(RADIATOR) EapTLS question

Markus Moeller huaraz at moeller.plus.com
Thu Feb 21 14:25:33 CST 2008


Mike,

it works fine with eapol_test.

Thank you
Markus


----- Original Message ----- 
From: "Mike McCauley" <mikem at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Tuesday, February 19, 2008 11:34 PM
Subject: Re: (RADIATOR) EapTLS question


> Hello Markus,
>
>
> On Wednesday 20 February 2008 07:34, Markus Moeller wrote:
>> The final part of my setup is to support EapTLS for wireless.  As I don't
>> yet have an AP to test with I was using Lucent's VitalAAA radius client.
>>
>> The client gives me an error message: State attribute is missing in
>> Access-Challenge
>>
>> Is this a configuration error or an incompatible client?
>
> State is an optional reply attribute, so for your client to complain about
> its absence is broken.
> You can add a bogus State reply attribute with the AddToReply parameter.
>
> We often use eapol_test (part of the hostap package) for testing TLS and
> other EAP types. It's open source and doesn't have that broken behaviour.
>
> Cheers.
>
>>
>> Thank you
>> Markus
>>
>> P.S. Config extract is attached.
>>
>> VitalAAA client log:
>>
>> 2008/02/19 21:19:35.898 {AWT-EventQueue-0} <tls.certandkeymanager> Installed ClientCert EMAILADDRESS=markus at moeller.plus.com, CN=Test LAB, OU=Engineering, O=HOME L=London, ST=London, C=GB as RSA
>> 2008/02/19 21:19:35.902 {AWT-EventQueue-0} <tls.certandkeymanager> Installed ServerSet EMAILADDRESS=markus at moeller.plus.com, CN=Test LAB, OU=Engineering, O=HOME L=London, ST=London, C=GB as RSA
>> 2008/02/19 21:19:35.903 {AWT-EventQueue-0} <tls.certandkeymanager> Installed ServerSet EMAILADDRESS=markus at moeller.plus.com, CN=Test LAB, OU=Engineering, O=HOME L=London, ST=London, C=GB as DHE_RSA
>> 2008/02/19 21:19:35.910 {AWT-EventQueue-0} <callback.eap.tls> Creating new client
>> 2008/02/19 21:19:35.916 {Radius Client Driver} <radiusClient> Xmit: Access-Request to 10.142.161.97:1812 User-Name = "testuser at company.com"
>>         EAP-Message =
>>             code = Response
>>             Identifier = 1
>>             Type = Identity
>>             Type-Data = "testuser at company.com"
>>         Message-Authenticator = "00000000000000000000000000000000"
>>
>> 2008/02/19 21:19:36.246 {Radius Client Listener 0.0.0.0:35536} <radiusClient> Recv: Access-Challenge after 336 ms. EAP-Message =
>>             code = Request
>>             Identifier = 2
>>             Type = TLS
>>             Type-Data = " "
>>         Message-Authenticator = "A0497AC4DB527F89BAA9F5353261293E"
>>
>> 2008/02/19 21:19:36.248 {Basic Callback} <tls.protocolhandler> client/5 >>> Transmitting ClientHello
>> 2008/02/19 21:19:36.248 {Basic Callback} <callback.eap.tls> Enter nwkDataAvailable( ByteBuffer[] array )
>> 2008/02/19 21:19:36.249 {Basic Callback} <callback.eap.tls> Sending a 0 byte message to the EAP TLS client
>> 2008/02/19 21:19:36.249 {Basic Callback} <callback.eap.tls> Received a 62 byte message from the EAP TLS client
>> 2008/02/19 21:19:36.249 {Basic Callback} <radiusclient.callback.challenge> (ERROR) State attribute is missing in Access-Challenge
>> 2008/02/19 21:19:36.249 {Basic Callback} <callback.eap.tls> Closing client
>>
>>
>> Radiator Trace output
>>
>>
>> /usr/bin/radiusd -config_file /etc/radiator/radius.cfg -log_stdout -trace 5 -foreground
>> Tue Feb 19 20:58:05 2008: DEBUG: include /etc/radiator/readclients.pl|
>> Tue Feb 19 20:58:05 2008: NOTICE: Reading clients file /etc/radiator/clients
>> Tue Feb 19 20:58:06 2008: DEBUG: Creating TACACSPLUS port 0.0.0.0:49
>> Tue Feb 19 20:58:06 2008: DEBUG: Creating StreamServer tcp port 0.0.0.0:9443
>> Tue Feb 19 20:58:06 2008: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>> Tue Feb 19 20:58:06 2008: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
>> Tue Feb 19 20:58:06 2008: DEBUG: Creating authentication port 0.0.0.0:1812
>> Tue Feb 19 20:58:06 2008: DEBUG: Creating accounting port 0.0.0.0:1813
>> Tue Feb 19 20:58:06 2008: NOTICE: Server started: Radiator 4.0 on radius-server1
>> Tue Feb 19 20:58:25 2008: DEBUG: Packet dump:
>> *** Received from 10.128.55.23 port 35536 ....
>>
>> Packet length = 73
>> 01 00 00 49 60 b4 20 bb 38 51 d9 d4 7a cb 93 3d
>> be 70 39 9b 01 0f 6d 6f 65 6c 6d 61 40 64 62 2e
>> 63 6f 6d 4f 14 02 01 00 12 01 6d 6f 65 6c 6d 61
>> 40 64 62 2e 63 6f 6d 50 12 10 f6 7b 50 45 19 e8
>> 7f c4 f2 d4 5c 51 28 7c 5b
>> Code:       Access-Request
>> Identifier: 0
>> Authentic:  `<180> <187>8Q<217><212>z<203><147>=<190>p9<155>
>> Attributes:
>>         User-Name = "testuser at company.com"
>>         EAP-Message = <2><1><0><18><1>testuser at company.com
>>         Message-Authenticator = <16><246>{PE<25><232><127><196><242><212>\Q(|[
>>
>> Tue Feb 19 20:58:25 2008: DEBUG: PreHandlerHook added LDAP  Attributes:
>> Tue Feb 19 20:58:25 2008: DEBUG: User-Mail = markus at moeller.plus.com
>> Tue Feb 19 20:58:25 2008: DEBUG: USER-PRINCIPAL-NAME = testuser at company.com
>> Tue Feb 19 20:58:25 2008: DEBUG: Handling request with Handler 'Device-Class=Wlan'
>> Tue Feb 19 20:58:25 2008: DEBUG:  Deleting session for testuser at company.com, 192.168.100.1,
>> Tue Feb 19 20:58:25 2008: DEBUG: Handling with Radius::AuthFILE: EapTLS
>> Tue Feb 19 20:58:25 2008: DEBUG: Handling with EAP: code 2, 1, 18, 1
>> Tue Feb 19 20:58:25 2008: DEBUG: Response type 1
>> Tue Feb 19 20:58:25 2008: DEBUG: EAP result: 3, EAP TLS Challenge
>> Tue Feb 19 20:58:25 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
>> Tue Feb 19 20:58:25 2008: DEBUG: Access challenged for testuser at company.com: EAP TLS Challenge
>> Tue Feb 19 20:58:25 2008: DEBUG: Packet dump:
>> *** Sending to 10.128.55.23 port 35536 ....
>>
>> Packet length = 46
>> 0b 00 00 2e ee dd 2f 22 e4 0d 03 25 f6 81 56 5d
>> d8 de 57 b1 4f 08 01 02 00 06 0d 20 50 12 a0 49
>> 7a c4 db 52 7f 89 ba a9 f5 35 32 61 29 3e
>> Code:       Access-Challenge
>> Identifier: 0
>> Authentic:  `<180> <187>8Q<217><212>z<203><147>=<190>p9<155>
>> Attributes:
>>         EAP-Message = <1><2><0><6><13>
>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> -- 
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia 
> http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
> 


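As an added illustration of the missing-State complaint in this thread (example code, not from the thread and not Radiator's own), the parser below decodes the Access-Challenge hex dump quoted above and confirms no State (type 24) attribute is present, and add_state shows why such an attribute has to be added before the server signs the reply, as AddToReply does: it changes the Length field, the Message-Authenticator and the Response Authenticator. The shared secret "secret" and the two-byte State value in the usage are constructed; the Request Authenticator is taken from the Access-Request dump in the same trace.

```python
import hashlib
import hmac
import struct

# Access-Challenge bytes copied from the Radiator packet dump quoted in this thread.
CHALLENGE = bytes.fromhex(
    "0b00002eeedd2f22e40d0325f681565dd8de57b1"  # Code 11, Id 0, Length 46, Response Authenticator
    "4f08010200060d20"                          # EAP-Message: EAP Request, id 2, type 13 (TLS), Start flag
    "5012a0497ac4db527f89baa9f5353261293e"      # Message-Authenticator
)
REQUEST_AUTH = bytes.fromhex("60b420bb3851d9d47acb933dbe70399b")  # from the Access-Request dump above
STATE, MSG_AUTH = 24, 80  # attribute types: State (RFC 2865), Message-Authenticator (RFC 2869)

def parse_radius(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...]); raise on malformed input."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("short packet or Length field does not match packet size")
    attrs, pos = [], 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return pkt[0], pkt[1], pkt[4:20], attrs

def has_state(pkt):
    return any(t == STATE for t, _ in parse_radius(pkt)[3])

def _encode(attrs, zero_mac=False):
    return b"".join(bytes((t, len(v) + 2)) + (bytes(len(v)) if zero_mac and t == MSG_AUTH else v)
                    for t, v in attrs)

def finalize(code, ident, attrs, request_auth, secret):
    """Serialise a reply: Message-Authenticator = HMAC-MD5(secret, header + Request Authenticator +
    attributes with the MAC zeroed) per RFC 3579 3.2, then Response Authenticator = MD5(header +
    Request Authenticator + attributes + secret) per RFC 2865 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(_encode(attrs)))
    mac = hmac.new(secret, header + request_auth + _encode(attrs, True), hashlib.md5).digest()
    body = _encode([(t, mac if t == MSG_AUTH else v) for t, v in attrs])
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def add_state(reply, state, request_auth, secret):
    """Rebuild a reply with a State attribute; Length and both integrity fields change with it."""
    code, ident, _, attrs = parse_radius(reply)
    attrs = [a for a in attrs if a[0] != MSG_AUTH] + [(STATE, state), (MSG_AUTH, bytes(16))]
    return finalize(code, ident, attrs, request_auth, secret)

def verify_reply(reply, request_auth, secret):
    """True when the reply's Message-Authenticator and Response Authenticator match the secret."""
    code, ident, _, attrs = parse_radius(reply)
    return hmac.compare_digest(finalize(code, ident, attrs, request_auth, secret), reply)
```

Running `has_state(CHALLENGE)` reproduces the client's finding (no State), and `verify_reply(add_state(CHALLENGE, b"\x00\x01", REQUEST_AUTH, b"secret"), REQUEST_AUTH, b"secret")` shows the rebuilt reply only validates when both integrity fields were recomputed with the secret.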