[RADIATOR] Problem No Handler for TTLS inner authentication
Heikki Vatiainen
hvn at open.com.au
Tue Apr 26 00:56:54 CDT 2011
On 04/22/2011 06:22 AM, Augusto Cabrera wrote:
Hello Augusto, I hope you had a good Easter weekend.
> I have a problem with the configuration in radiator.cfg, please help me. I have
> an authentication error:
The problem seems to be this:
Thu Apr 21 13:46:45 2011: DEBUG: AuthBy WIMAX result: REJECT,
No Handler for TTLS inner authentication
The TTLS inner authentication in the log contains three attributes,
User-Name, MS-CHAP-Challenge and MS-CHAP2-Response. None of the Handlers
match this inner request.
Try defining something like this to match and process the TTLS inner
authentication:
<Handler TunnelledByTTLS=1>
    # AuthBy
    # Any other settings
</Handler>
> Code: Access-Request
> Identifier: 38
> Authentic: <0><0><25><177><0><0>c<248><0><0>{<148><0><0><17><240>
> Attributes:
> User-Name = "@usbwimax"
> NAS-IP-Address = 3.3.3.3
> Calling-Station-Id = "5c4ca9e2b7dc"
> NAS-Identifier = "WASN9770"
> Event-Timestamp = 1303411496
> EAP-Message = <2><24><0><192><21><0><23><3><1><0>
> H WiMAX-Capability = <1><5>1.1<2><3><2><3><3><1><5><3><1><4><3><1>
> WiMAX-BS-ID = 00000203f120
> WiMAX-GMT-Timezone-Offset = -18000
> NAS-Port-Type = Wireless-IEEE-802.16
> WiMAX-PPAC = <1><6><0><0><0>c
> Service-Type = Framed-User
> Chargeable-User-Identity = ""
> Message-Authenticator =
> <7>f<185><139><189>D<174><229><18>j<150><201>yZ<3><190>
> Thu Apr 21 13:46:45 2011: DEBUG: Handling request with Handler
> 'NAS-IP-Address=3.3.3.3, Realm=usbwimax', Identifier 'AUTH-WIMAX'
> Thu Apr 21 13:46:45 2011: DEBUG: Deleting session for @usbwimax, 3.3.3.3,
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with Radius::AuthSQL: AAA-SQL
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with Radius::AuthSQL: AAA-SQL
> Thu Apr 21 13:46:45 2011: DEBUG: Query is: 'select reason from blacklist
> where nai='5c4ca9e2b7dc'':
> Thu Apr 21 13:46:45 2011: DEBUG: Radius::AuthSQL looks for match with
> 5c4ca9e2b7dc [@usbwimax]
> Thu Apr 21 13:46:45 2011: DEBUG: Radius::AuthSQL REJECT: No such user:
> 5c4ca9e2b7dc [@usbwimax]
> Thu Apr 21 13:46:45 2011: DEBUG: Query is: 'select reason from blacklist
> where nai='DEFAULT'':
> Thu Apr 21 13:46:45 2011: DEBUG: AuthBy SQL result: ACCEPT, No such user
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with EAP: code 2, 24, 192, 21
> Thu Apr 21 13:46:45 2011: DEBUG: Response type 21
> Thu Apr 21 13:46:45 2011: DEBUG: EAP TTLS data, 3, 24, 23
> Thu Apr 21 13:46:45 2011: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code: UNDEF
> Identifier: UNDEF
> Authentic: UNDEF
> Attributes:
> User-Name = "acabrera"
> MS-CHAP-Challenge = ]t<156><132><145>x<247><24>){<201>u<249><22><199>*
> MS-CHAP2-Response = y<0><22>j<195><199>
> <144><226>l<214><223>@<219><134><146><211><182><0><0><0><0><0><0><0><0>P<177><244><196>,T<246><182>YZ*(<26><229>S<182>|/jq<134><232>?<222>
> *Thu Apr 21 13:46:45 2011: DEBUG: EAP TTLS inner authentication request
> for acabrera
> Thu Apr 21 13:46:45 2011: DEBUG: EAP result: 1, No Handler for TTLS
> inner authentication
> Thu Apr 21 13:46:45 2011: DEBUG: AuthBy WIMAX result: REJECT, No Handler
> for TTLS inner authentication
> Thu Apr 21 13:46:45 2011: INFO: Access rejected for 5c4ca9e2b7dc: No
> Handler for TTLS inner authentication
> *Thu Apr 21 13:46:45 2011: DEBUG: Packet dump:
> My configuration is:
>
> # CLIENT definition
>
> <Client 3.3.3.3>
> Secret wimaxwimax
> Identifier WIMAX
> DupInterval 5
> </Client>
>
> <Client 10.0.5.10>
> Secret secret
> Identifier EVDO
> DupInterval 0
> </Client>
>
> <AuthBy SQL>
> Identifier AAA-SQL
> # Details for accessing the SQL database that contains
> # user/device passwords, Device-Sessions etc.
> # This should match the username created in wimax.sql
> DBSource dbi:mysql:wimax
> DBUsername mikem
> DBAuth fred
> NoEAP
> Blacklist
> AuthenticateAttribute Calling-Station-Id
> AuthSelect select reason from blacklist where nai=%0
> </AuthBy>
> <AuthBy WIMAX>
> Identifier AAA-WIMAX
> DBSource dbi:mysql:wimax
> DBUsername mikem
> DBAuth fred
> # WiMAX is required to handle at least TTLS
> # We can handle any type that generates MSK and EMSK
> EAPType TTLS, TLS, PEAP, MSCHAP-V2, PSK, PAX, FAST, SIM, AKA
> EAPTLS_CAFile /etc/ssl/cert1/Rootcacert.pem
> EAPTLS_CertificateFile /etc/ssl/cert1/Servercert.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /etc/ssl/cert1/Serverkey.pem
> EAPTLS_PrivateKeyPassword 12345678
>
> EAPTLS_MaxFragmentSize 1400
>
> HAPassword mysecret
> AccountingTable ACCOUNTING
>
> AcctColumnDef STATUS_TYPE,Acct-Status-Type
> AcctColumnDef
> WIMAX_BEGINNING_OF_SESSION,WiMAX-Beginning-Of-Session
> AcctColumnDef SESSION_ID,Acct-Session-Id
> AcctColumnDef FRAMED_IP_ADDRESS,Framed-IP-Address
> AcctColumnDef NAI,User-Name
> AcctColumnDef USER_NAME,Chargeable-User-Identity
> AcctColumnDef STATION_ID,Calling-Station-Id
> AcctColumnDef NAS_IDENTIFIER,NAS-Identifier
> AcctColumnDef NAS_IP_ADDRESS,NAS-IP-Address
> AcctColumnDef WiMAX_BS_ID,WiMAX-BS-ID
> AcctColumnDef EVENT_TIMESTAMP,Event-Timestamp
> AcctColumnDef HUAWEI_USER_PRIORITY,Huawei-User-Priority
> AcctColumnDef SESSION_TIME,Acct-Session-Time
> AcctColumnDef WIMAX_ACTIVE_TIME,WiMAX-Active-Time
> AcctColumnDef INPUT_OCTETS,Acct-Input-Octets
> AcctColumnDef OUTPUT_OCTETS,Acct-Output-Octets
> AcctColumnDef TERMINATE_CAUSE,Acct-Terminate-Cause
> </AuthBy>
>
> <AuthBy RADMIN>
> Identifier AAA-SQL-CDMA-EVDO
> NoDefault
> DefaultSimultaneousUse 1
> CaseInsensitivePasswords
> RejectEmptyPassword
> DBSource dbi:mysql:radmin:localhost
> DBUsername radmin
> DBAuth radminpw
> AuthSelect select PASS_WORD,STATICADDRESS,TIMELEFT,\
> MAXLOGINS,SERVICENAME, BADLOGINS, VALIDFROM,\
> VALIDTO, CLASE, IMSI \
> from RADUSERS where USERNAME=%0
> # AuthColumnDef 0,Class,reply
> AuthColumnDef IMSI,reply
> AccountingTable RADUSAGE
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Event-Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,3GPP2-Correlation-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> AcctColumnDef NASIDENTIFIER,NAS-IP-Address
> AcctColumnDef NASPORT,Calling-Station-Id,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> # We limit the user's maximum connection time according to the following schedule
> # AddToReply Session-Timeout = "until Time"
> </AuthBy>
>
>
> # Handler for WIMAX
> <Handler NAS-IP-Address=3.3.3.3, Realm=wimaxtest>
> AuthByPolicy ContinueWhileAccept
> AuthBy AAA-SQL
> AuthBy AAA-WIMAX
> Identifier AUTH-WIMAX
> RejectHasReason
> AccountingHandled
> </Handler>
>
> # Handler for WIMAX
> <Handler NAS-IP-Address=3.3.3.3, Realm=usbwimax>
> AuthByPolicy ContinueWhileAccept
> AuthBy AAA-SQL
> AuthBy AAA-WIMAX
> Identifier AUTH-WIMAX
> RejectHasReason
> AccountingHandled
> </Handler>
>
> # Handler for EVDO
> <Handler NAS-IP-Address="/10.0.5.12|10.0.5.14|10.0.5.16|10.0.5.10/",
> Realm=evdo.com>
> AuthByPolicy ContinueWhileAccept
> AuthBy AAA-SQL-CDMA-EVDO
> Identifier AUTH-EVDO
> RejectHasReason
> AccountingHandled
> </Handler>
>
>
>
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
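As an added illustration (not part of the original thread or Radiator's own goodies), this is what a complete inner Handler for the configuration above could look like. It assumes the same MySQL database as the existing AuthBy clauses; the SUBSCRIBERS table and its USERNAME/PASSWORD columns are hypothetical.

```text
# Added example, not from the original thread. Radiator tries Handlers in the
# order they appear in radiator.cfg and uses the first one that matches, so a
# catch-all <Handler> (if any) must come after this one.

# Inner authenticator. The tunnelled request carries only User-Name,
# MS-CHAP-Challenge and MS-CHAP2-Response, and MS-CHAPv2 can only be verified
# against a plaintext (or NT-hash) password, so the select must return that.
<AuthBy SQL>
    Identifier AAA-SQL-TTLS-INNER
    DBSource dbi:mysql:wimax
    DBUsername mikem
    DBAuth fred
    # Hypothetical table and columns; %0 is the inner User-Name (acabrera in the log)
    AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=%0
    AuthColumnDef 0,User-Password,check
</AuthBy>

# Matches only requests that arrived inside an EAP-TTLS tunnel. The outer
# <Handler NAS-IP-Address=3.3.3.3, Realm=usbwimax> keeps terminating the
# tunnel with AuthBy AAA-WIMAX; this Handler answers the inner request that
# previously produced "No Handler for TTLS inner authentication".
<Handler TunnelledByTTLS=1>
    Identifier AUTH-WIMAX-INNER
    AuthBy AAA-SQL-TTLS-INNER
    RejectHasReason
</Handler>
```

With this in place, the debug log should show the inner request being handled by AUTH-WIMAX-INNER before the outer AuthBy WIMAX result is computed.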