Re: [RADIATOR] Radiator
On 03/22/2012 07:05 AM, Sudhir Harwalkar wrote:

> I have replaced current clause with whatever you mentioned below,
> but in log file it shows an error.

There's still one line left from the old clause. Remove this line too:

> Please see the command line message in screenshot "cmd_msg.PNG" also see the
> log file attached with this.

You can set log directory with the command line options, but I suggest you
replace 'LogDir' and 'DbDir' with these values:

LogDir c:/Program Files/Radiator
DbDir c:/Program Files/Radiator

You should use the new Client clause and the above LogDir and DbDir values in
the other configuration files you also try.

> Yes my AP IP is 192.168.37.184.

Ok. Thanks. More about this in your other message, but briefly:
- this address goes into Client:
- BindAddress is local address. Use 0.0.0.0 in most cases

> In the log file as I found .directory is not found need to mention the path
> for directory?
> If possible please make changes in the log file attached with this and send
> me, I will verify with this.

Try the changes above and try running it then.

Thanks!
Heikki

> Thanks in Advance
> Sudhir H
>
> -----Original Message-----
> From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On
> Behalf Of Heikki Vatiainen
> Sent: Thursday, March 22, 2012 4:08 AM
> To: radiator@open.com.au
> Subject: Re: [RADIATOR] Radiator
>
> On 03/21/2012 11:40 AM, Sudhir Harwalkar wrote:
>
>> Thanks Heikki, I installed Net-SSLeay.ppd.
>
> Ok, good to hear.
>
>> 1. Please find the radius.cfg file, in that I have added AP IP address and
>> Authentication port, is that correct way that I mentioned in the config file
>> radius.cfg file or need to make some other things and where do I need to
>> mention Shared Secret.
>
> Try replacing your current clause with this:
>
> Trace 4
> LogStdout
> AuthPort 1812
> AcctPort 1813
>
> # This clause defines a single client to listen to
> <Client 192.168.37.184>
>         Secret GSDEMO
> </Client>
>
> AuthPort and AcctPort do not go into Client and I am assuming
> 192.168.37.184 is your AP.
>
> I added Trace 4 and LogStdout so that you will easily see the debug and other
> messages on the console.
>
>> 2. send me command for running radius.cfg file, that I have stored in
>> c:/ProgramFile.
>
> First, see http://www.open.com.au/radiator/install-demo.html and the
> installation instructions there. They give examples how to start radiusd
> (Radiator).
>
> Typically something like this should work:
>
> perl c:\perl\bin\radiusd -trace 4 -config_file c:\path\to\your.conf
>
> --
> Heikki Vatiainen
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS,
> PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full
> source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
> Larsen & Toubro Limited
>
> www.larsentoubro.com
>
> This Email may contain confidential or privileged information for the
> intended recipient (s) If you are not the intended recipient, please do not
> use or disseminate the information, notify the sender and delete it from your
> system.
Re: [RADIATOR] Radiator
On 03/21/2012 03:58 PM, Sudhir Harwalkar wrote:

> Thanks a lot for helping me out.
> I have one query :
> Steps that I followed for EAP-PEAPv0 Testing:
> 1. Copied eap_peap.cfg file to c:\program file

Add a Client clause with your AP's address in the configuration. Also set
DbDir and LogDir as I just mentioned in my other message:

LogDir c:/Program Files/Radiator
DbDir c:/Program Files/Radiator

> 2. in the command line I typed the command "perl radiusd
> -bind_address 192. . . . -auth_port 1812 -log_file filename -config_file
> c:\program files\eap_peap.cfg
> When I run this command I am getting an error, the error details are shown in
> the screenshot named as eap_peap.PNG

You do not need to set BindAddress. If set, it should be address belonging to
your computer, not to the AP. You usually do not need to set this at all.

> - Is there anything that I need to make change?

Please see above.

> - How do we know that communication is happening between AP and Radius Server?

The log will show the messages Radiator receives from AP.

> - Port address that I have given in AP is 1812 is that right?

Please see above. About auth_port, it should match the setting in AP. By
default Radiator uses 1645 so you need to check both AP and Radiator use same
port number.

> - please see the config file that I have used is attached with this mail.

I suggest you try seeing simple authentication without PEAP works before
moving to PEAP configuration. If your AP provides a method to authenticate
users with plain username and password (no PEAP involved), this would be the
best method to see the basic communication between AP and Radiator works.

Thanks!
Heikki

> Thanks
> Sudhir H
Re: [RADIATOR] Radiator
I made all the changes you have mentioned, then I run the config file, in the
log file I got message as follows

Thu Mar 22 15:00:17 2012: DEBUG: Finished reading configuration file 'c:\Program Files\Radiator\radiusnew.cfg'
Thu Mar 22 15:00:17 2012: DEBUG: Reading dictionary file 'C:\Program Files\Radiator/dictionary'
Thu Mar 22 15:00:17 2012: DEBUG: Creating authentication port 0.0.0.0:1812
Thu Mar 22 15:00:17 2012: DEBUG: Creating accounting port 0.0.0.0:1813
Thu Mar 22 15:00:17 2012: NOTICE: Server started: Radiator 4.9 on EMMYS0938 (LOCKED)

Is this authenticated with AP? As you mentioned I haven't got message like
receives from AP.

Regards
Sudhir H

-----Original Message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On
Behalf Of Heikki Vatiainen
Sent: Thursday, March 22, 2012 2:22 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] Radiator

On 03/21/2012 03:58 PM, Sudhir Harwalkar wrote:

> Thanks a lot for helping me out.
> I have one query :
> Steps that I followed for EAP-PEAPv0 Testing:
> 1. Copied eap_peap.cfg file to c:\program file

Add a Client clause with your AP's address in the configuration. Also set
DbDir and LogDir as I just mentioned in my other message:

LogDir c:/Program Files/Radiator
DbDir c:/Program Files/Radiator

> 2. in the command line I typed the command "perl radiusd
> -bind_address 192. . . . -auth_port 1812 -log_file filename
> -config_file c:\program files\eap_peap.cfg When I run this command I
> am getting an error, the error details are shown in the screenshot
> named as eap_peap.PNG

You do not need to set BindAddress. If set, it should be address belonging to
your computer, not to the AP. You usually do not need to set this at all.

> - Is there anything that I need to make change?

Please see above.

> - How do we know that communication is happening between AP and Radius Server?

The log will show the messages Radiator receives from AP.

> - Port address that I have given in AP is 1812 is that right?

Please see above. About auth_port, it should match the setting in AP. By
default Radiator uses 1645 so you need to check both AP and Radiator use same
port number.

> - please see the config file that I have used is attached with this mail.

I suggest you try seeing simple authentication without PEAP works before
moving to PEAP configuration. If your AP provides a method to authenticate
users with plain username and password (no PEAP involved), this would be the
best method to see the basic communication between AP and Radiator works.

Thanks!
Heikki

> Thanks
> Sudhir H
Re: [RADIATOR] Radiator
On 03/22/2012 11:44 AM, Sudhir Harwalkar wrote:

> I made all the changes you have mentioned, then I run the config file, in the
> log file I got message as follows
> Thu Mar 22 15:00:17 2012: DEBUG: Finished reading configuration file
> 'c:\Program Files\Radiator\radiusnew.cfg'
> Thu Mar 22 15:00:17 2012: DEBUG: Reading dictionary file
> 'C:\Program Files\Radiator/dictionary'
> Thu Mar 22 15:00:17 2012: DEBUG: Creating authentication port 0.0.0.0:1812
> Thu Mar 22 15:00:17 2012: DEBUG: Creating accounting port 0.0.0.0:1813
> Thu Mar 22 15:00:17 2012: NOTICE: Server started: Radiator 4.9 on EMMYS0938 (LOCKED)
> Is this authenticated with AP?

Looks good. It is ready to receive messages from AP. There is no
authentication done between RADIUS server and wireless AP. The shared secret
and client IP just make sure they can communicate with each other when the
WLAN users need to be authenticated by the AP.

> As you mentioned I haven't got message like receives from AP.

The next step is to configure AP so that it will authenticate WLAN users. How
this is done depends on your AP.

Thanks!
Heikki

> Regards
> Sudhir H
>
> -----Original Message-----
> From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On
> Behalf Of Heikki Vatiainen
> Sent: Thursday, March 22, 2012 2:22 PM
> To: radiator@open.com.au
> Subject: Re: [RADIATOR] Radiator
>
> On 03/21/2012 03:58 PM, Sudhir Harwalkar wrote:
>
>> Thanks a lot for helping me out.
>> I have one query :
>> Steps that I followed for EAP-PEAPv0 Testing:
>> 1. Copied eap_peap.cfg file to c:\program file
>
> Add a Client clause with your AP's address in the configuration. Also set
> DbDir and LogDir as I just mentioned in my other message:
>
> LogDir c:/Program Files/Radiator
> DbDir c:/Program Files/Radiator
>
>> 2. in the command line I typed the command "perl radiusd
>> -bind_address 192. . . . -auth_port 1812 -log_file filename
>> -config_file c:\program files\eap_peap.cfg When I run this command I
>> am getting an error, the error details are shown in the screenshot
>> named as eap_peap.PNG
>
> You do not need to set BindAddress. If set, it should be address belonging to
> your computer, not to the AP. You usually do not need to set this at all.
>
>> - Is there anything that I need to make change?
>
> Please see above.
>
>> - How do we know that communication is happening between AP and Radius Server?
>
> The log will show the messages Radiator receives from AP.
>
>> - Port address that I have given in AP is 1812 is that right?
>
> Please see above. About auth_port, it should match the setting in AP. By
> default Radiator uses 1645 so you need to check both AP and Radiator use same
> port number.
>
>> - please see the config file that I have used is attached with this mail.
>
> I suggest you try seeing simple authentication without PEAP works before
> moving to PEAP configuration. If your AP provides a method to authenticate
> users with plain username and password (no PEAP involved), this would be the
> best method to see the basic communication between AP and Radiator works.
>
> Thanks!
> Heikki
>
>> Thanks
>> Sudhir H
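Heikki's point above, that the shared secret and Client address decide which NAS the server will talk to rather than "authenticating" the AP in any stronger sense, is easiest to see in the packet arithmetic. The following is an added Python example, not code from this thread or from Radiator: it builds an Access-Request carrying a Message-Authenticator (HMAC-MD5 keyed with the secret) and an Access-Accept carrying a Response Authenticator (MD5 over the reply plus the secret), then verifies each with the right secret and with a mismatched one. The secret GSDEMO and the AP address 192.168.37.184 come from the thread; the identifier, attributes and the fixed Request Authenticator are constructed for the example (a real NAS uses 16 random bytes).

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types from RFC 2865 / RFC 2869.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as Type/Length/Value attributes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for a single AVP")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def find_message_authenticator(packet):
    """Offset of the 16 Message-Authenticator value bytes, or None if absent."""
    i = 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            return i + 2
        i += alen
    return None


def build_access_request(identifier, request_authenticator, attrs, secret):
    """Access-Request with Message-Authenticator = HMAC-MD5(secret, packet),
    computed with the attribute's 16 value bytes set to zero."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed placeholder is the last 16 bytes


def verify_message_authenticator(packet, secret):
    """Server-side check: True only if the HMAC was made with this secret."""
    off = find_message_authenticator(packet)
    if off is None:
        return False
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[off:off + 16], expected)


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    prefix = struct.pack("!BBH", code, request[1], 20 + len(body))
    response_auth = hashlib.md5(prefix + request[4:20] + body + secret).digest()
    return prefix + response_auth + body


def verify_response(response, request, secret):
    """Client-side check: reply must match the outstanding request's ID and
    Request Authenticator, and be computed with the same shared secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def demo():
    """Constructed exchange between the AP from the thread and the server."""
    secret = b"GSDEMO"        # Secret from the Client clause in the thread
    wrong = b"GSDEMO-typo"    # constructed mismatched secret
    request_auth = bytes(range(16))  # constructed; a real NAS uses random bytes
    attrs = [(ATTR_USER_NAME, b"testuser"),
             (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 37, 184]))]
    request = build_access_request(7, request_auth, attrs, secret)
    reply = build_response(ACCESS_ACCEPT, request, [], secret)
    return {
        "request_ok": verify_message_authenticator(request, secret),
        "request_wrong_secret": verify_message_authenticator(request, wrong),
        "reply_ok": verify_response(reply, request, secret),
        "reply_wrong_secret": verify_response(reply, request, wrong),
        "reply_length": len(reply),
    }


if __name__ == "__main__":
    print(demo())
```

With a mismatched secret the server drops the request silently and the NAS discards the reply, which is why a Radiator log at Trace 4 that shows nothing arriving is consistent with either a Client clause that does not match the AP's address or a secret typed differently on the two sides.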
Re: [RADIATOR] CRL reload error
On 03/21/2012 12:11 PM, Alexander Hartmaier wrote:

> Now that our dot1x and WLAN Radiator needs to check three different crls
> I've looked into a better solution for refreshing them.
> While reading Radius::TLS I've stumbled over the method reloadCrls which
> claims to reload the crl if the timestamp changes. Has this ever worked?

I asked about this, and this is the current situation:

The code in Radiator works and is enabled (if so configured) by default. So
the code for checking CRLs is there without modifications to Radiator sources.

Whether the check really happens as expected depends on the OpenSSL library.
There is a patch for a 0.9.? version, but it doesn't work in 1.0. It could be
that some distributions have applied the patch themselves, so the situation is
not very clear. There are a couple of entries in the OpenSSL request tracker,
but it does not look like they have been processed. You could try to see if it
works on your system.

> In the contextInit method you've put a note # REVISIT: what if a CRL
> changes while we are running?

Hmm, that might be a little older comment, I'll check that too.

> I'm trying to restart Radiator as rarely as possible to not terminate an
> ongoing EAP communication but the crls all have different expiration
> dates (two have a lifetime of a day, the third of a week which will
> probably also be changed to a day or less).

That's very understandable.

Heikki

> Best regards, Alex
>
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
> Handelsgericht Wien, FN 79340b
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> Notice: This e-mail contains information that is confidential and may be
> privileged.
> If you are not the intended recipient, please notify the sender and then
> delete this e-mail immediately.
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
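The reload-on-timestamp behaviour Alexander asks about can be modelled outside Radiator. The following is an added Python example, not Radiator's reloadCrls or anything from the thread: it caches one CRL file and re-reads it only when the file's modification time changes, which is the semantics the question describes, and the scenario rewrites the file the way a daily-rotated CRL would be. The CRL contents are a constructed placeholder, and whether the TLS library then honours the refreshed list is exactly the OpenSSL dependency Heikki describes, which this example does not cover.

```python
import os
import tempfile
import time


class CrlFile:
    """Cache one CRL file; re-read it only when its mtime changes on disk.

    Only the raw bytes are tracked here (a constructed stand-in for the parsed
    CRL). A real server would hand the new bytes to its TLS library so that
    certificate checks use the refreshed revocation list.
    """

    def __init__(self, path):
        self.path = path
        self.mtime_ns = None
        self.data = None
        self.reloads = 0

    def refresh(self):
        """Return the current CRL bytes, reloading them if the file changed."""
        st = os.stat(self.path)
        if self.mtime_ns is None or st.st_mtime_ns != self.mtime_ns:
            with open(self.path, "rb") as f:
                self.data = f.read()
            self.mtime_ns = st.st_mtime_ns
            self.reloads += 1
        return self.data


def demo_reload():
    """Constructed scenario: a CRL with a one-day lifetime is rewritten while
    the server keeps running. Returns (first bytes, second bytes,
    reloads after two unchanged reads, reloads after the rewrite)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "issuer.crl")
        with open(path, "wb") as f:
            f.write(b"-----BEGIN X509 CRL-----\nday1\n-----END X509 CRL-----\n")
        crl = CrlFile(path)
        first = crl.refresh()
        crl.refresh()                      # unchanged file: no reload
        reloads_before = crl.reloads
        with open(path, "wb") as f:
            f.write(b"-----BEGIN X509 CRL-----\nday2\n-----END X509 CRL-----\n")
        # Force the mtime forward so the change is visible even on filesystems
        # with coarse timestamp resolution.
        now = time.time_ns()
        os.utime(path, ns=(now, now + 10**9))
        second = crl.refresh()
        return first, second, reloads_before, crl.reloads


if __name__ == "__main__":
    print(demo_reload())
```

The check is deliberately keyed on the mtime rather than on the CRL's own nextUpdate field: a CRL that is rotated early (for example after a key compromise) has a new mtime but may not yet be past the old nextUpdate, and a timestamp check picks it up immediately.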
Re: [RADIATOR] eap + apple products - failed auth - CORRECTION
Hello,

the tips you gave didn't work. I've activated the log of the eapolclient on
the MacOS side and observed the following (filtered):

2012/03/22 17:47:02.960034 4-way handshake notification scheduled
2012/03/22 17:47:07.613699 4-way handshake notification unscheduled
2012/03/22 17:50:18.496100 4-way handshake notification scheduled
2012/03/22 17:50:25.761091 4-way handshake complete

The lines that correspond to the TTLS/MSCHAPV2 are the ones that occur by the
time 17:47:??, and the authentication fails. The other two lines correspond to
a successful PEAP (MSCHAPV2) authentication.

I googled around to search for "4-way handshake notification unscheduled", and
found the source code of EAPOLSocket.c
(http://www.opensource.apple.com/source/eap8021x/eap8021x-137/eapolclient.tproj/EAPOLSocket.c).

As far as I can understand, someone is breaking the 4-way..., which makes the
authentication fail.

Hope this can help you to help me...

Best regards,

Amândio

-----Original Message-----
From: Heikki Vatiainen [mailto:h...@open.com.au]
Sent: Wed 21-03-2012 23:38
To: Amândio Antunes Gomes Silva
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] eap + apple products - failed auth - CORRECTION

On 03/19/2012 04:20 PM, Amândio Antunes Gomes Silva wrote:

Hello,

> I've been busy, that's why I didn't respond so promptly.
>
> Just a thing that might be crucial to this problem: the RADIUS to which we do
> proxy the MSCHAPV2 requests is a Microsoft one (Windows Server 2003 "Internet
> Authentication Service").

Ok, I think I have found something. It seems to be a Mac thing, not an IAS or
NPS problem.

Try adding the following in your AuthBy RADIUS that proxies to IAS:

StripFromReply Class,MS-MPPE-Send-Key,MS-MPPE-Recv-Key

Looks like Mac does not like it if these attributes are passed to it via TTLS
inner authentication. The MPPE attributes are clearly not needed, since
Radiator will calculate the correct attributes for the final Access-Accept.

Try stripping those three attributes from the reply received from the MS
server. Please tell us how it goes.

Thanks!
Heikki

> Thx,
>
> Amândio
>
> -----Original Message-----
> From: Heikki Vatiainen [mailto:h...@open.com.au]
> Sent: Friday, 16 March 2012 12:54
> To: Amândio Antunes Gomes Silva
> Cc: radiator@open.com.au
> Subject: Re: [RADIATOR] eap + apple products - failed auth
>
> On 03/08/2012 05:40 PM, Amândio Antunes Gomes Silva wrote:
>
>> In fact, the Message-Authenticator attribute was in the last packet
>
> Ok thanks. Returning back to the list with this. There is information
> about debugging EAP on Macs below, so this might be useful for later
> reference too.
>
> I did testing with Lion (10.7). The test setup was to terminate TTLS on
> one Radiator and proxy the inner MS-CHAP-V2 to another Radiator for
> authentication.
>
> First setup returned no extra attributes from the authenticating Radiator:
>
> Fri Mar 16 11:14:47 2012: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <250><249>}<28><215><185><130><241><152>6<139><167><237><234>x<196>
> Attributes:
>         MS-CHAP2-Success = "NS=1899CFE6D562949E8EF1C1F18CCD97F16B9981F7"
>
> Next try returned a number of different attributes, just like your setup
> does:
>
> Attributes:
>         MS-CHAP2-Success = "dS=5AC984FF2A1F30FF778EE57C980F62BCBE4F4A48"
>         Framed-IP-Address = 255.255.255.255
>         Class = "funcionarios"
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 0:247
>         Tunnel-Type = 0:VLAN
>         MS-MPPE-Recv-Key = t<131>YQ<180>}<161>eI<252>Jf<23><30>H.
>         MS-MPPE-Send-Key = <137><153>;<215><211>D<248><246>C<219>QP&<8><223>`
>         MS-CHAP2-Success = "<231>S=17CB6844622DC3EE55DE2FCA99750B33A4CA848E"
>         MS-CHAP-Domain = "<231>UMINHO"
>         MS-MPPE-Encryption-Policy = Encryption-Required
>         MS-MPPE-Encryption-Types = 14
>
> In both cases 10.7 had no problems with authentication.
>
> You could try turning debugging on with Mac. Here are some notes Google
> found for 10.6. I did not test these since I did not have 10.6.
>
> http://prowiki.isc.upenn.edu/wiki/Enabling_Advanced_Logging_for_Wireless_in_Mac_OS_X
>
> For 10.7 I turned eapolclient debugging on like this:
>
> Note: defaults command overwrites
> /Library/Preferences/SystemConfiguration/com.apple.eapolclient
>
> sudo defaults write
> /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags
> -int 255
>
> Then watch /var/log/system.log
>
> You should see: "eapolclient[]: opened log file
> '/var/log/eapolclient.en1.log' where is eapolclient's process id
> and en1 is the interface name.
>
> The log file will show how EAPOL works. It will not show details about
> e.g., MS-CHAP-V2 but should at least tell what EAP messages are received
> and sent and what their contents are.
>
> Thanks!
> Heikki
Re: [RADIATOR] eap + apple products - failed auth - CORRECTION
On 03/22/2012 08:08 PM, Amândio Antunes Gomes Silva wrote:

> the tips you gave didn't work. I've activated the log of the eapolclient
> on the MacOS side and observed the following (filtered):

Yes, it looks like filtering attributes from inner authentication was
sometimes successful, but not always. The eapol log is not that helpful
because the problem seems to be with TTLS (upper layer).

However, I think I have found a consistent way to have it fail or succeed.
Looks like the key to success is to make sure MS-CHAP2-Success gets tunneled
to the client as the first attribute.

You could try stripping all other attributes and/or making sure
MS-CHAP2-Success is the first attribute in the "Returned TTLS tunnelled
Diameter Packet dump" list.

Can you try this and tell how it works for you?

Thanks!
Heikki

> 2012/03/22 17:47:02.960034 4-way handshake notification scheduled
> 2012/03/22 17:47:07.613699 4-way handshake notification unscheduled
> 2012/03/22 17:50:18.496100 4-way handshake notification scheduled
> 2012/03/22 17:50:25.761091 4-way handshake complete
>
> The lines that correspond to the TTLS/MSCHAPV2 are the ones that occur
> by the time 17:47:??, and the authentication fails. The other two lines
> correspond to a successful PEAP (MSCHAPV2) authentication.
>
> I googled around to search for "4-way handshake notification
> unscheduled", and found the source code of EAPOLSocket.c
> (http://www.opensource.apple.com/source/eap8021x/eap8021x-137/eapolclient.tproj/EAPOLSocket.c).
>
> As far as I can understand, someone is breaking the 4-way..., which
> makes the authentication fail.
>
> Hope this can help you to help me...
>
> Best regards,
>
> Amândio
>
> -----Original Message-----
> From: Heikki Vatiainen [mailto:h...@open.com.au]
> Sent: Wed 21-03-2012 23:38
> To: Amândio Antunes Gomes Silva
> Cc: radiator@open.com.au
> Subject: Re: [RADIATOR] eap + apple products - failed auth - CORRECTION
>
> On 03/19/2012 04:20 PM, Amândio Antunes Gomes Silva wrote:
>
> Hello,
>
>> I've been busy, that's why I didn't respond so promptly.
>>
>> Just a thing that might be crucial to this problem: the RADIUS to
>> which we do proxy the MSCHAPV2 requests is a Microsoft one (Windows
>> Server 2003 "Internet Authentication Service").
>
> Ok, I think I have found something. It seems to be a Mac thing, not an
> IAS or NPS problem.
>
> Try adding the following in your AuthBy RADIUS that proxies to IAS:
>
> StripFromReply Class,MS-MPPE-Send-Key,MS-MPPE-Recv-Key
>
> Looks like Mac does not like it if these attributes are passed to it via
> TTLS inner authentication. The MPPE attributes are clearly not needed,
> since Radiator will calculate the correct attributes for the final
> Access-Accept.
>
> Try stripping those three attributes from the reply received from the MS
> server. Please tell us how it goes.
>
> Thanks!
> Heikki
>
>> Thx,
>>
>> Amândio
>>
>> -----Original Message-----
>> From: Heikki Vatiainen [mailto:h...@open.com.au]
>> Sent: Friday, 16 March 2012 12:54
>> To: Amândio Antunes Gomes Silva
>> Cc: radiator@open.com.au
>> Subject: Re: [RADIATOR] eap + apple products - failed auth
>>
>> On 03/08/2012 05:40 PM, Amândio Antunes Gomes Silva wrote:
>>
>>> In fact, the Message-Authenticator attribute was in the last packet
>>
>> Ok thanks. Returning back to the list with this. There is information
>> about debugging EAP on Macs below, so this might be useful for later
>> reference too.
>>
>> I did testing with Lion (10.7). The test setup was to terminate TTLS on
>> one Radiator and proxy the inner MS-CHAP-V2 to another Radiator for
>> authentication.
>>
>> First setup returned no extra attributes from the authenticating Radiator:
>>
>> Fri Mar 16 11:14:47 2012: DEBUG: Returned TTLS tunnelled Diameter Packet
>> dump:
>> Code:       Access-Accept
>> Identifier: UNDEF
>> Authentic:  <250><249>}<28><215><185><130><241><152>6<139><167><237><234>x<196>
>> Attributes:
>>         MS-CHAP2-Success = "NS=1899CFE6D562949E8EF1C1F18CCD97F16B9981F7"
>>
>> Next try returned a number of different attributes, just like your setup
>> does:
>>
>> Attributes:
>>         MS-CHAP2-Success = "dS=5AC984FF2A1F30FF778EE57C980F62BCBE4F4A48"
>>         Framed-IP-Address = 255.255.255.255
>>         Class = "funcionarios"
>>         Tunnel-Medium-Type = 0:802
>>         Tunnel-Private-Group-ID = 0:247
>>         Tunnel-Type = 0:VLAN
>>         MS-MPPE-Recv-Key = t<131>YQ<180>}<161>eI<252>Jf<23><30>H.
>>         MS-MPPE-Send-Key = <137><153>;<215><211>D<248><246>C<219>QP&<8><223>`
>>         MS-CHAP2-Success = "<231>S=17CB6844622DC3EE55DE2FCA99750B33A4CA848E"
>>         MS-CHAP-Domain = "<231>UMINHO"
>>         MS-MPPE-Encryption-Policy = Encryption-Required
>>         MS-MPPE-Encryption-Types = 14
>>
>> In both cases 10.7 had no problems with authentication.
>>
>> You could try turning debugging on with Mac. Here are some notes Google
>> found for 10.6. I did not test these since I did not h
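Heikki's two workarounds (StripFromReply for Class and the MPPE keys, and making MS-CHAP2-Success the first tunnelled attribute) can be checked against the attribute dump quoted in the thread before touching the live configuration. The following is an added Python example, not Radiator code: it parses the "Attributes:" dump format from Heikki's earlier message, applies both changes to the attribute list, and checks that the MS-CHAP2-Success value has the RFC 2548 shape (one Ident byte, then "S=" and 40 hex digits). The sample dump is constructed from the values quoted in the thread; DEFAULT_STRIP and the function names are this example's own.

```python
import re

# Attributes the thread suggests removing from the IAS reply before it is
# tunnelled back to the Mac inside TTLS (assumed default list for this example).
DEFAULT_STRIP = ("Class", "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key")

# Constructed sample in the layout of Radiator's "Attributes:" debug dump,
# using the values quoted in the thread.
SAMPLE_DUMP = """\
Attributes:
        Framed-IP-Address = 255.255.255.255
        Class = "funcionarios"
        Tunnel-Medium-Type = 0:802
        Tunnel-Private-Group-ID = 0:247
        Tunnel-Type = 0:VLAN
        MS-MPPE-Recv-Key = t<131>YQ<180>}<161>eI<252>Jf<23><30>H.
        MS-MPPE-Send-Key = <137><153>;<215><211>D<248><246>C<219>QP&<8><223>`
        MS-CHAP2-Success = "<231>S=17CB6844622DC3EE55DE2FCA99750B33A4CA848E"
        MS-CHAP-Domain = "<231>UMINHO"
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 14
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")


def parse_dump(text):
    """Turn the 'Name = value' lines of a dump into an ordered list of pairs."""
    attrs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "Attributes:":
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparsed dump line: %r" % line)
        attrs.append((m.group(1), m.group(2)))
    return attrs


def prepare_inner_reply(attrs, strip=DEFAULT_STRIP, first="MS-CHAP2-Success"):
    """Drop the attributes in `strip` (what StripFromReply does) and move
    every `first` attribute to the front, keeping the order of the rest."""
    kept = [(n, v) for n, v in attrs if n not in strip]
    head = [(n, v) for n, v in kept if n == first]
    tail = [(n, v) for n, v in kept if n != first]
    return head + tail


def mschap2_success_is_wellformed(value):
    """RFC 2548 MS-CHAP2-Success: one Ident byte, then 'S=' and 40 hex digits.
    The dump prints a non-printable Ident as <nnn>, so accept that spelling."""
    v = value.strip('"')
    return re.match(r"^(?:<\d{1,3}>|.)S=[0-9A-Fa-f]{40}$", v) is not None


def demo():
    """Apply both workarounds to the constructed dump and report the result."""
    attrs = parse_dump(SAMPLE_DUMP)
    fixed = prepare_inner_reply(attrs)
    names = [n for n, _ in fixed]
    return {
        "original_first": attrs[0][0],
        "fixed_first": names[0],
        "stripped_all": not any(n in DEFAULT_STRIP for n in names),
        "count": len(fixed),
        "success_wellformed": mschap2_success_is_wellformed(dict(fixed)["MS-CHAP2-Success"]),
    }


if __name__ == "__main__":
    for name, value in prepare_inner_reply(parse_dump(SAMPLE_DUMP)):
        print("%s = %s" % (name, value))
```

Running the script prints the list the client would see after the change, so the "Returned TTLS tunnelled Diameter Packet dump" line in the Radiator log can be compared against it directly; the MPPE keys are safe to drop here because, as the thread notes, the TTLS-terminating server derives the keys for the outer Access-Accept itself.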