Hello Pavel,

On Sat, 23 Aug 2003 01:01 am, Pavel Paprok wrote:
> Mike McCauley wrote:
> >Hello Pavel,
> >
> >On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:
> >>Mike McCauley wrote:
> >>>On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:
> >>>>Hallo,
> >>>>
> >>>>I am trying to get the Orinoco/Proxim AP-2000 wifi access point working
> >>>>with 802.1x EAP/PEAP user auth by Radiator:
> >>>>- Radiator 3.6 eval version RPM on RedHat 9, configured for EAP/PEAP
> >>>>with demo certificates.
> >>>>- Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
> >>>>- Test client is a Dell notebook with Win XP (all patches applied),
> >>>>wireless card Orinoco Silver
> >>>>  and/or builtin Intel Pro/WirelessLAN 2100 3A
> >>>>
> >>>>After all the known install and config issues I met (described in the
> >>>>FAQ, archive and UtahGeeks) I moved to a state where the
> >>>>user is authenticated OK and radius sends "Access-Accept". But that is
> >>>>the last info from the radius log; no real connection follows and there
> >>>>is no accounting in the log.
> >>>>Especially the basic UtahGeeks config of the Access point is pretty close
> >>>>to our config, but unfortunately there is no published Radiator
> >>>>configuration, so maybe I have a problem here. Or is the problem in using
> >>>>a different wifi client? Can somebody please help me find where the
> >>>>problem is?
> >>>
> >>>That sounds a lot like the client is not configured to expect a dynamic
> >>>WEP key, but your Radiator is configured to send them to the AP.
> >>>
> >>>Check the 'WEP key will be provided for me' option in your client
> >>>configuration.
> >>
> >>Of course, as I have written below in the Windows XP client config:
> >>
> >>"- Key is provided for me automatically ON"
> >>Yesterday I also turned on EAP tracing in WinXP, see the log below; the
> >>interesting part is the last line:
> >>
> >>"We got a EAP_failure after we got a PEAP_SUCCESS. Failing auth."
> >>
> >>...I don't know what it means.
> >
> >That is very curious, since the last thing sent by Radiator is clearly an
> >EAP Success.
> >Perhaps the EAP Failure is being sent by the AP?
> >
> >I wonder if your AP needs some configuration so that it will support
> >dynamic WEP?
> >
> >Cheers.
>
> I just tried to use a Signamax 22Mbps AP in 802.1x with the same radiator
> and windows xp client configuration
> and the client connected ok! So there should be no general problem with the
> client and radius configuration;
> the problem is likely in the Avaya or its configuration. Or in the EAP
> compatibility of the Avaya?
Sounds like the problem is there. We found when we tested the Orinoco AP-2000
here that you had to have the _latest_ firmware installed else it would not
work properly. See the Radiator FAQ for more details.
http://www.open.com.au/radiator/faq.html

> I noted that I must set the "IgnoreAcctSignature" option to "yes" for the
> Avaya or I get "Bad EAP Message-Authenticator" warnings in the log and auth
> fails. Signamax works ok both with and without this option ....maybe
> that is where the problems start?

Sounds like there is a shared secret problem between Radiator and the Avaya?

> Are there some AddToReply items which I could try to add to the reply for
> the Avaya?
> Does somebody have the Avaya AP-2000 working with 802.1x who could help me
> with the configuration? The article in the FAQ
> about it does not help me; I don't know where the mistake is, so an exact AP
> configuration dump of a real working device would be welcome.

Cheers.

>
> Pavel
>
> >>Pavel
> >>
> >>>Cheers.
> >>>
> >>>>My configuration:
> >>>>
> >>>>------ users ------
> >>>>wifitest User-Password=wifi
> >>>>        Session-Timeout=60
> >>>>
> >>>>
> >>>>------ radius.cfg ------
> >>>>AuthPort 1812
> >>>>AcctPort 1813
> >>>>
> >>>>LogStdout
> >>>>LogDir /var/log/radius
> >>>>DbDir /etc/radiator
> >>>>
> >>>>Trace 5
> >>>>
> >>>><Client XXX.XXX.XXX.XXX>
> >>>>        Secret XXXXX
> >>>>        Identifier wifi-testnet
> >>>>        IgnoreAcctSignature yes
> >>>></Client>
> >>>># now core config from eap_peap.cfg example:
> >>>>
> >>>><Handler TunnelledByPEAP=1>
> >>>>        AcctLogFileName %L/detail
> >>>>        <AuthBy FILE>
> >>>>                Filename %D/users
> >>>>                EAPType MSCHAP-V2
> >>>>        </AuthBy>
> >>>></Handler>
> >>>><Handler>
> >>>>        <AuthBy FILE>
> >>>>                Filename %D/users
> >>>>                EAPType PEAP
> >>>>                EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> >>>>
> >>>>                EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> >>>>                EAPTLS_CertificateType PEM
> >>>>
> >>>>                EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> >>>>                EAPTLS_PrivateKeyPassword whatever
> >>>>
> >>>>                EAPTLS_MaxFragmentSize 1024
> >>>>
> >>>>                AutoMPPEKeys
> >>>>                # i did try also
> >>>>                #AddToReply MS-MPPE-Encryption-Policy =
> >>>>Encryption-Allowed,\
> >>>>                #       MS-MPPE-Encryption-Types =
> >>>>Encryption-Any
> >>>>                SSLeayTrace 4
> >>>>
> >>>>        </AuthBy>
> >>>></Handler>
> >>>>
> >>>>
> >>>>------ WinXP client configuration ------
> >>>>
> >>>>- Data encryption (WEP enabled) ON
> >>>>- Network Authentication (Shared mode) OFF
> >>>>- Key is provided for me automatically ON
> >>>>- Adhoc network OFF
> >>>>- Enable 802.1x auth ON
> >>>>- EAP type: PEAP
> >>>>- Authenticate as computer OFF
> >>>>- Authenticate as guest OFF
> >>>>- Validate server certificate OFF
> >>>>- Authentication method: EAP-MSCHAP v2 (automatically use Windows logon
> >>>>name OFF)
> >>>>- Enable fast reconnect OFF
> >>>>
> >>>>----- something from Orinoco-2000 config -----
> >>>>
> >>>>Operational Mode
> >>>>Wireless A: 802.11bg
> >>>>        physical iface 802.11g OFDM / DSSS 2.4 GHz, enable auto channel
> >>>>select ON, transmit rate: auto fallback,
> >>>>        dtim period: 1 rts/cts medium reservation: 2347, enable closed
> >>>>system: OFF
> >>>>
> >>>>
> >>>>Wireless B: 802.11b only
> >>>>        physical iface 802.11b DSSS 2.4 GHz enable auto channel select ON,
> >>>>mcast rate: 2mbit,
> >>>>        dtim period: 1 rts/cts medium reservation: 2347, dist AP: large,
> >>>>enable closed system: OFF,
> >>>>        enable load balancing: ON, enable medium density distribution: ON
> >>>>
> >>>>        MAC access control: OFF
> >>>>
> >>>>        Authentication:
> >>>>        wireless slot A: mode 802.1x, rekeying interval: 900, encr key
> >>>>length: 64bits
> >>>>        wireless slot B: mode 802.1x, rekeying interval: 900, encr key
> >>>>length: 64bits
> >>>>
> >>>>        Radius auth:
> >>>>        enable radius mac access control: OFF, enable primary radius: ON,
> >>>>enable backup radius: OFF,
> >>>>        auth lifetime: 900sec, primary radius server ip, port and shared
> >>>>secret set properly, resp time: 3sec,
> >>>>        max retr: 3
> >>>>
> >>>>        Radius acct:
> >>>>        enable radius accounting: ON, enable primary radius: ON, enable
> >>>>backup radius: OFF,
> >>>>        primary radius server ip, port and shared secret set properly,
> >>>>resp time: 3sec,
> >>>>        max retr: 3
> >>>>        DHCP server:
> >>>>        enabled
> >>>>
> >>>>
> >>>>------ radius log recorded ------ (tainted, only last lines, real ip
> >>>> of radiator and AP replaced, there are no ERROR lines in log...)
> >>>>
> >>>>
> >>>>Packet length = 163
> >>>>01 0a 00 a3 35 01 00 00 d3 70 00 00 ea 7f 00 00
> >>>>fc 20 00 00 01 0a 77 69 66 69 74 65 73 74 04 06
> >>>>d5 c2 c2 5e 1e 13 30 30 2d 32 30 2d 61 36 2d 34
> >>>>38 2d 65 37 2d 33 66 1f 13 30 30 2d 30 34 2d 32
> >>>>33 2d 34 38 2d 66 31 2d 66 33 20 13 4f 52 69 4e
> >>>>4f 43 4f 2d 41 50 2d 32 30 30 30 41 45 0c 06 00
> >>>>00 05 78 3d 06 00 00 00 13 4f 28 02 0b 00 26 19
> >>>>00 17 03 01 00 1b 21 3a 80 0e 47 22 d7 62 48 7e
> >>>>9e 6c 5f 02 a9 68 ba 5f 5d 43 03 a4 20 bb 7d 3c
> >>>>04 50 12 4d 14 ad 48 15 4e 0b 5a da b5 23 9f ab
> >>>>a0 b4 b8
> >>>>Code: Access-Request
> >>>>Identifier: 10
> >>>>Authentic: 5<1><0><0><211>p<0><0><234><127><0><0><252> <0><0>
> >>>>Attributes:
> >>>>        User-Name = "wifitest"
> >>>>        NAS-IP-Address = ORI.NO.CO.IP
> >>>>        Called-Station-Id = "00-20-a6-48-e7-3f"
> >>>>        Calling-Station-Id = "00-04-23-48-f1-f3"
> >>>>        NAS-Identifier = "ORiNOCO-AP-2000AE"
> >>>>        Framed-MTU = 1400
> >>>>        NAS-Port-Type = Wireless-IEEE-802-11
> >>>>        EAP-Message =
> >>>><2><11><0>&<25><0><23><3><1><0><27>!:<128><14>G"<215>bH~<158>l_<2><169>
> >>>>h<186>_]C<3><164> <187>}<<4>
> >>>>        Message-Authenticator =
> >>>>M<20><173>H<21>N<11>Z<218><181>#<159><171><160><180><184>
> >>>>
> >>>>Tue Aug 19 14:20:36 2003: DEBUG: Handling request with Handler ''
> >>>>Tue Aug 19 14:20:36 2003: DEBUG: Deleting session for wifitest,
> >>>>ORI.NO.CO.IP ,
> >>>>Tue Aug 19 14:20:36 2003: DEBUG: Handling with Radius::AuthFILE:
> >>>>Tue Aug 19 14:20:36 2003: DEBUG: Handling with EAP: code 2, 11, 38
> >>>>Tue Aug 19 14:20:36 2003: DEBUG: Response type 25
> >>>>Tue Aug 19 14:20:36 2003: DEBUG: Access accepted for wifitest
> >>>>Tue Aug 19 14:20:36 2003: DEBUG: Packet dump:
> >>>>*** Sending to ORI.NO.CO.IP port 6001 ....
> >>>>
> >>>>Packet length = 160
> >>>>02 0a 00 a0 16 83 b2 81 33 aa 76 f3 c4 8c bd f6
> >>>>80 76 b9 ea 1a 3a 00 00 01 37 10 34 ed 16 5d 7f
> >>>>0e 74 a1 73 03 45 9c 75 15 67 22 90 c7 3d b5 b1
> >>>>71 60 1d ba be d4 29 00 42 83 18 62 b0 2f 61 c6
> >>>>ca db b1 02 2d f4 76 4e 67 65 2c 98 f2 ea 1a 3a
> >>>>00 00 01 37 11 34 87 c2 87 6c 05 9a 2e c2 87 c5
> >>>>39 89 e5 45 73 57 63 e9 02 be 82 f2 21 84 ea 0d
> >>>>f9 8e cc fd 4d 72 8e d9 4b 72 37 5e 55 e9 f7 65
> >>>>87 79 8d 45 2d 79 46 99 4f 06 03 0b 00 04 50 12
> >>>>9d 85 0f 55 3f ea 50 c9 85 db 50 75 01 92 67 ec
> >>>>Code: Access-Accept
> >>>>Identifier: 10
> >>>>Authentic: 5<1><0><0><211>p<0><0><234><127><0><0><252> <0><0>
> >>>>Attributes:
> >>>>        MS-MPPE-Send-Key =
> >>>>"<237><22>]<127><14>t<161>s<3>E<156>u<21>g"<144><199>=<181><177>q`<29><186>
> >>>><190><212>)<0>B<131><24>b<176>/a<198><202><219><177><2>-<244>vNge,<152><242><234>"
> >>>>
> >>>>        MS-MPPE-Recv-Key =
> >>>>"<135><194><135>l<5><154>.<194><135><197>9<137><229>EsWc<233><2><190><130>
> >>>><242>!<132><234><13><249><142><204><253>Mr<142><217>Kr7^U<233><247>e<135>
> >>>>y<141>E-yF<153>"
> >>>>
> >>>>        EAP-Message = <3><11><0><4>
> >>>>        Message-Authenticator =
> >>>><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>
> >>log from windows xp 802.1x client:
> >>
> >>[5584] 12:58:01:192: PeapReadConnectionData
> >>[5584] 12:58:01:192: PeapReadUserData
> >>[5584] 12:58:01:192: RasEapGetInfo
> >>[5584] 12:58:01:192: PeapReDoUserData
> >>[5584] 12:58:30:234: PeapReadConnectionData
> >>[5584] 12:58:30:234: PeapReadUserData
> >>[5584] 12:58:30:244: RasEapGetInfo
> >>[5584] 12:58:30:244: PeapReDoUserData
> >>[5584] 12:58:43:203: EapPeapBegin
> >>[5584] 12:58:43:203: PeapReadConnectionData
> >>[5584] 12:58:43:203: PeapReadUserData
> >>[5584] 12:58:43:203:
> >>[5584] 12:58:43:203: EapTlsBegin(wifitest)
> >>[5584] 12:58:43:203: State change to Initial
> >>[5584] 12:58:43:203: EapTlsBegin: Detected 8021X authentication
> >>[5584] 12:58:43:203: EapTlsBegin: Detected PEAP authentication
> >>[5584] 12:58:43:203: MaxTLSMessageLength is now 16384
> >>[5584] 12:58:43:203: EapPeapBegin done
> >>[5584] 12:58:43:203: EapPeapMakeMessage
> >>[5584] 12:58:43:203: EapPeapCMakeMessage
> >>[5584] 12:58:43:203: PEAP:PEAP_STATE_INITIAL
> >>[5584] 12:58:43:203: EapTlsCMakeMessage
> >>[5584] 12:58:43:203: EapTlsReset
> >>[5584] 12:58:43:203: State change to Initial
> >>[5584] 12:58:43:203: GetCredentials
> >>[5584] 12:58:43:203: Flag is Client and Store is Current User
> >>[5584] 12:58:43:203: GetCachedCredentials
> >>[5584] 12:58:43:203: PEAP GetCachedCredentials: Using cached credentials.
> >>[5584] 12:58:43:203: MakeReplyMessage
> >>[5584] 12:58:43:203: SecurityContextFunction
> >>[5584] 12:58:43:243: InitializeSecurityContext returned 0x90312
> >>[5584] 12:58:43:243: State change to SentHello
> >>[5584] 12:58:43:243: BuildPacket
> >>[5584] 12:58:43:243: << Sending Response (Code: 2) packet: Id: 4,
> >>Length: 80, Type: 13, TLS blob length: 70. Flags: L
> >>[5584] 12:58:43:243: EapPeapCMakeMessage done
> >>[5584] 12:58:43:243: EapPeapMakeMessage done
> >>[5584] 12:58:43:263: EapPeapMakeMessage
> >>[5584] 12:58:43:263: EapPeapCMakeMessage
> >>[5584] 12:58:43:263: PEAP:PEAP_STATE_TLS_INPROGRESS
> >>[5584] 12:58:43:263: EapTlsCMakeMessage
> >>[5584] 12:58:43:263: MakeReplyMessage
> >>[5584] 12:58:43:263: Reallocating input TLS blob buffer
> >>[5584] 12:58:43:263: BuildPacket
> >>[5584] 12:58:43:263: << Sending Response (Code: 2) packet: Id: 5,
> >>Length: 6, Type: 13, TLS blob length: 0. Flags:
> >>[5584] 12:58:43:263: EapPeapCMakeMessage done
> >>[5584] 12:58:43:263: EapPeapMakeMessage done
> >>[5584] 12:58:43:323: EapPeapMakeMessage
> >>[5584] 12:58:43:323: EapPeapCMakeMessage
> >>[5584] 12:58:43:323: PEAP:PEAP_STATE_TLS_INPROGRESS
> >>[5584] 12:58:43:323: EapTlsCMakeMessage
> >>[5584] 12:58:43:323: MakeReplyMessage
> >>[5584] 12:58:43:323: BuildPacket
> >>[5584] 12:58:43:323: << Sending Response (Code: 2) packet: Id: 6,
> >>Length: 6, Type: 13, TLS blob length: 0. Flags:
> >>[5584] 12:58:43:323: EapPeapCMakeMessage done
> >>[5584] 12:58:43:323: EapPeapMakeMessage done
> >>[5584] 12:58:43:333: EapPeapMakeMessage
> >>[5584] 12:58:43:333: EapPeapCMakeMessage
> >>[5584] 12:58:43:333: PEAP:PEAP_STATE_TLS_INPROGRESS
> >>[5584] 12:58:43:333: EapTlsCMakeMessage
> >>[5584] 12:58:43:333: MakeReplyMessage
> >>[5584] 12:58:43:333: SecurityContextFunction
> >>[5584] 12:58:43:393: InitializeSecurityContext returned 0x90312
> >>[5584] 12:58:43:393: State change to SentFinished
> >>[5584] 12:58:43:393: BuildPacket
> >>[5584] 12:58:43:393: << Sending Response (Code: 2) packet: Id: 7,
> >>Length: 199, Type: 13, TLS blob length: 189. Flags: L
> >>[5584] 12:58:43:393: EapPeapCMakeMessage done
> >>[5584] 12:58:43:393: EapPeapMakeMessage done
> >>[5584] 12:58:43:413: EapPeapMakeMessage
> >>[5584] 12:58:43:413: EapPeapCMakeMessage
> >>[5584] 12:58:43:413: PEAP:PEAP_STATE_TLS_INPROGRESS
> >>[5584] 12:58:43:413: EapTlsCMakeMessage
> >>[5584] 12:58:43:413: MakeReplyMessage
> >>[5584] 12:58:43:413: SecurityContextFunction
> >>[5584] 12:58:43:413: InitializeSecurityContext returned 0x0
> >>[5584] 12:58:43:413: AuthenticateServer
> >>[5584] 12:58:43:413: CreateMPPEKeyAttributes
> >>[5584] 12:58:43:413: State change to RecdFinished
> >>[5584] 12:58:43:413: BuildPacket
> >>[5584] 12:58:43:413: << Sending Response (Code: 2) packet: Id: 8,
> >>Length: 6, Type: 13, TLS blob length: 0. Flags:
> >>[5584] 12:58:43:413: EapPeapCMakeMessage done
> >>[5584] 12:58:43:413: EapPeapMakeMessage done
> >>[5584] 12:58:43:423: EapPeapMakeMessage
> >>[5584] 12:58:43:423: EapPeapCMakeMessage
> >>[5584] 12:58:43:423: PEAP:PEAP_STATE_TLS_INPROGRESS
> >>[5584] 12:58:43:423: EapTlsCMakeMessage
> >>[5584] 12:58:43:423: Negotiation successful
> >>[5584] 12:58:43:423: PeapGetTunnelProperties
> >>[5584] 12:58:43:423: Successfully negotiated TLS with following
> >>parameters dwProtocol = 0x80, Cipher= 0x6801,
> >>CipherStrength=0x80,Hash=0x8003
> >>[5584] 12:58:43:423: PeapGetTunnelProperties done
> >>[5584] 12:58:43:423: PeapClientDecryptTunnelData
> >>[5584] 12:58:43:423: IsDuplicatePacket
> >>[5584] 12:58:43:423: PeapDecryptTunnelData dwSizeofData = 0x16, pData =
> >>0x4261ff4
> >>[5584] 12:58:43:423: PeapDecryptTunnelData completed with status 0x0
> >>[5584] 12:58:43:423: PeapEncryptTunnelData
> >>[5584] 12:58:43:423: PeapEncryptTunnelData completed with status 0x0
> >>[5584] 12:58:43:423: EapPeapCMakeMessage done
> >>[5584] 12:58:43:423: EapPeapMakeMessage done
> >>[5584] 12:58:43:483: EapPeapMakeMessage
> >>[5584] 12:58:43:483: EapPeapCMakeMessage
> >>[5584] 12:58:43:483: PEAP:PEAP_STATE_IDENTITY_RESPONSE_SENT
> >>[5584] 12:58:43:483: PeapClientDecryptTunnelData
> >>[5584] 12:58:43:483: IsDuplicatePacket
> >>[5584] 12:58:43:483: PeapDecryptTunnelData dwSizeofData = 0x38, pData =
> >>0x4261ff4
> >>[5584] 12:58:43:483: PeapDecryptTunnelData completed with status 0x0
> >>[5584] 12:58:43:483: PeapEncryptTunnelData
> >>[5584] 12:58:43:483: PeapEncryptTunnelData completed with status 0x0
> >>[5584] 12:58:43:483: EapPeapCMakeMessage done
> >>[5584] 12:58:43:483: EapPeapMakeMessage done
> >>[5584] 12:58:43:503: EapPeapMakeMessage
> >>[5584] 12:58:43:503: EapPeapCMakeMessage
> >>[5584] 12:58:43:503: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
> >>[5584] 12:58:43:503: PeapClientDecryptTunnelData
> >>[5584] 12:58:43:503: IsDuplicatePacket
> >>[5584] 12:58:43:503: PeapDecryptTunnelData dwSizeofData = 0x4e, pData =
> >>0x4261ff4
> >>[5584] 12:58:43:503: PeapDecryptTunnelData completed with status 0x0
> >>[5584] 12:58:43:503: PeapEncryptTunnelData
> >>[5584] 12:58:43:503: PeapEncryptTunnelData completed with status 0x0
> >>[5584] 12:58:43:503: EapPeapCMakeMessage done
> >>[5584] 12:58:43:503: EapPeapMakeMessage done
> >>[5584] 12:58:43:513: EapPeapMakeMessage
> >>[5584] 12:58:43:513: EapPeapCMakeMessage
> >>[5584] 12:58:43:513: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
> >>[5584] 12:58:43:513: PeapClientDecryptTunnelData
> >>[5584] 12:58:43:513: IsDuplicatePacket
> >>[5584] 12:58:43:513: PeapDecryptTunnelData dwSizeofData = 0x20, pData =
> >>0x4261ff4
> >>[5584] 12:58:43:513: PeapDecryptTunnelData completed with status 0x0
> >>[5584] 12:58:43:513: GetPEAPTLVStatusMessageValue
> >>[5584] 12:58:43:523: CreatePEAPTLVStatusMessage
> >>[5584] 12:58:43:523: PeapEncryptTunnelData
> >>[5584] 12:58:43:523: PeapEncryptTunnelData completed with status 0x0
> >>[5584] 12:58:43:523: EapPeapCMakeMessage done
> >>[5584] 12:58:43:523: EapPeapMakeMessage done
> >>[5584] 12:58:43:533: EapPeapMakeMessage
> >>[5584] 12:58:43:533: EapPeapCMakeMessage
> >>[5584] 12:58:43:533: PEAP:PEAP_STATE_PEAP_SUCCESS_SEND
> >>[5584] 12:58:43:533: We got a EAP_failure after we got a PEAP_SUCCESS.
> >>Failing auth.
> >>[5584] 12:58:43:533: EapPeapCMakeMessage done
> >>[5584] 12:58:43:533: EapPeapMakeMessage done
> >>[5584] 12:59:43:349: EapPeapEnd
> >>[5584] 12:59
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere.
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus,
Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP
etc on Unix, Windows, MacOS etc.
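The "Bad EAP Message-Authenticator" warning Pavel mentions is the check of the RFC 2869 Message-Authenticator, an HMAC-MD5 over the RADIUS packet keyed with the client's shared secret, which is why a secret mismatch between Radiator and the AP shows up there first. As an added example (not Radiator's code and not anything from this thread), the Python below builds a constructed Access-Request and Access-Accept with a placeholder secret, then shows that verification fails for a wrong secret or an altered attribute; that is the condition which setting IgnoreAcctSignature, as described above, only silences rather than fixes.

```python
import hashlib
import hmac
import struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80

def build_packet(code, ident, authenticator, attrs):
    """Serialise a RADIUS packet: Code, Identifier, Length, 16-byte Authenticator, TLV attributes."""
    body = b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def find_attr(packet, wanted):
    """Offset of the value of the first attribute of type `wanted`; None if absent or malformed."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return None
        if atype == wanted:
            return pos + 2
        pos += alen
    return None

def message_authenticator(packet, secret, request_authenticator):
    """RFC 2869 5.14: HMAC-MD5 keyed by the shared secret over the packet with the attribute value
    zeroed and the Request Authenticator in the header (a reply uses the one from its request)."""
    off = find_attr(packet, MESSAGE_AUTHENTICATOR)
    if off is None:
        return None
    buf = bytearray(packet)
    buf[4:20] = request_authenticator
    buf[off:off + 16] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def sign(code, ident, authenticator, attrs, secret, request_authenticator):
    """Build a packet whose Message-Authenticator is computed with `secret`."""
    pkt = build_packet(code, ident, authenticator, list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    off = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    return pkt[:off] + message_authenticator(pkt, secret, request_authenticator) + pkt[off + 16:]

def verify(packet, secret, request_authenticator):
    """True only if the Message-Authenticator was made with this secret and the packet is unaltered."""
    off = find_attr(packet, MESSAGE_AUTHENTICATOR)
    expected = message_authenticator(packet, secret, request_authenticator)
    return off is not None and hmac.compare_digest(packet[off:off + 16], expected)

def response_authenticator(reply, secret, request_authenticator):
    """RFC 2865 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret), which the NAS checks on a reply."""
    return hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()

# Constructed sample, not the packet from the log: EAP-Response/Identity "wifitest" from an 802.11 NAS.
SECRET = b"example-shared-secret"        # placeholder, not anyone's real secret
REQUEST_AUTH = bytes(range(16))          # constructed; a real NAS uses 16 random bytes
ATTRS = [(USER_NAME, b"wifitest"), (NAS_PORT_TYPE, struct.pack("!I", 19)),  # 19 = Wireless-IEEE-802-11
         (EAP_MESSAGE, b"\x02\x01\x00\x0d\x01wifitest")]                    # EAP Response, Identity
```

Checking the AP's Access-Request against the secret configured in the `<Client>` clause, and the Accept's header against the same secret on the AP side, tells the two ends' secrets apart from an EAP problem.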