Yup, I already did that, but somehow right now my switch stopped sending auth requests to my RADIUS :-). Let me check it first, thanks a lot.

Regards,
Indrajaya Pitra Perdana

On 12/14/2011 9:44 PM, Heikki Vatiainen wrote:
On 12/14/2011 04:33 PM, Indrajaya Pitra Perdana wrote:

Yup, I already imported the root.der into Trusted Root Certification
Authorities. Does the Radiator demo certificate include the xpextension? Thanks

Importing the certificates to trusted root certificate store is
required, but you also need to configure the root CA as trusted in WLAN
configuration. See this and especially point 2f) which shows the CA
selection.

https://wifipartners.itsc.cuhk.edu.hk/getting-connected-eduroam-winxp.html

Also, do something like this to see that the certificates are valid and their
validity dates have not passed:

openssl x509 -noout -text -in certificates/cert-srv.pem

Thanks!
Heikki


Code:       Access-Request
Identifier: 33
Authentic:  1<197><232><26>`<178><223>;<31><225><30><138><202>Zv<151>
Attributes:
         NAS-IP-Address = x.x.x.x
         NAS-Port = 50011
         NAS-Port-Type = Ethernet
         User-Name = "indrajaya"
         Calling-Station-Id = "00-1B-38-A5-45-A5"
         Service-Type = Framed-User
         EAP-Message =
<2><2><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>N<232>1<194>g<140><177>`G<194><25>B+<191><195><26><223><152>wPjlR<190><224><10><147><176><236><189>0<182><0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
         Message-Authenticator =
b<134><218>`<173>3`<196><246><207><134>E<10><155><0><228>

Wed Dec 14 12:17:53 2011: DEBUG: Handling request with Handler '',
Identifier ''
Wed Dec 14 12:17:53 2011: DEBUG:  Deleting session for indrajaya,
x.x.x.x, 50011
Wed Dec 14 12:17:53 2011: DEBUG: do query is: 'delete from RADONLINE
where NASIDENTIFIER = 'x.x.x.x' and NASPORT = 050011':
Wed Dec 14 12:17:53 2011: DEBUG: Handling with Radius::AuthSQL:
Wed Dec 14 12:17:53 2011: DEBUG: Handling with Radius::AuthSQL:
Wed Dec 14 12:17:53 2011: DEBUG: Handling with EAP: code 2, 2, 80, 25
Wed Dec 14 12:17:53 2011: DEBUG: Response type 25
Wed Dec 14 12:17:53 2011: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Wed Dec 14 12:17:53 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
Wed Dec 14 12:17:53 2011: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP
Challenge
Wed Dec 14 12:17:53 2011: DEBUG: Access challenged for indrajaya: EAP
PEAP Challenge
Wed Dec 14 12:17:53 2011: DEBUG: Packet dump:
*** Sending to x.x.x.x port 1812 ....
Code:       Access-Challenge
Identifier: 33
Authentic:  n<255><175>k<153><2>n<165><148><140>3<182><148>Q<158><1>
Attributes:
         EAP-Message =
         Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Regards,
Indrajaya Pitra Perdana

On 12/14/2011 9:10 PM, Heikki Vatiainen wrote:
On 12/14/2011 08:11 AM, Indrajaya Pitra Perdana wrote:

I am trying to set up EAP with a Cisco Catalyst 2950 as the authenticator and
Windows XP as the supplicant, but after I enter the credentials in Win XP,
Radiator sends an EAP Access-Challenge that never gets replied to by Win XP,
and in the end Windows XP tells me that the authentication failed. Am I
missing something in my configuration? BTW, I'm using the demo cert provided
by Radiator goodies, and imported the root.der and cert-clt.p12 into my Win XP.
Thanks

When configuring Windows PEAP settings, did you mark the imported
root.der as trusted CA? You need to both import the certificate and then
mark it as trusted for the SSID you are configuring.

The configuration and log snippets look good. The log shows Radiator
sending its certificate to Windows, so if there is no response, then
Windows may not be accepting the certificate yet.

If there are still problems, please reply with the full configuration
file and full Radiator log showing everything from the startup.

Thanks!

Config file:


<Handler TunnelledByPEAP=1>
         MaxSessions 1
         AuthByPolicy ContinueWhileAccept


#<Realm DEFAULT>
         <AuthBy SQL>
                 DBSource        dbi:mysql:radius:localhost
                 DBUsername      radius
                 DBAuth          r4d1usLocal

                 AuthSelect select PASSWORD FROM SUBSCRIBERS WHERE USERNAME=%0

                 AcctColumnDef   User-Password, check
                 AcctColumnDef   USERNAME,User-Name
                 AcctColumnDef   TIME_STAMP,Timestamp,integer
                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
                 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
                 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
                 AcctColumnDef   NASPORT,NAS-Port,integer
                 EAPType MSCHAP-V2
          #      EAPType PEAP
         </AuthBy>

</Handler>

<Handler>

         <AuthBy SQL>
                 DBSource        dbi:mysql:radius:localhost
                 DBUsername      radius
                 DBAuth          r4d1usLocal

                 AuthSelect select PASSWORD FROM SUBSCRIBERS WHERE USERNAME=%0

                 AcctColumnDef   User-Password, check
                 AcctColumnDef   USERNAME,User-Name
                 AcctColumnDef   TIME_STAMP,Timestamp,integer
                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
                 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
                 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
                 AcctColumnDef   NASPORT,NAS-Port,integer

                 EAPType PEAP
           #     EAPType MSCHAP-V2
                 EAPTLS_CAFile /usr/share/doc/packages/Radiator/certificates/demoCA/cacert.pem
                 EAPTLS_CertificateFile /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
                 EAPTLS_CertificateType PEM
                 EAPTLS_PrivateKeyFile /usr/share/doc/packages/Radiator/certificates/cert-srv.pem
                 EAPTLS_PrivateKeyPassword whatever
                 EAPTLS_MaxFragmentSize 1000
                 AutoMPPEKeys

         </AuthBy>

</Handler>


Debug:

*** Received from 202.53.249.28 port 1812 ....
Code:       Access-Request
Identifier: 55
Authentic:  S<155><173>*<150><226><172><149>!<245>i<30>B<229><133><211>
Attributes:
         NAS-IP-Address = 202.53.249.28
         NAS-Port = 50011
         NAS-Port-Type = Ethernet
         User-Name = "indrajaya"
         Calling-Station-Id = "00-1B-38-A5-45-A5"
         Service-Type = Framed-User
         EAP-Message =
<2><148><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>N<232>;<17><191>k<228><146><254>'<27>U<187><187><26>nf%NK<154><8>-<198><186>8<129>u<170><210>#P<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
         Message-Authenticator =<220>DJ<146>1M<9>S5"q<132><197>x<19>

Wed Dec 14 12:57:29 2011: DEBUG: Handling request with Handler '',
Identifier ''
Wed Dec 14 12:57:29 2011: DEBUG:  Deleting session for indrajaya,
202.53.249.28, 50011
Wed Dec 14 12:57:29 2011: DEBUG: do query is: 'delete from RADONLINE
where NASIDENTIFIER = '202.53.249.28' and NASPORT = 050011':
Wed Dec 14 12:57:29 2011: DEBUG: Handling with Radius::AuthSQL:
Wed Dec 14 12:57:29 2011: DEBUG: Handling with Radius::AuthSQL:
Wed Dec 14 12:57:29 2011: DEBUG: Handling with EAP: code 2, 148, 80, 25
Wed Dec 14 12:57:29 2011: DEBUG: Response type 25
Wed Dec 14 12:57:29 2011: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Wed Dec 14 12:57:29 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
Wed Dec 14 12:57:29 2011: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP
Challenge
Wed Dec 14 12:57:29 2011: DEBUG: Access challenged for indrajaya: EAP
PEAP Challenge
Wed Dec 14 12:57:29 2011: DEBUG: Packet dump:
*** Sending to 202.53.249.28 port 1812 ....
Code:       Access-Challenge
Identifier: 55
Authentic:<3>.<248><243>a<172>b`<181>l<138>E<214>6<154><213>
Attributes:
         EAP-Message =
         Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>




--
Regards,
Indrajaya Pitra Perdana


_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
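To check what the EAP-Message dumps in the log above actually carry, here is an added example (not from the thread and not Radiator's own code) that undoes Radiator's `<decimal>` byte escaping and decodes the EAP header, the PEAP flags and the first TLS record of an EAP-Message. The two sample strings are constructed from the leading bytes of the Access-Request and Access-Challenge dumps in the log; everything after those bytes is omitted.

```python
import re

# Radiator's packet dump prints printable bytes literally and every other byte
# as <decimal>; undo that so the EAP-Message value can be decoded.
_ESC = re.compile(r"<(\d{1,3})>")

def unescape_dump(text: str) -> bytes:
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1)))
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}

def parse_peap(raw: bytes) -> dict:
    """Decode EAP header, PEAP flags and first TLS record of one EAP-Message.
    Layout: code(1) id(1) length(2) type(1)=25 flags(1) [tls_total_len(4) if L]
    then a TLS fragment of at most EAPTLS_MaxFragmentSize bytes; the M flag means
    more fragments follow and the peer must ACK before the next one is sent."""
    if len(raw) < 6 or raw[4] != 25:
        raise ValueError("not an EAP-PEAP packet (EAP type 25)")
    eap_length = int.from_bytes(raw[2:4], "big")
    flags, off, total = raw[5], 6, None
    if flags & 0x80:                      # L flag: 4-byte total TLS message length
        total, off = int.from_bytes(raw[6:10], "big"), 10
    data, rec, ver, hs = raw[off:], None, None, None
    if len(data) >= 5:                    # TLS record header: type, major, minor, len(2)
        rec, ver = TLS_TYPES.get(data[0], f"type{data[0]}"), (data[1], data[2])
        if data[0] == 22 and len(data) >= 6:
            hs = HANDSHAKES.get(data[5], f"type{data[5]}")
    return {"code": EAP_CODES.get(raw[0], f"code{raw[0]}"), "id": raw[1],
            "eap_length": eap_length, "more_fragments": bool(flags & 0x40),
            "start": bool(flags & 0x20), "tls_total_length": total,
            "fragment_length": eap_length - off, "tls_record": rec,
            "tls_version": ver, "handshake": hs}

# Constructed sample: the leading bytes of the Access-Request and Access-Challenge
# EAP-Message dumps from the log above (the rest of each dump is truncated here).
REQUEST_PREFIX = "<2><2><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>"
CHALLENGE_PREFIX = "<1><3><3><242><25><192><0><0><7><178><22><3><1><0>J<2><0><0>F<3><1>"

if __name__ == "__main__":
    for side, dump in (("supplicant", REQUEST_PREFIX), ("Radiator", CHALLENGE_PREFIX)):
        print(side, parse_peap(unescape_dump(dump)))
```

The decoded request matches the log's "Handling with EAP: code 2, 2, 80, 25" line (Response, id 2, 80 bytes, PEAP) and carries a TLS 1.0 ClientHello; the challenge is an EAP Request with the L and M flags set, carrying the first 1000 bytes (the configured EAPTLS_MaxFragmentSize) of a 1970-byte ServerHello/Certificate flight, so a supplicant that accepts the server certificate is expected to answer with an empty ACK before the remaining fragment is sent.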
