(RADIATOR) TTLS and OpenSSL error

Mike McCauley mikem at open.com.au
Thu Oct 13 07:33:56 CDT 2005


Hello Richard,

On Thursday 13 October 2005 22:12, Richard Smit wrote:
> Mike,
>
> Thanks, you fixed the problem. It was the version of openssl.
> The reason I didn't downgrade the version of openssl was that on the
> site of Shining Light the version 0.9.8 was recommended by the creators
> of openssl and 0.9.7g was not. So.... stupid me.
>
> Thanks for your help. Now I can make my deadline....

Good news. Thanks for the feedback, and we have changed the FAQ to reflect 
that.

Cheers.

>
> Richard Smit
> HES Amsterdam
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Thursday 13 October 2005 12:36
> To: Richard Smit
> Cc: radiator at open.com.au; Martijn Balink
> Subject: Re: (RADIATOR) TTLS and OpenSSL error
>
> Hello Richard,
>
> On Thursday 13 October 2005 20:15, Richard Smit wrote:
> > I installed NET_SSLeay.pm.ppd the way the faq you sent me described.
> > Version conflict is a possibility.
> >
> > Here is a trace level 5 log file.
>
> Thank you, that helps a lot.
>
> I suggest now that you install Win32 OpenSSL v0.9.7g from shining light
> instead of 0.9.8.
>
> Cheers.
>
> > Thanks,
> >
> > Richard
> >
> >
> > -----Original Message-----
> > From: Mike McCauley [mailto:mikem at open.com.au]
> > Sent: Thursday 13 October 2005 12:09
> > To: Richard Smit
> > Cc: radiator at open.com.au; Martijn Balink
> > Subject: Re: (RADIATOR) TTLS and OpenSSL error
> >
> > Hello Richard,
> >
> > On Thursday 13 October 2005 19:42, Richard Smit wrote:
> > > Mike,
> > >
> > > Sorry, I did follow the faq file and installed the NET_SSLeay.pm.ppd
> > > But I still get the same error. I restarted the service but no it
> > > didn't work.
> >
> > How did you install NET_SSLeay.pm.ppd?
> >
> > > I think openSSL and NET_SSLeay are responding because the error
> > > tells us that I call a function I should not call. I tried to find
> > > info about the error number but that didn't return any info.
> >
> > I think that NET_SSLeay is not installed properly.
> > Or perhaps NET_SSLeay is not compatible with whatever version of
> > OpenSSL you have installed.
> >
> > In any case we need to see the new Radiator log file at trace level 4.
> >
> > Cheers.
> >
> > > Thanks
> > >
> > > Richard
> > >
> > > -----Original Message-----
> > > From: Mike McCauley [mailto:mikem at open.com.au]
> > > Sent: Thursday 13 October 2005 10:34
> > > To: Richard Smit
> > > Cc: radiator at open.com.au; Martijn Balink
> > > Subject: Re: (RADIATOR) TTLS and OpenSSL error
> > >
> > > Hello Richard,
> > >
> > > On Thursday 13 October 2005 18:23, Richard Smit wrote:
> > > > Mike,
> > > >
> > > > I use active perl 5.6.1 and win32_openssl 0.9.8
> > > > PPM? Don't know. I just placed the .pm files.
> > >
> > > So did you follow the instructions at
> > > http://www.open.com.au/radiator/faq.html#141
> > >
> > > That should get you working.
> > >
> > > Cheers.
> > >
> > > > Regards,
> > > >
> > > > Richard Smit
> > > > HES Amsterdam
> > > >
> > > > -----Original Message-----
> > > > From: Mike McCauley [mailto:mikem at open.com.au]
> > > > Sent: Thursday 13 October 2005 9:36
> > > > To: Richard Smit
> > > > Cc: radiator at open.com.au; Martijn Balink
> > > > Subject: Re: (RADIATOR) TTLS and OpenSSL error
> > > >
> > > > Hello Richard,
> > > >
> > > > On Thursday 13 October 2005 17:21, Richard Smit wrote:
> > > > > To all,
> > > > >
> > > > >
> > > > >
> > > > > I have a problem with TTLS authentication and Radiator. I have
> > > > > installed openssl and the modules from CPAN.
> > > > >
> > > > >
> > > > >
> > > > >             *           Net_SSLeay     v1.25
> > > > >
> > > > >             *           Digest-SHA1     v2.10
> > > > >
> > > > >             *           Digest-HMAC    v1.01
> > > >
> > > > Did you compile these yourself, or install with PPM?
> > > >
> > > > > I get an error that I'm calling a module I should not call?? I'm
> > > > > running the Radiator server on Windows 2003.
> > > >
> > > > Have you installed the Win32  OpenSSL as described in
> > > > http://www.open.com.au/radiator/faq.html#141
> > > > What version of Win32_OpenSSL have you installed?
> > > >
> > > > Are you using ActivePerl? What version?
> > > >
> > > > Cheers.
> > > >
> > > > > I hope someone knows the problem and can help me.
> > > > >
> > > > >
> > > > >
> > > > > Regards,
> > > > >
> > > > >
> > > > >
> > > > > Richard Smit
> > > > >
> > > > > HES Amsterdam
> > > > >
> > > > >
> > > > >
> > > > > ========================LOG========================
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > Code:       Access-Request
> > > > >
> > > > > Identifier: 151
> > > > >
> > > > > Authentic:  <214><21><163><204><229>w>]Rv{<210><153><221><190><0>
> > > > >
> > > > > Attributes:
> > > > >
> > > > >             User-Name = "smi at heseduroam.nl"
> > > > >
> > > > >             Framed-MTU = 1400
> > > > >
> > > > >             Called-Station-Id = "0014.a824.c0c0"
> > > > >
> > > > >             Calling-Station-Id = "0090.4b74.c253"
> > > > >
> > > > >             Service-Type = Login-User
> > > > >
> > > > >             Message-Authenticator =
> > > > > <159>.p<156><245><20><26>c5T<184><150><4>^<16>
> > > > >
> > > > >             EAP-Message =
> > > > > <2><6><0>W<21><128><0><0><0>M<23><3><1><0>H<30>q<202><130><222><195><184><197><8><233><184><141><152>O<240>qz&<211><159><245>N<160><219>t<14><188>N<231><170><208><149><185><136><191>~>HA<206>QH_<207><245><206><170>2<229><237><130>%u<152><152><203><252>yA<206><179><135>'<143><1><238>-.<163><196><23><247>
> > > > >
> > > > >             NAS-Port-Type = Wireless-IEEE-802-11
> > > > >
> > > > >             NAS-Port = 322
> > > > >
> > > > >             NAS-IP-Address = xx.xx.xx.xx
> > > > >
> > > > >
> > > > >
> > > > > Wed Oct  5 13:51:25 2005: DEBUG: Handling request with Handler
> > > > > 'Realm=DEFAULT'
> > > > >
> > > > > Wed Oct  5 13:51:25 2005: DEBUG: Rewrote user name to smi at heseduroam.nl
> > > > >
> > > > > Wed Oct  5 13:51:25 2005: DEBUG: Rewrote user name to smi at heseduroam.nl
> > > > >
> > > > > Wed Oct  5 13:51:25 2005: DEBUG: Rewrote user name to smi
> > > > >
> > > > > Wed Oct  5 13:51:25 2005: DEBUG:  Deleting session for
> > > > > smi at heseduroam.nl, xx.xx.xx.xx, 322
> > > > >
> > > > > Wed Oct  5 13:51:25 2005: DEBUG: Handling with Radius::AuthFILE:
> > > > >
> > > > > Wed Oct  5 13:51:25 2005: DEBUG: Handling with EAP: code 2, 6, 87
> > > > >
> > > > > Wed Oct  5 13:51:25 2005: DEBUG: Response type 21
> > > > >
> > > > > Wed Oct  5 13:51:25 2005: DEBUG: EAP TTLS data, 3, 6, 5
> > > > >
> > > > > Wed Oct  5 13:51:25 2005: DEBUG: EAP result: 1, EAP TLS read failed:
> > > > > 3804: 1 - error:140D5042:SSL routines:SSL3_CTRL:called a function you
> > > > > should not call
> > > > >
> > > > > Wed Oct  5 13:51:25 2005: DEBUG: AuthBy FILE result: REJECT, EAP TLS
> > > > > read failed:  3804: 1 - error:140D5042:SSL routines:SSL3_CTRL:called a
> > > > > function you should not call
> > > > >
> > > > > Wed Oct  5 13:51:25 2005: INFO: Access rejected for smi: EAP TLS read
> > > > > failed:  3804: 1 - error:140D5042:SSL routines:SSL3_CTRL:called a
> > > > > function you should not call
> > > > >
> > > > >
> > > > >
> > > > > Wed Oct  5 13:51:25 2005: DEBUG: Packet dump:
> > > > >
> > > > > *** Sending to 145.28.33.100 port 1645 ....
> > > > >
> > > > >
> > > > >
> > > > > Packet length = 60
> > > > >
> > > > > 03 97 00 3c 31 90 d9 5e 74 2f a5 a0 4f bb ad 7e
> > > > >
> > > > > 10 40 33 91 4f 06 04 06 00 04 50 12 b0 c1 d2 c0
> > > > >
> > > > > 62 ad e9 9a d4 d9 33 31 33 68 b4 6b 12 10 52 65
> > > > >
> > > > > 71 75 65 73 74 20 44 65 6e 69 65 64
> > > > >
> > > > > Code:       Access-Reject
> > > > >
> > > > > Identifier: 151
> > > > >
> > > > > Authentic:  <214><21><163><204><229>w>]Rv{<210><153><221><190><0>
> > > > >
> > > > > Attributes:
> > > > >
> > > > >             EAP-Message = <4><6><0><4>
> > > > >
> > > > >             Message-Authenticator =
> > > > > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > > > >
> > > > >             Reply-Message = "Request Denied"
> > > > >
> > > > >
> > > > >
> > > > > ========================CFG========================
> > > > >
> > > > >
> > > > >
> > > > > # windows.cfg
> > > > >
> > > > > #
> > > > >
> > > > > # Example Radiator configuration file.
> > > > >
> > > > > # This very simple file will allow you to get started with
> > > > >
> > > > > # a simple system on Windows. You can then add and change features.
> > > > >
> > > > > # We suggest you start simple, prove to yourself that it
> > > > >
> > > > > # works and then develop a more complicated configuration.
> > > > >
> > > > > #
> > > > >
> > > > > # This example is expected to be installed in
> > > > >
> > > > > #   c:\Program Files\Radiator\radius.cfg
> > > > >
> > > > > # It will authenticate from a standard users file in
> > > > >
> > > > > #   c:\Program Files\Radiator\users
> > > > >
> > > > > # it will log debug and other messages to
> > > > >
> > > > > #   c:\Program Files\Radiator\logfile
> > > > >
> > > > > # and log accounting to a file in
> > > > >
> > > > > #   c:\Program Files\Radiator\detail
> > > > >
> > > > > # (of course you can change all these by editing this config file if you wish)
> > > > >
> > > > > #
> > > > >
> > > > > # It will accept requests from any client and try to handle requests
> > > > >
> > > > > # for any realm.
> > > > >
> > > > > # And it will print out what it's doing in great detail to the log file.
> > > > >
> > > > > #
> > > > >
> > > > > # See radius.cfg for more complete examples of features and
> > > > >
> > > > > # syntax, and refer to the reference manual for a complete description
> > > > >
> > > > > # of all the features and syntax.
> > > > >
> > > > > #
> > > > >
> > > > > # You should consider this file to be a starting point only
> > > > >
> > > > > # $Id: windows.cfg,v 1.1 2003/03/27 09:41:28 mikem Exp $
> > > > >
> > > > >
> > > > >
> > > > > # AuthPort specifies the port to listen on for authentication requests
> > > > >
> > > > > # Can be a numeric port number or a service name from /etc/services
> > > > >
> > > > > # Defaults to 1645
> > > > >
> > > > > AuthPort    1645
> > > > >
> > > > >
> > > > >
> > > > > # AcctPort specifies the port to listen on for accounting requests
> > > > >
> > > > > # Can be a numeric port number or a service name from /etc/services
> > > > >
> > > > > # Defaults to 1646
> > > > >
> > > > > AcctPort    1646
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > Foreground
> > > > >
> > > > > LogStdout
> > > > >
> > > > > LogDir            c:/Program Files/Radiator/log
> > > > >
> > > > > DbDir       c:/Program Files/Radiator
> > > > >
> > > > >
> > > > >
> > > > > LogFile           c:/Program Files/Radiator/log/radius.log
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > # This will log at DEBUG level: very verbose
> > > > >
> > > > > # Use a lower trace level in production systems, typically use 3
> > > > >
> > > > > Trace             4
> > > > >
> > > > >
> > > > >
> > > > > # You will probably want to add other Clients to suit your site,
> > > > >
> > > > > # one for each NAS you want to work with. This will work
> > > > >
> > > > > # at least with radpwtst running on the local machine
> > > > >
> > > > >
> > > > >
> > > > > #########################################
> > > > >
> > > > > # clients
> > > > >
> > > > > #########################################
> > > > >
> > > > >
> > > > >
> > > > > <Client xx.xx.xx.xx>
> > > > >
> > > > >       Secret      <remove>
> > > > >
> > > > > </Client>
> > > > >
> > > > >
> > > > >
> > > > > <Client xx.xx.xx.xx>
> > > > >
> > > > >       Secret      <remove>
> > > > >
> > > > > </Client>
> > > > >
> > > > >
> > > > >
> > > > > <Client xx.xx.xx.xx>
> > > > >
> > > > >       Secret      <remove>
> > > > >
> > > > > </Client>
> > > > >
> > > > >
> > > > >
> > > > > <Client xx.xx.xx.xx>
> > > > >
> > > > >       Secret      <remove>
> > > > >
> > > > > </Client>
> > > > >
> > > > >
> > > > >
> > > > > <Client xx.xx.xx.xx>
> > > > >
> > > > >       Secret      <remove>
> > > > >
> > > > > </Client>
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > #########################################
> > > > >
> > > > > # realms
> > > > >
> > > > > #########################################
> > > > >
> > > > >
> > > > >
> > > > > # Authenticate all realms with this
> > > > >
> > > > > <Realm DEFAULT>
> > > > >
> > > > >       # This one translates all uppercase chars to lowercase
> > > > >
> > > > >       RewriteUsername   tr/[A-Z]/[a-z]/
> > > > >
> > > > >       # Extract the realm from the request for further processing
> > > > >
> > > > >       RewriteUsername s/^(.*)\\(.*)/$2\@$1/
> > > > >
> > > > >       RewriteUsername   s/^([^@]+).*/$1/
> > > > >
> > > > >       AcctLogFileName C:/Program Files/Radiator/log/test.log
> > > > >
> > > > >
> > > > >
> > > > >       <AuthBy FILE>
> > > > >
> > > > >             EAPType TTLS
> > > > >
> > > > >             EAPTLS_CAFile c:/openssl/bin/root/root.pem
> > > > >
> > > > >             EAPTLS_CertificateFile c:/openssl/bin/server/server.pem
> > > > >
> > > > >             EAPTLS_CertificateType PEM
> > > > >
> > > > >             EAPTLS_PrivateKeyFile c:/openssl/bin/server/server.pem
> > > > >
> > > > >             EAPTLS_PrivateKeyPassword <remove>
> > > > >
> > > > >             EAPTLS_MaxFragmentSize 1024
> > > > >
> > > > >             AutoMPPEKeys
> > > > >
> > > > >             Filename  c:/program files/Radiator/bnksmi.txt
> > > > >
> > > > >       </AuthBy>
> > > > >
> > > > > </Realm>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
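
Added example (not part of the original thread, and not Radiator or OpenSSL code): the error number in the quoted log, 140D5042, is a packed OpenSSL error code, and decoding it shows which library, function and reason produced the reject. The sketch assumes the pre-3.0 OpenSSL packing; the names decode and triage and the rejoined sample line are constructed for illustration.

```python
import re

# OpenSSL before 3.0 packs an error as lib (8 bits), func (12 bits), reason (12 bits).
# Generic ERR_R_* reasons (openssl/err.h) are raised by the library itself rather
# than by a TLS protocol failure.
GENERIC_REASONS = {
    65: "malloc failure",
    66: "called a function you should not call",
    67: "passed a null parameter",
    68: "internal error",
}

# Matches the text form written by ERR_error_string(): error:CODE:lib:func:reason
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode(code):
    """Split a packed pre-3.0 OpenSSL error code into its numeric fields."""
    return {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
    }


def triage(line):
    """Return the decoded error carried by a log line, or None if there is none."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    info = decode(int(m.group(1), 16))
    info["lib_name"] = m.group(2)
    info["func_name"] = m.group(3)
    info["text"] = m.group(4).strip()
    # A generic reason is reported by the library about its own use, not about
    # the peer; in this thread the fix was changing the installed OpenSSL version.
    info["library_level"] = info["reason"] in GENERIC_REASONS
    return info


# Constructed sample: one line without an error, and the thread's rejected-request
# line with its mail-wrapped pieces rejoined.
SAMPLE_LOG = [
    "Wed Oct  5 13:51:25 2005: DEBUG: Response type 21",
    "Wed Oct  5 13:51:25 2005: INFO: Access rejected for smi: EAP TLS read failed:"
    "  3804: 1 - error:140D5042:SSL routines:SSL3_CTRL:called a function you should not call",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```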

