[RADIATOR] EAP/TLS Problem with Radiator 4.2/4.3 on Fedora 8/9
Wolfgang Miedl
wmiedl at zid.tuwien.ac.at
Wed Sep 10 03:38:53 CDT 2008
Greetings,

we are currently experiencing problems with Radiator's usage of EAP/TLS on
Radiator 4.2 and 4.3, running on Fedora 8 and Fedora 9 respectively, with
Radiator sending TLS messages which appear to be corrupt and missing TLS
header data.

This of course results in the client being unable to parse the TLS part of the
message and thus aborting the connection attempt. Furthermore, this behaviour
only appears on Radiator 4.2 and 4.3; the exact same systems running Radiator
3.17 produce the expected, correct results and are basically running fine.

A tcpdump file containing an example packet as received by the client is
attached. Dumps of the server side of the message can be provided as well,
but basically the offending TLS part is the same.

Further software version details:
Fedora 8 box: perl 5.8.8, OpenSSL 0.9.8b
Fedora 9 box: perl 5.10.0, OpenSSL 0.9.8g

The relevant section of radius.cfg which configures TLS is:
<AuthBy SQL>
    Identifier wlan-sql
    EAPTLS_PrivateKeyFile /etc/pki/tls/private/localhost.key
    # EAPTLS_PrivateKeyPassword omitted
    EAPTLS_CertificateFile /etc/pki/tls/certs/localhost.crt
    EAPTLS_CertificateType PEM
    EAPTLS_CAFile /etc/pki/tls/cert.pem
    EAPTLS_CAFile /etc/pki/tls/certs/sureserverEDU.pem
    EAPTLS_CAPath /etc/pki/tls/certs
    EAPType PEAP,LEAP,TTLS,MSCHAP-V2
    EAPTLS_MaxFragmentSize 512
    SSLeayTrace 4
    AutoMPPEKeys
    EAPTLS_PEAPVersion 0
    EAPTLS_SessionResumption 0
    AuthSelect SELECT PASSWORD, \
        CHECKATTR,\
        REPLYATTR,\
        FRAMEDPROTOCOL,\
        IPADDRESS,\
        IPNETMASK \
        FROM SUBSCRIBERS \
        WHERE USERNAME = '%n'
    AuthColumnDef 0,User-Password, check
    AuthColumnDef 1,GENERIC,check
    AuthColumnDef 2,GENERIC,reply
    AuthColumnDef 3,Framed-Protocol,reply
    AuthColumnDef 4,Framed-IP-Address,reply
    AuthColumnDef 5,Framed-IP-Netmask,reply
    AddToReply User-Name=%u
</AuthBy>

If further details are required, I'd of course be happy to provide them.

Best regards,
Wolfgang Miedl
--
Wolfgang Miedl Zentraler Informatikdienst - Kommunikation
Technische Universitaet Wien Tel (+43-1) 58801 - 42057
http://pgpkeys.tuwien.ac.at/ PGP Key wmiedl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radiator.dump
Type: application/octet-stream
Size: 576 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20080910/5333b553/attachment.obj>
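
Added example, not part of the original post and not Radiator code: one way to check whether the TLS part of a captured EAP-TLS/TTLS/PEAP packet is framed as RFC 5216 describes (Flags octet, optional 4-byte TLS Message Length, then data that on a first fragment starts with a TLS record header). The function name, the helper and both sample packets are assumptions constructed for this illustration.

```python
import struct

TLS_BASED = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}  # EAP method numbers
TLS_RECORD_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data

def check_eap_tls_fragment(eap, first_fragment=True):
    """Return a list of framing problems in one EAP packet (empty list = none)."""
    if len(eap) < 6:
        return ["packet too short for a TLS-based EAP method"]
    problems = []
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", eap[:6])
    if length != len(eap):
        problems.append(f"EAP Length field {length} != {len(eap)} bytes present")
    if eap_type not in TLS_BASED:
        return problems + [f"EAP type {eap_type} is not TLS-based"]
    data = eap[6:]
    if flags & 0x80:                      # L: 4-byte total TLS message length follows
        if len(data) < 4:
            return problems + ["L flag set but TLS Message Length is missing"]
        (total,) = struct.unpack("!I", data[:4])
        data = data[4:]
        more = bool(flags & 0x40)         # M: more fragments follow
        if total < len(data) or (first_fragment and not more and total != len(data)):
            problems.append(f"TLS Message Length {total} inconsistent with "
                            f"{len(data)} bytes in this fragment")
    # Only a first fragment is guaranteed to begin on a TLS record boundary.
    if first_fragment and data:
        ok = (len(data) >= 5 and data[0] in TLS_RECORD_TYPES
              and data[1] == 3 and data[2] <= 3)
        if not ok:
            problems.append("TLS data does not start with a TLS record header: "
                            + data[:5].hex())
    return problems

def _sample(flags, payload, eap_type=25):
    """Build a constructed EAP-Request (code 1, id 7) for the demo below."""
    return struct.pack("!BBHBB", 1, 7, 6 + len(payload), eap_type, flags) + payload

# Constructed packets, not taken from the radiator.dump attachment.
GOOD = _sample(0xC0, struct.pack("!I", 1200) + bytes.fromhex("1603010400") + bytes(501))
BAD = _sample(0xC0, struct.pack("!I", 1200) + bytes(506))

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_eap_tls_fragment(pkt) or "framing OK")
```

To use it on a real capture, pass the reassembled EAP-Message attribute value from the Access-Challenge, and set first_fragment=False for continuation fragments, which may begin in the middle of a TLS record.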