(RADIATOR) TLS/TTLS hanging & timing out....

[Larry ONeill]

Hi,
    I have been having some trouble with getting EAP-TTLS off the
ground. I can get MD5-Challenge to work fine, but anytime I've tried to
get TTLS working it hangs. If anyone could give me a suggestion as to
where I can look next for the source of the failure I would really
appreciate it.

thanks
Larry O'Neill
UCD Computing Services

Details:

Behaviour(SecureW2):
I double click on the connection to activate it.
It opens.
After 45 packets are sent out, a message appears asking me to "click
here to input user credentials" I click on it.
A window pops up prompting me to put in the username and password and
domain. I enter the username and password and hit "OK"
The switch behaves as expected, giving appropriate debug information,
with no errors.
Radius does similar.
The last thing that Radius logs is sending the certificate.
The supplicant times out after about a minute, and tells me that
authentication fails.
The switch reports about 4 more lines indicating termination of the AAA
session/dot1x session. 

With AEGIS SecureConnect I get similar behaviour, and nothing in the log
files for either SecureW2 or AEGIS SecureConnect show any errors.

Client:  Windows xp on Dell optiplex with wired Broadcom NetXtreme 57xx
Gigabit Controller, static ip address of 192.168.1.5, no firewall
options enabled.
         I have so far tried to get this to work with SecureW2 and with
AEGIS SecureConect, and both exhibit similar behaviour, details of my
SecureW2 stuff is at http://www.securew2.com/uk/forum/viewtopic.php?t=379


Switch: Cisco Catalyst 2950 series, IOS 12.1(6)EA2a
ip: 192.168.1.3
dot1x access control enabled on the FastEthernet port the client is
plugged into.
configured to telk to radius server 192.168.1.6 on ports 1812 and 1813
for authentication and accounting respectively.
debugging is enabled for:
   aaa authentication
   dot1x backend
   radius
this is being monitored over the console.
an example of the debug information is given below.

23:58:33: AAA/AUTHEN (622515589): status = GETDATA
23:58:33: dot1x-backend(Fa0/3): [60] cont_login returned GETDATA
23:59:03: dot1x-backend(Fa0/3): [60] cleaning up AAA context (abort)
23:59:03: AAA/AUTHEN/ABORT: (622515589) because 802.1X ABORT.
23:59:03: AAA/MEMORY: free_user (0x80DF41A4) user='anonymous' ruser=''
port='Fas
tEthernet0/3' rem_addr='00-14-22-2E-6C-19' authen_type=EAP
service=802.1x priv=1

23:59:04: dot1x-backend(Fa0/3): [60] starting aaa sequence
23:59:04: dot1x-backend(Fa0/3): [60] relaying EAP data from supplicant
23:59:04: dot1x-backend(Fa0/3): [60] starting login
23:59:04: dot1x-backend(Fa0/3): [60] login FAIL - no username 


Radius: Radiator on FedoraCore5, 
I have tried this with the Demo certificates supplied, and with
Certificates Written by a colleague of mine, with the same results in
both cases...
config as follows:
[radius.cfg]

# trying to get TTLS working
Foreground
LogStdout
LogDir /etc/radiator
DbDir /etc/radiator

# This will log at DEBUG level: very verbose
# User a lower trace level in production systems, typically use 3
Trace 4

# Listen on standard and original ports
# added by larry 03/07/06
AuthPort 1812,1645
AcctPort 1813,1646

# commented out the following 4 lines.... 19/07/06 at 11:26
#<Client DEFAULT>
# Secret mysecret
# DupInterval 0
#</Client>

# This machine
<Client localhost>
Secret xxxxxxxxx
DupInterval 0
</Client>

# The switch sitting under my desk...
<Client 192.168.1.3>
Secret xxxxxxxxxxxx
</Client>

# Look up user details in a flat file
<AuthBy FILE>
Identifier TestTTLS
# %D is replaced by DbDir above
Filename %D/users
EAPType TTLS, PAP

EAPTLS_CAFile %D/certificates/CA/cacert.crt
EAPTLS_CertificateFile %D/certificates/UCDcert.der
EAPTLS_CertificateType ASN1
EAPTLS_PrivateKeyFile %D/certificates/UCDcert.key
#EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
</AuthBy>

<AuthBy FILE>
Identifier TestRAD-File
Filename %D/users
EAPType PAP
</AuthBy>

# Authenticate all realms with this
<Realm DEFAULT>
AuthBy TestTTLS
AcctLogFileName %D/detail
</Realm>

[/radius.cfg]