Hello Henry,

Looks like you have not subscribed to the Radiator mailing list. I will try to help you with this problem, but you should subscribe and send all future requests to the mailing list.

In the log below, it shows that Radiator has received an EAP identity and has responded with an EAP-TLS start. This is the correct behaviour, and it shows that your Radiator configuration file is OK so far. I suspect that the problem is in the AP or the client. The most likely reason is that the XP client is not configured for EAP-TLS, and it is expecting something else like maybe EAP-MD5 etc. I would check your XP wireless client settings first.

Cheers.

On Wed, 17 Jul 2002 09:00, [EMAIL PROTECTED] wrote:
> From [EMAIL PROTECTED] Tue Jul 16 18:00:41 2002
> Received: from alicia.nttmcl.com (alicia.nttmcl.com [216.69.69.10])
>     by server1.open.com.au (8.11.0/8.11.0) with ESMTP id g6GN0f311978
>     for <[EMAIL PROTECTED]>; Tue, 16 Jul 2002 18:00:41 -0500
> Received: from hsu (dhcp252.nttmcl.com [216.69.69.252])
>     by alicia.nttmcl.com (8.10.1/8.10.1) with SMTP id g6GMxZ724001
>     for <[EMAIL PROTECTED]>; Tue, 16 Jul 2002 15:59:40 -0700 (PDT)
> Reply-To: <[EMAIL PROTECTED]>
> From: "Henry Su" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: EAP TLS
> Date: Tue, 16 Jul 2002 16:00:03 -0700
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: text/plain;
>     charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> Importance: Normal
>
> I am using Radiator 3.1 with patch on freeBSD4.5, my client is windows XP,
> AP is Orinoco AP1000, and openssl is 0.9.7 beta2.
>
> My problem is that it works partially, radius server get request and send
> challenge, but there's no further actions going on.
>
> I'm not sure how to set users for eap-tls. I just add following
>
> # For testing 802 1x (EAP-TLS)
> 1x-client
>
> Is it correct?

Yes, that's OK, but it's best to have a password too, just in case someone tries to do a dialup connection that uses that user entry. The password is not used or required by EAP-TLS.

>
> Could u pls point out me any clue? Thanks.
>
> Radius log:
> Tue Jul 16 15:13:58 2002: DEBUG: Packet dump:
> *** Received from 10.10.10.101 port 192 ....
> Code: Access-Request
> Identifier: 51
> Authentic: g<218>n<142><216><211>!<25><198><183><184><153><147><4>^P
> Attributes:
>     User-Name = "1x-client"
>     NAS-IP-Address = 10.10.10.101
>     Called-Station-Id = "00022d2e8a1a"
>     Calling-Station-Id = "00022d150780"
>     NAS-Identifier = "00-02-2D-15-07-80"
>     NAS-Port-Type = 19
>     Framed-MTU = 1400
>     EAP-Message = <2><4><0><14><1>1x-client
>     Message-Authenticator = <20><2><139><180><214><231><241><189><195>J<175>(<146><230><152>F
>
> Tue Jul 16 15:13:58 2002: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Jul 16 15:13:58 2002: DEBUG: Deleting session for 1x-client, 10.10.10.101,
> Tue Jul 16 15:13:58 2002: DEBUG: Handling with Radius::AuthFILE:
> Tue Jul 16 15:13:58 2002: DEBUG: Radius::AuthFILE looks for match with 1x-client
> Tue Jul 16 15:13:58 2002: DEBUG: Handling with EAP
> Tue Jul 16 15:13:58 2002: DEBUG: EAP code 2, 4, 14
> Tue Jul 16 15:13:58 2002: DEBUG: Response type 1
> Tue Jul 16 15:13:58 2002: DEBUG: Radius::AuthFILE CHALLENGE: EAP TLS Challenge
> Tue Jul 16 15:13:58 2002: DEBUG: Access challenged for 1x-client: EAP TLS Challenge
> Tue Jul 16 15:13:58 2002: DEBUG: Packet dump:
> *** Sending to 10.10.10.101 port 192 ....
> Code: Access-Challenge
> Identifier: 51
> Authentic: g<218>n<142><216><211>!<25><198><183><184><153><147><4>^P
> Attributes:
>     EAP-Message = <1><5><0><6><13>
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Ethereal dump:
> Frame 193 (172 on wire, 172 captured)
>     Arrival Time: Jul 16, 2002 14:21:26.741422000
>     Time delta from previous packet: 30.040387000 seconds
>     Time relative to first packet: 11703.517713000 seconds
>     Frame Number: 193
>     Packet Length: 172 bytes
>     Capture Length: 172 bytes
> Ethernet II
>     Destination: 00:80:c8:b9:ad:bd (D-Link_b9:ad:bd)
>     Source: 00:02:2d:15:07:80 (Agere_15:07:80)
>     Type: IP (0x0800)
> Internet Protocol, Src Addr: 10.10.10.101 (10.10.10.101), Dst Addr: 10.10.10.1 (10.10.10.1)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 158
>     Identification: 0x0043
>     Flags: 0x00
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 64
>     Protocol: UDP (0x11)
>     Header checksum: 0x5193 (correct)
>     Source: 10.10.10.101 (10.10.10.101)
>     Destination: 10.10.10.1 (10.10.10.1)
> User Datagram Protocol, Src Port: osu-nms (192), Dst Port: radius (1812)
>     Source port: osu-nms (192)
>     Destination port: radius (1812)
>     Length: 138
>     Checksum: 0x7249 (correct)
> Radius Protocol
>     Code: Access Request (1)
>     Packet identifier: 0xe (14)
>     Length: 130
>     Authenticator
>     Attribute value pairs
>         t:User Name(1) l:11, Value:"1x-client"
>         t:NAS IP Address(4) l:6, Value:10.10.10.101
>         t:Called Station Id(30) l:14, Value:"00022d2e8a1a"
>         t:Calling Station Id(31) l:14, Value:"00022d150780"
>         t:NAS identifier(32) l:19, Value:"00-02-2D-15-07-80"
>         t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11(19)
>         t:Framed MTU(12) l:6, Value:1400
>         t:EAP Message(79) l:16
>             Extensible Authentication Protocol
>                 Code: Response (2)
>                 Id: 1
>                 Length: 14
>                 Type: Identity [RFC2284] (1)
>                 Identity (9 bytes): 1x-client
>         t:Message Authenticator(80) l:18, Value:6DF2CB94176DE03541C3F701AC641E08
>
> Frame 194 (88 on wire, 88 captured)
>     Arrival Time: Jul 16, 2002 14:21:26.753859000
>     Time delta from previous packet: 0.012437000 seconds
>     Time relative to first packet: 11703.530150000 seconds
>     Frame Number: 194
>     Packet Length: 88 bytes
>     Capture Length: 88 bytes
> Ethernet II
>     Destination: 00:02:2d:15:07:80 (Agere_15:07:80)
>     Source: 00:80:c8:b9:ad:bd (D-Link_b9:ad:bd)
>     Type: IP (0x0800)
> Internet Protocol, Src Addr: 10.10.10.1 (10.10.10.1), Dst Addr: 10.10.10.101 (10.10.10.101)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 74
>     Identification: 0x6692
>     Flags: 0x00
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 64
>     Protocol: UDP (0x11)
>     Header checksum: 0xeb97 (correct)
>     Source: 10.10.10.1 (10.10.10.1)
>     Destination: 10.10.10.101 (10.10.10.101)
> User Datagram Protocol, Src Port: radius (1812), Dst Port: osu-nms (192)
>     Source port: radius (1812)
>     Destination port: osu-nms (192)
>     Length: 54
>     Checksum: 0x1f28 (correct)
> Radius Protocol
>     Code: Access challenge (11)
>     Packet identifier: 0xe (14)
>     Length: 46
>     Authenticator
>     Attribute value pairs
>         t:EAP Message(79) l:8
>             Extensible Authentication Protocol
>                 Code: Request (1)
>                 Id: 2
>                 Length: 6
>                 Type: EAP-TLS [RFC2716] [Aboba] (13)
>                 Flags(0x20): Start
>         t:Message Authenticator(80) l:18, Value:249C94D64B4ED518CEBDC54A053B4982
>
> ------------------------------------------------
> Henry Su
> NTT Multimedia Communications Laboratories, Inc.
> 250 Cambridge Avenue Suite 300
> Palo Alto, CA 94306, USA (PST:UTC -8H)
> Tel: +1 650 833 3652
> Fax: +1 650 326 1878
> http://www.nttmcl.com/

--
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory etc etc
on Unix, Win95/8, 2000, NT, MacOS 9, MacOS X etc etc

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
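
Added example, not part of the original messages and not Radiator code: a small decoder for the two EAP-Message values in the Radius log above, showing the Identity response followed by the EAP-TLS Start that the reply describes. It assumes the dump prints a non-printable byte as <n> (decimal) and everything else literally; undump and parse_eap are hypothetical helper names.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS"}
# EAP-TLS flags octet (RFC 2716): L, M and S bits
TLS_FLAGS = ((0x80, "Length-included"), (0x40, "More-fragments"), (0x20, "Start"))

# EAP-Message values copied from the Radius log in this thread.
IDENTITY = "<2><4><0><14><1>1x-client"
# The challenge declares 6 bytes but shows 5: the sixth is the flags octet
# 0x20 (Start in the Ethereal dump), which prints as a space.
TLS_START = "<1><5><0><6><13> "


def undump(text):
    """Assumed dump convention: <n> is one byte of decimal value n, the rest is literal."""
    out = bytearray()
    for num, lit in re.findall(r"<(\d{1,3})>|(.)", text, re.S):
        out.append(int(num) if num else ord(lit))
    return bytes(out)


def parse_eap(raw):
    """Decode the EAP header and, for Identity and EAP-TLS, the type data."""
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError(f"EAP length {length} does not fit {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    body = raw[4:length]
    if code in (1, 2) and body:
        pkt["type"] = EAP_TYPES.get(body[0], body[0])
        if body[0] == 1:
            pkt["identity"] = body[1:].decode("utf-8", "replace")
        elif body[0] == 13 and len(body) > 1:
            pkt["tls_flags"] = [n for bit, n in TLS_FLAGS if body[1] & bit]
    return pkt


if __name__ == "__main__":
    for label, dump in (("client", IDENTITY), ("server", TLS_START)):
        print(label, parse_eap(undump(dump)))
```

If the server's Start is the last EAP packet seen, the next message to look for in a capture is a client Response of type 13 carrying the TLS ClientHello.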