[RADIATOR] EAP-PEAP Windows XP Wired Ethernet

Indrajaya Pitra Perdana vietrha at indo.net.id
Wed Dec 14 08:50:05 CST 2011


Yup, I already did that, but somehow right now my switch has stopped sending
auth requests to my RADIUS :-). Let me check it first, thanks a lot

/Regards,
Indrajaya Pitra Perdana/

On 12/14/2011 9:44 PM, Heikki Vatiainen wrote:
> On 12/14/2011 04:33 PM, Indrajaya Pitra Perdana wrote:
>
>> Yup, I already imported the root.der into Trusted Root Certification
>> Authorities. Does the Radiator demo certificate include the xpextension? Thanks
> Importing the certificates to trusted root certificate store is
> required, but you also need to configure the root CA as trusted in WLAN
> configuration. See this and especially point 2f) which shows the CA
> selection.
>
> https://wifipartners.itsc.cuhk.edu.hk/getting-connected-eduroam-winxp.html
>
> Also, do something like this to see that the certificates are valid and their
> validity dates have not passed:
>
> openssl x509 -noout -text -in certificates/cert-srv.pem
>
> Thanks!
> Heikki
>
>
>> Code:       Access-Request
>> Identifier: 33
>> Authentic:  1<197><232><26>`<178><223>;<31><225><30><138><202>Zv<151>
>> Attributes:
>>          NAS-IP-Address = x.x.x.x
>>          NAS-Port = 50011
>>          NAS-Port-Type = Ethernet
>>          User-Name = "indrajaya"
>>          Calling-Station-Id = "00-1B-38-A5-45-A5"
>>          Service-Type = Framed-User
>>          EAP-Message =
>> <2><2><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>N<232>1<194>g<140><177>`G<194><25>B+<191><195><26><223><152>wPjlR<190><224><10><147><176><236><189>0<182><0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
>>          Message-Authenticator =
>> b<134><218>`<173>3`<196><246><207><134>E<10><155><0><228>
>>
>> Wed Dec 14 12:17:53 2011: DEBUG: Handling request with Handler '',
>> Identifier ''
>> Wed Dec 14 12:17:53 2011: DEBUG:  Deleting session for indrajaya,
>> x.x.x.x, 50011
>> Wed Dec 14 12:17:53 2011: DEBUG: do query is: 'delete from RADONLINE
>> where NASIDENTIFIER = 'x.x.x.x' and NASPORT = 050011':
>> Wed Dec 14 12:17:53 2011: DEBUG: Handling with Radius::AuthSQL:
>> Wed Dec 14 12:17:53 2011: DEBUG: Handling with Radius::AuthSQL:
>> Wed Dec 14 12:17:53 2011: DEBUG: Handling with EAP: code 2, 2, 80, 25
>> Wed Dec 14 12:17:53 2011: DEBUG: Response type 25
>> Wed Dec 14 12:17:53 2011: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
>> Wed Dec 14 12:17:53 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
>> Wed Dec 14 12:17:53 2011: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP
>> Challenge
>> Wed Dec 14 12:17:53 2011: DEBUG: Access challenged for indrajaya: EAP
>> PEAP Challenge
>> Wed Dec 14 12:17:53 2011: DEBUG: Packet dump:
>> *** Sending to x.x.x.x port 1812 ....
>> Code:       Access-Challenge
>> Identifier: 33
>> Authentic:  n<255><175>k<153><2>n<165><148><140>3<182><148>Q<158><1>
>> Attributes:
>>          EAP-Message =
>> <1><3><3><242><25><192><0><0><7><178><22><3><1><0>J<2><0><0>F<3><1>N<232>1<129>w<144><212><137>X{w<247><18><30><29><171>!<187><187><215><243><191>0<188><149>K&<226><145><179><195><138>
>> ^<214>H<218>m<25><243>H<218>|<26>y;<187><209>~<160><203>X<236>@"<168>.<145><232>+<26>t<153>k<18><0><4><0><22><3><1><7>U<11><0><7>Q<0><7>N<0><2><251>0<130><2><247>0<130><2>`<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
>>          EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use
>> in production)1
>> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>100128213155Z<23><13>120128213155Z0<129><158>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
>> Section1%0#<6><3>U<4><3><19><28>t
>>          EAP-Message =
>> est.server.some.company.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><203>?(<193><229><128><183><136>q<166><202><21><168><224><157>M<139><204>{<209><131><10><156><164><254>Z<214><231><254>g<245>+y~<210><147><171><8><131><143><139><186>{<221><224>)<161>`<140>z<193><247><244><210><152><149><4><204><225><139><204><159><29><1><12><162><219><142><176>)/<189><163>vV<208><250><213><212><144><137><211><2
>> 07><10><215><19><206><14><228>umT<7><239><198>_Y<231><197><202><14><166><211><145><181><226><226>|<201>E<128>F<165><189><<250><20><18><227>6t<243><177>ZNv<133><153><2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><30><137>N<139><212>><249><25><151><161>N<31><183><246><141>'<233>V<198><203>
>>          EAP-Message =
>> <206><146>9*<19><219>0<28><209><244>e<17><199>`<236>g<189>q<<200><185>{<219><252><31>+<245><10><208>M<181>!<248><20><1>K)E<2><158><128>#<169><162><179><224>W08<19><<16>ts<226>~<11>4<8><251>!d<201><223><230>~E<133><166>r<0>:<19>4<206>D<136>8<232>n<26><195>v<13><192>&ws<175>n at 0D<175><29>E<162>:<239>d
>> <17>?<153><184>C4?<0><4>M0<130><4>I0<130><3><178><160><3><2><1><2><2><9><0><249><170>@<232><246>7<146>$0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Tes
>>          Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> /Regards,
>> Indrajaya Pitra Perdana/
>>
>> On 12/14/2011 9:10 PM, Heikki Vatiainen wrote:
>>> On 12/14/2011 08:11 AM, Indrajaya Pitra Perdana wrote:
>>>
>>>> I am trying to set up EAP with a Cisco Catalyst 2950 as the authenticator and
>>>> Windows XP as the supplicant, but after I enter the credentials in Win
>>>> XP, Radiator sends an EAP Access-Challenge that Win XP never replies to,
>>>> and in the end Windows XP tells me that the authentication failed.
>>>> Am I missing something in my configuration? BTW, I'm using the demo cert
>>>> provided in the Radiator goodies, and imported root.der and cert-clt.p12
>>>> into my Win XP. Thanks
>>> When configuring Windows PEAP settings, did you mark the imported
>>> root.der as trusted CA? You need to both import the certificate and then
>>> mark it as trusted for the SSID you are configuring.
>>>
>>> The configuration and log snippets look good. The log shows Radiator
>>> sending its certificate to Windows, so if there is no response, then
>>> Windows may not be accepting the certificate yet.
>>>
>>> If there are still problems, please reply with the full configuration
>>> file and full Radiator log showing everything from the startup.
>>>
>>> Thanks!
>>>
>>>> Config file:
>>>>
>>>>
>>>> <Handler TunnelledByPEAP=1>
>>>>          MaxSessions 1
>>>>          AuthByPolicy ContinueWhileAccept
>>>>
>>>>
>>>> #<Realm DEFAULT>
>>>>          <AuthBy SQL>
>>>>                  DBSource        dbi:mysql:radius:localhost
>>>>                  DBUsername      radius
>>>>                  DBAuth          r4d1usLocal
>>>>
>>>>                  AuthSelect select PASSWORD FROM SUBSCRIBERS WHERE
>>>> USERNAME=%0
>>>>
>>>>                  AcctColumnDef   User-Password, check
>>>>                  AcctColumnDef   USERNAME,User-Name
>>>>                  AcctColumnDef   TIME_STAMP,Timestamp,integer
>>>>                  AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>>>>                  AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>>>>                  AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>>>                  AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>>>                  AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>>>>                  AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>>>>                  AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>>>                  AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>>>>                  AcctColumnDef   NASPORT,NAS-Port,integer
>>>>                  EAPType MSCHAP-V2
>>>>           #      EAPType PEAP
>>>>          </AuthBy>
>>>>
>>>> </Handler>
>>>>
>>>> <Handler>
>>>>
>>>>          <AuthBy SQL>
>>>>                  DBSource        dbi:mysql:radius:localhost
>>>>                  DBUsername      radius
>>>>                  DBAuth          r4d1usLocal
>>>>
>>>>                  AuthSelect select PASSWORD FROM SUBSCRIBERS WHERE
>>>> USERNAME=%0
>>>>
>>>>                  AcctColumnDef   User-Password, check
>>>>                  AcctColumnDef   USERNAME,User-Name
>>>>                  AcctColumnDef   TIME_STAMP,Timestamp,integer
>>>>                  AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>>>>                  AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>>>>                  AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>>>                  AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>>>                  AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>>>>                  AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>>>>                  AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>>>                  AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>>>>                  AcctColumnDef   NASPORT,NAS-Port,integer
>>>>
>>>>                  EAPType PEAP
>>>>            #     EAPType MSCHAP-V2
>>>>                  EAPTLS_CAFile
>>>> /usr/share/doc/packages/Radiator/certificates/demoCA/cacert.pem
>>>>                  EAPTLS_CertificateFile
>>>> /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
>>>>                  EAPTLS_CertificateType PEM
>>>>                  EAPTLS_PrivateKeyFile
>>>> /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
>>>>                  EAPTLS_PrivateKeyPassword whatever
>>>>                  EAPTLS_MaxFragmentSize 1000
>>>>                  AutoMPPEKeys
>>>>
>>>>          </AuthBy>
>>>>
>>>> </Handler>
>>>>
>>>>
>>>> Debug:
>>>>
>>>> *** Received from 202.53.249.28 port 1812 ....
>>>> Code:       Access-Request
>>>> Identifier: 55
>>>> Authentic:  S<155><173>*<150><226><172><149>!<245>i<30>B<229><133><211>
>>>> Attributes:
>>>>          NAS-IP-Address = 202.53.249.28
>>>>          NAS-Port = 50011
>>>>          NAS-Port-Type = Ethernet
>>>>          User-Name = "indrajaya"
>>>>          Calling-Station-Id = "00-1B-38-A5-45-A5"
>>>>          Service-Type = Framed-User
>>>>          EAP-Message =
>>>> <2><148><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>N<232>;<17><191>k<228><146><254>'<27>U<187><187><26>nf%NK<154><8>-<198><186>8<129>u<170><210>#P<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
>>>>          Message-Authenticator =<220>DJ<146>1M<9>S5"q<132><197>x<19>
>>>>
>>>> Wed Dec 14 12:57:29 2011: DEBUG: Handling request with Handler '',
>>>> Identifier ''
>>>> Wed Dec 14 12:57:29 2011: DEBUG:  Deleting session for indrajaya,
>>>> 202.53.249.28, 50011
>>>> Wed Dec 14 12:57:29 2011: DEBUG: do query is: 'delete from RADONLINE
>>>> where NASIDENTIFIER = '202.53.249.28' and NASPORT = 050011':
>>>> Wed Dec 14 12:57:29 2011: DEBUG: Handling with Radius::AuthSQL:
>>>> Wed Dec 14 12:57:29 2011: DEBUG: Handling with Radius::AuthSQL:
>>>> Wed Dec 14 12:57:29 2011: DEBUG: Handling with EAP: code 2, 148, 80, 25
>>>> Wed Dec 14 12:57:29 2011: DEBUG: Response type 25
>>>> Wed Dec 14 12:57:29 2011: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
>>>> Wed Dec 14 12:57:29 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
>>>> Wed Dec 14 12:57:29 2011: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP
>>>> Challenge
>>>> Wed Dec 14 12:57:29 2011: DEBUG: Access challenged for indrajaya: EAP
>>>> PEAP Challenge
>>>> Wed Dec 14 12:57:29 2011: DEBUG: Packet dump:
>>>> *** Sending to 202.53.249.28 port 1812 ....
>>>> Code:       Access-Challenge
>>>> Identifier: 55
>>>> Authentic:<3>.<248><243>a<172>b`<181>l<138>E<214>6<154><213>
>>>> Attributes:
>>>>          EAP-Message =
>>>> <1><149><3><242><25><192><0><0><7><178><22><3><1><0>J<2><0><0>F<3><1>N<232>:<201><12><1><17><235>z<22><181>
>>>> <186><171><150>9<252>@|q<18>,R<134><203>\<27>Vf<27><133><136>
>>>> <247>B<140><150>j'<152><24>C<163><228><244>_<150>i<141><176><252><149><177>T<182>R8<159><178><20><187><19>Q<22>!<0><4><0><22><3><1><7>U<11><0><7>Q<0><7>N<0><2><251>0<130><2><247>0<130><2>`<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>>>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
>>>>          EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use
>>>> in production)1
>>>> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>100128213155Z<23><13>120128213155Z0<129><158>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>>>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
>>>> Section1%0#<6><3>U<4><3><19><28>t
>>>>          EAP-Message =
>>>> est.server.some.company.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><203>?(<193><229><128><183><136>q<166><202><21><168><224><157>M<139><204>{<209><131><10><156><164><254>Z<214><231><254>g<245>+y~<210><147><171><8><131><143><139><186>{<221><224>)<161>`<140>z<193><247><244><210><152><149><4><204><225><139><204><159><29><1><12><162><219><142><176>)/<189><163>vV<208><250><213><212><144><137><211><2
>>>>
>>>> 07><10><215><19><206><14><228>umT<7><239><198>_Y<231><197><202><14><166><211><145><181><226><226>|<201>E<128>F<165><189><<250><20><18><227>6t<243><177>ZNv<133><153><2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><30><137>N<139><212>><249><25><151><161>N<31><183><246><141>'<233>V<198><203>
>>>>          EAP-Message =
>>>> <206><146>9*<19><219>0<28><209><244>e<17><199>`<236>g<189>q<<200><185>{<219><252><31>+<245><10><208>M<181>!<248><20><1>K)E<2><158><128>#<169><162><179><224>W08<19><<16>ts<226>~<11>4<8><251>!d<201><223><230>~E<133><166>r<0>:<19>4<206>D<136>8<232>n<26><195>v<13><192>&ws<175>n at 0D<175><29>E<162>:<239>d
>>>> <17>?<153><184>C4?<0><4>M0<130><4>I0<130><3><178><160><3><2><1><2><2><9><0><249><170>@<232><246>7<146>$0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>>>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Tes
>>>>          Message-Authenticator =
>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>
>>>>
>>>>
>>>>
>>>> -- 
>>>> /Regards,
>>>> Indrajaya Pitra Perdana/
>>>>
>>>>
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>
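The check Heikki recommends above (run `openssl x509 -noout -text` on the server certificate and confirm its validity dates) can be scripted. The Python below is an added example, not code from this thread or from Radiator: it reads that openssl text output, checks the Not Before / Not After window against a given time, confirms the server-authentication extended key usage that Windows PEAP supplicants require on the server certificate (the purpose of the xpextension question), and flags the demo CA, whose name literally says "do not use in production". The embedded sample is constructed to match the issuer, subject and validity fields that appear DER-encoded in the quoted packet dump (the demo certificate expires on 28 Jan 2012, six weeks after this thread); the function names are mine.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample in the shape `openssl x509 -noout -text` prints. The
# issuer, subject and validity dates are the ones visible (DER-encoded) in
# the Access-Challenge dump in the thread; everything else is illustrative.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Victoria, L=Melbourne, O=OSC Demo Certificates, OU=Test Certificate Section, CN=OSC Test CA (do not use in production)
        Validity
            Not Before: Jan 28 21:31:55 2010 GMT
            Not After : Jan 28 21:31:55 2012 GMT
        Subject: C=AU, ST=Victoria, L=Melbourne, O=OSC Demo Certificates, OU=Test Certificate Section, CN=test.server.some.company.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

SERVER_AUTH = "TLS Web Server Authentication"  # openssl's name for id-kp-serverAuth


def parse_openssl_date(text):
    """Parse 'Jan 28 21:31:55 2010 GMT'; openssl pads single-digit days with a space."""
    cleaned = " ".join(text.split())
    return datetime.strptime(cleaned, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def parse_x509_text(text):
    """Pull the fields this check needs out of `openssl x509 -noout -text` output."""
    def field(pattern):
        m = re.search(pattern, text)
        if not m:
            raise ValueError("field not found in certificate text: %s" % pattern)
        return m.group(1).strip()

    # The EKU names are printed on the line after the extension header,
    # comma-separated if there is more than one.
    eku = re.search(r"Extended Key Usage:[^\n]*\n\s*([^\n]+)", text)
    return {
        "issuer": field(r"Issuer:\s*(.+)"),
        "subject": field(r"Subject:\s*(.+)"),
        "not_before": parse_openssl_date(field(r"Not Before:\s*(.+)")),
        "not_after": parse_openssl_date(field(r"Not After\s*:\s*(.+)")),
        "eku": [e.strip() for e in eku.group(1).split(",")] if eku else [],
    }


def check_server_cert(text, now_iso):
    """Return the problems found with an EAP-TLS/PEAP server certificate.

    `now_iso` is the evaluation time in UTC, e.g. "2011-12-14 12:17:53".
    An empty list means the certificate passes every check made here.
    """
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    cert = parse_x509_text(text)
    problems = []
    if now < cert["not_before"]:
        problems.append("not yet valid (Not Before %s)" % cert["not_before"])
    if now > cert["not_after"]:
        problems.append("expired (Not After %s)" % cert["not_after"])
    if SERVER_AUTH not in cert["eku"]:
        problems.append("missing serverAuth extended key usage; "
                        "Windows PEAP supplicants reject the server certificate")
    if "do not use in production" in cert["issuer"].lower():
        problems.append("issued by the demo CA (%s)" % cert["issuer"])
    return problems


if __name__ == "__main__":
    # Usage: openssl x509 -noout -text -in cert-srv.pem | python check_eap_cert.py
    # With no piped input the constructed sample is checked instead.
    text = SAMPLE_X509_TEXT if sys.stdin.isatty() else sys.stdin.read()
    now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    found = check_server_cert(text, now)
    print("OK" if not found else "\n".join("PROBLEM: " + p for p in found))
```

Run against the sample at the time of the thread, the only finding is the demo-CA issuer; run six weeks later, the expiry is reported as well. Piping the real `openssl x509 -noout -text -in certificates/cert-srv.pem` output into the script checks the certificate Radiator is actually serving.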