Today I got an answer from the technicians at Proxim: they are using
AP-2000 fw v.2.2.2 and 2.1.3 with EAP-PEAP in their own office without problems.
But they are not using the Radiator RADIUS server because it "is not RFC 2285/2866 compliant".

Does Radiator have some RFC compliance problem? And could that be the cause?

P.


Pavel Paprok wrote:


Mike McCauley wrote:

Hello Pavel,

On Sat, 23 Aug 2003 01:01 am, Pavel Paprok wrote:


Mike McCauley wrote:


Hello Pavel,

On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:


Mike McCauley wrote:


On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:


Hallo,

I am trying to get the Orinoco/Proxim AP-2000 wifi access point working with
802.1x EAP/PEAP user auth by Radiator:
- Radiator 3.6 eval version RPM on RedHat 9, configured for EAP/PEAP
  with demo certificates.
- Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
- Test client is a Dell notebook with Win XP (all patches applied),
  wireless card Orinoco Silver and/or built-in Intel Pro/Wireless LAN 2100 3A


After all the known install and config issues I met (described in the FAQ,
archive and UtahGeeks) I moved to a state where the user is authenticated OK
and the radius server sends "Access-Accept". But that is the last info in the
radius log; no real connection follows, and no accounting appears in the log.
The basic UtahGeeks config of the access point is pretty close to our config,
but unfortunately the Radiator configuration is not published there, so maybe
that is where I have a problem. Or is the problem in using a different wifi
client? Please, can somebody help me find where the problem is?

That sounds a lot like the client is not configured to expect a dynamic
WEP key, but your Radiator is configured to send them to the AP.


Check the 'WEP key will be provided for me' option in your client
configuration.

Of course, as I have written below in the Windows XP client config:


"- Key is provided for me automatically ON"
Yesterday I also turned on EAP tracing in WinXP; see the log below. The
interesting part is the last line:


"We got a EAP_failure after we got a PEAP_SUCCESS. Failing auth."

...I don't know what it means.

That is very curious, since the last thing sent by Radiator is clearly an EAP Success.
Perhaps the EAP Failure is being sent by the AP?


I wonder if your AP needs some configuration so that it will support
dynamic WEP?

Cheers.

I just tried to use a Signamax 22Mbps AP in 802.1x with the same Radiator and
Windows XP client configuration, and the client connected OK! So there should
be no general problem with the client and radius configuration; the problem is
likely in the Avaya or its configuration. Or in the EAP compatibility of the
Avaya?


Sounds like the problem is there.
We found when we tested the Orinoco AP-2000 here that you had to have the _latest_ firmware installed, else it would not work properly. See the Radiator FAQ for more details: http://www.open.com.au/radiator/faq.html






I noted that I must set the "IgnoreAcctSignature" option to "yes" for the
Avaya, or I get "Bad EAP Message-Authenticator" warnings in the log and auth
fails. Signamax works OK both with and without this option... maybe this is
where the problems start?


Sounds like there is a shared secret problem between Radiator and the Avaya?



I think that in this case no radius packet from the other side should be accepted for processing, and there should be no communication and request/reply exchange at all. Or is that not true?

P.




Is there some AddToReply I should try adding to the reply for the Avaya?
Does somebody have an Avaya AP-2000 working with 802.1x who could help me
with the configuration? The article in the FAQ about it does not help me;
I don't know where the mistake is, so an exact AP configuration dump of a
real working device would be welcome.


Cheers.



Pavel



Pavel



Cheers.



My configuration:

------ users ------
wifitest        User-Password=wifi
    Session-Timeout=60


------ radius.cfg ------
AuthPort 1812
AcctPort 1813

LogStdout
LogDir          /var/log/radius
DbDir           /etc/radiator

Trace 5

<Client XXX.XXX.XXX.XXX>
    Secret  XXXXX
    Identifier      wifi-testnet
    IgnoreAcctSignature     yes
</Client>

# now core config from eap_peap.cfg example:
<Handler TunnelledByPEAP=1>
    AcctLogFileName %L/detail
    <AuthBy FILE>
            Filename %D/users
            EAPType MSCHAP-V2
    </AuthBy>
</Handler>

<Handler>
    <AuthBy FILE>
            Filename %D/users
            EAPType PEAP
            EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
            EAPTLS_CertificateFile %D/certificates/cert-srv.pem
            EAPTLS_CertificateType PEM
            EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
            EAPTLS_PrivateKeyPassword whatever
            EAPTLS_MaxFragmentSize 1024
            AutoMPPEKeys
            # I did try also:
            #AddToReply      MS-MPPE-Encryption-Policy = Encryption-Allowed,\
            #                MS-MPPE-Encryption-Types  = Encryption-Any
            SSLeayTrace 4
    </AuthBy>
</Handler>


------ WinXP client configuration ------


- Data encryption (WEP enabled) ON
- Network Authentication (Shared mode) OFF
- Key is provided for me automatically ON
- Adhoc network OFF
- Enable 802.1x auth ON
- EAP type: PEAP
- Authenticate as computer OFF
- Authenticate as guest OFF
- Validate server certificate OFF
- Authentication method: EAP-MSCHAP v2 (automatically use Windows logon name OFF)
- Enable fast reconnect OFF


----- something from Orinoco-2000 config -----

Operational Mode
Wireless A: 802.11bg
   physical iface 802.11g OFDM / DSSS 2.4 GHz, enable auto channel select ON,
   transmit rate: auto fallback, dtim period: 1, rts/cts medium reservation: 2347,
   enable closed system: OFF

Wireless B: 802.11b only
   physical iface 802.11b DSSS 2.4 GHz, enable auto channel select ON,
   mcast rate: 2mbit, dtim period: 1, rts/cts medium reservation: 2347,
   dist AP: large, enable closed system: OFF,
   enable load balancing: ON, enable medium density distribution: ON

MAC access control: OFF

Authentication:
   wireless slot A: mode 802.1x, rekeying interval: 900, encr key length: 64bits
   wireless slot B: mode 802.1x, rekeying interval: 900, encr key length: 64bits

Radius auth:
   enable radius mac access control: OFF, enable primary radius: ON,
   enable backup radius: OFF, auth lifetime: 900sec,
   primary radius server ip, port and shared secret set properly,
   resp time: 3sec, max retr: 3

Radius acct:
   enable radius accounting: ON, enable primary radius: ON,
   enable backup radius: OFF,
   primary radius server ip, port and shared secret set properly,
   resp time: 3sec, max retr: 3

DHCP server:
   enabled


------ radius log recorded ------ (edited: only the last lines, real IP
of Radiator and AP replaced; there are no ERROR lines in the log...)



Packet length = 163
01 0a 00 a3 35 01 00 00 d3 70 00 00 ea 7f 00 00
fc 20 00 00 01 0a 77 69 66 69 74 65 73 74 04 06
d5 c2 c2 5e 1e 13 30 30 2d 32 30 2d 61 36 2d 34
38 2d 65 37 2d 33 66 1f 13 30 30 2d 30 34 2d 32
33 2d 34 38 2d 66 31 2d 66 33 20 13 4f 52 69 4e
4f 43 4f 2d 41 50 2d 32 30 30 30 41 45 0c 06 00
00 05 78 3d 06 00 00 00 13 4f 28 02 0b 00 26 19
00 17 03 01 00 1b 21 3a 80 0e 47 22 d7 62 48 7e
9e 6c 5f 02 a9 68 ba 5f 5d 43 03 a4 20 bb 7d 3c
04 50 12 4d 14 ad 48 15 4e 0b 5a da b5 23 9f ab
a0 b4 b8
Code:       Access-Request
Identifier: 10
Authentic:  5<1><0><0><211>p<0><0><234><127><0><0><252> <0><0>
Attributes:
    User-Name = "wifitest"
    NAS-IP-Address = ORI.NO.CO.IP
    Called-Station-Id = "00-20-a6-48-e7-3f"
    Calling-Station-Id = "00-04-23-48-f1-f3"
    NAS-Identifier = "ORiNOCO-AP-2000AE"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-IEEE-802-11
    EAP-Message = <2><11><0>&<25><0><23><3><1><0><27>!:<128><14>G"<215>bH~<158>l_<2><169>h<186>_]C<3><164> <187>}<<4>
    Message-Authenticator = M<20><173>H<21>N<11>Z<218><181>#<159><171><160><180><184>

Tue Aug 19 14:20:36 2003: DEBUG: Handling request with Handler ''
Tue Aug 19 14:20:36 2003: DEBUG:  Deleting session for wifitest, ORI.NO.CO.IP ,
Tue Aug 19 14:20:36 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Aug 19 14:20:36 2003: DEBUG: Handling with EAP: code 2, 11, 38
Tue Aug 19 14:20:36 2003: DEBUG: Response type 25
Tue Aug 19 14:20:36 2003: DEBUG: Access accepted for wifitest
Tue Aug 19 14:20:36 2003: DEBUG: Packet dump:
*** Sending to ORI.NO.CO.IP  port 6001 ....

Packet length = 160
02 0a 00 a0 16 83 b2 81 33 aa 76 f3 c4 8c bd f6
80 76 b9 ea 1a 3a 00 00 01 37 10 34 ed 16 5d 7f
0e 74 a1 73 03 45 9c 75 15 67 22 90 c7 3d b5 b1
71 60 1d ba be d4 29 00 42 83 18 62 b0 2f 61 c6
ca db b1 02 2d f4 76 4e 67 65 2c 98 f2 ea 1a 3a
00 00 01 37 11 34 87 c2 87 6c 05 9a 2e c2 87 c5
39 89 e5 45 73 57 63 e9 02 be 82 f2 21 84 ea 0d
f9 8e cc fd 4d 72 8e d9 4b 72 37 5e 55 e9 f7 65
87 79 8d 45 2d 79 46 99 4f 06 03 0b 00 04 50 12
9d 85 0f 55 3f ea 50 c9 85 db 50 75 01 92 67 ec
Code:       Access-Accept
Identifier: 10
Authentic:  5<1><0><0><211>p<0><0><234><127><0><0><252> <0><0>
Attributes:
    MS-MPPE-Send-Key = "<237><22>]<127><14>t<161>s<3>E<156>u<21>g"<144><199>=<181><177>q`<29><186><190><212>)<0>B<131><24>b<176>/a<198><202><219><177><2>-<244>vNge,<152><242><234>"
    MS-MPPE-Recv-Key = "<135><194><135>l<5><154>.<194><135><197>9<137><229>EsWc<233><2><190><130><242>!<132><234><13><249><142><204><253>Mr<142><217>Kr7^U<233><247>e<135>y<141>E-yF<153>"
    EAP-Message = <3><11><0><4>
    Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

log from windows xp 802.1x client:

[5584] 12:58:01:192: PeapReadConnectionData
[5584] 12:58:01:192: PeapReadUserData
[5584] 12:58:01:192: RasEapGetInfo
[5584] 12:58:01:192: PeapReDoUserData
[5584] 12:58:30:234: PeapReadConnectionData
[5584] 12:58:30:234: PeapReadUserData
[5584] 12:58:30:244: RasEapGetInfo
[5584] 12:58:30:244: PeapReDoUserData
[5584] 12:58:43:203: EapPeapBegin
[5584] 12:58:43:203: PeapReadConnectionData
[5584] 12:58:43:203: PeapReadUserData
[5584] 12:58:43:203:
[5584] 12:58:43:203: EapTlsBegin(wifitest)
[5584] 12:58:43:203: State change to Initial
[5584] 12:58:43:203: EapTlsBegin: Detected 8021X authentication
[5584] 12:58:43:203: EapTlsBegin: Detected PEAP authentication
[5584] 12:58:43:203: MaxTLSMessageLength is now 16384
[5584] 12:58:43:203: EapPeapBegin done
[5584] 12:58:43:203: EapPeapMakeMessage
[5584] 12:58:43:203: EapPeapCMakeMessage
[5584] 12:58:43:203: PEAP:PEAP_STATE_INITIAL
[5584] 12:58:43:203: EapTlsCMakeMessage
[5584] 12:58:43:203: EapTlsReset
[5584] 12:58:43:203: State change to Initial
[5584] 12:58:43:203: GetCredentials
[5584] 12:58:43:203: Flag is Client and Store is Current User
[5584] 12:58:43:203: GetCachedCredentials
[5584] 12:58:43:203: PEAP GetCachedCredentials: Using cached credentials.
[5584] 12:58:43:203: MakeReplyMessage
[5584] 12:58:43:203: SecurityContextFunction
[5584] 12:58:43:243: InitializeSecurityContext returned 0x90312
[5584] 12:58:43:243: State change to SentHello
[5584] 12:58:43:243: BuildPacket
[5584] 12:58:43:243: << Sending Response (Code: 2) packet: Id: 4, Length: 80, Type: 13, TLS blob length: 70. Flags: L
[5584] 12:58:43:243: EapPeapCMakeMessage done
[5584] 12:58:43:243: EapPeapMakeMessage done
[5584] 12:58:43:263: EapPeapMakeMessage
[5584] 12:58:43:263: EapPeapCMakeMessage
[5584] 12:58:43:263: PEAP:PEAP_STATE_TLS_INPROGRESS
[5584] 12:58:43:263: EapTlsCMakeMessage
[5584] 12:58:43:263: MakeReplyMessage
[5584] 12:58:43:263: Reallocating input TLS blob buffer
[5584] 12:58:43:263: BuildPacket
[5584] 12:58:43:263: << Sending Response (Code: 2) packet: Id: 5, Length: 6, Type: 13, TLS blob length: 0. Flags:
[5584] 12:58:43:263: EapPeapCMakeMessage done
[5584] 12:58:43:263: EapPeapMakeMessage done
[5584] 12:58:43:323: EapPeapMakeMessage
[5584] 12:58:43:323: EapPeapCMakeMessage
[5584] 12:58:43:323: PEAP:PEAP_STATE_TLS_INPROGRESS
[5584] 12:58:43:323: EapTlsCMakeMessage
[5584] 12:58:43:323: MakeReplyMessage
[5584] 12:58:43:323: BuildPacket
[5584] 12:58:43:323: << Sending Response (Code: 2) packet: Id: 6, Length: 6, Type: 13, TLS blob length: 0. Flags:
[5584] 12:58:43:323: EapPeapCMakeMessage done
[5584] 12:58:43:323: EapPeapMakeMessage done
[5584] 12:58:43:333: EapPeapMakeMessage
[5584] 12:58:43:333: EapPeapCMakeMessage
[5584] 12:58:43:333: PEAP:PEAP_STATE_TLS_INPROGRESS
[5584] 12:58:43:333: EapTlsCMakeMessage
[5584] 12:58:43:333: MakeReplyMessage
[5584] 12:58:43:333: SecurityContextFunction
[5584] 12:58:43:393: InitializeSecurityContext returned 0x90312
[5584] 12:58:43:393: State change to SentFinished
[5584] 12:58:43:393: BuildPacket
[5584] 12:58:43:393: << Sending Response (Code: 2) packet: Id: 7, Length: 199, Type: 13, TLS blob length: 189. Flags: L
[5584] 12:58:43:393: EapPeapCMakeMessage done
[5584] 12:58:43:393: EapPeapMakeMessage done
[5584] 12:58:43:413: EapPeapMakeMessage
[5584] 12:58:43:413: EapPeapCMakeMessage
[5584] 12:58:43:413: PEAP:PEAP_STATE_TLS_INPROGRESS
[5584] 12:58:43:413: EapTlsCMakeMessage
[5584] 12:58:43:413: MakeReplyMessage
[5584] 12:58:43:413: SecurityContextFunction
[5584] 12:58:43:413: InitializeSecurityContext returned 0x0
[5584] 12:58:43:413: AuthenticateServer
[5584] 12:58:43:413: CreateMPPEKeyAttributes
[5584] 12:58:43:413: State change to RecdFinished
[5584] 12:58:43:413: BuildPacket
[5584] 12:58:43:413: << Sending Response (Code: 2) packet: Id: 8, Length: 6, Type: 13, TLS blob length: 0. Flags:
[5584] 12:58:43:413: EapPeapCMakeMessage done
[5584] 12:58:43:413: EapPeapMakeMessage done
[5584] 12:58:43:423: EapPeapMakeMessage
[5584] 12:58:43:423: EapPeapCMakeMessage
[5584] 12:58:43:423: PEAP:PEAP_STATE_TLS_INPROGRESS
[5584] 12:58:43:423: EapTlsCMakeMessage
[5584] 12:58:43:423: Negotiation successful
[5584] 12:58:43:423: PeapGetTunnelProperties
[5584] 12:58:43:423: Successfully negotiated TLS with following parameters dwProtocol = 0x80, Cipher= 0x6801, CipherStrength=0x80,Hash=0x8003
[5584] 12:58:43:423: PeapGetTunnelProperties done
[5584] 12:58:43:423: PeapClientDecryptTunnelData
[5584] 12:58:43:423: IsDuplicatePacket
[5584] 12:58:43:423: PeapDecryptTunnelData dwSizeofData = 0x16, pData = 0x4261ff4
[5584] 12:58:43:423: PeapDecryptTunnelData completed with status 0x0
[5584] 12:58:43:423: PeapEncryptTunnelData
[5584] 12:58:43:423: PeapEncryptTunnelData completed with status 0x0
[5584] 12:58:43:423: EapPeapCMakeMessage done
[5584] 12:58:43:423: EapPeapMakeMessage done
[5584] 12:58:43:483: EapPeapMakeMessage
[5584] 12:58:43:483: EapPeapCMakeMessage
[5584] 12:58:43:483: PEAP:PEAP_STATE_IDENTITY_RESPONSE_SENT
[5584] 12:58:43:483: PeapClientDecryptTunnelData
[5584] 12:58:43:483: IsDuplicatePacket
[5584] 12:58:43:483: PeapDecryptTunnelData dwSizeofData = 0x38, pData = 0x4261ff4
[5584] 12:58:43:483: PeapDecryptTunnelData completed with status 0x0
[5584] 12:58:43:483: PeapEncryptTunnelData
[5584] 12:58:43:483: PeapEncryptTunnelData completed with status 0x0
[5584] 12:58:43:483: EapPeapCMakeMessage done
[5584] 12:58:43:483: EapPeapMakeMessage done
[5584] 12:58:43:503: EapPeapMakeMessage
[5584] 12:58:43:503: EapPeapCMakeMessage
[5584] 12:58:43:503: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[5584] 12:58:43:503: PeapClientDecryptTunnelData
[5584] 12:58:43:503: IsDuplicatePacket
[5584] 12:58:43:503: PeapDecryptTunnelData dwSizeofData = 0x4e, pData = 0x4261ff4
[5584] 12:58:43:503: PeapDecryptTunnelData completed with status 0x0
[5584] 12:58:43:503: PeapEncryptTunnelData
[5584] 12:58:43:503: PeapEncryptTunnelData completed with status 0x0
[5584] 12:58:43:503: EapPeapCMakeMessage done
[5584] 12:58:43:503: EapPeapMakeMessage done
[5584] 12:58:43:513: EapPeapMakeMessage
[5584] 12:58:43:513: EapPeapCMakeMessage
[5584] 12:58:43:513: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[5584] 12:58:43:513: PeapClientDecryptTunnelData
[5584] 12:58:43:513: IsDuplicatePacket
[5584] 12:58:43:513: PeapDecryptTunnelData dwSizeofData = 0x20, pData = 0x4261ff4
[5584] 12:58:43:513: PeapDecryptTunnelData completed with status 0x0
[5584] 12:58:43:513: GetPEAPTLVStatusMessageValue
[5584] 12:58:43:523: CreatePEAPTLVStatusMessage
[5584] 12:58:43:523: PeapEncryptTunnelData
[5584] 12:58:43:523: PeapEncryptTunnelData completed with status 0x0
[5584] 12:58:43:523: EapPeapCMakeMessage done
[5584] 12:58:43:523: EapPeapMakeMessage done
[5584] 12:58:43:533: EapPeapMakeMessage
[5584] 12:58:43:533: EapPeapCMakeMessage
[5584] 12:58:43:533: PEAP:PEAP_STATE_PEAP_SUCCESS_SEND
[5584] 12:58:43:533: We got a EAP_failure after we got a PEAP_SUCCESS. Failing auth.
[5584] 12:58:43:533: EapPeapCMakeMessage done
[5584] 12:58:43:533: EapPeapMakeMessage done
[5584] 12:59:43:349: EapPeapEnd
[5584] 12:59

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
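The Access-Accept from the Radiator trace above, decoded by a small RADIUS parser, together with the RFC 2869 Message-Authenticator check behind a "Bad EAP Message-Authenticator" warning; this is an added example, not Radiator code and not from the thread. The shared secret is not on the page (XXXXX), so the captured packet is only parsed, and the HMAC check is exercised on a constructed packet with a made-up secret.

```python
import hashlib
import hmac
import struct

# Access-Accept from the Radiator trace above (160 bytes, copied from the hex dump).
ACCEPT = bytes.fromhex(
    "020a00a01683b28133aa76f3c48cbdf68076b9ea1a3a000001371034ed165d7f"
    "0e74a17303459c7515672290c73db5b171601dbabed4290042831862b02f61c6"
    "cadbb1022df4764e67652c98f2ea1a3a00000137113487c2876c059a2ec287c5"
    "3989e545735763e902be82f22184ea0df98eccfd4d728ed94b72375e55e9f765"
    "87798d452d7946994f06030b000450129d850f553fea50c985db5075019267ec")
VENDOR_SPECIFIC, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 26, 79, 80

def parse_radius(pkt):
    # Returns (code, id, authenticator, [(type, value)]). A Vendor-Specific value is
    # unpacked to (vendor_id, vendor_type, vendor_value): (311, 16, ...) is MS-MPPE-Send-Key.
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:  # refuse bad framing instead of looping on it
            raise ValueError("malformed attribute at offset %d" % pos)
        value = pkt[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            value = (vendor, vtype, value[6:4 + vlen])
        attrs.append((atype, value))
        pos += alen
    return code, ident, pkt[4:20], attrs

def message_authenticator(pkt, secret, request_authenticator=None):
    # HMAC-MD5 over the packet with Message-Authenticator zeroed (RFC 2869 5.14). For an
    # Access-Accept/Reject/Challenge the Request Authenticator replaces octets 4..19.
    parse_radius(pkt)  # validate framing before walking the attributes below
    buf = bytearray(pkt)
    if request_authenticator is not None:
        buf[4:20] = request_authenticator
    pos = 20
    while pos < len(buf):
        if buf[pos] == MESSAGE_AUTHENTICATOR:
            buf[pos + 2:pos + buf[pos + 1]] = bytes(buf[pos + 1] - 2)
        pos += buf[pos + 1]
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def verify_message_authenticator(pkt, secret, request_authenticator=None):
    # The check that a mismatched shared secret turns into "Bad EAP Message-Authenticator".
    found = [v for t, v in parse_radius(pkt)[3] if t == MESSAGE_AUTHENTICATOR]
    return bool(found) and hmac.compare_digest(found[0], message_authenticator(pkt, secret, request_authenticator))
```

Parsing the captured packet shows EAP-Message = 03 0b 00 04 (EAP Success, id 11) followed by both MS-MPPE keys, which is what the Windows log's PEAP_SUCCESS corresponds to; the later EAP failure is not in anything Radiator sent.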





