(RADIATOR) EAP TTLS

manuel.dominguez at bt.com
Mon May 16 05:01:54 CDT 2005


Hi again,

I'm now getting an error at EAP-TLS authentication, with the demo certificates or with my own generated files.

ERR: EAP TLS error: -1, 1, 8466, 0,  617: 1 - error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed

I have rechecked and updated all prerequisites:

Net_SSLeay.pm-1.25
Digest-MD4-1.5
Digest-MD5-2.33
Digest-HMAC-1.01
Digest-SHA1-2.10
openssl 0.9.7f

This is my config:

<AuthBy FILE>
        Identifier 802.1x
        Filename /opt/Radiator-3.12/802.1x_users
        EAPType PEAP
        EAPTLS_CAFile /opt/Radiator-3.12/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile /opt/Radiator-3.12/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /opt/Radiator-3.12/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword xxxxxxxx
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
</AuthBy>

<Handler NAS-Port-Type=Wireless-IEEE-802-11>
        SessionDatabase NULL
        AuthBy 802.1x
</Handler>

This is the full log:

Mon May 16 11:29:03 2005: DEBUG: Packet dump:
*** Received from 10.0.0.1 port 1149 ....
Code:       Access-Request
Identifier: 22
Authentic:  J^<0><0>,v<0><0><231>'<0><0><135><21><0><0>
Attributes:
        Message-Authenticator = <219><176>7<157><209>y<173><11><27>-C<229><186><10>MP
        User-Name = "testUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 8
        NAS-Port-Type = Wireless-IEEE-802-11
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        EAP-Message = <2><1><0><13><1>testUser
        Framed-MTU = 1000

Mon May 16 11:29:03 2005: DEBUG: Handling request with Handler 'NAS-Port-Type=Wireless-IEEE-802-11'
Mon May 16 11:29:03 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
Mon May 16 11:29:03 2005: DEBUG: Handling with EAP: code 2, 1, 13
Mon May 16 11:29:03 2005: DEBUG: Response type 1
Mon May 16 11:29:03 2005: DEBUG: EAP result: 3, EAP TLS Challenge
Mon May 16 11:29:03 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Mon May 16 11:29:03 2005: DEBUG: Access challenged for testUser: EAP TLS Challenge
Mon May 16 11:29:03 2005: DEBUG: Packet dump:
*** Sending to 10.0.0.1 port 1149 ....
Code:       Access-Challenge
Identifier: 22
Authentic:  J^<0><0>,v<0><0><231>'<0><0><135><21><0><0>
Attributes:
        EAP-Message = <1><2><0><6><13>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Mon May 16 11:29:03 2005: DEBUG: Packet dump:
*** Received from 10.0.0.1 port 1149 ....
Code:       Access-Request
Identifier: 23
Authentic:  e/<0><0><185><5><0><0>C!<0><0>ZT<0><0>
Attributes:
        Message-Authenticator = <170>f[<181><185>Z<194><203>&.j\yX<233>D
        User-Name = "testUser"
        State = ""
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 8
        NAS-Port-Type = Wireless-IEEE-802-11
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Framed-MTU = 1000
        EAP-Message = <2><2><0>P<13><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>B<136>d<214><142>A<139><236><242>tJ<24><167>3<129>O<27>F<135>[<212>No<194><228>c<181><244>R<231><179><129><0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>

Mon May 16 11:29:03 2005: DEBUG: Handling request with Handler 'NAS-Port-Type=Wireless-IEEE-802-11'
Mon May 16 11:29:03 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
Mon May 16 11:29:03 2005: DEBUG: Handling with EAP: code 2, 2, 80
Mon May 16 11:29:03 2005: DEBUG: Response type 13
Mon May 16 11:29:03 2005: ERR: EAP TLS error: -1, 1, 8466, 0,  617: 1 - error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed

Mon May 16 11:29:03 2005: DEBUG: EAP result: 1, EAP TLS error
Mon May 16 11:29:03 2005: DEBUG: AuthBy FILE result: REJECT, EAP TLS error
Mon May 16 11:29:03 2005: INFO: Access rejected for testUser: EAP TLS error
Mon May 16 11:29:03 2005: DEBUG: Packet dump:
*** Sending to 10.0.0.1 port 1149 ....
Code:       Access-Reject
Identifier: 23
Authentic:  e/<0><0><185><5><0><0>C!<0><0>ZT<0><0>
Attributes:
        EAP-Message = <4><2><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "Request Denied"

Thanks in advance.
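To make the packet dumps in this thread easier to read, here is an added example (my own code, not part of the thread or of Radiator) that turns the `<decimal>`-and-literal rendering of the EAP-Message attribute back into bytes and decodes the EAP header, the Identity, Nak and Failure packets, the EAP-TLS/PEAP flags, and the TLS ClientHello from the second request above. It assumes that Radiator prints non-printable bytes as `<decimal>` and printable bytes literally, and that the sixth byte of `<1><2><0><6><13>` is a 0x20 space, i.e. the EAP-TLS Start flag.

```python
import re

# Radiator trace-4 dumps render non-printable bytes as <decimal> and printable bytes
# literally (assumption; a literal '<' + digits + '>' would be ambiguous; none occur below).
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 20: "Finished"}

def decode_dump(text: str) -> bytes:
    """Turn a dumped EAP-Message value back into raw bytes."""
    return bytes(int(num) if num else ord(ch) for num, ch in _TOKEN.findall(text))

def parse_client_hello(body: bytes) -> dict:
    """Fields of a TLS ClientHello handshake body (RFC 2246, 7.4.1.2)."""
    hello = {"client_version": f"{body[0]}.{body[1]}"}
    pos = 2 + 32                            # skip client_version and random
    pos += 1 + body[pos]                    # skip session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    hello["cipher_suites"] = [body[i:i + 2].hex() for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    hello["compression"] = list(body[pos + 1:pos + 1 + body[pos]])
    return hello

def parse_eap(pkt: bytes) -> dict:
    """Decode the EAP header and the payload kinds seen in the dumps above."""
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} dumped bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                      # Success / Failure carry no type
        return info
    etype, body = pkt[4], pkt[5:]
    info["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:                          # Identity
        info["identity"] = body.decode("latin-1")
    elif etype == 3:                        # Nak: types the peer would accept
        info["desired_types"] = [EAP_TYPES.get(b, b) for b in body]
    elif etype in (13, 21, 25):             # TLS-based: flags, [length], TLS data
        flags = body[0]
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                         "S": bool(flags & 0x20)}
        pos = 1
        if flags & 0x80:                    # L bit: 4-byte TLS message length
            info["tls_message_length"] = int.from_bytes(body[1:5], "big")
            pos = 5
        rec = body[pos:]
        if len(rec) >= 5:                   # TLS record header
            info["tls_record"] = {"content_type": TLS_CONTENT.get(rec[0], rec[0]),
                                  "version": f"{rec[1]}.{rec[2]}",
                                  "length": int.from_bytes(rec[3:5], "big")}
        if len(rec) >= 9 and rec[0] == 22:  # Handshake: type + 3-byte length
            info["handshake_type"] = HANDSHAKE.get(rec[5], rec[5])
            hs_len = int.from_bytes(rec[6:9], "big")
            if rec[5] == 1 and len(rec) >= 9 + hs_len:
                info["client_hello"] = parse_client_hello(rec[9:9 + hs_len])
    return info

def decode_line(text: str) -> dict:
    return parse_eap(decode_dump(text))

# EAP-Message values copied from the dumps above, with mail line wraps removed.
IDENTITY = "<2><1><0><13><1>testUser"
TLS_START = "<1><2><0><6><13> "             # trailing space = 0x20, the S flag
NAK = "<2><2><0><6><3><25>"
FAILURE = "<4><2><0><4>"
CLIENT_HELLO = ("<2><2><0>P<13><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>"
                "B<136>d<214><142>A<139><236><242>tJ<24><167>3<129>O<27>F<135>"
                "[<212>No<194><228>c<181><244>R<231><179><129><0><0><22><0><4>"
                "<0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>")

if __name__ == "__main__":
    for name in ("IDENTITY", "TLS_START", "NAK", "FAILURE", "CLIENT_HELLO"):
        print(name, decode_line(globals()[name]))
```

The decoded ClientHello lists the eleven cipher suites the XP SP1 supplicant offered, five of them export-grade (0x0003, 0x0006, 0x0062, 0x0063, 0x0064); reading the client's offer this way is how you check what the server side will be asked to accept before the handshake is debugged further.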

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Thursday, 12 May 2005 10:07
To: Dominguez Jimenez,M,Manuel R
CC: radiator at open.com.au
Subject: Re: (RADIATOR) EAP TTLS


Hello Manuel -

Well, the problem now is that you are trying to do MS-CHAPv2, which is failing,
probably because there are prerequisites missing (Digest-MD4).

Also note that if you do use MS-CHAPv2 you cannot use RewriteUsername in
your configuration file, as the full username string as entered by the
user is used in the MS-CHAPv2 algorithm.

regards

Hugh


On 12 May 2005, at 17:14, <manuel.dominguez at bt.com> wrote:

> Thanks Hugh,
>
> I will go with PEAP. After making some changes to the config file I got a new error:
>
> ERR: Could not handle an EAP request: Can't locate object method "response_identity" via package "Radius::EAP_26" at Radius/EAP.pm line 145.
>
> I have doubts about when I have to use PostAuthHook, or when to set EAPTLS_PEAPVersion to 1 or 0.
>
> Regards.
>
> # Config.
>
> ############### AuthBy FILE ##############
> <AuthBy FILE>
>         Identifier 802.1x
>         Filename /opt/Radiator-3.12/802.1x_users
>         EAPType PEAP
>         EAPTLS_CAFile /opt/Radiator-3.12/Certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile /opt/Radiator-3.12/Certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /opt/Radiator-3.12/Certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword XXXXX
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         SSLeayTrace 4
>         EAPTLS_PEAPVersion 0
> </AuthBy>
> <AuthBy FILE>
>         Identifier Tunnelled
>         EAPType MSCHAP-V2
>         Filename /opt/Radiator-3.12/802.1x_users
> </AuthBy>
> ############### HANDLERS ##############
> <Handler TunnelledByPEAP=1>
>         SessionDatabase NULL
>         AuthBy Tunnelled
> #       PostAuthHook file:"/opt/Radiator-3.12/goodies/eap_anon_hook.pl"
> </Handler>
> <Handler NAS-IP-Address=10.0.0.1>
>         SessionDatabase NULL
>         RewriteUsername s/^[^\\]+\\(.*)$/$1/
>         AuthBy 802.1x
> #       PostAuthHook file:"/opt/Radiator-3.12/goodies/eap_anon_hook.pl"
> </Handler>
>
>
> # Full log.
>
> Thu May 12 09:06:51 2005: DEBUG: Packet dump:
> *** Received from 10.0.0.1 port 1032 ....
> Code:       Access-Request
> Identifier: 156
> Authentic:  <27>*<0><0>e<10><0><0><152>f<0><0>Z<28><0><0>
> Attributes:
>         Message-Authenticator =
> <129>tx<7><4>E<217>Y<159><199><155><11>^<20><203><179>
>         User-Name = "TEMP\TEMPUSER"
>         NAS-IP-Address = 10.0.0.1
>         NAS-Port = 2
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
>         EAP-Message = <2><1><0><20><1>TEMP\TEMPUSER
>         Framed-MTU = 1000
>
> Thu May 12 09:06:51 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
> Thu May 12 09:06:51 2005: DEBUG: Rewrote user name to TEMPUSER
> Thu May 12 09:06:51 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
> Thu May 12 09:06:51 2005: DEBUG: Handling with EAP: code 2, 1, 20
> Thu May 12 09:06:51 2005: DEBUG: Response type 1
> Thu May 12 09:06:51 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu May 12 09:06:51 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Thu May 12 09:06:51 2005: DEBUG: Access challenged for TEMPUSER: EAP PEAP Challenge
> Thu May 12 09:06:51 2005: DEBUG: Packet dump:
> *** Sending to 10.0.0.1 port 1032 ....
> Code:       Access-Challenge
> Identifier: 156
> Authentic:  <27>*<0><0>e<10><0><0><152>f<0><0>Z<28><0><0>
> Attributes:
>         EAP-Message = <1><2><0><6><25>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Received from 10.0.0.1 port 1032 ....
> Code:       Access-Request
> Identifier: 157
> Authentic:  $'<0><0><232>2<0><0><11>t<0><0>.r<0><0>
> Attributes:
>         Message-Authenticator =
> <218>.uq<217><19><208><220>:6U<212>Y<218><15><255>
>         User-Name = "TEMP\TEMPUSER"
>         State = ""
>         NAS-IP-Address = 10.0.0.1
>         NAS-Port = 2
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
>         Framed-MTU = 1000
>         EAP-Message =
> <2><2><0>p<25><128><0><0><0>f<22><3><1><0>a<1><0><0>]<3><1>B<130><253>
> <
> 1
> 58><166>b<154>l<164><195>#<128><248><175>{\V<236>%<29><25><12>+<168>}<
> 58>2
> 4
> 8><138><201><13><10><23><182>
> N<179>z<31><27><142><181>F<10><172><5><221>1;
> <217><195><182>.0pW<209><14
> 9>-
> <187><27><140><175>o&<146><235><0><22><0><4><0><5><0><10><0><9><0>d<0
>> b<0><3><0><6><0><19><0><18><0>c<1><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
> Thu May 12 09:06:52 2005: DEBUG: Rewrote user name to TEMPUSER
> Thu May 12 09:06:52 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
> Thu May 12 09:06:52 2005: DEBUG: Handling with EAP: code 2, 2, 112
> Thu May 12 09:06:52 2005: DEBUG: Response type 25
> Thu May 12 09:06:52 2005: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Thu May 12 09:06:52 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Access challenged for TEMPUSER: EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Sending to 10.0.0.1 port 1032 ....
> Code:       Access-Challenge
> Identifier: 157
> Authentic:  $'<0><0><232>2<0><0><11>t<0><0>.r<0><0>
> Attributes:
>         EAP-Message =
> /shorted/
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Received from 10.0.0.1 port 1032 ....
> Code:       Access-Request
> Identifier: 158
> Authentic:  <7><2><0><0>l=<0><0>IQ<0><0><162><19><0><0>
> Attributes:
>         Message-Authenticator = ga*<4><161><245>C3<188>3:<128><198> R,
>         User-Name = "TEMP\TEMPUSER"
>         State = ""
>         NAS-IP-Address = 10.0.0.1
>         NAS-Port = 2
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
>         Framed-MTU = 1000
>         EAP-Message = <2><3><0><6><25><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
> Thu May 12 09:06:52 2005: DEBUG: Rewrote user name to TEMPUSER
> Thu May 12 09:06:52 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
> Thu May 12 09:06:52 2005: DEBUG: Handling with EAP: code 2, 3, 6
> Thu May 12 09:06:52 2005: DEBUG: Response type 25
> Thu May 12 09:06:52 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Access challenged for TEMPUSER: EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Sending to 10.0.0.1 port 1032 ....
> Code:       Access-Challenge
> Identifier: 158
> Authentic:  <7><2><0><0>l=<0><0>IQ<0><0><162><19><0><0>
> Attributes:
>         EAP-Message =
> /shorted/
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Received from 10.0.0.1 port 1032 ....
> Code:       Access-Request
> Identifier: 159
> Authentic:  ud<0><0><156>(<0><0>Ex<0><0><212>`<0><0>
> Attributes:
>         Message-Authenticator =
> #<25><129><190><151>#=I<14><240>NH<242><27><204><172>
>         User-Name = "TEMP\TEMPUSER"
>         State = ""
>         NAS-IP-Address = 10.0.0.1
>         NAS-Port = 2
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
>         Framed-MTU = 1000
>         EAP-Message =
> <2><4><0><199><25><128><0><0><0><189><22><3><1><0><141><11><0><0><3><0
> >
> <
> 0><0><16><0><0><130><0><128><149>z<180><191>g<130><201>Z<19><222>;
> P<192>
> <191><231>~m<144>.<176>=<217><142>H<13><176><23><228>d<11>F<175>j<182>
> P
> <
> 18><148>&<244>><24><140>+<165>8<128>/<133><7>8<183><128><250><151>-
> A<132
>> 6<179><10>R<27>L<205><239><211><240><209><148><209><144>.;-
>> rJI<177><145
>> -<248><190><247><159><25>Gb<197><166><31>c$<15><138><197><165><182><1
>> 7
>> 3
>> w<7>f<225><128><166>p<149><17>6<199>WHy<191><129>@*<228>~g7<245><183>
>> <
>> 1
> 32>B<247>y<243>c<20><3><1><0><1><1><22><3><1><0>
> :<220>X<217>mzX<177><183>Y!<187><152>/
> <224><183>g<160>dDj<196><242><205>
> <221>@~<156><5><216><177>)
>
> Thu May 12 09:06:52 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
> Thu May 12 09:06:52 2005: DEBUG: Rewrote user name to TEMPUSER
> Thu May 12 09:06:52 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
> Thu May 12 09:06:52 2005: DEBUG: Handling with EAP: code 2, 4, 199
> Thu May 12 09:06:52 2005: DEBUG: Response type 25
> Thu May 12 09:06:52 2005: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Thu May 12 09:06:52 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Access challenged for TEMPUSER: EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Sending to 10.0.0.1 port 1032 ....
> Code:       Access-Challenge
> Identifier: 159
> Authentic:  ud<0><0><156>(<0><0>Ex<0><0><212>`<0><0>
> Attributes:
>         EAP-Message =
> <1><5><0>5<25><128><0><0><0>+<20><3><1><0><1><1><22><3><1><0>
> <209><213>s<238><141>Ke<206><158><2><216><229>p<172><252><224><187>6-
> <20
> 2><245><14>0<255><143>J<222>Kh<135><233><148>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Received from 10.0.0.1 port 1032 ....
> Code:       Access-Request
> Identifier: 160
> Authentic:  T_<0><0><Z<0><0>A><0><0><193>5<0><0>
> Attributes:
>         Message-Authenticator =
> %<214><31><136><189><182>I<24>5X<129>w<192>6<237>h
>         User-Name = "TEMP\TEMPUSER"
>         State = ""
>         NAS-IP-Address = 10.0.0.1
>         NAS-Port = 2
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
>         Framed-MTU = 1000
>         EAP-Message = <2><5><0><6><25><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
> Thu May 12 09:06:52 2005: DEBUG: Rewrote user name to TEMPUSER
> Thu May 12 09:06:52 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
> Thu May 12 09:06:52 2005: DEBUG: Handling with EAP: code 2, 5, 6
> Thu May 12 09:06:52 2005: DEBUG: Response type 25
> Thu May 12 09:06:52 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Access challenged for TEMPUSER: EAP PEAP Challenge
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Sending to 10.0.0.1 port 1032 ....
> Code:       Access-Challenge
> Identifier: 160
> Authentic:  T_<0><0><Z<0><0>A><0><0><193>5<0><0>
> Attributes:
>         EAP-Message =
> <1><6><0><28><25><0><23><3><1><0><17>j<240><156>b<226><182>n<153>u<144
> >
> <
> 152><130><186><224><147><128><5>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
> *** Received from 10.0.0.1 port 1032 ....
> Code:       Access-Request
> Identifier: 161
> Authentic:  '<11><0><0>*U<0><0><28><24><0><0><164>&<0><0>
> Attributes:
>         Message-Authenticator =
>> <131><1><146><151><253><247><20><236><152><236><132>\N<215><228>
>         User-Name = "TEMP\TEMPUSER"
>         State = ""
>         NAS-IP-Address = 10.0.0.1
>         NAS-Port = 2
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
>         Framed-MTU = 1000
>         EAP-Message = <2><6><0>+<25><0><23><3><1><0> 
> <245>D<141><3>"<140><169>m<16><3><236><6>E<173>n1<153><182><177>g<185>
> <
> 1
> 81>w<235><169>M<168>Py<203>w<190>
>
> Thu May 12 09:06:52 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
> Thu May 12 09:06:52 2005: DEBUG: Rewrote user name to TEMPUSER
> Thu May 12 09:06:52 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
> Thu May 12 09:06:52 2005: DEBUG: Handling with EAP: code 2, 6, 43
> Thu May 12 09:06:52 2005: DEBUG: Response type 25
> Thu May 12 09:06:52 2005: DEBUG: EAP PEAP inner authentication request for anonymous
> Thu May 12 09:06:52 2005: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:
> <175><219><173><215><163><157><138><23><218>||<177>/<164>)<13>
> Attributes:
>         EAP-Message = <2><6><0><16><1>TEMP\TEMPUSER
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         User-Name = "anonymous"
>         NAS-IP-Address = 10.0.0.1
>         NAS-Port = 2
>         Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
>
> Thu May 12 09:06:52 2005: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
> Thu May 12 09:06:52 2005: DEBUG: Handling with Radius::AuthFILE: Tunnelled
> Thu May 12 09:06:52 2005: DEBUG: Handling with EAP: code 2, 6, 16
> Thu May 12 09:06:52 2005: DEBUG: Response type 1
> Thu May 12 09:06:52 2005: ERR: Could not handle an EAP request: Can't locate object method "response_identity" via package "Radius::EAP_26" at Radius/EAP.pm line 145.
>
> Thu May 12 09:06:52 2005: DEBUG: AuthBy FILE result: REJECT, Could not handle an EAP request
> Thu May 12 09:06:52 2005: INFO: Access rejected for anonymous: Could not handle an EAP request
> Thu May 12 09:06:52 2005: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
> Thu May 12 09:06:52 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redespatched to a Handler
> Thu May 12 09:06:52 2005: DEBUG: Access challenged for TEMPUSER: EAP PEAP inner authentication redespatched to a Handler
> Thu May 12 09:06:52 2005: DEBUG: Packet dump:
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On behalf of Hugh Irvine
> Sent: Thursday, 12 May 2005 5:45
> To: Dominguez Jimenez,M,Manuel R
> CC: radiator at open.com.au
> Subject: Re: (RADIATOR) EAP TTLS
>
>
> Hello Manuel -
>
> From the debug it appears that the access point (or the client) is configured for PEAP (EAP type 25):
>
>> Wed May 11 18:32:09 2005: DEBUG: Response type 3
>> Wed May 11 18:32:09 2005: INFO: EAP Nak desires type 25
>> Wed May 11 18:32:09 2005: DEBUG: EAP result: 1, Desired EAP type 25 not permitted
>> Wed May 11 18:32:09 2005: DEBUG: AuthBy FILE result: REJECT, Desired EAP type 25 not permitted
>
> You should either configure the client for TTLS, or you should 
> configure Radiator for EAP-Type PEAP.
>
> regards
>
> Hugh
>
>
>
> On 12 May 2005, at 02:31, <manuel.dominguez at bt.com> wrote:
>
>> Hi, I upgraded my Radiator from 3.5 to 3.12.
>>
>> I'm trying to get EAP-TTLS working with Enterasys R2 + Radiator 3.12 + XP SP1.
>>
>> Net_SSLeay.pm-1.21, openssl 0.9.7beta3, Digest-HMAC, Digest-SHA1 are installed and I'm using my own cert files.
>>
>> I'm getting this error:
>>
>> Wed May 11 18:32:09 2005: DEBUG: Packet dump:
>> *** Received from 10.0.0.1 port 1025 ....
>> Code:       Access-Request
>> Identifier: 0
>> Authentic:  <254>L<0><0>'x<0><0>9d<0><0>c,<0><0>
>> Attributes:
>>         Message-Authenticator =
>> [=<11>E<127>k<175><155><29><1><140><13>|<25>[<218>
>>         User-Name = "TEMP/TEMPUSER"
>>         NAS-IP-Address = 10.0.0.1
>>         NAS-Port = 2
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
>>         EAP-Message = <2><1><0><20><1>TEMP/TEMPUSER
>>         Framed-MTU = 1000
>>
>> Wed May 11 18:32:09 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
>> Wed May 11 18:32:09 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
>> Wed May 11 18:32:09 2005: DEBUG: Handling with EAP: code 2, 1, 20
>> Wed May 11 18:32:09 2005: DEBUG: Response type 1
>> Wed May 11 18:32:09 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
>> Wed May 11 18:32:09 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
>> Wed May 11 18:32:09 2005: DEBUG: Access challenged for TEMP/TEMPUSER: EAP TTLS Challenge
>> Wed May 11 18:32:09 2005: DEBUG: Packet dump:
>> *** Sending to 10.0.0.1 port 1025 ....
>> Code:       Access-Challenge
>> Identifier: 0
>> Authentic:  <254>L<0><0>'x<0><0>9d<0><0>c,<0><0>
>> Attributes:
>>         EAP-Message = <1><2><0><6><21>
>>         Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Wed May 11 18:32:09 2005: DEBUG: Packet dump:
>> *** Received from 10.0.0.1 port 1025 ....
>> Code:       Access-Request
>> Identifier: 1
>> Authentic:  /F<0><0>_8<0><0><142>-<0><0><140>0<0><0>
>> Attributes:
>>         Message-Authenticator =
>> ,<252><227><30><250><241><172>Sb<169><1><154><130><242><205><180>
>>         User-Name = "TEMP/TEMPUSER"
>>         State = ""
>>         NAS-IP-Address = 10.0.0.1
>>         NAS-Port = 2
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
>>         Framed-MTU = 1000
>>         EAP-Message = <2><2><0><6><3><25>
>>
>> Wed May 11 18:32:09 2005: DEBUG: Handling request with Handler 'NAS-IP-Address=10.0.0.1'
>> Wed May 11 18:32:09 2005: DEBUG: Handling with Radius::AuthFILE: 802.1x
>> Wed May 11 18:32:09 2005: DEBUG: Handling with EAP: code 2, 2, 6
>> Wed May 11 18:32:09 2005: DEBUG: Response type 3
>> Wed May 11 18:32:09 2005: INFO: EAP Nak desires type 25
>> Wed May 11 18:32:09 2005: DEBUG: EAP result: 1, Desired EAP type 25 not permitted
>> Wed May 11 18:32:09 2005: DEBUG: AuthBy FILE result: REJECT, Desired EAP type 25 not permitted
>> Wed May 11 18:32:09 2005: INFO: Access rejected for TEMP/TEMPUSER: Desired EAP type 25 not permitted
>> Wed May 11 18:32:09 2005: DEBUG: Packet dump:
>> *** Sending to 10.0.0.1 port 1025 ....
>> Code:       Access-Reject
>> Identifier: 1
>> Authentic:  /F<0><0>_8<0><0><142>-<0><0><140>0<0><0>
>> Attributes:
>>         Reply-Message = "Request Denied"
>>
>>
>> This is my config
>>
>> ############### AuthBy FILE ##############
>> <AuthBy FILE>
>>         Identifier 802.1x
>>         Filename /opt/Radiator-3.5/802.1x_users
>>         EAPType TTLS
>>         EAPTLS_CAFile /opt/Radiator-3.12/Certificates/demoCA/cacert.pem
>>         EAPTLS_CertificateFile /opt/Radiator-3.12/Certificates/cert-srv.pem
>>         EAPTLS_CertificateType PEM
>>         EAPTLS_PrivateKeyFile /opt/Radiator-3.12/Certificates/cert-srv.pem
>>         EAPTLS_PrivateKeyPassword XXXXXXXXXXXXXXXX
>>         EAPTLS_MaxFragmentSize 1000
>>         AutoMPPEKeys
>>         SSLeayTrace 4
>> </AuthBy>
>> ############### HANDLERS ##############
>> <Handler NAS-IP-Address=172.23.128.4>
>>         SessionDatabase NULL
>>         AuthBy 802.1x
>> </Handler>
>>
>> Any clue about what I did wrong?
>>
>> Thanks in advance.
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with 'unsubscribe radiator' in the body of the message.
>>
>>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets), 
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible, 
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.