(RADIATOR) Re: TTLS problem

Mike McCauley mikem at open.com.au
Mon Nov 7 20:49:31 CST 2005


Hello Richard,

What appears to be happening is this:

1. AP sends an Access-Request with the EAP identity.
2. Radiator sends an Access-Challenge with EAP message saying 'go ahead with 
TTLS'
3. AP retransmits (with same identifier) the request from 1 above.

This indicates some sort of problem with the configuration or behaviour of the 
AP. Perhaps the Access-Challenge is not getting through some port/address 
filter in or before the AP? Perhaps there is a bug in the AP firmware? 
Anyway, Radiator appears to be behaving correctly, and this is confirmed by your 
report that it worked OK without WDS.

Hope that helps.

Cheers.

On Tuesday 08 November 2005 00:16, Richard Smit wrote:
> Hey all,
>
> I have a problem. I'm trying to setup the radius server so he can handle
> EAP-TTLS access requests.
> Were using Cisco AP's with a WDS AP. I did setup a test without a WDS
> (Wireless Domain Server) and it worked but now I have a problem I don't
> understand.
> When reading the log file it seems that it is looping.
>
> The server is running on windows 2003
> I have installed
> 	Digest::MD5
> 	Net::SSLeay
> 	Digest::SHA1
> 	Digest::HMAC
> 	Digest::MD4
>
> Hope someone can help....
>
> Greetz,
>
> Richard Smit
> HES Amsterdam
>
> ============================================================================
> Logfile sample
> ============================================================================
>
> Mon Nov  7 15:01:36 2005: DEBUG: Finished reading configuration file
> 'C:\Program Files\Radiator\radius.cfg'
> Mon Nov  7 15:01:36 2005: DEBUG: Reading dictionary file 'c:/Program
> Files/Radiator/dictionary'
> Mon Nov  7 15:01:37 2005: DEBUG: Creating authentication port
> 0.0.0.0:1645
> Mon Nov  7 15:01:37 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> Mon Nov  7 15:01:37 2005: NOTICE: Server started: Radiator 3.13 on
> radius02
> Mon Nov  7 15:02:48 2005: DEBUG: Packet dump:
> *** Received from XX.XX.XX.XX port 1645 ....
>
> Packet length = 150
> 01 f3 00 96 a9 73 25 37 eb bc 9f 3f cd 2f 26 e9
> c4 c9 53 0b 01 0f 73 6d 69 40 68 65 73 61 73 64
> 2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
> 36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
> 34 62 37 34 2e 62 36 66 63 06 06 00 00 00 01 50
> 12 eb 62 e0 3e 22 38 34 0e e7 d8 7d 63 81 80 bc
> b0 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
> 73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 65
> da 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
> 53 65 72 76 65 72
> Code:       Access-Request
> Identifier: 243
> Authentic:  <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> Attributes:
> 	User-Name = "smi at adomain.com"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0013.607c.9d6d"
> 	Calling-Station-Id = "0090.4b74.b6fc"
> 	Service-Type = Login-User
> 	Message-Authenticator =
> <235>b<224>>"84<14><231><216>}c<129><128><188><176>
> 	EAP-Message = <2><2><0><18><1>smi at adomain.com
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 2713050
> 	NAS-IP-Address = XX.XX.XX.XX
> 	NAS-Identifier = "Ap-WDS-Server"
>
> Mon Nov  7 15:02:48 2005: DEBUG: Handling request with Handler
> 'Realm=adomain.com'
> Mon Nov  7 15:02:48 2005: DEBUG: Rewrote user name to smi at adomain.com
> Mon Nov  7 15:02:48 2005: DEBUG: Rewrote user name to smi at adomain.com
> Mon Nov  7 15:02:48 2005: DEBUG: Rewrote user name to smi
> Mon Nov  7 15:02:48 2005: DEBUG:  Deleting session for smi at adomain.com,
> XX.XX.XX.XX, 2713050
> Mon Nov  7 15:02:48 2005: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov  7 15:02:48 2005: DEBUG: Handling with EAP: code 2, 2, 18
> Mon Nov  7 15:02:48 2005: DEBUG: Response type 1
> Mon Nov  7 15:02:48 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Nov  7 15:02:48 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS
> Challenge
> Mon Nov  7 15:02:48 2005: DEBUG: Access challenged for smi: EAP TTLS
> Challenge
> Mon Nov  7 15:02:48 2005: DEBUG: Packet dump:
> *** Sending to XX.XX.XX.XX port 1645 ....
>
> Packet length = 46
> 0b f3 00 2e af e5 76 5a 82 e4 10 35 cf f5 e0 9b
> 95 b7 8c 3e 4f 08 01 03 00 06 15 20 50 12 07 dc
> 61 e9 2c 32 88 4c 44 ac c1 91 df 53 d9 84
> Code:       Access-Challenge
> Identifier: 243
> Authentic:  <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> Attributes:
> 	EAP-Message = <1><3><0><6><21>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov  7 15:02:54 2005: DEBUG: Packet dump:
> *** Received from XX.XX.XX.XX port 1645 ....
>
> Packet length = 150
> 01 f3 00 96 a9 73 25 37 eb bc 9f 3f cd 2f 26 e9
> c4 c9 53 0b 01 0f 73 6d 69 40 68 65 73 61 73 64
> 2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
> 36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
> 34 62 37 34 2e 62 36 66 63 06 06 00 00 00 01 50
> 12 eb 62 e0 3e 22 38 34 0e e7 d8 7d 63 81 80 bc
> b0 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
> 73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 65
> da 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
> 53 65 72 76 65 72
> Code:       Access-Request
> Identifier: 243
> Authentic:  <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> Attributes:
> 	User-Name = "smi at adomain.com"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0013.607c.9d6d"
> 	Calling-Station-Id = "0090.4b74.b6fc"
> 	Service-Type = Login-User
> 	Message-Authenticator =
> <235>b<224>>"84<14><231><216>}c<129><128><188><176>
> 	EAP-Message = <2><2><0><18><1>smi at adomain.com
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 2713050
> 	NAS-IP-Address = XX.XX.XX.XX
> 	NAS-Identifier = "Ap-WDS-Server"
>
> Mon Nov  7 15:02:54 2005: DEBUG: Handling request with Handler
> 'Realm=adomain.com'
> Mon Nov  7 15:02:54 2005: DEBUG: Rewrote user name to smi at adomain.com
> Mon Nov  7 15:02:54 2005: DEBUG: Rewrote user name to smi at adomain.com
> Mon Nov  7 15:02:54 2005: DEBUG: Rewrote user name to smi
> Mon Nov  7 15:02:54 2005: DEBUG:  Deleting session for smi at adomain.com,
> XX.XX.XX.XX, 2713050
> Mon Nov  7 15:02:54 2005: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov  7 15:02:54 2005: DEBUG: Handling with EAP: code 2, 2, 18
> Mon Nov  7 15:02:54 2005: DEBUG: Response type 1
> Mon Nov  7 15:02:54 2005: DEBUG: Resuming session for
> Radius::Context=HASH(0x1f09ac4)
>
> Mon Nov  7 15:02:54 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Nov  7 15:02:54 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS
> Challenge
> Mon Nov  7 15:02:54 2005: DEBUG: Access challenged for smi: EAP TTLS
> Challenge
> Mon Nov  7 15:02:54 2005: DEBUG: Packet dump:
> *** Sending to XX.XX.XX.XX port 1645 ....
>
> Packet length = 46
> 0b f3 00 2e af e5 76 5a 82 e4 10 35 cf f5 e0 9b
> 95 b7 8c 3e 4f 08 01 03 00 06 15 20 50 12 07 dc
> 61 e9 2c 32 88 4c 44 ac c1 91 df 53 d9 84
> Code:       Access-Challenge
> Identifier: 243
> Authentic:  <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> Attributes:
> 	EAP-Message = <1><3><0><6><21>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov  7 15:02:59 2005: DEBUG: Packet dump:
> *** Received from XX.XX.XX.XX port 1645 ....
>
> Packet length = 150
> 01 f3 00 96 a9 73 25 37 eb bc 9f 3f cd 2f 26 e9
> c4 c9 53 0b 01 0f 73 6d 69 40 68 65 73 61 73 64
> 2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
> 36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
> 34 62 37 34 2e 62 36 66 63 06 06 00 00 00 01 50
> 12 eb 62 e0 3e 22 38 34 0e e7 d8 7d 63 81 80 bc
> b0 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
> 73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 65
> da 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
> 53 65 72 76 65 72
> Code:       Access-Request
> Identifier: 243
> Authentic:  <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> Attributes:
> 	User-Name = "smi at adomain.com"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0013.607c.9d6d"
> 	Calling-Station-Id = "0090.4b74.b6fc"
> 	Service-Type = Login-User
> 	Message-Authenticator =
> <235>b<224>>"84<14><231><216>}c<129><128><188><176>
> 	EAP-Message = <2><2><0><18><1>smi at adomain.com
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 2713050
> 	NAS-IP-Address = XX.XX.XX.XX
> 	NAS-Identifier = "Ap-WDS-Server"
>
> Mon Nov  7 15:02:59 2005: DEBUG: Handling request with Handler
> 'Realm=adomain.com'
> Mon Nov  7 15:02:59 2005: DEBUG: Rewrote user name to smi at adomain.com
> Mon Nov  7 15:02:59 2005: DEBUG: Rewrote user name to smi at adomain.com
> Mon Nov  7 15:02:59 2005: DEBUG: Rewrote user name to smi
> Mon Nov  7 15:02:59 2005: DEBUG:  Deleting session for smi at adomain.com,
> XX.XX.XX.XX, 2713050
> Mon Nov  7 15:02:59 2005: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov  7 15:02:59 2005: DEBUG: Handling with EAP: code 2, 2, 18
> Mon Nov  7 15:02:59 2005: DEBUG: Response type 1
> Mon Nov  7 15:02:59 2005: DEBUG: Resuming session for
> Radius::Context=HASH(0x1f09ac4)
>
> Mon Nov  7 15:02:59 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Nov  7 15:02:59 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS
> Challenge
> Mon Nov  7 15:02:59 2005: DEBUG: Access challenged for smi: EAP TTLS
> Challenge
> Mon Nov  7 15:02:59 2005: DEBUG: Packet dump:
>
> ============================================================================
> CONFIG
> ============================================================================
>
> Foreground
> LogStdout
> LogDir	c:/Program Files/Radiator
> DbDir		c:/Program Files/Radiator
> LogFile	c:/Program Files/Radiator/logfile.log
>
> # Use the following TCP ports
>
> #AuthPort 1645
> #AcctPort 1646
>
> # This will log at DEBUG level: very verbose
> # Use a lower trace level in production systems, typically use 3
> Trace 		5
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with. This will work
> # at least with radpwtst running on the local machine
>
> <Client DEFAULT>
> 	Secret 	<Secret>
> 	IgnoreAcctSignature   <--- had to set this one because it gave the msg: BAD EAP MESSAGE-AUTHENTICATOR
> #	DupInterval 0
> </Client>
>
> <Client 145.28.2.22>
> 	Secret		<secret>
> </Client>
>
> <Realm hesasd.nl>
> 	# This one translates all uppercase chars to lowercase
> 	RewriteUsername	tr/[A-Z]/[a-z]/
> 	# Take the realm from the request for further processing
> 	RewriteUsername s/^(.*)\\(.*)/$2\@$1/
> 	RewriteUsername	s/^([^@]+).*/$1/
> 	AcctLogFileName C:/Program Files/Radiator/logfile.log
>
> 	<AuthBy FILE>
> 		Filename  c:/program files/Radiator/users
> 		EAPType TTLS
> 		EAPTLS_CAFile c:/certs/root/root-cert.pem
> 		EAPTLS_CertificateFile c:/certs/server/servercert.pem
> 		EAPTLS_CertificateType PEM
> 		EAPTLS_PrivateKeyFile c:/certs/server/serverkey.pem
> 		EAPTLS_PrivateKeyPassword <secret>
> 		EAPTLS_MaxFragmentSize 1024
> 		AutoMPPEKeys
> 	</AuthBy>
> </Realm>
>
> # Authenticate all realms with this
> <Realm DEFAULT>
> 	# Look up user details in a flat file
> 	<AuthBy FILE>
> 		# %D is replaced by DbDir above
> 		Filename %D/users
> 	</AuthBy>
>
> 	# Log accounting to a detail file. %D is replaced by DbDir above
> 	AcctLogFileName	%D/detail
> </Realm>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
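The three-step pattern described in the reply (Access-Request, Access-Challenge, identical retransmit of the same request) can be checked mechanically against a packet trace. The following is an added Python example, not Radiator's code or anything posted in the thread: it builds constructed RADIUS packets shaped like the ones in the log (identifier 243, an EAP identity response, a TTLS start challenge) and flags a NAS that keeps re-sending a request the server has already answered with a challenge. The user name and authenticator bytes are made up for the sample.

```python
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE, USER_NAME, EAP_MESSAGE = 1, 11, 1, 79  # RFC 2865/2869

def build_radius(code, ident, authenticator, attrs):
    """Encode a RADIUS packet from (type, value) attribute pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_radius(packet):
    """Decode the header and attribute list, rejecting inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "auth": packet[4:20], "attrs": attrs}

def find_retransmit_loops(exchange, limit=2):
    """Flag NAS Access-Requests re-sent (same Identifier and Request Authenticator,
    i.e. true retransmissions) after the server already answered them with an
    Access-Challenge; exchange is (direction, packet) pairs in wire order."""
    pending, challenged, repeats, looping = {}, set(), {}, []
    for direction, packet in exchange:
        p = parse_radius(packet)
        key = (p["id"], p["auth"])
        if direction == "nas" and p["code"] == ACCESS_REQUEST:
            if key in challenged:
                repeats[key] = repeats.get(key, 0) + 1
                if repeats[key] >= limit and p["id"] not in looping:
                    looping.append(p["id"])
            pending[p["id"]] = key
        elif direction == "server" and p["code"] == ACCESS_CHALLENGE and p["id"] in pending:
            challenged.add(pending[p["id"]])
    return looping

# Constructed sample traffic shaped like the log: id 243, EAP identity, TTLS start (type 21, Start flag).
IDENTITY = build_radius(ACCESS_REQUEST, 243, bytes(range(16)),
                        [(USER_NAME, b"smi@example.test"), (EAP_MESSAGE, b"\x02\x02\x00\x08\x01smi")])
TTLS_START = build_radius(ACCESS_CHALLENGE, 243, bytes(16), [(EAP_MESSAGE, b"\x01\x03\x00\x06\x15\x20")])
LOOPING = [("nas", IDENTITY), ("server", TTLS_START)] * 2 + [("nas", IDENTITY)]
# A healthy supplicant answers the challenge with a new request carrying a fresh authenticator.
NEXT_STEP = build_radius(ACCESS_REQUEST, 244, bytes(range(16, 32)), [(EAP_MESSAGE, b"\x02\x03\x00\x06\x15\x00")])
HEALTHY = [("nas", IDENTITY), ("server", TTLS_START), ("nas", NEXT_STEP)]
```

Run over the looping trace the detector reports identifier 243; over the healthy trace it reports nothing, which is the distinction the reply draws between an AP that acts on the challenge and one that never sees it.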