[RADIATOR] EAP-PEAP Windows XP Wired Ethernet

Indrajaya Pitra Perdana vietrha at indo.net.id
Wed Dec 14 22:18:28 CST 2011


Heikki,

The problem still persists even though I created my own certificate using the 
steps in the mkcertificate.sh goodies; my Windows didn't respond to the EAP 
challenge sent by Radiator. Do you have any clue on this? Or perhaps the 
problem is within my 2950 Catalyst? Thanks :-)


Regards,
Indrajaya Pitra Perdana

On 12/14/2011 9:50 PM, Indrajaya Pitra Perdana wrote:
>
> Yup, I already did that, but somehow right now my switch stopped sending 
> auth requests to my RADIUS :-) , let me check it first, thanks a lot
>
> Regards,
> Indrajaya Pitra Perdana
>
> On 12/14/2011 9:44 PM, Heikki Vatiainen wrote:
>> On 12/14/2011 04:33 PM, Indrajaya Pitra Perdana wrote:
>>
>>> Yup, I already imported the root.der into Trusted Root Certification
>>> Authorities. Does the Radiator demo certificate include the xpextension? Thanks
>> Importing the certificates to trusted root certificate store is
>> required, but you also need to configure the root CA as trusted in WLAN
>> configuration. See this and especially point 2f) which shows the CA
>> selection.
>>
>> https://wifipartners.itsc.cuhk.edu.hk/getting-connected-eduroam-winxp.html
>>
>> Also, do something like this to see that the certificates are valid and their
>> validity dates have not passed:
>>
>> openssl x509 -noout -text -in certificates/cert-srv.pem
>>
>> Thanks!
>> Heikki
>>
>>
>>> Code:       Access-Request
>>> Identifier: 33
>>> Authentic:  1<197><232><26>`<178><223>;<31><225><30><138><202>Zv<151>
>>> Attributes:
>>>          NAS-IP-Address = x.x.x.x
>>>          NAS-Port = 50011
>>>          NAS-Port-Type = Ethernet
>>>          User-Name = "indrajaya"
>>>          Calling-Station-Id = "00-1B-38-A5-45-A5"
>>>          Service-Type = Framed-User
>>>          EAP-Message =
>>> <2><2><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>N<232>1<194>g<140><177>`G<194><25>B+<191><195><26><223><152>wPjlR<190><224><10><147><176><236><189>0<182><0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
>>>          Message-Authenticator =
>>> b<134><218>`<173>3`<196><246><207><134>E<10><155><0><228>
>>>
>>> Wed Dec 14 12:17:53 2011: DEBUG: Handling request with Handler '',
>>> Identifier ''
>>> Wed Dec 14 12:17:53 2011: DEBUG:  Deleting session for indrajaya,
>>> x.x.x.x, 50011
>>> Wed Dec 14 12:17:53 2011: DEBUG: do query is: 'delete from RADONLINE
>>> where NASIDENTIFIER = 'x.x.x.x' and NASPORT = 050011':
>>> Wed Dec 14 12:17:53 2011: DEBUG: Handling with Radius::AuthSQL:
>>> Wed Dec 14 12:17:53 2011: DEBUG: Handling with Radius::AuthSQL:
>>> Wed Dec 14 12:17:53 2011: DEBUG: Handling with EAP: code 2, 2, 80, 25
>>> Wed Dec 14 12:17:53 2011: DEBUG: Response type 25
>>> Wed Dec 14 12:17:53 2011: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
>>> Wed Dec 14 12:17:53 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
>>> Wed Dec 14 12:17:53 2011: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP
>>> Challenge
>>> Wed Dec 14 12:17:53 2011: DEBUG: Access challenged for indrajaya: EAP
>>> PEAP Challenge
>>> Wed Dec 14 12:17:53 2011: DEBUG: Packet dump:
>>> *** Sending to x.x.x.x port 1812 ....
>>> Code:       Access-Challenge
>>> Identifier: 33
>>> Authentic:  n<255><175>k<153><2>n<165><148><140>3<182><148>Q<158><1>
>>> Attributes:
>>>          EAP-Message =
>>> <1><3><3><242><25><192><0><0><7><178><22><3><1><0>J<2><0><0>F<3><1>N<232>1<129>w<144><212><137>X{w<247><18><30><29><171>!<187><187><215><243><191>0<188><149>K&<226><145><179><195><138>
>>> ^<214>H<218>m<25><243>H<218>|<26>y;<187><209>~<160><203>X<236>@"<168>.<145><232>+<26>t<153>k<18><0><4><0><22><3><1><7>U<11><0><7>Q<0><7>N<0><2><251>0<130><2><247>0<130><2>`<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
>>>          EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use
>>> in production)1
>>> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>100128213155Z<23><13>120128213155Z0<129><158>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
>>> Section1%0#<6><3>U<4><3><19><28>t
>>>          EAP-Message =
>>> est.server.some.company.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><203>?(<193><229><128><183><136>q<166><202><21><168><224><157>M<139><204>{<209><131><10><156><164><254>Z<214><231><254>g<245>+y~<210><147><171><8><131><143><139><186>{<221><224>)<161>`<140>z<193><247><244><210><152><149><4><204><225><139><204><159><29><1><12><162><219><142><176>)/<189><163>vV<208><250><213><212><144><137><211><2
>>>
>>> 07><10><215><19><206><14><228>umT<7><239><198>_Y<231><197><202><14><166><211><145><181><226><226>|<201>E<128>F<165><189><<250><20><18><227>6t<243><177>ZNv<133><153><2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><30><137>N<139><212>><249><25><151><161>N<31><183><246><141>'<233>V<198><203>
>>>          EAP-Message =
>>> <206><146>9*<19><219>0<28><209><244>e<17><199>`<236>g<189>q<<200><185>{<219><252><31>+<245><10><208>M<181>!<248><20><1>K)E<2><158><128>#<169><162><179><224>W08<19><<16>ts<226>~<11>4<8><251>!d<201><223><230>~E<133><166>r<0>:<19>4<206>D<136>8<232>n<26><195>v<13><192>&ws<175>n at 0D<175><29>E<162>:<239>d
>>> <17>?<153><184>C4?<0><4>M0<130><4>I0<130><3><178><160><3><2><1><2><2><9><0><249><170>@<232><246>7<146>$0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Tes
>>>          Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> Regards,
>>> Indrajaya Pitra Perdana
>>>
>>> On 12/14/2011 9:10 PM, Heikki Vatiainen wrote:
>>>> On 12/14/2011 08:11 AM, Indrajaya Pitra Perdana wrote:
>>>>
>>>>> I am trying to set up EAP with a Cisco Catalyst 2950 as authenticator and
>>>>> Windows XP as the supplicant, but after I enter the credentials in Win
>>>>> XP, Radiator sends an EAP Access-Challenge that never gets replied to by Win XP,
>>>>> and in the end Windows XP tells me that the authentication has failed.
>>>>> Am I missing something in my configuration? BTW I'm using the demo cert
>>>>> provided by Radiator goodies, and imported the root.der and cert-clt.p12
>>>>> into my Win XP, thanks
>>>> When configuring Windows PEAP settings, did you mark the imported
>>>> root.der as trusted CA? You need to both import the certificate and then
>>>> mark it as trusted for the SSID you are configuring.
>>>>
>>>> The configuration and log snippets look good. The log shows Radiator
>>>> sending its certificate to Windows, so if there is no response, then
>>>> Windows may not be accepting the certificate yet.
>>>>
>>>> If there are still problems, please reply with the full configuration
>>>> file and full Radiator log showing everything from the startup.
>>>>
>>>> Thanks!
>>>>
>>>>> Config file:
>>>>>
>>>>>
>>>>> <Handler TunnelledByPEAP=1>
>>>>>          MaxSessions 1
>>>>>          AuthByPolicy ContinueWhileAccept
>>>>>
>>>>>
>>>>> #<Realm DEFAULT>
>>>>>          <AuthBy SQL>
>>>>>                  DBSource        dbi:mysql:radius:localhost
>>>>>                  DBUsername      radius
>>>>>                  DBAuth          r4d1usLocal
>>>>>
>>>>>                  AuthSelect select PASSWORD FROM SUBSCRIBERS WHERE USERNAME=%0
>>>>>
>>>>>                  AcctColumnDef   User-Password, check
>>>>>                  AcctColumnDef   USERNAME,User-Name
>>>>>                  AcctColumnDef   TIME_STAMP,Timestamp,integer
>>>>>                  AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>>>>>                  AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>>>>>                  AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>>>>                  AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>>>>                  AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>>>>>                  AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>>>>>                  AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>>>>                  AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>>>>>                  AcctColumnDef   NASPORT,NAS-Port,integer
>>>>>                  EAPType MSCHAP-V2
>>>>>           #      EAPType PEAP
>>>>>          </AuthBy>
>>>>>
>>>>> </Handler>
>>>>>
>>>>> <Handler>
>>>>>
>>>>>          <AuthBy SQL>
>>>>>                  DBSource        dbi:mysql:radius:localhost
>>>>>                  DBUsername      radius
>>>>>                  DBAuth          r4d1usLocal
>>>>>
>>>>>                  AuthSelect select PASSWORD FROM SUBSCRIBERS WHERE USERNAME=%0
>>>>>
>>>>>                  AcctColumnDef   User-Password, check
>>>>>                  AcctColumnDef   USERNAME,User-Name
>>>>>                  AcctColumnDef   TIME_STAMP,Timestamp,integer
>>>>>                  AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>>>>>                  AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>>>>>                  AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>>>>                  AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>>>>                  AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>>>>>                  AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>>>>>                  AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>>>>                  AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>>>>>                  AcctColumnDef   NASPORT,NAS-Port,integer
>>>>>
>>>>>                  EAPType PEAP
>>>>>            #     EAPType MSCHAP-V2
>>>>>                  EAPTLS_CAFile /usr/share/doc/packages/Radiator/certificates/demoCA/cacert.pem
>>>>>                  EAPTLS_CertificateFile /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
>>>>>                  EAPTLS_CertificateType PEM
>>>>>                  EAPTLS_PrivateKeyFile /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
>>>>>                  EAPTLS_PrivateKeyPassword whatever
>>>>>                  EAPTLS_MaxFragmentSize 1000
>>>>>                  AutoMPPEKeys
>>>>>
>>>>>          </AuthBy>
>>>>>
>>>>> </Handler>
>>>>>
>>>>>
>>>>> Debug:
>>>>>
>>>>> *** Received from 202.53.249.28 port 1812 ....
>>>>> Code:       Access-Request
>>>>> Identifier: 55
>>>>> Authentic:  S<155><173>*<150><226><172><149>!<245>i<30>B<229><133><211>
>>>>> Attributes:
>>>>>          NAS-IP-Address = 202.53.249.28
>>>>>          NAS-Port = 50011
>>>>>          NAS-Port-Type = Ethernet
>>>>>          User-Name = "indrajaya"
>>>>>          Calling-Station-Id = "00-1B-38-A5-45-A5"
>>>>>          Service-Type = Framed-User
>>>>>          EAP-Message =
>>>>> <2><148><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>N<232>;<17><191>k<228><146><254>'<27>U<187><187><26>nf%NK<154><8>-<198><186>8<129>u<170><210>#P<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
>>>>>          Message-Authenticator =<220>DJ<146>1M<9>S5"q<132><197>x<19>
>>>>>
>>>>> Wed Dec 14 12:57:29 2011: DEBUG: Handling request with Handler '',
>>>>> Identifier ''
>>>>> Wed Dec 14 12:57:29 2011: DEBUG:  Deleting session for indrajaya,
>>>>> 202.53.249.28, 50011
>>>>> Wed Dec 14 12:57:29 2011: DEBUG: do query is: 'delete from RADONLINE
>>>>> where NASIDENTIFIER = '202.53.249.28' and NASPORT = 050011':
>>>>> Wed Dec 14 12:57:29 2011: DEBUG: Handling with Radius::AuthSQL:
>>>>> Wed Dec 14 12:57:29 2011: DEBUG: Handling with Radius::AuthSQL:
>>>>> Wed Dec 14 12:57:29 2011: DEBUG: Handling with EAP: code 2, 148, 80, 25
>>>>> Wed Dec 14 12:57:29 2011: DEBUG: Response type 25
>>>>> Wed Dec 14 12:57:29 2011: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
>>>>> Wed Dec 14 12:57:29 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
>>>>> Wed Dec 14 12:57:29 2011: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP
>>>>> Challenge
>>>>> Wed Dec 14 12:57:29 2011: DEBUG: Access challenged for indrajaya: EAP
>>>>> PEAP Challenge
>>>>> Wed Dec 14 12:57:29 2011: DEBUG: Packet dump:
>>>>> *** Sending to 202.53.249.28 port 1812 ....
>>>>> Code:       Access-Challenge
>>>>> Identifier: 55
>>>>> Authentic:<3>.<248><243>a<172>b`<181>l<138>E<214>6<154><213>
>>>>> Attributes:
>>>>>          EAP-Message =
>>>>> <1><149><3><242><25><192><0><0><7><178><22><3><1><0>J<2><0><0>F<3><1>N<232>:<201><12><1><17><235>z<22><181>
>>>>> <186><171><150>9<252>@|q<18>,R<134><203>\<27>Vf<27><133><136>
>>>>> <247>B<140><150>j'<152><24>C<163><228><244>_<150>i<141><176><252><149><177>T<182>R8<159><178><20><187><19>Q<22>!<0><4><0><22><3><1><7>U<11><0><7>Q<0><7>N<0><2><251>0<130><2><247>0<130><2>`<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>>>>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
>>>>>          EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use
>>>>> in production)1
>>>>> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mikem at open.com.au0<30><23><13>100128213155Z<23><13>120128213155Z0<129><158>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>>>>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
>>>>> Section1%0#<6><3>U<4><3><19><28>t
>>>>>          EAP-Message =
>>>>> est.server.some.company.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><203>?(<193><229><128><183><136>q<166><202><21><168><224><157>M<139><204>{<209><131><10><156><164><254>Z<214><231><254>g<245>+y~<210><147><171><8><131><143><139><186>{<221><224>)<161>`<140>z<193><247><244><210><152><149><4><204><225><139><204><159><29><1><12><162><219><142><176>)/<189><163>vV<208><250><213><212><144><137><211><2
>>>>>
>>>>>
>>>>> 07><10><215><19><206><14><228>umT<7><239><198>_Y<231><197><202><14><166><211><145><181><226><226>|<201>E<128>F<165><189><<250><20><18><227>6t<243><177>ZNv<133><153><2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><30><137>N<139><212>><249><25><151><161>N<31><183><246><141>'<233>V<198><203>
>>>>>          EAP-Message =
>>>>> <206><146>9*<19><219>0<28><209><244>e<17><199>`<236>g<189>q<<200><185>{<219><252><31>+<245><10><208>M<181>!<248><20><1>K)E<2><158><128>#<169><162><179><224>W08<19><<16>ts<226>~<11>4<8><251>!d<201><223><230>~E<133><166>r<0>:<19>4<206>D<136>8<232>n<26><195>v<13><192>&ws<175>n at 0D<175><29>E<162>:<239>d
>>>>> <17>?<153><184>C4?<0><4>M0<130><4>I0<130><3><178><160><3><2><1><2><2><9><0><249><170>@<232><246>7<146>$0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
>>>>> Demo Certificates1!0<31><6><3>U<4><11><19><24>Tes
>>>>>          Message-Authenticator =
>>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>>
>>>>>
>>>>> -- 
>>>>> Regards,
>>>>> Indrajaya Pitra Perdana
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> radiator mailing list
>>>>> radiator at open.com.au
>>>>> http://www.open.com.au/mailman/listinfo/radiator
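An added example, not code from the thread or from Radiator: it parses Radiator's `<NNN>`-escaped packet dumps and lists every EAP Request (Access-Challenge) that the same Calling-Station-Id never answered with an EAP Response, which is exactly the stall in the dump above (EAP id 148 carried the TLS ClientHello, Radiator replied with PEAP request id 149 and then logged `SSL_accept result: -1, 2, ...`, 2 being SSL_ERROR_WANT_READ, i.e. waiting for a client TLS message that never came). It assumes an unquoted log (no leading `>` markers) and uses a constructed sample mirroring that dump.

```python
import re

def decode_dump(text):  # Radiator's packet dump prints non-printable bytes as <NNN>
    return bytes(int(n) if n else ord(c) for n, c in re.findall(r"<(\d{1,3})>|(.)", text, re.S))

def parse_packets(log):  # -> [{"code", "attrs", "eap"}], EAP-Message fragments rejoined
    packets, cur, in_eap = [], None, False
    for line in log.splitlines():
        if line.startswith("*** "):                         # "*** Received from" / "*** Sending to"
            cur = {"code": "", "attrs": {}, "eap": b""}
            packets.append(cur)
        elif cur is None or re.match(r"\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}:", line):
            in_eap = False                                  # timestamped DEBUG line, not packet data
        elif line.startswith("Code:"):
            cur["code"], in_eap = line.split(":", 1)[1].strip(), False
        elif line.startswith(" ") and "=" in line:           # "        Name = value"
            name, val = (s.strip() for s in line.split("=", 1))
            in_eap = name == "EAP-Message"                   # value may be wrapped onto next lines
            if in_eap:
                cur["eap"] += decode_dump(val)               # several EAP-Message attrs = one EAP packet
            else:
                cur["attrs"][name] = val.strip('"')
        elif in_eap:                                         # continuation of a wrapped EAP-Message
            cur["eap"] += decode_dump(line.strip())
    return packets

def stalled_challenges(log):
    """(station, EAP id, EAP type) for every EAP Request the supplicant never answered."""
    packets = parse_packets(log)
    answered = {(p["attrs"].get("Calling-Station-Id"), p["eap"][1]) for p in packets
                if p["code"] == "Access-Request" and len(p["eap"]) > 1 and p["eap"][0] == 2}
    station, stalled = None, []
    for p in packets:
        if p["code"] == "Access-Request":                    # a challenge carries no station attr,
            station = p["attrs"].get("Calling-Station-Id")   # so remember the request it answers
        elif p["code"] == "Access-Challenge" and len(p["eap"]) > 4 and p["eap"][0] == 1:
            if (station, p["eap"][1]) not in answered:       # EAP header: code, id, len(2), type
                stalled.append((station, p["eap"][1], p["eap"][4]))
    return stalled

# Constructed sample in the thread's dump format: ClientHello arrives in EAP id 148, PEAP
# request id 149 (flags 0xC0: length present, more fragments) goes back, nothing returns.
SAMPLE_LOG = "\n".join([
    "*** Received from 192.0.2.1 port 1812 ....", "Code:       Access-Request",
    '        Calling-Station-Id = "00-1B-38-A5-45-A5"', "        EAP-Message =",
    "<2><148><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>N<232>;",
    "Wed Dec 14 12:57:29 2011: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576",
    "*** Sending to 192.0.2.1 port 1812 ....", "Code:       Access-Challenge",
    "        EAP-Message = <1><149><3><242><25><192><0><0><7><178><22><3><1><0>J",
])
```

A station that keeps appearing in the output with EAP type 25 is one whose supplicant never continued the PEAP TLS handshake, which is the symptom this thread is chasing.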