thu May 12 09:06:52 2005: DEBUG: EAP PEAP inner authentication request for anonymous
> Thu May 12 09:06:52 2005: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic:
> <175><219><173><215><163><157><138><23><218>||<177>/<164>)<13>
> Attributes:
> EAP-Message = <2><6><0><16><1>TEMP\TEMPUSER
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> User-Name = "anonymous"
> NAS-IP-Address = 10.0.0.1
> NAS-Port = 2
> Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
>
> Thu May 12 09:06:52 2005: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
> Thu May 12 09:06:52 2005: DEBUG: Handling with Radius::AuthFILE: Tunnelled
> Thu May 12 09:06:52 2005: DEBUG: Handling with EAP: code 2, 6, 16
> Thu May 12 09:06:52 2005: DEBUG: Response type 1
> Thu May 12 09:06:52 2005: ERR: Could not handle an EAP request: Can't locate object method "response_identity" via package "Radius::EAP_26" at Radius/EAP.pm line 145.
>
> Thu May 12 09:06:52 2005: DEBUG: AuthBy FILE result: REJECT, Could not handle an EAP request
> Thu May 12 09:06:52 2005: INFO: Access rejected for anonymous: Could not handle an EAP request
> Thu May 12 09:06:52 2005: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
> Thu May 12 09:06:52 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redespatched to a Handler
> Thu May 12 09:06:52 2005: DEBUG: Access challenged for TEMPUSER: EAP PEAP inner authentication redespatched to a Handler
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On behalf of Hugh Irvine
> Sent: Thursday, 12 May 2005 5:45
> To: Dominguez Jimenez,M,Manuel R
> CC: radiator at open.com.au
> Subject: Re: (RADIATOR) EAP TTLS
>
>
> Hello Manuel -
>
> From the debug it appears that the access point (or the client) is
> configured for PEAP (EAP type 25):
>
>> Wed May 11 18:32:09 2005: DEBUG: Response type 3
>> Wed May 11 18:32:09 2005: INFO: EAP Nak desires type 25
>> Wed May 11 18:32:09 2005: DEBUG: EAP result: 1, Desired EAP type 25 not permitted
>> Wed May 11 18:32:09 2005: DEBUG: AuthBy FILE result: REJECT, Desired EAP type 25 not permitted
>
> You should either configure the client for TTLS, or you should
> configure Radiator for EAP-Type PEAP.
>
> regards
>
> Hugh
>
>
>
> On 12 May 2005, at 02:31, <manuel.dominguez at bt.com> wrote:
>
>> Hi, I upgraded my Radiator from 3.5 to 3.12.
>>
>> I'm trying to get EAP-TTLS working with Enterasys R2 + Radiator 3.12 + XP SP1.
>>
>> Net_SSLeay.pm-1.21, openssl 0.9.7beta3, Digest-HMAC, Digest-SHA1 are
>> installed and I'm using my own cert files.
>>
>> I'm getting this error:
>>
>> Wed May 11 18:32:09 2005: DEBUG: Packet dump:
>> *** Received from 10.0.0.1 port 1025 ....
>> Code: Access-Request
>> Identifier: 0
>> Authentic: <254>L<0><0>'x<0><0>9d<0><0>c,<0><0>
>> Attributes:
>> Message-Authenticator =
>> [=<11>E<127>k<175><155><29><1><140><13>|<25>[<218>
>> User-Name = "TEMP/TEMPUSER"
>> NAS-IP-Address = 10.0.0.1
>> NAS-Port = 2
>> NAS-Port-Type = Wireless-IEEE-802-11
>> Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
>> EAP-Message = <2><1><0><20><1>TEMP/TEMPUSER
>> Framed-MTU = 1000
>>
>> Wed May 11 18:32:09 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
>> Wed May 11 18:32:09 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
>> Wed May 11 18:32:09 2005: DEBUG: Handling with EAP: code 2, 1, 20
>> Wed May 11 18:32:09 2005: DEBUG: Response type 1
>> Wed May 11 18:32:09 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
>> Wed May 11 18:32:09 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
>> Wed May 11 18:32:09 2005: DEBUG: Access challenged for TEMP/TEMPUSER: EAP TTLS Challenge
>> Wed May 11 18:32:09 2005: DEBUG: Packet dump:
>> *** Sending to 10.0.0.1 port 1025 ....
>> Code: Access-Challenge
>> Identifier: 0
>> Authentic: <254>L<0><0>'x<0><0>9d<0><0>c,<0><0>
>> Attributes:
>> EAP-Message = <1><2><0><6><21>
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Wed May 11 18:32:09 2005: DEBUG: Packet dump:
>> *** Received from 10.0.0.1 port 1025 ....
>> Code: Access-Request
>> Identifier: 1
>> Authentic: /F<0><0>_8<0><0><142>-<0><0><140>0<0><0>
>> Attributes:
>> Message-Authenticator =
>> ,<252><227><30><250><241><172>Sb<169><1><154><130><242><205><180>
>> User-Name = "TEMP/TEMPUSER"
>> State = ""
>> NAS-IP-Address = 10.0.0.1
>> NAS-Port = 2
>> NAS-Port-Type = Wireless-IEEE-802-11
>> Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
>> Framed-MTU = 1000
>> EAP-Message = <2><2><0><6><3><25>
>>
>> Wed May 11 18:32:09 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
>> Wed May 11 18:32:09 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
>> Wed May 11 18:32:09 2005: DEBUG: Handling with EAP: code 2, 2, 6
>> Wed May 11 18:32:09 2005: DEBUG: Response type 3
>> Wed May 11 18:32:09 2005: INFO: EAP Nak desires type 25
>> Wed May 11 18:32:09 2005: DEBUG: EAP result: 1, Desired EAP type 25 not permitted
>> Wed May 11 18:32:09 2005: DEBUG: AuthBy FILE result: REJECT, Desired EAP type 25 not permitted
>> Wed May 11 18:32:09 2005: INFO: Access rejected for TEMP/TEMPUSER: Desired EAP type 25 not permitted
>> Wed May 11 18:32:09 2005: DEBUG: Packet dump:
>> *** Sending to 10.0.0.1 port 1025 ....
>> Code: Access-Reject
>> Identifier: 1
>> Authentic: /F<0><0>_8<0><0><142>-<0><0><140>0<0><0>
>> Attributes:
>> Reply-Message = "Request Denied"
>>
>>
>> This is my config
>>
>> ############### AuthBy FILE ##############
>> <AuthBy FILE>
>> Identifier 802.1x
>> Filename /opt/Radiator-3.5/802.1x_users
>> EAPType TTLS
>> EAPTLS_CAFile /opt/Radiator-3.12/Certificates/demoCA/cacert.pem
>> EAPTLS_CertificateFile /opt/Radiator-3.12/Certificates/cert-srv.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile /opt/Radiator-3.12/Certificates/cert-srv.pem
>> EAPTLS_PrivateKeyPassword XXXXXXXXXXXXXXXX
>> EAPTLS_MaxFragmentSize 1000
>> AutoMPPEKeys
>> SSLeayTrace 4
>> </AuthBy>
>> ############### HANDLERS ##############
>> <Handler NAS-IP-Address=172.23.128.4>
>> SessionDatabase NULL
>> AuthBy 802.1x
>> </Handler>
>>
>> Any clue about what I did wrong?
>>
>> Thanks in advance.
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with 'unsubscribe radiator' in the body of the message.
>>
>>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>