[RADIATOR] EAP-PEAP Windows XP Wired Ethernet

Indrajaya Pitra Perdana vietrha at indo.net.id
Tue Dec 20 06:50:37 CST 2011


Thanks a lot Heikki, it's working perfectly now :-), I'm using 12.1.(22) 
ea 9 IOS in Catalyst 2950

Regards,
Indrajaya Pitra Perdana

On 12/20/2011 7:20 PM, Heikki Vatiainen wrote:
> On 12/20/2011 06:06 AM, Indrajaya Pitra Perdana wrote:
>
>> I upgraded the IOS in my Catalyst, the results look a little bit
>> different, it seems that the certificate is doing okay, but somehow it keeps
>> asking for anonymous user? Is there a configuration that I missed? Here are
>> the log file and the config, thanks
> Looks like PEAP authentication is now working much better. You should
> change your configuration a little and it should work after that.
>
> Add new Handler before the other Handlers:
>
> <Handler Request-Type=Accounting-Request>
>    # Move the second AuthBy from Handler TunnelledByPEAP=1 here
>    # You can also remove the second AuthBy from the last Handler
> </Handler>
>
> Now it fails because of this:
> Tue Dec 20 10:54:17 2011: DEBUG: EAP result: 1, Not authenticated by
> this AuthBy
> Tue Dec 20 10:54:17 2011: DEBUG: AuthBy SQL result: REJECT, Not
> authenticated by this AuthBy
>
> The AuthBy is the second AuthBy in Handler TunnelledByPEAP=1
>
> About anonymous: 'anonymous' is a name that does not matter here. You
> should look for PEAP tunnelled requests, 'DEBUG: PEAP Tunnelled request
> Packet dump:', which show the inner authentication and the real
> identity. For example:
>
> Tue Dec 20 10:54:16 2011: DEBUG: Radius::AuthSQL looks for match with
> indrajaya [anonymous]
>
> Here 'indrajaya' is the real identity and 'anonymous' in this case is
> the default value of User-Name attribute Radiator adds into tunnelled
> request.
>
> Once you change Handler TunnelledByPEAP=1 I am quite sure your
> configuration will work. Can you tell us how old the IOS version you
> were using was?
>
> Thanks!
> Heikki
>
>>
>> Regards,
>> Indrajaya Pitra Perdana
>>
>> On 12/17/2011 2:01 PM, vietrha at indo.net.id wrote:
>>> I'm using Microsoft Windows XP Professional SP 2
>>>
>>> Quoting Heikki Vatiainen<hvn at open.com.au>:
>>>
>>>> On 12/16/2011 04:13 AM, Indrajaya Pitra Perdana wrote:
>>>>
>>>>> Thanks, I gave it a try, I already enabled TLS trace in my Win XP, and I
>>>>> don't see there's a certificate exchange :-)
>>>> What client are you using? I noticed the log shows it sends EAP TLS
>>>> (type 13) responses while also logging about detecting PEAP authentication.
>>>>
>>>>> [1448] 11:49:36:218: PeapReadConnectionData
>>>>> [1448] 11:49:36:218: PeapReadUserData
>>>>> [1448] 11:49:36:218: RasEapGetInfo
>>>>> [2884] 11:49:52:515: EapPeapBegin
>>>>> [2884] 11:49:52:515: PeapReadConnectionData
>>>>> [2884] 11:49:52:515: PeapReadUserData
>>>>> [2884] 11:49:52:515:
>>>>> [2884] 11:49:52:515: EapTlsBegin(test)
>>>>> [2884] 11:49:52:515: State change to Initial
>>>>> [2884] 11:49:52:515: EapTlsBegin: Detected 8021X authentication
>>>>> [2884] 11:49:52:515: EapTlsBegin: Detected PEAP authentication
>>>>> [2884] 11:49:52:515: MaxTLSMessageLength is now 16384
>>>>> [2884] 11:49:52:515: EapPeapBegin done
>>>>> [2884] 11:49:52:515: EapPeapMakeMessage
>>>>> [2884] 11:49:52:515: EapPeapCMakeMessage
>>>>> [2884] 11:49:52:515: PEAP:PEAP_STATE_INITIAL
>>>>> [2884] 11:49:52:515: EapTlsCMakeMessage
>>>>> [2884] 11:49:52:515: EapTlsReset
>>>>> [2884] 11:49:52:515: State change to Initial
>>>>> [2884] 11:49:52:515: GetCredentials
>>>>> [2884] 11:49:52:515: Flag is Client and Store is Current User
>>>>> [2884] 11:49:52:515: GetCachedCredentials
>>>>> [2884] 11:49:52:515: FreeCachedCredentials
>>>>> [2884] 11:49:52:515: No Cert Store.  Guest Access requested
>>>>> [2884] 11:49:52:515: No Cert Name.  Guest access requested
>>>>> [2884] 11:49:52:515: Will validate server cert
>>>>> [2884] 11:49:52:515: MakeReplyMessage
>>>>> [2884] 11:49:52:515: SecurityContextFunction
>>>>> [2884] 11:49:52:515: InitializeSecurityContext returned 0x90312
>>>>> [2884] 11:49:52:515: State change to SentHello
>>>>> [2884] 11:49:52:515: BuildPacket
>>>>> [2884] 11:49:52:515:<<  Sending Response (Code: 2) packet: Id: 2,
>>>>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>>>>> [2884] 11:49:52:515: EapPeapCMakeMessage done
>>>>> [2884] 11:49:52:515: EapPeapMakeMessage done
>>>>> [1352] 11:50:22:531: EapPeapEnd
>>>>> [1352] 11:50:22:531: EapTlsEnd
>>>>> [1352] 11:50:22:531: EapTlsEnd(test)
>>>>> [1352] 11:50:22:531: EapPeapEnd done
>>>>> [1352] 11:50:22:562: EapPeapBegin
>>>>> [1352] 11:50:22:562: PeapReadConnectionData
>>>>> [1352] 11:50:22:562: PeapReadUserData
>>>>> [1352] 11:50:22:562:
>>>>> [1352] 11:50:22:562: EapTlsBegin(test)
>>>>> [1352] 11:50:22:562: State change to Initial
>>>>> [1352] 11:50:22:562: EapTlsBegin: Detected 8021X authentication
>>>>> [1352] 11:50:22:562: EapTlsBegin: Detected PEAP authentication
>>>>> [1352] 11:50:22:562: MaxTLSMessageLength is now 16384
>>>>> [1352] 11:50:22:562: EapPeapBegin done
>>>>> [1352] 11:50:22:562: EapPeapMakeMessage
>>>>> [1352] 11:50:22:562: EapPeapCMakeMessage
>>>>> [1352] 11:50:22:562: PEAP:PEAP_STATE_INITIAL
>>>>> [1352] 11:50:22:562: EapTlsCMakeMessage
>>>>> [1352] 11:50:22:562: EapTlsReset
>>>>> [1352] 11:50:22:562: State change to Initial
>>>>> [1352] 11:50:22:562: GetCredentials
>>>>> [1352] 11:50:22:562: Flag is Client and Store is Current User
>>>>> [1352] 11:50:22:562: GetCachedCredentials
>>>>> [1352] 11:50:22:562: FreeCachedCredentials
>>>>> [1352] 11:50:22:562: No Cert Store.  Guest Access requested
>>>>> [1352] 11:50:22:562: No Cert Name.  Guest access requested
>>>>> [1352] 11:50:22:562: Will validate server cert
>>>>> [1352] 11:50:22:562: MakeReplyMessage
>>>>> [1352] 11:50:22:562: SecurityContextFunction
>>>>> [1352] 11:50:22:562: InitializeSecurityContext returned 0x90312
>>>>> [1352] 11:50:22:562: State change to SentHello
>>>>> [1352] 11:50:22:562: BuildPacket
>>>>> [1352] 11:50:22:562:<<  Sending Response (Code: 2) packet: Id: 37,
>>>>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>>>>> [1352] 11:50:22:562: EapPeapCMakeMessage done
>>>>> [1352] 11:50:22:562: EapPeapMakeMessage done
>>>>> [1448] 11:50:52:578: EapPeapEnd
>>>>> [1448] 11:50:52:578: EapTlsEnd
>>>>> [1448] 11:50:52:578: EapTlsEnd(test)
>>>>> [1448] 11:50:52:578: EapPeapEnd done
>>>>> [1448] 11:51:52:593: PeapReadConnectionData
>>>>> [1448] 11:51:52:593: PeapReadUserData
>>>>> [1448] 11:51:52:593: RasEapGetInfo
>>>>> [1352] 12:02:42:625: PeapReadConnectionData
>>>>> [1352] 12:02:42:640: PeapReadUserData
>>>>> [1352] 12:02:42:640: RasEapGetInfo
>>>>> [1352] 12:02:42:640: PeapReDoUserData
>>>>> [1352] 12:02:42:640: EapTlsInvokeIdentityUI
>>>>> [1352] 12:02:42:640: GetCertInfo
>>>>> [1352] 12:03:42:640: PeapReadConnectionData
>>>>> [1352] 12:03:42:640: PeapReadUserData
>>>>> [1352] 12:03:42:640: RasEapGetInfo
>>>>> [1352] 12:03:42:671: EapPeapBegin
>>>>> [1352] 12:03:42:671: PeapReadConnectionData
>>>>> [1352] 12:03:42:671: PeapReadUserData
>>>>> [1352] 12:03:42:671:
>>>>> [1352] 12:03:42:671: EapTlsBegin(GHOST\indrajaya)
>>>>> [1352] 12:03:42:671: State change to Initial
>>>>> [1352] 12:03:42:671: EapTlsBegin: Detected 8021X authentication
>>>>> [1352] 12:03:42:671: EapTlsBegin: Detected PEAP authentication
>>>>> [1352] 12:03:42:671: MaxTLSMessageLength is now 16384
>>>>> [1352] 12:03:42:671: EapPeapBegin done
>>>>> [1352] 12:03:42:671: EapPeapMakeMessage
>>>>> [1352] 12:03:42:671: EapPeapCMakeMessage
>>>>> [1352] 12:03:42:671: PEAP:PEAP_STATE_INITIAL
>>>>> [1352] 12:03:42:671: EapTlsCMakeMessage
>>>>> [1352] 12:03:42:671: EapTlsReset
>>>>> [1352] 12:03:42:671: State change to Initial
>>>>> [1352] 12:03:42:671: GetCredentials
>>>>> [1352] 12:03:42:671: Flag is Client and Store is Current User
>>>>> [1352] 12:03:42:671: GetCachedCredentials
>>>>> [1352] 12:03:42:671: FreeCachedCredentials
>>>>> [1352] 12:03:42:671: No Cert Store.  Guest Access requested
>>>>> [1352] 12:03:42:671: No Cert Name.  Guest access requested
>>>>> [1352] 12:03:42:671: Will validate server cert
>>>>> [1352] 12:03:42:671: MakeReplyMessage
>>>>> [1352] 12:03:42:671: SecurityContextFunction
>>>>> [1352] 12:03:42:671: InitializeSecurityContext returned 0x90312
>>>>> [1352] 12:03:42:671: State change to SentHello
>>>>> [1352] 12:03:42:671: BuildPacket
>>>>> [1352] 12:03:42:671:<<  Sending Response (Code: 2) packet: Id: 3,
>>>>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>>>>> [1352] 12:03:42:671: EapPeapCMakeMessage done
>>>>> [1352] 12:03:42:671: EapPeapMakeMessage done
>>>>> [2004] 12:04:12:687: EapPeapEnd
>>>>> [2004] 12:04:12:687: EapTlsEnd
>>>>> [2004] 12:04:12:687: EapTlsEnd(ghost\indrajaya)
>>>>> [2004] 12:04:12:687: EapPeapEnd done
>>>>> [2004] 12:04:42:734: EapPeapBegin
>>>>> [2004] 12:04:42:734: PeapReadConnectionData
>>>>> [2004] 12:04:42:734: PeapReadUserData
>>>>>
>>>>> Regards,
>>>>> Indrajaya Pitra Perdana
>>>>>
>>>>> On 12/15/2011 6:04 PM, Heikki Vatiainen wrote:
>>>>>> On 12/15/2011 06:18 AM, Indrajaya Pitra Perdana wrote:
>>>>>>
>>>>>>> The problem still persists even though I created my own certificate using the
>>>>>>> steps in the mkcertificate.sh goodies, my Windows didn't respond to the EAP
>>>>>>> challenge sent by Radiator, do you have any clue on this? Or perhaps the
>>>>>>> problem is within my 2950 Catalyst? Thanks :-)
>>>>>> You could try enabling debug for EAP authentication on the switch to see
>>>>>> how it reacts to EAP messages.
>>>>>>
>>>>>> Meanwhile you could also try running wireshark on Windows to see if the
>>>>>> challenge with the certificate is sent by the switch to the XP box.
>>>>>>
>>>>>> One thing you could try first is to use an even lower value for
>>>>>> EAPTLS_MaxFragmentSize.
>>>>>>
>>>>>> The messages before the certificate are much smaller, so this challenge
>>>>>> would be the first that can reach the maximum size.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>> --
>>>> Heikki Vatiainen<hvn at open.com.au>
>>>>
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>>>> NetWare etc.
>>>
>
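An added example, not code from the thread or from Radiator: a small Python triage script that pulls the inner PEAP identity and the per-AuthBy results out of Radiator DEBUG lines of the kind quoted above, and flags the "Not authenticated by this AuthBy" REJECT that Heikki points to. The sample lines are constructed after the ones in the thread; the ACCEPT line is an assumed extra line, not one from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the Radiator DEBUG lines quoted in the thread.
# The ACCEPT line is an assumed addition so the parser has more than one result.
SAMPLE_LOG = """\
Tue Dec 20 10:54:16 2011: DEBUG: Radius::AuthSQL looks for match with indrajaya [anonymous]
Tue Dec 20 10:54:17 2011: DEBUG: AuthBy SQL result: ACCEPT
Tue Dec 20 10:54:17 2011: DEBUG: EAP result: 1, Not authenticated by this AuthBy
Tue Dec 20 10:54:17 2011: DEBUG: AuthBy SQL result: REJECT, Not authenticated by this AuthBy
"""

MATCH_RE = re.compile(r"looks for match with (\S+) \[([^\]]*)\]")
RESULT_RE = re.compile(r"AuthBy (\S+) result: (ACCEPT|REJECT|IGNORE|CHALLENGE)(?:, (.*))?$")


def parse_tunnelled_identity(log: str) -> Optional[Tuple[str, str]]:
    """Return (inner_identity, outer_username) from the first 'looks for match' line.

    The bracketed name is the outer User-Name ('anonymous' by default in a
    PEAP-tunnelled request); the name before it is the real inner identity.
    """
    for line in log.splitlines():
        m = MATCH_RE.search(line)
        if m:
            return m.group(1), m.group(2)
    return None


def parse_authby_results(log: str) -> List[Dict[str, Optional[str]]]:
    """Collect every 'AuthBy <type> result: ...' line, in order, with its reason."""
    results: List[Dict[str, Optional[str]]] = []
    for line in log.splitlines():
        m = RESULT_RE.search(line)
        if m:
            results.append({"authby": m.group(1), "result": m.group(2), "reason": m.group(3)})
    return results


def fallthrough_reject(results: List[Dict[str, Optional[str]]]) -> bool:
    """True when some AuthBy rejected with 'Not authenticated by this AuthBy'.

    In the thread this is the symptom of an AuthBy being consulted for a request
    type it does not handle (the second AuthBy in Handler TunnelledByPEAP=1).
    """
    return any(r["result"] == "REJECT" and r["reason"] == "Not authenticated by this AuthBy"
               for r in results)


if __name__ == "__main__":
    print("inner identity / outer User-Name:", parse_tunnelled_identity(SAMPLE_LOG))
    res = parse_authby_results(SAMPLE_LOG)
    for r in res:
        print(r)
    print("fall-through REJECT present:", fallthrough_reject(res))
```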