[RADIATOR] EAP TTLS authentication problem
Bengi Sağlam
bengi at socialandbeyond.com
Fri May 8 06:54:28 CDT 2015
Hi all,
I have a problem with EAP-TTLS authentication. My current configuration
file is as follows:
<SessionDatabase SQL>
    Identifier Employee
    DBSource dbi:Pg:dbname=%{GlobalVar:dbname};host=%{GlobalVar:host};port=%{GlobalVar:port}
    DBUsername %{GlobalVar:dbusername}
    FailureBackoffTime 2
    Timeout 10
    AddQuery ………….
    DeleteQuery begin work; \
        ……………...
    ClearNasQuery ……….
</SessionDatabase>

<Realm DEFAULT>
    SessionDatabase Employee
    PreProcessingHook sub { \
        my $p = ${$_[0]};\
        my $aref = $p->{Client}->{DupCacheOrder}[0]->{Attributes};\
        my %h ;\
        foreach my $pair ( @$aref ) { $h{$pair->[0]} = $pair->[1] } ;\
        ${$_[0]}->add_attr('Threshold',80000);\
        ${$_[0]}->add_attr('Interim-Update',300);\
        }
    <AuthBy SQL>
        DBSource dbi:Pg:dbname=%{GlobalVar:dbname};host=%{GlobalVar:host};port=%{GlobalVar:port}
        DBUsername %{GlobalVar:dbusername}
        FailureBackoffTime 2
        NoDefault
        Timeout 10
        AuthSelect SELECT ……………..
        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, User-Name, check
        AuthColumnDef 2, Max-Daily-Session, check
        AuthColumnDef 3, Session-Timeout, reply
        AuthColumnDef 4, WISPr-Bandwidth-Max-Down, reply
        AuthColumnDef 5, WISPr-Bandwidth-Max-Up, reply
        AuthColumnDef 6, Idle-Timeout, reply
        AuthColumnDef 7, ChilliSpot-Bandwidth-Max-Up, reply
        AuthColumnDef 8, ChilliSpot-Bandwidth-Max-Down, reply
        AcctTotalSinceQuery ………….
        HandleAcctStatusTypes Start, Alive, Stop
        AcctSQLStatement …...
        AcctSQLStatement ….
        AcctSQLStatement DELETE FROM RADONLINE WHERE USERMAC='%{Calling-Station-Id}' AND NASID='%{NAS-Identifier}' AND 'Stop'='%{Acct-Status-Type}'
        EAPType TTLS
        EAPTLS_PrivateKeyPassword ************
        EAPTLS_CAFile /usr/local/etc/radiator/%{GlobalVar:nodename}/cert/DigiCertCA.crt
        EAPTLS_CertificateFile /usr/local/etc/radiator/%{GlobalVar:nodename}/cert/hotspot.crt
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /usr/local/etc/radiator/%{GlobalVar:nodename}/cert/priv.pem
        EAPTLS_MaxFragmentSize 1000
        EAPTTLS_NoAckRequired
        AutoMPPEKeys
    </AuthBy>
</Realm>
Radiator log file:
Fri May 8 13:16:56 2015 309744: DEBUG: Packet dump:
*** Received from 217.124.187.38 port 49158 ....
Packet length = 220
01 10 00 dc 28 c1 88 9a 42 e6 ca 29 0e 35 31 8b
44 5d 5c b5 01 09 6d 61 72 71 75 65 73 04 06 d9
7c bb 26 05 06 00 00 00 00 20 13 39 43 2d 31 43
2d 31 32 2d 43 45 2d 34 31 2d 43 43 3d 06 00 00
00 13 1f 13 30 34 3a 34 36 3a 36 35 3a 36 36 3a
44 36 3a 30 44 1e 13 39 43 3a 31 43 3a 31 32 3a
43 45 3a 34 31 3a 43 43 06 06 00 00 00 01 0c 06
00 00 04 4c 4f 0e 02 01 00 0c 01 6d 61 72 71 75
65 73 1a 17 00 00 39 e7 05 11 45 6d 70 6c 65 61
64 6f 73 5f 53 49 4c 41 4e 1a 19 00 00 39 e7 06
13 39 63 3a 31 63 3a 31 32 3a 63 65 3a 34 31 3a
63 63 1a 18 00 00 39 e7 0a 12 69 6e 73 74 61 6e
74 2d 43 45 3a 34 31 3a 43 43 50 12 e8 17 50 88
22 68 0a 6c 67 3c 68 3f f9 c1 c1 a3
Code: Access-Request
Identifier: 16
Authentic: (<193><136><154>B<230><202>)<14>51<139>D]\<181>
Attributes:
    User-Name = "marques"
    NAS-IP-Address = 217.124.187.38
    NAS-Port = 0
    NAS-Identifier = "9C-1C-12-CE-41-CC"
    NAS-Port-Type = Wireless-IEEE-802-11
    Service-Type = Login-User
    Framed-MTU = 1100
    EAP-Message = <2><1><0><12><1>marques
    Aruba-Essid-Name = "Empleados_SILAN"
    Aruba-Location-Id = "9c:1c:12:ce:41:cc"
    Aruba-AP-Group = "instant-CE:41:CC"
    Message-Authenticator = <232><23>P<136>"h<10>lg<h?<249><193><193><163>
    Called-Station-Id = "9C-1C-12-CE-41-CC"
    Calling-Station-Id = "04_46_65_66_D6_0D"
Fri May 8 13:16:56 2015 310184: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Fri May 8 13:16:56 2015 310483: DEBUG: Employee Deleting session for marques, 217.124.187.38, 0
Fri May 8 13:16:56 2015 311407: DEBUG: do query to 'dbi:Pg:dbname=radius;host=silandb;port=5432': 'begin work; INSERT INTO
DEVICES(MAC,DEVICEMODEL,DEVICEOS,PASSWORD,LOCALE,CREATED,MODIFIED)
VALUES(COALESCE(NULLIF('04_46_65_66_D6_0D',''),''),1,1,RANDOM_STRING(24),'s:2:"es"',EXTRACT(EPOCH
FROM NOW())::INT,EXTRACT(EPOCH FROM NOW())::INT); INSERT INTO
DEVICES_LOCATIONS(MAC,LOCATIONID,CREATED,MODIFIED)
VALUES(COALESCE(NULLIF('04_46_65_66_D6_0D',''),''),(SELECT r.LOCATION FROM
ROUTERS r WHERE r.NASID =
COALESCE(NULLIF('9C-1C-12-CE-41-CC',''),'')),EXTRACT(EPOCH FROM
NOW())::INT,EXTRACT(EPOCH FROM NOW())::INT); INSERT INTO
SESSIONS_TIME(MAC,USERID,LOCATIONID,DOMAIN,EXTRATIME,CONSUMEDTIME,CREATED,EXPIRATIONDATE,LASTUPDATE)
VALUES(COALESCE(NULLIF('04_46_65_66_D6_0D',''),''),'marques', (SELECT
r.LOCATION FROM ROUTERS r WHERE r.NASID =
COALESCE(NULLIF('9C-1C-12-CE-41-CC',''),'')),'Connect_Employee', (SELECT
wup.SESSIONTIMEOUT FROM WIFI_USERS wu JOIN WIFI_USER_PROFILES wup ON
wup.NETWORKID = wu.NETWORKID AND wup.PROFILE = wu.PROFILE WHERE wu.USERNAME
= 'marques'), 0,EXTRACT(EPOCH FROM NOW())::INT,EXTRACT(EPOCH FROM
NOW())::INT+(SELECT wup.EXPIRATIONTIMEOUT FROM WIFI_USERS wu JOIN
WIFI_USER_PROFILES wup ON wup.NETWORKID = wu.NETWORKID AND wup.PROFILE =
wu.PROFILE WHERE wu.USERNAME = 'marques'),EXTRACT(EPOCH FROM NOW())::INT);
commit work':
Fri May 8 13:16:56 2015 316806: DEBUG: Handling with Radius::AuthSQL:
Fri May 8 13:16:56 2015 317011: DEBUG: Handling with Radius::AuthSQL:
Fri May 8 13:16:56 2015 317246: DEBUG: Handling with EAP: code 2, 1, 12, 1
Fri May 8 13:16:56 2015 317398: DEBUG: Response type 1
Fri May 8 13:16:56 2015 317728: DEBUG: EAP result: 3, EAP TTLS Challenge
Fri May 8 13:16:56 2015 317876: DEBUG: AuthBy SQL result: CHALLENGE, EAP TTLS Challenge
Fri May 8 13:16:56 2015 318035: DEBUG: Access challenged for marques: EAP TTLS Challenge
Fri May 8 13:16:56 2015 318518: DEBUG: Packet dump:
*** Sending to 217.124.187.38 port 49158 ....
Packet length = 46
0b 10 00 2e 09 b8 9a dd 63 6e 8c 6a f6 b4 2f 6f
bb e9 04 86 4f 08 01 02 00 06 15 20 50 12 ae 8a
fc fd 95 f0 0d 43 af 9f 41 30 07 e6 4d 2b
Code: Access-Challenge
Identifier: 16
Authentic: <9><184><154><221>cn<140>j<246><180>/o<187><233><4><134>
Attributes:
    EAP-Message = <1><2><0><6><21>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
The problem is that in the Radiator log I only see the Access-Request
and one Access-Challenge packet; somehow the challenge stops.
Could you please tell me what I am missing or how I can fix it?
Regards,
Bengi Saglam
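To see what the two EAP-Message values in the log actually carry, here is an added Python example (not part of the original post, and not Radiator's code) that converts Radiator's <n> packet-dump notation back to bytes, decodes the EAP header and the EAP-TTLS flags byte, and reports where the exchange stopped. It assumes the challenge's trailing 0x20 byte (visible in the hex dump) is the EAP-TTLS Start flag, which the attribute listing prints as a space.

```python
import re

# Radiator's packet dump prints non-printable bytes as <n> and printable ones
# literally; this regex lets us turn such an attribute value back into bytes.
_TOKEN = re.compile(r"<(\d+)>|(.)", re.S)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 21: "TTLS"}

# Constructed from the two EAP-Message values in the log above; the challenge's
# last byte is 0x20 (see its hex dump), which Radiator prints as a space.
LOG_REQUEST_EAP = "<2><1><0><12><1>marques"
LOG_CHALLENGE_EAP = "<1><2><0><6><21> "


def radiator_attr_bytes(text: str) -> bytes:
    return bytes(int(n) if n else ord(c) for n, c in _TOKEN.findall(text))


def decode_eap(raw: bytes) -> dict:
    """Decode an EAP packet (RFC 3748 header; EAP-TTLS flag byte per RFC 5281)."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length {length} does not match {len(raw)} bytes")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type, data = raw[4], raw[5:]
        msg["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:            # Identity: payload is the user name / NAI
            msg["identity"] = data.decode("ascii", "replace")
        elif eap_type == 21:         # TTLS: flags byte (L, M, S), then TLS data
            flags = data[0] if data else 0
            msg["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                            "S": bool(flags & 0x20)}
            msg["tls_data"] = data[1:]
    return msg


def diagnose(exchange: list) -> str:
    """exchange: (direction, eap) pairs in log order; 'rx' from NAS, 'tx' to NAS."""
    direction, last = exchange[-1]
    if (direction == "tx" and last.get("type") == "TTLS"
            and last["flags"]["S"] and not last["tls_data"]):
        return (f"stalled after EAP-TTLS Start (id {last['id']}): no "
                "EAP-Response/TTLS with a TLS ClientHello came back from the client")
    return "exchange progressed past EAP-TTLS Start"


if __name__ == "__main__":
    exchange = [("rx", decode_eap(radiator_attr_bytes(LOG_REQUEST_EAP))),
                ("tx", decode_eap(radiator_attr_bytes(LOG_CHALLENGE_EAP)))]
    print(*exchange, diagnose(exchange), sep="\n")
```

Run against the log above it shows the Access-Request carries EAP-Response/Identity "marques" and the single Access-Challenge is an EAP-TTLS Start with no TLS data, so the next packet to look for on the NAS or supplicant side is the client's EAP-Response/TTLS (ClientHello) that never reached the server.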