Re: (RADIATOR) Can't get PEAP to work, need help.

2003-06-24 Thread Jerome Fleury
--On Tuesday 24 June 2003 09:26 +1000 Mike McCauley [EMAIL PROTECTED] wrote:

 Hello Jeremy,
 
 thanks for the full log.
 
 Looks like Radiator is not seeing a completed client hello from your client: 
 its still waiting for the client hello to be closed off.
 This is very puzzling: your client is behaving differently to other clients we 
 have observed.
 
 What PEAP client are you using?

Well, this is quite strange as I use both Windows2000 client (hotfix from Microsoft)
and Funk Odyssey client, giving the same bad result.

Maybe the source of the problem could be the AP (Cisco 1200) or the client card
(Orinoco, one of the first Lucent ones indeed) ?

--
Jerome Fleury
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.


Re: (RADIATOR) Can't get PEAP to work, need help.

2003-06-24 Thread Mike McCauley
Hello Jerome,


On Tue, 24 Jun 2003 08:32 pm, Jerome Fleury wrote:
 --On Tuesday 24 June 2003 09:26 +1000 Mike McCauley [EMAIL PROTECTED] wrote:
  Hello Jeremy,
 
  thanks for the full log.
 
  Looks like Radiator is not seeing a completed client hello from your
  client: its still waiting for the client hello to be closed off.
  This is very puzzling: your client is behaving differently to other
  clients we have observed.
 
  What PEAP client are you using?

 Well, this is quite strange as I use both Windows2000 client (hotfix from
 microsoft) and Funk Odyssey client, giving the same bad result.

 Maybe the source of the problem could be the AP (Cisco 1200) or the client
 card (Orinoco, one of the first Lucent ones indeed) ?

Hmm, it's possible.
Do you have the latest firmware in both the AP and the client card?
Is your AP configured for unusually large or small MTUs? Around 1100 would be 
about normal for an AP.



 --
 Jerome Fleury

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.



Re: (RADIATOR) Can't get PEAP to work, need help.

2003-06-24 Thread Mike McCauley
Hello Jerome,


On Tue, 24 Jun 2003 08:32 pm, Jerome Fleury wrote:
 --On Tuesday 24 June 2003 09:26 +1000 Mike McCauley [EMAIL PROTECTED] wrote:
  Hello Jeremy,
 
  thanks for the full log.
 
  Looks like Radiator is not seeing a completed client hello from your
  client: its still waiting for the client hello to be closed off.
  This is very puzzling: your client is behaving differently to other
  clients we have observed.
 
  What PEAP client are you using?

 Well, this is quite strange as I use both Windows2000 client (hotfix from
 microsoft) and Funk Odyssey client, giving the same bad result.

 Maybe the source of the problem could be the AP (Cisco 1200) or the client
 card (Orinoco, one of the first Lucent ones indeed) ?

OK, I have just retested here with the latest Odyssey 2.0 client and Windows 
2000. I can see that the latest Odyssey client does in fact act differently 
on 2000, nevertheless Radiator worked ok here with it with a successful 
authentication.

So now I am back to wondering why Radiator did not respond to the client 
hello. Normally it responds with the server certificate.

I have looked closely again at your log file and I see something else strange:

Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
Mon Jun 23 14:04:09 2003: ERR: jeje - want read
Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465, 

It seems not to have recognised that reason 2 is WANT_READ and instead 
reported an error.
This indicates that there is a problem with either the openssl install or the 
Net_SSLeay install.
I'm sorry I did not see this before.

You mentioned previously that you installed the 'latest' openssl but I think 
you did not say which version.

Here we use openssl 0.9.7 and Net_SSLeay 1.22.

Caution: openssl 0.9.7 behaves differently to older versions in that it installs 
its libs and headers in a different place (defaults to /usr/local/ssl). If you 
have an older version or an RPM installed version, it's possible that 
Net_SSLeay will link with the wrong version.
I usually let openssl install in its default place (/usr/local/ssl) then 
configure Net_SSLeay to use it with

perl Makefile.PL /usr/local/ssl

I strongly suggest you:

1. Ensure there are no old versions of ssl, openssl or Net_SSLeay installed on 
your host.
2. Compile and install openssl 0.9.7
3. Compile and install Net_SSLeay 1.22 (using the Makefile.PL /usr/local/ssl 
arg above)

Cheers.



 --
 Jerome Fleury

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955
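
Decoding the "SSL_accept result: -1, 2, 8465" triple discussed in this message, as an added example that is not part of the original post or of Radiator. It assumes the three logged values are the SSL_accept return code, the SSL_get_error reason and the OpenSSL handshake state (as in the debug code quoted in this thread) and uses the state constants from the OpenSSL 0.9.x ssl3.h; all function and variable names are hypothetical.

```python
import re

# SSL_get_error() reason codes, as defined in openssl/ssl.h.
SSL_ERRORS = {
    0: "SSL_ERROR_NONE",
    1: "SSL_ERROR_SSL",
    2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE",
    4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL",
    6: "SSL_ERROR_ZERO_RETURN",
    7: "SSL_ERROR_WANT_CONNECT",
    8: "SSL_ERROR_WANT_ACCEPT",
}
# Reasons that mean "call again when more data is available", not a failure.
RETRYABLE = {2, 3}

# Legacy (0.9.x) handshake state encoding: SSL_ST_ACCEPT OR-ed with a sub-state.
SSL_ST_ACCEPT = 0x2000
SERVER_HELLO_STATES = {
    0x110: "SSL3_ST_SR_CLNT_HELLO_A",
    0x111: "SSL3_ST_SR_CLNT_HELLO_B",
    0x112: "SSL3_ST_SR_CLNT_HELLO_C",
}

RESULT_RE = re.compile(r"DEBUG: EAP TLS SSL_accept result: (-?\d+), (\d+), (\d+)")
ERROR_RE = re.compile(r"ERR: EAP TLS error: (-?\d+), (\d+), (\d+)")

# Log lines copied from the thread.
SAMPLE_LOG = """\
Mon Jun 23 14:04:09 2003: DEBUG: Response type 25
Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
Mon Jun 23 14:04:09 2003: ERR: jeje - want read
Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465, 
Mon Jun 23 14:04:09 2003: DEBUG: Access challenged for testUser: EAP PEAP Challenge
""".splitlines()

# Constructed for contrast (not from the thread): reason 1 is a real TLS failure.
CONSTRUCTED_FAILURE = [
    "Mon Jun 23 14:05:00 2003: DEBUG: EAP TLS SSL_accept result: -1, 1, 8465",
    "Mon Jun 23 14:05:00 2003: ERR: EAP TLS error: -1, 1, 8465, ",
]


def decode_state(state):
    """Name the server-side client-hello states; fall back to hex otherwise."""
    if state & SSL_ST_ACCEPT:
        name = SERVER_HELLO_STATES.get(state & 0x0FFF)
        if name:
            return name
    return "0x%04x" % state


def verdict(reason, logged_as_error):
    """Classify one SSL_accept result for triage."""
    if reason in RETRYABLE:
        if logged_as_error:
            return "retryable condition logged as ERR"
        return "handshake incomplete, waiting for peer data"
    if reason == 0:
        return "handshake step completed"
    return "handshake failure"


def triage(lines):
    """Return one finding per SSL_accept result line found in the log."""
    findings = []
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            triple = tuple(int(g) for g in m.groups())
            findings.append({
                "triple": triple,
                "reason": SSL_ERRORS.get(triple[1], "unknown(%d)" % triple[1]),
                "state": decode_state(triple[2]),
                "logged_as_error": False,
            })
            continue
        m = ERROR_RE.search(line)
        if m and findings:
            # An ERR line carrying the same triple belongs to the last result.
            if tuple(int(g) for g in m.groups()) == findings[-1]["triple"]:
                findings[-1]["logged_as_error"] = True
    for f in findings:
        f["verdict"] = verdict(f["triple"][1], f["logged_as_error"])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG) + triage(CONSTRUCTED_FAILURE):
        print(f["triple"], f["reason"], f["state"], "->", f["verdict"])
```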



Re: (RADIATOR) Can't get PEAP to work, need help.

2003-06-24 Thread Jerome Fleury
--On Tuesday, June 24, 2003 09:58:28 PM +1000 Mike McCauley [EMAIL PROTECTED] wrote:

 Hello Jerome,
 
 
 On Tue, 24 Jun 2003 08:32 pm, Jerome Fleury wrote:
 --On Tuesday 24 June 2003 09:26 +1000 Mike McCauley [EMAIL PROTECTED] wrote:
  Hello Jeremy,
  
  thanks for the full log.
  
  Looks like Radiator is not seeing a completed client hello from your
  client: its still waiting for the client hello to be closed off.
  This is very puzzling: your client is behaving differently to other
  clients we have observed.
  
  What PEAP client are you using?
 
 Well, this is quite strange as I use both Windows2000 client (hotfix from
 microsoft) and Funk Odyssey client, giving the same bad result.
 
 Maybe the source of the problem could be the AP (Cisco 1200) or the client
 card (Orinoco, one of the first Lucent ones indeed) ?
 
 OK, I have just retested here with the latest Odyssey 2.0 client and Windows 
 2000. I can see that the latest Odyssey client does in fact act differently 
 on 2000, nevertheless Radiator worked ok here with it with a successful 
 authentication
 
 So now I am back to wondering why Radaitor did not respond to the client 
 hello. Normally it responds with the server certificate.
 
 I have looked closely again at your log file and I see something else strange:
 
 Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
 Mon Jun 23 14:04:09 2003: ERR: jeje - want read
 Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465, 
 
 it seems not to have recognised that reason 2 is WANT_READ and instead 
 reported  an error.
 This indicates that there is a problem with either the openssl install oor the 
 Net_SSLeay install.
 Im sorry I did not see this before.

No that's me sorry not to have precised this: I added some debug code in the
WANT_READ condition block:

    elsif ($reason == ERROR_WANT_READ)
    {
        $self->log($main::LOG_ERR, "jeje - want read", $p);
        my $errs = Net::SSLeay::print_errs();
        $self->log($main::LOG_ERR, "EAP TLS error: $ret, $reason, $state, $errs");
        $self->eap_failure($p->{rp}, $context);

        # Looking for more data, just ack this
    }

So that it recognizes WANT_READ well. Sorry for giving you a bad path.


 I strongly suggest you :
 
 1. Ensure there are no old versions of ssl, openssl or Net_SSLeay installed on 
 your host.

No, old older versions are overrided.

 2. Compile and install openssl 0.9.7

done.

 3. Compile and install Net_SSLeay 1.22 (using the Makefile.PL /usr/local/ssl 
 arg above)

done (1.23)

At this point, I think I'll try on another fresh Unix install.

Thanks for your help Mike.
--
Jerome Fleury


Re: (RADIATOR) Can't get PEAP to work, need help.

2003-06-24 Thread Mike McCauley
Hello Jerome,

On Wed, 25 Jun 2003 01:37 am, Jerome Fleury wrote:
 --On Tuesday, June 24, 2003 09:58:28 PM +1000 Mike McCauley 
[EMAIL PROTECTED] wrote:
  Hello Jerome,
 
  On Tue, 24 Jun 2003 08:32 pm, Jerome Fleury wrote:
  --On Tuesday 24 June 2003 09:26 +1000 Mike McCauley [EMAIL PROTECTED] wrote:
   Hello Jeremy,
  
   thanks for the full log.
  
   Looks like Radiator is not seeing a completed client hello from your
   client: its still waiting for the client hello to be closed off.
   This is very puzzling: your client is behaving differently to other
   clients we have observed.
  
   What PEAP client are you using?
 
  Well, this is quite strange as I use both Windows2000 client (hotfix
  from microsoft) and Funk Odyssey client, giving the same bad result.
 
  Maybe the source of the problem could be the AP (Cisco 1200) or the
  client card (Orinoco, one of the first Lucent ones indeed) ?
 
  OK, I have just retested here with the latest Odyssey 2.0 client and
  Windows 2000. I can see that the latest Odyssey client does in fact act
  differently on 2000, nevertheless Radiator worked ok here with it with a
  successful authentication
 
  So now I am back to wondering why Radaitor did not respond to the client
  hello. Normally it responds with the server certificate.
 
  I have looked closely again at your log file and I see something else
  strange:
 
  Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
  Mon Jun 23 14:04:09 2003: ERR: jeje - want read
  Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465,
 
  it seems not to have recognised that reason 2 is WANT_READ and instead
  reported  an error.
  This indicates that there is a problem with either the openssl install
  oor the Net_SSLeay install.
  Im sorry I did not see this before.

 No that's me sorry not to have precised this: I added some debug code in
 the WANT_READ condition block:

     elsif ($reason == ERROR_WANT_READ)
     {
         $self->log($main::LOG_ERR, "jeje - want read", $p);
         my $errs = Net::SSLeay::print_errs();
         $self->log($main::LOG_ERR, "EAP TLS error: $ret, $reason, $state, $errs");
         $self->eap_failure($p->{rp}, $context);

         # Looking for more data, just ack this
     }

 So that it recognizes WANT_READ well. Sorry for giving you a bad path.

OK. I understand now.
If you are convinced the openssl/Net_SSLeay install is OK, it's time to look at 
your config. Are you testing with the example eap_peap.cfg file, and the test 
certificates we supply?
May we see your config file (no secrets)?


  I strongly suggest you :
 
  1. Ensure there are no old versions of ssl, openssl or Net_SSLeay
  installed on your host.

 No, old older versions are overrided.

  2. Compile and install openssl 0.9.7

 done.

  3. Compile and install Net_SSLeay 1.22 (using the Makefile.PL
  /usr/local/ssl arg above)

 done (1.23)

OK. Tested OK with 1.23 here.



 At this point, I think I'll try on an other fresh Unix install.

OK.


Cheers.


 Thanks for your help Mike.
 --
 Jerome Fleury

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd   Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955



Re: (RADIATOR) Can't get PEAP to work, need help.

2003-06-23 Thread Jerome Fleury
--On Friday, June 20, 2003 10:10:46 AM +1000 Hugh Irvine [EMAIL PROTECTED] wrote:

 
 Salut Jerome -
 
 It looks like Radiator is crashing if the log stops as shown. You will need to look 
 at the
 Perl output to see what the error is, but it is usually a missing module that has 
 not been
 loaded. The easiest way to see what is happening is to run radiusd from the command 
 line like
 this:
 
   perl radiusd -foreground -log_stdout -trace 4 -config_file .
 
 where  is the name of your configuration file.

Thanks for help Hugh.

I tried this, but the server is not crashing. It just stops processing. Added some
debug in the EAP_25.pm code and got this:

 Mon Jun 23 14:04:09 2003: DEBUG: Handling request with Handler ''
Mon Jun 23 14:04:09 2003: DEBUG:  Deleting session for testUser, 172.30.24.10, 78
Mon Jun 23 14:04:09 2003: DEBUG: Handling with Radius::AuthFILE: 
Mon Jun 23 14:04:09 2003: DEBUG: Handling with EAP: code 2, 2, 94
Mon Jun 23 14:04:09 2003: DEBUG: Response type 25
Mon Jun 23 14:04:09 2003: DEBUG: jeje - else2
Mon Jun 23 14:04:09 2003: DEBUG: jeje - 25,  PEAP
Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
Mon Jun 23 14:04:09 2003: ERR: jeje - want read
Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465, 
Mon Jun 23 14:04:09 2003: DEBUG: Access challenged for testUser: EAP PEAP Challenge
Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
*** Sending to 172.30.24.10 port 1645 
Code:   Access-Challenge
Identifier: 215
Authentic:  NW237T?254DT20214622|z4219161
Attributes:
EAP-Message = 4204
Signature = 
EAP-Message = 1306250


It seems like I'm stuck in the ERROR_WANT_READ block code, which does nothing, and
this does this all the time, whether I'm doing EAP-TTLS or EAP-PEAP. It looks
definitely like a Radiator/SSL issue, but I'm stuck by this lack of information.
First I guessed it was my version of OpenSSL (it was 0.9.6c), but after upgrading to
the most recent one, I still have this problem.

I'm looking forward to any suggestion one could have.


 Note the list of prerequisite modules that are listed in the comment block at the 
 top of the
 eap_peap.cfg file.
 
 regards
 
 Hugh
 
 
 On Thursday, Jun 19, 2003, at 23:49 Australia/Melbourne, Jerome Fleury wrote:
 
 Here is the test config:
 
 Client: Cisco Aironet/Orinoco
 802.1X client: 2000+hotfix/Funk Odyssey
 AP: Cisco Aironet 1100
 
 I use the test config from goodies/eap_peap.cfg with this modification:
 
  Filename %D/users-wifi
 
 (is there any special entry to put in this file ? anonymous user ?)
 
 As soon as I enter my credentials (802.1X identification window from 
 Windows 2000 appears), the
 radius request launches from the AP:
 
 .Jun 19 13:42:01.250: dot11_dot1x_run_rfsm: current state CLIENT_WAIT, 
 received CLIENT_REPLY,
 mac: 0060.1df0.3503
 .Jun 19 13:42:01.250: dot11_dot1x_send_response_to_server: Sending 
 client data to server
 .Jun 19 13:42:01.251: RADIUS/ENCODE(3489): acct_session_id: 13473
 .Jun 19 13:42:01.251: RADIUS(3489): sending
 .Jun 19 13:42:01.252: RADIUS: Send to unknown id 44 172.30.19.3:1812, 
 Access-Request, len 128
 .Jun 19 13:42:01.252: RADIUS:  authenticator 52 44 49 1C E4 86 B3 78 - 
 E9 F8 87 6C B1 59 CA FF
 .Jun 19 13:42:01.252: RADIUS:  User-Name   [1]   5   ben
 .Jun 19 13:42:01.252: RADIUS:  Framed-MTU  [12]  6   1400
 .Jun 19 13:42:01.252: RADIUS:  Called-Station-Id   [30]  16  
 0002.8a5b.400f
 .Jun 19 13:42:01.252: RADIUS:  Calling-Station-Id  [31]  16  
 0060.1df0.3503
 .Jun 19 13:42:01.252: RADIUS:  NAS-Port-Type   [61]  6   802.11 
 wireless   [19]
 .Jun 19 13:42:01.252: RADIUS:  Message-Authenticato[80]  18  *
 .Jun 19 13:42:01.252: RADIUS:  EAP-Message [79]  8
 .Jun 19 13:42:01.253: RADIUS:   02 03 00 06
   []
 .Jun 19 13:42:01.253: RADIUS:  NAS-Port-Type   [61]  6   Virtual   
 [5]
 .Jun 19 13:42:01.253: RADIUS:  NAS-Port[5]   6   159
 .Jun 19 13:42:01.253: RADIUS:  Service-Type[6]   6   Login 
 [1]
 .Jun 19 13:42:01.254: RADIUS:  NAS-IP-Address  [4]   6   
 172.30.24.10
 .Jun 19 13:42:01.254: RADIUS:  Nas-Identifier  [32]  9   ap2.gre
 .Jun 19 13:42:06.253: RADIUS: Retransmit to (172.30.19.3:1812,1813) 
 for id 44
 .Jun 19 13:42:12.056: RADIUS: Retransmit to (172.30.19.3:1812,1813) 
 for id 44
 .Jun 19 13:42:17.057: RADIUS: Retransmit to (172.30.19.3:1812,1813) 
 for id 44
 .Jun 19 13:42:21.899: dot11_dot1x_parse_client_pak: Received EAPOL 
 packet from 0060.1df0.3503
 .Jun 19 13:42:21.899: EAPOL pak dump rx
 .Jun 19 13:42:21.899: EAPOL Version: 0x1  type: 0x1  length: 0x
 00E126C0:  0101
 .Jun 19 13:42:21.899: dot11_dot1x_run_rfsm: current state SERVER_WAIT, 
 received EAP_START, mac:
 0060.1df0.3503
 .Jun 19 13:42:21.900: dot11_dot1x_ignore_event: Ignore event: do 
 nothing
 .Jun 19 13:42:22.188: RADIUS: 

Re: (RADIATOR) Can't get PEAP to work, need help.

2003-06-23 Thread Mike McCauley
Hello Jerome,

My experience with this type of behaviour is that the real cause of the 
actually occurred long before. What happens is that Radiator declines to 
reply to a request for some reason, and then you see a number of 
retransmissions.

We will need to see _all_ of the Radiator log file from the start of the 
authentication attempt until the end. I think then we will see why Radiator 
is not responding to the client's requests.

Cheers.



On Mon, 23 Jun 2003 10:22 pm, Jerome Fleury wrote:
 --On Friday, June 20, 2003 10:10:46 AM +1000 Hugh Irvine [EMAIL PROTECTED] 
wrote:
  Salut Jerome -
 
  It looks like Radiator is crashing if the log stops as shown. You will
  need to look at the Perl output to see what the error is, but it is
  usually a missing module that has not been loaded. The easiest way to see
  what is happening is to run radiusd from the command line like this:
 
  perl radiusd -foreground -log_stdout -trace 4 -config_file .
 
  where  is the name of your configuration file.

 Thanks for help Hugh.

 I tried this, but the server is not crashing. It just stops processing.
 Added some debug in the EAP_25.pm code and got this:

  Mon Jun 23 14:04:09 2003: DEBUG: Handling request with Handler ''
 Mon Jun 23 14:04:09 2003: DEBUG:  Deleting session for testUser, 172.30.24.10, 78
 Mon Jun 23 14:04:09 2003: DEBUG: Handling with Radius::AuthFILE:
 Mon Jun 23 14:04:09 2003: DEBUG: Handling with EAP: code 2, 2, 94
 Mon Jun 23 14:04:09 2003: DEBUG: Response type 25
 Mon Jun 23 14:04:09 2003: DEBUG: jeje - else2
 Mon Jun 23 14:04:09 2003: DEBUG: jeje - 25,  PEAP
 Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
 Mon Jun 23 14:04:09 2003: ERR: jeje - want read
 Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465,
 Mon Jun 23 14:04:09 2003: DEBUG: Access challenged for testUser: EAP PEAP Challenge
 Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
 *** Sending to 172.30.24.10 port 1645 
 Code:   Access-Challenge
 Identifier: 215
 Authentic:  NW237T?254DT20214622|z4219161
 Attributes:
 EAP-Message = 4204
 Signature = 
 EAP-Message = 1306250


 It seems like I'm stuck in the ERROR_WANT_READ block code, which does
 nothing, and this does this all the time, wether I'm doing EAP-TTLS or
 EAP-PEAP. It looks definitely like a Radiator/SSL issue, but I'm stuck by
 this lack of information.
 First I guessed it was my version of OpenSSL (it was 0.9.6c), but after
 upgrading to the most recent one, I still have this problem.

 I'm looking forward to any suggestion one could have.

  Note the list of prerequisite modules that are listed in the comment
  block at the top of the eap_peap.cfg file.
 
  regards
 
  Hugh
 
  On Thursday, Jun 19, 2003, at 23:49 Australia/Melbourne, Jerome Fleury 
wrote:
  Here is the test config:
 
  Client: Cisco Aironet/Orinoco
  802.1X client: 2000+hotfix/Funk Odyssey
  AP: Cisco Aironet 1100
 
  I use the test config from goodies/eap_peap.cfg with this modification:
 
   Filename %D/users-wifi
 
  (is there any special entry to put in this file ? anonymous user ?)
 
  As soon as I enter my credentials (802.1X identification window from
  Windows 2000 appears), the
  radius request launches from the AP:
 
  .Jun 19 13:42:01.250: dot11_dot1x_run_rfsm: current state CLIENT_WAIT,
  received CLIENT_REPLY,
  mac: 0060.1df0.3503
  .Jun 19 13:42:01.250: dot11_dot1x_send_response_to_server: Sending
  client data to server
  .Jun 19 13:42:01.251: RADIUS/ENCODE(3489): acct_session_id: 13473
  .Jun 19 13:42:01.251: RADIUS(3489): sending
  .Jun 19 13:42:01.252: RADIUS: Send to unknown id 44 172.30.19.3:1812,
  Access-Request, len 128
  .Jun 19 13:42:01.252: RADIUS:  authenticator 52 44 49 1C E4 86 B3 78 -
  E9 F8 87 6C B1 59 CA FF
  .Jun 19 13:42:01.252: RADIUS:  User-Name   [1]   5   ben
  .Jun 19 13:42:01.252: RADIUS:  Framed-MTU  [12]  6   1400
  .Jun 19 13:42:01.252: RADIUS:  Called-Station-Id   [30]  16
  0002.8a5b.400f
  .Jun 19 13:42:01.252: RADIUS:  Calling-Station-Id  [31]  16
  0060.1df0.3503
  .Jun 19 13:42:01.252: RADIUS:  NAS-Port-Type   [61]  6   802.11
  wireless   [19]
  .Jun 19 13:42:01.252: RADIUS:  Message-Authenticato[80]  18  *
  .Jun 19 13:42:01.252: RADIUS:  EAP-Message [79]  8
  .Jun 19 13:42:01.253: RADIUS:   02 03 00 06
[]
  .Jun 19 13:42:01.253: RADIUS:  NAS-Port-Type   [61]  6   Virtual
  [5]
  .Jun 19 13:42:01.253: RADIUS:  NAS-Port[5]   6   159
  .Jun 19 13:42:01.253: RADIUS:  Service-Type[6]   6   Login
  [1]
  .Jun 19 13:42:01.254: RADIUS:  NAS-IP-Address  [4]   6
  172.30.24.10
  .Jun 19 13:42:01.254: RADIUS:  Nas-Identifier  [32]  9   ap2.gre
  .Jun 19 13:42:06.253: RADIUS: Retransmit to (172.30.19.3:1812,1813)
  for id 44
  .Jun 19 13:42:12.056: RADIUS: Retransmit to (172.30.19.3:1812,1813)
  for id 44
  .Jun 19 13:42:17.057: RADIUS: Retransmit to 

RE: (RADIATOR) Can't get PEAP to work, need help.

2003-06-23 Thread Tom Rixom
Make sure you have the correct/latest SSLeay library.

The output message that Radiator sends back looks weird:

EAP-Message = 4204
Signature = 
EAP-Message = 1306250

Two EAP-Messages? One reject and one PEAP ack

Regards,

Tom.

 -Original Message-
 From: Jerome Fleury [mailto:[EMAIL PROTECTED]
 Sent: Monday, June 23, 2003 2:23 PM
 To: Hugh Irvine
 Cc: [EMAIL PROTECTED]
 Subject: Re: (RADIATOR) Can't get PEAP to work, need help.
 
 
 --On Friday, June 20, 2003 10:10:46 AM +1000 Hugh Irvine 
 [EMAIL PROTECTED] wrote:
 
  
  Salut Jerome -
  
  It looks like Radiator is crashing if the log stops as 
 shown. You will need to look at the
  Perl output to see what the error is, but it is usually a 
 missing module that has not been
  loaded. The easiest way to see what is happening is to run 
 radiusd from the command line like
  this:
  
  perl radiusd -foreground -log_stdout -trace 4 -config_file .
  
  where  is the name of your configuration file.
 
 Thanks for help Hugh.
 
 I tried this, but the server is not crashing. It just stops 
 processing. Added some debug in the
 EAP_25.pm code and got this:
 
  Mon Jun 23 14:04:09 2003: DEBUG: Handling request with Handler ''
 Mon Jun 23 14:04:09 2003: DEBUG:  Deleting session for 
 testUser, 172.30.24.10, 78
 Mon Jun 23 14:04:09 2003: DEBUG: Handling with Radius::AuthFILE: 
 Mon Jun 23 14:04:09 2003: DEBUG: Handling with EAP: code 2, 2, 94
 Mon Jun 23 14:04:09 2003: DEBUG: Response type 25
 Mon Jun 23 14:04:09 2003: DEBUG: jeje - else2
 Mon Jun 23 14:04:09 2003: DEBUG: jeje - 25,  PEAP
 Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: 
 -1, 2, 8465
 Mon Jun 23 14:04:09 2003: ERR: jeje - want read
 Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465, 
 Mon Jun 23 14:04:09 2003: DEBUG: Access challenged for 
 testUser: EAP PEAP Challenge
 Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
 *** Sending to 172.30.24.10 port 1645 
 Code:   Access-Challenge
 Identifier: 215
 Authentic:  NW237T?254DT20214622|z4219161
 Attributes:
 EAP-Message = 4204
 Signature = 
 EAP-Message = 1306250
 
 
 It seems like I'm stuck in the ERROR_WANT_READ block code, 
 which does nothing, and this does
 this all the time, wether I'm doing EAP-TTLS or EAP-PEAP. It 
 looks definitely like a
 Radiator/SSL issue, but I'm stuck by this lack of information.
 First I guessed it was my version of OpenSSL (it was 0.9.6c), 
 but after upgrading to the most
 recent one, I still have this problem.
 
 I'm looking forward to any suggestion one could have.
 
 
  Note the list of prerequisite modules that are listed in 
 the comment block at the top of the
  eap_peap.cfg file.
  
  regards
  
  Hugh
  
  
  On Thursday, Jun 19, 2003, at 23:49 Australia/Melbourne, 
 Jerome Fleury wrote:
  
  Here is the test config:
  
  Client: Cisco Aironet/Orinoco
  802.1X client: 2000+hotfix/Funk Odyssey
  AP: Cisco Aironet 1100
  
  I use the test config from goodies/eap_peap.cfg with this 
 modification:
  
   Filename %D/users-wifi
  
  (is there any special entry to put in this file ? anonymous user ?)
  
  As soon as I enter my credentials (802.1X identification 
 window from 
  Windows 2000 appears), the
  radius request launches from the AP:
  
  .Jun 19 13:42:01.250: dot11_dot1x_run_rfsm: current state 
 CLIENT_WAIT, 
  received CLIENT_REPLY,
  mac: 0060.1df0.3503
  .Jun 19 13:42:01.250: dot11_dot1x_send_response_to_server: Sending 
  client data to server
  .Jun 19 13:42:01.251: RADIUS/ENCODE(3489): 
 acct_session_id: 13473
  .Jun 19 13:42:01.251: RADIUS(3489): sending
  .Jun 19 13:42:01.252: RADIUS: Send to unknown id 44 
 172.30.19.3:1812, 
  Access-Request, len 128
  .Jun 19 13:42:01.252: RADIUS:  authenticator 52 44 49 1C 
 E4 86 B3 78 - 
  E9 F8 87 6C B1 59 CA FF
  .Jun 19 13:42:01.252: RADIUS:  User-Name   [1]   5   ben
  .Jun 19 13:42:01.252: RADIUS:  Framed-MTU  [12]  6   1400
  .Jun 19 13:42:01.252: RADIUS:  Called-Station-Id   [30]  16  
  0002.8a5b.400f
  .Jun 19 13:42:01.252: RADIUS:  Calling-Station-Id  [31]  16  
  0060.1df0.3503
  .Jun 19 13:42:01.252: RADIUS:  NAS-Port-Type   [61]  6 
   802.11 
  wireless   [19]
  .Jun 19 13:42:01.252: RADIUS:  Message-Authenticato[80]  18  *
  .Jun 19 13:42:01.252: RADIUS:  EAP-Message [79]  8
  .Jun 19 13:42:01.253: RADIUS:   02 03 00 06
 
[]
  .Jun 19 13:42:01.253: RADIUS:  NAS-Port-Type   [61]  6 
   Virtual   
  [5]
  .Jun 19 13:42:01.253: RADIUS:  NAS-Port[5]   6   159
  .Jun 19 13:42:01.253: RADIUS:  Service-Type[6]   6 
   Login 
  [1]
  .Jun 19 13:42:01.254: RADIUS:  NAS-IP-Address  [4]   6   
  172.30.24.10
  .Jun 19 13:42:01.254: RADIUS:  Nas-Identifier  [32]  9 
   ap2.gre
  .Jun 19 13:42:06.253: RADIUS: Retransmit to 
 (172.30.19.3:1812,1813) 
  for id 44
  .Jun 19 13:42:12.056: RADIUS

Re: (RADIATOR) Can't get PEAP to work, need help.

2003-06-23 Thread Jeje
--On Monday, June 23, 2003 10:54:36 PM +1000 Mike McCauley [EMAIL PROTECTED] wrote:

 HelloJerome,
 
 My experience with this type of behaviour is that the real cause of the 
 actually occurred long before. What happens is that Radiator declines to 
 reply to a request for  some reason, and then you see a number of 
 retransmissions.
 
 We will need to see _all_ of the Radiator log file from the start of the 
 authentication attempt until the end. I think then we will see why Radaitor 
 is not repsonding to the clients requests.

Thanks for your help Mike,

here is the full log from radiator:

Mon Jun 23 14:03:02 2003: NOTICE: SIGTERM received: stopping
Mon Jun 23 14:03:15 2003: DEBUG: AuthTEST loaded
Mon Jun 23 14:03:15 2003: DEBUG: New Radius::AuthTEST constructed
Mon Jun 23 14:03:15 2003: DEBUG: Reading users file /home/radius/conf/users-wifi
Mon Jun 23 14:03:15 2003: DEBUG: Reading users file /home/radius/conf/users-wifi
Mon Jun 23 14:03:15 2003: DEBUG: Finished reading configuration file
'../../conf/radius-wifi.cfg'
Mon Jun 23 14:03:15 2003: DEBUG: Reading dictionary file '/home/radius/conf/dictionary'
Mon Jun 23 14:03:16 2003: DEBUG: Creating authentication port 172.30.19.3:1812
Mon Jun 23 14:03:16 2003: DEBUG: Creating accounting port 172.30.19.3:1813
Mon Jun 23 14:03:16 2003: NOTICE: Server started: Radiator 3.6 on front5.net.tiscali.fr
Mon Jun 23 14:04:08 2003: DEBUG: Packet dump:
*** Received from 172.30.24.10 port 1645 
Code:   Access-Request
Identifier: 214
Authentic:  @154kT9^21|22s229211188.25(
Attributes:
User-Name = testUser
Framed-MTU = 1400
Called-Station-Id = 0002.8a5b.400f
Calling-Station-Id = 0060.1df0.3503
NAS-Port-Type = 19
Signature = 193253246i12239191172227117j0151181W
EAP-Message = 210131testUser
NAS-Port-Type = Virtual
NAS-Port = 78
Service-Type = Login-User
NAS-IP-Address = 172.30.24.10
NAS-Identifier = ap2.gre

Mon Jun 23 14:04:08 2003: DEBUG: Handling request with Handler ''
Mon Jun 23 14:04:08 2003: DEBUG:  Deleting session for testUser, 172.30.24.10, 78
Mon Jun 23 14:04:08 2003: DEBUG: Handling with Radius::AuthFILE: 
Mon Jun 23 14:04:08 2003: DEBUG: Handling with EAP: code 2, 1, 13
Mon Jun 23 14:04:08 2003: DEBUG: Response type 1
Mon Jun 23 14:04:08 2003: DEBUG: jeje - Radius::EAP::EAP_TYPE_IDENTITY
Mon Jun 23 14:04:09 2003: DEBUG: Access challenged for testUser: EAP PEAP Challenge
Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
*** Sending to 172.30.24.10 port 1645 
Code:   Access-Challenge
Identifier: 214
Authentic:  @154kT9^21|22s229211188.25(
Attributes:
EAP-Message = 120625!
Signature = 

Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
*** Received from 172.30.24.10 port 1645 
Code:   Access-Request
Identifier: 215
Authentic:  NW237T?254DT20214622|z4219161
Attributes:
User-Name = testUser
Framed-MTU = 1400
Called-Station-Id = 0002.8a5b.400f
Calling-Station-Id = 0060.1df0.3503
NAS-Port-Type = 19
Signature = g13196159$OxI}i165140177M2426
EAP-Message =
220^25022310S100O31246236186O12181791720146V2
1202J2331461492591492
729
s2022392086313000(0220190f0210180100504090c
0e0`0b0a0d02001703060
81
NAS-Port-Type = Virtual
NAS-Port = 78
Service-Type = Login-User
NAS-IP-Address = 172.30.24.10
NAS-Identifier = ap2.gre

Mon Jun 23 14:04:09 2003: DEBUG: Handling request with Handler ''
Mon Jun 23 14:04:09 2003: DEBUG:  Deleting session for testUser, 172.30.24.10, 78
Mon Jun 23 14:04:09 2003: DEBUG: Handling with Radius::AuthFILE: 
Mon Jun 23 14:04:09 2003: DEBUG: Handling with EAP: code 2, 2, 94
Mon Jun 23 14:04:09 2003: DEBUG: Response type 25
Mon Jun 23 14:04:09 2003: DEBUG: jeje - else2
Mon Jun 23 14:04:09 2003: DEBUG: jeje - 25,  PEAP
Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
Mon Jun 23 14:04:09 2003: ERR: jeje - want read
Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465, 
Mon Jun 23 14:04:09 2003: DEBUG: Access challenged for testUser: EAP PEAP Challenge
Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
*** Sending to 172.30.24.10 port 1645 
Code:   Access-Challenge
Identifier: 215
Authentic:  NW237T?254DT20214622|z4219161
Attributes:
EAP-Message = 4204
Signature = 
EAP-Message = 1306250



jeje.


RE: (RADIATOR) Can't get PEAP to work, need help.

2003-06-23 Thread Jeje
Following your advice, I just upgraded to the most recent SSLeay (1.22 - 1.23),
unfortunately the same problem occurs.

--On Monday, June 23, 2003 03:18:52 PM +0200 Tom Rixom [EMAIL PROTECTED] wrote:

 Make sure you have the correct/latest SSLeay library.
 
 The output message that Radiator sends back looks weird:
 
 EAP-Message = 4204
 Signature = 
 EAP-Message = 1306250
 
 Two EAP-Messages? One reject and one PEAP ack
 
 Regards,
 
 Tom.
 
 -Original Message-
 From: Jerome Fleury [mailto:[EMAIL PROTECTED]
 Sent: Monday, June 23, 2003 2:23 PM
 To: Hugh Irvine
 Cc: [EMAIL PROTECTED]
 Subject: Re: (RADIATOR) Can't get PEAP to work, need help.
 
 
 --On Friday, June 20, 2003 10:10:46 AM +1000 Hugh Irvine 
 [EMAIL PROTECTED] wrote:
 
  
  Salut Jerome -
  
  It looks like Radiator is crashing if the log stops as shown. You will need to look at the
  Perl output to see what the error is, but it is usually a missing module that has not been
  loaded. The easiest way to see what is happening is to run radiusd from the command line like
  this:
  
 perl radiusd -foreground -log_stdout -trace 4 -config_file .
  
  where  is the name of your configuration file.
 
 Thanks for help Hugh.
 
 I tried this, but the server is not crashing. It just stops processing. Added some debug in the
 EAP_25.pm code and got this:
 
 Mon Jun 23 14:04:09 2003: DEBUG: Handling request with Handler ''
 Mon Jun 23 14:04:09 2003: DEBUG:  Deleting session for testUser, 172.30.24.10, 78
 Mon Jun 23 14:04:09 2003: DEBUG: Handling with Radius::AuthFILE:
 Mon Jun 23 14:04:09 2003: DEBUG: Handling with EAP: code 2, 2, 94
 Mon Jun 23 14:04:09 2003: DEBUG: Response type 25
 Mon Jun 23 14:04:09 2003: DEBUG: jeje - else2
 Mon Jun 23 14:04:09 2003: DEBUG: jeje - 25,  PEAP
 Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
 Mon Jun 23 14:04:09 2003: ERR: jeje - want read
 Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465,
 Mon Jun 23 14:04:09 2003: DEBUG: Access challenged for testUser: EAP PEAP Challenge
 Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
 *** Sending to 172.30.24.10 port 1645 
 Code:   Access-Challenge
 Identifier: 215
 Authentic:  NW237T?254DT20214622|z4219161
 Attributes:
 EAP-Message = 4204
 Signature = 
 EAP-Message = 1306250
 
 
 It seems like I'm stuck in the ERROR_WANT_READ block code, which does nothing, and this does
 this all the time, whether I'm doing EAP-TTLS or EAP-PEAP. It looks definitely like a
 Radiator/SSL issue, but I'm stuck by this lack of information.
 First I guessed it was my version of OpenSSL (it was 0.9.6c), but after upgrading to the most
 recent one, I still have this problem.
 
 I'm looking forward to any suggestion one could have.
 
 
  Note the list of prerequisite modules that are listed in the comment block at the top of the
  eap_peap.cfg file.
  
  regards
  
  Hugh
  
  
  On Thursday, Jun 19, 2003, at 23:49 Australia/Melbourne, Jerome Fleury wrote:
  
  Here is the test config:
  
  Client: Cisco Aironet/Orinoco
  802.1X client: 2000+hotfix/Funk Odyssey
  AP: Cisco Aironet 1100
  
  I use the test config from goodies/eap_peap.cfg with this modification:

   Filename %D/users-wifi

  (is there any special entry to put in this file ? anonymous user ?)

  As soon as I enter my credentials (802.1X identification window from Windows 2000 appears), the
  radius request launches from the AP:
  
  .Jun 19 13:42:01.250: dot11_dot1x_run_rfsm: current state CLIENT_WAIT, received CLIENT_REPLY, mac: 0060.1df0.3503
  .Jun 19 13:42:01.250: dot11_dot1x_send_response_to_server: Sending client data to server
  .Jun 19 13:42:01.251: RADIUS/ENCODE(3489): acct_session_id: 13473
  .Jun 19 13:42:01.251: RADIUS(3489): sending
  .Jun 19 13:42:01.252: RADIUS: Send to unknown id 44 172.30.19.3:1812, Access-Request, len 128
  .Jun 19 13:42:01.252: RADIUS:  authenticator 52 44 49 1C E4 86 B3 78 - E9 F8 87 6C B1 59 CA FF
  .Jun 19 13:42:01.252: RADIUS:  User-Name   [1]   5   ben
  .Jun 19 13:42:01.252: RADIUS:  Framed-MTU  [12]  6   1400
  .Jun 19 13:42:01.252: RADIUS:  Called-Station-Id   [30]  16  0002.8a5b.400f
  .Jun 19 13:42:01.252: RADIUS:  Calling-Station-Id  [31]  16  0060.1df0.3503
  .Jun 19 13:42:01.252: RADIUS:  NAS-Port-Type   [61]  6   802.11 wireless   [19]
  .Jun 19 13:42:01.252: RADIUS:  Message-Authenticato[80]  18  *
  .Jun 19 13:42:01.252: RADIUS:  EAP-Message [79]  8
  .Jun 19 13:42:01.253: RADIUS:   02 03 00 06  []
  .Jun 19 13:42:01.253: RADIUS:  NAS-Port-Type   [61]  6   Virtual   [5]
  .Jun 19 13:42:01.253: RADIUS:  NAS-Port[5]   6   159
  .Jun 19 13:42:01.253: RADIUS:  Service-Type[6]   6   Login   [1]
  .Jun 19 13:42:01.254: RADIUS:  NAS-IP-Address  [4]   6

Re: (RADIATOR) Can't get PEAP to work, need help.

2003-06-23 Thread Mike McCauley
Hello Jeremy,

thanks for the full log.

Looks like Radiator is not seeing a completed client hello from your client:
it's still waiting for the client hello to be closed off.
This is very puzzling: your client is behaving differently to other clients we
have observed.

What PEAP client are you using?

Cheers.

On Tue, 24 Jun 2003 12:51 am, Jeje wrote:
 --On Monday, June 23, 2003 10:54:36 PM +1000 Mike McCauley 
[EMAIL PROTECTED] wrote:
  Hello Jerome,

  My experience with this type of behaviour is that the real cause of the
  actually occurred long before. What happens is that Radiator declines to
  reply to a request for some reason, and then you see a number of
  retransmissions.

  We will need to see _all_ of the Radiator log file from the start of the
  authentication attempt until the end. I think then we will see why
  Radiator is not responding to the client's requests.

 Thanks for your help Mike,

 here is the full log from radiator:

 Mon Jun 23 14:03:02 2003: NOTICE: SIGTERM received: stopping
 Mon Jun 23 14:03:15 2003: DEBUG: AuthTEST loaded
 Mon Jun 23 14:03:15 2003: DEBUG: New Radius::AuthTEST constructed
 Mon Jun 23 14:03:15 2003: DEBUG: Reading users file /home/radius/conf/users-wifi
 Mon Jun 23 14:03:15 2003: DEBUG: Reading users file /home/radius/conf/users-wifi
 Mon Jun 23 14:03:15 2003: DEBUG: Finished reading configuration file '../../conf/radius-wifi.cfg'
 Mon Jun 23 14:03:15 2003: DEBUG: Reading dictionary file '/home/radius/conf/dictionary'
 Mon Jun 23 14:03:16 2003: DEBUG: Creating authentication port 172.30.19.3:1812
 Mon Jun 23 14:03:16 2003: DEBUG: Creating accounting port 172.30.19.3:1813
 Mon Jun 23 14:03:16 2003: NOTICE: Server started: Radiator 3.6 on front5.net.tiscali.fr
 Mon Jun 23 14:04:08 2003: DEBUG: Packet dump:
 *** Received from 172.30.24.10 port 1645 
 Code:   Access-Request
 Identifier: 214
 Authentic:  @154kT9^21|22s229211188.25(
 Attributes:
 User-Name = testUser
 Framed-MTU = 1400
 Called-Station-Id = 0002.8a5b.400f
 Calling-Station-Id = 0060.1df0.3503
 NAS-Port-Type = 19
 Signature = 193253246i12239191172227117j0151181W
 EAP-Message = 210131testUser
 NAS-Port-Type = Virtual
 NAS-Port = 78
 Service-Type = Login-User
 NAS-IP-Address = 172.30.24.10
 NAS-Identifier = ap2.gre

 Mon Jun 23 14:04:08 2003: DEBUG: Handling request with Handler ''
 Mon Jun 23 14:04:08 2003: DEBUG:  Deleting session for testUser, 172.30.24.10, 78
 Mon Jun 23 14:04:08 2003: DEBUG: Handling with Radius::AuthFILE:
 Mon Jun 23 14:04:08 2003: DEBUG: Handling with EAP: code 2, 1, 13
 Mon Jun 23 14:04:08 2003: DEBUG: Response type 1
 Mon Jun 23 14:04:08 2003: DEBUG: jeje - Radius::EAP::EAP_TYPE_IDENTITY
 Mon Jun 23 14:04:09 2003: DEBUG: Access challenged for testUser: EAP PEAP Challenge
 Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
 *** Sending to 172.30.24.10 port 1645 
 Code:   Access-Challenge
 Identifier: 214
 Authentic:  @154kT9^21|22s229211188.25(
 Attributes:
 EAP-Message = 120625!
 Signature = 

 Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
 *** Received from 172.30.24.10 port 1645 
 Code:   Access-Request
 Identifier: 215
 Authentic:  NW237T?254DT20214622|z4219161
 Attributes:
 User-Name = testUser
 Framed-MTU = 1400
 Called-Station-Id = 0002.8a5b.400f
 Calling-Station-Id = 0060.1df0.3503
 NAS-Port-Type = 19
 Signature = g13196159$OxI}i165140177M2426
 EAP-Message =
 220^25022310S100O31246236186O1218
1791720146V2 1202J2331461492591492
 729
 s2022392086313000(0220190f0210180100
504090c 0e0`0b0a0d02001703060
 81
 NAS-Port-Type = Virtual
 NAS-Port = 78
 Service-Type = Login-User
 NAS-IP-Address = 172.30.24.10
 NAS-Identifier = ap2.gre

 Mon Jun 23 14:04:09 2003: DEBUG: Handling request with Handler ''
 Mon Jun 23 14:04:09 2003: DEBUG:  Deleting session for testUser, 172.30.24.10, 78
 Mon Jun 23 14:04:09 2003: DEBUG: Handling with Radius::AuthFILE:
 Mon Jun 23 14:04:09 2003: DEBUG: Handling with EAP: code 2, 2, 94
 Mon Jun 23 14:04:09 2003: DEBUG: Response type 25
 Mon Jun 23 14:04:09 2003: DEBUG: jeje - else2
 Mon Jun 23 14:04:09 2003: DEBUG: jeje - 25,  PEAP
 Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
 Mon Jun 23 14:04:09 2003: ERR: jeje - want read
 Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465,
 Mon Jun 23 14:04:09 2003: DEBUG: Access challenged for testUser: EAP PEAP Challenge
 Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
 *** Sending to 172.30.24.10 port 1645 
 Code:   Access-Challenge
 Identifier: 215
 Authentic:  NW237T?254DT20214622|z4219161
 Attributes:
 EAP-Message = 4204
 Signature = 
 EAP-Message = 1306250



 jeje.

-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. LtdUnix, Perl, 
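
The reading of the trace above (the server is still waiting for the rest of the ClientHello, hence SSL_accept reporting want-read) can be checked against the bytes of the EAP-Message attribute itself. The following is an added example, not Radiator code and not something posted in this thread: the function names are hypothetical, the flag bits are the EAP-TLS framing that PEAP reuses, and the sample packets are constructed with the same EAP code, identifier and length as the "code 2, 2, 94" log entry rather than taken from the capture.

```python
import struct

EAP_TYPE_PEAP = 25                      # "Response type 25" in the Radiator trace
FLAG_L, FLAG_M = 0x80, 0x40             # length-included / more-fragments bits
TLS_HANDSHAKE, CLIENT_HELLO = 22, 1


def parse_eap_tls(eap: bytes) -> dict:
    """Split an EAP-TLS style packet (PEAP, TTLS) into header fields and TLS data."""
    if len(eap) < 6:
        raise ValueError("too short for an EAP-TLS style packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", eap[:6])
    if length != len(eap):
        raise ValueError(f"EAP length field says {length}, got {len(eap)} bytes")
    offset, total = 6, None
    if flags & FLAG_L:                  # 4-byte total TLS message length follows
        if len(eap) < 10:
            raise ValueError("L flag set but TLS message length is missing")
        (total,) = struct.unpack("!I", eap[6:10])
        offset = 10
    return {"code": code, "id": ident, "length": length, "type": eap_type,
            "more": bool(flags & FLAG_M), "total": total, "tls": eap[offset:]}


def client_hello_status(tls: bytes):
    """Return (complete, missing_bytes, reason) for data that should hold a ClientHello."""
    if len(tls) < 5:
        return (False, 5 - len(tls), "TLS record header truncated")
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", tls[:5])
    if ctype != TLS_HANDSHAKE:
        return (False, 0, f"content type {ctype} is not a handshake record")
    body = tls[5:5 + rec_len]
    if len(body) < rec_len:             # the TLS stack would ask for more input here
        return (False, rec_len - len(body), "record shorter than its length field")
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return (False, 0, "first handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    if 4 + hs_len > rec_len:
        return (False, 4 + hs_len - rec_len, "ClientHello continues in a later record")
    return (True, 0, "complete ClientHello")


def diagnose(eap: bytes):
    """Say whether one EAP-Response carries everything the TLS accept step needs."""
    pkt = parse_eap_tls(eap)
    if pkt["more"]:
        # Missing count is only known when the L flag supplied a total length.
        missing = pkt["total"] - len(pkt["tls"]) if pkt["total"] is not None else 0
        return (False, max(missing, 0), "M flag set: more EAP fragments to come")
    return client_hello_status(pkt["tls"])


def build_sample(truncate=0, fragment_at=None):
    """Constructed input: EAP-Response id 2, type 25, zero-filled 79-byte hello body.

    Only the framing is realistic; the hello body is filler, not a valid ClientHello.
    """
    hello = bytes([CLIENT_HELLO]) + (79).to_bytes(3, "big") + bytes(79)
    record = struct.pack("!BBBH", TLS_HANDSHAKE, 3, 1, len(hello)) + hello
    if fragment_at is not None:         # first fragment of a fragmented message
        payload = (bytes([FLAG_L | FLAG_M]) + struct.pack("!I", len(record))
                   + record[:fragment_at])
    else:
        payload = b"\x00" + record[:len(record) - truncate]
    return struct.pack("!BBHB", 2, 2, 5 + len(payload), EAP_TYPE_PEAP) + payload


if __name__ == "__main__":
    for label, pkt in [("whole", build_sample()),
                       ("cut short", build_sample(truncate=20)),
                       ("fragmented", build_sample(fragment_at=40))]:
        print(label, len(pkt), diagnose(pkt))
```

Run against the real attribute bytes (from a packet capture, since the trace output does not reproduce them reliably), a "complete ClientHello" result points away from the client and AP and towards the server-side TLS handling.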

Re: (RADIATOR) Can't get PEAP to work, need help.

2003-06-23 Thread Mike McCauley

On Tue, 24 Jun 2003 09:26 am, Mike McCauley wrote:
 Hello Jeremy,

Sorry: Jerome


 thanks for the full log.

 Looks like Radiator is not seeing a completed client hello from your
 client: it's still waiting for the client hello to be closed off.
 This is very puzzling: your client is behaving differently to other clients
 we have observed.

 What PEAP client are you using?

 Cheers.

 On Tue, 24 Jun 2003 12:51 am, Jeje wrote:
  --On Monday, June 23, 2003 10:54:36 PM +1000 Mike McCauley [EMAIL PROTECTED] wrote:
   Hello Jerome,

   My experience with this type of behaviour is that the real cause of the
   actually occurred long before. What happens is that Radiator declines
   to reply to a request for some reason, and then you see a number of
   retransmissions.

   We will need to see _all_ of the Radiator log file from the start of
   the authentication attempt until the end. I think then we will see why
   Radiator is not responding to the client's requests.
 
  Thanks for your help Mike,
 
  here is the full log from radiator:
 
  Mon Jun 23 14:03:02 2003: NOTICE: SIGTERM received: stopping
  Mon Jun 23 14:03:15 2003: DEBUG: AuthTEST loaded
  Mon Jun 23 14:03:15 2003: DEBUG: New Radius::AuthTEST constructed
  Mon Jun 23 14:03:15 2003: DEBUG: Reading users file /home/radius/conf/users-wifi
  Mon Jun 23 14:03:15 2003: DEBUG: Reading users file /home/radius/conf/users-wifi
  Mon Jun 23 14:03:15 2003: DEBUG: Finished reading configuration file '../../conf/radius-wifi.cfg'
  Mon Jun 23 14:03:15 2003: DEBUG: Reading dictionary file '/home/radius/conf/dictionary'
  Mon Jun 23 14:03:16 2003: DEBUG: Creating authentication port 172.30.19.3:1812
  Mon Jun 23 14:03:16 2003: DEBUG: Creating accounting port 172.30.19.3:1813
  Mon Jun 23 14:03:16 2003: NOTICE: Server started: Radiator 3.6 on front5.net.tiscali.fr
  Mon Jun 23 14:04:08 2003: DEBUG: Packet dump:
  *** Received from 172.30.24.10 port 1645 
  Code:   Access-Request
  Identifier: 214
  Authentic:  @154kT9^21|22s229211188.25(
  Attributes:
  User-Name = testUser
  Framed-MTU = 1400
  Called-Station-Id = 0002.8a5b.400f
  Calling-Station-Id = 0060.1df0.3503
  NAS-Port-Type = 19
  Signature = 193253246i12239191172227117j0151181W
  EAP-Message = 210131testUser
  NAS-Port-Type = Virtual
  NAS-Port = 78
  Service-Type = Login-User
  NAS-IP-Address = 172.30.24.10
  NAS-Identifier = ap2.gre
 
  Mon Jun 23 14:04:08 2003: DEBUG: Handling request with Handler ''
  Mon Jun 23 14:04:08 2003: DEBUG:  Deleting session for testUser, 172.30.24.10, 78
  Mon Jun 23 14:04:08 2003: DEBUG: Handling with Radius::AuthFILE:
  Mon Jun 23 14:04:08 2003: DEBUG: Handling with EAP: code 2, 1, 13
  Mon Jun 23 14:04:08 2003: DEBUG: Response type 1
  Mon Jun 23 14:04:08 2003: DEBUG: jeje - Radius::EAP::EAP_TYPE_IDENTITY
  Mon Jun 23 14:04:09 2003: DEBUG: Access challenged for testUser: EAP PEAP Challenge
  Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
  *** Sending to 172.30.24.10 port 1645 
  Code:   Access-Challenge
  Identifier: 214
  Authentic:  @154kT9^21|22s229211188.25(
  Attributes:
  EAP-Message = 120625!
  Signature = 
 
  Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
  *** Received from 172.30.24.10 port 1645 
  Code:   Access-Request
  Identifier: 215
  Authentic:  NW237T?254DT20214622|z4219161
  Attributes:
  User-Name = testUser
  Framed-MTU = 1400
  Called-Station-Id = 0002.8a5b.400f
  Calling-Station-Id = 0060.1df0.3503
  NAS-Port-Type = 19
  Signature = g13196159$OxI}i165140177M2426
  EAP-Message =
  220^25022310S100O31246236186O1218
  1791720146V2 1202J2331461492591492
  729
  s2022392086313000(0220190f021018010
 0
 
 504090c 0e0`0b0a0d02001703060
 
  81
  NAS-Port-Type = Virtual
  NAS-Port = 78
  Service-Type = Login-User
  NAS-IP-Address = 172.30.24.10
  NAS-Identifier = ap2.gre
 
  Mon Jun 23 14:04:09 2003: DEBUG: Handling request with Handler ''
  Mon Jun 23 14:04:09 2003: DEBUG:  Deleting session for testUser, 172.30.24.10, 78
  Mon Jun 23 14:04:09 2003: DEBUG: Handling with Radius::AuthFILE:
  Mon Jun 23 14:04:09 2003: DEBUG: Handling with EAP: code 2, 2, 94
  Mon Jun 23 14:04:09 2003: DEBUG: Response type 25
  Mon Jun 23 14:04:09 2003: DEBUG: jeje - else2
  Mon Jun 23 14:04:09 2003: DEBUG: jeje - 25,  PEAP
  Mon Jun 23 14:04:09 2003: DEBUG: EAP TLS SSL_accept result: -1, 2, 8465
  Mon Jun 23 14:04:09 2003: ERR: jeje - want read
  Mon Jun 23 14:04:09 2003: ERR: EAP TLS error: -1, 2, 8465,
  Mon Jun 23 14:04:09 2003: DEBUG: Access challenged for testUser: EAP PEAP Challenge
  Mon Jun 23 14:04:09 2003: DEBUG: Packet dump:
  *** Sending to 172.30.24.10 port 1645 
  Code:   Access-Challenge
  Identifier: 215
  Authentic:  NW237T?254DT20214622|z4219161
  Attributes:
  EAP-Message = 4204
  

Re: (RADIATOR) Can't get PEAP to work, need help.

2003-06-19 Thread Bon sy
Jerome,

It seems like the request did not reach the server, or the server dropped
the request. We had similar problems at one point with Windows 2000
when using the Windows 2000 built-in client with Cisco 350. It turned out
we needed zero configuration, Service Pack 3 and the 802.11b authentication
patch on the client side. We have not tried Funk Odyssey. But if
our environment setup info may be useful to you, you may want to check
out:

http://bonnet2.geol.qc.edu/wireless/wirelessEap-2.htm

which is our How-To for PEAP auth in our environment.

Good luck!


Bon



On Thu, 19 Jun 2003, Jerome Fleury wrote:

 Here is the test config:
 
 Client: Cisco Aironet/Orinoco
 802.1X client: 2000+hotfix/Funk Odyssey
 AP: Cisco Aironet 1100
 
 I use the test config from goodies/eap_peap.cfg with this modification:
 
  Filename %D/users-wifi
 
 (is there any special entry to put in this file ? anonymous user ?)
 
 As soon as I enter my credentials (802.1X identification window from Windows 2000 appears), the
 radius request launches from the AP:
 
 .Jun 19 13:42:01.250: dot11_dot1x_run_rfsm: current state CLIENT_WAIT, received CLIENT_REPLY, mac: 0060.1df0.3503
 .Jun 19 13:42:01.250: dot11_dot1x_send_response_to_server: Sending client data to server
 .Jun 19 13:42:01.251: RADIUS/ENCODE(3489): acct_session_id: 13473
 .Jun 19 13:42:01.251: RADIUS(3489): sending
 .Jun 19 13:42:01.252: RADIUS: Send to unknown id 44 172.30.19.3:1812, Access-Request, len 128
 .Jun 19 13:42:01.252: RADIUS:  authenticator 52 44 49 1C E4 86 B3 78 - E9 F8 87 6C B1 59 CA FF
 .Jun 19 13:42:01.252: RADIUS:  User-Name   [1]   5   ben
 .Jun 19 13:42:01.252: RADIUS:  Framed-MTU  [12]  6   1400
 .Jun 19 13:42:01.252: RADIUS:  Called-Station-Id   [30]  16  0002.8a5b.400f
 .Jun 19 13:42:01.252: RADIUS:  Calling-Station-Id  [31]  16  0060.1df0.3503
 .Jun 19 13:42:01.252: RADIUS:  NAS-Port-Type   [61]  6   802.11 wireless   [19]
 .Jun 19 13:42:01.252: RADIUS:  Message-Authenticato[80]  18  *
 .Jun 19 13:42:01.252: RADIUS:  EAP-Message [79]  8
 .Jun 19 13:42:01.253: RADIUS:   02 03 00 06  []
 .Jun 19 13:42:01.253: RADIUS:  NAS-Port-Type   [61]  6   Virtual   [5]
 .Jun 19 13:42:01.253: RADIUS:  NAS-Port[5]   6   159
 .Jun 19 13:42:01.253: RADIUS:  Service-Type[6]   6   Login   [1]
 .Jun 19 13:42:01.254: RADIUS:  NAS-IP-Address  [4]   6   172.30.24.10
 .Jun 19 13:42:01.254: RADIUS:  Nas-Identifier  [32]  9   ap2.gre
 .Jun 19 13:42:06.253: RADIUS: Retransmit to (172.30.19.3:1812,1813) for id 44
 .Jun 19 13:42:12.056: RADIUS: Retransmit to (172.30.19.3:1812,1813) for id 44
 .Jun 19 13:42:17.057: RADIUS: Retransmit to (172.30.19.3:1812,1813) for id 44
 .Jun 19 13:42:21.899: dot11_dot1x_parse_client_pak: Received EAPOL packet from 0060.1df0.3503
 .Jun 19 13:42:21.899: EAPOL pak dump rx
 .Jun 19 13:42:21.899: EAPOL Version: 0x1  type: 0x1  length: 0x
 00E126C0:  0101
 .Jun 19 13:42:21.899: dot11_dot1x_run_rfsm: current state SERVER_WAIT, received EAP_START, mac: 0060.1df0.3503
 .Jun 19 13:42:21.900: dot11_dot1x_ignore_event: Ignore event: do nothing
 .Jun 19 13:42:22.188: RADIUS: Tried all servers.
 .Jun 19 13:42:22.188: RADIUS: No valid server found. Trying any viable server
 .Jun 19 13:42:22.188: RADIUS: Tried all servers.
 .Jun 19 13:42:22.188: RADIUS: No response from (172.30.19.3:1812,1813) for id 44
 .Jun 19 13:42:22.188: RADIUS/DECODE: parse response no app start; FAIL
 .Jun 19 13:42:22.188: RADIUS/DECODE: parse response; FAIL
 
 
 As you can see, the Radius server seems not to respond, and AP retransmits. 
 
 Here are the logs on Radiator:
 
 Code:   Access-Request
 Identifier: 44
 Authentic:  RDI28228134179x233248135l177Y202255
 Attributes:
 User-Name = ben
 Framed-MTU = 1400
 Called-Station-Id = 0002.8a5b.400f
 Calling-Station-Id = 0060.1df0.3503
 NAS-Port-Type = 19
 Signature = 14184;197Q12;219Y5209240179%181184
 EAP-Message = 230625
 NAS-Port-Type = Virtual
 NAS-Port = 159
 Service-Type = Login-User
 NAS-IP-Address = 172.30.24.10
 NAS-Identifier = ap2.gre
 
 Thu Jun 19 15:42:17 2003: DEBUG: Handling request with Handler ''
 Thu Jun 19 15:42:17 2003: DEBUG:  Deleting session for ben, 172.30.24.10, 159
 Thu Jun 19 15:42:17 2003: DEBUG: Handling with Radius::AuthFILE: 
 Thu Jun 19 15:42:17 2003: DEBUG: Handling with EAP: code 2, 3, 6
 Thu Jun 19 15:42:17 2003: DEBUG: Response type 25
 
 and that's pretty all. No error to help me out.
 
 Has anybody any clue about that ?
 
 Thanks.
 --
 Jerome Fleury

Re: (RADIATOR) Can't get PEAP to work, need help.

2003-06-19 Thread Hugh Irvine
Salut Jerome -

It looks like Radiator is crashing if the log stops as shown. You will 
need to look at the Perl output to see what the error is, but it is 
usually a missing module that has not been loaded. The easiest way to 
see what is happening is to run radiusd from the command line like this:

	perl radiusd -foreground -log_stdout -trace 4 -config_file .

where  is the name of your configuration file.

Note the list of prerequisite modules that are listed in the comment 
block at the top of the eap_peap.cfg file.

regards

Hugh

On Thursday, Jun 19, 2003, at 23:49 Australia/Melbourne, Jerome Fleury 
wrote:

Here is the test config:

Client: Cisco Aironet/Orinoco
802.1X client: 2000+hotfix/Funk Odyssey
AP: Cisco Aironet 1100
I use the test config from goodies/eap_peap.cfg with this modification:

 Filename %D/users-wifi

(is there any special entry to put in this file ? anonymous user ?)

As soon as I enter my credentials (802.1X identification window from Windows 2000 appears), the
radius request launches from the AP:

.Jun 19 13:42:01.250: dot11_dot1x_run_rfsm: current state CLIENT_WAIT, received CLIENT_REPLY, mac: 0060.1df0.3503
.Jun 19 13:42:01.250: dot11_dot1x_send_response_to_server: Sending client data to server
.Jun 19 13:42:01.251: RADIUS/ENCODE(3489): acct_session_id: 13473
.Jun 19 13:42:01.251: RADIUS(3489): sending
.Jun 19 13:42:01.252: RADIUS: Send to unknown id 44 172.30.19.3:1812, Access-Request, len 128
.Jun 19 13:42:01.252: RADIUS:  authenticator 52 44 49 1C E4 86 B3 78 - E9 F8 87 6C B1 59 CA FF
.Jun 19 13:42:01.252: RADIUS:  User-Name   [1]   5   ben
.Jun 19 13:42:01.252: RADIUS:  Framed-MTU  [12]  6   1400
.Jun 19 13:42:01.252: RADIUS:  Called-Station-Id   [30]  16  0002.8a5b.400f
.Jun 19 13:42:01.252: RADIUS:  Calling-Station-Id  [31]  16  0060.1df0.3503
.Jun 19 13:42:01.252: RADIUS:  NAS-Port-Type   [61]  6   802.11 wireless   [19]
.Jun 19 13:42:01.252: RADIUS:  Message-Authenticato[80]  18  *
.Jun 19 13:42:01.252: RADIUS:  EAP-Message [79]  8
.Jun 19 13:42:01.253: RADIUS:   02 03 00 06  []
.Jun 19 13:42:01.253: RADIUS:  NAS-Port-Type   [61]  6   Virtual   [5]
.Jun 19 13:42:01.253: RADIUS:  NAS-Port[5]   6   159
.Jun 19 13:42:01.253: RADIUS:  Service-Type[6]   6   Login   [1]
.Jun 19 13:42:01.254: RADIUS:  NAS-IP-Address  [4]   6   172.30.24.10
.Jun 19 13:42:01.254: RADIUS:  Nas-Identifier  [32]  9   ap2.gre
.Jun 19 13:42:06.253: RADIUS: Retransmit to (172.30.19.3:1812,1813) for id 44
.Jun 19 13:42:12.056: RADIUS: Retransmit to (172.30.19.3:1812,1813) for id 44
.Jun 19 13:42:17.057: RADIUS: Retransmit to (172.30.19.3:1812,1813) for id 44
.Jun 19 13:42:21.899: dot11_dot1x_parse_client_pak: Received EAPOL packet from 0060.1df0.3503
.Jun 19 13:42:21.899: EAPOL pak dump rx
.Jun 19 13:42:21.899: EAPOL Version: 0x1  type: 0x1  length: 0x
00E126C0:  0101
.Jun 19 13:42:21.899: dot11_dot1x_run_rfsm: current state SERVER_WAIT, received EAP_START, mac: 0060.1df0.3503
.Jun 19 13:42:21.900: dot11_dot1x_ignore_event: Ignore event: do nothing
.Jun 19 13:42:22.188: RADIUS: Tried all servers.
.Jun 19 13:42:22.188: RADIUS: No valid server found. Trying any viable server
.Jun 19 13:42:22.188: RADIUS: Tried all servers.
.Jun 19 13:42:22.188: RADIUS: No response from (172.30.19.3:1812,1813) for id 44
.Jun 19 13:42:22.188: RADIUS/DECODE: parse response no app start; FAIL
.Jun 19 13:42:22.188: RADIUS/DECODE: parse response; FAIL

As you can see, the Radius server seems not to respond, and AP 
retransmits.

Here are the logs on Radiator:

Code:   Access-Request
Identifier: 44
Authentic:  RDI28228134179x233248135l177Y202255
Attributes:
User-Name = ben
Framed-MTU = 1400
Called-Station-Id = 0002.8a5b.400f
Calling-Station-Id = 0060.1df0.3503
NAS-Port-Type = 19
Signature = 14184;197Q12;219Y5209240179%181184
EAP-Message = 230625
NAS-Port-Type = Virtual
NAS-Port = 159
Service-Type = Login-User
NAS-IP-Address = 172.30.24.10
NAS-Identifier = ap2.gre

Thu Jun 19 15:42:17 2003: DEBUG: Handling request with Handler ''
Thu Jun 19 15:42:17 2003: DEBUG:  Deleting session for ben, 172.30.24.10, 159
Thu Jun 19 15:42:17 2003: DEBUG: Handling with Radius::AuthFILE:
Thu Jun 19 15:42:17 2003: DEBUG: Handling with EAP: code 2, 3, 6
Thu Jun 19 15:42:17 2003: DEBUG: Response type 25

and that's pretty all. No error to help me out.

Has anybody any clue about that ?

Thanks.
--
Jerome Fleury

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--