Hi,
Who can help me to resolve this problem? Details as follows:
Log:
** Received from 10.0.0.10 port 1812 ....
Code: Access-Request
Identifier: 174
Authentic: @o<26><0><189>i<0><0><189>i<0><0><223>f<166><165>
Attributes:
User-Name = "anonymous"
cisco-avpair = "ssid=Test"
NAS-IP-Address = 10.0.0.10
Framed-MTU = 1400
Called-Station-Id = "003002DDA37C"
Calling-Station-Id = "00022D4147EC"
NAS-Identifier = "Test"
NAS-Port = 37
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login-User
EAP-Message = <2><12><0><14><1>anonymous
Message-Authenticator = <182><250><191><189><134><0>@<172><157>C<4><224> <184><137><14><160>

Mon May 19 18:27:32 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon May 19 18:27:32 2003: DEBUG: Deleting session for anonymous, 10.0.0.10, 37
Mon May 19 18:27:32 2003: DEBUG: Handling with Radius::AuthFILE:
Mon May 19 18:27:32 2003: DEBUG: Handling with EAP: code 2, 12, 14
Mon May 19 18:27:32 2003: DEBUG: Response type 1
Mon May 19 18:27:32 2003: ERR: Could not handle an EAP request: Can't locate object method "response_identity" via package "Radius::EAP_21" at /usr/lib/perl5/site_perl/Radius/EAP.pm line 139.
Mon May 19 18:27:32 2003: INFO: Access rejected for anonymous: Could not handle an EAP request
Mon May 19 18:27:32 2003: DEBUG: Packet dump:
*** Sending to 10.0.0.10 port 1812 ....
Code: Access-Reject
Identifier: 174
Authentic: @o<26><0><189>i<0><0><189>i<0><0><223>f<166><165>
Attributes:
Reply-Message = "Request Denied"
Mon May 19 18:27:39 2003: DEBUG: Packet dump:
Config file: eap_ttls.cfg

# Example Radiator configuration file.
# This very simple file will allow you to get started with
# EAP TTLS authentication as used by Funk Odyssey.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example will authenticate from a standard users file in
# the current directory.
# It will accept requests from any client and try to handle requests
# for any realm.
# And it will print out what it is doing in great detail.
#
# In order to authenticate, the client's user name must be in ./users
# (the password is irrelevant for EAP TLS).
# It will also require that the certificate installed on the client
# is within one step of the root certificate, and that the subject name
# in the client certificate is the same as the user name they are trying
# to log in as.
#
# In order to test this, you WILL need to install a server certificate and
# key for Radiator to use. Runs with openssl on Unix.
#
# There is a helpful tutorial for testing EAP TLS with Aironet wireless cards
# mentioned in http://www.missl.cs.umd.edu/wireless/eaptls/, which were
# AuthBy FILE below to suit.
#
# Requires Net_SSLeay.pm-1.21 or later from CPAN.
# Requires openssl 0.9.7beta3 or later from www.openssl.org
# Requires Digest-HMAC from CPAN
# Requires Digest-SHA1 from CPAN
#
# Foreground
LogStdout
LogDir .
DbDir .
# Use a lower trace level in production systems:
Trace 4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client 10.0.0.10>
    Secret mysecret
    DupInterval 0
</Client>

# The original TTLS request from a NAS will be sent to a matching
# extracted.
# The inner authentication request will be sent again to a matching
# a specific handler
# act as the AAA/H home server, and authenticate TTLS requests locally or proxy
# from a file by AuthBy FILE
<Realm DEFAULT>
    <AuthBy FILE>
        # Users must be in this file to get anywhere. In this example,
        # in the outer requests, and it also requires an entry for the
        # in the Funk Odyssey 'Edit Profile Properties' page
        Filename %D/users

        # EAPType sets the EAP type(s) that Radiator will honour.
        # Options are: MD5-Challenge, One-Time-Password
        # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
        # Multiple types can be comma separated, with the default (most
        # preferred) type given first
        EAPType TTLS

        # EAPTLS_CAFile is the name of a file of CA certificates
        # in PEM format. The file can contain several CA certificates
        # EAPTLS_CAPath is the name of a directory containing CA

        # EAPTLS_CertificateFile is the name of a file containing
        # defaults to ASN1
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM

        # EAPTLS_PrivateKeyFile is the name of the file containing
        # the server's private key. It is sometimes in the same file
        # as the server certificate (EAPTLS_CertificateFile)
        # If the private key is encrypted (usually the case)
        # then EAPTLS_PrivateKeyPassword is the key to decrypt it
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever

        # EAPTLS_RandomFile is an optional file containing
        # randomness
        # EAPTLS_RandomFile %D/certificates/random

        # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
        # size that will be replied by Radiator. It must be small

        # EAPTLS_DHFile if set specifies the DH group file. It
        # may be required if you need to use ephemeral DH keys.
        # EAPTLS_DHFile %D/certificates/cert/dh

        # for the certificate issuer
        # fail with an error:
        # Alternatively, CRLs may follow a file naming convention:
        # the hash of the issuer subject name
        # You can find out the hash of the issuer name in a CRL with
        # openssl crl -in crl.pem -hash -noout
        # CRLs with this name convention
        # will be searched in EAPTLS_CAPath, else in the openssl
        # openssl ca -gencrl -out crl.pem
        # Use of these flags requires Net_SSLeay-1.21 or later
        #EAPTLS_CRLCheck
        #EAPTLS_CRLFile %D/certificates/crl.pem
        #EAPTLS_CRLFile %D/certificates/revocations.pem

        # client Network Properties dialog.
        # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
        # in the final Access-Accept
        AutoMPPEKeys

        # You can enable some warning messages from the Net::SSLeay
        # module by setting SSLeayTrace to an integer from 1 to 4
        # 1=ciphers, 2=trace, 3=dump data
        #SSLeayTrace 4

        # You can configure the User-Name that will be used for the inner
        # authentication. Defaults to 'anonymous'. This can be useful
        # when proxying the inner authentication. If there is a realm, it can
        # be used to choose a local Realm to handle the inner authentication.
        # %0 is replaced with the EAP identity
        # EAPAnonymous [EMAIL PROTECTED]

        # You can enable or disable support for TTLS Session Resumption and
        # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
        # Default is enabled
        #EAPTLS_SessionResumption 0

        # You can limit how long after the initial session that a session can be resumed
        # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
        # (12 hours)
        #EAPTLS_SessionResumptionLimit 10
    </AuthBy>

    # These hooks fix the problem with some implementations of TTLS, where the
    # accounting requests have the User-Name of anonymous, instead of the real
    # user's name. After authenticating the inner TTLS request, the
    # PostAuthHook caches the _real_ user name in an SQL table.
    # The PreProcessingHook replaces the 'anonymous' user name in accounting requests with the
    # real user name that was previously cached for the NAS and NAS-Port.
    # You can see the correct real User-Name logged in the AcctLogFileName
    # PreProcessingHook file:"goodies/eap_anon_hook.pl"
    # PostAuthHook file:"goodies/eap_anon_hook.pl"
    # AcctLogFileName %D/detail
</Realm>
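As an added example (not code from the original post or from Radiator itself), the Python below decodes the EAP-Message attribute out of a Radiator packet dump in the <N> byte notation shown above and checks the EAP header against what the debug lines report (code 2, id 12, length 14, Response type 1 = Identity). The type table is from the IANA EAP registry, where 21 is EAP-TTLS, the number that appears in the module name Radius::EAP_21 in the error; all function and constant names are my own.

```python
import re
# EAP codes and type numbers from the IANA EAP registry (RFC 3748; TTLS = 21 per RFC 5281).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2"}
_BYTE_ESCAPE = re.compile(r"<(\d{1,3})>")

def radiator_unescape(text: str) -> bytes:
    """Turn Radiator's <N> notation for non-printable bytes back into raw bytes."""
    out, pos = bytearray(), 0
    for m in _BYTE_ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")  # printable bytes are literal
        value = int(m.group(1))
        if value > 255:
            raise ValueError(f"invalid byte escape {m.group(0)}")
        out.append(value)
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)

def decode_eap(packet: bytes) -> dict:
    """Parse the EAP header and, for Request/Response, the Type and Identity."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):  # RFC 3748: Length covers the whole EAP packet
        raise ValueError(f"EAP Length {length} but {len(packet)} bytes present")
    info = {"code": code, "code_name": EAP_CODES.get(code, "unknown"),
            "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response must carry a Type byte")
        info["type"] = packet[4]
        info["type_name"] = EAP_TYPES.get(packet[4], "unknown")
        if packet[4] == 1:  # Identity: the rest of the packet is the peer's NAI
            info["identity"] = packet[5:].decode("utf-8", "replace")
    return info

def eap_from_dump(dump: str) -> dict:
    """Pull the EAP-Message value out of a Radiator packet dump and decode it. The
    value runs to the next 'Attr-Name = ' token, so a literal space in it survives."""
    m = re.search(r"EAP-Message = (.*?)(?= [\w-]+ = |\n|$)", dump)
    if not m:
        raise ValueError("no EAP-Message attribute in the dump")
    return decode_eap(radiator_unescape(m.group(1)))

# Two attribute lines copied from the Access-Request dump in the post above.
SAMPLE_DUMP = "EAP-Message = <2><12><0><14><1>anonymous Message-Authenticator = <182><250>"
```

A length field that disagrees with the bytes present raises ValueError instead of being dispatched, which is the kind of malformed EAP-Message a NAS or supplicant bug can produce.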