Hi, I am setting up a new Radiator service for eduroam. It sits between a Cisco wireless controller and an Active Directory. When testing with various internal smartphones, everything seems to work well (I just feel that there are far too many messages, but I don't understand the protocol, so that might be normal). The problem I get is that when I put Radiator in production, I get a lot of errors between some successes, from devices that I have no access to (eduroam). Googling around unfortunately gave no answers for this problem. Below is one example of an error:
    f98f5e50 Thu Feb 7 18:30:40 2019: DEBUG: Packet dump:
    f98f5e50 *** Received from x.x.x.x port x ....
    f98f5e50 Code: Access-Request
    f98f5e50 Identifier: 146
    f98f5e50 Authentic: <12><31><127><145>56<17><220><135><141><137><30><188>;<212><255>
    f98f5e50 Attributes:
    f98f5e50 User-Name = "[email protected]"
    f98f5e50 Chargeable-User-Identity = <0>
    f98f5e50 Location-Capable = CIVIC_LOCATION
    f98f5e50 Calling-Station-Id = "b0-52-16-xx-xx-xx"
    f98f5e50 Called-Station-Id = "a4-6c-2a-xx-xx-xx:eduroam"
    f98f5e50 NAS-Port = 13
    f98f5e50 cisco-avpair = "audit-session-id=0a01050b00d5de9e5c5c790a"
    f98f5e50 Acct-Session-Id = "5c5c790a/b0:52:16:0a:27:f7/24493431"
    f98f5e50 cisco-avpair = "mDNS=true"
    f98f5e50 NAS-IP-Address = 10.1.5.11
    f98f5e50 NAS-Identifier = "xxx"
    f98f5e50 Airespace-WLAN-Id = 1
    f98f5e50 Service-Type = Framed-User
    f98f5e50 Framed-MTU = 1300
    f98f5e50 NAS-Port-Type = Wireless-IEEE-802-11
    f98f5e50 Tunnel-Type = 0:VLAN
    f98f5e50 Tunnel-Medium-Type = 0:802
    f98f5e50 Tunnel-Private-Group-ID = xxx
    f98f5e50 EAP-Message = <1><1><0><8><227><255><252>([email protected]
    f98f5e50 Message-Authenticator = <236><138><252><182><210>6<181>Xv<132><227><175><133>|<18><5>
    f98f5e50 Thu Feb 7 18:30:40 2019: DEBUG: Handling request with Handler 'Realm = "/^xxx.xx$/i"', Identifier ''
    f98f5e50 Thu Feb 7 18:30:40 2019: DEBUG: SessINTERNAL: Deleting session for [email protected], x.x.x.x, 13
    f98f5e50 Thu Feb 7 18:30:40 2019: DEBUG: Handling with Radius::AuthFILE: outerEAPdetunneling
    f98f5e50 Thu Feb 7 18:30:40 2019: INFO: Bad EAP message length 26, EAP length 8
    f98f5e50 Thu Feb 7 18:30:40 2019: DEBUG: EAP result: 1, Bad EAP message length 26, EAP length 8
    f98f5e50 Thu Feb 7 18:30:40 2019: DEBUG: AuthBy FILE result: REJECT, Bad EAP message length 26, EAP length 8
    f98f5e50 Thu Feb 7 18:30:40 2019: INFO: Access rejected for [email protected]: Bad EAP message length 26, EAP length 8
    f98f5e50 Thu Feb 7 18:30:40 2019: DEBUG: Packet dump:
    f98f5e50 *** Sending to 10.1.5.11 port 32777 ....
    f98f5e50 Code: Access-Reject
    f98f5e50 Identifier: 146
    f98f5e50 Authentic: <188><20><241>$P<1>`<220><247><20><9>g<27><165><145>o
    f98f5e50 Attributes:
    f98f5e50 EAP-Message = <4><1><0><4>
    f98f5e50 Message-Authenticator = l/<14>g}<136>J<149>$<197><235>#<251>%<161><142>
    f98f5e50 Reply-Message = "Bad EAP message length 26, EAP length 8"

The sections of the configuration that seem relevant are:

    <AuthBy LDAP2>
        Identifier ADxxxCatalog2
        Debug 255
        Host z.z.z.z z.z.z.z
        FailureBackoffTime 10
        Port 3268
        AuthDN CN=xxx
        AuthPassword xxx
        HoldServerConnection
        BaseDN xxx
        UsernameAttr userPrincipalName
        NoCheckPassword
        AuthAttrDef xx,yy,request
        NoDefault
        AcceptIfMissing
        Version 3
        NoEAP
    </AuthBy>

    <AuthBy GROUP>
        Identifier ADxxxCatalog
        AuthByPolicy ContinueWhileAccept
        #ContinueUntilAcceptOrChallenge
        <AuthBy NTLM>
            UsernameFormat %U
            UsernameMatchesWithoutRealm
            Domain xxx.xx
            EAPType MSCHAP-V2
            AddToReply User-Name = %u
        </AuthBy>
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileAccept
            RewriteUsername s/^([^@]+)\@yyy\.yy/$1\@xxx\.xx/
            AuthBy ADcampusCatalog2
        </AuthBy>
    </AuthBy>

    <AuthBy FILE>
        Identifier outerEAPdetunneling
        EAPType PEAP, TTLS, FAST
        EAPAnonymous %0
        EAPTLS_CAFile /etc/radiator/certs/xxx.ca-bundle
        EAPTLS_CertificateFile /etc/radiator/certs/xxx.crt
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/certs/xxx.xx.key
        EAPTLS_PEAPVersion 0
        EAPTTLS_NoAckRequired
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
    </AuthBy>

    <Handler TunnelledByPEAP=1, Realm = "/^xxx.xx$/i">
        StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
        AuthBy ADcampusCatalog
        AccountingHandled
        RejectHasReason
        AuthLog Statistics
        AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802
        PostProcessingHook file:"/etc/radiator/conf.d/vlanscript.pl"
    </Handler>

    <Handler TunnelledByTTLS=1, Realm = "/^xxx.xx$/i">
        StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
        AuthBy ADcampusCatalog
        AccountingHandled
        RejectHasReason
        AuthLog Statistics
        AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802
        PostProcessingHook file:"/etc/radiator/conf.d/vlanscript.pl"
    </Handler>

    <Handler Realm = "/^xxx.xx$/i">
        AuthBy outerEAPdetunneling
        AccountingHandled
        RejectHasReason
        AuthLog Statistics
    </Handler>

Best regards
_______________________________________________ radiator mailing list [email protected] https://lists.open.com.au/mailman/listinfo/radiator
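The reject in the dump above is produced by a consistency check on the EAP header: the Length field inside the EAP packet (8) does not match the number of octets actually carried in the EAP-Message attribute (26). As an added illustration, not code from the post or from Radiator itself, the following Python decodes Radiator's packet-dump notation back into bytes and applies that check; the first eight octets are taken from the failing EAP-Message, while the identity string is a constructed placeholder chosen so that 26 octets follow a header claiming 8.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def decode_radiator_dump(text: str) -> bytes:
    """Turn Radiator's packet-dump notation for a binary attribute back into
    bytes: non-printable octets appear as <decimal>, printable ones literally."""
    out = bytearray()
    for literal, num in re.findall(r"([^<]+)|<(\d+)>", text):
        if num:
            out.append(int(num))
        else:
            out.extend(literal.encode("latin-1"))
    return bytes(out)


def check_eap_message(data: bytes):
    """Parse the EAP header (Code, Identifier, Length, Type) and require the
    declared Length to equal the octets received. If a request carries several
    EAP-Message attributes they must be concatenated before this check.
    Returns (ok, description)."""
    if len(data) < 4:
        return False, f"EAP header truncated: {len(data)} bytes"
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        # Same condition that the log reports as
        # "Bad EAP message length 26, EAP length 8"
        return False, f"Bad EAP message length {len(data)}, EAP length {length}"
    eap_type = data[4] if len(data) > 4 else None
    return True, f"{EAP_CODES.get(code, code)} id={identifier} type={eap_type} len={length}"


def identity_response(identifier: int, identity: bytes) -> bytes:
    """Build a well-formed EAP-Response/Identity (Code 2, Type 1) for contrast."""
    return struct.pack("!BBHB", 2, identifier, 5 + len(identity), 1) + identity


# Constructed sample in the dump's own notation: header octets from the failing
# request, identity replaced by a placeholder (hypothetical user/realm).
BAD_EAP = decode_radiator_dump("<1><1><0><8><227><255><252>(user123@example.xx")
GOOD_EAP = identity_response(1, b"user123@example.xx")

if __name__ == "__main__":
    print(check_eap_message(BAD_EAP))   # (False, 'Bad EAP message length 26, EAP length 8')
    print(check_eap_message(GOOD_EAP))  # (True, 'Response id=1 type=1 len=23')
```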
