[RADIATOR] Bad EAP message length xx, EAP length yyy
André Da Cunha Araújo De Jesus
acaj at reitoria.ulisboa.pt
Fri Feb 8 14:37:39 UTC 2019
Hi
I am setting up a new Radiator service for eduroam. It sits between a Cisco wireless controller and an Active Directory.
When testing with various internal smartphones, everything seems to work well (I just feel that there are far too many messages, but I don't understand the protocol; it might be normal).
The problem I get is that when I put Radiator in production, I get a lot of errors between some successes, from devices that I have no access to (eduroam).
Googling around unfortunately gave no answers to this problem.
Below is one example of an error:
"f98f5e50 Thu Feb 7 18:30:40 2019: DEBUG: Packet dump:
f98f5e50 *** Received from x.x.x.x port x ....
f98f5e50 Code: Access-Request
f98f5e50 Identifier: 146
f98f5e50 Authentic: <12><31><127><145>56<17><220><135><141><137><30><188>;<212><255>
f98f5e50 Attributes:
f98f5e50 User-Name = "aaa@xxx.xx"
f98f5e50 Chargeable-User-Identity = <0>
f98f5e50 Location-Capable = CIVIC_LOCATION
f98f5e50 Calling-Station-Id = "b0-52-16-xx-xx-xx"
f98f5e50 Called-Station-Id = "a4-6c-2a-xx-xx-xx:eduroam"
f98f5e50 NAS-Port = 13
f98f5e50 cisco-avpair = "audit-session-id=0a01050b00d5de9e5c5c790a"
f98f5e50 Acct-Session-Id = "5c5c790a/b0:52:16:0a:27:f7/24493431"
f98f5e50 cisco-avpair = "mDNS=true"
f98f5e50 NAS-IP-Address = 10.1.5.11
f98f5e50 NAS-Identifier = "xxx"
f98f5e50 Airespace-WLAN-Id = 1
f98f5e50 Service-Type = Framed-User
f98f5e50 Framed-MTU = 1300
f98f5e50 NAS-Port-Type = Wireless-IEEE-802-11
f98f5e50 Tunnel-Type = 0:VLAN
f98f5e50 Tunnel-Medium-Type = 0:802
f98f5e50 Tunnel-Private-Group-ID = xxx
f98f5e50 EAP-Message = <1><1><0><8><227><255><252>(aaa@xxx.xx
f98f5e50 Message-Authenticator = <236><138><252><182><210>6<181>Xv<132><227><175><133>|<18><5>
f98f5e50 Thu Feb 7 18:30:40 2019: DEBUG: Handling request with Handler 'Realm = "/^xxx.xx$/i"', Identifier ''
f98f5e50 Thu Feb 7 18:30:40 2019: DEBUG: SessINTERNAL: Deleting session for aaa@xxx.xx, x.x.x.x, 13
f98f5e50 Thu Feb 7 18:30:40 2019: DEBUG: Handling with Radius::AuthFILE: outerEAPdetunneling
f98f5e50 Thu Feb 7 18:30:40 2019: INFO: Bad EAP message length 26, EAP length 8
f98f5e50 Thu Feb 7 18:30:40 2019: DEBUG: EAP result: 1, Bad EAP message length 26, EAP length 8
f98f5e50 Thu Feb 7 18:30:40 2019: DEBUG: AuthBy FILE result: REJECT, Bad EAP message length 26, EAP length 8
f98f5e50 Thu Feb 7 18:30:40 2019: INFO: Access rejected for aaa@xxx.xx: Bad EAP message length 26, EAP length 8
f98f5e50 Thu Feb 7 18:30:40 2019: DEBUG: Packet dump:
f98f5e50 *** Sending to 10.1.5.11 port 32777 ....
f98f5e50 Code: Access-Reject
f98f5e50 Identifier: 146
f98f5e50 Authentic: <188><20><241>$P<1>`<220><247><20><9>g<27><165><145>o
f98f5e50 Attributes:
f98f5e50 EAP-Message = <4><1><0><4>
f98f5e50 Message-Authenticator = l/<14>g}<136>J<149>$<197><235>#<251>%<161><142>
f98f5e50 Reply-Message = "Bad EAP message length 26, EAP length 8""
The sections of the configuration that seem relevant are:
"
<AuthBy LDAP2>
Identifier ADxxxCatalog2
Debug 255
Host z.z.z.z z.z.z.z
FailureBackoffTime 10
Port 3268
AuthDN CN=xxx
AuthPassword xxx
HoldServerConnection
BaseDN xxx
UsernameAttr userPrincipalName
NoCheckPassword
AuthAttrDef xx,yy,request
NoDefault
AcceptIfMissing
Version 3
NoEAP
</AuthBy>
<AuthBy GROUP>
Identifier ADxxxCatalog
AuthByPolicy ContinueWhileAccept
#ContinueUntilAcceptOrChallenge
<AuthBy NTLM>
UsernameFormat %U
UsernameMatchesWithoutRealm
Domain xxx.xx
EAPType MSCHAP-V2
AddToReply User-Name = %u
</AuthBy>
<AuthBy GROUP>
AuthByPolicy ContinueWhileAccept
RewriteUsername s/^([^@]+)\@yyy\.yy/$1\@xxx\.xx/
AuthBy ADcampusCatalog2
</AuthBy>
</AuthBy>
<AuthBy FILE>
Identifier outerEAPdetunneling
EAPType PEAP, TTLS, FAST
EAPAnonymous %0
EAPTLS_CAFile /etc/radiator/certs/xxx.ca-bundle
EAPTLS_CertificateFile /etc/radiator/certs/xxx.crt
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/radiator/certs/xxx.xx.key
EAPTLS_PEAPVersion 0
EAPTTLS_NoAckRequired
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
</AuthBy>
<Handler TunnelledByPEAP=1, Realm = "/^xxx.xx$/i">
StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
AuthBy ADcampusCatalog
AccountingHandled
RejectHasReason
AuthLog Statistics
AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802
PostProcessingHook file:"/etc/radiator/conf.d/vlanscript.pl"
</Handler>
<Handler TunnelledByTTLS=1, Realm = "/^xxx.xx$/i">
StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
AuthBy ADcampusCatalog
AccountingHandled
RejectHasReason
AuthLog Statistics
AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802
PostProcessingHook file:"/etc/radiator/conf.d/vlanscript.pl"
</Handler>
<Handler Realm = "/^xxx.xx$/i">
AuthBy outerEAPdetunneling
AccountingHandled
RejectHasReason
AuthLog Statistics
</Handler>"
Best regards
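The rejected request above carries an EAP-Message whose header says Length 8 while the attribute holds 26 bytes, and the RADIUS server refuses to process such a packet. The Python below is an added example, not Radiator's own code: it reassembles an EAP packet from the RADIUS EAP-Message attributes of a request and applies the header checks an EAP authenticator must do before trusting the contents (known Code, Length equal to the bytes actually received, a Type byte on Request/Response). All packets in it are constructed for illustration; the malformed one follows the printable dump above with the masked fields taken literally, so it reports 18 received bytes rather than 26.

```python
"""Consistency checks on EAP packets carried in RADIUS EAP-Message attributes.

Added example (not Radiator code). Sample packets are constructed.
"""
import struct

RADIUS_ATTR_EAP_MESSAGE = 79          # RFC 3579, section 3.1
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
RADIUS_ATTR_MAX_VALUE = 253           # an attribute value is at most 253 bytes


def split_eap_message(eap, max_len=RADIUS_ATTR_MAX_VALUE):
    """Split one EAP packet into (type, value) RADIUS attributes as a NAS does."""
    return [(RADIUS_ATTR_EAP_MESSAGE, eap[i:i + max_len])
            for i in range(0, len(eap), max_len)]


def reassemble_eap(attrs):
    """Concatenate every EAP-Message value in order; other attributes are ignored."""
    return b"".join(value for atype, value in attrs
                    if atype == RADIUS_ATTR_EAP_MESSAGE)


def check_eap(eap):
    """Validate the EAP header. Returns (ok, reason, fields).

    The length check is the one the log line reports: the number of bytes
    received in EAP-Message versus the Length field in the EAP header.
    """
    if len(eap) < 4:
        return False, "EAP packet shorter than the 4-byte header", None
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if code not in EAP_CODES:
        return False, f"Unknown EAP code {code}", None
    if length != len(eap):
        return False, f"Bad EAP message length {len(eap)}, EAP length {length}", None
    fields = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            return False, "Request/Response without a Type byte", None
        fields["type"] = eap[4]
        if eap[4] == EAP_TYPE_IDENTITY:
            fields["identity"] = eap[5:].decode("utf-8", errors="replace")
    return True, "", fields


def build_identity_response(ident, identity):
    """Build a well-formed EAP Response/Identity (Code 2, Type 1)."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


# Constructed from the printable dump in the post: Code 1, Id 1, Length 8,
# followed by more bytes than the header announces.
BAD_FROM_LOG = b"\x01\x01\x00\x08\xe3\xff\xfc(aaa@xxx.xx"

# Constructed: a 300-byte EAP Response of Type 25 (PEAP), which a NAS must
# spread over two EAP-Message attributes (253 + 47 bytes).
BIG_RESPONSE = struct.pack("!BBH", 2, 5, 300) + bytes([25]) + b"A" * 295


def demo():
    """Run the three cases; returns the (ok, reason) pairs for inspection."""
    results = []
    results.append(check_eap(BAD_FROM_LOG)[:2])
    results.append(check_eap(build_identity_response(1, b"aaa@xxx.xx"))[:2])
    results.append(check_eap(reassemble_eap(split_eap_message(BIG_RESPONSE)))[:2])
    for ok, reason in results:
        print("ACCEPT" if ok else f"REJECT: {reason}")
    return results


if __name__ == "__main__":
    demo()
```

The fragmentation case matters in practice: if a proxy or NAS reorders or drops one EAP-Message attribute of a multi-attribute packet, the reassembled bytes no longer match the header Length and the server logs exactly this kind of mismatch even though the supplicant sent a valid packet.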