[RADIATOR] strange PEAP behavior
Hugh Irvine
hugh at open.com.au
Sat Jul 31 01:20:12 CDT 2010
Hello Andrew -
As usual I will need to see a copy of the configuration file and a trace 4 debug showing the whole packet sequence when this problem occurs.
regards
Hugh
On 31 Jul 2010, at 01:19, Andrew Clark wrote:
> Hi,
>
> I'm not sure this is actually a Radiator problem, but I'm seeing strange behavior for EAP-PEAP clients in my authentication log. I have a Trapeze networks wireless system which is configured to do pass-through for EAP requests to my Radiator servers. I have a pretty vanilla setup for EAP on Radiator - I terminate the EAP request, convert the inner request to a Radius-MSCHAPv2 request and then proxy it to another server.
>
> My authlog format is configured as follows:
>
> # add radius server hostname, client ident, handler ident, NAS IP address, and strip passwords
> SuccessFormat %l:%h:%{Client:Identifier}%{OSC-Client-Identifier}:%{Handler:Identifier}:%N:%u:OK
> # add failure code here too
> FailureFormat %l:%h:%{Client:Identifier}%{OSC-Client-Identifier}:%{Handler:Identifier}:%N:%u:FAIL(%1)
>
> A normal authentication looks like this (I've replaced the username with "foo"):
>
> Tue Jul 27 12:41:36 2010:server3:WIRELESS:eap_converted:134.84.143.177:foo:OK
> Tue Jul 27 12:41:36 2010:server3:WIRELESS:eap_inner_peap:134.84.143.177:anonymous:OK
> Tue Jul 27 12:41:36 2010:server3:WIRELESS:uofm_secure:134.84.143.177:foo:OK
>
> But then sometimes I see this (same user in this case):
>
> Tue Jul 27 12:42:07 2010:sever3:WIRELESS:uofm_secure:134.84.143.177:foo:OK
> Tue Jul 27 12:42:20 2010:server3:WIRELESS:uofm_secure:134.84.143.177:foo:OK
> Tue Jul 27 12:42:32 2010:server3:WIRELESS:uofm_secure:134.84.143.177:foo:OK
> Tue Jul 27 12:42:44 2010:server3:WIRELESS:uofm_secure:134.84.143.177:foo:OK
> Tue Jul 27 12:42:57 2010:server3:WIRELESS:uofm_secure:134.84.143.177:foo:OK
> Tue Jul 27 12:43:09 2010:server3:WIRELESS:uofm_secure:134.84.143.177:foo:OK
> Tue Jul 27 12:43:21 2010:server3:WIRELESS:uofm_secure:134.84.143.177:foo:OK
> Tue Jul 27 12:43:31 2010:server3:WIRELESS:uofm_secure:134.84.143.177:foo:OK
>
> Which usually results in no connectivity and an unhappy customer. If the user kills their supplicant and starts over, usually it results in a normal exchange and things are good.
>
> Any ideas?
>
> --
> Andrew D. Clark
> Network Operations Engineer
> University of Minnesota, Networking/Telecom Services
> 2218 University Ave SE
> Minneapolis, MN 55414-3029
> Phone: 612-626-4880
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
More information about the radiator
mailing list