[RADIATOR] EAP TTLS authentication problem

Hartmaier Alexander alexander.hartmaier at t-systems.at
Fri May 8 07:43:41 CDT 2015


Usually this occurs if the EAPTLS_MaxFragmentSize is set too large in regard to the smallest MTU of the path the RADIUS packets take.

1000 is a low value for an Ethernet infrastructure with an MTU of 1500, but you might have tunnels or some other media with a smaller MTU in your path.

Another possibility is that the client doesn't trust the RADIUS server certificate, which will cause it to stop further processing too.

Best regards, Alex
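To make the size relationship Alex describes concrete, here is an added example (not code from the thread, from Radiator, or from its documentation) that works out how large an Access-Challenge datagram becomes for a given fragment size and whether it fits a path MTU. It assumes that EAPTLS_MaxFragmentSize is the number of TLS octets Radiator places in one EAP-TTLS packet, IPv4 without options, and a challenge carrying only EAP-Message and Message-Authenticator, which is what the Access-Challenge in the log below contains; the function names are the example's own.

```python
# Added example, not from the thread or from Radiator. It models how a
# fragment size such as EAPTLS_MaxFragmentSize 1000 turns into a UDP datagram
# on the RADIUS path, and whether that datagram fits a given path MTU.
#
# Assumptions (not stated on the page): the fragment size is the number of TLS
# octets placed in one EAP-TTLS packet; IPv4 without options; the
# Access-Challenge carries only EAP-Message and Message-Authenticator, as the
# challenge in the log does. Sizes come from RFC 2865, RFC 3579 and RFC 5281.

IPV4_HDR = 20            # IPv4 header, no options
UDP_HDR = 8
RADIUS_HDR = 20          # code, identifier, length, authenticator
AVP_HDR = 2              # type + length octets of every attribute
AVP_MAX_VALUE = 253      # attribute length is one octet: 255 - 2
EAP_HDR = 4              # code, identifier, length
EAP_TTLS_TYPE_FLAGS = 2  # type octet (21) + flags octet
EAP_TTLS_LENGTH = 4      # TLS Message Length, present when the L flag is set
MSG_AUTH_AVP = AVP_HDR + 16


def eap_packet_size(fragment, first=True):
    """Octets of one EAP-TTLS packet carrying `fragment` TLS octets."""
    return EAP_HDR + EAP_TTLS_TYPE_FLAGS + (EAP_TTLS_LENGTH if first else 0) + fragment


def eap_message_avps_size(eap_len):
    """The EAP packet is split over EAP-Message attributes of at most 253
    value octets each (RFC 3579 3.1); every piece costs a 2-octet header."""
    pieces = -(-eap_len // AVP_MAX_VALUE)   # ceiling division
    return eap_len + pieces * AVP_HDR


def datagram_size(fragment, first=True, extra_avps=0):
    """Total IPv4 datagram octets for an Access-Challenge carrying the fragment.
    `extra_avps` adds the octets of any further attributes (State, Proxy-State ...)."""
    radius_len = (RADIUS_HDR + eap_message_avps_size(eap_packet_size(fragment, first))
                  + MSG_AUTH_AVP + extra_avps)
    return IPV4_HDR + UDP_HDR + radius_len


def fits_path_mtu(fragment, path_mtu, first=True, extra_avps=0):
    """True when the challenge crosses the RADIUS path without IP fragmentation."""
    return datagram_size(fragment, first, extra_avps) <= path_mtu


def fits_framed_mtu(fragment, framed_mtu, first=True):
    """RFC 3579 2.4: the NAS may advertise Framed-MTU as the largest EAP packet
    it can deliver to the supplicant; that limit applies to the EAP packet,
    not to the RADIUS datagram."""
    return eap_packet_size(fragment, first) <= framed_mtu


def largest_fragment(path_mtu, first=True, extra_avps=0):
    """Largest fragment whose challenge still fits path_mtu (0 if none does)."""
    best = 0
    for fragment in range(1, 65536):
        if datagram_size(fragment, first, extra_avps) > path_mtu:
            break
        best = fragment
    return best


if __name__ == "__main__":
    for mtu in (1500, 1400, 1100):
        print("fragment 1000 -> %d-octet datagram, fits MTU %d: %s, largest fragment for it: %d"
              % (datagram_size(1000), mtu, fits_path_mtu(1000, mtu), largest_fragment(mtu)))
```

With the thread's values, a 1000-octet fragment becomes a 1084-octet datagram, comfortably under an Ethernet MTU of 1500 but not under a tunnel MTU of, say, 1000; `largest_fragment` gives the value that just fits a known path MTU. The datagram that actually reaches this size is the one carrying the server's TLS Certificate message, which is cut into fragments of this size, so a handshake that stalls right after the client's ClientHello is what an MTU problem typically looks like on the wire. The Framed-MTU the NAS sends (1100 in the request in the log below) constrains the EAP packet itself, which `fits_framed_mtu` checks separately.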

On 2015-05-08 13:54, Bengi Sağlam wrote:
Hi all,

I have a problem with the EAP TTLS authentication. My current configuration file is as follows:


<SessionDatabase SQL>
    Identifier Employee
    DBSource dbi:Pg:dbname=%{GlobalVar:dbname};host=%{GlobalVar:host};port=%{GlobalVar:port}
    DBUsername %{GlobalVar:dbusername}
    FailureBackoffTime 2
    Timeout 10
    AddQuery ………….
    DeleteQuery begin work; \
                ……………...
    ClearNasQuery ……….
</SessionDatabase>

<Realm DEFAULT>
    SessionDatabase Employee
    PreProcessingHook sub { \
        my $p = ${$_[0]};\
        my $aref = $p->{Client}->{DupCacheOrder}[0]->{Attributes};\
        my %h ;\
        foreach my $pair ( @$aref ) { $h{$pair->[0]} = $pair->[1] } ;\
        ${$_[0]}->add_attr('Threshold',80000);\
        ${$_[0]}->add_attr('Interim-Update',300);\
    }
    <AuthBy SQL>
        DBSource dbi:Pg:dbname=%{GlobalVar:dbname};host=%{GlobalVar:host};port=%{GlobalVar:port}
        DBUsername %{GlobalVar:dbusername}
        FailureBackoffTime 2
        NoDefault
        Timeout 10

        AuthSelect SELECT ……………..
        AuthColumnDef 0, User-Password, check
        AuthColumnDef 1, User-Name, check
        AuthColumnDef 2, Max-Daily-Session, check
        AuthColumnDef 3, Session-Timeout, reply
        AuthColumnDef 4, WISPr-Bandwidth-Max-Down, reply
        AuthColumnDef 5, WISPr-Bandwidth-Max-Up, reply
        AuthColumnDef 6, Idle-Timeout, reply
        AuthColumnDef 7, ChilliSpot-Bandwidth-Max-Up, reply
        AuthColumnDef 8, ChilliSpot-Bandwidth-Max-Down, reply

        AcctTotalSinceQuery ………….

        HandleAcctStatusTypes Start, Alive, Stop

        AcctSQLStatement …...
        AcctSQLStatement ….
        AcctSQLStatement DELETE FROM RADONLINE WHERE USERMAC= '%{Calling-Station-Id}' AND NASID ='%{NAS-Identifier}' AND 'Stop' ='%{Acct-Status-Type}'

        EAPType TTLS
        EAPTLS_PrivateKeyPassword ***********
        EAPTLS_CAFile /usr/local/etc/radiator/%{GlobalVar:nodename}/cert/DigiCertCA.crt
        EAPTLS_CertificateFile /usr/local/etc/radiator/%{GlobalVar:nodename}/cert/hotspot.crt
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /usr/local/etc/radiator/%{GlobalVar:nodename}/cert/priv.pem
        EAPTLS_MaxFragmentSize 1000
        EAPTTLS_NoAckRequired
        AutoMPPEKeys
    </AuthBy>
</Realm>

Radiator log file:

Fri May  8 13:16:56 2015 309744: DEBUG: Packet dump:
*** Received from 217.124.187.38 port 49158 ....

Packet length = 220
01 10 00 dc 28 c1 88 9a 42 e6 ca 29 0e 35 31 8b
44 5d 5c b5 01 09 6d 61 72 71 75 65 73 04 06 d9
7c bb 26 05 06 00 00 00 00 20 13 39 43 2d 31 43
2d 31 32 2d 43 45 2d 34 31 2d 43 43 3d 06 00 00
00 13 1f 13 30 34 3a 34 36 3a 36 35 3a 36 36 3a
44 36 3a 30 44 1e 13 39 43 3a 31 43 3a 31 32 3a
43 45 3a 34 31 3a 43 43 06 06 00 00 00 01 0c 06
00 00 04 4c 4f 0e 02 01 00 0c 01 6d 61 72 71 75
65 73 1a 17 00 00 39 e7 05 11 45 6d 70 6c 65 61
64 6f 73 5f 53 49 4c 41 4e 1a 19 00 00 39 e7 06
13 39 63 3a 31 63 3a 31 32 3a 63 65 3a 34 31 3a
63 63 1a 18 00 00 39 e7 0a 12 69 6e 73 74 61 6e
74 2d 43 45 3a 34 31 3a 43 43 50 12 e8 17 50 88
22 68 0a 6c 67 3c 68 3f f9 c1 c1 a3
Code:       Access-Request
Identifier: 16
Authentic:  (<193><136><154>B<230><202>)<14>51<139>D]\<181>
Attributes:
        User-Name = "marques"
        NAS-IP-Address = 217.124.187.38
        NAS-Port = 0
        NAS-Identifier = "9C-1C-12-CE-41-CC"
        NAS-Port-Type = Wireless-IEEE-802-11
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = <2><1><0><12><1>marques
        Aruba-Essid-Name = "Empleados_SILAN"
        Aruba-Location-Id = "9c:1c:12:ce:41:cc"
        Aruba-AP-Group = "instant-CE:41:CC"
        Message-Authenticator = <232><23>P<136>"h<10>lg<h?<249><193><193><163>
        Called-Station-Id = "9C-1C-12-CE-41-CC"
        Calling-Station-Id = "04_46_65_66_D6_0D"

Fri May  8 13:16:56 2015 310184: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Fri May  8 13:16:56 2015 310483: DEBUG: Employee Deleting session for marques, 217.124.187.38, 0
Fri May  8 13:16:56 2015 311407: DEBUG: do query to 'dbi:Pg:dbname=radius;host=silandb;port=5432': 'begin work; INSERT INTO DEVICES(MAC,DEVICEMODEL,DEVICEOS,PASSWORD,LOCALE,CREATED,MODIFIED) VALUES(COALESCE(NULLIF('04_46_65_66_D6_0D',''),''),1,1,RANDOM_STRING(24),'s:2:"es"',EXTRACT(EPOCH FROM NOW())::INT,EXTRACT(EPOCH FROM NOW())::INT); INSERT INTO DEVICES_LOCATIONS(MAC,LOCATIONID,CREATED,MODIFIED) VALUES(COALESCE(NULLIF('04_46_65_66_D6_0D',''),''),(SELECT r.LOCATION FROM ROUTERS r WHERE r.NASID = COALESCE(NULLIF('9C-1C-12-CE-41-CC',''),'')),EXTRACT(EPOCH FROM NOW())::INT,EXTRACT(EPOCH FROM NOW())::INT); INSERT INTO SESSIONS_TIME(MAC,USERID,LOCATIONID,DOMAIN,EXTRATIME,CONSUMEDTIME,CREATED,EXPIRATIONDATE,LASTUPDATE) VALUES(COALESCE(NULLIF('04_46_65_66_D6_0D',''),''),'marques', (SELECT r.LOCATION FROM ROUTERS r WHERE r.NASID = COALESCE(NULLIF('9C-1C-12-CE-41-CC',''),'')),'Connect_Employee', (SELECT wup.SESSIONTIMEOUT FROM WIFI_USERS wu JOIN WIFI_USER_PROFILES wup ON wup.NETWORKID = wu.NETWORKID AND wup.PROFILE = wu.PROFILE WHERE wu.USERNAME = 'marques'), 0,EXTRACT(EPOCH FROM NOW())::INT,EXTRACT(EPOCH FROM NOW())::INT+(SELECT wup.EXPIRATIONTIMEOUT FROM WIFI_USERS wu JOIN WIFI_USER_PROFILES wup ON wup.NETWORKID = wu.NETWORKID AND wup.PROFILE = wu.PROFILE WHERE wu.USERNAME = 'marques'),EXTRACT(EPOCH FROM NOW())::INT); commit work':
Fri May  8 13:16:56 2015 316806: DEBUG: Handling with Radius::AuthSQL:
Fri May  8 13:16:56 2015 317011: DEBUG: Handling with Radius::AuthSQL:
Fri May  8 13:16:56 2015 317246: DEBUG: Handling with EAP: code 2, 1, 12, 1
Fri May  8 13:16:56 2015 317398: DEBUG: Response type 1
Fri May  8 13:16:56 2015 317728: DEBUG: EAP result: 3, EAP TTLS Challenge
Fri May  8 13:16:56 2015 317876: DEBUG: AuthBy SQL result: CHALLENGE, EAP TTLS Challenge
Fri May  8 13:16:56 2015 318035: DEBUG: Access challenged for marques: EAP TTLS Challenge
Fri May  8 13:16:56 2015 318518: DEBUG: Packet dump:
*** Sending to 217.124.187.38 port 49158 ....

Packet length = 46
0b 10 00 2e 09 b8 9a dd 63 6e 8c 6a f6 b4 2f 6f
bb e9 04 86 4f 08 01 02 00 06 15 20 50 12 ae 8a
fc fd 95 f0 0d 43 af 9f 41 30 07 e6 4d 2b
Code:       Access-Challenge
Identifier: 16
Authentic:  <9><184><154><221>cn<140>j<246><180>/o<187><233><4><134>
Attributes:
        EAP-Message = <1><2><0><6><21>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


The problem is that in the Radiator log I am only seeing the Access-Request and one Access-Challenge packet; somehow the challenge stops.
Could you please tell me what I am missing or how I can fix it?

Regards,
Bengi Saglam
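As an added example (not from the thread or from Radiator), the decoder below is run over the two hex dumps from the log above, transcribed as constructed input, and shows what each packet carries at the EAP level. Attribute and vendor numbers are public (RFC 2865, RFC 3579, RFC 5281; vendor 14823 is Aruba); the function names are the example's own.

```python
# Added example, not from the thread or from Radiator: a small RADIUS/EAP
# decoder run over the two packet dumps in the log above, transcribed here as
# constructed input. It reassembles EAP-Message and decodes the EAP header to
# show where the exchange stops: EAP-Response/Identity in, EAP-Request type 21
# (TTLS) with only the S (Start) flag out, and nothing after that.
# Numbers: RFC 2865 (attributes), RFC 3579 (EAP over RADIUS), RFC 5281 (TTLS
# flags); vendor 14823 is Aruba. Function names are this example's own.
import struct

ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
              12: "Framed-MTU", 30: "Called-Station-Id", 31: "Calling-Station-Id",
              32: "NAS-Identifier", 61: "NAS-Port-Type", 79: "EAP-Message",
              80: "Message-Authenticator"}
STRING_ATTRS, INT_ATTRS = {1, 30, 31, 32}, {5, 6, 12, 61}
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 21: "TTLS", 25: "PEAP"}


def parse_radius(data):
    """Return (code name, identifier, [(attribute name, value), ...]).
    Raises ValueError if a length octet disagrees with the bytes present."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("RADIUS length %d != %d octets" % (length, len(data)))
    attrs, pos = [], 20                       # skip the 16-octet authenticator
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        value = data[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        if atype in STRING_ATTRS:
            attrs.append((name, value.decode("ascii")))
        elif atype in INT_ATTRS:
            attrs.append((name, struct.unpack("!I", value)[0]))
        elif atype == 4:
            attrs.append((name, ".".join(str(b) for b in value)))
        elif atype == 26:                     # Vendor-Specific: id, vtype, vlen, data
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            attrs.append(("Vendor-%d-Attr-%d" % (vendor, vtype), value[6:4 + vlen].decode("ascii")))
        else:
            attrs.append((name, value))       # raw octets: EAP-Message, Message-Authenticator
        pos += alen
    return CODE_NAMES.get(code, str(code)), ident, attrs


def decode_eap(attrs):
    """Join the EAP-Message pieces (RFC 3579 3.1) and decode the EAP header."""
    raw = b"".join(v for n, v in attrs if n == "EAP-Message")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length %d != %d octets" % (length, len(raw)))
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        etype = raw[4]
        eap["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:
            eap["identity"] = raw[5:].decode("ascii")
        elif etype in (13, 21, 25):           # TLS-based methods share the flags octet
            flags = raw[5]
            eap["flags"] = [n for n, bit in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if flags & bit]
            eap["version"] = flags & 0x07
            eap["tls_octets"] = len(raw) - 6 - (4 if flags & 0x80 else 0)
    return eap


def summarize(data):
    code, ident, attrs = parse_radius(data)
    return {"code": code, "id": ident, "attrs": dict(attrs), "eap": decode_eap(attrs)}


# Constructed input: the hex of the two dumps in the log, copied as printed.
ACCESS_REQUEST = bytes.fromhex("""
01 10 00 dc 28 c1 88 9a 42 e6 ca 29 0e 35 31 8b 44 5d 5c b5 01 09 6d 61 72 71 75 65 73 04 06 d9
7c bb 26 05 06 00 00 00 00 20 13 39 43 2d 31 43 2d 31 32 2d 43 45 2d 34 31 2d 43 43 3d 06 00 00
00 13 1f 13 30 34 3a 34 36 3a 36 35 3a 36 36 3a 44 36 3a 30 44 1e 13 39 43 3a 31 43 3a 31 32 3a
43 45 3a 34 31 3a 43 43 06 06 00 00 00 01 0c 06 00 00 04 4c 4f 0e 02 01 00 0c 01 6d 61 72 71 75
65 73 1a 17 00 00 39 e7 05 11 45 6d 70 6c 65 61 64 6f 73 5f 53 49 4c 41 4e 1a 19 00 00 39 e7 06
13 39 63 3a 31 63 3a 31 32 3a 63 65 3a 34 31 3a 63 63 1a 18 00 00 39 e7 0a 12 69 6e 73 74 61 6e
74 2d 43 45 3a 34 31 3a 43 43 50 12 e8 17 50 88 22 68 0a 6c 67 3c 68 3f f9 c1 c1 a3
""")
ACCESS_CHALLENGE = bytes.fromhex("""
0b 10 00 2e 09 b8 9a dd 63 6e 8c 6a f6 b4 2f 6f bb e9 04 86 4f 08 01 02 00 06 15 20 50 12 ae 8a
fc fd 95 f0 0d 43 af 9f 41 30 07 e6 4d 2b
""")

if __name__ == "__main__":
    for pkt in (ACCESS_REQUEST, ACCESS_CHALLENGE):
        s = summarize(pkt)
        print(s["code"], "id", s["id"], "EAP:", s["eap"])
```

Decoding shows that the NAS delivered an EAP-Response/Identity (code 2, id 1, length 12, type 1, matching the "Handling with EAP: code 2, 1, 12, 1" line) and that the single challenge is an EAP-Request of type 21 (TTLS) with only the S flag set: the TTLS Start, six octets inside a 46-octet datagram, carrying no TLS data and no certificate yet. What should come next is the supplicant's ClientHello in a new Access-Request; nothing in the log shows one, so whatever goes wrong happens after this small challenge leaves Radiator and before the client's reply comes back. The same decoder run over a capture taken at the NAS tells you which of the two legs lost it. Note also that the raw Calling-Station-Id and Called-Station-Id octets carry colons, while the decoded listing in the log prints underscores and hyphens, and that the hex of the challenge carries the real Message-Authenticator where the listing prints zeros.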



