[RADIATOR] Bridge not authenticating

Mike McCauley mikem at open.com.au
Tue Jul 29 19:23:52 CDT 2008


Hello Tim,

thanks for your note,

On Wednesday 30 July 2008 03:28, Tim Jensen wrote:
> Hello,
>
> We are attempting to use PEAP to authenticate a wireless serial device
> server through the Radiator radius server.  We have been able to
> authenticate this device using LEAP, the users file, and TLS but this
> device fails during the EAP handshake process in PEAP and TTLS.  Every time
> that the device fails the handshake it reports "Handshake unsuccessful: 
> 1228: 1 - error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate" . If we add a client certificate to the serial device server
> then the device authenticates to the network without any problems but at
> that point we are basically using options in TTLS and PEAP to make the
> device act as though we are using TLS.  Any insight that you could provide
> would be invaluable to resolving this issue.

sslv3 alert bad certificate

means that the client doesn't like the server certificate that Radiator sent to 
it. This can be due to an incorrect time set on the client (outside the 
validity dates of the server certificate), or the absence of the root 
certificate on the client, so it can't verify the server certificate.

So I would look to the config of the client.

Cheers.

>
> The configuration that we are using is a simple PEAP TTLS configuration
> based on the configuration found in the goodies directory:
>
> Foreground
> LogStdout
> LogDir            c:\Program Files\Radiator\logs
> #DbDir                  c:\Program Files\Radiator
> LogFile           %L/%m%d%y.log
> DictionaryFile    c:\Program Files\Radiator\dictionary
> PidFile           c:\Program Files\Radiator\radiusd.pid
>
> BindAddress 192.0.0.1
> AuthPort 1812
> AcctPort 1813
>
> Trace             4
>
> <Client 192.0.0.15>
> #Cisco AP
>       Secret      *****
>       Identifier CiscoAP
>       DupInterval 0
> </Client>
>
> <Client 192.0.0.226>
> #Proxim AP
>       Secret      *****
>       Identifier ProximAP
>       DupInterval 0
> </Client>
>
> <Handler Client-Identifier=CiscoAP>
> # Handler ID was test2
>       AuthByPolicy ContinueUntilAccept
>
>       <AuthBy FILE>
>             SSLeayTrace 5
>             EAPTLS_NoCheckId
>             Filename c:\Program Files\Radiator\users
>             EAPType  PEAP, TTLS
>             EAPTLS_MaxFragmentSize 1000
>             EAPTLS_CertificateType PEM
>             EAPTLS_PrivateKeyPassword whatever
>             EAPTLS_PrivateKeyFile c:\Program Files\Radiator\certificates\cert-srv.pem
>             EAPTLS_CAFile c:\Program Files\Radiator\certificates\cacert.pem
>             EAPTLS_CertificateFile c:\Program Files\Radiator\certificates\cert-srv.pem
>             #AutoMPPEKeys
>             EAPTTLS_NoAckRequired
>             #EAPAnonymous testUser
>             #EAPTLS_PEAPVersion 0
>             #EAPTLS_PEAPBrokenV1Label
>       </AuthBy>
> </Handler>
>
> <Handler Client-Identifier=ProximAP>
>       AuthByPolicy ContinueUntilAccept
>
>       <AuthBy FILE>
>             SSLeayTrace 5
>             EAPTLS_NoCheckId
>             Filename c:\Program Files\Radiator\users
>             EAPType  PEAP
>             EAPTLS_MaxFragmentSize 1000
>             EAPTLS_CertificateType PEM
>             EAPTLS_PrivateKeyPassword whatever
>             EAPTLS_PrivateKeyFile c:\Program Files\Radiator\certificates\cert-srv.pem
>             EAPTLS_CAFile c:\Program Files\Radiator\certificates\cacert.pem
>             EAPTLS_CertificateFile c:\Program Files\Radiator\certificates\cert-srv.pem
>             #AutoMPPEKeys
>             EAPTTLS_NoAckRequired
>             #EAPAnonymous testUser
>             #EAPTLS_PEAPVersion 0
>             EAPTLS_PEAPBrokenV1Label
>       </AuthBy>
> </Handler>
>
> The attempted login trace shows the transmittal of the server side and CA
> certificates:
>
> Thu Jul 17 15:12:52 2008: DEBUG: Packet dump:
> *** Received from 192.0.0.15 port 1645 ....
> Code:       Access-Request
> Identifier: 30
> Authentic:  77<215>vku<235>S<183>C<203>I<193>1<143><218>
> Attributes:
>             User-Name = "test2"
>             Framed-MTU = 1400
>             Called-Station-Id = "000d.edc3.021b"
>             Calling-Station-Id = "0040.178d.e1c7"
>             Service-Type = Login-User
>             Message-Authenticator = <220>k<181><140>U<4><16>Y^<3><166><168><162>V<245><146>
>             EAP-Message = <2><4><0><6><21><0>
>             NAS-Port-Type = Wireless-IEEE-802-11
>             NAS-Port = 6166
>             NAS-IP-Address = 192.0.0.15
>             NAS-Identifier = "ap"
>
> Thu Jul 17 15:12:52 2008: DEBUG: Handling request with Handler 'Client-Identifier=test2'
> Thu Jul 17 15:12:52 2008: DEBUG:  Deleting session for test2, 192.0.0.15, 6166
> Thu Jul 17 15:12:52 2008: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 17 15:12:52 2008: DEBUG: Handling with EAP: code 2, 4, 6, 21
> Thu Jul 17 15:12:52 2008: DEBUG: Response type 21
> Thu Jul 17 15:12:52 2008: DEBUG: EAP result: 3, EAP TTLS Challenge
> Thu Jul 17 15:12:52 2008: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS Challenge
> Thu Jul 17 15:12:52 2008: DEBUG: Access challenged for test2: EAP TTLS Challenge
> Thu Jul 17 15:12:52 2008: DEBUG: Packet dump:
> *** Sending to 192.0.0.15 port 1645 ....
> Code:       Access-Challenge
> Identifier: 30
> Authentic:  77<215>vku<235>S<183>C<203>I<193>1<143><218>
> Attributes:
>             EAP-Message =
> <1><5><2>@<21><0><24><198><152>$<180><138><238><216>m<238>X<191><169><249><
>1
> 49><207>"<224><212><240><176><204><172><230>$3&Yl<186><164>mT<21><129>'gQ<1
>3
> 9><193><235>3<230><203>0<174><237><254><28>_<171>q<186>f<143><221><178><144
>>
> <167>@<176><16><205><223><205>Z<235>)^+"<140><167><150><189>kQ.i<213>n<17>|
>H
> <248>jA!<197><130><198>J<175>N<226><17><225>!<2><3><1><0><1><163><130><1>30
><
> 130><1>/0<29><6><3>U<29><14><4><22><4><20>D<17>o<145><21><19><197><198>jL<1
>7
> >h<219><17><149><182><214><135><158><23>0<129><255><6><3>U<29>#<4><129><247
> >>
> 0<129><244><128><20>D<17>o<145><21><19><197><198>jL<17>h<219><17><149><182>
><
> 214><135><158><23><161><129><208><164><129><205>0<129><202>1<11>0<9><6><3>U
><
> 4><6><19><2>AU1<17>0<15><6><3>U<4><8><12><8>Victoria1<18>0<16><6><3>U<4><7>
>< 12><9>Melbourne1<30>0<28><6><3>U<4>
>             EAP-Message = <10><12><21>OSC Demo
> Certificates1!0<31><6><3>U<4><11><12><24>Test Certificate
> Section1/0-<6><3>U<4><3><12>&OSC Test CA (do not use in production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au<130><9><
>0
> ><190>J<223><236><255><245>@l0<12><6><3>U<29><19><4><5>0<3><1><1><255>0<13>
> ><
> 6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><192>i<147><134>k<
>2
> 06>9<139><223>8SNlE}<219><29><173>OK<146><229>e<137>\<152><252><243><195><1
>9 3><11>Y<203><234><193><243>&z<23>)[<24>D
> n<228><230><228><246>(2e<192>'K<218><143><161><224><131><203><193><159><155
>> A1^
>             EAP-Message =
> nS<176><191>R<20>WV<182><147>T<21><247><255><195><249>YZ<198>k<147><209>L<1
>7
> 1><130><185><177><241>|<179>U<171><232><129><200><253><212><152><19>M<211>_
><
> 135>y<25><163><130><175><131><155>hh~<178>AQf<144><217>wM<22><3><1><0><4><1
>4
> ><0><0><0>
>             Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu Jul 17 15:12:52 2008: DEBUG: Packet dump:
> *** Received from 192.0.0.15 port 1645 ....
> Code:       Access-Request
> Identifier: 31
> Authentic:  <159><25><163><230>0<224>J<200>\<200><30>$<188>y<254><225>
> Attributes:
>             User-Name = "test2"
>             Framed-MTU = 1400
>             Called-Station-Id = "000d.edc3.021b"
>             Calling-Station-Id = "0040.178d.e1c7"
>             Service-Type = Login-User
>             Message-Authenticator = HD#<248>P<202><151><6>C<219><246><215>s<141><27><236>
>             EAP-Message = <2><5><0><13><21><0><21><3><1><0><2><2>*
>             NAS-Port-Type = Wireless-IEEE-802-11
>             NAS-Port = 6166
>             NAS-IP-Address = 192.0.0.15
>             NAS-Identifier = "ap"
>
> Thu Jul 17 15:12:52 2008: DEBUG: Handling request with Handler 'Client-Identifier=test2'
> Thu Jul 17 15:12:52 2008: DEBUG:  Deleting session for test2, 192.0.0.15, 6166
> Thu Jul 17 15:12:52 2008: DEBUG: Handling with Radius::AuthFILE:
> Thu Jul 17 15:12:52 2008: DEBUG: Handling with EAP: code 2, 5, 13, 21
> Thu Jul 17 15:12:52 2008: DEBUG: Response type 21
> Thu Jul 17 15:12:52 2008: DEBUG: EAP TTLS data, 8576, 5, 3
> Thu Jul 17 15:12:52 2008: DEBUG: EAP TTLS SSL_accept result: 0, 1, 8576
> Thu Jul 17 15:12:52 2008: DEBUG: EAP result: 1, EAP TTLS Handshake unsuccessful:  3416: 1 - error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> Thu Jul 17 15:12:52 2008: DEBUG: AuthBy FILE result: REJECT, EAP TTLS Handshake unsuccessful:  3416: 1 - error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> Thu Jul 17 15:12:52 2008: INFO: Access rejected for test2: EAP TTLS Handshake unsuccessful:  3416: 1 - error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> Thu Jul 17 15:12:52 2008: DEBUG: Packet dump:
> *** Sending to 192.0.0.15 port 1645 ....
> Code:       Access-Reject
> Identifier: 31
> Authentic:  <159><25><163><230>0<224>J<200>\<200><30>$<188>y<254><225>
> Attributes:
>             Reply-Message = "Request Denied"

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco etc 
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
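The second Access-Request in Tim's trace shows where the rejection comes from. Its EAP-Message `<2><5><0><13><21><0><21><3><1><0><2><2>*` is an EAP Response (code 2, id 5, length 13) of type 21 (TTLS) whose payload is a single TLS record: content type 21 is an alert, level 2 is fatal, and description 42 (the `*`) is bad_certificate. The supplicant sent that right after receiving the server certificate chain in the Access-Challenge, so it is the client's own certificate check that fails, before any inner authentication starts. The script below is an added example, not code from the thread or from Radiator; it uses the openssl command line tool to run the two client-side checks Mike lists (chain to a trusted root, validity dates against the client clock) against a throwaway CA and server certificate. The CA names, the server name, the file other-ca.pem and the temporary directory are constructed for the demo; only the file names cert-srv.pem and cacert.pem echo the posted config.

```shell
#!/bin/sh
# Added example, not from the Radiator list post or the Radiator distribution.
# Reproduces the two supplicant-side checks that produce a fatal TLS alert
# during PEAP/TTLS tunnel setup: chain validation against the CA the client
# trusts, and the validity period against the client's clock.
# Requires the openssl command line tool. All names and files below are
# constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Demo PKI: the CA that signs the server cert, plus an unrelated CA that
# stands in for "the client trusts some other root (or none)".
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout ca.key -out cacert.pem -subj "/CN=Demo Radiator CA" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout other.key -out other-ca.pem -subj "/CN=Some Other CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout srv.key -out srv.csr -subj "/CN=radius.example.test" >/dev/null 2>&1
    openssl x509 -req -in srv.csr -CA cacert.pem -CAkey ca.key -CAcreateserial \
        -days 30 -sha256 -out cert-srv.pem >/dev/null 2>&1
}

# What the supplicant does with the server certificate it receives in the
# handshake: build a chain to its trust store and check the dates.
# $1 = server cert, $2 = the client's trust store, $3 (optional) = the client
# clock as epoch seconds, passed to openssl's -attime instead of "now".
# Returns 0 if the client would accept, non-zero if it would send an alert.
client_would_accept() {
    cert=$1; cafile=$2; at=$3
    if [ -n "$at" ]; then
        openssl verify -attime "$at" -CAfile "$cafile" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
    fi
}

# Same check, printing the X.509 verification error string (empty on success).
client_reject_reason() {
    cert=$1; cafile=$2; at=$3
    if [ -n "$at" ]; then
        openssl verify -attime "$at" -CAfile "$cafile" "$cert" 2>&1 \
            | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    else
        openssl verify -CAfile "$cafile" "$cert" 2>&1 \
            | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    fi
}

report() {
    label=$1; shift
    if client_would_accept "$@"; then
        echo "$label: client accepts"
    else
        echo "$label: client alerts ($(client_reject_reason "$@"))"
    fi
}

make_demo_certs
now=$(date +%s)
report "trusted root, clock correct"  cert-srv.pem cacert.pem
report "root CA missing on client"    cert-srv.pem other-ca.pem
report "client clock 60 days ahead"   cert-srv.pem cacert.pem $((now + 60 * 86400))
report "client clock one day behind"  cert-srv.pem cacert.pem $((now - 86400))
```

The two failing cases map onto Mike's two causes: the device has no copy of cacert.pem in its trust store, or its clock is outside the 30 day window of the demo certificate. On the real device the fix is the same as here, install the root that signed cert-srv.pem on the client and set its time (or point it at NTP); nothing in the Radiator config changes, which is why adding a client certificate only side-stepped the problem.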
