[RADIATOR] help with AuthBy LSA failure

Hugh Irvine hugh at open.com.au
Mon Jul 14 18:57:54 CDT 2008


Hello Jason -

Thanks very much for the additional information.

The first problem with the undefined attributes is a number of HP  
vendor-specific RADIUS attributes included in the request:

> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
>

Vendor 11 is HP, so you should ask them for their list of vendor-specific
RADIUS attributes and send them to me so I can add them to the standard
Radiator dictionary.

The second problem appears to be with your configuration file and/or  
certificates.

> Mon Jul 14 11:18:23 2008: DEBUG: Response type 1
> Prototype mismatch: sub Net::SSLeay::randomize (;$$) vs none at  
> (eval 48) line 1.
> Mon Jul 14 11:18:23 2008: ERR: TLS could not load_verify_locations , :
> Mon Jul 14 11:18:23 2008: DEBUG: EAP result: 1, EAP TLS Could not  
> initialise context

This usually indicates that Radiator is not able to find the  
certificates that you need for EAP.

If you download the Radiator source tarball and unpack it in a  
suitable directory, you can use the example configuration file and  
the example certificates like this in a terminal window:


	cd C:\your\Radiator\distribution

	perl radiusd -foreground -log_stdout -trace 4 -config_file goodies/eap_peap.cfg

	.....

The example configuration files use the sample certificates located in
the "certificates" directory of the Radiator distribution.

hope that helps

regards

Hugh


On 15 Jul 2008, at 01:22, Jason Mueller wrote:

> Hugh,
>
>> Can you please tell me what access server, what version of  
>> Windows, what version of Perl, and what version of OpenSSL you are  
>> running?
>
> NAS: HP5406zl running K.13.09; authenticating client on a 24-port  
> Ethernet Gig module (J8702A)
> Windows: Win2003 Server SP1
> Perl: 5.8.8 (ActiveState distribution)
> OpenSSL: 0.9.8g (Shining Light binary distribution)
>
> I have commented out "AutoMPPEKeys", as we will only need that for  
> our wireless users. Otherwise, there is not much to the config.
>
>
>> If you can send us a trace 5 debug it will help.
>
> A trace with debug level 5 is below:
>
> Mon Jul 14 11:18:14 2008: DEBUG: Finished reading configuration  
> file 'C:\Program Files\Radiator\radius.cfg'
> This Radiator license will expire on 2008-08-30
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
>
> Mon Jul 14 11:18:14 2008: DEBUG: Reading dictionary file 'E:/Radiator/dictionary'
> Mon Jul 14 11:18:15 2008: DEBUG: Creating authentication port  
> 0.0.0.0:1812
> Mon Jul 14 11:18:15 2008: DEBUG: Creating accounting port 0.0.0.0:1813
> Mon Jul 14 11:18:15 2008: NOTICE: Server started: Radiator 4.2 on  
> iubiastest (LOCKED)
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: ERR: Attribute number 255 (vendor 11) is  
> not defined in your dictionary
> Mon Jul 14 11:18:23 2008: DEBUG: Packet dump:
> *** Received from 129.79.9.37 port 1026 ....
>
> Packet length = 315
> 01 20 01 3b 4e 17 c8 b2 31 43 36 a9 2e 05 67 7a
> 1b a2 9a 64 0c 06 00 00 05 ba 04 06 81 4f 09 25
> 20 0a 6a 63 6d 2d 74 65 73 74 01 0a 6a 61 73 6d
> 75 65 6c 6c 06 06 00 00 00 02 07 06 00 00 00 01
> 05 06 00 00 00 18 3d 06 00 00 00 0f 57 05 41 32
> 34 1e 13 30 30 2d 31 37 2d 61 34 2d 62 62 2d 30
> 37 2d 30 30 1f 13 30 30 2d 31 36 2d 63 62 2d 38
> 61 2d 61 38 2d 37 65 4d 27 43 4f 4e 4e 45 43 54
> 20 45 74 68 65 72 6e 65 74 20 31 30 30 30 4d 62
> 70 73 20 46 75 6c 6c 20 64 75 70 6c 65 78 40 06
> 00 00 00 0d 41 06 00 00 00 06 51 05 31 30 30 4f
> 0f 02 16 00 0d 01 6a 61 73 6d 75 65 6c 6c 50 12
> 41 a3 49 ae d5 bd c6 90 ee 62 19 88 26 38 f1 a7
> 1a 0c 00 00 01 37 09 06 00 00 00 0b 1a 0f 00 00
> 00 0b ff 09 01 1a 00 00 00 0b 28 1a 0f 00 00 00
> 0b ff 09 01 1a 00 00 00 0b 2e 1a 0f 00 00 00 0b
> ff 09 01 1a 00 00 00 0b 3d 1a 0a 00 00 00 0b ff
> 04 01 38 1a 0a 00 00 00 0b ff 04 01 3a 1a 0a 00
> 00 00 0b ff 04 01 40 1a 0a 00 00 00 0b ff 04 01
> 41 1a 0a 00 00 00 0b ff 04 01 51
> Code:       Access-Request
> Identifier: 32
> Authentic:  N<23><200><178>1C6<169>.<5>gz<27><162><154>d
> Attributes:
>         Framed-MTU = 1466
>         NAS-IP-Address = 129.79.9.37
>         NAS-Identifier = "jcm-test"
>         User-Name = "jasmuell"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         NAS-Port = 24
>         NAS-Port-Type = Ethernet
>         NAS-Port-Id = "A24"
>         Called-Station-Id = "00-17-a4-bb-07-00"
>         Calling-Station-Id = "00-16-cb-8a-a8-7e"
>         Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
>         Tunnel-Type = 0:VLAN
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 100
>         EAP-Message = <2><22><0><13><1>jasmuell
>         Message-Authenticator =  
> A<163>I<174><213><189><198><144><238>b<25><136>&8<241><167>
>         MS-RAS-Vendor = 11
>
> Mon Jul 14 11:18:23 2008: DEBUG: Handling request with Handler ''
> Mon Jul 14 11:18:23 2008: DEBUG:  Deleting session for jasmuell,  
> 129.79.9.37, 24
> Mon Jul 14 11:18:23 2008: DEBUG: Handling with Radius::AuthFILE:
> Mon Jul 14 11:18:23 2008: DEBUG: Handling with EAP: code 2, 22, 13, 1
> Mon Jul 14 11:18:23 2008: DEBUG: Response type 1
> Prototype mismatch: sub Net::SSLeay::randomize (;$$) vs none at  
> (eval 48) line 1.
> Mon Jul 14 11:18:23 2008: ERR: TLS could not load_verify_locations , :
> Mon Jul 14 11:18:23 2008: DEBUG: EAP result: 1, EAP TLS Could not  
> initialise context
> Mon Jul 14 11:18:23 2008: DEBUG: AuthBy FILE result: REJECT, EAP  
> TLS Could not initialise context
> Mon Jul 14 11:18:23 2008: INFO: Access rejected for jasmuell: EAP  
> TLS Could not initialise context
> Mon Jul 14 11:18:23 2008: DEBUG: Packet dump:
> *** Sending to 129.79.9.37 port 1026 ....
>
> Packet length = 36
> 03 20 00 24 d9 67 5f a3 a4 0c f9 aa b2 0c 1b 45
> b2 69 ed be 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 32
> Authentic:   
> <217>g_<163><164><12><249><170><178><12><27>E<178>i<237><190>
> Attributes:
>         Reply-Message = "Request Denied"
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
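The eight "Attribute number 255 (vendor 11) is not defined in your dictionary" lines in the trace correspond to eight Vendor-Specific (type 26) attributes in the dumped Access-Request, each wrapping one HP sub-attribute of vendor-type 255. The following Python script is an added example, not Radiator code and not from either poster: it decodes the packet dump quoted above, lists every (vendor-id, vendor-type) pair that has no dictionary entry, recovers the EAP header Radiator logged, and range-checks every length field before using it (a RADIUS or VSA decoder that trusts the on-wire length is a classic over-read). The packet bytes are copied from the trace; the KNOWN_VSAS table, the VENDORATTR line layout and the placeholder attribute names and data type are assumptions to be replaced with HP's documented definitions.

```python
"""Decode the Access-Request dumped in the trace above and list the
vendor-specific attributes (VSAs) Radiator reported as undefined.
Added example, not Radiator code: PACKET_HEX is copied from the
"Received from 129.79.9.37" packet dump; KNOWN_VSAS stands in for the
dictionary and deliberately lacks vendor 11 (HP) type 255."""
import struct
PACKET_HEX = """
01 20 01 3b 4e 17 c8 b2 31 43 36 a9 2e 05 67 7a
1b a2 9a 64 0c 06 00 00 05 ba 04 06 81 4f 09 25
20 0a 6a 63 6d 2d 74 65 73 74 01 0a 6a 61 73 6d
75 65 6c 6c 06 06 00 00 00 02 07 06 00 00 00 01
05 06 00 00 00 18 3d 06 00 00 00 0f 57 05 41 32
34 1e 13 30 30 2d 31 37 2d 61 34 2d 62 62 2d 30
37 2d 30 30 1f 13 30 30 2d 31 36 2d 63 62 2d 38
61 2d 61 38 2d 37 65 4d 27 43 4f 4e 4e 45 43 54
20 45 74 68 65 72 6e 65 74 20 31 30 30 30 4d 62
70 73 20 46 75 6c 6c 20 64 75 70 6c 65 78 40 06
00 00 00 0d 41 06 00 00 00 06 51 05 31 30 30 4f
0f 02 16 00 0d 01 6a 61 73 6d 75 65 6c 6c 50 12
41 a3 49 ae d5 bd c6 90 ee 62 19 88 26 38 f1 a7
1a 0c 00 00 01 37 09 06 00 00 00 0b 1a 0f 00 00
00 0b ff 09 01 1a 00 00 00 0b 28 1a 0f 00 00 00
0b ff 09 01 1a 00 00 00 0b 2e 1a 0f 00 00 00 0b
ff 09 01 1a 00 00 00 0b 3d 1a 0a 00 00 00 0b ff
04 01 38 1a 0a 00 00 00 0b ff 04 01 3a 1a 0a 00
00 00 0b ff 04 01 40 1a 0a 00 00 00 0b ff 04 01
41 1a 0a 00 00 00 0b ff 04 01 51
"""
PACKET = bytes.fromhex("".join(PACKET_HEX.split()))
VENDOR_SPECIFIC, EAP_MESSAGE = 26, 79
VENDOR_NAMES = {11: "HP", 311: "Microsoft"}
KNOWN_VSAS = {(311, 9): "MS-RAS-Vendor"}   # (vendor-id, vendor-type) -> name; assumed subset

def parse_attributes(raw):
    """RFC 2865 section 3: return (code, identifier, [(type, value), ...]);
    every Length is checked against its enclosing length before use."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad Length field %d" % length)
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d has bad length %d" % (atype, alen))
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def parse_vsa(value):
    """RFC 2865 section 5.26: split a Vendor-Specific value into
    (vendor_id, vendor_type, data) triples; one attribute may carry several."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific value too short")
    vendor, out, pos = struct.unpack("!I", value[:4])[0], [], 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("vendor %d type %d has bad length %d" % (vendor, vtype, vlen))
        out.append((vendor, vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return out

def is_well_formed(raw):
    """True if the packet and every VSA inside it parse with consistent lengths."""
    try:
        for atype, value in parse_attributes(raw)[2]:
            if atype == VENDOR_SPECIFIC:
                parse_vsa(value)
        return True
    except ValueError:
        return False

def undefined_vsas(raw):
    """Sub-attributes absent from KNOWN_VSAS; Radiator logs one ERR line per entry."""
    return [v for t, val in parse_attributes(raw)[2] if t == VENDOR_SPECIFIC
            for v in parse_vsa(val) if (v[0], v[1]) not in KNOWN_VSAS]

def eap_header(raw):
    """(code, id, length, type) of the EAP packet, as in 'Handling with EAP: code 2, 22, 13, 1'."""
    eap = b"".join(v for t, v in parse_attributes(raw)[2] if t == EAP_MESSAGE)
    return struct.unpack("!BBH", eap[:4]) + (eap[4],)

def dictionary_lines(raw):
    """One line per undefined (vendor, type) pair in the 'VENDORATTR vendor-id name type
    datatype' layout assumed for Radiator's dictionary; name and datatype are placeholders."""
    return ["VENDORATTR\t%d\t%s-Attr-%d\t%d\tstring" % (v, VENDOR_NAMES.get(v, "Vendor%d" % v), t, t)
            for v, t in sorted({(v, t) for v, t, _ in undefined_vsas(raw)})]

if __name__ == "__main__":
    for vendor, vtype, data in undefined_vsas(PACKET):
        print("undefined: vendor %d (%s) type %d data %s" % (vendor, VENDOR_NAMES.get(vendor, "?"), vtype, data.hex()))
    print("EAP header:", eap_header(PACKET), "\n" + "\n".join(dictionary_lines(PACKET)))
```

Running it prints eight "undefined: vendor 11 (HP) type 255" lines (three with 7 bytes of data, five with 2), the EAP header (2, 22, 13, 1) that matches the "Handling with EAP" trace line, and a single placeholder VENDORATTR line, since all eight attributes share one (vendor, type) pair. The undefined attributes are informational here: Radiator still proxied the request to the EAP handler, and the reject came from the TLS context failure, not from the dictionary errors.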
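The "TLS could not load_verify_locations" line in the trace is the OpenSSL call SSL_CTX_load_verify_locations() failing on the CA file Radiator was told to use, which is why the EAP-TLS context cannot be initialised and every EAP request is rejected. The Python script below is an added example, not Radiator code and not from the original post: it reads the EAPTLS_* file parameters out of a Radiator configuration and opens the files with Python's ssl module, which issues the same OpenSSL calls, so a missing, unreadable or non-PEM CA file, certificate or key is reported before radiusd is started. The parameter names EAPTLS_CAFile, EAPTLS_CertificateFile, EAPTLS_PrivateKeyFile and EAPTLS_PrivateKeyPassword and the %D (DbDir) macro are Radiator's; the sample configuration, the DbDir and the files created in demo() are constructed for the example, and PEM files are assumed (EAPTLS_CertificateType is not checked).

```python
"""Preflight the EAP-TLS file settings of a Radiator configuration using
the same OpenSSL calls Radiator makes.  Added example, not part of Radiator;
the configuration and files built in demo() are constructed sample data."""
import os
import re
import ssl
import tempfile

FILE_PARAMS = ("EAPTLS_CAFile", "EAPTLS_CertificateFile", "EAPTLS_PrivateKeyFile")
PARAM_RE = re.compile(r"^(EAPTLS_\w+)\s+(.+?)\s*$")

def eaptls_params(config_text, dbdir):
    """Collect EAPTLS_* parameters from a Radiator config, ignoring '#' comments
    and expanding the %D macro (Radiator's DbDir) in the values."""
    params = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2).replace("%D", dbdir)
    return params

def preflight(config_text, dbdir):
    """Return a list of (parameter, problem) pairs; an empty list means the CA
    file, certificate and private key all load with OpenSSL."""
    params = eaptls_params(config_text, dbdir)
    problems = []
    for name in FILE_PARAMS:
        if name not in params:
            problems.append((name, "not set"))
        elif not os.path.isfile(params[name]):
            problems.append((name, "file not found: " + params[name]))
    bad = {name for name, _ in problems}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if "EAPTLS_CAFile" not in bad:
        try:  # the call Radiator's "TLS could not load_verify_locations" refers to
            ctx.load_verify_locations(cafile=params["EAPTLS_CAFile"])
        except OSError as e:  # ssl.SSLError is a subclass of OSError
            problems.append(("EAPTLS_CAFile", "load_verify_locations failed: %s" % e))
    if not bad & {"EAPTLS_CertificateFile", "EAPTLS_PrivateKeyFile"}:
        try:  # server certificate and key, unlocked with EAPTLS_PrivateKeyPassword if set
            ctx.load_cert_chain(params["EAPTLS_CertificateFile"], params["EAPTLS_PrivateKeyFile"],
                                params.get("EAPTLS_PrivateKeyPassword"))
        except OSError as e:
            problems.append(("EAPTLS_CertificateFile", "load_cert_chain failed: %s" % e))
    return problems

# Constructed sample config (not the poster's radius.cfg); paths are relative to %D.
SAMPLE_CONFIG = """
<Handler>
	<AuthBy FILE>
		Filename %D/users
		EAPType PEAP
		EAPTLS_CAFile %D/cacert.pem
		EAPTLS_CertificateFile %D/cert-srv.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever
	</AuthBy>
</Handler>
"""

def demo():
    """Constructed scenario: the CA file exists but is not PEM, and the server
    certificate/key file is missing, so both failure modes are reported."""
    with tempfile.TemporaryDirectory() as dbdir:
        with open(os.path.join(dbdir, "cacert.pem"), "w") as f:
            f.write("this is not a certificate\n")
        return preflight(SAMPLE_CONFIG, dbdir)

if __name__ == "__main__":
    for name, problem in demo() or [("EAPTLS_* files", "OK")]:
        print("%-24s %s" % (name, problem))
```

To check a real installation, call preflight() with the text of radius.cfg and the directory DbDir points at; on the poster's server that means checking whether the paths resolve under C:\Program Files\Radiator or E:\Radiator, since the trace shows the configuration on one drive and the dictionary on the other. A clean run of this script is the condition under which Radiator's EAP TLS context can be created; it does not check that the certificate is the one the supplicants trust.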