(RADIATOR) Re: TTLS problem
Mike McCauley
mikem at open.com.au
Wed Nov 9 15:45:27 CST 2005
Hello Richard,
This error is due to not having the correct shared secret configured for
client 145.28.53.217.
Cheers.
On Wednesday 09 November 2005 23:20, Richard Smit wrote:
> Mike,
>
> Thanks for your reply.
> I thought so too, but now I get the following message and maybe this gives
> you more info.
>
> Mon Nov 7 16:27:32 2005: DEBUG: Packet dump:
> *** Received from 145.28.53.217 port 1645 ....
>
> Packet length = 150
> 01 e8 00 96 86 e0 51 1b c1 95 5e 09 80 7f 2c b0
> 84 4c d6 c5 01 0f 73 6d 69 40 68 65 73 61 73 64
> 2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
> 36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
> 34 62 37 34 2e 63 32 35 33 06 06 00 00 00 01 50
> 12 e6 9f 24 e4 59 49 e1 b5 cb 76 a0 65 75 fe 58
> 44 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
> 73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 66
> d7 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
> 53 65 72 76 65 72
> Code: Access-Request
> Identifier: 232
> Authentic:
> <134><224>Q<27><193><149>^<9><128><127>,<176><132>L<214><197>
> Attributes:
> User-Name = "smi at hesasd.nl"
> Framed-MTU = 1400
> Called-Station-Id = "0013.607c.9d6d"
> Calling-Station-Id = "0090.4b74.c253"
> Service-Type = Login-User
> Message-Authenticator =
> <230><159>$<228>YI<225><181><203>v<160>eu<254>XD
> EAP-Message = <2><2><0><18><1>smi at somedomain.nl
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 2713303
> NAS-IP-Address = XX.XX.XX.XX
> NAS-Identifier = "Ap-WDS-Server"
>
> Mon Nov 7 16:27:32 2005: WARNING: Bad EAP Message-Authenticator
> Mon Nov 7 16:27:32 2005: WARNING: Bad authenticator in request from
> DEFAULT (XX.XX.XX.XX)
> Mon Nov 7 16:27:38 2005: DEBUG: Packet dump:
>
> Thanks,
>
> Richard Smit
> HES Amsterdam
>
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Tuesday 8 November 2005 3:50
> To: Richard Smit
> Cc: radiator at open.com.au
> Subject: Re: TTLS problem
>
> Hello Richard,
>
> What appears to be happening is this:
>
> 1. AP sends an Access-Request with the EAP identity.
> 2. Radiator sends an Access-Challenge with EAP message saying 'go ahead with
> TTLS'
> 3. AP retransmits (with same identifier) the request from 1 above.
>
> This indicates some sort of problem with the configuration or behaviour of the
> AP. Perhaps the Access-Challenge is not getting through some port/address
> filter in or before the AP? Perhaps there is a bug in the AP firmware?
> Anyway, Radiator appears to be behaving correctly, and this is confirmed by
> your report that it worked OK without WDS.
>
> Hope that helps.
>
> Cheers.
>
> On Tuesday 08 November 2005 00:16, Richard Smit wrote:
> > Hey all,
> >
> > I have a problem. I'm trying to set up the radius server so it can handle
> > EAP-TTLS access requests.
> > We're using Cisco APs with a WDS AP. I did set up a test without a WDS
> > (Wireless Domain Server) and it worked but now I have a problem I don't
> > understand.
> > When reading the log file it seems that it is looping.
> >
> > The server is running on windows 2003
> > I have installed
> > Digest::MD5
> > Net::SSLeay
> > Digest::SHA1
> > Digest::HMAC
> > Digest::MD4
> >
> > Hope someone can help....
> >
> > Greetz,
> >
> > Richard Smit
> > HES Amsterdam
>
> > ============================================================================
> > Logfile sample
> > ============================================================================
> >
> > Mon Nov 7 15:01:36 2005: DEBUG: Finished reading configuration file
> > 'C:\Program Files\Radiator\radius.cfg'
> > Mon Nov 7 15:01:36 2005: DEBUG: Reading dictionary file 'c:/Program
> > Files/Radiator/dictionary'
> > Mon Nov 7 15:01:37 2005: DEBUG: Creating authentication port
> > 0.0.0.0:1645
> > Mon Nov 7 15:01:37 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> > Mon Nov 7 15:01:37 2005: NOTICE: Server started: Radiator 3.13 on
> > radius02
> > Mon Nov 7 15:02:48 2005: DEBUG: Packet dump:
> > *** Received from XX.XX.XX.XX port 1645 ....
> >
> > Packet length = 150
> > 01 f3 00 96 a9 73 25 37 eb bc 9f 3f cd 2f 26 e9
> > c4 c9 53 0b 01 0f 73 6d 69 40 68 65 73 61 73 64
> > 2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
> > 36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
> > 34 62 37 34 2e 62 36 66 63 06 06 00 00 00 01 50
> > 12 eb 62 e0 3e 22 38 34 0e e7 d8 7d 63 81 80 bc
> > b0 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
> > 73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 65
> > da 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
> > 53 65 72 76 65 72
> > Code: Access-Request
> > Identifier: 243
> > Authentic: <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> > Attributes:
> > User-Name = "smi at adomain.com"
> > Framed-MTU = 1400
> > Called-Station-Id = "0013.607c.9d6d"
> > Calling-Station-Id = "0090.4b74.b6fc"
> > Service-Type = Login-User
> > Message-Authenticator =
> > <235>b<224>>"84<14><231><216>}c<129><128><188><176>
> > EAP-Message = <2><2><0><18><1>smi at adomain.com
> > NAS-Port-Type = Wireless-IEEE-802-11
> > NAS-Port = 2713050
> > NAS-IP-Address = XX.XX.XX.XX
> > NAS-Identifier = "Ap-WDS-Server"
> >
> > Mon Nov 7 15:02:48 2005: DEBUG: Handling request with Handler
> > 'Realm=adomain.com'
> > Mon Nov 7 15:02:48 2005: DEBUG: Rewrote user name to smi at adomain.com
> > Mon Nov 7 15:02:48 2005: DEBUG: Rewrote user name to smi at adomain.com
> > Mon Nov 7 15:02:48 2005: DEBUG: Rewrote user name to smi
> > Mon Nov 7 15:02:48 2005: DEBUG: Deleting session for smi at adomain.com,
> > XX.XX.XX.XX, 2713050
> > Mon Nov 7 15:02:48 2005: DEBUG: Handling with Radius::AuthFILE:
> > Mon Nov 7 15:02:48 2005: DEBUG: Handling with EAP: code 2, 2, 18
> > Mon Nov 7 15:02:48 2005: DEBUG: Response type 1
> > Mon Nov 7 15:02:48 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
> > Mon Nov 7 15:02:48 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS
> > Challenge
> > Mon Nov 7 15:02:48 2005: DEBUG: Access challenged for smi: EAP TTLS
> > Challenge
> > Mon Nov 7 15:02:48 2005: DEBUG: Packet dump:
> > *** Sending to XX.XX.XX.XX port 1645 ....
> >
> > Packet length = 46
> > 0b f3 00 2e af e5 76 5a 82 e4 10 35 cf f5 e0 9b
> > 95 b7 8c 3e 4f 08 01 03 00 06 15 20 50 12 07 dc
> > 61 e9 2c 32 88 4c 44 ac c1 91 df 53 d9 84
> > Code: Access-Challenge
> > Identifier: 243
> > Authentic: <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> > Attributes:
> > EAP-Message = <1><3><0><6><21>
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Mon Nov 7 15:02:54 2005: DEBUG: Packet dump:
> > *** Received from XX.XX.XX.XX port 1645 ....
> >
> > Packet length = 150
> > 01 f3 00 96 a9 73 25 37 eb bc 9f 3f cd 2f 26 e9
> > c4 c9 53 0b 01 0f 73 6d 69 40 68 65 73 61 73 64
> > 2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
> > 36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
> > 34 62 37 34 2e 62 36 66 63 06 06 00 00 00 01 50
> > 12 eb 62 e0 3e 22 38 34 0e e7 d8 7d 63 81 80 bc
> > b0 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
> > 73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 65
> > da 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
> > 53 65 72 76 65 72
> > Code: Access-Request
> > Identifier: 243
> > Authentic: <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> > Attributes:
> > User-Name = "smi at adomain.com"
> > Framed-MTU = 1400
> > Called-Station-Id = "0013.607c.9d6d"
> > Calling-Station-Id = "0090.4b74.b6fc"
> > Service-Type = Login-User
> > Message-Authenticator =
> > <235>b<224>>"84<14><231><216>}c<129><128><188><176>
> > EAP-Message = <2><2><0><18><1>smi at adomain.com
> > NAS-Port-Type = Wireless-IEEE-802-11
> > NAS-Port = 2713050
> > NAS-IP-Address = XX.XX.XX.XX
> > NAS-Identifier = "Ap-WDS-Server"
> >
> > Mon Nov 7 15:02:54 2005: DEBUG: Handling request with Handler
> > 'Realm=adomain.com'
> > Mon Nov 7 15:02:54 2005: DEBUG: Rewrote user name to smi at adomain.com
> > Mon Nov 7 15:02:54 2005: DEBUG: Rewrote user name to smi at adomain.com
> > Mon Nov 7 15:02:54 2005: DEBUG: Rewrote user name to smi
> > Mon Nov 7 15:02:54 2005: DEBUG: Deleting session for smi at adomain.com,
> > XX.XX.XX.XX, 2713050
> > Mon Nov 7 15:02:54 2005: DEBUG: Handling with Radius::AuthFILE:
> > Mon Nov 7 15:02:54 2005: DEBUG: Handling with EAP: code 2, 2, 18
> > Mon Nov 7 15:02:54 2005: DEBUG: Response type 1
> > Mon Nov 7 15:02:54 2005: DEBUG: Resuming session for
> > Radius::Context=HASH(0x1f09ac4)
> >
> > Mon Nov 7 15:02:54 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
> > Mon Nov 7 15:02:54 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS
> > Challenge
> > Mon Nov 7 15:02:54 2005: DEBUG: Access challenged for smi: EAP TTLS
> > Challenge
> > Mon Nov 7 15:02:54 2005: DEBUG: Packet dump:
> > *** Sending to XX.XX.XX.XX port 1645 ....
> >
> > Packet length = 46
> > 0b f3 00 2e af e5 76 5a 82 e4 10 35 cf f5 e0 9b
> > 95 b7 8c 3e 4f 08 01 03 00 06 15 20 50 12 07 dc
> > 61 e9 2c 32 88 4c 44 ac c1 91 df 53 d9 84
> > Code: Access-Challenge
> > Identifier: 243
> > Authentic: <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> > Attributes:
> > EAP-Message = <1><3><0><6><21>
> > Message-Authenticator =
> > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Mon Nov 7 15:02:59 2005: DEBUG: Packet dump:
> > *** Received from XX.XX.XX.XX port 1645 ....
> >
> > Packet length = 150
> > 01 f3 00 96 a9 73 25 37 eb bc 9f 3f cd 2f 26 e9
> > c4 c9 53 0b 01 0f 73 6d 69 40 68 65 73 61 73 64
> > 2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
> > 36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
> > 34 62 37 34 2e 62 36 66 63 06 06 00 00 00 01 50
> > 12 eb 62 e0 3e 22 38 34 0e e7 d8 7d 63 81 80 bc
> > b0 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
> > 73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 65
> > da 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
> > 53 65 72 76 65 72
> > Code: Access-Request
> > Identifier: 243
> > Authentic: <169>s%7<235><188><159>?<205>/&<233><196><201>S<11>
> > Attributes:
> > User-Name = "smi at adomain.com"
> > Framed-MTU = 1400
> > Called-Station-Id = "0013.607c.9d6d"
> > Calling-Station-Id = "0090.4b74.b6fc"
> > Service-Type = Login-User
> > Message-Authenticator =
> > <235>b<224>>"84<14><231><216>}c<129><128><188><176>
> > EAP-Message = <2><2><0><18><1>smi at adomain.com
> > NAS-Port-Type = Wireless-IEEE-802-11
> > NAS-Port = 2713050
> > NAS-IP-Address = XX.XX.XX.XX
> > NAS-Identifier = "Ap-WDS-Server"
> >
> > Mon Nov 7 15:02:59 2005: DEBUG: Handling request with Handler
> > 'Realm=adomain.com'
> > Mon Nov 7 15:02:59 2005: DEBUG: Rewrote user name to smi at adomain.com
> > Mon Nov 7 15:02:59 2005: DEBUG: Rewrote user name to smi at adomain.com
> > Mon Nov 7 15:02:59 2005: DEBUG: Rewrote user name to smi
> > Mon Nov 7 15:02:59 2005: DEBUG: Deleting session for smi at adomain.com,
> > XX.XX.XX.XX, 2713050
> > Mon Nov 7 15:02:59 2005: DEBUG: Handling with Radius::AuthFILE:
> > Mon Nov 7 15:02:59 2005: DEBUG: Handling with EAP: code 2, 2, 18
> > Mon Nov 7 15:02:59 2005: DEBUG: Response type 1
> > Mon Nov 7 15:02:59 2005: DEBUG: Resuming session for
> > Radius::Context=HASH(0x1f09ac4)
> >
> > Mon Nov 7 15:02:59 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
> > Mon Nov 7 15:02:59 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS
> > Challenge
> > Mon Nov 7 15:02:59 2005: DEBUG: Access challenged for smi: EAP TTLS
> > Challenge
> > Mon Nov 7 15:02:59 2005: DEBUG: Packet dump:
>
> ========================================================================
>
> > ====
> > CONFIG
>
> ========================================================================
>
> > ====
> >
> > Foreground
> > LogStdout
> > LogDir c:/Program Files/Radiator
> > DbDir c:/Program Files/Radiator
> > LogFile c:/Program Files/Radiator/logfile.log
> >
> > # Use the following UDP ports
> >
> > #AuthPort 1645
> > #AcctPort 1646
> >
> > # This will log at DEBUG level: very verbose
> > # User a lower trace level in production systems, typically use 3
> > Trace 5
> >
> > # You will probably want to add other Clients to suit your site,
> > # one for each NAS you want to work with. This will work
> > # at least with radpwtst running on the local machine
> >
> > <Client DEFAULT>
> > Secret <Secret>
> > IgnoreAcctSignature
> > # <-- had to set this one because it gave the msg:
> > #     BAD EAP MESSAGE-AUTHENTICATOR
> > # DupInterval 0
> > </Client>
> >
> > <Client 145.28.2.22>
> > Secret <secret>
> > </Client>
> >
> > <Realm hesasd.nl>
> > # This one translates all uppercase chars to lowercase
> > RewriteUsername tr/[A-Z]/[a-z]/
> > # Take the realm from the request for further processing
> > RewriteUsername s/^(.*)\\(.*)/$2\@$1/
> > RewriteUsername s/^([^@]+).*/$1/
> > AcctLogFileName C:/Program Files/Radiator/logfile.log
> >
> > <AuthBy FILE>
> > Filename c:/program files/Radiator/users
> > EAPType TTLS
> > EAPTLS_CAFile c:/certs/root/root-cert.pem
> > EAPTLS_CertificateFile c:/certs/server/servercert.pem
> > EAPTLS_CertificateType PEM
> > EAPTLS_PrivateKeyFile c:/certs/server/serverkey.pem
> > EAPTLS_PrivateKeyPassword <secret>
> > EAPTLS_MaxFragmentSize 1024
> > AutoMPPEKeys
> > </AuthBy>
> > </Realm>
> >
> > # Authenticate all realms with this
> > <Realm DEFAULT>
> > # Look up user details in a flat file
> > <AuthBy FILE>
> > # %D is replaced by DbDir above
> > Filename %D/users
> > </AuthBy>
> >
> > # Log accounting to a detail file. %D is replaced by DbDir above
> > AcctLogFileName %D/detail
> > </Realm>
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
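Mike's diagnosis at the top of the thread (a "Bad EAP Message-Authenticator" warning caused by a wrong shared secret for client 145.28.53.217) can be reproduced on the Access-Request Richard dumped. The following is an added example, not Radiator code or anything posted in the thread: it parses the 150-byte packet quoted above, recomputes the RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the shared secret over the packet with that attribute zeroed) and shows the check failing whenever the server's secret differs from the one the NAS used. The client's real secret is not on the page, so every secret used with the packet here is a constructed placeholder.

```python
import hashlib
import hmac
# Access-Request as dumped in the thread (identifier 232, 150 bytes); the client's
# real shared secret is not on the page, so secrets used with it here are constructed.
PACKET_HEX = """
01 e8 00 96 86 e0 51 1b c1 95 5e 09 80 7f 2c b0
84 4c d6 c5 01 0f 73 6d 69 40 68 65 73 61 73 64
2e 6e 6c 0c 06 00 00 05 78 1e 10 30 30 31 33 2e
36 30 37 63 2e 39 64 36 64 1f 10 30 30 39 30 2e
34 62 37 34 2e 63 32 35 33 06 06 00 00 00 01 50
12 e6 9f 24 e4 59 49 e1 b5 cb 76 a0 65 75 fe 58
44 4f 14 02 02 00 12 01 73 6d 69 40 68 65 73 61
73 64 2e 6e 6c 3d 06 00 00 00 13 05 06 00 29 66
d7 04 06 91 1c 35 d9 20 0f 41 70 2d 57 44 53 2d
53 65 72 76 65 72
"""
PACKET = bytes.fromhex(PACKET_HEX)
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80  # RFC 2865/2869 types

def parse_attributes(packet):
    """[(type, offset of value, value)] from the TLVs after the 20-byte header."""
    attrs, pos = [], 20  # header: code, identifier, length, Request Authenticator
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def _hmac_md5(packet, off, secret):
    """HMAC-MD5 keyed with the shared secret over the packet with the 16-byte
    Message-Authenticator value zeroed (RFC 2869 s.5.14, Access-Request case)."""
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def message_authenticator_ok(packet, secret):
    """The server-side check behind the WARNING: attribute present and matching."""
    for atype, off, value in parse_attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            return hmac.compare_digest(_hmac_md5(packet, off, secret), value)
    return False

def sign_access_request(packet, secret):
    """What the NAS does before sending: fill the attribute in under its secret."""
    for atype, off, _ in parse_attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR:
            return packet[:off] + _hmac_md5(packet, off, secret) + packet[off + 16:]
    raise ValueError("no Message-Authenticator attribute")
```

Decoding the dump also shows the NAS-IP-Address attribute carries 145.28.53.217, so the `<Client>` clause that must hold the matching Secret is the one for that address, not DEFAULT.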