On 12/20/2011 06:06 AM, Indrajaya Pitra Perdana wrote:
> I upgraded the IOS in my catalyst, the results show a little bit
> differently, seems that the certificate is doing okay, but somehow it keeps
> asking for anonymous user? Is there a configuration that I missed? Here are
> the log file and the config, thanks
Looks like PEAP authentication is now working much better. You should
change your configuration a little and it should work after that.

Add a new Handler before the other Handlers:

<Handler Request-Type=Accounting-Request>
    # Move the second AuthBy from Handler TunnelledByPEAP=1 here
    # You can also remove the second AuthBy from the last Handler
</Handler>

Now it fails because of this:

Tue Dec 20 10:54:17 2011: DEBUG: EAP result: 1, Not authenticated by this AuthBy
Tue Dec 20 10:54:17 2011: DEBUG: AuthBy SQL result: REJECT, Not authenticated by this AuthBy

The AuthBy is the second AuthBy in Handler TunnelledByPEAP=1

About anonymous: 'anonymous' is a name that does not matter here. You should
look for PEAP tunnelled requests, 'DEBUG: PEAP Tunnelled request Packet dump:',
which show the inner authentication and the real identity. For example:

Tue Dec 20 10:54:16 2011: DEBUG: Radius::AuthSQL looks for match with indrajaya [anonymous]

Here 'indrajaya' is the real identity and 'anonymous' in this case is the
default value of the User-Name attribute Radiator adds into the tunnelled
request.

Once you change Handler TunnelledByPEAP=1 I am quite sure your
configuration will work.

Can you tell us how old the IOS version you were using was?

Thanks!
Heikki

>
>
> /Regards,
> Indrajaya Pitra Perdana/
>
> On 12/17/2011 2:01 PM, viet...@indo.net.id wrote:
>>
>> I'm using Microsoft Windows XP Professional SP 2
>>
>> Quoting Heikki Vatiainen <h...@open.com.au>:
>>
>>> On 12/16/2011 04:13 AM, Indrajaya Pitra Perdana wrote:
>>>
>>>> Thanks, I gave it a try, I already enabled TLS trace in my Win XP, and I
>>>> don't see there's an exchange certificate :-)
>>> What client are you using? I noticed the log shows it sends EAP TLS
>>> (type 13) responses while also logging about detecting PEAP authentication.
>>>
>>>> [1448] 11:49:36:218: PeapReadConnectionData
>>>> [1448] 11:49:36:218: PeapReadUserData
>>>> [1448] 11:49:36:218: RasEapGetInfo
>>>> [2884] 11:49:52:515: EapPeapBegin
>>>> [2884] 11:49:52:515: PeapReadConnectionData
>>>> [2884] 11:49:52:515: PeapReadUserData
>>>> [2884] 11:49:52:515:
>>>> [2884] 11:49:52:515: EapTlsBegin(test)
>>>> [2884] 11:49:52:515: State change to Initial
>>>> [2884] 11:49:52:515: EapTlsBegin: Detected 8021X authentication
>>>> [2884] 11:49:52:515: EapTlsBegin: Detected PEAP authentication
>>>> [2884] 11:49:52:515: MaxTLSMessageLength is now 16384
>>>> [2884] 11:49:52:515: EapPeapBegin done
>>>> [2884] 11:49:52:515: EapPeapMakeMessage
>>>> [2884] 11:49:52:515: EapPeapCMakeMessage
>>>> [2884] 11:49:52:515: PEAP:PEAP_STATE_INITIAL
>>>> [2884] 11:49:52:515: EapTlsCMakeMessage
>>>> [2884] 11:49:52:515: EapTlsReset
>>>> [2884] 11:49:52:515: State change to Initial
>>>> [2884] 11:49:52:515: GetCredentials
>>>> [2884] 11:49:52:515: Flag is Client and Store is Current User
>>>> [2884] 11:49:52:515: GetCachedCredentials
>>>> [2884] 11:49:52:515: FreeCachedCredentials
>>>> [2884] 11:49:52:515: No Cert Store. Guest Access requested
>>>> [2884] 11:49:52:515: No Cert Name. Guest access requested
>>>> [2884] 11:49:52:515: Will validate server cert
>>>> [2884] 11:49:52:515: MakeReplyMessage
>>>> [2884] 11:49:52:515: SecurityContextFunction
>>>> [2884] 11:49:52:515: InitializeSecurityContext returned 0x90312
>>>> [2884] 11:49:52:515: State change to SentHello
>>>> [2884] 11:49:52:515: BuildPacket
>>>> [2884] 11:49:52:515: << Sending Response (Code: 2) packet: Id: 2,
>>>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>>>> [2884] 11:49:52:515: EapPeapCMakeMessage done
>>>> [2884] 11:49:52:515: EapPeapMakeMessage done
>>>> [1352] 11:50:22:531: EapPeapEnd
>>>> [1352] 11:50:22:531: EapTlsEnd
>>>> [1352] 11:50:22:531: EapTlsEnd(test)
>>>> [1352] 11:50:22:531: EapPeapEnd done
>>>> [1352] 11:50:22:562: EapPeapBegin
>>>> [1352] 11:50:22:562: PeapReadConnectionData
>>>> [1352] 11:50:22:562: PeapReadUserData
>>>> [1352] 11:50:22:562:
>>>> [1352] 11:50:22:562: EapTlsBegin(test)
>>>> [1352] 11:50:22:562: State change to Initial
>>>> [1352] 11:50:22:562: EapTlsBegin: Detected 8021X authentication
>>>> [1352] 11:50:22:562: EapTlsBegin: Detected PEAP authentication
>>>> [1352] 11:50:22:562: MaxTLSMessageLength is now 16384
>>>> [1352] 11:50:22:562: EapPeapBegin done
>>>> [1352] 11:50:22:562: EapPeapMakeMessage
>>>> [1352] 11:50:22:562: EapPeapCMakeMessage
>>>> [1352] 11:50:22:562: PEAP:PEAP_STATE_INITIAL
>>>> [1352] 11:50:22:562: EapTlsCMakeMessage
>>>> [1352] 11:50:22:562: EapTlsReset
>>>> [1352] 11:50:22:562: State change to Initial
>>>> [1352] 11:50:22:562: GetCredentials
>>>> [1352] 11:50:22:562: Flag is Client and Store is Current User
>>>> [1352] 11:50:22:562: GetCachedCredentials
>>>> [1352] 11:50:22:562: FreeCachedCredentials
>>>> [1352] 11:50:22:562: No Cert Store. Guest Access requested
>>>> [1352] 11:50:22:562: No Cert Name. Guest access requested
>>>> [1352] 11:50:22:562: Will validate server cert
>>>> [1352] 11:50:22:562: MakeReplyMessage
>>>> [1352] 11:50:22:562: SecurityContextFunction
>>>> [1352] 11:50:22:562: InitializeSecurityContext returned 0x90312
>>>> [1352] 11:50:22:562: State change to SentHello
>>>> [1352] 11:50:22:562: BuildPacket
>>>> [1352] 11:50:22:562: << Sending Response (Code: 2) packet: Id: 37,
>>>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>>>> [1352] 11:50:22:562: EapPeapCMakeMessage done
>>>> [1352] 11:50:22:562: EapPeapMakeMessage done
>>>> [1448] 11:50:52:578: EapPeapEnd
>>>> [1448] 11:50:52:578: EapTlsEnd
>>>> [1448] 11:50:52:578: EapTlsEnd(test)
>>>> [1448] 11:50:52:578: EapPeapEnd done
>>>> [1448] 11:51:52:593: PeapReadConnectionData
>>>> [1448] 11:51:52:593: PeapReadUserData
>>>> [1448] 11:51:52:593: RasEapGetInfo
>>>> [1352] 12:02:42:625: PeapReadConnectionData
>>>> [1352] 12:02:42:640: PeapReadUserData
>>>> [1352] 12:02:42:640: RasEapGetInfo
>>>> [1352] 12:02:42:640: PeapReDoUserData
>>>> [1352] 12:02:42:640: EapTlsInvokeIdentityUI
>>>> [1352] 12:02:42:640: GetCertInfo
>>>> [1352] 12:03:42:640: PeapReadConnectionData
>>>> [1352] 12:03:42:640: PeapReadUserData
>>>> [1352] 12:03:42:640: RasEapGetInfo
>>>> [1352] 12:03:42:671: EapPeapBegin
>>>> [1352] 12:03:42:671: PeapReadConnectionData
>>>> [1352] 12:03:42:671: PeapReadUserData
>>>> [1352] 12:03:42:671:
>>>> [1352] 12:03:42:671: EapTlsBegin(GHOST\indrajaya)
>>>> [1352] 12:03:42:671: State change to Initial
>>>> [1352] 12:03:42:671: EapTlsBegin: Detected 8021X authentication
>>>> [1352] 12:03:42:671: EapTlsBegin: Detected PEAP authentication
>>>> [1352] 12:03:42:671: MaxTLSMessageLength is now 16384
>>>> [1352] 12:03:42:671: EapPeapBegin done
>>>> [1352] 12:03:42:671: EapPeapMakeMessage
>>>> [1352] 12:03:42:671: EapPeapCMakeMessage
>>>> [1352] 12:03:42:671: PEAP:PEAP_STATE_INITIAL
>>>> [1352] 12:03:42:671: EapTlsCMakeMessage
>>>> [1352] 12:03:42:671: EapTlsReset
>>>> [1352] 12:03:42:671: State change to Initial
>>>> [1352] 12:03:42:671: GetCredentials
>>>> [1352] 12:03:42:671: Flag is Client and Store is Current User
>>>> [1352] 12:03:42:671: GetCachedCredentials
>>>> [1352] 12:03:42:671: FreeCachedCredentials
>>>> [1352] 12:03:42:671: No Cert Store. Guest Access requested
>>>> [1352] 12:03:42:671: No Cert Name. Guest access requested
>>>> [1352] 12:03:42:671: Will validate server cert
>>>> [1352] 12:03:42:671: MakeReplyMessage
>>>> [1352] 12:03:42:671: SecurityContextFunction
>>>> [1352] 12:03:42:671: InitializeSecurityContext returned 0x90312
>>>> [1352] 12:03:42:671: State change to SentHello
>>>> [1352] 12:03:42:671: BuildPacket
>>>> [1352] 12:03:42:671: << Sending Response (Code: 2) packet: Id: 3,
>>>> Length: 80, Type: 13, TLS blob length: 70. Flags: L
>>>> [1352] 12:03:42:671: EapPeapCMakeMessage done
>>>> [1352] 12:03:42:671: EapPeapMakeMessage done
>>>> [2004] 12:04:12:687: EapPeapEnd
>>>> [2004] 12:04:12:687: EapTlsEnd
>>>> [2004] 12:04:12:687: EapTlsEnd(ghost\indrajaya)
>>>> [2004] 12:04:12:687: EapPeapEnd done
>>>> [2004] 12:04:42:734: EapPeapBegin
>>>> [2004] 12:04:42:734: PeapReadConnectionData
>>>> [2004] 12:04:42:734: PeapReadUserData
>>>>
>>>> /Regards,
>>>> Indrajaya Pitra Perdana/
>>>>
>>>> On 12/15/2011 6:04 PM, Heikki Vatiainen wrote:
>>>>> On 12/15/2011 06:18 AM, Indrajaya Pitra Perdana wrote:
>>>>>
>>>>>> The problem still persists even though I created my own certificate using the
>>>>>> steps in mkcertificate.sh goodies, my Windows didn't respond to the EAP
>>>>>> challenge sent by Radiator, do you have any clue on this? Or perhaps the
>>>>>> problem is within my 2950 catalyst? Thanks :-)
>>>>> You could try enabling debug for EAP authentication on the switch to see
>>>>> how it reacts to EAP messages.
>>>>>
>>>>> Meanwhile you could also try running wireshark on Windows to see if the
>>>>> challenge with the certificate is sent by the switch to the XP box.
>>>>>
>>>>> One thing you could try first is to use an even lower value for
>>>>> EAPTLS_MaxFragmentSize
>>>>>
>>>>> The messages before the certificate are much smaller and so this challenge
>>>>> would be the first that can reach the maximum size.
>>>>>
>>>>> Thanks!
>>>>>
>>>
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>>

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
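An added example, not the poster's configuration and not code from the reply above: a Radiator configuration laid out the way the reply describes, with the Accounting-Request Handler first, a TunnelledByPEAP=1 Handler that holds a single AuthBy, and the catch-all PEAP Handler last. It assumes the inner authentication is AuthBy SQL with MSCHAP-V2; database settings, table and column names, certificate paths and the users file are placeholders.

```text
# Added example, not the original poster's configuration. Placeholders: DB
# settings, table/column names, certificate paths, %D/users.

# 1. Accounting first. An Accounting-Request never matches TunnelledByPEAP=1,
#    so without this Handler it falls through to the catch-all Handler below.
<Handler Request-Type=Accounting-Request>
    <AuthBy SQL>
        DBSource        dbi:mysql:radius
        DBUsername      radius
        DBAuth          CHANGEME
        AccountingTable ACCOUNTING
        AcctColumnDef   USERNAME,User-Name
        AcctColumnDef   TIME_STAMP,Timestamp,integer
        AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
    </AuthBy>
</Handler>

# 2. Inner (tunnelled) PEAP requests: exactly one AuthBy. A second AuthBy
#    here is what produced "AuthBy SQL result: REJECT" for the inner
#    MSCHAP-V2 exchange in the quoted Radiator log.
<Handler TunnelledByPEAP=1>
    <AuthBy SQL>
        DBSource   dbi:mysql:radius
        DBUsername radius
        DBAuth     CHANGEME
        AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=%0
        EAPType    MSCHAP-V2
    </AuthBy>
</Handler>

# 3. Catch-all: the outer PEAP/TLS handshake. The outer User-Name is what the
#    supplicant sends (typically 'anonymous'); the real user is only visible
#    in the tunnelled request handled above.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword CHANGEME
        EAPTLS_MaxFragmentSize 1024
        EAPAnonymous anonymous
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

Radiator dispatches each request to the first Handler whose check items match, so the order of the three Handlers is what keeps accounting packets out of the EAP AuthBy chain.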