(RADIATOR) EapTLS question
Mike McCauley
mikem at open.com.au
Tue Feb 19 17:34:56 CST 2008
Hello Markus,
On Wednesday 20 February 2008 07:34, Markus Moeller wrote:
> The final part of my setup is to support EapTLS for wireless. As I don't
> yet have an AP to test with, I was using Lucent's VitalAAA radius client.
>
> The client gives me an error message: State attribute is missing in
> Access-Challenge
>
> Is this a configuration error or an incompatible client?
State is an optional reply attribute, so for your client to complain about its
absence is broken.
You can add a bogus State reply attribute with the AddToReply parameter.
We often use eapol_test (part of the hostap package) for testing TLS and
other EAP types. It's open source and doesn't have that broken behaviour.
Cheers.
>
> Thank you
> Markus
>
> P.S. Config extract is attached.
>
> VitalAAA client log:
>
> 2008/02/19 21:19:35.898 {AWT-EventQueue-0} <tls.certandkeymanager> Installed ClientCert EMAILADDRESS=markus at moeller.plus.com, CN=Test LAB, OU=Engineering, O=HOME L=London, ST=London, C=GB as RSA
> 2008/02/19 21:19:35.902 {AWT-EventQueue-0} <tls.certandkeymanager> Installed ServerSet EMAILADDRESS=markus at moeller.plus.com, CN=Test LAB, OU=Engineering, O=HOME L=London, ST=London, C=GB as RSA
> 2008/02/19 21:19:35.903 {AWT-EventQueue-0} <tls.certandkeymanager> Installed ServerSet EMAILADDRESS=markus at moeller.plus.com, CN=Test LAB, OU=Engineering, O=HOME L=London, ST=London, C=GB as DHE_RSA
> 2008/02/19 21:19:35.910 {AWT-EventQueue-0} <callback.eap.tls> Creating new client
> 2008/02/19 21:19:35.916 {Radius Client Driver} <radiusClient> Xmit: Access-Request to 10.142.161.97:1812
>   User-Name = "testuser at company.com"
>   EAP-Message =
>     code = Response
>     Identifier = 1
>     Type = Identity
>     Type-Data = "testuser at company.com"
>   Message-Authenticator = "00000000000000000000000000000000"
>
> 2008/02/19 21:19:36.246 {Radius Client Listener 0.0.0.0:35536} <radiusClient> Recv: Access-Challenge after 336 ms.
>   EAP-Message =
>     code = Request
>     Identifier = 2
>     Type = TLS
>     Type-Data = " "
>   Message-Authenticator = "A0497AC4DB527F89BAA9F5353261293E"
>
> 2008/02/19 21:19:36.248 {Basic Callback} <tls.protocolhandler> client/5 >>> Transmitting ClientHello
> 2008/02/19 21:19:36.248 {Basic Callback} <callback.eap.tls> Enter nwkDataAvailable( ByteBuffer[] array )
> 2008/02/19 21:19:36.249 {Basic Callback} <callback.eap.tls> Sending a 0 byte message to the EAP TLS client
> 2008/02/19 21:19:36.249 {Basic Callback} <callback.eap.tls> Received a 62 byte message from the EAP TLS client
> 2008/02/19 21:19:36.249 {Basic Callback} <radiusclient.callback.challenge> (ERROR) State attribute is missing in Access-Challenge
> 2008/02/19 21:19:36.249 {Basic Callback} <callback.eap.tls> Closing client
>
>
> Radiator Trace output
>
>
> /usr/bin/radiusd -config_file /etc/radiator/radius.cfg -log_stdout -trace 5 -foreground
> Tue Feb 19 20:58:05 2008: DEBUG: include /etc/radiator/readclients.pl|
> Tue Feb 19 20:58:05 2008: NOTICE: Reading clients file /etc/radiator/clients
> Tue Feb 19 20:58:06 2008: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
> Tue Feb 19 20:58:06 2008: DEBUG: Creating StreamServer tcp port 0.0.0.0:9443
> Tue Feb 19 20:58:06 2008: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Tue Feb 19 20:58:06 2008: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Tue Feb 19 20:58:06 2008: DEBUG: Creating authentication port 0.0.0.0:1812
> Tue Feb 19 20:58:06 2008: DEBUG: Creating accounting port 0.0.0.0:1813
> Tue Feb 19 20:58:06 2008: NOTICE: Server started: Radiator 4.0 on radius-server1
> Tue Feb 19 20:58:25 2008: DEBUG: Packet dump:
> *** Received from 10.128.55.23 port 35536 ....
>
> Packet length = 73
> 01 00 00 49 60 b4 20 bb 38 51 d9 d4 7a cb 93 3d
> be 70 39 9b 01 0f 6d 6f 65 6c 6d 61 40 64 62 2e
> 63 6f 6d 4f 14 02 01 00 12 01 6d 6f 65 6c 6d 61
> 40 64 62 2e 63 6f 6d 50 12 10 f6 7b 50 45 19 e8
> 7f c4 f2 d4 5c 51 28 7c 5b
> Code: Access-Request
> Identifier: 0
> Authentic: `<180> <187>8Q<217><212>z<203><147>=<190>p9<155>
> Attributes:
> User-Name = "testuser at company.com"
> EAP-Message = <2><1><0><18><1>testuser at company.com
> Message-Authenticator = <16><246>{PE<25><232><127><196><242><212>\Q(|[
>
> Tue Feb 19 20:58:25 2008: DEBUG: PreHandlerHook added LDAP Attributes:
> Tue Feb 19 20:58:25 2008: DEBUG: User-Mail = markus at moeller.plus.com
> Tue Feb 19 20:58:25 2008: DEBUG: USER-PRINCIPAL-NAME = testuser at company.com
> Tue Feb 19 20:58:25 2008: DEBUG: Handling request with Handler 'Device-Class=Wlan'
> Tue Feb 19 20:58:25 2008: DEBUG: Deleting session for testuser at company.com, 192.168.100.1,
> Tue Feb 19 20:58:25 2008: DEBUG: Handling with Radius::AuthFILE: EapTLS
> Tue Feb 19 20:58:25 2008: DEBUG: Handling with EAP: code 2, 1, 18, 1
> Tue Feb 19 20:58:25 2008: DEBUG: Response type 1
> Tue Feb 19 20:58:25 2008: DEBUG: EAP result: 3, EAP TLS Challenge
> Tue Feb 19 20:58:25 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
> Tue Feb 19 20:58:25 2008: DEBUG: Access challenged for testuser at company.com: EAP TLS Challenge
> Tue Feb 19 20:58:25 2008: DEBUG: Packet dump:
> *** Sending to 10.128.55.23 port 35536 ....
>
> Packet length = 46
> 0b 00 00 2e ee dd 2f 22 e4 0d 03 25 f6 81 56 5d
> d8 de 57 b1 4f 08 01 02 00 06 0d 20 50 12 a0 49
> 7a c4 db 52 7f 89 ba a9 f5 35 32 61 29 3e
> Code: Access-Challenge
> Identifier: 0
> Authentic: `<180> <187>8Q<217><212>z<203><147>=<190>p9<155>
> Attributes:
> EAP-Message = <1><2><0><6><13>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
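To see exactly what the client is rejecting, here is the 46-byte Access-Challenge from the "Sending to 10.128.55.23" dump above decoded attribute by attribute, together with what an AddToReply State=... would do on the wire. This is an added example, not code from Radiator or VitalAAA. The packet bytes and the Request Authenticator are copied from the two dumps in the trace; the shared secret and the State value are assumptions, since neither appears in the thread. The decoder also unpacks the EAP-Message so you can confirm the challenge is a bare EAP-TLS Start (type 13, S flag set) with Message-Authenticator but no State, which is what the client's check trips over.

```python
"""Decode the Access-Challenge from the Radiator trace and show the wire effect of
appending a State attribute (what AddToReply State=... produces).

Added example; not Radiator or VitalAAA code. Packet bytes and Request Authenticator
are from the trace dumps; the shared secret and State value are assumptions.
"""
import hashlib
import hmac
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 24: "State", 79: "EAP-Message", 80: "Message-Authenticator"}
STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 24, 79, 80

# Request Authenticator from the "Received from 10.128.55.23" dump (bytes 4..19).
REQUEST_AUTH = bytes.fromhex("60b420bb3851d9d47acb933dbe70399b")

# The 46-byte Access-Challenge Radiator sent back, copied from the "Sending to" dump.
CHALLENGE = bytes.fromhex(
    "0b00002e eedd2f22 e40d0325 f681565d d8de57b1"   # header + Response Authenticator
    "4f08 01020006 0d20"                              # EAP-Message: Request id 2, EAP-TLS, flags 0x20
    "5012 a0497ac4db527f89baa9f5353261293e"           # Message-Authenticator
)


def parse_radius(pkt):
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field %d does not match %d bytes" % (length, len(pkt)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def parse_eap_tls(eap):
    """Decode an EAP header and, for EAP-TLS (type 13), the RFC 5216 flag byte (L, M, S)."""
    if len(eap) < 4:
        raise ValueError("EAP packet shorter than header")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length mismatch")
    info = {"code": code, "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        info["type"] = eap[4]
        if info["type"] == 13 and length >= 6:
            flags = eap[5]
            info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
            info["tls_data"] = eap[6:]
    return info


def has_state(parsed):
    return any(t == STATE for t, _ in parsed["attrs"])


def build_response(code, ident, request_auth, attrs, secret):
    """Encode a RADIUS response: Message-Authenticator (RFC 2869 5.14) is HMAC-MD5 over the
    packet with that field zeroed and the Request Authenticator in the authenticator slot;
    the Response Authenticator (RFC 2865 3) is MD5 over the finished packet plus the secret."""
    body = b""
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR:
            continue                                   # always regenerated below
        if len(v) > 253:
            raise ValueError("attribute %d too long" % t)
        body += bytes([t, 2 + len(v)]) + v
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(pkt, request_auth, secret):
    """Check both integrity fields of a response against the request it answers."""
    p = parse_radius(pkt)
    header, body, mac, zeroed = pkt[:4], pkt[20:], None, b""
    for t, v in p["attrs"]:
        if t == MESSAGE_AUTHENTICATOR:
            mac = v
            zeroed += bytes([t, 18]) + bytes(16)
        else:
            zeroed += bytes([t, 2 + len(v)]) + v
    if mac is None or len(mac) != 16:
        return False
    expected_mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    expected_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(mac, expected_mac) and hmac.compare_digest(p["authenticator"], expected_auth)


def add_state(pkt, request_auth, secret, state):
    """Same challenge plus a State attribute, with both authenticators recomputed."""
    p = parse_radius(pkt)
    attrs = [(t, v) for t, v in p["attrs"] if t != MESSAGE_AUTHENTICATOR] + [(STATE, state)]
    return build_response(p["code"], p["id"], request_auth, attrs, secret)


def describe(pkt):
    p = parse_radius(pkt)
    lines = ["%s id=%d len=%d" % (RADIUS_CODES.get(p["code"], p["code"]), p["id"], len(pkt))]
    for t, v in p["attrs"]:
        lines.append("  %-21s = %s" % (ATTR_NAMES.get(t, "Attr-%d" % t), v.hex()))
        if t == EAP_MESSAGE:
            lines.append("    EAP %r" % (parse_eap_tls(v),))
    lines.append("  State present: %s" % has_state(p))
    return "\n".join(lines)


if __name__ == "__main__":
    SECRET = b"assumed-shared-secret"                 # assumption: the real secret is not on the page
    print(describe(CHALLENGE))
    fixed = add_state(CHALLENGE, REQUEST_AUTH, SECRET, b"eaptls-0001")   # assumed State value
    print(describe(fixed))
    print("rebuilt challenge verifies:", verify_response(fixed, REQUEST_AUTH, SECRET))
```

The original challenge cannot be verified here because its secret is unknown; the rebuilt one can, which is the point of doing the State addition server-side (Radiator recomputes both authenticators) rather than patching bytes in transit. Remember that whatever State value is sent is opaque to the client and must be echoed unmodified in its next Access-Request (RFC 2865 5.24), so a fixed AddToReply string only satisfies the client's presence check and carries no per-session meaning of its own.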