(RADIATOR) TLS/TTLS hanging & timing out....

Larry ONeill Larry.ONeill at ucd.ie
Wed Aug 9 05:58:43 CDT 2006


       I have installed the web server, pointed the ssl configuration
file towards the appropriate certificates, and the client has no
problems with them. I am now reasonably sure that the certificate
validation on the client is working. 
       So if the certificates work, and the same problem is being
experienced with two seperate supplicant distributions, then the problem
is probably on the server side, or possibly with the switch.


At least I have one more thing ruled out...


thanks
Larry


----- Original Message -----
From: Larry ONeill <Larry.ONeill at ucd.ie>
Date: Wednesday, August 9, 2006 11:04 am
Subject: Re: (RADIATOR) TLS/TTLS hanging & timing out....
To: radiator at open.com.au

> 
> Hi Hugh,
>           Thanks for your reply. Unfortunately I dont think that 
> that'sthe problem. I have tried to tell the client not to validate
> certificates, so in theory it should just accept any certificate it 
> getssent, yes? And yet I still get nowhere, same behaviour from both
> supplicants - they just do nothing, and time out. 
>           Even when I do tell the clients to validate the 
> certificates,it should work, as the certificates are installed into 
> the Trusted Root
> CA store on the client machine. They appear in the SecureW2 log file,
> when it goes looking for certificates it does find them - both the 
> demoone and the private certificate we made. (all certs are in 
> date, etc)
>           I'm starting to suspect that it's a more fundamental 
> problem,but I'm not sure where to start diagnosing. The supplicant 
> and the
> radius are deffinitely communicating, as shown by the fact that
> MD5-Challenge works perfectly. I am at the moment setting up a web
> server with https on the same machine as radius to test the 
> certificatevalidation process.
> 
> Any other ideas?
> 
> thanks
> Larry
> 
> > 
> > Hello Larry -
> > 
> > The usual cause of this sort of behaviour is that the supplicant  
> > doesnt like
> > the certificate for some reason.
> > 
> > The usual reasons are:
> > 
> > 1. supplicant does not have the root certificate of the CA that  
> > issued the
> > server cert.
> > 
> > 2. The server cert does not have the 'act as a server' extension
> > 
> > 3. The server cert is invalid (out of date etc).
> > 
> > hope that helps
> > 
> > regards
> > 
> > Hugh
> > 
> > 
> > On 9 Aug 2006, at 00:42, Larry ONeill wrote:
> > 
> > >
> > > Hi,
> > >     I have been having some trouble with getting EAP-TTLS off the
> > > ground. I can get MD5-Challenge to work fine, but anytime I've  
> > > tried to
> > > get TTLS working it hangs. If anyone could give me a suggestion 
> > as to
> > > where I can look next for the source of the failure I would really
> > > appreciate it.
> > >
> > > thanks
> > > Larry O'Neill
> > > UCD Computing Services
> > >
> > > Details:
> > >
> > > Behaviour(SecureW2):
> > > I double click on the connection to activate it.
> > > It opens.
> > > After 45 packets are sent out, a message appears asking me to 
> "click> > here to input user credentials" I click on it.
> > > A window pops up prompting me to put in the username and 
> password 
> > and> domain. I enter the username and password and hit "OK"
> > > The switch behaves as expected, giving appropriate debug 
> > information,> with no errors.
> > > Radius does similar.
> > > The last thing that Radius logs is sending the certificate.
> > > The supplicant times out after about a minute, and tells me that
> > > authentication fails.
> > > The switch reports about 4 more lines indicating termination of 
> > the  
> > > AAA
> > > session/dot1x session.
> > >
> > > With AEGIS SecureConnect I get similar behaviour, and nothing 
