[RADIATOR] RV: Problem Radiator configuration WIMAX

Heikki Vatiainen hvn at open.com.au
Thu Mar 3 02:25:34 CST 2011


On 03/03/2011 12:53 AM, Augusto Cabrera wrote:

> Hello Heikky, 
> Thanks for responding, I have the server certificates. Pem and client. Der incurs with openssl 

Looks like the certificate problems are solved since the TTLS inner
authentication is trying to run.

> But I have this problem according to the logs: 

Make sure you have Digest-MD4 module installed as described in
http://www.open.com.au/radiator/install.html

You need this module for MSCHAP and MSCHAPv2.

> ERR: Could not handle an EAP request: Undefined subroutine &Radius::MSCHAP::ASCIItoUnicode called at /usr/lib/perl5/site_perl/Radius/AuthGeneric.pm line 866.

I'd say this is the result of MSCHAP module not working at all since
Digest-MD4 was not available.

> The logs are:
> 
> Code:       Access-Request
> Identifier: 27
> Authentic:  <0><0>V<6><0><0>v<31><0><0>n<11><0><0>d<195>
> Attributes:
> 	User-Name = "wimax at wimaxtest"
> 	NAS-IP-Address = 3.3.3.3
> 	Calling-Station-Id = "00256831312f"
> 	NAS-Identifier = "WASN9770"
> 	Event-Timestamp = 1299099954
> 	EAP-Message = <2><225><0><196><21><128><0><0><0><186><23><3><1><0> <191><10>ZY<162><226><129><185><185>A:~K<235><131>F'Cb<182><225><208>W<242><9><227>v%k,,N<23><3><1><0><144><1>.<238><30><244><14><4>N<0><219><184>3<247><4><8><248><249><217>@3<20><188>}<247><165>m<209><159><25><239><209><11><213><152><222><14><166><250><228><152><166><2><9><220><24>w&<4><15><200><127><163><145><178><165><162><17><203>{<<179><<233><190><227><224><136><31><28>,ed <211><4><157><6><154>u!U<<30><169><174>FX=<200>~<220>N<149><176>0X<12>p<207><217><216><9><175>Kc<18>z<127><187><144><3><134><188><129><253>-(<128><164><189><198>z|7K<231><20><30><129><19><9>(<197>4<196>@<25><221><244><133><198>?k<165>
> 	WiMAX-Capability = <1><5>1.1<2><3><2><3><3><1><5><3><1><4><3><1>
> 	WiMAX-BS-ID = 00000203f110
> 	WiMAX-GMT-Timezone-Offset = -18000
> 	NAS-Port-Type = Wireless-IEEE-802.16
> 	WiMAX-PPAC = <1><6><0><0><0>c
> 	Service-Type = Framed-User
> 	Message-Authenticator = <198><156><178>n<247><177><243><137><224><210>L<11><6>NH<244>
> 
> Wed Mar  2 16:05:20 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
> Wed Mar  2 16:05:20 2011: DEBUG:  Deleting session for wimax at wimaxtest, 3.3.3.3, 
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthSQL: 
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthSQL: 
> Wed Mar  2 16:05:20 2011: DEBUG: Query is: 'select reason from blacklist where nai='00256831312f'': 
> Wed Mar  2 16:05:20 2011: DEBUG: Radius::AuthSQL looks for match with 00256831312f [wimax at wimaxtest]
> Wed Mar  2 16:05:20 2011: DEBUG: Radius::AuthSQL REJECT: No such user: 00256831312f [wimax at wimaxtest]
> Wed Mar  2 16:05:20 2011: DEBUG: Query is: 'select reason from blacklist where nai='DEFAULT'': 
> Wed Mar  2 16:05:20 2011: DEBUG: AuthBy SQL result: ACCEPT, No such user
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with EAP: code 2, 225, 196, 21
> Wed Mar  2 16:05:20 2011: DEBUG: Response type 21
> Wed Mar  2 16:05:20 2011: DEBUG: EAP TTLS data, 3, 225, 224
> Wed Mar  2 16:05:20 2011: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:       UNDEF
> Identifier: UNDEF
> Authentic:  UNDEF
> Attributes:
> 	User-Name = "wimax"
> 	MS-CHAP-Challenge = T|}M<140><255><165><195><3><211>s<0><186><210><236><152>
> 	MS-CHAP2-Response = U<0>!@#$%^&*()_+:3|~<0><0><0><0><0><0><0><0>-<17><2><129><24>*<217><224>V<1><158><209><169><192>&&<20><227><13><10><189><143><215><174>
> 
> Wed Mar  2 16:05:20 2011: DEBUG: EAP TTLS inner authentication request for wimax
