[RADIATOR] Problem No Handler for TTLS inner authentication

Heikki Vatiainen hvn at open.com.au
Tue Apr 26 00:56:54 CDT 2011


On 04/22/2011 06:22 AM, Augusto Cabrera wrote:

Hello Augusto, I hope you had a good Easter weekend.

> I have a problem with my radiator.cfg configuration, help me please. I
> have an authentication error:

The problem seems to be this:

Thu Apr 21 13:46:45 2011: DEBUG: AuthBy WIMAX result: REJECT,
No Handler for TTLS inner authentication

The TTLS inner authentication in the log contains three attributes,
User-Name, MS-CHAP-Challenge and MS-CHAP2-Response. None of the Handlers
match this inner request.

Try defining something like this to match and process the TTLS inner
authentication:

<Handler TunnelledByTTLS=1>
  # AuthBy
  # Any other settings
</Handler>

> Code:       Access-Request
> Identifier: 38
> Authentic:  <0><0><25><177><0><0>c<248><0><0>{<148><0><0><17><240>
> Attributes:
>  User-Name = "@usbwimax"
>  NAS-IP-Address = 3.3.3.3
>  Calling-Station-Id = "5c4ca9e2b7dc"
>  NAS-Identifier = "WASN9770"
>  Event-Timestamp = 1303411496
>  EAP-Message = <2><24><0><192><21><0><23><3><1><0>
>  H WiMAX-Capability = <1><5>1.1<2><3><2><3><3><1><5><3><1><4><3><1>
>  WiMAX-BS-ID = 00000203f120
>  WiMAX-GMT-Timezone-Offset = -18000
>  NAS-Port-Type = Wireless-IEEE-802.16
>  WiMAX-PPAC = <1><6><0><0><0>c
>  Service-Type = Framed-User
>  Chargeable-User-Identity = ""
>  Message-Authenticator =
> <7>f<185><139><189>D<174><229><18>j<150><201>yZ<3><190>
> Thu Apr 21 13:46:45 2011: DEBUG: Handling request with Handler
> 'NAS-IP-Address=3.3.3.3, Realm=usbwimax', Identifier 'AUTH-WIMAX'
> Thu Apr 21 13:46:45 2011: DEBUG:  Deleting session for @usbwimax, 3.3.3.3,
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with Radius::AuthSQL: AAA-SQL
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with Radius::AuthSQL: AAA-SQL
> Thu Apr 21 13:46:45 2011: DEBUG: Query is: 'select reason from blacklist
> where nai='5c4ca9e2b7dc'':
> Thu Apr 21 13:46:45 2011: DEBUG: Radius::AuthSQL looks for match with
> 5c4ca9e2b7dc [@usbwimax]
> Thu Apr 21 13:46:45 2011: DEBUG: Radius::AuthSQL REJECT: No such user:
> 5c4ca9e2b7dc [@usbwimax]
> Thu Apr 21 13:46:45 2011: DEBUG: Query is: 'select reason from blacklist
> where nai='DEFAULT'':
> Thu Apr 21 13:46:45 2011: DEBUG: AuthBy SQL result: ACCEPT, No such user
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with EAP: code 2, 24, 192, 21
> Thu Apr 21 13:46:45 2011: DEBUG: Response type 21
> Thu Apr 21 13:46:45 2011: DEBUG: EAP TTLS data, 3, 24, 23
> Thu Apr 21 13:46:45 2011: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:       UNDEF
> Identifier: UNDEF
> Authentic:  UNDEF
> Attributes:
>  User-Name = "acabrera"
>  MS-CHAP-Challenge = ]t<156><132><145>x<247><24>){<201>u<249><22><199>*
>  MS-CHAP2-Response = y<0><22>j<195><199>
> <144><226>l<214><223>@<219><134><146><211><182><0><0><0><0><0><0><0><0>P<177><244><196>,T<246><182>YZ*(<26><229>S<182>|/jq<134><232>?<222>
> Thu Apr 21 13:46:45 2011: DEBUG: EAP TTLS inner authentication request
> for acabrera
> Thu Apr 21 13:46:45 2011: DEBUG: EAP result: 1, No Handler for TTLS
> inner authentication
> Thu Apr 21 13:46:45 2011: DEBUG: AuthBy WIMAX result: REJECT, No Handler
> for TTLS inner authentication
> Thu Apr 21 13:46:45 2011: INFO: Access rejected for 5c4ca9e2b7dc: No
> Handler for TTLS inner authentication
> Thu Apr 21 13:46:45 2011: DEBUG: Packet dump:
> My configuration is:
>  
> # CLIENT definition
>  
> <Client 3.3.3.3>
>         Secret  wimaxwimax
>         Identifier WIMAX
>         DupInterval 5
> </Client>
> 
> <Client 10.0.5.10>
>         Secret  secret
>         Identifier EVDO
>         DupInterval 0
> </Client>
>  
> <AuthBy SQL>
>                 Identifier     AAA-SQL
>                 # Details for accessing the SQL database that contains
>                 # user/device passwords, Device-Sessions etc.
>                 # This should match the username created in wimax.sql
>                 DBSource dbi:mysql:wimax
>                 DBUsername      mikem
>                 DBAuth          fred
>                 NoEAP
>                 Blacklist
>                 AuthenticateAttribute Calling-Station-Id
>                 AuthSelect select reason from blacklist where nai=%0
> </AuthBy>
> <AuthBy WIMAX>
>                 Identifier      AAA-WIMAX
>                 DBSource dbi:mysql:wimax
>                 DBUsername      mikem
>                 DBAuth          fred
>                 # WiMAX is required to handle at least TTLS
>                 # We can handle any type that generates MSK and EMSK
>                 EAPType TTLS, TLS, PEAP, MSCHAP-V2, PSK, PAX, FAST, SIM, AKA
>                 EAPTLS_CAFile /etc/ssl/cert1/Rootcacert.pem
>                 EAPTLS_CertificateFile /etc/ssl/cert1/Servercert.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile /etc/ssl/cert1/Serverkey.pem
>                 EAPTLS_PrivateKeyPassword 12345678
>                
>                 EAPTLS_MaxFragmentSize 1400
>                 
>                 HAPassword mysecret
>                 AccountingTable ACCOUNTING
>                
>                 AcctColumnDef   STATUS_TYPE,Acct-Status-Type
>                 AcctColumnDef   WIMAX_BEGINNING_OF_SESSION,WiMAX-Beginning-Of-Session
>                 AcctColumnDef   SESSION_ID,Acct-Session-Id
>                 AcctColumnDef   FRAMED_IP_ADDRESS,Framed-IP-Address
>                 AcctColumnDef   NAI,User-Name
>                 AcctColumnDef   USER_NAME,Chargeable-User-Identity
>                 AcctColumnDef   STATION_ID,Calling-Station-Id
>                 AcctColumnDef   NAS_IDENTIFIER,NAS-Identifier
>                 AcctColumnDef   NAS_IP_ADDRESS,NAS-IP-Address
>                 AcctColumnDef   WiMAX_BS_ID,WiMAX-BS-ID
>                 AcctColumnDef   EVENT_TIMESTAMP,Event-Timestamp
>                 AcctColumnDef   HUAWEI_USER_PRIORITY,Huawei-User-Priority
>                 AcctColumnDef   SESSION_TIME,Acct-Session-Time
>                 AcctColumnDef   WIMAX_ACTIVE_TIME,WiMAX-Active-Time
>                 AcctColumnDef   INPUT_OCTETS,Acct-Input-Octets
>                 AcctColumnDef   OUTPUT_OCTETS,Acct-Output-Octets
>                 AcctColumnDef   TERMINATE_CAUSE,Acct-Terminate-Cause
> </AuthBy>
> 
> <AuthBy RADMIN>
>         Identifier      AAA-SQL-CDMA-EVDO
>         NoDefault 
>          DefaultSimultaneousUse 1
>         CaseInsensitivePasswords
>         RejectEmptyPassword
>         DBSource        dbi:mysql:radmin:localhost
>         DBUsername      radmin
>         DBAuth          radminpw
>         AuthSelect select PASS_WORD,STATICADDRESS,TIMELEFT,\
>                 MAXLOGINS,SERVICENAME, BADLOGINS, VALIDFROM,\
>                 VALIDTO, CLASE, IMSI \
>                 from RADUSERS where USERNAME=%0
> #       AuthColumnDef   0,Class,reply
>         AuthColumnDef   IMSI,reply
>         AccountingTable RADUSAGE
>         AcctColumnDef   USERNAME,User-Name
>         AcctColumnDef   TIME_STAMP,Event-Timestamp,integer
>         AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type,integer
>         AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>         AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>         AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>         AcctColumnDef   ACCTSESSIONID,3GPP2-Correlation-Id
>         AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>         AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
>         AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
>         AcctColumnDef   NASPORT,Calling-Station-Id,integer
>         AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>         # We limit the user's maximum connection time according to the
>         # following schedule
> #       AddToReply Session-Timeout = "until Time"
> </AuthBy>
>  
>  
> # Handler for WIMAX
> <Handler NAS-IP-Address=3.3.3.3, Realm=wimaxtest>
>         AuthByPolicy    ContinueWhileAccept
>         AuthBy          AAA-SQL
>         AuthBy          AAA-WIMAX
>         Identifier      AUTH-WIMAX
>         RejectHasReason
>         AccountingHandled
> </Handler>
>  
> # Handler for WIMAX
> <Handler NAS-IP-Address=3.3.3.3, Realm=usbwimax>
>         AuthByPolicy    ContinueWhileAccept
>         AuthBy          AAA-SQL
>         AuthBy          AAA-WIMAX
>         Identifier      AUTH-WIMAX
>         RejectHasReason
>         AccountingHandled
> </Handler>
>  
> # Handler for EVDO
> <Handler NAS-IP-Address="/10.0.5.12|10.0.5.14|10.0.5.16|10.0.5.10/", Realm=evdo.com>
>         AuthByPolicy    ContinueWhileAccept
>         AuthBy          AAA-SQL-CDMA-EVDO
>         Identifier      AUTH-EVDO
>         RejectHasReason
>         AccountingHandled
> </Handler>
> 
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
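An added example, not from the original thread or from the Radiator distribution, of what the suggested `TunnelledByTTLS=1` Handler could look like when dropped into the configuration quoted above. The inner request that Radiator unpacks from the TTLS tunnel carries only User-Name = "acabrera", MS-CHAP-Challenge and MS-CHAP2-Response; it has no realm, so the existing Handlers keyed on `Realm=usbwimax` and `Realm=wimaxtest` never match it. The example assumes the inner passwords live in a `users` table with `USERNAME` and `PASSWORD` columns in the same `wimax` database (table and column names are assumptions), and that the stored password is plaintext or an NT hash, because MS-CHAP-V2 cannot be verified against a one-way hash.

```conf
# Added example: AuthBy and Handler for the TTLS inner (tunnelled) request.
# Not part of the original configuration; table/column names are assumed.
<AuthBy SQL>
        Identifier      AAA-INNER
        DBSource        dbi:mysql:wimax
        DBUsername      mikem
        DBAuth          fred
        # Column 0 of the result is used as the check password.
        # MS-CHAP-V2 needs the plaintext password (or an NT hash) here;
        # a one-way hashed PASSWORD column cannot be checked.
        AuthSelect      select PASSWORD from users where USERNAME=%0
</AuthBy>

# Radiator sets TunnelledByTTLS=1 only on requests it has itself unpacked
# from a TTLS tunnel, so this Handler is never reachable directly from a
# NAS on the network; the outer request still goes through AUTH-WIMAX.
<Handler TunnelledByTTLS=1>
        Identifier      AUTH-TTLS-INNER
        AuthBy          AAA-INNER
        RejectHasReason
</Handler>
```

With this in place the outer Handler (AUTH-WIMAX) still runs the EAP-TTLS exchange and derives the MSK/EMSK; the ACCEPT or REJECT for the inner MS-CHAP-V2 check comes from AUTH-TTLS-INNER. If inner identities should be confined to a realm, the same Handler can additionally match on `Realm`, e.g. `<Handler TunnelledByTTLS=1, Realm=usbwimax>`, but then the supplicant must send the inner User-Name with that realm, which the quoted log shows it does not.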