> in  
> > > the log
> > > files for either SecureW2 or AEGIS SecureConnect show any errors.
> > >
> > > Client:  Windows xp on Dell optiplex with wired Broadcom 
> > NetXtreme  
> > > 57xx
> > > Gigabit Controller, static ip address of 192.168.1.5, no firewall
> > > options enabled.
> > >          I have so far tried to get this to work with SecureW2 
> > and  
> > > with
> > > AEGIS SecureConect, and both exhibit similar behaviour, details 
> > of my
> > > SecureW2 stuff is at 
> > http://www.securew2.com/uk/forum/viewtopic.php? 
> > > t=379
> > >
> > >
> > > Switch: Cisco Catalyst 2950 series, IOS 12.1(6)EA2a
> > > ip: 192.168.1.3
> > > dot1x access control enabled on the FastEthernet port the 
> client is
> > > plugged into.
> > > configured to telk to radius server 192.168.1.6 on ports 1812 
> and 
> > 1813> for authentication and accounting respectively.
> > > debugging is enabled for:
> > >    aaa authentication
> > >    dot1x backend
> > >    radius
> > > this is being monitored over the console.
> > > an example of the debug information is given below.
> > >
> > > 23:58:33: AAA/AUTHEN (622515589): status = GETDATA
> > > 23:58:33: dot1x-backend(Fa0/3): [60] cont_login returned GETDATA
> > > 23:59:03: dot1x-backend(Fa0/3): [60] cleaning up AAA context 
> (abort)> > 23:59:03: AAA/AUTHEN/ABORT: (622515589) because 802.1X 
> ABORT.> > 23:59:03: AAA/MEMORY: free_user (0x80DF41A4) 
> user='anonymous' 
> > ruser=''> port='Fas
> > > tEthernet0/3' rem_addr='00-14-22-2E-6C-19' authen_type=EAP
> > > service=802.1x priv=1
> > >
> > > 23:59:04: dot1x-backend(Fa0/3): [60] starting aaa sequence
> > > 23:59:04: dot1x-backend(Fa0/3): [60] relaying EAP data from 
> > supplicant> 23:59:04: dot1x-backend(Fa0/3): [60] starting login
> > > 23:59:04: dot1x-backend(Fa0/3): [60] login FAIL - no username
> > >
> > >
> > > Radius: Radiator on FedoraCore5,
> > > I have tried this with the Demo certificates supplied, and with
> > > Certificates Written by a colleague of mine, with the same 
> > results in
> > > both cases...
> > > config as follows:
> > > [radius.cfg]
> > >
> > > # trying to get TTLS working
> > > Foreground
> > > LogStdout
> > > LogDir /etc/radiator
> > > DbDir /etc/radiator
> > >
> > > # This will log at DEBUG level: very verbose
> > > # User a lower trace level in production systems, typically use 3
> > > Trace 4
> > >
> > > # Listen on standard and original ports
> > > # added by larry 03/07/06
> > > AuthPort 1812,1645
> > > AcctPort 1813,1646
> > >
> > > # commented out the following 4 lines.... 19/07/06 at 11:26
> > > #<Client DEFAULT>
> > > # Secret mysecret
> > > # DupInterval 0
> > > #</Client>
> > >
> > > # This machine
> > > <Client localhost>
> > > Secret xxxxxxxxx
> > > DupInterval 0
> > > </Client>
> > >
> > > # The switch sitting under my desk...
> > > <Client 192.168.1.3>
> > > Secret xxxxxxxxxxxx
> > > </Client>
> > >
> > > # Look up user details in a flat file
> > > <AuthBy FILE>
> > > Identifier TestTTLS
> > > # %D is replaced by DbDir above
> > > Filename %D/users
> > > EAPType TTLS, PAP
> > >
> > > EAPTLS_CAFile %D/certificates/CA/cacert.crt
> > > EAPTLS_CertificateFile %D/certificates/UCDcert.der
> > > EAPTLS_CertificateType ASN1
> > > EAPTLS_PrivateKeyFile %D/certificates/UCDcert.key
> > > #EAPTLS_PrivateKeyPassword whatever
> > > EAPTLS_MaxFragmentSize 1000
> > > AutoMPPEKeys
> > > 
> > >
> > > <AuthBy FILE>
> > > Identifier TestRAD-File
> > > Filename %D/users
> > > EAPType PAP
> > > 
> > >
> > > # Authenticate all realms with this
> > > <Realm DEFAULT>
> > > AuthBy TestTTLS
> > > AcctLogFileName %D/detail
> > > </Realm>
> > >
> > > [/radius.cfg]
> > >> From log:
> > >
> > > Fri Aug 4 16:34:02 2006: DEBUG: Packet dump:
> > > *** Received from 192.168.1.3 port 1812 ....
