[RADIATOR] Bridge not authenticating

Tim Jensen tjensen at silexamerica.com
Tue Jul 29 12:28:05 CDT 2008

Hello,

We are attempting to use PEAP to authenticate a wireless serial device
server through the Radiator RADIUS server.  We have been able to
authenticate this device using LEAP, the users file, and TLS, but this device
fails during the EAP handshake process in PEAP and TTLS.  Every time that
the device fails the handshake it reports "Handshake unsuccessful:  1228: 1
- error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate".
If we add a client certificate to the serial device server then the device
authenticates to the network without any problems, but at that point we are
basically using options in TTLS and PEAP to make the device act as though we
are using TLS.  Any insight that you could provide would be invaluable in
resolving this issue.

The configuration that we are using is a simple PEAP TTLS configuration
based on the configuration found in the goodies directory:

Foreground
LogStdout
LogDir            c:\Program Files\Radiator\logs
#DbDir                  c:\Program Files\Radiator
LogFile           %L/%m%d%y.log
DictionaryFile    c:\Program Files\Radiator\dictionary
PidFile           c:\Program Files\Radiator\radiusd.pid

BindAddress 192.0.0.1
AuthPort 1812
AcctPort 1813

Trace             4

<Client 192.0.0.15>
#Cisco AP
      Secret      *****
      Identifier CiscoAP
      DupInterval 0
</Client>

<Client 192.0.0.226>
#Proxim AP
      Secret      *****
      Identifier ProximAP
      DupInterval 0
</Client>

<Handler Client-Identifier=CiscoAP>
# Handler ID was test2
      AuthByPolicy ContinueUntilAccept

      <AuthBy FILE>
            SSLeayTrace 5
            EAPTLS_NoCheckId
            Filename c:\Program Files\Radiator\users
            EAPType  PEAP, TTLS
            EAPTLS_MaxFragmentSize 1000
            EAPTLS_CertificateType PEM
            EAPTLS_PrivateKeyPassword whatever
            EAPTLS_PrivateKeyFile c:\Program Files\Radiator\certificates\cert-srv.pem
            EAPTLS_CAFile c:\Program Files\Radiator\certificates\cacert.pem
            EAPTLS_CertificateFile c:\Program Files\Radiator\certificates\cert-srv.pem
            #AutoMPPEKeys
            EAPTTLS_NoAckRequired
            #EAPAnonymous testUser
            #EAPTLS_PEAPVersion 0
            #EAPTLS_PEAPBrokenV1Label
      </AuthBy>
# closing tag of the CiscoAP Handler (not present in the configuration as posted)
</Handler>

<Handler Client-Identifier=ProximAP>
      AuthByPolicy ContinueUntilAccept

      <AuthBy FILE>
            SSLeayTrace 5
            EAPTLS_NoCheckId
            Filename c:\Program Files\Radiator\users
            EAPType  PEAP
            EAPTLS_MaxFragmentSize 1000
            EAPTLS_CertificateType PEM
            EAPTLS_PrivateKeyPassword whatever
            EAPTLS_PrivateKeyFile c:\Program Files\Radiator\certificates\cert-srv.pem
            EAPTLS_CAFile c:\Program Files\Radiator\certificates\cacert.pem
            EAPTLS_CertificateFile c:\Program Files\Radiator\certificates\cert-srv.pem
            #AutoMPPEKeys
            EAPTTLS_NoAckRequired
            #EAPAnonymous testUser
            #EAPTLS_PEAPVersion 0
            EAPTLS_PEAPBrokenV1Label
      </AuthBy>
</Handler>

The attempted login trace shows the transmittal of the server side and CA
certificates:

Thu Jul 17 15:12:52 2008: DEBUG: Packet dump:
*** Received from 192.0.0.15 port 1645 ....
Code:       Access-Request
Identifier: 30
Authentic:  77<215>vku<235>S<183>C<203>I<193>1<143><218>
Attributes:
            User-Name = "test2"
            Framed-MTU = 1400
            Called-Station-Id = "000d.edc3.021b"
            Calling-Station-Id = "0040.178d.e1c7"
            Service-Type = Login-User
            Message-Authenticator = <220>k<181><140>U<4><16>Y^<3><166><168><162>V<245><146>
            EAP-Message = <2><4><0><6><21><0>
            NAS-Port-Type = Wireless-IEEE-802-11
            NAS-Port = 6166
            NAS-IP-Address = 192.0.0.15
            NAS-Identifier = "ap"

Thu Jul 17 15:12:52 2008: DEBUG: Handling request with Handler 'Client-Identifier=test2'
Thu Jul 17 15:12:52 2008: DEBUG:  Deleting session for test2, 192.0.0.15, 6166
Thu Jul 17 15:12:52 2008: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 17 15:12:52 2008: DEBUG: Handling with EAP: code 2, 4, 6, 21
Thu Jul 17 15:12:52 2008: DEBUG: Response type 21
Thu Jul 17 15:12:52 2008: DEBUG: EAP result: 3, EAP TTLS Challenge
Thu Jul 17 15:12:52 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
Thu Jul 17 15:12:52 2008: DEBUG: Access challenged for test2: EAP TTLS Challenge
Thu Jul 17 15:12:52 2008: DEBUG: Packet dump:
*** Sending to 192.0.0.15 port 1645 ....
Code:       Access-Challenge
Identifier: 30
Authentic:  77<215>vku<235>S<183>C<203>I<193>1<143><218>
Attributes:
            EAP-Message =
<1><5><2>@<21><0><24><198><152>$<180><138><238><216>m<238>X<191><169><249><1
49><207>"<224><212><240><176><204><172><230>$3&Yl<186><164>mT<21><129>'gQ<13
9><193><235>3<230><203>0<174><237><254><28>_<171>q<186>f<143><221><178><144>
<167>@<176><16><205><223><205>Z<235>)^+"<140><167><150><189>kQ.i<213>n<17>|H
<248>jA!<197><130><198>J<175>N<226><17><225>!<2><3><1><0><1><163><130><1>30<
130><1>/0<29><6><3>U<29><14><4><22><4><20>D<17>o<145><21><19><197><198>jL<17
>h<219><17><149><182><214><135><158><23>0<129><255><6><3>U<29>#<4><129><247>
0<129><244><128><20>D<17>o<145><21><19><197><198>jL<17>h<219><17><149><182><
214><135><158><23><161><129><208><164><129><205>0<129><202>1<11>0<9><6><3>U<
4><6><19><2>AU1<17>0<15><6><3>U<4><8><12><8>Victoria1<18>0<16><6><3>U<4><7><
12><9>Melbourne1<30>0<28><6><3>U<4>
            EAP-Message = <10><12><21>OSC Demo
Certificates1!0<31><6><3>U<4><11><12><24>Test Certificate
Section1/0-<6><3>U<4><3><12>&OSC Test CA (do not use in production)1
0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au<130><9><0
><190>J<223><236><255><245>@l0<12><6><3>U<29><19><4><5>0<3><1><1><255>0<13><
6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><192>i<147><134>k<2
06>9<139><223>8SNlE}<219><29><173>OK<146><229>e<137>\<152><252><243><195><19
3><11>Y<203><234><193><243>&z<23>)[<24>D
n<228><230><228><246>(2e<192>'K<218><143><161><224><131><203><193><159><155>
A1^
            EAP-Message =
nS<176><191>R<20>WV<182><147>T<21><247><255><195><249>YZ<198>k<147><209>L<17
1><130><185><177><241>|<179>U<171><232><129><200><253><212><152><19>M<211>_<
135>y<25><163><130><175><131><155>hh~<178>AQf<144><217>wM<22><3><1><0><4><14
><0><0><0>
            Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Jul 17 15:12:52 2008: DEBUG: Packet dump:
*** Received from 192.0.0.15 port 1645 ....
Code:       Access-Request
Identifier: 31
Authentic:  <159><25><163><230>0<224>J<200>\<200><30>$<188>y<254><225>
Attributes:
            User-Name = "test2"
            Framed-MTU = 1400
            Called-Station-Id = "000d.edc3.021b"
            Calling-Station-Id = "0040.178d.e1c7"
            Service-Type = Login-User
            Message-Authenticator = HD#<248>P<202><151><6>C<219><246><215>s<141><27><236>
            EAP-Message = <2><5><0><13><21><0><21><3><1><0><2><2>*
            NAS-Port-Type = Wireless-IEEE-802-11
            NAS-Port = 6166
            NAS-IP-Address = 192.0.0.15
            NAS-Identifier = "ap"

Thu Jul 17 15:12:52 2008: DEBUG: Handling request with Handler 'Client-Identifier=test2'
Thu Jul 17 15:12:52 2008: DEBUG:  Deleting session for test2, 192.0.0.15, 6166
Thu Jul 17 15:12:52 2008: DEBUG: Handling with Radius::AuthFILE:
Thu Jul 17 15:12:52 2008: DEBUG: Handling with EAP: code 2, 5, 13, 21
Thu Jul 17 15:12:52 2008: DEBUG: Response type 21
Thu Jul 17 15:12:52 2008: DEBUG: EAP TTLS data, 8576, 5, 3
Thu Jul 17 15:12:52 2008: DEBUG: EAP TTLS SSL_accept result: 0, 1, 8576
Thu Jul 17 15:12:52 2008: DEBUG: EAP result: 1, EAP TTLS Handshake unsuccessful:  3416: 1 - error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Thu Jul 17 15:12:52 2008: DEBUG: AuthBy FILE result: REJECT, EAP TTLS Handshake unsuccessful:  3416: 1 - error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Thu Jul 17 15:12:52 2008: INFO: Access rejected for test2: EAP TTLS Handshake unsuccessful:  3416: 1 - error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Thu Jul 17 15:12:52 2008: DEBUG: Packet dump:
*** Sending to 192.0.0.15 port 1645 ....
Code:       Access-Reject
Identifier: 31
Authentic:  <159><25><163><230>0<224>J<200>\<200><30>$<188>y<254><225>
Attributes:
            Reply-Message = "Request Denied"

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.open.com.au/pipermail/radiator/attachments/20080729/68a4f0df/attachment-0001.html>
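The following is an added example for readers of this thread, not code from the original message and not part of Radiator. It decodes the EAP-Message attributes from a Radiator packet dump (printable bytes shown literally, everything else as <decimal>) into the EAP header, the TTLS/PEAP flags byte and the TLS record behind it. Run over the two client responses quoted in the trace above, it shows that the device's second response (Access-Request id 31) carries a fatal TLS alert with description 42, bad_certificate, sent by the device itself; OpenSSL's "SSL3_READ_BYTES: sslv3 alert bad certificate" likewise reports an alert received from the peer. That places the failure on the supplicant's validation of the server certificate it has just received (the trace shows a certificate chained to the "OSC Test CA (do not use in production)" demo CA being sent), which is the first thing to check before changing PEAP or TTLS options. The sample inputs are copied from the trace; the function names are the example's own.

```python
import re

# Constructed sample input: the two EAP-Message attributes the device sent in
# the trace above (Access-Request id 30 and id 31), in Radiator's packet-dump
# notation where printable bytes appear literally and others as <decimal>.
SAMPLE_EAP_MESSAGES = {
    "Access-Request 30": "<2><4><0><6><21><0>",
    "Access-Request 31": "<2><5><0><13><21><0><21><3><1><0><2><2>*",
}

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP methods that carry a TLS stream behind a one-byte flags field
TLS_METHODS = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_RECORD = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_ALERT_LEVEL = {1: "warning", 2: "fatal"}
# TLS 1.0/1.1 AlertDescription values (RFC 2246 / RFC 4346)
TLS_ALERT_DESC = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}
CERT_ALERTS = {"bad_certificate", "unsupported_certificate", "certificate_revoked",
               "certificate_expired", "certificate_unknown", "unknown_ca"}

_TOKEN = re.compile(r"<(\d+)>|(.)", re.S)


def dump_to_bytes(dump: str) -> bytes:
    """Turn Radiator packet-dump notation back into raw bytes.

    Line breaks inside a dumped attribute are mail-client wrapping (a token
    such as <149> can arrive split as '<1' / '49>'), so they are removed first.
    """
    out = bytearray()
    for m in _TOKEN.finditer(dump.replace("\r", "").replace("\n", "")):
        out.append(int(m.group(1)) if m.group(1) is not None else ord(m.group(2)))
    return bytes(out)


def classify_tls(tls: bytes) -> dict:
    """Identify what the TLS payload of one EAP fragment contains."""
    if not tls:
        return {"record": "ack"}  # empty TTLS/PEAP fragment acknowledges the last one
    kind = TLS_RECORD.get(tls[0])
    if kind == "alert" and len(tls) >= 7:
        return {"record": "alert", "tls_version": (tls[1], tls[2]),
                "level": TLS_ALERT_LEVEL.get(tls[5], tls[5]),
                "description": TLS_ALERT_DESC.get(tls[6], tls[6])}
    if kind == "handshake" and len(tls) >= 6:
        return {"record": "handshake", "tls_version": (tls[1], tls[2]), "handshake_type": tls[5]}
    # No record header at the start: the fragment continues a TLS message begun
    # in an earlier EAP packet (as the server's id-5 request in the trace does),
    # or it is encrypted application data.
    return {"record": "continuation_or_opaque", "first_byte": tls[0]}


def parse_eap_message(dump: str) -> dict:
    """Decode one dumped EAP-Message: EAP header, method, flags and TLS payload."""
    raw = dump_to_bytes(dump)
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "complete": length == len(raw)}
    if code not in (1, 2) or len(raw) < 6:
        return info  # Success/Failure carry no method payload
    method = raw[4]
    info["method"] = TLS_METHODS.get(method, method)
    if method not in TLS_METHODS:
        return info
    flags = raw[5]  # L = length included, M = more fragments, S = start; low bits = version
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                     "S": bool(flags & 0x20), "version": flags & 0x07}
    pos = 6
    if flags & 0x80:  # L bit: four-byte total TLS message length precedes the data
        info["tls_message_length"] = int.from_bytes(raw[6:10], "big")
        pos = 10
    info["tls"] = classify_tls(raw[pos:])
    return info


def peer_rejected_certificate(info: dict) -> bool:
    """True when the fragment is a fatal certificate-related alert sent by the supplicant."""
    tls = info.get("tls", {})
    return (info.get("code") == "Response" and tls.get("record") == "alert"
            and tls.get("level") == "fatal" and tls.get("description") in CERT_ALERTS)


if __name__ == "__main__":
    for name, dump in SAMPLE_EAP_MESSAGES.items():
        info = parse_eap_message(dump)
        verdict = "supplicant rejected the server certificate" if peer_rejected_certificate(info) else "no alert"
        print(f"{name}: {info}\n  -> {verdict}")
```

The decoder deliberately stops at the TLS record layer: once a fatal alert has been identified, the next question is which certificate the device was shown and whether the CA that issued it is installed on the device as trusted, which is answered on the supplicant side rather than by further changes to the RADIUS configuration.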
