Hi all, I have a problem with EAP TTLS authentication. My current configuration file is as follows:
<SessionDatabase SQL>
        Identifier Employee
        DBSource dbi:Pg:dbname=%{GlobalVar:dbname};host=%{GlobalVar:host};port=%{GlobalVar:port}
        DBUsername %{GlobalVar:dbusername}
        FailureBackoffTime 2
        Timeout 10
        AddQuery ………….
        DeleteQuery begin work; \
                ……………...
        ClearNasQuery ……….
</SessionDatabase>

<Realm DEFAULT>
        SessionDatabase Employee
        PreProcessingHook sub { \
                my $p = ${$_[0]};\
                my $aref = $p->{Client}->{DupCacheOrder}[0]->{Attributes};\
                my %h ;\
                foreach my $pair ( @$aref ) { $h{$pair->[0]} = $pair->[1] } ;\
                ${$_[0]}->add_attr('Threshold',80000);\
                ${$_[0]}->add_attr('Interim-Update',300);\
        }
        <AuthBy SQL>
                DBSource dbi:Pg:dbname=%{GlobalVar:dbname};host=%{GlobalVar:host};port=%{GlobalVar:port}
                DBUsername %{GlobalVar:dbusername}
                FailureBackoffTime 2
                NoDefault
                Timeout 10
                AuthSelect SELECT ……………..
                AuthColumnDef 0, User-Password, check
                AuthColumnDef 1, User-Name, check
                AuthColumnDef 2, Max-Daily-Session, check
                AuthColumnDef 3, Session-Timeout, reply
                AuthColumnDef 4, WISPr-Bandwidth-Max-Down, reply
                AuthColumnDef 5, WISPr-Bandwidth-Max-Up, reply
                AuthColumnDef 6, Idle-Timeout, reply
                AuthColumnDef 7, ChilliSpot-Bandwidth-Max-Up, reply
                AuthColumnDef 8, ChilliSpot-Bandwidth-Max-Down, reply
                AcctTotalSinceQuery ………….
                HandleAcctStatusTypes Start, Alive, Stop
                AcctSQLStatement …...
                AcctSQLStatement ….
                AcctSQLStatement DELETE FROM RADONLINE WHERE USERMAC= '%{Calling-Station-Id}' AND NASID ='%{NAS-Identifier}' AND 'Stop' ='%{Acct-Status-Type}'
                EAPType TTLS
                EAPTLS_PrivateKeyPassword ************
                EAPTLS_CAFile /usr/local/etc/radiator/%{GlobalVar:nodename}/cert/DigiCertCA.crt
                EAPTLS_CertificateFile /usr/local/etc/radiator/%{GlobalVar:nodename}/cert/hotspot.crt
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /usr/local/etc/radiator/%{GlobalVar:nodename}/cert/priv.pem
                EAPTLS_MaxFragmentSize 1000
                EAPTTLS_NoAckRequired
                AutoMPPEKeys
        </AuthBy>
</Realm>

Radiator log file:

Fri May 8 13:16:56 2015 309744: DEBUG: Packet dump:
*** Received from 217.124.187.38 port 49158 ....
Packet length = 220
Code:       Access-Request
Identifier: 16
Authentic:  (<193><136><154>B<230><202>)<14>51<139>D]\<181>
Attributes:
        User-Name = "marques"
        NAS-IP-Address = 217.124.187.38
        NAS-Port = 0
        NAS-Identifier = "9C-1C-12-CE-41-CC"
        NAS-Port-Type = Wireless-IEEE-802-11
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = <2><1><0><12><1>marques
        Aruba-Essid-Name = "Empleados_SILAN"
        Aruba-Location-Id = "9c:1c:12:ce:41:cc"
        Aruba-AP-Group = "instant-CE:41:CC"
        Message-Authenticator = <232><23>P<136>"h<10>lg<h?<249><193><193><163>
        Called-Station-Id = "9C-1C-12-CE-41-CC"
        Calling-Station-Id = "04_46_65_66_D6_0D"

Fri May 8 13:16:56 2015 310184: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Fri May 8 13:16:56 2015 310483: DEBUG: Employee Deleting session for marques, 217.124.187.38, 0
Fri May 8 13:16:56 2015 311407: DEBUG: do query to 'dbi:Pg:dbname=radius;host=silandb;port=5432': 'begin work; INSERT INTO DEVICES(MAC,DEVICEMODEL,DEVICEOS,PASSWORD,LOCALE,CREATED,MODIFIED) VALUES(COALESCE(NULLIF('04_46_65_66_D6_0D',''),''),1,1,RANDOM_STRING(24),'s:2:"es"',EXTRACT(EPOCH FROM NOW())::INT,EXTRACT(EPOCH FROM NOW())::INT); INSERT INTO DEVICES_LOCATIONS(MAC,LOCATIONID,CREATED,MODIFIED) VALUES(COALESCE(NULLIF('04_46_65_66_D6_0D',''),''),(SELECT r.LOCATION FROM ROUTERS r WHERE r.NASID = COALESCE(NULLIF('9C-1C-12-CE-41-CC',''),'')),EXTRACT(EPOCH FROM NOW())::INT,EXTRACT(EPOCH FROM NOW())::INT); INSERT INTO SESSIONS_TIME(MAC,USERID,LOCATIONID,DOMAIN,EXTRATIME,CONSUMEDTIME,CREATED,EXPIRATIONDATE,LASTUPDATE) VALUES(COALESCE(NULLIF('04_46_65_66_D6_0D',''),''),'marques', (SELECT r.LOCATION FROM ROUTERS r WHERE r.NASID = COALESCE(NULLIF('9C-1C-12-CE-41-CC',''),'')),'Connect_Employee', (SELECT wup.SESSIONTIMEOUT FROM WIFI_USERS wu JOIN WIFI_USER_PROFILES wup ON wup.NETWORKID = wu.NETWORKID AND wup.PROFILE = wu.PROFILE WHERE wu.USERNAME = 'marques'), 0,EXTRACT(EPOCH FROM NOW())::INT,EXTRACT(EPOCH FROM NOW())::INT+(SELECT wup.EXPIRATIONTIMEOUT FROM WIFI_USERS wu JOIN WIFI_USER_PROFILES wup ON wup.NETWORKID = wu.NETWORKID AND wup.PROFILE = wu.PROFILE WHERE wu.USERNAME = 'marques'),EXTRACT(EPOCH FROM NOW())::INT); commit work':
Fri May 8 13:16:56 2015 316806: DEBUG: Handling with Radius::AuthSQL:
Fri May 8 13:16:56 2015 317011: DEBUG: Handling with Radius::AuthSQL:
Fri May 8 13:16:56 2015 317246: DEBUG: Handling with EAP: code 2, 1, 12, 1
Fri May 8 13:16:56 2015 317398: DEBUG: Response type 1
Fri May 8 13:16:56 2015 317728: DEBUG: EAP result: 3, EAP TTLS Challenge
Fri May 8 13:16:56 2015 317876: DEBUG: AuthBy SQL result: CHALLENGE, EAP TTLS Challenge
Fri May 8 13:16:56 2015 318035: DEBUG: Access challenged for marques: EAP TTLS Challenge
Fri May 8 13:16:56 2015 318518: DEBUG: Packet dump:
*** Sending to 217.124.187.38 port 49158 ....
Packet length = 46
0b 10 00 2e 09 b8 9a dd 63 6e 8c 6a f6 b4 2f 6f
bb e9 04 86 4f 08 01 02 00 06 15 20 50 12 ae 8a
fc fd 95 f0 0d 43 af 9f 41 30 07 e6 4d 2b
Code:       Access-Challenge
Identifier: 16
Authentic:  <9><184><154><221>cn<140>j<246><180>/o<187><233><4><134>
Attributes:
        EAP-Message = <1><2><0><6><21>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

The problem is that in the Radiator log I am only seeing the Access-Request and one Access-Challenge packet; somehow the challenge stops. Could you please tell me what I am missing or how I can fix it?

Regards,
Bengi Saglam
_______________________________________________ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
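Added example, not from the post or from Radiator itself: a small Python decoder for EAP-Message values in the form Radiator prints them, applied to the two messages in the log above. It assumes the trailing TTLS flags byte 0x20 of the server's message, which the hex dump shows (`... 15 20 ...`) but which Radiator prints as a literal space, so it is invisible in the log line; decoding shows the exchange ends at the server's EAP-TTLS Start, the point where the supplicant's first TLS Response is due.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP"}

# EAP-Message values as printed in the Radiator log above (constructed from the post).
CLIENT_IDENTITY = "<2><1><0><12><1>marques"
# Radiator prints printable bytes literally, so the TTLS flags byte 0x20 shows up as a
# space; the packet hex dump ("... 15 20 ...") confirms it is present. Assumed here.
SERVER_TTLS_START = "<1><2><0><6><21> "


def radiator_text_to_bytes(text: str) -> bytes:
    """Turn Radiator's <N>-for-non-printable notation back into raw bytes."""
    out = bytearray()
    for tok in re.finditer(r"<(\d+)>|(.)", text, re.S):
        out.append(int(tok.group(1)) if tok.group(1) is not None else ord(tok.group(2)))
    return bytes(out)


def decode_eap(msg: bytes) -> dict:
    """Parse an EAP header (RFC 3748) and, for TLS-based methods, the flags byte."""
    if len(msg) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError(f"EAP Length field {length} != {len(msg)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if len(msg) < 5:
            raise ValueError("Request/Response needs a Type byte")
        eap_type = msg[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        payload = msg[5:]
        if eap_type == 1:
            info["identity"] = payload.decode("ascii", "replace")
        elif eap_type in (13, 21, 25):
            if not payload:
                raise ValueError("TLS-based EAP needs a flags byte")
            flags = payload[0]  # bits: L (length present), M (more fragments), S (start), version
            info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
            info["version"] = flags & 0x07
            info["tls_data_len"] = len(payload) - 1 - (4 if flags & 0x80 else 0)
    return info


def expected_reply(request: dict) -> dict:
    """A Request must be answered by a Response with the same Identifier and (barring a Nak)
    the same Type; after TTLS Start that Response carries the TLS ClientHello."""
    return {"code": "Response", "id": request["id"], "type": request["type"]}
```

Feeding the log's `<1><2><0><6><21>` without the trailing space raises a length mismatch, which is how the decoder surfaces the byte the log display drops.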