[RADIATOR] EAP TTLS Nothing to read or write

Peter Havekes p.havekes at avans.nl
Wed Apr 14 05:18:08 CDT 2010


Hello,

I'm upgrading the servers on which we run Radiator.
Old server: Debian 5, 32 bit, radiator 4.6
New server: Debian 5, 64 bit, radiator 4.6

The config-files have been copied from the old server to the new one.
On the old server the config works great for our 802.1x wifi users
(EAP-TTLS). On the new server I get the errors:
DEBUG: EAP result: 2, EAP TTLS Nothing to read or write
DEBUG: AuthBy FILE result: IGNORE, EAP TTLS Nothing to read or write

Where should I start looking for the cause of this error?

Thanks for any help you can provide.

Relevant parts of the config:
<Client x.x.x.x>
        DefaultRealm xxxx.nl
        IdenticalClients x.x.x.x, x.x.x.x
        Secret xxxxxxxxxxxxx
        DupInterval 0
        AddToRequestIfNotExist service-identifier=wlan
        IgnoreAcctSignature
</Client>
<Handler TunnelledByTTLS=1,Realm=/.*xxxxxxx.nl.*/,User-Name=/@/>
        <Log FILE>
                Filename %L/%Y%m%d-eduroam.log
                Trace 3
        </Log>
        <AuthBy GROUP>
        RewriteUsername s/-//g
        RewriteUsername s/^([^@]+).*/$1/
        AddToReply Tunnel-Type=VLAN,Tunnel-Medium-Type=Ether_802
                AuthByPolicy ContinueUntilAccept
                <AuthBy LDAP2>
			.... some ldap stuff
                </AuthBy>
                <AuthBy LDAP2>
			.... some ldap stuff
                </AuthBy>
        </AuthBy>
        PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"
        AddToReplyIfNotExist Tunnel-Private-Group-ID=wln
</Handler>

<Handler Called-Station-Id=/.*eduroam.*/,Realm=xxxxx.nl,User-Name=/@/>
        <Log FILE>
                Filename %L/%Y%m%d-eduroam.log
                Trace 3
        </Log>
        <AuthBy FILE>
                Filename %D/users
                EAPType TTLS, PEAP
                EAPTLS_CertificateType PEM
                EAPTLS_CAFile /etc/radiator/wificert/terenachain.pem
                EAPTLS_CertificateFile /etc/radiator/wificert/server2010.crt
                EAPTLS_PrivateKeyFile /etc/radiator/wificert/server2010.key
                EAPTLS_PrivateKeyPassword xxxxxxxxxxxxxxx
                EAPTLS_MaxFragmentSize 512
                EAPTTLS_NoAckRequired
                AutoMPPEKeys
        </AuthBy>
</Handler>

Debug-log:

*** Received from x.x.x.x port 20000 ....

Packet length = 152
Code:       Access-Request
Identifier: 245
Authentic:  <0>G<9><179>7<205><198><233>&<190><7><158><5><230>)<241>
Attributes:
	NAS-Port-Id = "AP2/1"
	Calling-Station-Id = "xxxxxxxxxxxxxxx"
	Called-Station-Id = "xxxxxxxxxxxxxxxxx:eduroam"
	Service-Type = Framed-User
	User-Name = "anonymous at xxxxxxx.nl"
	NAS-Port = 9846
	EAP-Message = <2><3><0><6><21><0>
	NAS-Port-Type = Wireless-IEEE-802-11
	NAS-IP-Address = x.x.x.x
	NAS-Identifier = "Trapeze"
	Message-Authenticator = n;tM<213>]|y<176>$<26><11><147><253><163>y

Wed Apr 14 11:35:33 2010: DEBUG: Handling request with Handler
'Called-Station-Id=/.*eduroam.*/,Realm=xxxxxx.nl,User-Name=/@/',
Identifier ''
Wed Apr 14 11:35:33 2010: DEBUG:  Deleting session for
anonymous at xxxxxx.nl, x.x.x.x, 9846
Wed Apr 14 11:35:33 2010: DEBUG: Handling with Radius::AuthFILE:
Wed Apr 14 11:35:33 2010: DEBUG: Handling with EAP: code 2, 3, 6, 21
Wed Apr 14 11:35:33 2010: DEBUG: Response type 21
Wed Apr 14 11:35:33 2010: DEBUG: EAP result: 2, EAP TTLS Nothing to read
or write
Wed Apr 14 11:35:33 2010: DEBUG: AuthBy FILE result: IGNORE, EAP TTLS
Nothing to read or write
Wed Apr 14 11:35:34 2010: DEBUG: Packet dump:
*** Received from x.x.x.x port 20000 ....

Packet length = 169
Code:       Access-Request
Identifier: 246
Authentic:  <0>}g<255>)6<150><153>><217>+<242>#<212>=<26>
Attributes:
	NAS-Port-Id = "AP3/1"
	Calling-Station-Id = "xxxxxxxxxxxxxxxxxx"
	Called-Station-Id = "xxxxxxxxxxxxxxxx:eduroam"
	Service-Type = Framed-User
	EAP-Message = <2><7><0><23><1>anonymous at xxxxxx.nl
	User-Name = "anonymous at xxxxxxx.nl"
	NAS-Port = 9841
	NAS-Port-Type = Wireless-IEEE-802-11
	NAS-IP-Address = x.x.x.x
	NAS-Identifier = "Trapeze"
	Message-Authenticator = <246>]_o<1>2<5><150>.<19>T<140>S<27>6g

Wed Apr 14 11:35:34 2010: DEBUG: Handling request with Handler
'Called-Station-Id=/.*eduroam.*/,Realm=xxxxxxx.nl,User-Name=/@/',
Identifier ''
Wed Apr 14 11:35:34 2010: DEBUG:  Deleting session for
anonymous at xxxxxxx.nl, x.x.x.82.51, 9841
Wed Apr 14 11:35:34 2010: DEBUG: Handling with Radius::AuthFILE:
Wed Apr 14 11:35:34 2010: DEBUG: Handling with EAP: code 2, 7, 23, 1
Wed Apr 14 11:35:34 2010: DEBUG: Response type 1
Wed Apr 14 11:35:34 2010: DEBUG: EAP result: 3, EAP TTLS Challenge
Wed Apr 14 11:35:34 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS
Challenge
Wed Apr 14 11:35:34 2010: DEBUG: Access challenged for
anonymous at xxxxxx.nl: EAP TTLS Challenge
Wed Apr 14 11:35:34 2010: DEBUG: Packet dump:
*** Sending to x.x.x.x port 20000 ....

Packet length = 46
0b f6 00 2e cb 50 99 2c 43 ec 9a e2 81 5e 74 c6
cf 86 22 eb 4f 08 01 08 00 06 15 20 50 12 ab 34
4a 4e 90 a9 ba 79 80 20 d1 1d 54 dc 8c c0
Code:       Access-Challenge
Identifier: 246
Authentic:  <203>P<153>,C<236><154><226><129>^t<198><207><134>"<235>
Attributes:
	EAP-Message = <1><8><0><6><21>
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Apr 14 11:35:34 2010: DEBUG: Packet dump:
*** Received from x.x.x.x port 20000 ....

Packet length = 234
Code:       Access-Request
Identifier: 247
Authentic:  <0><136><242>Z<30><222><242><252>?"<142>9u<167>`<144>
Attributes:
	NAS-Port-Id = "AP3/1"
	Calling-Station-Id = "xxxxxxxxxxxxxx"
	Called-Station-Id = "xxxxxxxxxxxx:eduroam"
	Service-Type = Framed-User
	User-Name = "anonymous at xxxxxxxx.nl"
	NAS-Port = 9841
	EAP-Message =
<2><8><0>X<21><0><22><3><1><0>M<1><0><0>I<3><1><<242>s<244><22>
<178><17>3_1nW<0><13><220><218><241><129><196><162><167><202><232>.4K<175>3%;<176>
<203><160><188>-]<227><157><<KhP<134>V<222>h:Cl=<135><134><155>X<<216>}L<147>a<207><143><0><2><0><10><1><0>
	NAS-Port-Type = Wireless-IEEE-802-11
	NAS-IP-Address = x.x.x.x
	NAS-Identifier = "Trapeze"
	Message-Authenticator = <133><224><174><31>;b3)<3><139>g<231><25><23><12>Z

Wed Apr 14 11:35:34 2010: DEBUG: Handling request with Handler
'Called-Station-Id=/.*eduroam.*/,Realm=xxxxxxxx.nl,User-Name=/@/',
Identifier ''
Wed Apr 14 11:35:34 2010: DEBUG:  Deleting session for
anonymous at xxxxxxx.nl, x.x.x.82.51, 9841
Wed Apr 14 11:35:34 2010: DEBUG: Handling with Radius::AuthFILE:
Wed Apr 14 11:35:34 2010: DEBUG: Handling with EAP: code 2, 8, 88, 21
Wed Apr 14 11:35:34 2010: DEBUG: Response type 21
Wed Apr 14 11:35:34 2010: DEBUG: EAP TTLS data, 24576, 8,
Wed Apr 14 11:35:34 2010: DEBUG: EAP TTLS SSL_accept result: -1, 2, 8576
Wed Apr 14 11:35:34 2010: DEBUG: EAP result: 3, EAP TTLS Challenge
Wed Apr 14 11:35:34 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TTLS
Challenge
Wed Apr 14 11:35:34 2010: DEBUG: Access challenged for
anonymous at xxxxxxx.nl: EAP TTLS Challenge
Wed Apr 14 11:35:34 2010: DEBUG: Packet dump:
*** Sending to x.x.x.82.51 port 20000 ....

Packet length = 566
Code:       Access-Challenge
Identifier: 247
Authentic:  <217>n<208><191>f<<247>`<158>0<144>+<131><192>[P
Attributes:
	EAP-Message =
<1><9><2><10><21><192><0><0><17>p<22><3><1><0>J<2><0><0>F<3><1>K<197><140>f<255>o<30>m<212><143><169>+A<18>5-<12><130><20>wq<175>o<195><240><178><25>n&<244><133><242>
<234><14><155>9%<224>s<159><6>Z<6><222><23>Y<143>4<3><4>s<235><211><187>g<235><163><253><134>?<238>|<210>+<0><10><0><22><3><1><17><19><11><0><17><15><0><17><12><0><3><234>0<130><3><230>0<130><2><206><160><3><2><1><2><2><17><0><179>)<30>,<251><183><206><254><250><27>Q<175><139><13>C<140>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>061<11>0<9><6><3>U<4><6><19><2>NL1<15>0<13><6><3>U<4><10><19><6>TERENA1<22>0<20><6><3>U<4><3><19><13>TERENA
SSL
CA0<30><23><13>100120000000Z<23><13>130119235959Z0G1<11>0<9><6><3>U<4><6><19><2>N
	EAP-Message =
L1<14>0<12><6><3>U<4><10><19><5>xxxxxxx1<16>0<14><6><3>U<4><11><19><7>DIF-ICT1<22>0<20><6><3>U<4><3><19><13>wifi.xxxxxxx.nl0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><196><253><171>m<188><3><30>n<252><132>0<163>b<177><15><140>&{<174><131><210><252><253>l<146><221><151><158>!<196><193>4<202>,<15><244>9<29>n<137><221><230><209><203><158><207>f<18><0>@<24>?<14>8)<29><211><139>f<158><172>TS<153><2>a<149><143><185>T at c<162>\<29><188><29><231>8<215>;<11>}`<199><171>[<146><132><172>G|EHa<15><253><215><167><220><243><202><213><30>q<227><225><151><184><158>Ea<163>/e|<133><14><12><31><246><200><166>C&<152><179><189><2><3><1><0><1><163><130><1>`0<130><1>\0<31><6><3>U<29>#<4><24>0<22><128><20><12><189><147>h<12><243><222><171><163>Ik
	EAP-Message = +7WG<234><144><227><185><237>0<29><6><3>U<29><14>
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Wed Apr 14 11:35:34 2010: DEBUG: Packet dump:
*** Received from x.x.x2.51 port 20000 ....

Packet length = 152
Code:       Access-Request
Identifier: 248
Authentic:  <0><140><137>|<10><150>,,<9>.<2>"+<142><10><227>
Attributes:
	NAS-Port-Id = "AP3/1"
	Calling-Station-Id = "00-1A-73-1B-D1-39"
	Called-Station-Id = "00-0B-0E-29-5E-02:eduroam"
	Service-Type = Framed-User
	User-Name = "anonymous at xxxxxxx.nl"
	NAS-Port = 9841
	EAP-Message = <2><9><0><6><21><0>
	NAS-Port-Type = Wireless-IEEE-802-11
	NAS-IP-Address = x.x.x2.51
	NAS-Identifier = "Trapeze"
	Message-Authenticator = "<248>/<209><241><217>84@<<146>BP1<192>b

Wed Apr 14 11:35:34 2010: DEBUG: Handling request with Handler
'Called-Station-Id=/.*eduroam.*/,Realm=xxxxxxx.nl,User-Name=/@/',
Identifier ''
Wed Apr 14 11:35:34 2010: DEBUG:  Deleting session for
anonymous at xxxxxxx.nl, x.x.x2.51, 9841
Wed Apr 14 11:35:34 2010: DEBUG: Handling with Radius::AuthFILE:
Wed Apr 14 11:35:34 2010: DEBUG: Handling with EAP: code 2, 9, 6, 21
Wed Apr 14 11:35:34 2010: DEBUG: Response type 21
Wed Apr 14 11:35:34 2010: DEBUG: EAP result: 2, EAP TTLS Nothing to read
or write
Wed Apr 14 11:35:34 2010: DEBUG: AuthBy FILE result: IGNORE, EAP TTLS
Nothing to read or write



--


Peter Havekes
ICT-Ontwikkeling & xxxxxxx-CSIRT
xxxxxxx Hogeschool
Onderwijsboulevard 215
5223 DE 's-Hertogenbosch
Telefoon 0736295592
Mobiel 0612917383
email/msn p.havekes at xxxxxxx.nl


- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
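
Added example, not part of the original post and not Radiator code: a small decoder for the EAP-Message values in the trace above, using the EAP header and the EAP-TTLS flags octet (L, M, S bits) from RFC 5281. It shows that both requests logged with "Nothing to read or write" (EAP ids 3 and 9) carry an empty EAP-TTLS response, the form a peer uses to acknowledge a fragment. The names `decode_eap_ttls`, `TRACE` and `summarize` are this example's own.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TTLS = 21
TTLS_FLAGS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))  # Length, More, Start

def decode_eap_ttls(raw: bytes) -> dict:
    """Decode the EAP header and, for type 21, the EAP-TTLS flags octet."""
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4:
        raise ValueError("EAP length field below header size")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
           "length": length, "truncated": len(raw) < length}
    if code not in (1, 2) or len(raw) < 5:
        return out                      # Success/Failure carry no type octet
    out["type"] = raw[4]
    if raw[4] != EAP_TYPE_TTLS or len(raw) < 6:
        return out
    flags, body = raw[5], raw[6:length]
    out["flags"] = [name for bit, name in TTLS_FLAGS if flags & bit]
    out["version"] = flags & 0x07
    if flags & 0x80:                    # L: 4-byte total TLS message length
        if len(body) < 4:
            raise ValueError("L flag set but TLS message length missing")
        out["tls_total_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    out["tls_bytes_present"] = len(body)
    # An empty response with no flags set is a fragment acknowledgement.
    out["is_fragment_ack"] = code == 2 and not out["flags"] and not body
    return out

# EAP-Message values transcribed from the trace in this post. The fragmented
# server message is cut to its first 10 bytes (header, flags, length field).
TRACE = [
    ("AP2/1 request, EAP id 3",    "020300061500"),
    ("server challenge, EAP id 8", "010800061520"),
    ("server challenge, EAP id 9", "0109020a15c000001170"),
    ("AP3/1 request, EAP id 9",    "020900061500"),
]

def summarize(trace=TRACE):
    return [(label, decode_eap_ttls(bytes.fromhex(h))) for label, h in trace]

if __name__ == "__main__":
    for label, fields in summarize():
        print(label, fields)
```
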