> > > Code: Access-Request
> > > Identifier: 28
> > > Authentic: L<210><28><131><172>  
> > > <172><13><236>T<177><243><11><203><172><22>
> > > Attributes:
> > > NAS-IP-Address = 192.168.1.3
> > > NAS-Port = 50003
> > > NAS-Port-Type = Ethernet
> > > User-Name = "mikem"
> > > Calling-Station-Id = "00-14-22-2E-6C-19"
> > > Service-Type = Framed-User
> > > EAP-Message = <2><1><0><10><1>mikem
> > > Message-Authenticator =
> > > N<139><179><224><19><179><127><217><139><16>W<130>]B=O
> > >
> > > Fri Aug 4 16:34:02 2006: DEBUG: Handling request with Handler
> > > 'Realm=DEFAULT'
> > > Fri Aug 4 16:34:02 2006: DEBUG: Deleting session for mikem,  
> > > 192.168.1.3,
> > > 50003
> > > Fri Aug 4 16:34:02 2006: DEBUG: Handling with Radius::AuthFILE: 
> 
> > > TestTTLS
> > > Fri Aug 4 16:34:02 2006: DEBUG: Handling with EAP: code 2, 1, 10
> > > Fri Aug 4 16:34:02 2006: DEBUG: Response type 1
> > > Fri Aug 4 16:34:02 2006: DEBUG: EAP result: 3, EAP TTLS Challenge
> > > Fri Aug 4 16:34:02 2006: DEBUG: AuthBy FILE result: CHALLENGE, 
> > EAP  
> > > TTLS
> > > Challenge
> > > Fri Aug 4 16:34:02 2006: DEBUG: Access challenged for mikem: 
> EAP 
> > TTLS> Challenge
> > > Fri Aug 4 16:34:02 2006: DEBUG: Packet dump:
> > > *** Sending to 192.168.1.3 port 1812 ....
> > > Code: Access-Challenge
> > > Identifier: 28
> > > Authentic: L<210><28><131><172>  
> > > <172><13><236>T<177><243><11><203><172><22>
> > > Attributes:
> > > EAP-Message = <1><2><0><6><21>
> > > Message-Authenticator =  
> > > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > >
> > > Fri Aug 4 16:34:02 2006: DEBUG: Packet dump:
> > > *** Received from 192.168.1.3 port 1812 ....
> > > Code: Access-Request
> > > Identifier: 29
> > > Authentic: <12><220>"<179><25><220><134>y<225>Y<233><0>Jv/J
> > > Attributes:
> > > NAS-IP-Address = 192.168.1.3
> > > NAS-Port = 50003
> > > NAS-Port-Type = Ethernet
> > > User-Name = "mikem"
> > > Calling-Station-Id = "00-14-22-2E-6C-19"
> > > Service-Type = Framed-User
> > > EAP-Message =
> > > <2><2><0><<21><128><0><0><0>2<22><3><1><0>-<1><0><0>) 
> > > 
> > 
> <3><1>&~<31><199><173><27>I<14>W<191>V<233><152><172><156><233>h<235>< 
> > > 
> 178><172><149><158>`Ur@<224><250><7><23>Q<138><0><0><2><0><10><1><0>>
> Message-Authenticator = <156><162>x^NKp<233>t<155><14>W<221>QOm
> > >
> > > Fri Aug 4 16:34:02 2006: DEBUG: Handling request with Handler
> > > 'Realm=DEFAULT'
> > > Fri Aug 4 16:34:02 2006: DEBUG: Deleting session for mikem,  
> > > 192.168.1.3,
> > > 50003
> > > Fri Aug 4 16:34:02 2006: DEBUG: Handling with Radius::AuthFILE: 
> 
> > > TestTTLS
> > > Fri Aug 4 16:34:02 2006: DEBUG: Handling with EAP: code 2, 2, 60
> > > Fri Aug 4 16:34:02 2006: DEBUG: Response type 21
> > > Fri Aug 4 16:34:02 2006: DEBUG: EAP TTLS data, 24576, 2, -1
> > > Fri Aug 4 16:34:02 2006: DEBUG: EAP TTLS SSL_accept result: -1, 
> > 2,  
> > > 8576
> > > Fri Aug 4 16:34:02 2006: DEBUG: EAP result: 3, EAP TTLS Challenge
> > > Fri Aug 4 16:34:02 2006: DEBUG: AuthBy FILE result: CHALLENGE, 
> > EAP  
> > > TTLS
> > > Challenge
> > > Fri Aug 4 16:34:02 2006: DEBUG: Access challenged for mikem: 
> EAP 
> > TTLS> Challenge
> > > Fri Aug 4 16:34:02 2006: DEBUG: Packet dump:
> > > *** Sending to 192.168.1.3 port 1812 ....
> > > Code: Access-Challenge
> > > Identifier: 29
> > > Authentic: <12><220>"<179><25><220><134>y<225>Y<233><0>Jv/J
> > > Attributes:
> > > EAP-Message =
> > > 
> > 
> <1><3><3><242><21><192><0><0><4><29><22><3><1><0>J<2><0><0>F<3><1>D<21 
> > > 
> > 
> 1>h<234>V<139><182><151>L<10><254><178><211><162><150><25>'E<10><248>< 
> > > <153><233>X<239><175><175>o<197><127><157><212>
> > > <165><12>"<16><223>! 
> > > 
> > 
> l<161><189><197>`<241><154><11><224><164><3><223><220><153>q<150>h? 
> > > 
> > 
> W;<167><228><25><160>X6<0><10><0><22><3><1><3><192><11><0><3><188><0>< 
