On 12/14/2011 08:11 AM, Indrajaya Pitra Perdana wrote:

> I try to setup EAP where cisco catalyst 2950 as authenticator and
> windows xp as the supplicant, but after i enter the credentials in Win
> xp, radiator send eap access challenge but never got replied by win XP
> and in the end the windows xp told me that the authentication is failed,
> am i missing something in my configuration? btw i'm using the demo cert
> provided by Radiator goodies, and imported the root.der and cert-clt.p12
> into my win xp, thanks

When configuring Windows PEAP settings, did you mark the imported
root.der as trusted CA? You need to both import the certificate and then
mark it as trusted for the SSID you are configuring.

The configuration and log snippets look good. The log shows Radiator
sending its certificate to Windows, so if there is no response, then
Windows may not be accepting the certificate yet.

If there are still problems, please reply with the full configuration
file and full Radiator log showing everything from the startup.

Thanks!

> Config file:
> 
> 
> <Handler TunnelledByPEAP=1>
>         MaxSessions 1
>         AuthByPolicy ContinueWhileAccept
> 
> 
> #<Realm DEFAULT>
>         <AuthBy SQL>
>                 DBSource        dbi:mysql:radius:localhost
>                 DBUsername      radius
>                 DBAuth          r4d1usLocal
> 
>                 AuthSelect select PASSWORD FROM SUBSCRIBERS WHERE
> USERNAME=%0
> 
>                 AcctColumnDef   User-Password, check
>                 AcctColumnDef   USERNAME,User-Name
>                 AcctColumnDef   TIME_STAMP,Timestamp,integer
>                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>                 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>                 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>                 AcctColumnDef   NASPORT,NAS-Port,integer
>                 EAPType MSCHAP-V2
>          #      EAPType PEAP
>         </AuthBy>
> 
> </Handler>
> 
> <Handler>
> 
>         <AuthBy SQL>
>                 DBSource        dbi:mysql:radius:localhost
>                 DBUsername      radius
>                 DBAuth          r4d1usLocal
> 
>                 AuthSelect select PASSWORD FROM SUBSCRIBERS WHERE
> USERNAME=%0
> 
>                 AcctColumnDef   User-Password, check
>                 AcctColumnDef   USERNAME,User-Name
>                 AcctColumnDef   TIME_STAMP,Timestamp,integer
>                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>                 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>                 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>                 AcctColumnDef   NASPORT,NAS-Port,integer
> 
>                 EAPType PEAP
>           #     EAPType MSCHAP-V2
>                 EAPTLS_CAFile
> /usr/share/doc/packages/Radiator/certificates/demoCA/cacert.pem
>                 EAPTLS_CertificateFile
> /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile
> /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
>                 EAPTLS_PrivateKeyPassword whatever
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
> 
>         </AuthBy>
> 
> </Handler>
> 
> 
> Debug:
> 
> *** Received from 202.53.249.28 port 1812 ....
> Code:       Access-Request
> Identifier: 55
> Authentic:  S<155><173>*<150><226><172><149>!<245>i<30>B<229><133><211>
> Attributes:
>         NAS-IP-Address = 202.53.249.28
>         NAS-Port = 50011
>         NAS-Port-Type = Ethernet
>         User-Name = "indrajaya"
>         Calling-Station-Id = "00-1B-38-A5-45-A5"
>         Service-Type = Framed-User
>         EAP-Message =
> <2><148><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>N<232>;<17><191>k<228><146><254>'<27>U<187><187><26>nf%NK<154><8>-<198><186>8<129>u<170><210>#P<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
