Re: [RADIATOR] what kind of error?
Ok. Thank you very much.

On 16/03/2012 13:30, Heikki Vatiainen wrote:
> On 03/16/2012 11:50 AM, Denis Pavani wrote:
>
>> Hello, I recently changed the certificate of my Radiator server 3.17.1-1
>> for wireless authentication.
>> This is an official certificate from a trusted CA.
>> We use EAP-TTLS with PAP inner authentication.
>> One client (WinXP with Intel 5100 and Intel client wirelessPRO) receives
>> an error and I got this message in the logfile:
>>
>> EAP result: 1, EAP TTLS Handshake unsuccessful: 26297: 1 -
>> error:14094418:SSL routines:func(148):reason (1048)
>
> I think 1048 is alert for 'unknown CA'. You should check the Intel
> client settings and make sure the Intel client trusts the CA. If there
> are intermediate certificates, try putting the root CA and the
> intermediate CAs into EAPTLS_CAFile.
>
> Your server that runs Radiator is likely quite old? More recent SSL
> libraries create more readable messages which are useful for debugging
> these kinds of problems.
>
> Thanks!
> Heikki
>

-- 
Ing. Denis Pavani
CINECA - Dipartimento Sistemi e Tecnologie
NOC - Network Operations Center
phone: +39 0516171648 / fax: +39 0512130212
http://www.cineca.it
"We are paid to adapt, improvise and achieve the objective" -- Gunny Highway

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
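The log line in the thread is an OpenSSL 1.x packed error code, and Heikki's reading of it (1048 is the 'unknown CA' alert) can be checked mechanically. The following is an added example, not code from the thread or from Radiator: it splits the packed code into library, function and reason using the public ERR_PACK layout, and maps reasons of 1000 and above back to the TLS alert number the peer sent. The alert names come from the TLS alert registry; the log line is the one quoted above, embedded so the example runs offline.

```python
# Added example (not from the list post): decode an OpenSSL 1.x packed error
# code such as "error:14094418:SSL routines:func(148):reason (1048)" and map
# the reason back to the TLS alert the peer sent. Uses only the public layout
# ERR_PACK(lib, func, reason) = (lib & 0xff) << 24 | (func & 0xfff) << 12 | (reason & 0xfff).
import re

ERR_LIB_SSL = 20             # OpenSSL library id printed as "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # SSL_R_TLSV1_ALERT_* reasons are 1000 + alert description

# TLS AlertDescription values (RFC 5246 and later registry entries), limited to
# the ones that matter when an EAP-TLS/TTLS client rejects the server certificate.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    50: "decode_error",
    51: "decrypt_error",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    112: "unrecognized_name",
}

def unpack_error(code):
    """Split a packed OpenSSL 1.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def alert_from_reason(reason):
    """Return (alert_number, alert_name) if the reason encodes a received TLS
    alert, otherwise None. Alerts not in the table are reported as such."""
    if reason < SSL_AD_REASON_OFFSET:
        return None
    alert = reason - SSL_AD_REASON_OFFSET
    return alert, TLS_ALERTS.get(alert, "unknown_alert")

def explain_log_line(line):
    """Pull 'error:XXXXXXXX' out of a Radiator log line and explain it.

    A result with an 'alert' key means the failure was reported by the peer
    (here: the wireless client), so the fix is on the client's trust store or
    the chain the server presents, not in the server's own TLS handling."""
    m = re.search(r"error:([0-9A-Fa-f]{8})", line)
    if not m:
        return None
    lib, func, reason = unpack_error(int(m.group(1), 16))
    out = {"lib": lib, "func": func, "reason": reason,
           "lib_name": "SSL routines" if lib == ERR_LIB_SSL else "other"}
    alert = alert_from_reason(reason)
    if alert:
        out["alert"], out["alert_name"] = alert
    return out

# The line quoted in the thread, embedded so the example runs offline.
LOG_LINE = ("EAP result: 1, EAP TTLS Handshake unsuccessful: 26297: 1 - "
            "error:14094418:SSL routines:func(148):reason (1048)")

if __name__ == "__main__":
    print(explain_log_line(LOG_LINE))
```

Decoding 0x14094418 gives library 20 (SSL), function 148 and reason 1048, and 1048 - 1000 = 48 is unknown_ca: the client did not find an anchor for the chain the server sent, which is exactly the situation Heikki's EAPTLS_CAFile advice addresses.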
[RADIATOR] AddToReply with Diameter
Hi!

I'm using Radiator as a Diameter frontend and I'm wondering whether it is possible to use the AddToReply clause with grouped attributes to the Diameter peer?

For instance, I want to send a reply to the peer like this:

Location-Information (AVP Code=350, Vendor=13019, Grouped)
  -> Line-Identifier (AVP Code=500, Vendor=13019, OctetString) = "ADSL;privaccess-xxx"

To the Radiator dictionary added:

VENDORATTR 13019 Location-Information 350 string
VENDORATTR 13019 Line-Identifier 500 string

To the diameter_attrs.dat added:

VENDORATTR 13019 Location-Information 350 Grouped
VENDORATTR 13019 Line-Identifier 500 OctetString

I tried to add the following, but this doesn't work:

AddToReply Location-Information, Line-Identifier="ADSL;privaccess-xxx"

If I tried to add only the Line-Information AVP, then it replied, but without the grouped AVP and the peer doesn't accept it.

br,
Arthur
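To make concrete what the peer is expecting, here is an added example, not code from the post or from Radiator: it encodes the reply the poster wants as a Diameter Grouped AVP following the AVP header layout of RFC 6733 (Code, Flags, 24-bit Length, optional Vendor-ID, data padded to 4 bytes), with the Line-Identifier AVP nested inside Location-Information rather than sent beside it, and decodes the bytes back for inspection. Vendor id 13019 and AVP codes 350 and 500 are taken from the post; whether the M (mandatory) bit should be set is application-specific and is left as a parameter.

```python
# Added example, not code from the post or from Radiator: encode the reply the
# poster wants as a Diameter Grouped AVP (RFC 6733 section 4) so the exact bytes
# the peer expects are visible, then decode them back. Vendor id 13019 and the
# AVP codes 350/500 come from the post; the M bit choice is assumed (off).
import struct

VENDOR_ID = 13019             # Vendor-ID used by the poster's peer
LOCATION_INFORMATION = 350    # Grouped AVP
LINE_IDENTIFIER = 500         # OctetString AVP carried inside the group

AVP_FLAG_V = 0x80  # Vendor-Specific: a 4-byte Vendor-ID follows the header
AVP_FLAG_M = 0x40  # Mandatory: receiver must understand the AVP or reject

def _pad(n):
    """Zero padding needed to bring n up to a multiple of 4."""
    return (4 - n % 4) % 4

def encode_avp(code, data, vendor_id=None, mandatory=False):
    """Build one AVP: Code(4) Flags(1) Length(3) [Vendor-ID(4)] Data + padding.

    AVP Length covers header, Vendor-ID and Data but not the padding."""
    flags = AVP_FLAG_M if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_FLAG_V
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)
    header = struct.pack("!II", code, (flags << 24) | length)
    return header + vendor + data + b"\x00" * _pad(len(data))

def encode_location_information(line_id):
    """Location-Information containing one Line-Identifier. A Grouped AVP's
    data is just the concatenated encodings of its members, padding included,
    which is why a flat Line-Identifier next to it is not the same thing."""
    inner = encode_avp(LINE_IDENTIFIER, line_id, VENDOR_ID)
    return encode_avp(LOCATION_INFORMATION, inner, VENDOR_ID)

def decode_avps(buf):
    """Walk a buffer of AVPs; returns [(code, vendor_id, flags, data), ...].
    Rejects a length that runs past the buffer instead of reading garbage."""
    avps, off = [], 0
    while off + 8 <= len(buf):
        code, flen = struct.unpack_from("!II", buf, off)
        flags, length = flen >> 24, flen & 0xFFFFFF
        hdr = 12 if flags & AVP_FLAG_V else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("truncated or malformed AVP at offset %d" % off)
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if hdr == 12 else None
        avps.append((code, vendor, flags, buf[off + hdr:off + length]))
        off += length + _pad(length)
    return avps

def describe(buf, depth=0):
    """Print the AVP tree; the Grouped AVP is recognised here by its code."""
    for code, vendor, flags, data in decode_avps(buf):
        print("  " * depth + "AVP %d vendor=%s flags=0x%02x len=%d"
              % (code, vendor, flags, len(data)))
        if code == LOCATION_INFORMATION:
            describe(data, depth + 1)
        else:
            print("  " * (depth + 1) + repr(data))

if __name__ == "__main__":
    describe(encode_location_information(b"ADSL;privaccess-xxx"))
```

For the 19-byte identifier in the post the inner AVP is 31 bytes long plus one byte of padding, and the outer Grouped AVP is 44 bytes that carry the whole inner AVP as their data; comparing such a dump with what Radiator actually emits shows immediately whether the nesting is present.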
Re: [RADIATOR] eap + apple products - failed auth
Hi Heikki (and list)!

I've been busy, that's why I didn't respond so promptly.

Just a thing that might be crucial to this problem: the RADIUS to which we do proxy the MSCHAPV2 requests is a Microsoft one (Windows Server 2003 "Routing and Remote Access").

Thx,
Amândio

-----Original Message-----
From: Heikki Vatiainen [mailto:h...@open.com.au]
Sent: Friday, 16 March 2012 12:54
To: Amândio Antunes Gomes Silva
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] eap + apple products - failed auth

On 03/08/2012 05:40 PM, Amândio Antunes Gomes Silva wrote:
> In fact, the Message-Authenticator attribute was in the last packet

Ok, thanks. Returning back to the list with this. There is information
about debugging EAP on Macs below, so this might be useful for later
reference too.

I did testing with Lion (10.7). The test setup was to terminate TTLS on
one Radiator and proxy the inner MS-CHAP-V2 to another Radiator for
authentication.

First setup returned no extra attributes from the authenticating Radiator:

Fri Mar 16 11:14:47 2012: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <250><249>}<28><215><185><130><241><152>6<139><167><237><234>x<196>
Attributes:
        MS-CHAP2-Success = "NS=1899CFE6D562949E8EF1C1F18CCD97F16B9981F7"

Next try returned a number of different attributes, just like your setup does:

Attributes:
        MS-CHAP2-Success = "dS=5AC984FF2A1F30FF778EE57C980F62BCBE4F4A48"
        Framed-IP-Address = 255.255.255.255
        Class = "funcionarios"
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 0:247
        Tunnel-Type = 0:VLAN
        MS-MPPE-Recv-Key = t<131>YQ<180>}<161>eI<252>Jf<23><30>H.
        MS-MPPE-Send-Key = <137><153>;<215><211>D<248><246>C<219>QP&<8><223>`
        MS-CHAP2-Success = "<231>S=17CB6844622DC3EE55DE2FCA99750B33A4CA848E"
        MS-CHAP-Domain = "<231>UMINHO"
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 14

In both cases 10.7 had no problems with authentication.

You could try turning debugging on with Mac.

Here are some notes Google found for 10.6. I did not test these since I
did not have 10.6.
http://prowiki.isc.upenn.edu/wiki/Enabling_Advanced_Logging_for_Wireless_in_Mac_OS_X

For 10.7 I turned eapolclient debugging on like this:

Note: the defaults command overwrites
/Library/Preferences/SystemConfiguration/com.apple.eapolclient

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int 255

Then watch /var/log/system.log

You should see:
"eapolclient[<pid>]: opened log file '/var/log/eapolclient.en1.log'"
where <pid> is eapolclient's process id and en1 is the interface name.

The log file will show how EAPOL works. It will not show details about
e.g., MS-CHAP-V2 but should at least tell what EAP messages are received
and sent and what their contents are.

Thanks!
Heikki

-- 
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
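When comparing dumps like the two Heikki posted, the first thing to check in each MS-CHAP2-Success value is its layout: RFC 2548 section 2.3.3 defines it as one Ident octet followed by the 42-character string "S=" plus 40 hex digits, and the Ident has to equal the Ident of the MS-CHAP2-Response it answers. The following is an added example, not code from the thread or from Radiator: it parses the attribute lines of a Radiator packet dump, converts Radiator's printable form of binary data back to bytes (a byte shown as `<NNN>` is assumed to be its decimal value, which is consistent with the 16-byte Authenticator in the dump), and extracts Ident and authenticator response from every MS-CHAP2-Success it finds. The sample dump is constructed from lines quoted above.

```python
# Added example, not from the post or Radiator: parse a Radiator packet dump,
# undo its '<NNN>' byte notation (assumed decimal) and check each
# MS-CHAP2-Success against the RFC 2548 layout: Ident octet + "S=" + 40 hex.
import re

# Constructed from lines in the thread so the example runs offline.
SAMPLE_DUMP = """\
Fri Mar 16 11:14:47 2012: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <250><249>}<28><215><185><130><241><152>6<139><167><237><234>x<196>
Attributes:
        MS-CHAP2-Success = "dS=5AC984FF2A1F30FF778EE57C980F62BCBE4F4A48"
        Framed-IP-Address = 255.255.255.255
        Class = "funcionarios"
        Tunnel-Type = 0:VLAN
        MS-MPPE-Recv-Key = t<131>YQ<180>}<161>eI<252>Jf<23><30>H.
        MS-CHAP2-Success = "<231>S=17CB6844622DC3EE55DE2FCA99750B33A4CA848E"
        MS-CHAP-Domain = "<231>UMINHO"
"""

_ESC = re.compile(r"<(\d{1,3})>")

def unescape_radiator(text):
    """Convert Radiator's dump notation back to bytes: '<NNN>' is one byte in
    decimal, everything else is a literal character. '<NNN>' above 255 is
    not a byte escape and is kept literally."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        value = int(m.group(1))
        if value > 255:
            continue
        out += text[pos:m.start()].encode("latin-1")
        out.append(value)
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)

def parse_attributes(dump):
    """Return [(name, value_text), ...] for the 'Name = value' lines; string
    values are shown quoted in the dump and the quotes are stripped here."""
    attrs = []
    for line in dump.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9-]+) = (.*)$", line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs.append((name, value))
    return attrs

def parse_mschap2_success(value):
    """value: decoded attribute bytes. Returns the Ident and the 40-hex-digit
    authenticator response, or None when the layout is not RFC 2548's
    Ident(1) + "S=" + 40 hex digits (43 bytes in total)."""
    if len(value) != 43:
        return None
    rest = value[1:]
    if not re.fullmatch(rb"S=[0-9A-Fa-f]{40}", rest):
        return None
    return {"ident": value[0], "auth_response": rest[2:].decode("ascii")}

def mschap2_success_attrs(dump):
    """All MS-CHAP2-Success attributes in a dump, parsed in order. With a
    proxied inner MS-CHAP-V2, each Ident should match the Ident of the
    MS-CHAP2-Response it answers; listing them makes that comparison easy."""
    results = []
    for name, raw in parse_attributes(dump):
        if name == "MS-CHAP2-Success":
            results.append(parse_mschap2_success(unescape_radiator(raw)))
    return results

if __name__ == "__main__":
    for entry in mschap2_success_attrs(SAMPLE_DUMP):
        print(entry)
```

Run against the second dump in the thread, the parser reports two well-formed MS-CHAP2-Success values with Idents 100 ('d') and 231; the first dump has a single one with Ident 78 ('N'). Which Ident the client expects is visible in the MS-CHAP2-Response of the matching request, so the same parser applied to the request dump gives the value to compare against.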
Re: [RADIATOR] eap + apple products - failed auth - CORRECTION
Hi Heikki (and list)!

I've been busy, that's why I didn't respond so promptly.

Just a thing that might be crucial to this problem: the RADIUS to which we do proxy the MSCHAPV2 requests is a Microsoft one (Windows Server 2003 "Internet Authentication Service").

Thx,
Amândio

-----Original Message-----
From: Heikki Vatiainen [mailto:h...@open.com.au]
Sent: Friday, 16 March 2012 12:54
To: Amândio Antunes Gomes Silva
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] eap + apple products - failed auth