> > > 
> > 
> 3><185><0><3><182>0<130><3><178>0<130><3><27><160><3><2><1><2><2><1><1 
> > > 
> > 
> 8>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<129><137>1<11>0<9>< 
> > > 
> > 
> 6><3>U<4><6><19><2>IE1<15>0<13><6><3>U<4><7><19><6>Dublin1<31>0<29><6> 
> > > <3>U<4><10><19><22>UCD
> > > Computing Services1<31>0<29><6><3>U<4><11><19><22>Technology
> > > Development1'0%<6><3>U<4><3><19><30>UCD Comp
> > > EAP-Message = uting Services Root
> > > 
> > 
> CA0<30><23><13>060802152711Z<23><13>080722152711Z0<129><154>1<11>0<9>< 
> > > 
> > 
> 6><3>U<4><6><19><2>IE1<15>0<13><6><3>U<4><7><19><6>Dublin1<31>0<29><6> 
> > > <3>U<4><10><19><22>UCD
> > > Computing Services1<31>0<29><6><3>U<4><11><19><22>Technology
> > > Development1<20>0<18><6><3>U<4><3><19><11>192.168.1.61"0
> > > 
> > 
> <6><9>*<134>H<134><247><13><1><9><1><22><19>xxxxxxxxxxxxxxxxxxx0<129>< 
> > > 
> > 
> 159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<1 
> > > 29><137><2><129><129><0><193><0>#<29><22>c? 
> > > <3><233><234><143><159><156>
> > > EAP-Message =
> > > <137><140><174><135><177>!% 
> > > <7><18><230><170><239><137><10><159><252><165><184>=<157>% 
> > > <7><218><13><241><249> 
> > > 
> > 
> [q':<179><221><159><237><197><128><231>Ry<5><213><211><214><206><202>< 
> > > 207>T<138>%;<27>[i<158>d) 
> > > 0<213><174><255><219><214><140><176><213><201><165><19>W<196>! 
> > > <235><174>#<248>y<153>}0<8><135>a<177><9>C{<185>3/<241>| 
> > > wF<218><148>~<151><2>W<25><133><199><10>Y<208>u3 
> > > \<205><178><234><150>}<0> 
> > > 
> > 
> [<2><3><1><0><1><163><130><1><21>0<130><1><17>0<9><6><3>U<29><19><4><2 
> > > >0<0>0,<6><9>`<134>H<1><134><248>B<1><13><4><31><22><29>OpenSSL
> > > Generated
> > > 
> > 
> Certificate0<29><6><3>U<29><14><4><22><4><20>qn<23><30><0>*PA<190>v 
> > > 
> > 
> $=<146><185>:<136><218><226>C<246>0<129><182><6><3>U<29>#<4><129><174> 
> > > 
> > 
> 0<129><171><128><20>t<219><174><13>VR<221><156><201><215>X<8><228><20> 
> > > -<145><192><<242>D<161>
> > > EAP-Message =
> > > 
> > 
> <129><143><164><129><140>0<129><137>1<11>0<9><6><3>U<4><6><19><2>IE1<1 
> > > 
> 5>0<13><6><3>U<4><7><19><6>Dublin1<31>0<29><6><3>U<4><10><19><22>UCD>
> Computing Services1<31>0<29><6><3>U<4><11><19><22>Technology
> > > Development1'0%<6><3>U<4><3><19><30>UCD Computing Services Root
> > > 
> > 
> CA<130><1><0>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><1 
> > > 
> > 
> 29><0>=n<157><236><172>3<189><233><139><251><210><167><250><145><12>@< 
> > > 
> > 
> 12><203>0<182>;<145><224>B2<249>.<22><234><27><146><162>IV<214><135><1 
> > > 48><150>0<197>I<234><158><177><26>1<255><186><217>\<11>$<147>6! 
> > > 9<148><184>(<12>S.<255>t<251>f<5>^D<202>* 
> > > +<155>=<153><188>y<21><131><255><253><130>'|
> > > Message-Authenticator =  
> > > <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > >
> > > --
> > > Archive at http://www.open.com.au/archives/radiator/
> > > Announcements on radiator-announce at open.com.au
> > > To unsubscribe, email 'majordomo at open.com.au' with
> > > 'unsubscribe radiator' in the body of the message.
> > 
> > 
> > 
> > NB:
> > 
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive 
> > (www.open.com.au/archives/ 
> > radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> > 
> > -- 
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > Includes support for reliable RADIUS transport (RadSec),
> > and DIAMETER translation agent.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database 
> independence.> -
> > CATool: Private Certificate Authority for Unix and Unix-like 
> systems.> 
> > 
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> > 
> 
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
> 

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list