> Wed Mar  2 16:05:20 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
> Wed Mar  2 16:05:20 2011: DEBUG:  Deleting session for wimax, 3.3.3.3, 
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthSQL: 
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthSQL: 
> Wed Mar  2 16:05:20 2011: DEBUG: Query is: 'select reason from blacklist where nai=NULL': 
> Wed Mar  2 16:05:20 2011: DEBUG: Radius::AuthSQL looks for match with  [wimax]
> Wed Mar  2 16:05:20 2011: DEBUG: Radius::AuthSQL REJECT: No such user:  [wimax]
> Wed Mar  2 16:05:20 2011: DEBUG: Query is: 'select reason from blacklist where nai='DEFAULT'': 
> Wed Mar  2 16:05:20 2011: DEBUG: AuthBy SQL result: ACCEPT, No such user
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
> Wed Mar  2 16:05:20 2011: DEBUG: Query is: 'select psk, cui, hotlineprofile from subscription where nai=?': wimax
> Wed Mar  2 16:05:20 2011: DEBUG: Query is: 'select profileid, httpredirectionrule, ipredirectionrule, nasfilterrule, sessiontimer from hotlineprofile where id=?': 0
> Wed Mar  2 16:05:20 2011: DEBUG: Radius::AuthWIMAX looks for match with wimax [wimax]
> Wed Mar  2 16:05:20 2011: ERR: Could not handle an EAP request: Undefined subroutine &Radius::MSCHAP::ASCIItoUnicode called at /usr/lib/perl5/site_perl/Radius/AuthGeneric.pm line 866.
> 
> Wed Mar  2 16:05:20 2011: DEBUG: AuthBy WIMAX result: REJECT, Could not handle an EAP request
> Wed Mar  2 16:05:20 2011: INFO: Access rejected for 00256831312f: Could not handle an EAP request
> Wed Mar  2 16:05:20 2011: DEBUG: Packet dump:
> *** Sending to 3.3.3.3 port 10033 ....
> 
> Packet length = 36
> 03 1b 00 24 60 fc ea e7 98 51 59 ae 23 eb dc a9
> ca 25 a7 1f 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 27
> Authentic:  `<252><234><231><152>QY<174>#<235><220><169><202>%<167><31>
> Attributes:
> 	Reply-Message = "Request Denied"
> 
> Wed Mar  2 16:05:20 2011: DEBUG: Monitor received command: STATS .
> Wed Mar  2 16:05:21 2011: DEBUG: Monitor received command: STATS .
> Wed Mar  2 16:05:22 2011: DEBUG: Monitor received command: STATS .
> Wed Mar  2 16:05:23 2011: DEBUG: Monitor received command: STATS .
> 
> 
>       Saludos,
> 
>      Augusto Cabrera Duffaut.
> 
> 
> 
> 
> -----Mensaje original-----
> De: Heikki Vatiainen [mailto:hvn at open.com.au] 
> Enviado el: miércoles, 02 de marzo de 2011 16:48
> Para: Augusto Cabrera
> CC: radiator at open.com.au
> Asunto: Re: [RADIATOR] Problem Radiator configuration WIMAX
> 
> On 03/02/2011 06:08 PM, Augusto Cabrera wrote:
>>
>> Hi I am configuring WiMAX radiator for authentication with the CPES are
>> zyxel, but I have authentication errors please i need help, the setup I
>> have is the following:
> 
> Hello,
> 
> can you tell us a bit more what the problem is? From the log below it
> looks like there are TTLS authentication Access-Requests and
> Access-Challenges, but there is no clear error as far as I can tell.
> 
> If the error is TTLS authentication not finishing, you should check the
> client configuration. Please check that the clients trust this root
> certificate:
> 
> EAPTLS_CAFile /etc/radiator/certificados/cacert.pem
> 
> It is possible that the client does not recognize or trust the root
> certificate and for that reasons stops the authentication process. It
> looks like the TTLS inner authentication does not start so you should
> concentrate on the certificate setup.
> 
> Thanks!
> Heikki
> 
> 
>> [root at wimax radiator]# vi radius.cfg
>>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


More information about the radiator mailing list