(RADIATOR) EapTLS question
Markus Moeller
huaraz at moeller.plus.com
Tue Feb 19 17:44:54 CST 2008
Thank you for the pointer, I will try with eapol_test.
Markus
----- Original Message -----
From: "Mike McCauley" <mikem at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Tuesday, February 19, 2008 11:34 PM
Subject: Re: (RADIATOR) EapTLS question
> Hello Markus,
>
>
> On Wednesday 20 February 2008 07:34, Markus Moeller wrote:
>> The final part of my setup is to support EapTLS for wireless. As I don't
>> yet have an AP to test with I was using Lucent's VitalAAA RADIUS client.
>>
>> The client gives me an error message: State attribute is missing in
>> Access-Challenge
>>
>> Is this a configuration error or an incompatible client?
>
> State is an optional reply attribute, so for your client to complain about
> its absence is broken.
> You can add a bogus State reply attribute with the AddToReply parameter.
>
> We often use eapol_test (part of the hostap package) for testing TLS and
> other EAP types. It's open source and doesn't have that broken behaviour.
>
> Cheers.
>
>>
>> Thank you
>> Markus
>>
>> P.S. Config extract is attached.
>>
>> VitalAAA client log:
>>
>> 2008/02/19 21:19:35.898 {AWT-EventQueue-0} <tls.certandkeymanager> Installed ClientCert EMAILADDRESS=markus at moeller.plus.com, CN=Test LAB, OU=Engineering, O=HOME L=London, ST=London, C=GB as RSA
>> 2008/02/19 21:19:35.902 {AWT-EventQueue-0} <tls.certandkeymanager> Installed ServerSet EMAILADDRESS=markus at moeller.plus.com, CN=Test LAB, OU=Engineering, O=HOME L=London, ST=London, C=GB as RSA
>> 2008/02/19 21:19:35.903 {AWT-EventQueue-0} <tls.certandkeymanager> Installed ServerSet EMAILADDRESS=markus at moeller.plus.com, CN=Test LAB, OU=Engineering, O=HOME L=London, ST=London, C=GB as DHE_RSA
>> 2008/02/19 21:19:35.910 {AWT-EventQueue-0} <callback.eap.tls> Creating new client
>> 2008/02/19 21:19:35.916 {Radius Client Driver} <radiusClient> Xmit: Access-Request to 10.142.161.97:1812
>>     User-Name = "testuser at company.com"
>>     EAP-Message =
>>         code = Response
>>         Identifier = 1
>>         Type = Identity
>>         Type-Data = "testuser at company.com"
>>     Message-Authenticator = "00000000000000000000000000000000"
>>
>> 2008/02/19 21:19:36.246 {Radius Client Listener 0.0.0.0:35536} <radiusClient> Recv: Access-Challenge after 336 ms.
>>     EAP-Message =
>>         code = Request
>>         Identifier = 2
>>         Type = TLS
>>         Type-Data = " "
>>     Message-Authenticator = "A0497AC4DB527F89BAA9F5353261293E"
>>
>> 2008/02/19 21:19:36.248 {Basic Callback} <tls.protocolhandler> client/5 >>> Transmitting ClientHello
>> 2008/02/19 21:19:36.248 {Basic Callback} <callback.eap.tls> Enter nwkDataAvailable( ByteBuffer[] array )
>> 2008/02/19 21:19:36.249 {Basic Callback} <callback.eap.tls> Sending a 0 byte message to the EAP TLS client
>> 2008/02/19 21:19:36.249 {Basic Callback} <callback.eap.tls> Received a 62 byte message from the EAP TLS client
>> 2008/02/19 21:19:36.249 {Basic Callback} <radiusclient.callback.challenge> (ERROR) State attribute is missing in Access-Challenge
>> 2008/02/19 21:19:36.249 {Basic Callback} <callback.eap.tls> Closing client
>>
>>
>> Radiator Trace output
>>
>>
>> /usr/bin/radiusd -config_file /etc/radiator/radius.cfg -log_stdout -trace 5 -foreground
>> Tue Feb 19 20:58:05 2008: DEBUG: include /etc/radiator/readclients.pl|
>> Tue Feb 19 20:58:05 2008: NOTICE: Reading clients file /etc/radiator/clients
>> Tue Feb 19 20:58:06 2008: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
>> Tue Feb 19 20:58:06 2008: DEBUG: Creating StreamServer tcp port 0.0.0.0:9443
>> Tue Feb 19 20:58:06 2008: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>> Tue Feb 19 20:58:06 2008: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
>> Tue Feb 19 20:58:06 2008: DEBUG: Creating authentication port 0.0.0.0:1812
>> Tue Feb 19 20:58:06 2008: DEBUG: Creating accounting port 0.0.0.0:1813
>> Tue Feb 19 20:58:06 2008: NOTICE: Server started: Radiator 4.0 on radius-server1
>> Tue Feb 19 20:58:25 2008: DEBUG: Packet dump:
>> *** Received from 10.128.55.23 port 35536 ....
>>
>> Packet length = 73
>> 01 00 00 49 60 b4 20 bb 38 51 d9 d4 7a cb 93 3d
>> be 70 39 9b 01 0f 6d 6f 65 6c 6d 61 40 64 62 2e
>> 63 6f 6d 4f 14 02 01 00 12 01 6d 6f 65 6c 6d 61
>> 40 64 62 2e 63 6f 6d 50 12 10 f6 7b 50 45 19 e8
>> 7f c4 f2 d4 5c 51 28 7c 5b
>> Code: Access-Request
>> Identifier: 0
>> Authentic: `<180> <187>8Q<217><212>z<203><147>=<190>p9<155>
>> Attributes:
>> User-Name = "testuser at company.com"
>> EAP-Message = <2><1><0><18><1>testuser at company.com
>> Message-Authenticator = <16><246>{PE<25><232><127><196><242><212>\Q(|[
>>
>> Tue Feb 19 20:58:25 2008: DEBUG: PreHandlerHook added LDAP Attributes:
>> Tue Feb 19 20:58:25 2008: DEBUG: User-Mail = markus at moeller.plus.com
>> Tue Feb 19 20:58:25 2008: DEBUG: USER-PRINCIPAL-NAME = testuser at company.com
>> Tue Feb 19 20:58:25 2008: DEBUG: Handling request with Handler 'Device-Class=Wlan'
>> Tue Feb 19 20:58:25 2008: DEBUG: Deleting session for testuser at company.com, 192.168.100.1,
>> Tue Feb 19 20:58:25 2008: DEBUG: Handling with Radius::AuthFILE: EapTLS
>> Tue Feb 19 20:58:25 2008: DEBUG: Handling with EAP: code 2, 1, 18, 1
>> Tue Feb 19 20:58:25 2008: DEBUG: Response type 1
>> Tue Feb 19 20:58:25 2008: DEBUG: EAP result: 3, EAP TLS Challenge
>> Tue Feb 19 20:58:25 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
>> Tue Feb 19 20:58:25 2008: DEBUG: Access challenged for testuser at company.com: EAP TLS Challenge
>> Tue Feb 19 20:58:25 2008: DEBUG: Packet dump:
>> *** Sending to 10.128.55.23 port 35536 ....
>>
>> Packet length = 46
>> 0b 00 00 2e ee dd 2f 22 e4 0d 03 25 f6 81 56 5d
>> d8 de 57 b1 4f 08 01 02 00 06 0d 20 50 12 a0 49
>> 7a c4 db 52 7f 89 ba a9 f5 35 32 61 29 3e
>> Code: Access-Challenge
>> Identifier: 0
>> Authentic: `<180> <187>8Q<217><212>z<203><147>=<190>p9<155>
>> Attributes:
>> EAP-Message = <1><2><0><6><13>
>> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
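Added example, written for this archive page and not part of the thread, of Radiator or of VitalAAA: a small Python decoder for the 46-byte Access-Challenge that Radiator dumped above. Parsing the bytes confirms what VitalAAA complained about: the reply carries only EAP-Message (type 79, an EAP-TLS Start) and Message-Authenticator (type 80), and no State (type 24). The second half shows what the AddToReply workaround does on the wire: it appends a State attribute and then re-signs the packet the way RFC 3579 requires for any packet carrying EAP-Message, Message-Authenticator (HMAC-MD5 with the Request Authenticator in the header and the Message-Authenticator value zeroed) first, then the RFC 2865 Response Authenticator over the result. The Request Authenticator is taken from the Access-Request dump in the trace; the shared secret `testing123` and the State value `radiator-eap-1` are assumptions, since the thread reveals neither, so the code cannot verify the real Message-Authenticator and only demonstrates the signing round-trip on the re-signed packet. It is not a substitute for eapol_test, which exercises the full EAP-TLS exchange.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2869).
ACCESS_CHALLENGE = 11
ATTR_STATE = 24
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_TLS_START = 0x20  # S bit of the EAP-TLS flags octet (RFC 5216)

# The Access-Challenge exactly as Radiator dumped it in the thread above, and the
# Request Authenticator from the Access-Request it answers (same dump).
CHALLENGE = bytes.fromhex(
    "0b00002e" "eedd2f22e40d0325f681565dd8de57b1"
    "4f08" "010200060d20"
    "5012" "a0497ac4db527f89baa9f5353261293e"
)
REQUEST_AUTHENTICATOR = bytes.fromhex("60b420bb3851d9d47acb933dbe70399b")
SECRET = b"testing123"  # assumption: the thread never reveals the shared secret


def parse_radius(pkt):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value)])."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return code, ident, pkt[4:20], attrs


def build_radius(code, ident, authenticator, attrs):
    """Serialise header + authenticator + TLV attributes, filling in Length."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def message_authenticator(pkt, request_authenticator, secret):
    """RFC 3579 3.2: HMAC-MD5 over the packet with the Message-Authenticator value
    zeroed and, for a reply, the Request Authenticator in the authenticator field."""
    code, ident, _, attrs = parse_radius(pkt)
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    msg = build_radius(code, ident, request_authenticator, zeroed)
    return hmac.new(secret, msg, hashlib.md5).digest()


def response_authenticator(code, ident, request_authenticator, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(build_radius(code, ident, request_authenticator, attrs) + secret).digest()


def challenge_report(pkt):
    """What an EAP client sees: which attributes are present and what the EAP payload says."""
    code, ident, _, attrs = parse_radius(pkt)
    types = [t for t, _ in attrs]
    report = {"code": code, "identifier": ident,
              "has_state": ATTR_STATE in types,
              "has_message_authenticator": ATTR_MESSAGE_AUTHENTICATOR in types}
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)  # concatenate fragments
    if len(eap) >= 4:
        ecode, eid, elen = struct.unpack("!BBH", eap[:4])
        report.update(eap_code=ecode, eap_id=eid,
                      eap_type=eap[4] if elen > 4 else None,
                      eap_tls_start=bool(eap[5] & EAP_TLS_START) if elen > 5 else False)
    return report


def add_state(pkt, state, request_authenticator, secret):
    """Append a State attribute (the wire effect of Radiator's AddToReply workaround)
    and re-sign: Message-Authenticator first, then the Response Authenticator."""
    code, ident, _, attrs = parse_radius(pkt)
    attrs = [(t, v) for t, v in attrs if t != ATTR_MESSAGE_AUTHENTICATOR]
    attrs += [(ATTR_STATE, state), (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    unsigned = build_radius(code, ident, request_authenticator, attrs)
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                 message_authenticator(unsigned, request_authenticator, secret))
    resp_auth = response_authenticator(code, ident, request_authenticator, attrs, secret)
    return build_radius(code, ident, resp_auth, attrs)


def verify_reply(pkt, request_authenticator, secret):
    """True only if both the Message-Authenticator and the Response Authenticator check out."""
    code, ident, resp_auth, attrs = parse_radius(pkt)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    mac_ok = hmac.compare_digest(macs[0], message_authenticator(pkt, request_authenticator, secret))
    ra_ok = hmac.compare_digest(
        resp_auth, response_authenticator(code, ident, request_authenticator, attrs, secret))
    return mac_ok and ra_ok


if __name__ == "__main__":
    print("as dumped  :", challenge_report(CHALLENGE))
    fixed = add_state(CHALLENGE, b"radiator-eap-1", REQUEST_AUTHENTICATOR, SECRET)
    print("with State :", challenge_report(fixed),
          "verifies:", verify_reply(fixed, REQUEST_AUTHENTICATOR, SECRET))
```

Two details of the dump are worth knowing when reading it against this decoder: the hex carries the Response Authenticator (`ee dd 2f 22 ...`) while Radiator's decoded "Authentic:" line for the challenge repeats the Request Authenticator, and the hex carries the final Message-Authenticator (`a0 49 7a c4 ...`, the same value VitalAAA logged) while the decoded line shows the zeros the HMAC was computed over. A constant State added with AddToReply only satisfies the client's check; it binds nothing, so the integrity of the round trip still rests entirely on Message-Authenticator and on EAP-TLS itself.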