(RADIATOR) RE: TTLS problem

Richard Smit smi at hesasd.nl
Wed Nov 9 07:20:34 CST 2005


Mike,

Thanks for your reply.
I thought so too, but now I get the following message; maybe this gives
you more info.

Mon Nov  7 16:27:32 2005: DEBUG: Packet dump:
*** Received from 145.28.53.217 port 1645 ....

Packet length = 150
01 e8 00 96 86 e0 51 1b c1 95 5e 09 80 7f 2c b0
84 4c d6 c5 01 0f 73 6d 69 40 68 65 73 61 73 64
2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
34 62 37 34 2e 63 32 35 33 06 06 00 00 00 01 50
12 e6 9f 24 e4 59 49 e1 b5 cb 76 a0 65 75 fe 58
44 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 66
d7 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
53 65 72 76 65 72
Code:       Access-Request
Identifier: 232
Authentic:  <134><224>Q<27><193><149>^<9><128><127>,<176><132>L<214><197>
Attributes:
	User-Name = "smi at hesasd.nl"
	Framed-MTU = 1400
	Called-Station-Id = "0013.607c.9d6d"
	Calling-Station-Id = "0090.4b74.c253"
	Service-Type = Login-User
	Message-Authenticator =
<230><159>$<228>YI<225><181><203>v<160>eu<254>XD
	EAP-Message = <2><2><0><18><1>smi at somedomain.nl
	NAS-Port-Type = Wireless-IEEE-802-11
	NAS-Port = 2713303
	NAS-IP-Address = XX.XX.XX.XX
	NAS-Identifier = "Ap-WDS-Server"

Mon Nov  7 16:27:32 2005: WARNING: Bad EAP Message-Authenticator
Mon Nov  7 16:27:32 2005: WARNING: Bad authenticator in request from DEFAULT (XX.XX.XX.XX)
Mon Nov  7 16:27:38 2005: DEBUG: Packet dump:

Thanks,

Richard Smit
HES Amsterdam


-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au] 
Sent: Tuesday 8 November 2005 3:50
To: Richard Smit
Cc: radiator at open.com.au
Subject: Re: TTLS problem

Hello Richard,

What appears to be happening is this:

1. AP sends an Access-Request with the EAP identity.
2. Radiator sends an Access-Challenge with an EAP message saying 'go ahead with TTLS'.
3. AP retransmits (with the same identifier) the request from 1 above.

This indicates some sort of problem with the configuration or behaviour of the
AP. Perhaps the Access-Challenge is not getting through some port/address
filter in or before the AP? Perhaps there is a bug in the AP firmware?
Anyway, Radiator appears to be behaving correctly, and this is confirmed by your
report that it worked OK without WDS.

Hope that helps.

Cheers.

On Tuesday 08 November 2005 00:16, Richard Smit wrote:
> Hey all,
>
> I have a problem. I'm trying to set up the RADIUS server so it can handle
> EAP-TTLS access requests.
> We're using Cisco APs with a WDS AP. I did set up a test without a WDS
> (Wireless Domain Server) and it worked, but now I have a problem I don't
> understand.
> When reading the log file it seems that it is looping.
>
> The server is running on windows 2003
> I have installed
> 	Digest::MD5
> 	Net::SSLeay
> 	Digest::SHA1
> 	Digest::HMAC
> 	Digest::MD4
>
> Hope someone can help....
>
> Greetz,
>
> Richard Smit
> HES Amsterdam
>
> ========================================================================
> Logfile sample
> ========================================================================
>
> Mon Nov  7 15:01:36 2005: DEBUG: Finished reading configuration file
> 'C:\Program Files\Radiator\radius.cfg'
> Mon Nov  7 15:01:36 2005: DEBUG: Reading dictionary file 'c:/Program
> Files/Radiator/dictionary'
> Mon Nov  7 15:01:37 2005: DEBUG: Creating authentication port
> 0.0.0.0:1645
> Mon Nov  7 15:01:37 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> Mon Nov  7 15:01:37 2005: NOTICE: Server started: Radiator 3.13 on
> radius02
> Mon Nov  7 15:02:48 2005: DEBUG: Packet dump:
> *** Received from XX.XX.XX.XX port 1645 ....
>
> Packet length = 150
> 01 f3 00 96 a9 73 25 37 eb bc 9f 3f cd 2f 26 e9
> c4 c9 53 0b 01 0f 73 6d 69 40 68 65 73 61 73 64
> 2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
> 36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
> 34 62 37 34 2e 62 36 66 63 06 06 00 00 00 01 50
> 12 eb 62 e0 3e 22 38 34 0e e7 d8 7d 63 81 80 bc
> b0 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
> 73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 65
> da 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
> 53 65 72 76 65 72
> Code:       Access-Request
> Identifier: 243
> Authentic:  <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> Attributes:
> 	User-Name = "smi at adomain.com"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0013.607c.9d6d"
> 	Calling-Station-Id = "0090.4b74.b6fc"
> 	Service-Type = Login-User
> 	Message-Authenticator =
> <235>b<224>>"84<14><231><216>}c<129><128><188><176>
> 	EAP-Message = <2><2><0><18><1>smi at adomain.com
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 2713050
> 	NAS-IP-Address = XX.XX.XX.XX
> 	NAS-Identifier = "Ap-WDS-Server"
>
> Mon Nov  7 15:02:48 2005: DEBUG: Handling request with Handler
> 'Realm=adomain.com'
> Mon Nov  7 15:02:48 2005: DEBUG: Rewrote user name to smi at adomain.com
> Mon Nov  7 15:02:48 2005: DEBUG: Rewrote user name to smi at adomain.com
> Mon Nov  7 15:02:48 2005: DEBUG: Rewrote user name to smi
> Mon Nov  7 15:02:48 2005: DEBUG:  Deleting session for smi at adomain.com, XX.XX.XX.XX, 2713050
> Mon Nov  7 15:02:48 2005: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov  7 15:02:48 2005: DEBUG: Handling with EAP: code 2, 2, 18
> Mon Nov  7 15:02:48 2005: DEBUG: Response type 1
> Mon Nov  7 15:02:48 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Nov  7 15:02:48 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
> Mon Nov  7 15:02:48 2005: DEBUG: Access challenged for smi: EAP TTLS
> Challenge
> Mon Nov  7 15:02:48 2005: DEBUG: Packet dump:
> *** Sending to XX.XX.XX.XX port 1645 ....
>
> Packet length = 46
> 0b f3 00 2e af e5 76 5a 82 e4 10 35 cf f5 e0 9b
> 95 b7 8c 3e 4f 08 01 03 00 06 15 20 50 12 07 dc
> 61 e9 2c 32 88 4c 44 ac c1 91 df 53 d9 84
> Code:       Access-Challenge
> Identifier: 243
> Authentic:  <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> Attributes:
> 	EAP-Message = <1><3><0><6><21>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov  7 15:02:54 2005: DEBUG: Packet dump:
> *** Received from XX.XX.XX.XX port 1645 ....
>
> Packet length = 150
> 01 f3 00 96 a9 73 25 37 eb bc 9f 3f cd 2f 26 e9
> c4 c9 53 0b 01 0f 73 6d 69 40 68 65 73 61 73 64
> 2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
> 36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
> 34 62 37 34 2e 62 36 66 63 06 06 00 00 00 01 50
> 12 eb 62 e0 3e 22 38 34 0e e7 d8 7d 63 81 80 bc
> b0 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
> 73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 65
> da 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
> 53 65 72 76 65 72
> Code:       Access-Request
> Identifier: 243
> Authentic:  <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> Attributes:
> 	User-Name = "smi at adomain.com"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0013.607c.9d6d"
> 	Calling-Station-Id = "0090.4b74.b6fc"
> 	Service-Type = Login-User
> 	Message-Authenticator =
> <235>b<224>>"84<14><231><216>}c<129><128><188><176>
> 	EAP-Message = <2><2><0><18><1>smi at adomain.com
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 2713050
> 	NAS-IP-Address = XX.XX.XX.XX
> 	NAS-Identifier = "Ap-WDS-Server"
>
> Mon Nov  7 15:02:54 2005: DEBUG: Handling request with Handler
> 'Realm=adomain.com'
> Mon Nov  7 15:02:54 2005: DEBUG: Rewrote user name to smi at adomain.com
> Mon Nov  7 15:02:54 2005: DEBUG: Rewrote user name to smi at adomain.com
> Mon Nov  7 15:02:54 2005: DEBUG: Rewrote user name to smi
> Mon Nov  7 15:02:54 2005: DEBUG:  Deleting session for smi at adomain.com, XX.XX.XX.XX, 2713050
> Mon Nov  7 15:02:54 2005: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov  7 15:02:54 2005: DEBUG: Handling with EAP: code 2, 2, 18
> Mon Nov  7 15:02:54 2005: DEBUG: Response type 1
> Mon Nov  7 15:02:54 2005: DEBUG: Resuming session for
> Radius::Context=HASH(0x1f09ac4)
>
> Mon Nov  7 15:02:54 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Nov  7 15:02:54 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
> Mon Nov  7 15:02:54 2005: DEBUG: Access challenged for smi: EAP TTLS
> Challenge
> Mon Nov  7 15:02:54 2005: DEBUG: Packet dump:
> *** Sending to XX.XX.XX.XX port 1645 ....
>
> Packet length = 46
> 0b f3 00 2e af e5 76 5a 82 e4 10 35 cf f5 e0 9b
> 95 b7 8c 3e 4f 08 01 03 00 06 15 20 50 12 07 dc
> 61 e9 2c 32 88 4c 44 ac c1 91 df 53 d9 84
> Code:       Access-Challenge
> Identifier: 243
> Authentic:  <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> Attributes:
> 	EAP-Message = <1><3><0><6><21>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Mon Nov  7 15:02:59 2005: DEBUG: Packet dump:
> *** Received from XX.XX.XX.XX port 1645 ....
>
> Packet length = 150
> 01 f3 00 96 a9 73 25 37 eb bc 9f 3f cd 2f 26 e9
> c4 c9 53 0b 01 0f 73 6d 69 40 68 65 73 61 73 64
> 2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
> 36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
> 34 62 37 34 2e 62 36 66 63 06 06 00 00 00 01 50
> 12 eb 62 e0 3e 22 38 34 0e e7 d8 7d 63 81 80 bc
> b0 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
> 73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 65
> da 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
> 53 65 72 76 65 72
> Code:       Access-Request
> Identifier: 243
> Authentic:  <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> Attributes:
> 	User-Name = "smi at adomain.com"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0013.607c.9d6d"
> 	Calling-Station-Id = "0090.4b74.b6fc"
> 	Service-Type = Login-User
> 	Message-Authenticator =
> <235>b<224>>"84<14><231><216>}c<129><128><188><176>
> 	EAP-Message = <2><2><0><18><1>smi at adomain.com
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 2713050
> 	NAS-IP-Address = XX.XX.XX.XX
> 	NAS-Identifier = "Ap-WDS-Server"
>
> Mon Nov  7 15:02:59 2005: DEBUG: Handling request with Handler
> 'Realm=adomain.com'
> Mon Nov  7 15:02:59 2005: DEBUG: Rewrote user name to smi at adomain.com
> Mon Nov  7 15:02:59 2005: DEBUG: Rewrote user name to smi at adomain.com
> Mon Nov  7 15:02:59 2005: DEBUG: Rewrote user name to smi
> Mon Nov  7 15:02:59 2005: DEBUG:  Deleting session for smi at adomain.com, XX.XX.XX.XX, 2713050
> Mon Nov  7 15:02:59 2005: DEBUG: Handling with Radius::AuthFILE:
> Mon Nov  7 15:02:59 2005: DEBUG: Handling with EAP: code 2, 2, 18
> Mon Nov  7 15:02:59 2005: DEBUG: Response type 1
> Mon Nov  7 15:02:59 2005: DEBUG: Resuming session for
> Radius::Context=HASH(0x1f09ac4)
>
> Mon Nov  7 15:02:59 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
> Mon Nov  7 15:02:59 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
> Mon Nov  7 15:02:59 2005: DEBUG: Access challenged for smi: EAP TTLS
> Challenge
> Mon Nov  7 15:02:59 2005: DEBUG: Packet dump:
>
> ========================================================================
> CONFIG
> ========================================================================
>
> Foreground
> LogStdout
> LogDir	c:/Program Files/Radiator
> DbDir		c:/Program Files/Radiator
> LogFile	c:/Program Files/Radiator/logfile.log
>
> # Use the following TCP ports
>
> #AuthPort 1645
> #AcctPort 1646
>
> # This will log at DEBUG level: very verbose
> # Use a lower trace level in production systems, typically use 3
> Trace 		5
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with. This will work
> # at least with radpwtst running on the local machine
>
> <Client DEFAULT>
> 	Secret 	<Secret>
> 	IgnoreAcctSignature	<------- had to set this one because it gave the msg: BAD EAP MESSAGE-AUTHENTICATOR
> #	DupInterval 0
> </Client>
>
> <Client 145.28.2.22>
> 	Secret		<secret>
> </Client>
>
> <Realm hesasd.nl>
> 	# This one translates all uppercase chars to lowercase
> 	RewriteUsername	tr/[A-Z]/[a-z]/
> 	# Take the realm off the request for further processing
> 	RewriteUsername s/^(.*)\\(.*)/$2\@$1/
> 	RewriteUsername	s/^([^@]+).*/$1/
> 	AcctLogFileName C:/Program Files/Radiator/logfile.log
>
> 	<AuthBy FILE>
> 		Filename  c:/program files/Radiator/users
> 		EAPType TTLS
> 		EAPTLS_CAFile c:/certs/root/root-cert.pem
> 		EAPTLS_CertificateFile c:/certs/server/servercert.pem
> 		EAPTLS_CertificateType PEM
> 		EAPTLS_PrivateKeyFile c:/certs/server/serverkey.pem
> 		EAPTLS_PrivateKeyPassword <secret>
> 		EAPTLS_MaxFragmentSize 1024
> 		AutoMPPEKeys
> 	</AuthBy>
> </Realm>
>
> # Authenticate all realms with this
> <Realm DEFAULT>
> 	# Look up user details in a flat file
> 	<AuthBy FILE>
> 		# %D is replaced by DbDir above
> 		Filename %D/users
> 	</AuthBy>
>
> 	# Log accounting to a detail file. %D is replaced by DbDir above
> 	AcctLogFileName	%D/detail
> </Realm>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
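As an added example (not code from this thread or from Radiator), the two checks that Mike's analysis and the WARNING lines above turn on, in Python: parsing the 150-byte Access-Request (Identifier 232) quoted at the top of this message, the RFC 2869 Message-Authenticator verification whose failure produces 'Bad EAP Message-Authenticator', and a duplicate detector that flags the retransmission in step 3. The shared secret is not on the page, so `testing123` below is a constructed stand-in.

```python
import hashlib
import hmac

# The 150-byte Access-Request (Identifier 232) quoted above, re-entered from its
# hex dump so the parser and checks below run against a real packet.
PAGE_PACKET = bytes.fromhex(
    "01e8009686e0511bc1955e09807f2cb0" "844cd6c5010f736d6940686573617364"
    "2e6e6c0c06000005781e10303031332e" "363037632e396436641f10303039302e"
    "346237342e6332353306060000000150" "12e69f24e45949e1b5cb76a06575fe58"
    "444f140202001201736d694068657361" "73642e6e6c3d06000000130506002966"
    "d70406911c35d9200f41702d5744532d" "536572766572")
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type (EAP-Message is 79)

def parse_radius(pkt):
    """Return header fields and a list of (type, value, value_offset) attributes."""
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length < 20 or length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, pkt[pos + 2:pos + alen], pos + 2))
        pos += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}

def _ma_offset(pkt):
    for atype, value, off in parse_radius(pkt)["attrs"]:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            return off
    raise ValueError("no Message-Authenticator attribute")

def sign_request(pkt, secret):
    """Fill in Message-Authenticator = HMAC-MD5(secret, packet with the field zeroed)."""
    off = _ma_offset(pkt)
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    return zeroed[:off] + hmac.new(secret, zeroed, hashlib.md5).digest() + zeroed[off + 16:]

def message_authenticator_ok(pkt, secret):
    """The check behind the 'Bad EAP Message-Authenticator' warning: it fails when the
    NAS and the matching <Client> clause hold different secrets or the packet was altered."""
    off = _ma_offset(pkt)
    expected = sign_request(pkt, secret)[off:off + 16]
    return hmac.compare_digest(expected, pkt[off:off + 16])

def is_retransmit(seen, src, pkt):
    """True when (source, Identifier, Request Authenticator) was already seen, i.e. the NAS
    re-sent the same request instead of answering the Access-Challenge (step 3 above)."""
    key = (src, pkt[1], pkt[4:20])
    if key in seen:
        return True
    seen.add(key)
    return False
```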