>         Message-Authenticator =  <220>DJ<146>1M<9>S5"q<132><197>x<19>
> 
> Wed Dec 14 12:57:29 2011: DEBUG: Handling request with Handler '',
> Identifier ''
> Wed Dec 14 12:57:29 2011: DEBUG:  Deleting session for indrajaya,
> 202.53.249.28, 50011
> Wed Dec 14 12:57:29 2011: DEBUG: do query is: 'delete from RADONLINE
> where NASIDENTIFIER = '202.53.249.28' and NASPORT = 050011':
> Wed Dec 14 12:57:29 2011: DEBUG: Handling with Radius::AuthSQL:
> Wed Dec 14 12:57:29 2011: DEBUG: Handling with Radius::AuthSQL:
> Wed Dec 14 12:57:29 2011: DEBUG: Handling with EAP: code 2, 148, 80, 25
> Wed Dec 14 12:57:29 2011: DEBUG: Response type 25
> Wed Dec 14 12:57:29 2011: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Wed Dec 14 12:57:29 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Dec 14 12:57:29 2011: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP
> Challenge
> Wed Dec 14 12:57:29 2011: DEBUG: Access challenged for indrajaya: EAP
> PEAP Challenge
> Wed Dec 14 12:57:29 2011: DEBUG: Packet dump:
> *** Sending to 202.53.249.28 port 1812 ....
> Code:       Access-Challenge
> Identifier: 55
> Authentic:  <3>.<248><243>a<172>b`<181>l<138>E<214>6<154><213>
> Attributes:
>         EAP-Message =
> <1><149><3><242><25><192><0><0><7><178><22><3><1><0>J<2><0><0>F<3><1>N<232>:<201><12><1><17><235>z<22><181>
> <186><171><150>9<252>@|q<18>,R<134><203>\<27>Vf<27><133><136>
> <247>B<140><150>j'<152><24>C<163><228><244>_<150>i<141><176><252><149><177>T<182>R8<159><178><20><187><19>Q<22>!<0><4><0><22><3><1><7>U<11><0><7>Q<0><7>N<0><2><251>0<130><2><247>0<130><2>`<160><3><2><1><2><2><1><2>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate Sec
>         EAP-Message = tion1/0-<6><3>U<4><3><19>&OSC Test CA (do not use
> in production)1
> 0<30><6><9>*<134>H<134><247><13><1><9><1><22><17>mi...@open.com.au0<30><23><13>100128213155Z<23><13>120128213155Z0<129><158>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Test Certificate
> Section1%0#<6><3>U<4><3><19><28>t
>         EAP-Message =
> est.server.some.company.com0<129><159>0<13><6><9>*<134>H<134><247><13><1><1><1><5><0><3><129><141><0>0<129><137><2><129><129><0><203>?(<193><229><128><183><136>q<166><202><21><168><224><157>M<139><204>{<209><131><10><156><164><254>Z<214><231><254>g<245>+y~<210><147><171><8><131><143><139><186>{<221><224>)<161>`<140>z<193><247><244><210><152><149><4><204><225><139><204><159><29><1><12><162><219><142><176>)/<189><163>vV<208><250><213><212><144><137><211><2
> 07><10><215><19><206><14><228>umT<7><239><198>_Y<231><197><202><14><166><211><145><181><226><226>|<201>E<128>F<165><189><<250><20><18><227>6t<243><177>ZNv<133><153><2><3><1><0><1><163><23>0<21>0<19><6><3>U<29>%<4><12>0<10><6><8>+<6><1><5><5><7><3><1>0<13><6><9>*<134>H<134><247><13><1><1><5><5><0><3><129><129><0><30><137>N<139><212>><249><25><151><161>N<31><183><246><141>'<233>V<198><203>
>         EAP-Message =
> <206><146>9*<19><219>0<28><209><244>e<17><199>`<236>g<189>q<<200><185>{<219><252><31>+<245><10><208>M<181>!<248><20><1>K)E<2><158><128>#<169><162><179><224>W08<19><<16>ts<226>~<11>4<8><251>!d<201><223><230>~E<133><166>r<0>:<19>4<206>D<136>8<232>n<26><195>v<13><192>&ws<175>n@0D<175><29>E<162>:<239>d
> <17>?<153><184>C4?<0><4>M0<130><4>I0<130><3><178><160><3><2><1><2><2><9><0><249><170>@<232><246>7<146>$0<13><6><9>*<134>H<134><247><13><1><1><5><5><0>0<129><202>1<11>0<9><6><3>U<4><6><19><2>AU1<17>0<15><6><3>U<4><8><19><8>Victoria1<18>0<16><6><3>U<4><7><19><9>Melbourne1<30>0<28><6><3>U<4><10><19><21>OSC
> Demo Certificates1!0<31><6><3>U<4><11><19><24>Tes
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> 
> 
> 
> -- 
> /Regards,
> Indrajaya Pitra Perdana/
> 
> 
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Reply via email to