On 04/22/2011 06:22 AM, Augusto Cabrera wrote:
Hello Augusto, I hope you had a good Easter weekend.
> I have a problem with the configuration in radiator.cfg, help me please, I have
> an authentication error:
The problem seems to be this:
Thu Apr 21 13:46:45 2011: DEBUG: AuthBy WIMAX result: REJECT, No Handler for TTLS inner authentication
The TTLS inner authentication in the log contains three attributes,
User-Name, MS-CHAP-Challenge and MS-CHAP2-Response. None of the Handlers
match this inner request.
Try defining something like this to match and process the TTLS inner
authentication:
<Handler TunnelledByTTLS=1>
# AuthBy
# Any other settings
</Handler>
> Code: Access-Request
> Identifier: 38
> Authentic: <0><0><25><177><0><0>c<248><0><0>{<148><0><0><17><240>
> Attributes:
> User-Name = "@usbwimax"
> NAS-IP-Address = 3.3.3.3
> Calling-Station-Id = "5c4ca9e2b7dc"
> NAS-Identifier = "WASN9770"
> Event-Timestamp = 1303411496
> EAP-Message = <2><24><0><192><21><0><23><3><1><0>
> H WiMAX-Capability = <1><5>1.1<2><3><2><3><3><1><5><3><1><4><3><1>
> WiMAX-BS-ID = 00000203f120
> WiMAX-GMT-Timezone-Offset = -18000
> NAS-Port-Type = Wireless-IEEE-802.16
> WiMAX-PPAC = <1><6><0><0><0>c
> Service-Type = Framed-User
> Chargeable-User-Identity = ""
> Message-Authenticator = <7>f<185><139><189>D<174><229><18>j<150><201>yZ<3><190>
> Thu Apr 21 13:46:45 2011: DEBUG: Handling request with Handler 'NAS-IP-Address=3.3.3.3, Realm=usbwimax', Identifier 'AUTH-WIMAX'
> Thu Apr 21 13:46:45 2011: DEBUG: Deleting session for @usbwimax, 3.3.3.3,
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with Radius::AuthSQL: AAA-SQL
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with Radius::AuthSQL: AAA-SQL
> Thu Apr 21 13:46:45 2011: DEBUG: Query is: 'select reason from blacklist where nai='5c4ca9e2b7dc'':
> Thu Apr 21 13:46:45 2011: DEBUG: Radius::AuthSQL looks for match with 5c4ca9e2b7dc [@usbwimax]
> Thu Apr 21 13:46:45 2011: DEBUG: Radius::AuthSQL REJECT: No such user: 5c4ca9e2b7dc [@usbwimax]
> Thu Apr 21 13:46:45 2011: DEBUG: Query is: 'select reason from blacklist where nai='DEFAULT'':
> Thu Apr 21 13:46:45 2011: DEBUG: AuthBy SQL result: ACCEPT, No such user
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with Radius::AuthWIMAX: AAA-WIMAX
> Thu Apr 21 13:46:45 2011: DEBUG: Handling with EAP: code 2, 24, 192, 21
> Thu Apr 21 13:46:45 2011: DEBUG: Response type 21
> Thu Apr 21 13:46:45 2011: DEBUG: EAP TTLS data, 3, 24, 23
> Thu Apr 21 13:46:45 2011: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code: UNDEF
> Identifier: UNDEF
> Authentic: UNDEF
> Attributes:
> User-Name = "acabrera"
> MS-CHAP-Challenge = ]t<156><132><145>x<247><24>){<201>u<249><22><199>*
> MS-CHAP2-Response = y<0><22>j<195><199>
> <144><226>l<214><223>@<219><134><146><211><182><0><0><0><0><0><0><0><0>P<177><244><196>,T<246><182>YZ*(<26><229>S<182>|/jq<134><232>?<222>
> Thu Apr 21 13:46:45 2011: DEBUG: EAP TTLS inner authentication request for acabrera
> Thu Apr 21 13:46:45 2011: DEBUG: EAP result: 1, No Handler for TTLS inner authentication
> Thu Apr 21 13:46:45 2011: DEBUG: AuthBy WIMAX result: REJECT, No Handler for TTLS inner authentication
> Thu Apr 21 13:46:45 2011: INFO: Access rejected for 5c4ca9e2b7dc: No Handler for TTLS inner authentication
> Thu Apr 21 13:46:45 2011: DEBUG: Packet dump:
> My configuration is:
>
> # Client definition
>
> <Client 3.3.3.3>
> Secret wimaxwimax
> Identifier WIMAX
> DupInterval 5
> </Client>
>
> <Client 10.0.5.10>
> Secret secret
> Identifier EVDO
> DupInterval 0
> </Client>
>
> <AuthBy SQL>
> Identifier AAA-SQL
> # Details for accessing the SQL database that contains
> # user/device passwords, Device-Sessions etc.
> # This should match the username created in wimax.sql
> DBSource dbi:mysql:wimax
> DBUsername mikem
> DBAuth fred
> NoEAP
> Blacklist
> AuthenticateAttribute Calling-Station-Id
> AuthSelect select reason from blacklist where nai=%0
> </AuthBy>
> <AuthBy WIMAX>
> Identifier AAA-WIMAX
> DBSource dbi:mysql:wimax
> DBUsername mikem
> DBAuth fred
> # WiMAX is required to handle at least TTLS
> # We can handle any type that generates MSK and EMSK
> EAPType TTLS, TLS, PEAP, MSCHAP-V2, PSK, PAX, FAST, SIM, AKA
> EAPTLS_CAFile /etc/ssl/cert1/Rootcacert.pem
> EAPTLS_CertificateFile /etc/ssl/cert1/Servercert.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /etc/ssl/cert1/Serverkey.pem
> EAPTLS_PrivateKeyPassword 12345678
>
> EAPTLS_MaxFragmentSize 1400
>
> HAPassword mysecret
> AccountingTable ACCOUNTING
>
> AcctColumnDef STATUS_TYPE,Acct-Status-Type
> AcctColumnDef WIMAX_BEGINNING_OF_SESSION,WiMAX-Beginning-Of-Session
> AcctColumnDef SESSION_ID,Acct-Session-Id
> AcctColumnDef FRAMED_IP_ADDRESS,Framed-IP-Address
> AcctColumnDef NAI,User-Name
> AcctColumnDef USER_NAME,Chargeable-User-Identity
> AcctColumnDef STATION_ID,Calling-Station-Id
> AcctColumnDef NAS_IDENTIFIER,NAS-Identifier
> AcctColumnDef NAS_IP_ADDRESS,NAS-IP-Address
> AcctColumnDef WiMAX_BS_ID,WiMAX-BS-ID
> AcctColumnDef EVENT_TIMESTAMP,Event-Timestamp
> AcctColumnDef HUAWEI_USER_PRIORITY,Huawei-User-Priority
> AcctColumnDef SESSION_TIME,Acct-Session-Time
> AcctColumnDef WIMAX_ACTIVE_TIME,WiMAX-Active-Time
> AcctColumnDef INPUT_OCTETS,Acct-Input-Octets
> AcctColumnDef OUTPUT_OCTETS,Acct-Output-Octets
> AcctColumnDef TERMINATE_CAUSE,Acct-Terminate-Cause
> </AuthBy>
>
> <AuthBy RADMIN>
> Identifier AAA-SQL-CDMA-EVDO
> NoDefault
> DefaultSimultaneousUse 1
> CaseInsensitivePasswords
> RejectEmptyPassword
> DBSource dbi:mysql:radmin:localhost
> DBUsername radmin
> DBAuth radminpw
> AuthSelect select PASS_WORD,STATICADDRESS,TIMELEFT,\
> MAXLOGINS,SERVICENAME, BADLOGINS, VALIDFROM,\
> VALIDTO, CLASE, IMSI \
> from RADUSERS where USERNAME=%0
> # AuthColumnDef 0,Class,reply
> AuthColumnDef IMSI,reply
> AccountingTable RADUSAGE
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Event-Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,3GPP2-Correlation-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> AcctColumnDef NASIDENTIFIER,NAS-IP-Address
> AcctColumnDef NASPORT,Calling-Station-Id,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> # We limit the user's maximum connection time according to the
> # following schedule
> # AddToReply Session-Timeout = "until Time"
> </AuthBy>
>
>
> # Handler for WIMAX
> <Handler NAS-IP-Address=3.3.3.3, Realm=wimaxtest>
> AuthByPolicy ContinueWhileAccept
> AuthBy AAA-SQL
> AuthBy AAA-WIMAX
> Identifier AUTH-WIMAX
> RejectHasReason
> AccountingHandled
> </Handler>
>
> # Handler for WIMAX
> <Handler NAS-IP-Address=3.3.3.3, Realm=usbwimax>
> AuthByPolicy ContinueWhileAccept
> AuthBy AAA-SQL
> AuthBy AAA-WIMAX
> Identifier AUTH-WIMAX
> RejectHasReason
> AccountingHandled
> </Handler>
>
> # Handler for EVDO
> <Handler NAS-IP-Address="/10.0.5.12|10.0.5.14|10.0.5.16|10.0.5.10/", Realm=evdo.com>
> AuthByPolicy ContinueWhileAccept
> AuthBy AAA-SQL-CDMA-EVDO
> Identifier AUTH-EVDO
> RejectHasReason
> AccountingHandled
> </Handler>
>
>
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator
--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
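A filled-in version of the inner-tunnel Handler that Heikki's reply sketches, written to fit the posted config. This is an added example, not part of Heikki's message, Augusto's config or Radiator's shipped goodies files. The AuthBy Identifier AAA-INNER, the Handler Identifier AUTH-TTLS-INNER and the SUBSCRIBERS(USERNAME, PASSWORD) table are assumptions; the DBSource and database credentials are copied from the posted <AuthBy WIMAX>.

```text
# Added example (not from the thread): Handler + AuthBy for the request
# that Radiator decrypts out of the TTLS tunnel. Identifiers AAA-INNER and
# AUTH-TTLS-INNER and the SUBSCRIBERS table/columns are assumptions.

# The inner request in the log carries User-Name, MS-CHAP-Challenge and
# MS-CHAP2-Response. To verify MS-CHAP-V2 the server must recompute the
# NT-Response, so the SELECT has to return either the cleartext password
# or the NT hash stored as {nthash} followed by 32 hex characters.
# A one-way hash such as {crypt} or {SHA} can never satisfy MS-CHAP-V2
# and would make every inner authentication a REJECT.
<AuthBy SQL>
	Identifier AAA-INNER
	DBSource dbi:mysql:wimax
	DBUsername mikem
	DBAuth fred
	# Assumed table and columns: SUBSCRIBERS(USERNAME, PASSWORD).
	# %0 is the quoted inner User-Name ("acabrera" in the log).
	AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=%0
	# Also answer EAP-MSCHAP-V2 if a client tunnels EAP inside TTLS
	# instead of the legacy non-EAP MS-CHAP-V2 attributes seen here
	EAPType MSCHAP-V2
</AuthBy>

# Matches only requests Radiator itself extracted from a TTLS tunnel.
# The inner User-Name has no realm, so the outer
# "NAS-IP-Address=3.3.3.3, Realm=usbwimax" Handlers never match it.
# Radiator uses the first Handler whose check items match, so keep this
# ahead of any catch-all <Handler> with no check items.
<Handler TunnelledByTTLS=1>
	Identifier AUTH-TTLS-INNER
	AuthBy AAA-INNER
	RejectHasReason
</Handler>

# For a quick test without the database, the same Handler can point at a
# users file instead (leave only one AuthBy with Identifier AAA-INNER):
#<AuthBy FILE>
#	Identifier AAA-INNER
#	Filename %D/users
#	EAPType MSCHAP-V2
#</AuthBy>
# with a line in %D/users such as:
#   acabrera	User-Password = "test-password-for-acabrera"
```

The outer <AuthBy WIMAX> keeps handling the TLS tunnel and the key material (MSK/EMSK); only the credential check moves into the inner Handler. Because MS-CHAP-V2 needs a reversible credential (cleartext or an NT hash, which is password-equivalent), the SUBSCRIBERS table and the DBAuth password protecting it deserve the same care as the TLS private key, and clients should be configured to validate the server certificate issued under the EAPTLS_CAFile chain so the tunnel is not terminated by a rogue access point.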