[RADIATOR] EAP-PEAP Windows XP Wired Ethernet
Heikki Vatiainen
hvn at open.com.au
Wed Dec 14 08:44:09 CST 2011
On 12/14/2011 04:33 PM, Indrajaya Pitra Perdana wrote:
> Yup, i already import the root.der in trusted root certification
> authorities, is Radiator demo certificate include the xpextension? thanks
Importing the certificates to trusted root certificate store is
required, but you also need to configure the root CA as trusted in WLAN
configuration. See this and especially point 2f) which shows the CA
selection.
https://wifipartners.itsc.cuhk.edu.hk/getting-connected-eduroam-winxp.html
Also, do something like this to see the certificates are valid and their
validity dates have not passed:
openssl x509 -noout -text -in certificates/cert-srv.pem
Thanks!
Heikki
> Code: Access-Request
> Identifier: 33
> Authentic: 1<197><232><26>`<178><223>;<31><225><30><138><202>Zv<151>
> Attributes:
> NAS-IP-Address = x.x.x.x
> NAS-Port = 50011
> NAS-Port-Type = Ethernet
> User-Name = "indrajaya"
> Calling-Station-Id = "00-1B-38-A5-45-A5"
> Service-Type = Framed-User
> EAP-Message =
> <2><2><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>N<232>1<194>g<140><177>`G<194><25>B+<191><195><26><223><152>wPjlR<190><224><10><147><176><236><189>0<182><0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
> Message-Authenticator =
> b<134><218>`<173>3`<196><246><207><134>E<10><155><0><228>
>
> Wed Dec 14 12:17:53 2011: DEBUG: Handling request with Handler '',
> Identifier ''
> Wed Dec 14 12:17:53 2011: DEBUG: Deleting session for indrajaya,
> x.x.x.x, 50011
> Wed Dec 14 12:17:53 2011: DEBUG: do query is: 'delete from RADONLINE
> where NASIDENTIFIER = 'x.x.x.x' and NASPORT = 050011':
> Wed Dec 14 12:17:53 2011: DEBUG: Handling with Radius::AuthSQL:
> Wed Dec 14 12:17:53 2011: DEBUG: Handling with Radius::AuthSQL:
> Wed Dec 14 12:17:53 2011: DEBUG: Handling with EAP: code 2, 2, 80, 25
> Wed Dec 14 12:17:53 2011: DEBUG: Response type 25
> Wed Dec 14 12:17:53 2011: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Wed Dec 14 12:17:53 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Dec 14 12:17:53 2011: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP
> Challenge
> Wed Dec 14 12:17:53 2011: DEBUG: Access challenged for indrajaya: EAP
> PEAP Challenge
> Wed Dec 14 12:17:53 2011: DEBUG: Packet dump:
> *** Sending to x.x.x.x port 1812 ....
> Code: Access-Challenge
> Identifier: 33
> Authentic: n<255><175>k<153><2>n<165><148><140>3<182><148>Q<158><1>
> Attributes:
> EAP-Message =
> <1><3><3><242><25><192><0><0><7><178><22><3><1><0>J<2><0><0>F<3><1>N<232>1<129>w<144><212><137>X{w<247><18><30><29><171>!<187><187><215><243><191>0<188><149>K&<226><145><179><195><138>
> ^<214>H<218>m<25><243>H<218>|<26>y;<187><209>~<160><203>X<236>@"<168>.<145><232>+<26>t<153>k<18><0><4><0><22><3><1><7>U<11><0><7>Q<0><7>N<0><2><251>0<130><2><247>0<130><2>`<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
> EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use
> in production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>100128213155Z<23><13>120128213155Z0<129><158>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
> Section1%0#<6><3>U<4><3><19><28>t
> EAP-Message =
> est.server.some.company.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><203>?(<193><229><128><183><136>q<166><202><21><168><224><157>M<139><204>{<209><131><10><156><164><254>Z<214><231><254>g<245>+y~<210><147><171><8><131><143><139><186>{<221><224>)<161>`<140>z<193><247><244><210><152><149><4><204><225><139><204><159><29><1><12><162><219><142><176>)/<189><163>vV<208><250><213><212><144><137><211><2
> 07><10><215><19><206><14><228>umT<7><239><198>_Y<231><197><202><14><166><211><145><181><226><226>|<201>E<128>F<165><189><<250><20><18><227>6t<243><177>ZNv<133><153><2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><30><137>N<139><212>><249><25><151><161>N<31><183><246><141>'<233>V<198><203>
> EAP-Message =
> <206><146>9*<19><219>0<28><209><244>e<17><199>`<236>g<189>q<<200><185>{<219><252><31>+<245><10><208>M<181>!<248><20><1>K)E<2><158><128>#<169><162><179><224>W08<19><<16>ts<226>~<11>4<8><251>!d<201><223><230>~E<133><166>r<0>:<19>4<206>D<136>8<232>n<26><195>v<13><192>&ws<175>n at 0D<175><29>E<162>:<239>d
> <17>?<153><184>C4?<0><4>M0<130><4>I0<130><3><178><160><3><2><1><2><2><9><0><249><170>@<232><246>7<146>$0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Tes
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> /Regards,
> Indrajaya Pitra Perdana/
>
> On 12/14/2011 9:10 PM, Heikki Vatiainen wrote:
>> On 12/14/2011 08:11 AM, Indrajaya Pitra Perdana wrote:
>>
>>> I try to setup EAP where cisco catalyst 2950 as authenticator and
>>> windows xp as the supplicant, but after i enter the credentials in Win
>>> xp, radiator send eap access challenge but never got replied by win XP
>>> and in the end the windows xp told me that the authentication is failed,
>>> am i missing something in my configuration? btw i'm using the demo cert
>>> provided by Radiator goodies, and imported the root.der and cert-clt.p12
>>> into my win xp, thanks
>> When configuring Windows PEAP settings, did you mark the imported
>> root.der as trusted CA? You need to both import the certificate and then
>> mark it as trusted for the SSID you are configuring.
>>
>> The configuration and log snippets look good. The log shows Radiator
>> sending its certificate to Windows, so if there is no response, then
>> Windows may not be accepting the certificate yet.
>>
>> If there are still problems, please reply with the full configuration
>> file and full Radiator log showing everything from the startup.
>>
>> Thanks!
>>
>>> Config file:
>>>
>>>
>>> <Handler TunnelledByPEAP=1>
>>> MaxSessions 1
>>> AuthByPolicy ContinueWhileAccept
>>>
>>>
>>> #<Realm DEFAULT>
>>> <AuthBy SQL>
>>> DBSource dbi:mysql:radius:localhost
>>> DBUsername radius
>>> DBAuth r4d1usLocal
>>>
>>> AuthSelect select PASSWORD FROM SUBSCRIBERS WHERE
>>> USERNAME=%0
>>>
>>> AcctColumnDef User-Password, check
>>> AcctColumnDef USERNAME,User-Name
>>> AcctColumnDef TIME_STAMP,Timestamp,integer
>>> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>>> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>>> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>>> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>>> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>> AcctColumnDef NASIDENTIFIER,NAS-Identifier
>>> AcctColumnDef NASPORT,NAS-Port,integer
>>> EAPType MSCHAP-V2
>>> # EAPType PEAP
>>> </AuthBy>
>>>
>>> </Handler>
>>>
>>> <Handler>
>>>
>>> <AuthBy SQL>
>>> DBSource dbi:mysql:radius:localhost
>>> DBUsername radius
>>> DBAuth r4d1usLocal
>>>
>>> AuthSelect select PASSWORD FROM SUBSCRIBERS WHERE
>>> USERNAME=%0
>>>
>>> AcctColumnDef User-Password, check
>>> AcctColumnDef USERNAME,User-Name
>>> AcctColumnDef TIME_STAMP,Timestamp,integer
>>> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>>> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>>> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>>> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>>> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>> AcctColumnDef NASIDENTIFIER,NAS-Identifier
>>> AcctColumnDef NASPORT,NAS-Port,integer
>>>
>>> EAPType PEAP
>>> # EAPType MSCHAP-V2
>>> EAPTLS_CAFile
>>> /usr/share/doc/packages/Radiator/certificates/demoCA/cacert.pem
>>> EAPTLS_CertificateFile
>>> /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
>>> EAPTLS_CertificateType PEM
>>> EAPTLS_PrivateKeyFile
>>> /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
>>> EAPTLS_PrivateKeyPassword whatever
>>> EAPTLS_MaxFragmentSize 1000
>>> AutoMPPEKeys
>>>
>>> </AuthBy>
>>>
>>> </Handler>
>>>
>>>
>>> Debug:
>>>
>>> *** Received from 202.53.249.28 port 1812 ....
>>> Code: Access-Request
>>> Identifier: 55
>>> Authentic: S<155><173>*<150><226><172><149>!<245>i<30>B<229><133><211>
>>> Attributes:
>>> NAS-IP-Address = 202.53.249.28
>>> NAS-Port = 50011
>>> NAS-Port-Type = Ethernet
>>> User-Name = "indrajaya"
>>> Calling-Station-Id = "00-1B-38-A5-45-A5"
>>> Service-Type = Framed-User
>>> EAP-Message =
>>> <2><148><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>N<232>;<17><191>k<228><146><254>'<27>U<187><187><26>nf%NK<154><8>-<198><186>8<129>u<170><210>#P<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
>>> Message-Authenticator = <220>DJ<146>1M<9>S5"q<132><197>x<19>
>>>
>>> Wed Dec 14 12:57:29 2011: DEBUG: Handling request with Handler '',
>>> Identifier ''
>>> Wed Dec 14 12:57:29 2011: DEBUG: Deleting session for indrajaya,
>>> 202.53.249.28, 50011
>>> Wed Dec 14 12:57:29 2011: DEBUG: do query is: 'delete from RADONLINE
>>> where NASIDENTIFIER = '202.53.249.28' and NASPORT = 050011':
>>> Wed Dec 14 12:57:29 2011: DEBUG: Handling with Radius::AuthSQL:
>>> Wed Dec 14 12:57:29 2011: DEBUG: Handling with Radius::AuthSQL:
>>> Wed Dec 14 12:57:29 2011: DEBUG: Handling with EAP: code 2, 148, 80, 25
>>> Wed Dec 14 12:57:29 2011: DEBUG: Response type 25
>>> Wed Dec 14 12:57:29 2011: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
>>> Wed Dec 14 12:57:29 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
>>> Wed Dec 14 12:57:29 2011: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP
>>> Challenge
>>> Wed Dec 14 12:57:29 2011: DEBUG: Access challenged for indrajaya: EAP
>>> PEAP Challenge
>>> Wed Dec 14 12:57:29 2011: DEBUG: Packet dump:
>>> *** Sending to 202.53.249.28 port 1812 ....
>>> Code: Access-Challenge
>>> Identifier: 55
>>> Authentic: <3>.<248><243>a<172>b`<181>l<138>E<214>6<154><213>
>>> Attributes:
>>> EAP-Message =
>>> <1><149><3><242><25><192><0><0><7><178><22><3><1><0>J<2><0><0>F<3><1>N<232>:<201><12><1><17><235>z<22><181>
>>> <186><171><150>9<252>@|q<18>,R<134><203>\<27>Vf<27><133><136>
>>> <247>B<140><150>j'<152><24>C<163><228><244>_<150>i<141><176><252><149><177>T<182>R8<159><178><20><187><19>Q<22>!<0><4><0><22><3><1><7>U<11><0><7>Q<0><7>N<0><2><251>0<130><2><247>0<130><2>`<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
>>> EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use
>>> in production)1
>>> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>100128213155Z<23><13>120128213155Z0<129><158>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
>>> Section1%0#<6><3>U<4><3><19><28>t
>>> EAP-Message =
>>> est.server.some.company.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><203>?(<193><229><128><183><136>q<166><202><21><168><224><157>M<139><204>{<209><131><10><156><164><254>Z<214><231><254>g<245>+y~<210><147><171><8><131><143><139><186>{<221><224>)<161>`<140>z<193><247><244><210><152><149><4><204><225><139><204><159><29><1><12><162><219><142><176>)/<189><163>vV<208><250><213><212><144><137><211><2
>>>
>>> 07><10><215><19><206><14><228>umT<7><239><198>_Y<231><197><202><14><166><211><145><181><226><226>|<201>E<128>F<165><189><<250><20><18><227>6t<243><177>ZNv<133><153><2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><30><137>N<139><212>><249><25><151><161>N<31><183><246><141>'<233>V<198><203>
>>> EAP-Message =
>>> <206><146>9*<19><219>0<28><209><244>e<17><199>`<236>g<189>q<<200><185>{<219><252><31>+<245><10><208>M<181>!<248><20><1>K)E<2><158><128>#<169><162><179><224>W08<19><<16>ts<226>~<11>4<8><251>!d<201><223><230>~E<133><166>r<0>:<19>4<206>D<136>8<232>n<26><195>v<13><192>&ws<175>n at 0D<175><29>E<162>:<239>d
>>> <17>?<153><184>C4?<0><4>M0<130><4>I0<130><3><178><160><3><2><1><2><2><9><0><249><170>@<232><246>7<146>$0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Tes
>>> Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> --
>>> /Regards,
>>> Indrajaya Pitra Perdana/
>>>
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
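Heikki's openssl command covers the validity dates; the other half of the question, whether the server certificate carries the serverAuth Extended Key Usage that Windows supplicants check for, can be read straight from the Access-Challenge packet dump quoted above. The following is an added example, not code from the thread or from Radiator: a stand-alone Python script that decodes Radiator's `<decimal>` packet-dump notation back to bytes, walks the DER, and reports the validity window and whether serverAuth (1.3.6.1.5.5.7.3.1) is present. The input is a constructed excerpt, two fragments re-typed from the dump above (the validity SEQUENCE and the extensions block), not a whole certificate; the full dump is split across several EAP-Message attributes and wrapped by the mail client, so it cannot be fed in as-is. All function names and `THREAD_DATE` are mine.

```python
import re
from datetime import datetime, timezone

# Constructed input: two fragments re-typed from the Access-Challenge packet dump
# in the thread (validity SEQUENCE and the [3] extensions block), joined into one
# buffer. Not a whole certificate; the real dump is split across EAP-Message attributes.
DUMP_EXCERPT = (
    "0<30><23><13>100128213155Z<23><13>120128213155Z"
    "<163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>"
)

OID_EXT_KEY_USAGE = bytes([0x55, 0x1D, 0x25])                              # 2.5.29.37
OID_SERVER_AUTH = bytes([0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01])  # 1.3.6.1.5.5.7.3.1
THREAD_DATE = datetime(2011, 12, 14, tzinfo=timezone.utc)  # assumed "now": the thread's date
_TOKEN = re.compile(r"<(\d{1,3})>")


def decode_dump(text):
    """Turn Radiator's packet-dump notation back into bytes: non-printable octets
    are written as <decimal>, printable ones literally (so a bare '<' stays '<')."""
    out, i = bytearray(), 0
    while i < len(text):
        m = _TOKEN.match(text, i)
        if m and int(m.group(1)) < 256:
            out.append(int(m.group(1)))
            i = m.end()
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_tlv(buf):
    """Yield (tag, value) for each top-level element in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def walk(buf):
    """Depth-first traversal; descends into constructed types (bit 0x20 set)."""
    for tag, value in iter_tlv(buf):
        yield tag, value
        if tag & 0x20:
            yield from walk(value)


def parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ, RFC 5280 century rule) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def find_validity(der):
    """Return (notBefore, notAfter): the first SEQUENCE holding exactly two times."""
    for tag, value in walk(der):
        if tag == 0x30:
            kids = list(iter_tlv(value))
            if len(kids) == 2 and all(t in (0x17, 0x18) for t, _ in kids):
                return parse_time(*kids[0]), parse_time(*kids[1])
    return None


def extended_key_usage(der):
    """Return the list of EKU OIDs (raw DER bytes), or None if the extension is absent."""
    for tag, value in walk(der):
        if tag != 0x30:
            continue
        kids = list(iter_tlv(value))
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if not kids or kids[0] != (0x06, OID_EXT_KEY_USAGE) or kids[-1][0] != 0x04:
            continue
        _, seq, _ = read_tlv(kids[-1][1], 0)  # the OCTET STRING wraps a SEQUENCE OF OID
        return [v for t, v in iter_tlv(seq) if t == 0x06]
    return None


def check_server_cert(der, now):
    """List the reasons a PEAP client would reject this server certificate (empty = fine)."""
    problems = []
    validity = find_validity(der)
    if validity is None:
        problems.append("no validity period")
    elif now < validity[0]:
        problems.append("not yet valid")
    elif now > validity[1]:
        problems.append("expired")
    eku = extended_key_usage(der)
    if eku is None or OID_SERVER_AUTH not in eku:
        problems.append("serverAuth EKU missing")
    return problems


if __name__ == "__main__":
    der = decode_dump(DUMP_EXCERPT)
    print("validity:", *find_validity(der), "| problems:", check_server_cert(der, THREAD_DATE) or "none")
```

Run as a script it prints the validity window and any problems as of the thread date. Note what the dump itself says: the notAfter field is `120128213155Z`, i.e. 28 January 2012, about six weeks after this thread, so the demo certificate would have stopped working shortly afterwards even with the CA trust configured correctly; the same walk reports it as expired for any later date.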