Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-02-01 Thread Hugo Veiga
Hi,


Heikki I bow to you. :)


So the problem was this:

(Topology)

Radiator Machine/ IP: 10.253.1.12/24
--Router--wireless switch/IP:10.240.1.1/24

- The radiator machine receives requests from wireless switch.

- Wireless switch never receives the answer.

:: So the Radiator machine is a virtual machine installed by a
colleague of mine (system admin) who entered 255.0.0.0 as the
network mask. With the supplied mask the Radiator machine will try to
contact 10.240.1.1 through ARP discovery and will never find it,
because it's on a different broadcast domain. The solution was
obvious: insert the correct netmask, and it started to work perfectly.


Problem solved.

Many thanks Heikki,

Hugo Veiga




> > Code:   Access-Request
> > Identifier: 180
> > Authentic:  <139><3>(<143><10><139>N<158><194><163><168><135>O
>
> Radiator notices this and retransmits its previous reply
>
> > Tue Jan 26 15:54:57 2016: INFO: Duplicate request id 180 received from
> > 10.240.1.1(20004): retransmit reply
> > Tue Jan 26 15:54:57 2016: DEBUG: Packet dump:
> > *** Sending to 10.240.1.1 port 20004
>
> There are multiple retransmits back and forth and the authentication
> does not proceed.
>
> I would check the Wi-Fi controller logs and make sure it is receiving
> the responses from Radiator.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
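The netmask failure Hugo describes, worked through as an added example (this is not code from the thread or from Radiator). Inbound requests reach the server however its mask is set, because the router delivers them; outbound replies are the server's own routing decision, and a /8 mask makes 10.240.1.1 look on-link, so the server ARPs for it and never sends. The host 10.253.1.20 and the function names are my own constructions.

```python
"""Why a wrong netmask breaks RADIUS replies but not requests.

Inbound packets are delivered by the router whatever the server's mask says;
outbound replies follow the server's own routing table. If the NAS address
falls inside a wrongly wide local subnet, the server ARPs for it on the local
segment, nobody answers, and the reply is never transmitted.
"""
import ipaddress

# Values from the thread: the Radiator VM and the wireless switch (NAS).
RADIATOR_CONFIGURED = "10.253.1.12/255.0.0.0"   # the mask the VM was built with
RADIATOR_INTENDED = "10.253.1.12/24"            # the mask it should have had
NAS = "10.240.1.1"


def delivery(local_iface: str, peer: str) -> str:
    """Return 'arp' if the host treats `peer` as on-link (and ARPs for it),
    or 'gateway' if it is off-link and is handed to the default router."""
    iface = ipaddress.ip_interface(local_iface)
    return "arp" if ipaddress.ip_address(peer) in iface.network else "gateway"


def netmask_mismatches(configured: str, intended: str, peers) -> list:
    """Peers whose delivery path differs between the configured and the
    intended mask: these are the clients whose replies silently disappear."""
    return [p for p in peers if delivery(configured, p) != delivery(intended, p)]


def audit(configured: str, intended: str, peers) -> dict:
    """Per-peer report: (path under configured mask, path under intended mask)."""
    return {p: (delivery(configured, p), delivery(intended, p)) for p in peers}


if __name__ == "__main__":
    # 10.253.1.20 is a constructed host on the same /24 as Radiator; it is
    # reached by ARP under either mask, so only the NAS shows up as broken.
    peers = [NAS, "10.253.1.20"]
    for peer, (got, want) in audit(RADIATOR_CONFIGURED, RADIATOR_INTENDED, peers).items():
        flag = "  <-- replies lost" if got != want else ""
        print(f"{peer}: configured mask -> {got}, intended mask -> {want}{flag}")
```

Running `netmask_mismatches` over the list of configured RADIUS clients is a cheap check to add after building a server: any client it returns will deliver requests that are answered in the log but never reach the NAS, which is exactly the retransmit loop seen later in this thread.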

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-02-01 Thread Hugh Irvine

Indeed - the old adage is very true:

“Just because a packet can get somewhere does not mean that the reply 
can get back….”

regards

Hugh


> On 1 Feb 2016, at 20:39, Hugo Veiga  wrote:
> 
> Hi,
> 
> Heikki I bow to you. :)
> 
> So the problem was this:
> (Topology)
> Radiator Machine/ IP: 10.253.1.12/24 
> --Router--wireless switch/IP:10.240.1.1/24 
> - The radiator machine receives requests from wireless switch.
> - Wireless switch never receives the answer.
> :: So Radiator machine is a virtual machine and installed by a colleague of 
> mine (system admin) that inserted the mask 255.0.0.0 in the network mask. 
> Radiator machine with the supplied mask will try to contact 10.240.1.1 
> through arp discovery and will never find it because it's on a different 
> broadcast domain. The solution was obvious, insert the correct netmask and it 
> started to work perfectly.
> 
> Problem solved.
> Many thanks Heikki,
> Hugo Veiga
> 
> 
> 
> > > Code:   Access-Request
> > > Identifier: 180
> > > Authentic:  <139><3>(<143><10><139>N<158><194><163><168><135>O
> >
> > Radiator notices this and retransmits its previous reply
> >
> > > Tue Jan 26 15:54:57 2016: INFO: Duplicate request id 180 received from
> > > 10.240.1.1(20004): retransmit reply
> > > Tue Jan 26 15:54:57 2016: DEBUG: Packet dump:
> > > *** Sending to 10.240.1.1 port 20004
> >
> > There are multiple retransmits back and forth and the authentication
> > does not proceed.
> >
> > I would check the Wi-Fi controller logs and make sure it is receiving
> > the responses from Radiator.


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.


Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-28 Thread Heikki Vatiainen
On 01/26/2016 06:05 PM, Hugo Veiga wrote:

> Also tried another certificate but it's doing the same, it gets stuck
> and never reaches the inner handler.

I don't think this is a certificate or handler problem now. Previously
AuthBy INTERNAL was dropping the request, but now when you changed the
configuration, the responses from Radiator are sent back to the Wi-Fi
controller.

This might be a problem with network connectivity, Wi-Fi controller
configuration or something that prevents the Wi-Fi controller from
receiving or processing the responses Radiator sends.

Here's the EAP identity response that starts the authentication. This
comes from the Wi-Fi client side:

> Code:   Access-Request
> Identifier: 180
> Authentic:  <139><3>(<143><10><139>N<158><194><163><168><135>O

This is the response from Radiator that tells the client to start PEAP.

> Code:   Access-Challenge
> Identifier: 180

This is where things do not go as expected. The first message is resent
to Radiator:

> Code:   Access-Request
> Identifier: 180
> Authentic:  <139><3>(<143><10><139>N<158><194><163><168><135>O

Radiator notices this and retransmits its previous reply

> Tue Jan 26 15:54:57 2016: INFO: Duplicate request id 180 received from
> 10.240.1.1(20004): retransmit reply
> Tue Jan 26 15:54:57 2016: DEBUG: Packet dump:
> *** Sending to 10.240.1.1 port 20004 

There are multiple retransmits back and forth and the authentication
does not proceed.

I would check the Wi-Fi controller logs and make sure it is receiving
the responses from Radiator.

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-27 Thread Hugo Veiga
Hi,

I'm sorry Heikki, I don't know why but I didn't receive your email (but a
friend of mine on this list sent it to me yesterday).

So this is what I've tested/checked so far:

1 - Perl modules: In this list are the ones mentioned in the goodies file
for PEAP/MSCHAPv2 (# Requires Net_SSLeay.pm-1.21 or later; # Requires
openssl 0.9.7beta3 or later from www.openssl.org; # Requires Digest-HMAC; #
Requires Digest-SHA)

[root@radius02 radiator]# rpm -qa | grep perl
perl-Scalar-List-Utils-1.42-3.fc23.x86_64
perl-threads-2.02-2.fc23.x86_64
perl-ExtUtils-ParseXS-3.30-1.fc23.noarch
perl-IO-Socket-IP-0.37-347.fc23.noarch
perl-XML-Filter-BufferText-1.01-23.fc23.noarch
perl-Compress-Raw-Bzip2-2.068-347.fc23.x86_64
perl-IO-Socket-SSL-2.019-1.fc23.noarch
perl-GSSAPI-0.28-15.fc23.x86_64
perl-Perl-OSType-1.008-347.fc23.noarch
perl-Params-Check-0.38-346.fc23.noarch
perl-MRO-Compat-0.12-9.fc23.noarch
perl-Getopt-Long-2.48-1.fc23.noarch
perl-Algorithm-Diff-1.1903-3.fc23.noarch
perl-Devel-Size-0.80-3.fc23.x86_64
perl-Error-0.17024-4.fc23.noarch
perl-Pod-Perldoc-3.25-347.fc23.noarch
perl-Exporter-5.72-347.fc23.noarch
perl-WWW-Curl-4.17-6.fc23.x86_64
perl-Data-Dumper-2.158-347.fc23.x86_64
perl-version-0.99.12-4.fc23.x86_64
perl-Digest-SHA-5.95-347.fc23.x86_64
perl-Encode-Locale-1.05-3.fc23.noarch
perl-Business-ISBN-2.09-7.fc23.noarch
perl-XML-NamespaceSupport-1.11-16.fc23.noarch
perl-HTML-Parser-3.71-11.fc23.x86_64
perl-Sub-Install-0.928-6.fc23.noarch
perl-Compress-Bzip2-2.24-1.fc23.x86_64
perl-CPAN-Meta-YAML-0.016-4.fc23.noarch
perl-Time-HiRes-1.9728-1.fc23.x86_64
perl-File-Which-1.18-5.fc23.noarch
perl-Digest-SHA1-2.13-15.fc23.x86_64
perl-Time-Local-1.2300-346.fc23.noarch
perl-Pod-Escapes-1.07-348.fc23.noarch
perl-File-Path-2.09-347.fc23.noarch
perl-Module-CoreList-5.20160120-1.fc23.noarch
perl-Storable-2.53-346.fc23.x86_64
perl-Module-Pluggable-5.10-6.fc23.noarch
perl-File-Temp-0.23.04-346.fc23.noarch
perl-Pod-Simple-3.31-1.fc23.noarch
perl-DBI-1.633-6.fc23.x86_64
perl-ExtUtils-Manifest-1.70-346.fc23.noarch
perl-ExtUtils-Install-2.04-347.fc23.noarch
perl-libs-5.22.1-350.fc23.x86_64
perl-XML-SAX-Base-1.08-14.fc23.noarch
perl-Digest-HMAC-1.03-11.fc23.noarch
perl-Text-Unidecode-1.27-1.fc23.noarch
perl-URI-1.69-1.fc23.noarch
perl-TimeDate-2.30-7.fc23.noarch
perl-XML-SAX-Writer-0.53-9.fc23.noarch
perl-IO-HTML-1.001-4.fc23.noarch
perl-HTTP-Cookies-6.01-11.fc23.noarch
perl-JSON-2.90-5.fc23.noarch
perl-Params-Util-1.07-13.fc23.x86_64
perl-CPAN-Meta-Requirements-2.133-4.fc23.noarch
perl-Locale-Maketext-1.26-347.fc23.noarch
perl-IPC-Cmd-0.92-346.fc23.noarch
perl-Package-Generator-1.106-5.fc23.noarch
perl-Text-Template-1.46-3.fc23.noarch
perl-macros-5.22.1-350.fc23.x86_64
perl-Parse-CPAN-Meta-1.4417-2.fc23.noarch
perl-Socket-2.021-1.fc23.x86_64
perl-Archive-Tar-2.04-347.fc23.noarch
perl-File-HomeDir-1.00-10.fc23.noarch
perl-CPAN-2.11-348.fc23.noarch
perl-common-sense-3.7.4-1.fc23.x86_64
perl-Curses-1.33-1.fc23.x86_64
perl-HTTP-Tiny-0.056-3.fc23.noarch
perl-Text-ParseWords-3.30-346.fc23.noarch
perl-constant-1.33-347.fc23.noarch
perl-YAML-1.15-4.fc23.noarch
perl-Text-Tabs+Wrap-2013.0523-346.fc23.noarch
perl-parent-0.234-3.fc23.noarch
perl-DBD-MySQL-4.033-1.fc23.x86_64
perl-ExtUtils-Command-1.20-346.fc23.noarch
perl-ExtUtils-MakeMaker-7.04-347.fc23.noarch
perl-Digest-MD5-2.54-346.fc23.x86_64
perl-LWP-MediaTypes-6.02-8.fc23.noarch
perl-NTLM-1.09-11.fc23.noarch
perl-Text-Soundex-3.04-296.fc23.x86_64
perl-WWW-RobotRules-6.02-12.fc23.noarch
perl-HTTP-Date-6.02-12.fc23.noarch
perl-Net-SSLeay-1.71-1.fc23.x86_64
perl-HTTP-Message-6.11-1.fc23.noarch
perl-libwww-perl-6.15-1.fc23.noarch
perl-Convert-ASN1-0.27-4.fc23.noarch
perl-Module-Load-0.32-346.fc23.noarch
perl-Data-OptList-0.109-6.fc23.noarch
perl-Locale-Maketext-Simple-0.21-350.fc23.noarch
perl-ExtUtils-CBuilder-0.280224-1.fc23.noarch
perl-Sub-Exporter-0.987-6.fc23.noarch
perl-Software-License-0.103010-5.fc23.noarch
perl-PathTools-3.62-1.fc23.x86_64
perl-CPAN-Meta-2.150005-2.fc23.noarch
perl-5.22.1-350.fc23.x86_64
perl-inc-latest-0.500-3.fc23.noarch
perl-Text-Glob-0.09-13.fc23.noarch
perl-Crypt-SSLeay-0.72-7.fc23.x86_64
perl-BDB-1.91-3.fc23.x86_64
perl-Glib-1.313-1.fc23.x86_64
perl-Term-Cap-1.17-1.fc23.noarch
perl-MIME-Base64-3.15-348.fc23.x86_64
perl-Pod-Usage-1.67-3.fc23.noarch
openssl-perl-1.0.2e-3.fc23.x86_64
perl-Test-Harness-3.36-1.fc23.noarch
perl-Digest-1.17-346.fc23.noarch
perl-libnet-3.08-1.fc23.noarch
perl-Business-ISBN-Data-20140910.002-3.fc23.noarch
perl-File-Listing-6.04-11.fc23.noarch
perl-HTTP-Negotiate-6.01-11.fc23.noarch
perl-LDAP-0.65-3.fc23.noarch
perl-IO-Zlib-1.10-350.fc23.noarch
perl-local-lib-2.18-1.fc23.noarch
perl-JSON-PP-2.27300-347.fc23.noarch
perl-Unicode-Normalize-1.24-1.fc23.x86_64
perl-Module-Build-0.42.14-2.fc23.noarch
perl-Digest-MD4-1.9-8.fc23.x86_64
perl-Net-LibIDN-0.12-22.fc23.x86_64
perl-Term-ANSIColor-4.03-346.fc23.noarch
perl-Encode-2.78-2.fc23.x86_64
perl-threads-shared-1.48-346.fc23.x86_64
perl-Math-BigInt-1.9997-350.fc23.noarch

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-26 Thread Christian Kratzer
Hi,

On Tue, 26 Jan 2016, Hugo Veiga wrote:
> Hi Alan,
>
> I have the same config on radiator 4.9 and it works perfectly.
>
> About the stuff order ;) , I use the Authby as "functions" and usually I
> put them before the handlers, this is very practical to reuse code.
>
> As you suggested I tried to put them after the handlers and I have the same
> exact result.

try getting a trace 4 log from the authentication on your 4.9 radiator
so we can see the difference.

Greetings
Christian


>
> Best regards,
> Hugo Veiga
>
>
> 2016-01-25 19:09 GMT+00:00 Alan Buxey :
>
>> Try putting your stuff into order - your inner stuff , handlers et al ,
>> AFTER the realm check (where you are then asking for a particular handler).
>>
>> The goodies directory provides ready to go starting recipes for this stuff
>> (so you can see how handlers/inner work)
>>
>> alan
>

-- 
Christian Kratzer   CK Software GmbH
Email:   c...@cksoft.de   Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0   D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9   HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843   Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/


Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-26 Thread Hugo Veiga
Hi Alan,

I have the same config on radiator 4.9 and it works perfectly.

About the stuff order ;) , I use the Authby as "functions" and usually I
put them before the handlers, this is very practical to reuse code.

As you suggested I tried to put them after the handlers and I have the same
exact result.

Best regards,
Hugo Veiga


2016-01-25 19:09 GMT+00:00 Alan Buxey :

> Try putting your stuff into order - your inner stuff , handlers et al ,
> AFTER the realm check (where you are then asking for a particular handler).
>
> The goodies directory provides ready to go starting recipes for this stuff
> (so you can see how handlers/inner work)
>
> alan

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-26 Thread Christian Kratzer
Hi,

On Tue, 26 Jan 2016, Hugo Veiga wrote:

> In my original message I have by mistake a AuthBy INTERNAL in the outter
> authentication it's actually a AuthBy SQL clause.

which is exactly why I made you test your 4.9 case.


AuthBy SQL supports EAP.
AuthBy FILE also supports EAP.

and as Heikki said before: AuthBy INTERNAL does not.
>
>
> This is trace from radiator 4.9.
>
> Tue Jan 26 15:01:15 2016: DEBUG: Handling request with Handler
> 'Realm=/^convidado$/i', Identifier ''
> Tue Jan 26 15:01:15 2016: DEBUG:  Deleting session for 1745@convidado,
> 10.240.1.1, 54482
> Tue Jan 26 15:01:15 2016: DEBUG: Handling with Radius::AuthSQL:
> SQLAccounting
> Tue Jan 26 15:01:15 2016: DEBUG: AuthBy SQL result: IGNORE, Ignored due to
> IgnoreAuthentication
> Tue Jan 26 15:01:15 2016: DEBUG: Handling with Radius::AuthSQL: PEAP_CONVIDADO
> Tue Jan 26 15:01:15 2016: DEBUG: Handling with Radius::AuthSQL: PEAP_CONVIDADO

this is proof that the first packet is going into an AuthSQL.  In your
4.16 example it was going into your AuthBy INTERNAL handler.

Your old configuration from 4.9 should run on 4.16.  Just do not
swap your AuthBy FILE or AuthBy SQL for an AuthBy INTERNAL.

Greetings
Christian

-- 
Christian Kratzer   CK Software GmbH
Email:   c...@cksoft.de   Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0   D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9   HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843   Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/


Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-26 Thread Hugo Veiga
In my original message I had by mistake an AuthBy INTERNAL in the outer
authentication; it's actually an AuthBy SQL clause.


This is trace from radiator 4.9.

Tue Jan 26 15:01:15 2016: DEBUG: Handling request with Handler
'Realm=/^convidado$/i', Identifier ''
Tue Jan 26 15:01:15 2016: DEBUG:  Deleting session for 1745@convidado,
10.240.1.1, 54482
Tue Jan 26 15:01:15 2016: DEBUG: Handling with Radius::AuthSQL:
SQLAccounting
Tue Jan 26 15:01:15 2016: DEBUG: AuthBy SQL result: IGNORE, Ignored due to
IgnoreAuthentication
Tue Jan 26 15:01:15 2016: DEBUG: Handling with Radius::AuthSQL:
PEAP_CONVIDADO
Tue Jan 26 15:01:15 2016: DEBUG: Handling with Radius::AuthSQL:
PEAP_CONVIDADO
Tue Jan 26 15:01:15 2016: DEBUG: Handling with EAP: code 2, 1, 19, 1
Tue Jan 26 15:01:15 2016: DEBUG: Response type 1
Tue Jan 26 15:01:15 2016: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Jan 26 15:01:15 2016: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP
Challenge
Tue Jan 26 15:01:15 2016: DEBUG: Access challenged for 1745@convidado: EAP
PEAP Challenge
Tue Jan 26 15:01:15 2016: DEBUG: Packet dump:
*** Sending to 10.240.1.1 port 20009 

Packet length = 46
0b 4f 00 2e 37 11 be 25 0c e7 2b ed b6 7b b5 31
79 0b 0d d8 4f 08 01 02 00 06 19 20 50 12 dc 0c
ea 9e 18 75 49 84 2c e3 ba 1b 6c f8 56 79
Code:   Access-Challenge
Identifier: 79
Authentic:  7<17><190>%<12><231>+<237><182>{<181>1y<11><13><216>
Attributes:
EAP-Message = <1><2><0><6><25>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Jan 26 15:01:15 2016: DEBUG: Handling request with Handler
'Realm=/^convidado$/i', Identifier ''
Tue Jan 26 15:01:15 2016: DEBUG:  Deleting session for 1745@convidado,
10.240.1.1, 54482
Tue Jan 26 15:01:15 2016: DEBUG: Handling with Radius::AuthSQL:
SQLAccounting
Tue Jan 26 15:01:15 2016: DEBUG: AuthBy SQL result: IGNORE, Ignored due to
IgnoreAuthentication
Tue Jan 26 15:01:15 2016: DEBUG: Handling with Radius::AuthSQL:
PEAP_CONVIDADO
Tue Jan 26 15:01:15 2016: DEBUG: Handling with Radius::AuthSQL:
PEAP_CONVIDADO
Tue Jan 26 15:01:15 2016: DEBUG: Handling with EAP: code 2, 2, 122, 25
Tue Jan 26 15:01:15 2016: DEBUG: Response type 25
Tue Jan 26 15:01:15 2016: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Jan 26 15:01:15 2016: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP
Challenge
Tue Jan 26 15:01:15 2016: DEBUG: Access challenged for 1745@convidado: EAP
PEAP Challenge
Tue Jan 26 15:01:15 2016: DEBUG: Packet dump:
*** Sending to 10.240.1.1 port 20009 

Packet length = 1056
0b 50 04 20 18 ae a2 7c d0 65 11 99 e3 db 6e 7c
d3 f3 ac 8d 4f ff 01 03 03 f2 19 c0 00 00 04 4b
16 03 01 00 51 02 00 00 4d 03 01 56 a7 8a 3b ca
c1 23 0c 67 0c d2 a8 e7 16 7a 42 2a 6a b1 b4 2b
f4 f0 1e fb 17 5a d0 2a 9b 99 17 20 bd c3 ec 85
7e 4f e0 28 47 40 6a 12 39 64 da bb 0a b0 78 04
6f b6 68 cd 51 4e 1d d2 6b bf 03 60 00 35 00 00
05 ff 01 00 01 00 16 03 01 03 e7 0b 00 03 e3 00
03 e0 00 03 dd 30 82 03 d9 30 82 02 c1 a0 03 02
01 02 02 09 00 a3 e4 3d af a8 38 8b 21 30 0d 06
09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 81 31
0b 30 09 06 03 55 04 06 13 02 50 54 31 14 30 12
06 03 55 04 08 0c 0b 42 65 69 72 61 20 42 61 69
78 61 31 10 30 0e 06 03 55 04 07 0c 07 43 6f 76
69 6c 68 61 31 0c 30 0a 06 03 55 04 0a 0c 03 55
42 49 31 0b 30 09 06 03 55 04 0b 0c 02 53 49 31
11 30 0f 06 03 55 04 03 0c 08 72 61 64 69 75 73
30 31 31 4f ff 1c 30 1a 06 09 2a 86 48 86 f7 0d
01 09 01 16 0d 68 76 65 69 67 61 40 75 62 69 2e
70 74 30 20 17 0d 31 35 31 31 32 37 31 35 30 34
31 34 5a 18 0f 32 30 39 38 30 31 31 35 31 35 30
34 31 34 5a 30 81 81 31 0b 30 09 06 03 55 04 06
13 02 50 54 31 14 30 12 06 03 55 04 08 0c 0b 42
65 69 72 61 20 42 61 69 78 61 31 10 30 0e 06 03
55 04 07 0c 07 43 6f 76 69 6c 68 61 31 0c 30 0a
06 03 55 04 0a 0c 03 55 42 49 31 0b 30 09 06 03
55 04 0b 0c 02 53 49 31 11 30 0f 06 03 55 04 03
0c 08 72 61 64 69 75 73 30 31 31 1c 30 1a 06 09
2a 86 48 86 f7 0d 01 09 01 16 0d 68 76 65 69 67
61 40 75 62 69 2e 70 74 30 82 01 22 30 0d 06 09
2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00
30 82 01 0a 02 82 01 01 00 ea e6 b1 7f 27 3e 9c
e2 bf 32 b7 ab cb e4 cc f4 58 49 10 84 90 ca 6f
04 e1 4f ff 11 7e 17 ea 54 ee d8 9e 1f 65 ae 14
c3 38 a6 9a 3f d9 c7 08 a5 4d 96 79 d6 5a 21 3b
11 f2 11 fa 5a d6 17 36 6e 0b 97 52 6d 17 68 64
be 53 3a af a3 a6 44 7f 28 ec 13 9a e6 83 4f 58
cf d2 e4 f1 df c7 66 3c dc 95 b8 30 e9 f0 5c 4b
9f e2 cc 0b a3 bb da aa cc 83 0a 5d ba a7 3c d6
d6 ab 60 23 f0 cd 10 6b 31 8f 9b 71 e5 0e 6a ca
6f 4d 0c 06 fd 26 ee c4 08 0f 50 b4 ef 08 2e 98
93 68 fa a2 cb 16 fe a8 e8 a0 2a 2e 95 b5 e7 04
66 da 8b c1 ef 1a 78 51 6c af db 7a b4 7b 49 49
5d 16 ed e7 a4 7a a7 4b 7b 29 be aa 21 26 f7 9f
3e 7a b1 f0 22 63 36 b3 d7 63 7e 4c a2 2c bc 25
4e 49 2c e5 e5 d1 40 6c 0f ee 9c d0 1d 01 af 49
94 29 4d 61 62 0f b9 55 8e 65 7d a1 ad 82 88 33
a0 92 01 7a 24 91 67 5b 7e 99 59 02 03 01 00 01
a3 50 30 4e 30 1d 06 03 55 1d 0e 04 16 04 14 eb
bb 4f fd f0 27 e9 39 88 fc 26 d0 e8 33 23 73 0f
2d 73 f7 8e 5b 30 1f 06 03 55 1d 23 04 18 30 16
80 14 eb bb f0 27 e9 39 88 fc 26 

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-26 Thread Hugo Veiga
Sorry for the waste of your time, and thanks for your point (I was
trying all possible things that I could remember and this went to the list
by mistake).

Also tried another certificate but it's doing the same, it gets stuck and
never reaches the inner handler.

Here is a trace from 4.16 with the SQL clause just like 4.9 (except for the
AuthBy SQL "Accounting", which is in 4.9 because it's a production
environment and which I'm not doing right now for 4.16).

Best regards,
Hugo Veiga


The config file for 4.16:

# Note: the <AuthBy> and <Handler> clause tags did not survive the list
# archive's HTML stripping and are restored here. The outer Handler check
# is taken from the trace below ('Realm=/^convidado$/i'); the inner Handler
# check is assumed to be the usual TunnelledByPEAP=1 form.

<AuthBy SQL>
    Identifier PEAP_CONVIDADO_INNER
    DBSource dbi:mysql:radius-temp
    DBUsername db_user
    DBAuth db_passwd_1234
    Timeout 10
    SQLRetries 4
    FailureBackoffTime 10
    EAPType MSCHAP-V2
    AuthSelect SELECT password FROM convidado WHERE username=SUBSTRING('%u',1,LOCATE('@','%u')) AND datai<"%Y-%m-%d %H:%M:%S" AND dataf>"%Y-%m-%d %H:%M:%S"
</AuthBy>

<AuthBy SQL>
    Identifier PEAP_CONVIDADO
    DBSource dbi:mysql:radius-temp
    DBUsername db_user
    DBAuth db_passwd_1234
    Timeout 10
    SQLRetries 4
    FailureBackoffTime 10
    EAPType PEAP
    EAPAnonymous %u
    EAPTLS_PEAPVersion 0
    EAPTTLS_NoAckRequired
    EAPTLS_CAFile /etc/radiator/hvcert.pem
    EAPTLS_CertificateFile /etc/radiator/hvcert.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile /etc/radiator/hvkey.pem
    EAPTLS_MaxFragmentSize 1000
    AutoMPPEKeys
</AuthBy>

# Inner (tunnelled) authentication: MSCHAP-V2 inside the PEAP tunnel.
<Handler TunnelledByPEAP=1>
    AuthBy PEAP_CONVIDADO_INNER
</Handler>

# Outer authentication: starts the PEAP exchange.
<Handler Realm=/^convidado$/i>
    AuthByPolicy ContinueAlways
    # AuthBy SQLAccounting - not used for this test
    AuthBy PEAP_CONVIDADO
</Handler>
Dump:

Tue Jan 26 15:54:52 2016: DEBUG: Packet dump:
*** Received from 10.240.1.1 port 20004 

Packet length = 163
01 b4 00 a3 8b 03 28 8f 0a 8b 4e 9e 3c 46 ac c2
a3 a8 87 4f 57 07 41 50 32 2f 31 1f 13 43 34 2d
38 35 2d 30 38 2d 41 36 2d 43 30 2d 32 46 1e 1b
30 30 2d 31 31 2d 38 38 2d 44 32 2d 44 39 2d 39
34 3a 63 63 74 65 73 74 65 06 06 00 00 00 02 4f
15 02 01 00 13 01 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 01 10 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 05 06 00 00 dc 55 3d 06 00 00 00 13
04 06 0a f0 01 01 20 0b 65 6e 74 65 72 61 73 79
73 50 12 e3 bc 56 bf 10 ec 97 f5 f8 22 c6 7e 96
a4 80 c8
Code:   Access-Request
Identifier: 180
Authentic:  <139><3>(<143><10><139>N<158><194><163><168><135>O
Attributes:
NAS-Port-Id = "AP2/1"
Calling-Station-Id = "C4-85-08-A6-C0-2F"
Called-Station-Id = "00-11-88-D2-D9-94:ccteste"
Service-Type = Framed-User
EAP-Message = <2><1><0><19><1>1745@convidado
User-Name = "1745@convidado"
NAS-Port = 56405
NAS-Port-Type = Wireless-IEEE-802-11
NAS-IP-Address = 10.240.1.1
NAS-Identifier = "enterasys"
Message-Authenticator =
<227><188>V<191><16><236><151><245><248>"<198>~<150><164><128><200>

Tue Jan 26 15:54:52 2016: DEBUG: Handling request with Handler
'Realm=/^convidado$/i', Identifier ''
Tue Jan 26 15:54:52 2016: DEBUG:  Deleting session for 1745@convidado,
10.240.1.1, 56405
Tue Jan 26 15:54:52 2016: DEBUG: Handling with Radius::AuthSQL:
PEAP_CONVIDADO
Tue Jan 26 15:54:52 2016: DEBUG: Handling with Radius::AuthSQL:
PEAP_CONVIDADO
Tue Jan 26 15:54:52 2016: DEBUG: Handling with EAP: code 2, 1, 19, 1
Tue Jan 26 15:54:52 2016: DEBUG: Response type 1
Tue Jan 26 15:54:52 2016: DEBUG: EAP result: 3, EAP PEAP Challenge
Tue Jan 26 15:54:52 2016: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP
Challenge
Tue Jan 26 15:54:52 2016: DEBUG: Access challenged for 1745@convidado: EAP
PEAP Challenge
Tue Jan 26 15:54:52 2016: DEBUG: Packet dump:
*** Sending to 10.240.1.1 port 20004 

Packet length = 46
0b b4 00 2e fa a6 ac 2d f7 6f 14 aa 11 5c 6e 0e
a4 24 88 8e 4f 08 01 02 00 06 19 20 50 12 2d 47
b9 13 e4 7d 75 21 1b 7e 14 4b 39 67 16 5e
Code:   Access-Challenge
Identifier: 180
Authentic:  <250><166><172>-<247>o<20><170><17>\n<14><164>$<136><142>
Attributes:
EAP-Message = <1><2><0><6><25>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Jan 26 15:54:57 2016: DEBUG: Packet dump:
*** Received from 10.240.1.1 port 20004 

Packet length = 163
01 b4 00 a3 8b 03 28 8f 0a 8b 4e 9e 3c 46 ac c2
a3 a8 87 4f 57 07 41 50 32 2f 31 1f 13 43 34 2d
38 35 2d 30 38 2d 41 36 2d 43 30 2d 32 46 1e 1b
30 30 2d 31 31 2d 38 38 2d 44 32 2d 44 39 2d 39
34 3a 63 63 74 65 73 74 65 06 06 00 00 00 02 4f
15 02 01 00 13 01 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 01 10 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 05 06 00 00 dc 55 3d 06 00 00 00 13
04 06 0a f0 01 01 20 0b 65 6e 74 65 72 61 73 79
73 50 12 e3 bc 56 bf 10 ec 97 f5 f8 22 c6 7e 96
a4 80 c8
Code:   Access-Request
Identifier: 180
Authentic:  <139><3>(<143><10><139>N<158><194><163><168><135>O
Attributes:
NAS-Port-Id = "AP2/1"
Calling-Station-Id = "C4-85-08-A6-C0-2F"
Called-Station-Id = "00-11-88-D2-D9-94:ccteste"
Service-Type = Framed-User
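To tie Heikki's diagnosis to the bytes, here is an added example (not code from the thread or from Radiator) that decodes the two packets from the 4.16 trace above and reproduces the duplicate-request handling behind the "Duplicate request id 180 received from 10.240.1.1(20004): retransmit reply" log line. The hex is copied from the "Received from" and "Sending to" dumps; the attribute numbers are the standard RFC 2865/2869/3580 ones, and the class and function names are my own.

```python
"""Decode the RADIUS packets from the 4.16 trace and reproduce the
duplicate-request handling Heikki points at. Standard library only."""
import struct
from dataclasses import dataclass

# Hex copied from the "*** Received from 10.240.1.1 port 20004" dump in the trace.
ACCESS_REQUEST_HEX = """
01 b4 00 a3 8b 03 28 8f 0a 8b 4e 9e 3c 46 ac c2
a3 a8 87 4f 57 07 41 50 32 2f 31 1f 13 43 34 2d
38 35 2d 30 38 2d 41 36 2d 43 30 2d 32 46 1e 1b
30 30 2d 31 31 2d 38 38 2d 44 32 2d 44 39 2d 39
34 3a 63 63 74 65 73 74 65 06 06 00 00 00 02 4f
15 02 01 00 13 01 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 01 10 31 37 34 35 40 63 6f 6e 76 69
64 61 64 6f 05 06 00 00 dc 55 3d 06 00 00 00 13
04 06 0a f0 01 01 20 0b 65 6e 74 65 72 61 73 79
73 50 12 e3 bc 56 bf 10 ec 97 f5 f8 22 c6 7e 96
a4 80 c8
"""
# Hex copied from the "*** Sending to 10.240.1.1 port 20004" dump (Radiator's reply).
ACCESS_CHALLENGE_HEX = """
0b b4 00 2e fa a6 ac 2d f7 6f 14 aa 11 5c 6e 0e
a4 24 88 8e 4f 08 01 02 00 06 19 20 50 12 2d 47
b9 13 e4 7d 75 21 1b 7e 14 4b 39 67 16 5e
"""

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# The RFC 2865/2869/3580 attribute numbers that occur in this trace.
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
         30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
         61: "NAS-Port-Type", 79: "EAP-Message", 80: "Message-Authenticator",
         87: "NAS-Port-Id"}
INT_ATTRS = {"NAS-Port", "Service-Type", "NAS-Port-Type"}


@dataclass
class RadiusPacket:
    code: int
    identifier: int
    authenticator: bytes
    attributes: list  # (name, decoded value) pairs, in wire order


def hexbytes(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


def decode_value(name: str, value: bytes):
    if name in INT_ATTRS:
        return struct.unpack("!I", value)[0]
    if name == "NAS-IP-Address":
        return ".".join(str(b) for b in value)
    if name in ("EAP-Message", "Message-Authenticator"):
        return value                       # keep binary attributes as bytes
    return value.decode("ascii", "replace")


def parse_radius(raw: bytes) -> RadiusPacket:
    """Parse a RADIUS datagram, rejecting anything whose length fields do not
    agree with the bytes received (RFC 2865 says such packets are discarded)."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError(f"length field {length} inconsistent with {len(raw)} bytes")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        name = ATTRS.get(atype, f"Attr-{atype}")
        attrs.append((name, decode_value(name, raw[pos + 2:pos + alen])))
        pos += alen
    return RadiusPacket(code, ident, raw[4:20], attrs)


def eap_header(pkt: RadiusPacket) -> tuple:
    """Join the EAP-Message fragments and return (code, id, length, type): the
    four numbers behind Radiator's 'Handling with EAP: code 2, 1, 19, 1'."""
    eap = b"".join(v for n, v in pkt.attributes if n == "EAP-Message")
    code, eid, length = struct.unpack("!BBH", eap[:4])
    return code, eid, length, eap[4]


class DuplicateCache:
    """RFC 2865 duplicate detection as Radiator logs it: a request with the same
    source (IP, port), Identifier and Request Authenticator as one already
    answered is a retransmission, so the cached reply is resent unchanged."""
    def __init__(self):
        self.replies = {}

    def handle(self, src: tuple, pkt: RadiusPacket, make_reply):
        key = (src, pkt.identifier, pkt.authenticator)
        if key in self.replies:
            return "retransmit", self.replies[key]
        reply = make_reply(pkt)
        self.replies[key] = reply
        return "new", reply


def replay_trace() -> list:
    """Feed the identity request twice, as the Wi-Fi controller did five seconds
    apart, and return what the server did each time: ['new', 'retransmit']."""
    cache = DuplicateCache()
    src = ("10.240.1.1", 20004)
    request = parse_radius(hexbytes(ACCESS_REQUEST_HEX))
    challenge = parse_radius(hexbytes(ACCESS_CHALLENGE_HEX))
    return [cache.handle(src, request, lambda _req: challenge)[0] for _ in range(2)]
```

The decoded request carries EAP code 2 (Response), id 1, length 19, type 1 (Identity), and the challenge carries EAP code 1 (Request), id 2, type 25 (PEAP) with the start flag set: the client should answer id 2 next. A second copy of id 1 with the identical Request Authenticator is, by the RFC's rule, a retransmission and gets the cached reply, which is why the log shows the server answering correctly while the NAS never moves on. Seeing that pattern repeat is the signal to look at the return path rather than at the EAP configuration.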
 

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-25 Thread Alan Buxey
Try putting your stuff into order: your inner stuff, handlers et al., AFTER 
the realm check (where you are then asking for a particular handler). 

The goodies directory provides ready to go starting recipes for this stuff (so 
you can see how handlers/inner work)

alan

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-25 Thread Heikki Vatiainen
On 01/25/2016 07:57 PM, Hugo Veiga wrote:

> I'm upgrading from 4.9 to radiator 4.16 and I'm stuck because I can't
> get radiator to get to the inner authentication phase.

AuthBy INTERNAL does not work with EAP (PEAP in this case). It just
ignores the request by default.

If you had problems with the upgrade and changed your configuration,
make sure that you have Digest::SHA installed. It became mandatory in
Radiator 4.10. It's part of core Perl since Perl 5.10. For some reason
RHEL and CentOS have packaged it separately, so for those you need to
install perl-Digest-SHA RPM package.

> It simply doesn't dispatch to the inner handler! Am I missing to install
> something?

It's the AuthBy INTERNAL that's causing this. See if you have an older
configuration and compare what has changed.

Thanks,
Heikki

-- 
Heikki Vatiainen 
