[RADIATOR] Problem Radiator configuration WIMAX

Augusto Cabrera acabrera at etapa.net.ec
Fri Mar 4 13:37:07 CST 2011


Hi, I have a problem with the AAA connection.
Please help me.

Fri Mar  4 14:34:03 2011: DEBUG: Response type 13
Fri Mar  4 14:34:03 2011: DEBUG: Certificate Subject Name is /name=Root CA certificate
Fri Mar  4 14:34:03 2011: INFO: EAP TLS client certificate subject /name=Root CA certificate does not match user name 5c4ca9e2b858 or identity wimax at wimaxtest
Fri Mar  4 14:34:03 2011: INFO: EAP TLS certificate verification failed: application verification failure,  7236:




Code:       Access-Request
Identifier: 204
Authentic:  <0><0>Q<254><0><0>!<15><0><0>h<196><0><0><30><28>
Attributes:
	User-Name = "wimax at wimaxtest"
	NAS-IP-Address = 3.3.3.3
	Calling-Station-Id = "5c4ca9e2b858"
	NAS-Identifier = "WASN9770"
	Event-Timestamp = 1299267273
	EAP-Message = <2><228><3>,<13><0><22><3><1><1><208><11><0><1><204><0><1><201><0><1><198>0<130><1><194>0<130><1>+<160><3><2><1><2><2><2><1><17>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0>0<30>1<28>0<26><6><3>U<4>)<19><19>Root CA certificate0<30><23><13>050926120100Z<23><13>260926120100Z0<30>1<28>0<26><6><3>U<4>)<19><19>Root CA certificate0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><165>\H<190>F<26><146><149>m<165><145><249>7<19><11>5si<130><143><240><188><153><142><254>j<203><30><26><229><129><186><137><231><210><156><235><237>/<210>u<156><197>+<178>B<161><185>\<140><133><194>C~<190><246><151><170><202><148>7<194><24>B<244>nd<157><225>)<236>'<193><160>p
	EAP-Message = <129><28><207><200>!<194>yyg<158><254>o<153><18>b<198><239><162><163>}"RM<232><208>c<196>3<145>soy<31><168>6<137>KMf<205><133>W<204>6*<186><143>9E<165><18><156><207><2><3><1><0><1><163><15>0<13>0<11><6><3>U<29><15><4><4><3><2><1><142>0<13><6><9>*<134>H<134><247><13><1><1><4><5><0><3><129><129><0>7c<18><232><251><238><239><171><142><14>r(<146><20><172><202><132><211><244>\<202><12><162>y<149>r<220><146><213><225><138><24>%:<236><230>hI<221><165>e<171>cw<133><151>2<14><136><156>s<157> <6>|<165><232><150>V<250>Q=<204><159><143><184>8<227><186><<202><130><180>J<233><28>_GJ;<164><167><228><201>YQ<131><127><242>|<205><140>,:>X!<229><131><218><179><148><20>]~<250><220><217><19>.<162><178><8>6<5>_<173>k!9o`t{<250>K<129><229><22><3><1><0><134><16><0><0><130><0><128>C<234><17><183>x<13> <234><200>(<203>.PI<171><20>*C<149><160>
	EAP-Message = "<29><152><238>4r<31>4<216><231>@|<10><249><170><199><249>f<30><252><178>T<132>&<17><161>(<209><211><7><6>FP<193><230>P\,<180>)<165>a<224><156>&<1><229><155><239>Y<166><14><200><19>c<167><24><248><5><237>,P<189><151><163>0<249>'<156><186>?<24><139><189><252>w<13>l<236><14><200>{<5><207><196>$^:<214>}r<211>9<207>9A<161><173>q<226><185>SFk<254>'<185><203><22><3><1><0><134><15><0><0><130><0><128><145>1<178>Z<131>"<182><244><27>j<222>Uy`<153><190><25>c<142><221><234><200><232>G<217><187>2:<244><155><178><197><170><255>7<5>J<204><11><202>f<244><153><150><136>o<218><146><145>G<182><204>6R<220><135><166>&(<208><130><251>Q<137>`RP<129>V$$<233>}<224>[6<204><161><159>G<15><246>s<238>W%<243><228>T(<225><179><[<145><24><208>f<224><yO<201><236><133><201><11>8<226><246><239><243>l<150>2<12>?zJ<179><240>XA'wJ<188>3<20><3><1><0><1><1>
	EAP-Message = <22><3><1><0>0biuJ<145><196>I<177><13><245><133><4>#<27>|<172><250><239><133><254><206><17>B`<29><19>v9<148><138>o<194><12><187>eX<5>:<240><184><190><245><252><250><29><143><253>%
	WiMAX-Capability = <1><5>1.1<2><3><2><3><3><1><5><3><1><4><3><1>
	WiMAX-BS-ID = 00000203f120
	WiMAX-GMT-Timezone-Offset = -18000
	NAS-Port-Type = Wireless-IEEE-802.16
	WiMAX-PPAC = <1><6><0><0><0>c
	Service-Type = Framed-User
	Message-Authenticator = <226><162>X<134><21><255><199>zX7<16>q<176><250><250><251>

Fri Mar  4 14:34:03 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Fri Mar  4 14:34:03 2011: DEBUG:  Deleting session for wimax at wimaxtest, 3.3.3.3, 
Fri Mar  4 14:34:03 2011: DEBUG: Handling with Radius::AuthSQL: 
Fri Mar  4 14:34:03 2011: DEBUG: Handling with Radius::AuthSQL: 
Fri Mar  4 14:34:03 2011: DEBUG: Query is: 'select reason from blacklist where nai='5c4ca9e2b858'': 
Fri Mar  4 14:34:03 2011: DEBUG: Radius::AuthSQL looks for match with 5c4ca9e2b858 [wimax at wimaxtest]
Fri Mar  4 14:34:03 2011: DEBUG: Radius::AuthSQL REJECT: No such user: 5c4ca9e2b858 [wimax at wimaxtest]
Fri Mar  4 14:34:03 2011: DEBUG: Query is: 'select reason from blacklist where nai='DEFAULT'': 
Fri Mar  4 14:34:03 2011: DEBUG: AuthBy SQL result: ACCEPT, No such user
Fri Mar  4 14:34:03 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
Fri Mar  4 14:34:03 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
Fri Mar  4 14:34:03 2011: DEBUG: Handling with EAP: code 2, 228, 812, 13
Fri Mar  4 14:34:03 2011: DEBUG: Response type 13
Fri Mar  4 14:34:03 2011: DEBUG: Certificate Subject Name is /name=Root CA certificate
Fri Mar  4 14:34:03 2011: INFO: EAP TLS client certificate subject /name=Root CA certificate does not match user name 5c4ca9e2b858 or identity wimax at wimaxtest
Fri Mar  4 14:34:03 2011: INFO: EAP TLS certificate verification failed: application verification failure,  7236: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Fri Mar  4 14:34:03 2011: DEBUG: EAP result: 3, EAP TLS Challenge
Fri Mar  4 14:34:03 2011: DEBUG: AuthBy WIMAX result: CHALLENGE, EAP TLS Challenge
Fri Mar  4 14:34:03 2011: DEBUG: Access challenged for 5c4ca9e2b858: EAP TLS Challenge
Fri Mar  4 14:34:03 2011: DEBUG: Packet dump:
*** Sending to 3.3.3.3 port 10008 ....

Packet length = 57
0b cc 00 39 d4 a9 9e c5 5e b8 b8 45 0c 9a c8 7f
0b fa 43 c4 4f 13 01 e5 00 11 0d 80 00 00 00 07
15 03 01 00 02 02 28 50 12 f8 10 53 b9 59 78 52
8f 41 63 1b 33 98 a7 e9 eb
Code:       Access-Challenge
Identifier: 204
Authentic:  <212><169><158><197>^<184><184>E<12><154><200><127><11><250>C<196>
Attributes:
	EAP-Message = <1><229><0><17><13><128><0><0><0><7><21><3><1><0><2><2>(
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Fri Mar  4 14:34:03 2011: DEBUG: Rewrote user name to wimax at wimaxtest
Fri Mar  4 14:34:03 2011: DEBUG: Rewrote user name to wimax at wimaxtest
Fri Mar  4 14:34:03 2011: DEBUG: Packet dump:
*** Received from 3.3.3.3 port 10008 ....

Packet length = 186
01 cd 00 ba 00 00 14 32 00 00 0b 28 00 00 49 cc
00 00 02 70 01 11 77 69 6d 61 78 40 77 69 6d 61
78 74 65 73 74 04 06 03 03 03 03 1f 0e 35 63 34
63 61 39 65 32 62 38 35 38 20 0a 57 41 53 4e 39
37 37 30 37 06 4d 71 3e c9 4f 08 02 e5 00 06 0d
00 1a 1a 00 00 60 b5 01 14 00 01 05 31 2e 31 02
03 02 03 03 01 05 03 01 04 03 01 1a 15 00 00 60
b5 2e 0f 00 30 30 30 30 30 32 30 33 66 31 32 30
1a 0d 00 00 60 b5 03 07 00 ff ff b9 b0 3d 06 00
00 00 1b 1a 0f 00 00 60 b5 23 09 00 01 06 00 00
00 63 06 06 00 00 00 02 50 12 45 80 24 0c 47 0d
24 4b 46 4d bb 3d 45 79 ef 99
Code:       Access-Request
Identifier: 205
Authentic:  <0><0><20>2<0><0><11>(<0><0>I<204><0><0><2>p
Attributes:
	User-Name = "wimax at wimaxtest"
	NAS-IP-Address = 3.3.3.3
	Calling-Station-Id = "5c4ca9e2b858"
	NAS-Identifier = "WASN9770"
	Event-Timestamp = 1299267273
	EAP-Message = <2><229><0><6><13><0>
	WiMAX-Capability = <1><5>1.1<2><3><2><3><3><1><5><3><1><4><3><1>
	WiMAX-BS-ID = 00000203f120
	WiMAX-GMT-Timezone-Offset = -18000
	NAS-Port-Type = Wireless-IEEE-802.16
	WiMAX-PPAC = <1><6><0><0><0>c
	Service-Type = Framed-User
	Message-Authenticator = E<128>$<12>G<13>$KFM<187>=Ey<239><153>

Fri Mar  4 14:34:03 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Fri Mar  4 14:34:03 2011: DEBUG:  Deleting session for wimax at wimaxtest, 3.3.3.3, 
Fri Mar  4 14:34:03 2011: DEBUG: Handling with Radius::AuthSQL: 
Fri Mar  4 14:34:03 2011: DEBUG: Handling with Radius::AuthSQL: 
Fri Mar  4 14:34:03 2011: DEBUG: Query is: 'select reason from blacklist where nai='5c4ca9e2b858'': 
Fri Mar  4 14:34:03 2011: DEBUG: Radius::AuthSQL looks for match with 5c4ca9e2b858 [wimax at wimaxtest]
Fri Mar  4 14:34:03 2011: DEBUG: Radius::AuthSQL REJECT: No such user: 5c4ca9e2b858 [wimax at wimaxtest]
Fri Mar  4 14:34:03 2011: DEBUG: Query is: 'select reason from blacklist where nai='DEFAULT'': 
Fri Mar  4 14:34:03 2011: DEBUG: AuthBy SQL result: ACCEPT, No such user
Fri Mar  4 14:34:03 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
Fri Mar  4 14:34:04 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
Fri Mar  4 14:34:04 2011: DEBUG: Handling with EAP: code 2, 229, 6, 13
Fri Mar  4 14:34:04 2011: DEBUG: Response type 13
Fri Mar  4 14:34:04 2011: DEBUG: EAP result: 1, TLS Alert acknowledged
Fri Mar  4 14:34:04 2011: DEBUG: AuthBy WIMAX result: REJECT, TLS Alert acknowledged
Fri Mar  4 14:34:04 2011: INFO: Access rejected for 5c4ca9e2b858: TLS Alert acknowledged
Fri Mar  4 14:34:04 2011: DEBUG: Packet dump:
*** Sending to 3.3.3.3 port 10008 ....

Packet length = 60
03 cd 00 3c c5 8a a5 01 f7 42 7b e2 06 16 fa cd
43 cf 06 f3 4f 06 04 e5 00 04 50 12 47 d3 77 e5
65 83 8e 92 87 5d 5b e2 f6 d8 4c a3 12 10 52 65
71 75 65 73 74 20 44 65 6e 69 65 64
Code:       Access-Reject
Identifier: 205
Authentic:  <197><138><165><1><247>B{<226><6><22><250><205>C<207><6><243>
Attributes:
	EAP-Message = <4><229><0><4>
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
	Reply-Message = "Request Denied"


      Regards,

      Ing. Augusto Cabrera Duffaut.
    TELECOMUNICACIONES ISP
      Direct phone:   4050057
      Internal ext.: 4057
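
Added example, not part of the original message and not Radiator code: decoding the Access-Challenge and Access-Reject hex dumps from the log above shows what the server sent back to the client, a fatal TLS alert carried in EAP-TLS and then an EAP Failure. The function names and the alert-name table (a subset of RFC 5246) are this example's own.

```python
import struct

# Hex dumps copied from the two "Sending to 3.3.3.3" packets in the log above.
CHALLENGE_HEX = """
0b cc 00 39 d4 a9 9e c5 5e b8 b8 45 0c 9a c8 7f
0b fa 43 c4 4f 13 01 e5 00 11 0d 80 00 00 00 07
15 03 01 00 02 02 28 50 12 f8 10 53 b9 59 78 52
8f 41 63 1b 33 98 a7 e9 eb
"""
REJECT_HEX = """
03 cd 00 3c c5 8a a5 01 f7 42 7b e2 06 16 fa cd
43 cf 06 f3 4f 06 04 e5 00 04 50 12 47 d3 77 e5
65 83 8e 92 87 5d 5b e2 f6 d8 4c a3 12 10 52 65
71 75 65 73 74 20 44 65 6e 69 65 64
"""
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              46: "certificate_unknown", 48: "unknown_ca"}  # subset only

def radius_eap(hexdump):
    """Return (RADIUS code name, reassembled EAP packet) for one hex dump."""
    pkt = bytes.fromhex("".join(hexdump.split()))
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match the dump")
    eap, pos = b"", 20                      # attributes follow the 20-byte header
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == 79:                     # EAP-Message; fragments are concatenated
            eap += pkt[pos + 2:pos + alen]
        pos += alen
    return RADIUS_CODES.get(code, str(code)), eap

def decode_eap(eap):
    """Decode the EAP header and, for EAP-TLS, a cleartext TLS alert record."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    out = {"code": EAP_CODES.get(code, str(code)), "id": ident}
    if code in (1, 2) and length > 4:
        out["type"] = eap[4]
    if out.get("type") == 13 and length > 5:    # 13 = EAP-TLS
        flags, body = eap[5], eap[6:length]
        if flags & 0x80:                        # L bit: 4-byte TLS message length
            body = body[4:]
        if len(body) >= 7 and body[0] == 21:    # TLS record content type 21 = alert
            out["alert"] = (ALERT_LEVELS.get(body[5], str(body[5])),
                            TLS_ALERTS.get(body[6], str(body[6])))
    return out

if __name__ == "__main__":
    for dump in (CHALLENGE_HEX, REJECT_HEX):
        name, eap = radius_eap(dump)
        print(name, decode_eap(eap))
```
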




-----Original message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au] 
Sent: Thursday, 03 March 2011 3:26
To: Augusto Cabrera
CC: radiator at open.com.au
Subject: Re: [RADIATOR] RV: Problem Radiator configuration WIMAX

On 03/03/2011 12:53 AM, Augusto Cabrera wrote:

> Hello Heikki, 
> Thanks for responding, I have the server certificates. Pem and client. Der incurs with openssl 

Looks like the certificate problems are solved since the TTLS inner
authentication is trying to run.

> But I have this problem according to the logs: 

Make sure you have Digest-MD4 module installed as described in
http://www.open.com.au/radiator/install.html

You need this module for MSCHAP and MSCHAPv2.

> ERR: Could not handle an EAP request: Undefined subroutine &Radius::MSCHAP::ASCIItoUnicode called at /usr/lib/perl5/site_perl/Radius/AuthGeneric.pm line 866.

I'd say this is the result of MSCHAP module not working at all since
Digest-MD4 was not available.

> The logs are:
> 
> Code:       Access-Request
> Identifier: 27
> Authentic:  <0><0>V<6><0><0>v<31><0><0>n<11><0><0>d<195>
> Attributes:
> 	User-Name = "wimax at wimaxtest"
> 	NAS-IP-Address = 3.3.3.3
> 	Calling-Station-Id = "00256831312f"
> 	NAS-Identifier = "WASN9770"
> 	Event-Timestamp = 1299099954
> 	EAP-Message = <2><225><0><196><21><128><0><0><0><186><23><3><1><0> <191><10>ZY<162><226><129><185><185>A:~K<235><131>F'Cb<182><225><208>W<242><9><227>v%k,,N<23><3><1><0><144><1>.<238><30><244><14><4>N<0><219><184>3<247><4><8><248><249><217>@3<20><188>}<247><165>m<209><159><25><239><209><11><213><152><222><14><166><250><228><152><166><2><9><220><24>w&<4><15><200><127><163><145><178><165><162><17><203>{<<179><<233><190><227><224><136><31><28>,ed <211><4><157><6><154>u!U<<30><169><174>FX=<200>~<220>N<149><176>0X<12>p<207><217><216><9><175>Kc<18>z<127><187><144><3><134><188><129><253>-(<128><164><189><198>z|7K<231><20><30><129><19><9>(<197>4<196>@<25><221><244><133><198>?k<165>
> 	WiMAX-Capability = <1><5>1.1<2><3><2><3><3><1><5><3><1><4><3><1>
> 	WiMAX-BS-ID = 00000203f110
> 	WiMAX-GMT-Timezone-Offset = -18000
> 	NAS-Port-Type = Wireless-IEEE-802.16
> 	WiMAX-PPAC = <1><6><0><0><0>c
> 	Service-Type = Framed-User
> 	Message-Authenticator = <198><156><178>n<247><177><243><137><224><210>L<11><6>NH<244>
> 
> Wed Mar  2 16:05:20 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
> Wed Mar  2 16:05:20 2011: DEBUG:  Deleting session for wimax at wimaxtest, 3.3.3.3, 
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthSQL: 
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthSQL: 
> Wed Mar  2 16:05:20 2011: DEBUG: Query is: 'select reason from blacklist where nai='00256831312f'': 
> Wed Mar  2 16:05:20 2011: DEBUG: Radius::AuthSQL looks for match with 00256831312f [wimax at wimaxtest]
> Wed Mar  2 16:05:20 2011: DEBUG: Radius::AuthSQL REJECT: No such user: 00256831312f [wimax at wimaxtest]
> Wed Mar  2 16:05:20 2011: DEBUG: Query is: 'select reason from blacklist where nai='DEFAULT'': 
> Wed Mar  2 16:05:20 2011: DEBUG: AuthBy SQL result: ACCEPT, No such user
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with EAP: code 2, 225, 196, 21
> Wed Mar  2 16:05:20 2011: DEBUG: Response type 21
> Wed Mar  2 16:05:20 2011: DEBUG: EAP TTLS data, 3, 225, 224
> Wed Mar  2 16:05:20 2011: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:       UNDEF
> Identifier: UNDEF
> Authentic:  UNDEF
> Attributes:
> 	User-Name = "wimax"
> 	MS-CHAP-Challenge = T|}M<140><255><165><195><3><211>s<0><186><210><236><152>
> 	MS-CHAP2-Response = U<0>!@#$%^&*()_+:3|~<0><0><0><0><0><0><0><0>-<17><2><129><24>*<217><224>V<1><158><209><169><192>&&<20><227><13><10><189><143><215><174>
> 
> Wed Mar  2 16:05:20 2011: DEBUG: EAP TTLS inner authentication request for wimax
> Wed Mar  2 16:05:20 2011: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
> Wed Mar  2 16:05:20 2011: DEBUG:  Deleting session for wimax, 3.3.3.3, 
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthSQL: 
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthSQL: 
> Wed Mar  2 16:05:20 2011: DEBUG: Query is: 'select reason from blacklist where nai=NULL': 
> Wed Mar  2 16:05:20 2011: DEBUG: Radius::AuthSQL looks for match with  [wimax]
> Wed Mar  2 16:05:20 2011: DEBUG: Radius::AuthSQL REJECT: No such user:  [wimax]
> Wed Mar  2 16:05:20 2011: DEBUG: Query is: 'select reason from blacklist where nai='DEFAULT'': 
> Wed Mar  2 16:05:20 2011: DEBUG: AuthBy SQL result: ACCEPT, No such user
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
> Wed Mar  2 16:05:20 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
> Wed Mar  2 16:05:20 2011: DEBUG: Query is: 'select psk, cui, hotlineprofile from subscription where nai=?': wimax
> Wed Mar  2 16:05:20 2011: DEBUG: Query is: 'select profileid, httpredirectionrule, ipredirectionrule, nasfilterrule, sessiontimer from hotlineprofile where id=?': 0
> Wed Mar  2 16:05:20 2011: DEBUG: Radius::AuthWIMAX looks for match with wimax [wimax]
> Wed Mar  2 16:05:20 2011: ERR: Could not handle an EAP request: Undefined subroutine &Radius::MSCHAP::ASCIItoUnicode called at /usr/lib/perl5/site_perl/Radius/AuthGeneric.pm line 866.
> 
> Wed Mar  2 16:05:20 2011: DEBUG: AuthBy WIMAX result: REJECT, Could not handle an EAP request
> Wed Mar  2 16:05:20 2011: INFO: Access rejected for 00256831312f: Could not handle an EAP request
> Wed Mar  2 16:05:20 2011: DEBUG: Packet dump:
> *** Sending to 3.3.3.3 port 10033 ....
> 
> Packet length = 36
> 03 1b 00 24 60 fc ea e7 98 51 59 ae 23 eb dc a9
> ca 25 a7 1f 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code:       Access-Reject
> Identifier: 27
> Authentic:  `<252><234><231><152>QY<174>#<235><220><169><202>%<167><31>
> Attributes:
> 	Reply-Message = "Request Denied"
> 
> Wed Mar  2 16:05:20 2011: DEBUG: Monitor received command: STATS .
> Wed Mar  2 16:05:21 2011: DEBUG: Monitor received command: STATS .
> Wed Mar  2 16:05:22 2011: DEBUG: Monitor received command: STATS .
> Wed Mar  2 16:05:23 2011: DEBUG: Monitor received command: STATS .
> 
> 
>       Regards,
> 
>      Augusto Cabrera Duffaut.
> 
> 
> 
> 
> -----Original message-----
> From: Heikki Vatiainen [mailto:hvn at open.com.au] 
> Sent: Wednesday, 02 March 2011 16:48
> To: Augusto Cabrera
> CC: radiator at open.com.au
> Subject: Re: [RADIATOR] Problem Radiator configuration WIMAX
> 
> On 03/02/2011 06:08 PM, Augusto Cabrera wrote:
>>
>> Hi, I am configuring Radiator for WiMAX authentication; the CPEs are
>> ZyXEL, but I have authentication errors. Please, I need help. The setup I
>> have is the following:
> 
> Hello,
> 
> can you tell us a bit more what the problem is? From the log below it
> looks like there are TTLS authentication Access-Requests and
> Access-Challenges, but there is no clear error as far as I can tell.
> 
> If the error is TTLS authentication not finishing, you should check the
> client configuration. Please check that the clients trust this root
> certificate:
> 
> EAPTLS_CAFile /etc/radiator/certificados/cacert.pem
> 
> It is possible that the client does not recognize or trust the root
> certificate and for that reason stops the authentication process. It
> looks like the TTLS inner authentication does not start so you should
> concentrate on the certificate setup.
> 
> Thanks!
> Heikki
> 
> 
>> [root at wimax radiator]# vi radius.cfg
>>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>
