(RADIATOR) RE: TTLS problem
Hugh Irvine
hugh at open.com.au
Wed Nov 9 14:42:42 CST 2005
Hello Richard -
This looks like an incorrect shared secret between the access point
and Radiator.
regards
Hugh
On 10 Nov 2005, at 00:20, Richard Smit wrote:
> Mike,
>
> Thanks for your reply.
> I thought so too, but now I get the following message, and maybe this
> gives you more info.
>
> Mon Nov 7 16:27:32 2005: DEBUG: Packet dump:
> *** Received from 145.28.53.217 port 1645 ....
>
> Packet length = 150
> 01 e8 00 96 86 e0 51 1b c1 95 5e 09 80 7f 2c b0
> 84 4c d6 c5 01 0f 73 6d 69 40 68 65 73 61 73 64
> 2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
> 36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
> 34 62 37 34 2e 63 32 35 33 06 06 00 00 00 01 50
> 12 e6 9f 24 e4 59 49 e1 b5 cb 76 a0 65 75 fe 58
> 44 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
> 73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 66
> d7 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
> 53 65 72 76 65 72
> Code: Access-Request
> Identifier: 232
> Authentic:
> <134><224>Q<27><193><149>^<9><128><127>,<176><132>L<214><197>
> Attributes:
> User-Name = "smi at hesasd.nl"
> Framed-MTU = 1400
> Called-Station-Id = "0013.607c.9d6d"
> Calling-Station-Id = "0090.4b74.c253"
> Service-Type = Login-User
> Message-Authenticator =
> <230><159>$<228>YI<225><181><203>v<160>eu<254>XD
> EAP-Message = <2><2><0><18><1>smi at somedomain.nl
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 2713303
> NAS-IP-Address = XX.XX.XX.XX
> NAS-Identifier = "Ap-WDS-Server"
>
> Mon Nov 7 16:27:32 2005: WARNING: Bad EAP Message-Authenticator
> Mon Nov 7 16:27:32 2005: WARNING: Bad authenticator in request from
> DEFAULT (XX.XX.XX.XX)
> Mon Nov 7 16:27:38 2005: DEBUG: Packet dump:
>
> Thanks,
>
> Richard Smit
> HES Amsterdam
>
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: dinsdag 8 november 2005 3:50
> To: Richard Smit
> Cc: radiator at open.com.au
> Subject: Re: TTLS problem
>
> Hello Richard,
>
> What appears to be happening is this:
>
> 1. AP sends an Access-Request with the EAP identity.
> 2. Radiator sends an Access-Challenge with EAP message saying 'go ahead
> with TTLS'
> 3. AP retransmits (with same identifier) the request from 1 above.
>
> This indicates some sort of problem with the configuration or behaviour
> of the AP. Perhaps the Access-Challenge is not getting through some
> port/address filter in or before the AP? Perhaps there is a bug in the AP
> firmware?
> Anyway, Radiator appears to be behaving correctly, and this is confirmed
> by your report that it worked OK without WDS.
>
> Hope that helps.
>
> Cheers.
>
> On Tuesday 08 November 2005 00:16, Richard Smit wrote:
>> Hey all,
>>
>> I have a problem. I'm trying to set up the radius server so it can
>> handle EAP-TTLS access requests.
>> We're using Cisco APs with a WDS AP. I did set up a test without a WDS
>> (Wireless Domain Server) and it worked, but now I have a problem I
>> don't understand.
>> When reading the log file it seems that it is looping.
>>
>> The server is running on windows 2003
>> I have installed
>> Digest::MD5
>> Net::SSLeay
>> Digest::SHA1
>> Digest::HMAC
>> Digest::MD4
>>
>> Hope someone can help....
>>
>> Greetz,
>>
>> Richard Smit
>> HES Amsterdam
>>
>>
>> ==========================================================================
>> Logfile sample
>>
>> ==========================================================================
>>
>> Mon Nov 7 15:01:36 2005: DEBUG: Finished reading configuration file
>> 'C:\Program Files\Radiator\radius.cfg'
>> Mon Nov 7 15:01:36 2005: DEBUG: Reading dictionary file 'c:/Program
>> Files/Radiator/dictionary'
>> Mon Nov 7 15:01:37 2005: DEBUG: Creating authentication port
>> 0.0.0.0:1645
>> Mon Nov 7 15:01:37 2005: DEBUG: Creating accounting port
>> 0.0.0.0:1646
>> Mon Nov 7 15:01:37 2005: NOTICE: Server started: Radiator 3.13 on
>> radius02
>> Mon Nov 7 15:02:48 2005: DEBUG: Packet dump:
>> *** Received from XX.XX.XX.XX port 1645 ....
>>
>> Packet length = 150
>> 01 f3 00 96 a9 73 25 37 eb bc 9f 3f cd 2f 26 e9
>> c4 c9 53 0b 01 0f 73 6d 69 40 68 65 73 61 73 64
>> 2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
>> 36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
>> 34 62 37 34 2e 62 36 66 63 06 06 00 00 00 01 50
>> 12 eb 62 e0 3e 22 38 34 0e e7 d8 7d 63 81 80 bc
>> b0 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
>> 73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 65
>> da 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
>> 53 65 72 76 65 72
>> Code: Access-Request
>> Identifier: 243
>> Authentic: <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
>> Attributes:
>> User-Name = "smi at adomain.com"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.607c.9d6d"
>> Calling-Station-Id = "0090.4b74.b6fc"
>> Service-Type = Login-User
>> Message-Authenticator =
>> <235>b<224>>"84<14><231><216>}c<129><128><188><176>
>> EAP-Message = <2><2><0><18><1>smi at adomain.com
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 2713050
>> NAS-IP-Address = XX.XX.XX.XX
>> NAS-Identifier = "Ap-WDS-Server"
>>
>> Mon Nov 7 15:02:48 2005: DEBUG: Handling request with Handler
>> 'Realm=adomain.com'
>> Mon Nov 7 15:02:48 2005: DEBUG: Rewrote user name to smi at adomain.com
>> Mon Nov 7 15:02:48 2005: DEBUG: Rewrote user name to smi at adomain.com
>> Mon Nov 7 15:02:48 2005: DEBUG: Rewrote user name to smi
>> Mon Nov 7 15:02:48 2005: DEBUG: Deleting session for smi at adomain.com, XX.XX.XX.XX, 2713050
>> Mon Nov 7 15:02:48 2005: DEBUG: Handling with Radius::AuthFILE:
>> Mon Nov 7 15:02:48 2005: DEBUG: Handling with EAP: code 2, 2, 18
>> Mon Nov 7 15:02:48 2005: DEBUG: Response type 1
>> Mon Nov 7 15:02:48 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
>> Mon Nov 7 15:02:48 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
>> Mon Nov 7 15:02:48 2005: DEBUG: Access challenged for smi: EAP TTLS
>> Challenge
>> Mon Nov 7 15:02:48 2005: DEBUG: Packet dump:
>> *** Sending to XX.XX.XX.XX port 1645 ....
>>
>> Packet length = 46
>> 0b f3 00 2e af e5 76 5a 82 e4 10 35 cf f5 e0 9b
>> 95 b7 8c 3e 4f 08 01 03 00 06 15 20 50 12 07 dc
>> 61 e9 2c 32 88 4c 44 ac c1 91 df 53 d9 84
>> Code: Access-Challenge
>> Identifier: 243
>> Authentic: <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
>> Attributes:
>> EAP-Message = <1><3><0><6><21>
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Mon Nov 7 15:02:54 2005: DEBUG: Packet dump:
>> *** Received from XX.XX.XX.XX port 1645 ....
>>
>> Packet length = 150
>> 01 f3 00 96 a9 73 25 37 eb bc 9f 3f cd 2f 26 e9
>> c4 c9 53 0b 01 0f 73 6d 69 40 68 65 73 61 73 64
>> 2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
>> 36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
>> 34 62 37 34 2e 62 36 66 63 06 06 00 00 00 01 50
>> 12 eb 62 e0 3e 22 38 34 0e e7 d8 7d 63 81 80 bc
>> b0 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
>> 73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 65
>> da 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
>> 53 65 72 76 65 72
>> Code: Access-Request
>> Identifier: 243
>> Authentic: <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
>> Attributes:
>> User-Name = "smi at adomain.com"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.607c.9d6d"
>> Calling-Station-Id = "0090.4b74.b6fc"
>> Service-Type = Login-User
>> Message-Authenticator =
>> <235>b<224>>"84<14><231><216>}c<129><128><188><176>
>> EAP-Message = <2><2><0><18><1>smi at adomain.com
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 2713050
>> NAS-IP-Address = XX.XX.XX.XX
>> NAS-Identifier = "Ap-WDS-Server"
>>
>> Mon Nov 7 15:02:54 2005: DEBUG: Handling request with Handler
>> 'Realm=adomain.com'
>> Mon Nov 7 15:02:54 2005: DEBUG: Rewrote user name to smi at adomain.com
>> Mon Nov 7 15:02:54 2005: DEBUG: Rewrote user name to smi at adomain.com
>> Mon Nov 7 15:02:54 2005: DEBUG: Rewrote user name to smi
>> Mon Nov 7 15:02:54 2005: DEBUG: Deleting session for smi at adomain.com, XX.XX.XX.XX, 2713050
>> Mon Nov 7 15:02:54 2005: DEBUG: Handling with Radius::AuthFILE:
>> Mon Nov 7 15:02:54 2005: DEBUG: Handling with EAP: code 2, 2, 18
>> Mon Nov 7 15:02:54 2005: DEBUG: Response type 1
>> Mon Nov 7 15:02:54 2005: DEBUG: Resuming session for
>> Radius::Context=HASH(0x1f09ac4)
>>
>> Mon Nov 7 15:02:54 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
>> Mon Nov 7 15:02:54 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
>> Mon Nov 7 15:02:54 2005: DEBUG: Access challenged for smi: EAP TTLS
>> Challenge
>> Mon Nov 7 15:02:54 2005: DEBUG: Packet dump:
>> *** Sending to XX.XX.XX.XX port 1645 ....
>>
>> Packet length = 46
>> 0b f3 00 2e af e5 76 5a 82 e4 10 35 cf f5 e0 9b
>> 95 b7 8c 3e 4f 08 01 03 00 06 15 20 50 12 07 dc
>> 61 e9 2c 32 88 4c 44 ac c1 91 df 53 d9 84
>> Code: Access-Challenge
>> Identifier: 243
>> Authentic: <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
>> Attributes:
>> EAP-Message = <1><3><0><6><21>
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Mon Nov 7 15:02:59 2005: DEBUG: Packet dump:
>> *** Received from XX.XX.XX.XX port 1645 ....
>>
>> Packet length = 150
>> 01 f3 00 96 a9 73 25 37 eb bc 9f 3f cd 2f 26 e9
>> c4 c9 53 0b 01 0f 73 6d 69 40 68 65 73 61 73 64
>> 2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
>> 36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
>> 34 62 37 34 2e 62 36 66 63 06 06 00 00 00 01 50
>> 12 eb 62 e0 3e 22 38 34 0e e7 d8 7d 63 81 80 bc
>> b0 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
>> 73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 65
>> da 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
>> 53 65 72 76 65 72
>> Code: Access-Request
>> Identifier: 243
>> Authentic: <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
>> Attributes:
>> User-Name = "smi at adomain.com"
>> Framed-MTU = 1400
>> Called-Station-Id = "0013.607c.9d6d"
>> Calling-Station-Id = "0090.4b74.b6fc"
>> Service-Type = Login-User
>> Message-Authenticator =
>> <235>b<224>>"84<14><231><216>}c<129><128><188><176>
>> EAP-Message = <2><2><0><18><1>smi at adomain.com
>> NAS-Port-Type = Wireless-IEEE-802-11
>> NAS-Port = 2713050
>> NAS-IP-Address = XX.XX.XX.XX
>> NAS-Identifier = "Ap-WDS-Server"
>>
>> Mon Nov 7 15:02:59 2005: DEBUG: Handling request with Handler
>> 'Realm=adomain.com'
>> Mon Nov 7 15:02:59 2005: DEBUG: Rewrote user name to smi at adomain.com
>> Mon Nov 7 15:02:59 2005: DEBUG: Rewrote user name to smi at adomain.com
>> Mon Nov 7 15:02:59 2005: DEBUG: Rewrote user name to smi
>> Mon Nov 7 15:02:59 2005: DEBUG: Deleting session for smi at adomain.com, XX.XX.XX.XX, 2713050
>> Mon Nov 7 15:02:59 2005: DEBUG: Handling with Radius::AuthFILE:
>> Mon Nov 7 15:02:59 2005: DEBUG: Handling with EAP: code 2, 2, 18
>> Mon Nov 7 15:02:59 2005: DEBUG: Response type 1
>> Mon Nov 7 15:02:59 2005: DEBUG: Resuming session for
>> Radius::Context=HASH(0x1f09ac4)
>>
>> Mon Nov 7 15:02:59 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
>> Mon Nov 7 15:02:59 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
>> Mon Nov 7 15:02:59 2005: DEBUG: Access challenged for smi: EAP TTLS
>> Challenge
>> Mon Nov 7 15:02:59 2005: DEBUG: Packet dump:
>>
>>
>> ==========================================================================
>> CONFIG
>>
>> ==========================================================================
>>
>> Foreground
>> LogStdout
>> LogDir c:/Program Files/Radiator
>> DbDir c:/Program Files/Radiator
>> LogFile c:/Program Files/Radiator/logfile.log
>>
>> # Use the following UDP ports
>>
>> #AuthPort 1645
>> #AcctPort 1646
>>
>> # This will log at DEBUG level: very verbose
>> # Use a lower trace level in production systems, typically use 3
>> Trace 5
>>
>> # You will probably want to add other Clients to suit your site,
>> # one for each NAS you want to work with. This will work
>> # at least with radpwtst running on the local machine
>>
>> <Client DEFAULT>
>> Secret <Secret>
>> # had to set this one because it gave the msg:
>> # BAD EAP MESSAGE-AUTHENTICATOR
>> IgnoreAcctSignature
>> # DupInterval 0
>> </Client>
>>
>> <Client 145.28.2.22>
>> Secret <secret>
>> </Client>
>>
>> <Realm hesasd.nl>
>> # This one translates all uppercase chars to lowercase
>> RewriteUsername tr/[A-Z]/[a-z]/
>> # Take the realm off the request for further processing
>> RewriteUsername s/^(.*)\\(.*)/$2\@$1/
>> RewriteUsername s/^([^@]+).*/$1/
>> AcctLogFileName C:/Program Files/Radiator/logfile.log
>>
>> <AuthBy FILE>
>> Filename c:/program files/Radiator/users
>> EAPType TTLS
>> EAPTLS_CAFile c:/certs/root/root-cert.pem
>> EAPTLS_CertificateFile c:/certs/server/servercert.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile c:/certs/server/serverkey.pem
>> EAPTLS_PrivateKeyPassword <secret>
>> EAPTLS_MaxFragmentSize 1024
>> AutoMPPEKeys
>> </AuthBy>
>> </Realm>
>>
>> # Authenticate all realms with this
>> <Realm DEFAULT>
>> # Look up user details in a flat file
>> <AuthBy FILE>
>> # %D is replaced by DbDir above
>> Filename %D/users
>> </AuthBy>
>>
>> # Log accounting to a detail file. %D is replaced by DbDir above
>> AcctLogFileName %D/detail
>> </Realm>
>
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
> TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
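The "Bad EAP Message-Authenticator" and "Bad authenticator in request" warnings in Richard's follow-up are what Radiator logs when the HMAC-MD5 Message-Authenticator on an incoming Access-Request does not verify under the secret configured for the matching Client clause, which is why Hugh's answer points at a shared-secret mismatch between the AP and Radiator. The script below is an added example, not code from the thread or from Radiator: it parses the 150-byte Access-Request hex dump Richard posted (identifier 232), recomputes the Message-Authenticator the way a RADIUS server does (RFC 2869 section 5.14, required alongside EAP-Message by RFC 3579), and builds the Access-Challenge reply so the request-side and reply-side authenticators can be compared. The secrets, the identity user@example.org and the Request Authenticator in the constructed exchange are assumptions; the AP's real secret is not in the thread, so the logged packet is expected to fail the check here.

```python
"""Added example, not code from the thread or from Radiator: verify a RADIUS
Message-Authenticator the way a server does (RFC 2869 s5.14; required with
EAP-Message by RFC 3579) and build the Access-Challenge reply. All secrets
and the constructed identity below are hypothetical."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, NAS_IDENTIFIER, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 32, 79, 80

# The 150-byte Access-Request (identifier 232) from the hex dump in the log above.
LOG_PACKET = bytes.fromhex(
    "01e8009686e0511bc1955e09807f2cb0" "844cd6c5010f736d6940686573617364"
    "2e6e6c0c06000005781e10303031332e" "363037632e396436641f10303039302e"
    "346237342e6332353306060000000150" "12e69f24e45949e1b5cb76a06575fe58"
    "444f140202001201736d694068657361" "73642e6e6c3d06000000130506002966"
    "d70406911c35d9200f41702d5744532d" "536572766572")

def parse_packet(raw):
    """Return (code, identifier, authenticator, [(type, value, value_offset)]),
    validating every length field before anything in the packet is trusted."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):      # octets past Length are padding
        raise ValueError("bad Length field %d" % length)
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at %d" % pos)
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at %d" % (alen, pos))
        attrs.append((atype, raw[pos + 2:pos + alen], pos + 2))
        pos += alen
    return code, ident, raw[4:20], attrs

def message_authenticator_ok(raw, secret, request_authenticator=None):
    """Recompute HMAC-MD5(secret, packet with the 16-byte MA value zeroed).
    For a reply, the matching request's Request Authenticator is substituted
    into the Authenticator field first (pass it as request_authenticator)."""
    offsets = [o for t, v, o in parse_packet(raw)[3]
               if t == MESSAGE_AUTHENTICATOR and len(v) == 16]
    if not offsets:
        return False
    msg = bytearray(raw)
    if request_authenticator is not None:
        msg[4:20] = request_authenticator
    msg[offsets[0]:offsets[0] + 16] = b"\x00" * 16
    expected = hmac.new(secret, bytes(msg), hashlib.md5).digest()
    return hmac.compare_digest(expected, raw[offsets[0]:offsets[0] + 16])

def build_packet(code, ident, request_authenticator, attrs, secret):
    """Encode attrs, append a Message-Authenticator and fill in its HMAC. The
    Authenticator field holds the Request Authenticator for requests and
    replies alike; sign_response() then sets a reply's Response Authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + request_authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def sign_response(reply, secret):
    """Response Authenticator (RFC 2865 s3) = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    return reply[:4] + hashlib.md5(reply + secret).digest() + reply[20:]

def response_authenticator_ok(reply, request_authenticator, secret):
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def eap_identity(eap_id, identity):
    """EAP-Response/Identity (code 2, type 1) as carried inside EAP-Message."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity

def diagnose(raw, secret):
    """The verdict a server reaches on an EAP Access-Request under this secret."""
    code, _, _, attrs = parse_packet(raw)
    if code != ACCESS_REQUEST:
        return "not an Access-Request"
    types = [t for t, _, _ in attrs]
    if EAP_MESSAGE in types and MESSAGE_AUTHENTICATOR not in types:
        return "EAP-Message without Message-Authenticator: discard (RFC 3579)"
    if not message_authenticator_ok(raw, secret):
        return "Bad EAP Message-Authenticator: shared secret mismatch or packet altered"
    return "ok"

if __name__ == "__main__":
    secret, req_auth, identity = b"hypothetical-secret", os.urandom(16), b"user@example.org"
    request = build_packet(ACCESS_REQUEST, 7, req_auth,
                           [(USER_NAME, identity), (EAP_MESSAGE, eap_identity(2, identity))], secret)
    print(diagnose(request, secret), "|", diagnose(request, b"wrong-secret"))
    # Radiator's reply in the log: EAP-Request id 3, type 21 (TTLS), flags 0x20 (Start).
    challenge = sign_response(build_packet(ACCESS_CHALLENGE, 7, req_auth,
                              [(EAP_MESSAGE, bytes([1, 3, 0, 6, 21, 0x20]))], secret), secret)
    print(response_authenticator_ok(challenge, req_auth, secret),
          message_authenticator_ok(challenge, secret, req_auth))
    code, ident, _, attrs = parse_packet(LOG_PACKET)
    print(code, ident, [v for t, v, _ in attrs if t == NAS_IDENTIFIER], diagnose(LOG_PACKET, secret))
```

The logged packet parses cleanly (code 1, identifier 232, eleven attributes ending in NAS-Identifier "Ap-WDS-Server"), so the warning is not a malformed packet but a keyed check failing, and the only keys involved are the secret on the AP and the Secret in the Client clause that matched it (here <Client DEFAULT>). Note also that IgnoreAcctSignature in the posted config relaxes the authenticator check on Accounting-Request packets only; the Message-Authenticator on an Access-Request is still verified, which is consistent with the warning persisting in the follow-up log.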