[RADIATOR] RADIATOR, EAP-TLS

Heikki Vatiainen hvn at open.com.au
Wed Apr 18 04:10:51 CDT 2012 

On 04/18/2012 11:55 AM, Sudhir Harwalkar wrote:

> Please see the EAP-TLS Client log file, Radius log file and eap_tls.cfg file.

The wireshark capture is not that useful, the same information is in the
Radiator logfile. If you can get a log from your client, not wireshark
capture, that would be more useful.

Radiator log shows Radiator sends EAP-TLS start message, but your client
never responds. It just keeps on sending EAP Identity.

Check your client. Why does it not react to EAP-TLS start?

Thanks!
Heikki


> Regards
> Sudhir H
> 
> -----Original Message-----
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
> Sent: Wednesday, April 18, 2012 1:41 PM
> To: radiator at open.com.au
> Subject: Re: [RADIATOR] RADIATOR, EAP-TLS
> 
> On 04/18/2012 10:00 AM, Sudhir Harwalkar wrote:
> 
>> How to configure the client to trust the CA certificate?
> 
> That depends on the client. What you wrote below sounds correct.
> 
>> What I done was, converted CA, Client and Client Pvt key to hex value because in our code we are giving as hex code.
> 
> Ok.
> 
>> Using this I run the radius server using TLS config file its showing continuously as Challenge.
> 
> What does the client log show? The client log should show why it is not responding to the Challenge Radiator sends.
> 
> Heikki
> 
> 
>> Regards
>> Sudhir H
>>
>> -----Original Message-----
>> From: radiator-bounces at open.com.au
>> [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
>> Sent: Monday, April 16, 2012 2:39 PM
>> To: radiator at open.com.au
>> Subject: Re: [RADIATOR] FW: FW: RADIATOR: EAP-FAST-MSCHAPv2
>>
>> On 04/16/2012 11:12 AM, Sudhir Harwalkar wrote:
>>
>>> 1. Please guide me how to keep PACs in memory, what are all the changes need to make in config files.
>>
>> You need to change the Handler for outer EAP-FAST authentication to use AuthBy SQL. See goodies/sql.cfg and look for CreateEAPFastPACQuery and GetEAPFastPACQuery.
>>
>> For defintion of the single table that is needed, see
>> goodies/mysqlCreate.sql. The table is EAPFAST_PAC
>>
>> MySQL is not required, it is just used for an example. You could try
>> SQLite for a simple file based DB. http://www.sqlite.org/download.html
>>
>> You can keep all EAPTLS_* settings the same as they are now when setting up AuthBy SQL.
>>
>>> 2. I tried to authenticate with the EAP-TLS, as I was seen Access challenge message only and I haven't found any error in that case, please find the log, and config files for this.
>>
>> The log shows two different messages:
>> 1. EAP Identity from your client
>> 2. EAP-TLS start from Radiator
>>
>> The client then resends the identity. Check the client settings. It
>> seems not to accept EAP-TLS or is otherwise incorrectly configured.
>> Note that at some point you need to configure the client to trust the
>> CA certificate in certificates/demoCA/cacert.pem
>>
>> Thanks!
>> Heikki
>>
>>
>>> Regards
>>> Sudhir H
>>>
>>> -----Original Message-----
>>> From: radiator-bounces at open.com.au
>>> [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
>>> Sent: Friday, April 13, 2012 6:00 PM
>>> To: radiator at open.com.au
>>> Subject: Re: [RADIATOR] FW: RADIATOR: EAP-FAST-MSCHAPv2
>>>
>>> On 04/12/2012 04:14 PM, Sudhir Harwalkar wrote:
>>>
>>>> 1. Whenever I flash the new code to the device it's generating new PAC key at that time it's getting authenticate with the server,
>>>>      If PACs are gone after a restart, but our device generating the same and send to the server so it should authenticate, why that's not happening here.
>>>
>>> If the server has lost its PACs, the client PAC are useless. It is the server that decides if the PAC is valid. If the server refuses the PAC client sends, then a new PAC needs to be provisioned to the client. That is my take to how this should work.
>>>
>>>> 2. For EAP-TLS I took CA Certificate from C:\Radiator\Radiator-Locked-4.9\certificates\demoCA \cacert.pem and for Client I used C:\Radiator\Radiator-Locked-4.9\certificates\ cert-clt.pem is these are the correct files that I am using.
>>>
>>> Yes. See goodies/eap_tls.cfg for an example of EAP-TLS configuration.
>>>
>>> Heikki
>>>
>>>
>>>> Sudhir H
>>>>
>>>> -----Original Message-----
>>>> From: Heikki Vatiainen [mailto:hvn at open.com.au]
>>>> Sent: Thursday, April 12, 2012 2:52 PM
>>>> To: Sudhir Harwalkar
>>>> Subject: Re: FW: [RADIATOR] FW: RADIATOR: EAP-FAST-MSCHAPv2
>>>>
>>>> On 04/12/2012 09:25 AM, Sudhir Harwalkar wrote:
>>>>
>>>>> Thanks for helping me Heikki, when I flash the new code, then start the radius server it's working fine after that I restarted the radius server and power on the device then it's not authenticated.
>>>>> Again I flash the code and verified working fine.
>>>>
>>>> Ok. Good to hear it works.
>>>>
>>>>> Problem arises only if I restart the radius server.
>>>>> This should not happen right.
>>>>
>>>> By default Radiator keeps PACs in memory and they are gone after a restart. There is a possibility to keep them in SQL so that they survive across reboots.
>>>>
>>>> Heikki
>>>>
>>>>
>>>>
>>>>
>>>> Larsen & Toubro Limited
>>>>
>>>> www.larsentoubro.com
>>>>
>>>> This Email may contain confidential or privileged information for the intended recipient (s) If you are not the intended recipient, please do not use or disseminate the information, notify the sender and delete it from your system.
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
>>> --
>>> Heikki Vatiainen <hvn at open.com.au>
>>>
>>> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
>>> Larsen & Toubro Limited
>>>
>>> www.larsentoubro.com
>>>
>>> This Email may contain confidential or privileged information for the intended recipient (s) If you are not the intended recipient, please do not use or disseminate the information, notify the sender and delete it from your system.
>>
>>
>> --
>> Heikki Vatiainen <hvn at open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>> Larsen & Toubro Limited
>>
>> www.larsentoubro.com
>>
>> This Email may contain confidential or privileged information for the intended recipient (s) If you are not the intended recipient, please do not use or disseminate the information, notify the sender and delete it from your system.
> 
> 
> --
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> Larsen & Toubro Limited
> 
> www.larsentoubro.com
> 
> This Email may contain confidential or privileged information for the intended recipient (s) If you are not the intended recipient, please do not use or disseminate the information, notify the sender and delete it from your system.


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list