[RADIATOR] EAP/TLS Problem with Radiator 4.2/4.3 on Fedora 8/9
Hugh Irvine
hugh at open.com.au
Wed Sep 10 04:31:39 CDT 2008
Hello Wolfgang -
You should be running Radiator 4.3.1 plus the latest patches.
And this is quite often a problem with versions of openssl and/or net-ssleay.
We have had confirmation that these versions work correctly:
openssl 0.9.8b upgraded to 0.9.8h.
Net-SSLeay 1.30 upgraded to 1.35.
hope that helps
regards
Hugh
On 10 Sep 2008, at 11:38, Wolfgang Miedl wrote:
> Greetings,
>
> we are currently experiencing problems with Radiator's usage of EAP/TLS on
> Radiator 4.2 and 4.3, running on Fedora 8 and Fedora 9 respectively, with
> Radiator sending TLS messages which appear to be corrupt and missing TLS
> header data.
>
> This of course results in the client being unable to parse the TLS part of the
> message and thus aborting the connection attempt. Furthermore, this behaviour
> only appears on Radiator 4.2 and 4.3; the exact same systems running Radiator
> 3.17 produce the expected, correct results and are basically running fine.
>
> A tcpdump file containing an example packet as received by the client is
> attached. Dumps of the server side of the message can be provided as well,
> but basically the offending TLS part is the same.
>
> Further software version details:
> Fedora 8 box: perl 5.8.8, OpenSSL 0.9.8b
> Fedora 9 box: perl 5.10.0, OpenSSL 0.9.8g
>
> The relevant section of radius.cfg which configures TLS is:
> <AuthBy SQL>
> Identifier wlan-sql
> EAPTLS_PrivateKeyFile /etc/pki/tls/private/localhost.key
> # EAPTLS_PrivateKeyPassword omitted
> EAPTLS_CertificateFile /etc/pki/tls/certs/localhost.crt
> EAPTLS_CertificateType PEM
> EAPTLS_CAFile /etc/pki/tls/cert.pem
> EAPTLS_CAFile /etc/pki/tls/certs/sureserverEDU.pem
> EAPTLS_CAPath /etc/pki/tls/certs
>
> EAPType PEAP,LEAP,TTLS,MSCHAP-V2
> EAPTLS_MaxFragmentSize 512
> SSLeayTrace 4
> AutoMPPEKeys
> EAPTLS_PEAPVersion 0
> EAPTLS_SessionResumption 0
>
> AuthSelect SELECT PASSWORD, \
> CHECKATTR,\
> REPLYATTR,\
> FRAMEDPROTOCOL,\
> IPADDRESS,\
> IPNETMASK \
> FROM SUBSCRIBERS \
> WHERE USERNAME = '%n'
>
> AuthColumnDef 0,User-Password, check
> AuthColumnDef 1,GENERIC,check
> AuthColumnDef 2,GENERIC,reply
> AuthColumnDef 3,Framed-Protocol,reply
> AuthColumnDef 4,Framed-IP-Address,reply
> AuthColumnDef 5,Framed-IP-Netmask,reply
> AddToReply User-Name=%u
> </AuthBy>
>
> If further details are required I'd of course be happy to provide them.
>
> Best regards,
> Wolfgang Miedl
> --
> Wolfgang Miedl Zentraler Informatikdienst - Kommunikation
> Technische Universitaet Wien Tel (+43-1) 58801 - 42057
> http://pgpkeys.tuwien.ac.at/ PGP Key wmiedl
> (attachment: radiator.dump)
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
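The symptom reported above (TLS data arriving at the client without its record header) can be checked mechanically on a capture rather than by eye. The script below is an added example, not Radiator's code and not part of either message: it decodes the EAP-TLS/PEAP fragment framing of RFC 5216 section 3.1 (PEAP uses the same framing with its version number in the low 3 bits of the flags byte), reassembles the fragments of one message, and verifies that the reassembled bytes begin with a plausible TLS record header. Every packet it parses is constructed in the file; the build_fragments sender, its assumption that the fragment size counts TLS payload bytes only, and the filler "certificate" are assumptions of this example, not Radiator's behaviour.

```python
"""Decode EAP-TLS/PEAP fragments and sanity-check the TLS record header.

Added example, not Radiator code.  Framing per RFC 5216 section 3.1; PEAP
uses the same framing with its version in the low 3 bits of the flags byte.
"""
import struct
from typing import List, Optional, Tuple

EAP_REQUEST = 1
EAP_TYPE_TLS = 13
EAP_TYPE_PEAP = 25
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20      # length-included, more, start
TLS_CONTENT_TYPES = {20, 21, 22, 23}           # CCS, alert, handshake, app data


def parse_eap_tls(pkt: bytes) -> dict:
    """Split one EAP-TLS/PEAP packet into header fields and TLS payload."""
    if len(pkt) < 6:
        raise ValueError("short EAP packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != packet size {len(pkt)}")
    if eap_type not in (EAP_TYPE_TLS, EAP_TYPE_PEAP):
        raise ValueError(f"unexpected EAP type {eap_type}")
    off, tls_len = 6, None
    if flags & FLAG_L:                         # 4-byte total TLS length follows
        (tls_len,) = struct.unpack("!I", pkt[6:10])
        off = 10
    return {"code": code, "id": ident, "type": eap_type,
            "L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M), "S": bool(flags & FLAG_S),
            "peap_version": (flags & 0x07) if eap_type == EAP_TYPE_PEAP else None,
            "tls_len": tls_len, "data": pkt[off:]}


def check_tls_record_header(data: bytes) -> Optional[str]:
    """Return None if data starts with a plausible TLS record header, else why not."""
    if len(data) < 5:
        return "fewer than 5 bytes, no room for a TLS record header"
    ctype, major, minor, rlen = struct.unpack("!BBBH", data[:5])
    if ctype not in TLS_CONTENT_TYPES:
        return f"first byte 0x{ctype:02x} is not a TLS record content type"
    if major != 3 or minor > 3:
        return f"record version {major}.{minor} is not SSLv3/TLS 1.x"
    if rlen == 0 or rlen > 2 ** 14 + 2048:     # RFC 5246 ciphertext limit
        return f"record length {rlen} out of range"
    if 5 + rlen > len(data):
        return f"record claims {rlen} bytes but only {len(data) - 5} follow"
    return None


def reassemble(fragments: List[bytes]) -> Tuple[bytes, List[str]]:
    """Join the fragments of one EAP-TLS message; list framing and TLS problems."""
    problems: List[str] = []
    parsed = [parse_eap_tls(f) for f in fragments]
    first, last = parsed[0], parsed[-1]
    if len(parsed) > 1 and not first["L"]:
        problems.append("first fragment lacks the L flag, peer cannot size its buffer")
    for p in parsed[:-1]:
        if not p["M"]:
            problems.append(f"EAP id {p['id']}: M flag clear although more fragments follow")
    if last["M"]:
        problems.append(f"EAP id {last['id']}: M flag set on the last fragment")
    tls = b"".join(p["data"] for p in parsed)
    if first["tls_len"] is not None and first["tls_len"] != len(tls):
        problems.append(f"declared TLS length {first['tls_len']} != reassembled {len(tls)}")
    reason = check_tls_record_header(tls)
    if reason:
        problems.append("bad TLS record header: " + reason)
    return tls, problems


def build_fragments(tls: bytes, eap_type: int, first_id: int, frag_size: int,
                    peap_version: int = 0) -> List[bytes]:
    """Constructed sender: split a TLS message into EAP requests of at most
    frag_size payload bytes (assumption: frag_size counts TLS bytes only)."""
    chunks = [tls[i:i + frag_size] for i in range(0, len(tls), frag_size)] or [b""]
    out = []
    for n, chunk in enumerate(chunks):
        flags = (peap_version & 0x07) if eap_type == EAP_TYPE_PEAP else 0
        if n == 0 and len(chunks) > 1:
            flags |= FLAG_L
        if n < len(chunks) - 1:
            flags |= FLAG_M
        body = struct.pack("!BBHBB", EAP_REQUEST, (first_id + n) & 0xFF, 0, eap_type, flags)
        if flags & FLAG_L:
            body += struct.pack("!I", len(tls))
        body += chunk
        out.append(body[:2] + struct.pack("!H", len(body)) + body[4:])  # fill EAP length
    return out


# Constructed sample: one handshake record carrying a 1196-byte Certificate
# handshake body of filler (not a real certificate), 1205 bytes in total, so
# a 512-byte fragment size yields three EAP packets.
SAMPLE_TLS = (b"\x16\x03\x01" + struct.pack("!H", 1200)
              + b"\x0b" + (1196).to_bytes(3, "big") + b"\xaa" * 1196)

if __name__ == "__main__":
    good = build_fragments(SAMPLE_TLS, EAP_TYPE_PEAP, 7, 512)
    print("intact:", reassemble(good)[1] or "no problems")
    # Simulate the reported symptom: TLS data sent without its 5-byte record header.
    bad = build_fragments(SAMPLE_TLS[5:], EAP_TYPE_PEAP, 7, 512)
    print("headerless:", reassemble(bad)[1])
```

To run this against a real capture, feed reassemble() the EAP packets carried in the Access-Challenge messages, where each EAP packet is the concatenation of that RADIUS packet's EAP-Message attribute values (RFC 3579). A header check that fails on the reassembled bytes but passes on the 3.17 server's output for the same exchange localises the fault to the server-side framing, which is what the quoted report describes.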