(RADIATOR) TLS/TTLS hanging & timing out....

Hugh Irvine hugh at open.com.au
Tue Aug 8 18:52:36 CDT 2006


Hello Larry -

The usual cause of this sort of behaviour is that the supplicant doesn't like
the certificate for some reason.

The usual reasons are:

1. supplicant does not have the root certificate of the CA that issued the
server cert.

2. The server cert does not have the 'act as a server' extension

3. The server cert is invalid (out of date etc).

hope that helps

regards

Hugh


On 9 Aug 2006, at 00:42, Larry ONeill wrote:

>
> Hi,
>     I have been having some trouble with getting EAP-TTLS off the
> ground. I can get MD5-Challenge to work fine, but anytime I've tried to
> get TTLS working it hangs. If anyone could give me a suggestion as to
> where I can look next for the source of the failure I would really
> appreciate it.
>
> thanks
> Larry O'Neill
> UCD Computing Services
>
> Details:
>
> Behaviour(SecureW2):
> I double click on the connection to activate it.
> It opens.
> After 45 packets are sent out, a message appears asking me to "click
> here to input user credentials" I click on it.
> A window pops up prompting me to put in the username and password and
> domain. I enter the username and password and hit "OK"
> The switch behaves as expected, giving appropriate debug information,
> with no errors.
> Radius does similar.
> The last thing that Radius logs is sending the certificate.
> The supplicant times out after about a minute, and tells me that
> authentication fails.
> The switch reports about 4 more lines indicating termination of the AAA
> session/dot1x session.
>
> With AEGIS SecureConnect I get similar behaviour, and nothing in the log
> files for either SecureW2 or AEGIS SecureConnect show any errors.
>
> Client: Windows XP on Dell OptiPlex with wired Broadcom NetXtreme 57xx
> Gigabit Controller, static IP address of 192.168.1.5, no firewall
> options enabled.
> I have so far tried to get this to work with SecureW2 and with
> AEGIS SecureConnect, and both exhibit similar behaviour; details of my
> SecureW2 stuff are at http://www.securew2.com/uk/forum/viewtopic.php?t=379
>
>
> Switch: Cisco Catalyst 2950 series, IOS 12.1(6)EA2a
> ip: 192.168.1.3
> dot1x access control enabled on the FastEthernet port the client is
> plugged into.
> configured to talk to radius server 192.168.1.6 on ports 1812 and 1813
> for authentication and accounting respectively.
> debugging is enabled for:
>    aaa authentication
>    dot1x backend
>    radius
> this is being monitored over the console.
> an example of the debug information is given below.
>
> 23:58:33: AAA/AUTHEN (622515589): status = GETDATA
> 23:58:33: dot1x-backend(Fa0/3): [60] cont_login returned GETDATA
> 23:59:03: dot1x-backend(Fa0/3): [60] cleaning up AAA context (abort)
> 23:59:03: AAA/AUTHEN/ABORT: (622515589) because 802.1X ABORT.
> 23:59:03: AAA/MEMORY: free_user (0x80DF41A4) user='anonymous' ruser='' port='FastEthernet0/3' rem_addr='00-14-22-2E-6C-19' authen_type=EAP service=802.1x priv=1
>
> 23:59:04: dot1x-backend(Fa0/3): [60] starting aaa sequence
> 23:59:04: dot1x-backend(Fa0/3): [60] relaying EAP data from supplicant
> 23:59:04: dot1x-backend(Fa0/3): [60] starting login
> 23:59:04: dot1x-backend(Fa0/3): [60] login FAIL - no username
>
>
> Radius: Radiator on Fedora Core 5.
> I have tried this with the demo certificates supplied, and with
> certificates written by a colleague of mine, with the same results in
> both cases...
> config as follows:
> [radius.cfg]
>
> # trying to get TTLS working
> Foreground
> LogStdout
> LogDir /etc/radiator
> DbDir /etc/radiator
>
> # This will log at DEBUG level: very verbose
> # Use a lower trace level in production systems, typically use 3
> Trace 4
>
> # Listen on standard and original ports
> # added by larry 03/07/06
> AuthPort 1812,1645
> AcctPort 1813,1646
>
> # commented out the following 4 lines.... 19/07/06 at 11:26
> #<Client DEFAULT>
> # Secret mysecret
> # DupInterval 0
> #</Client>
>
> # This machine
> <Client localhost>
> Secret xxxxxxxxx
> DupInterval 0
> </Client>
>
> # The switch sitting under my desk...
> <Client 192.168.1.3>
> Secret xxxxxxxxxxxx
> </Client>
>
> # Look up user details in a flat file
> <AuthBy FILE>
> Identifier TestTTLS
> # %D is replaced by DbDir above
> Filename %D/users
> EAPType TTLS, PAP
>
> EAPTLS_CAFile %D/certificates/CA/cacert.crt
> EAPTLS_CertificateFile %D/certificates/UCDcert.der
> EAPTLS_CertificateType ASN1
> EAPTLS_PrivateKeyFile %D/certificates/UCDcert.key
> #EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> </AuthBy>
>
> <AuthBy FILE>
> Identifier TestRAD-File
> Filename %D/users
> EAPType PAP
> </AuthBy>
>
> # Authenticate all realms with this
> <Realm DEFAULT>
> AuthBy TestTTLS
> AcctLogFileName %D/detail
> </Realm>
>
> [/radius.cfg]
> From log:
>
> Fri Aug 4 16:34:02 2006: DEBUG: Packet dump:
> *** Received from 192.168.1.3 port 1812 ....
> Code: Access-Request
> Identifier: 28
> Authentic: L<210><28><131><172> <172><13><236>T<177><243><11><203><172><22>
> Attributes:
> NAS-IP-Address = 192.168.1.3
> NAS-Port = 50003
> NAS-Port-Type = Ethernet
> User-Name = "mikem"
> Calling-Station-Id = "00-14-22-2E-6C-19"
> Service-Type = Framed-User
> EAP-Message = <2><1><0><10><1>mikem
> Message-Authenticator = N<139><179><224><19><179><127><217><139><16>W<130>]B=O
>
> Fri Aug 4 16:34:02 2006: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Fri Aug 4 16:34:02 2006: DEBUG: Deleting session for mikem, 192.168.1.3, 50003
> Fri Aug 4 16:34:02 2006: DEBUG: Handling with Radius::AuthFILE: TestTTLS
> Fri Aug 4 16:34:02 2006: DEBUG: Handling with EAP: code 2, 1, 10
> Fri Aug 4 16:34:02 2006: DEBUG: Response type 1
> Fri Aug 4 16:34:02 2006: DEBUG: EAP result: 3, EAP TTLS Challenge
> Fri Aug 4 16:34:02 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
> Fri Aug 4 16:34:02 2006: DEBUG: Access challenged for mikem: EAP TTLS Challenge
> Fri Aug 4 16:34:02 2006: DEBUG: Packet dump:
> *** Sending to 192.168.1.3 port 1812 ....
> Code: Access-Challenge
> Identifier: 28
> Authentic: L<210><28><131><172> <172><13><236>T<177><243><11><203><172><22>
> Attributes:
> EAP-Message = <1><2><0><6><21>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Aug 4 16:34:02 2006: DEBUG: Packet dump:
> *** Received from 192.168.1.3 port 1812 ....
> Code: Access-Request
> Identifier: 29
> Authentic: <12><220>"<179><25><220><134>y<225>Y<233><0>Jv/J
> Attributes:
> NAS-IP-Address = 192.168.1.3
> NAS-Port = 50003
> NAS-Port-Type = Ethernet
> User-Name = "mikem"
> Calling-Station-Id = "00-14-22-2E-6C-19"
> Service-Type = Framed-User
> EAP-Message =
> <2><2><0><<21><128><0><0><0>2<22><3><1><0>-<1><0><0>) 
> <3><1>&~<31><199><173><27>I<14>W<191>V<233><152><172><156><233>h<235>< 
> 178><172><149><158>`Ur@<224><250><7><23>Q<138><0><0><2><0><10><1><0>
> Message-Authenticator = <156><162>x^NKp<233>t<155><14>W<221>QOm
>
> Fri Aug 4 16:34:02 2006: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Fri Aug 4 16:34:02 2006: DEBUG: Deleting session for mikem, 192.168.1.3, 50003
> Fri Aug 4 16:34:02 2006: DEBUG: Handling with Radius::AuthFILE: TestTTLS
> Fri Aug 4 16:34:02 2006: DEBUG: Handling with EAP: code 2, 2, 60
> Fri Aug 4 16:34:02 2006: DEBUG: Response type 21
> Fri Aug 4 16:34:02 2006: DEBUG: EAP TTLS data, 24576, 2, -1
> Fri Aug 4 16:34:02 2006: DEBUG: EAP TTLS SSL_accept result: -1, 2, 8576
> Fri Aug 4 16:34:02 2006: DEBUG: EAP result: 3, EAP TTLS Challenge
> Fri Aug 4 16:34:02 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
> Fri Aug 4 16:34:02 2006: DEBUG: Access challenged for mikem: EAP TTLS Challenge
> Fri Aug 4 16:34:02 2006: DEBUG: Packet dump:
> *** Sending to 192.168.1.3 port 1812 ....
> Code: Access-Challenge
> Identifier: 29
> Authentic: <12><220>"<179><25><220><134>y<225>Y<233><0>Jv/J
> Attributes:
> EAP-Message =
> <1><3><3><242><21><192><0><0><4><29><22><3><1><0>J<2><0><0>F<3><1>D<21 
> 1>h<234>V<139><182><151>L<10><254><178><211><162><150><25>'E<10><248>< 
> <153><233>X<239><175><175>o<197><127><157><212>
> <165><12>"<16><223>! 
> l<161><189><197>`<241><154><11><224><164><3><223><220><153>q<150>h? 
> W;<167><228><25><160>X6<0><10><0><22><3><1><3><192><11><0><3><188><0>< 
> 3><185><0><3><182>0<130><3><178>0<130><3><27><160><3><2><1><2><2><1><1 
> 8>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><137>1<11>0<9>< 
> 6><3>U<4><6><19><2>IE1<15>0<13><6><3>U<4><7><19><6>Dublin1<31>0<29><6> 
> <3>U<4><10><19><22>UCD
> Computing Services1<31>0<29><6><3>U<4><11><19><22>Technology
> Development1'0%<6><3>U<4><3><19><30>UCD Comp
> EAP-Message = uting Services Root
> CA0<30><23><13>060802152711Z<23><13>080722152711Z0<129><154>1<11>0<9>< 
> 6><3>U<4><6><19><2>IE1<15>0<13><6><3>U<4><7><19><6>Dublin1<31>0<29><6> 
> <3>U<4><10><19><22>UCD
> Computing Services1<31>0<29><6><3>U<4><11><19><22>Technology
> Development1<20>0<18><6><3>U<4><3><19><11>192.168.1.61"0
> <6><9>*<134>H<134><247><13><1><9><1><22><19>xxxxxxxxxxxxxxxxxxx0<129>< 
> 159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<1 
> 29><137><2><129><129><0><193><0>#<29><22>c? 
> <3><233><234><143><159><156>
> EAP-Message =
> <137><140><174><135><177>!% 
> <7><18><230><170><239><137><10><159><252><165><184>=<157>% 
> <7><218><13><241><249> 
> [q':<179><221><159><237><197><128><231>Ry<5><213><211><214><206><202>< 
> 207>T<138>%;<27>[i<158>d) 
> 0<213><174><255><219><214><140><176><213><201><165><19>W<196>! 
> <235><174>#<248>y<153>}0<8><135>a<177><9>C{<185>3/<241>| 
> wF<218><148>~<151><2>W<25><133><199><10>Y<208>u3 
> \<205><178><234><150>}<0> 
> [<2><3><1><0><1><163><130><1><21>0<130><1><17>0<9><6><3>U<29><19><4><2 
> >0<0>0,<6><9>`<134>H<1><134><248>B<1><13><4><31><22><29>OpenSSL
> Generated
> Certificate0<29><6><3>U<29><14><4><22><4><20>qn<23><30><0>*PA<190>v 
> $=<146><185>:<136><218><226>C<246>0<129><182><6><3>U<29>#<4><129><174> 
> 0<129><171><128><20>t<219><174><13>VR<221><156><201><215>X<8><228><20> 
> -<145><192><<242>D<161>
> EAP-Message =
> <129><143><164><129><140>0<129><137>1<11>0<9><6><3>U<4><6><19><2>IE1<1 
> 5>0<13><6><3>U<4><7><19><6>Dublin1<31>0<29><6><3>U<4><10><19><22>UCD
> Computing Services1<31>0<29><6><3>U<4><11><19><22>Technology
> Development1'0%<6><3>U<4><3><19><30>UCD Computing Services Root
> CA<130><1><0>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><1 
> 29><0>=n<157><236><172>3<189><233><139><251><210><167><250><145><12>@< 
> 12><203>0<182>;<145><224>B2<249>.<22><234><27><146><162>IV<214><135><1 
> 48><150>0<197>I<234><158><177><26>1<255><186><217>\<11>$<147>6! 
> 9<148><184>(<12>S.<255>t<251>f<5>^D<202>* 
> +<155>=<153><188>y<21><131><255><253><130>'|
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
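The three certificate problems Hugh lists can be checked on the Radiator host itself, before the supplicant ever sees the TLS handshake. The script below is an added example, not code from this post or from Radiator: it assumes the OpenSSL command-line tool is installed, and the function names, file names and the throwaway demo CA it builds are this example's own (none of it is UCD's real certificate material). It handles both PEM and the DER form that EAPTLS_CertificateType ASN1 refers to.

```shell
#!/bin/sh
# Added example, not code from the list post or from Radiator. Runs the three
# certificate checks from Hugh's reply against an EAP server certificate.
# Assumes the OpenSSL CLI; function and file names are this example's own.
#
# Usage: check_eap_server_cert SERVER_CERT CA_FILE [PEM|DER]
# Returns 0 when every check passes, 1 otherwise; each failure is named on stderr.
check_eap_server_cert() {
    cert="$1"; cafile="$2"; inform="${3:-PEM}"; rc=0

    # Radiator's EAPTLS_CertificateType ASN1 means a DER file; openssl verify
    # wants PEM, so convert a DER certificate into a temporary PEM copy first.
    if [ "$inform" = "DER" ]; then
        pem=$(mktemp) || return 1
        openssl x509 -inform DER -in "$1" -out "$pem" || return 1
        cert="$pem"
    fi

    # 1. Does the server cert chain up to the CA the supplicant trusts?
    #    A supplicant holding only this CA file would reject it for the same reason.
    if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $1 does not verify against $cafile (wrong or missing CA root)" >&2
        rc=1
    fi

    # 2. Does it carry the 'act as a server' extension? That is
    #    extendedKeyUsage serverAuth, which openssl -text prints under this name.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: $1 lacks extendedKeyUsage serverAuth ('act as a server')" >&2
        rc=1
    fi

    # 3. Is the validity window current? -checkend 0 asks whether the cert has
    #    already expired; the verify step above also rejects a not-yet-valid cert.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $1 has expired ($(openssl x509 -in "$cert" -noout -enddate))" >&2
        rc=1
    fi

    if [ "$inform" = "DER" ]; then rm -f "$pem"; fi
    return $rc
}

# Constructed demo material for exercising the checks: a throwaway CA plus a
# correct server cert, one missing the serverAuth extension (cause 2), and one
# that is self-signed rather than issued by the CA (cause 1).
make_demo_certs() {
    dir="$1"
    mkdir -p "$dir" || return 1
    printf 'extendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Demo Root CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=radius.example.test' \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    # good.pem: issued by the CA, carries the 'act as a server' extension
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/good.pem" >/dev/null 2>&1 || return 1
    # noeku.pem: issued by the CA but without the extension
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/noeku.pem" >/dev/null 2>&1 || return 1
    # selfsigned.pem: has the extension but was never issued by the CA
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -extfile "$dir/server.ext" -out "$dir/selfsigned.pem" >/dev/null 2>&1 || return 1
    # good.der: the good cert in DER form, as EAPTLS_CertificateType ASN1 expects
    openssl x509 -in "$dir/good.pem" -outform DER -out "$dir/good.der" >/dev/null 2>&1 || return 1
}

# Run against a real pair of files when invoked directly with arguments, e.g.
#   sh check_cert.sh /etc/radiator/certificates/UCDcert.der \
#      /etc/radiator/certificates/CA/cacert.crt DER
if [ "$#" -ge 2 ]; then
    check_eap_server_cert "$@"
    exit $?
fi
```

Run it against the files named by EAPTLS_CertificateFile and EAPTLS_CAFile; a clean exit means the supplicant's complaint lies elsewhere, while any FAIL line names which of the three causes applies. Note that a certificate can pass `openssl verify` and still be rejected by a supplicant whose own trust store lacks the CA, which is cause 1 on the client side rather than the server side.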

