Re: (RADIATOR) Re: cant connect Win XP to Orinoco AP-2000 via 802.1x (continue)

2003-09-11 Thread Pavel Paprok
Hmm maybe is problem in too new firmware in my units.
I tell Proxim technicians let they try also test latest firmware 2.3.1 on their
office when 2.2.2 have a working, I don't want to spend time by
trying old Proxim firmware, latest firmware should always work best,
it's not my problem, I will wait for their response if problem is in firmware
occasionally.

P.

Bret Jordan wrote:

We have Proxim AP2000s working with PEAP in a limited area.  It does
work with Radiator, it's just a pain.

Bret

Mike McCauley wrote:

Hello Pavel,

On Mon, 8 Sep 2003 09:50 pm, Pavel Paprok wrote:
 

Today I got answer from technicians from Proxim, they are using
in own office AP-2000 fw v.2.2.2 and 2.1.3 with EAP-PEAP without 
problems.
But are not using Radiator radius because is not RFC 2285/2866 
compliant.
  


2285 is 'Benchmarking Terminology for LAN Switching Devices'
not compliant :-)
Prob you mean 2865 and 2866.
It's compliant.
Have you tested against an AP that is configured correctly and known 
to work? I still think there may be a configuration problem with the 
AP you tested with.

 

Has a Radiator some RFC compliance problem? And can it be a cause?
  
No.

Cheers.

 

P.

Pavel Paprok wrote:
  

Mike McCauley wrote:


Hello Pavel,

On Sat, 23 Aug 2003 01:01 am, Pavel Paprok wrote:
  

Mike McCauley wrote:


Hello Pavel,

On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:
  

Mike McCauley wrote:


On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:
  

Hallo,

I am trying to get work wifi access point Orinoco/Proxim AP-2000
with
802.1x EAP/PEAP user auth by Radiator:
- Radiator 3.6 eval version RPM on RedHat 9, configured for
EAP/PEAP
with demo certificates.
- Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
- Test client is notebook Dell with Win XP (all patches 
applied),
wireless card Orinoco Silver
and/or builtin Intel Pro/WirelessLAN 2100 3A

After all known install and config issues I meet (described 
in FAQ,
archive and UtahGeeks) I moved to status where
user is authenticated OK and radius send Access-Accept. But
its last
info from radius log, no real connection follows, no accounting
on log.
Especially basic UtahGeeks config of Access point is pretty
closed to
our config, but unfortunately there are not published Radiator
configuration so here maybe I have a problem. Or problem is in
using
different wifi client?   Please help me somebody where is a
problem?

That sounds a lot like the client is not configured to expect a
dynamic
WEP key, but your Radiator is configured to send them to the AP.
Check the 'WEP key will be provided for me' option in your client
configuration.
  
of course, as I have written below in Windows XP client config:

- Key is provided for me automatically ON
yesterday i also turn on eap tracing in WinXP, see log below,
interesting
is last line:
We got a EAP_failure after we got a PEAP_SUCCESS.  Failing auth.

...I don't know what it means.

That is very curious, since the last thing sent by Radiator is
clearly an EAP Success.
Perhaps the EAP Failure is being sent by the AP?
I wonder if your AP needs some configuration so that it will 
support
dynamic WEP?

Cheers.
  
I just try to use AP Signamax 22Mbps in 802.1x with same radiator 
and
windows xp client configuration
and client connected ok! So there should be no general 
problem with
client and radius configuration,
problem is likely in Avaya or its configuration. Or in EAP
compatibility
of Avaya?

Sounds like the problem is there.
We found when we tested the  Orinoco AP-2000 here that you had to
have the _latest_ firmware installed else it would not work properly.
see the Radiator FAQ for more details.
http://www.open.com.au/radiator/faq.html
  

I noted that I must set a IgnoreAcctSignature  option to yes for
Avaya or I get Bad EAP Message-Authenticator warnings in log 
and auth
failed. Signamax works ok both with or without this option maybe
there is a start of problems?

Sounds like there is a shared secret problem between Radiator and the
Avaya?
  
I think that in this case should not accepted any
radius packet from other side for processing and there
should be no communication and request/reply exchange
at all.  Or is it not true?
P.



Are there some AddToReply which I would try to add to reply for 
Avaya?
Have Avaya AP-2000 working with 802.1x somebody to help me with
configuration? Article in FAQ
about it does not help me, I don't know where is mistake so exact AP
configure dump of real working device welcomed.

Cheers.

  

Pavel



Pavel



Cheers.

  

My configuration:

--   users --
wifitest    User-Password=wifi
    Session-Timeout=60
--   radius.cfg --
AuthPort    1812
AcctPort    1813
LogStdout
LogDir  /var/log/radius
DbDir   /etc/radiator
Trace   5

<Client XXX.XXX.XXX.XXX>
   Secret  X
   Identifier  

Re: (RADIATOR) Re: cant connect Win XP to Orinoco AP-2000 via 802.1x (continue)

2003-09-11 Thread Bret Jordan
We are actually running the Avaya 2.2.4 code on our Proxim2000 APs..

Bret

Pavel Paprok wrote:

Hmm maybe is problem in too new firmware in my units.
I tell Proxim technicians let they try also test latest firmware 2.3.1 on their
office when 2.2.2 have a working, I don't want to spend time by
trying old Proxim firmware, latest firmware should always work best,
it's not my problem, I will wait for their response if problem is in firmware
occasionally.

P.

Bret Jordan wrote:

We have Proxim AP2000s working with PEAP in a limited area.  It does
work with Radiator, it's just a pain.

Bret

Mike McCauley wrote:

Hello Pavel,

On Mon, 8 Sep 2003 09:50 pm, Pavel Paprok wrote:
 

Today I got answer from technicians from Proxim, they are using
in own office AP-2000 fw v.2.2.2 and 2.1.3 with EAP-PEAP without 
problems.
But are not using Radiator radius because is not RFC 2285/2866 
compliant.
  


2285 is 'Benchmarking Terminology for LAN Switching Devices'
not compliant :-)
Prob you mean 2865 and 2866.
It's compliant.
Have you tested against an AP that is configured correctly and known 
to work? I still think there may be a configuration problem with the 
AP you tested with.

 

Has a Radiator some RFC compliance problem? And can it be a cause?
  


No.

Cheers.

 

P.

Pavel Paprok wrote:
 

Mike McCauley wrote:
   

Hello Pavel,

On Sat, 23 Aug 2003 01:01 am, Pavel Paprok wrote:
 

Mike McCauley wrote:
   

Hello Pavel,

On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:
 

Mike McCauley wrote:
   

On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:
 

Hallo,

I am trying to get work wifi access point Orinoco/Proxim 
AP-2000
with
802.1x EAP/PEAP user auth by Radiator:
- Radiator 3.6 eval version RPM on RedHat 9, configured for
EAP/PEAP
with demo certificates.
- Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
- Test client is notebook Dell with Win XP (all patches 
applied),
wireless card Orinoco Silver
and/or builtin Intel Pro/WirelessLAN 2100 3A

After all known install and config issues I meet (described 
in FAQ,
archive and UtahGeeks) I moved to status where
user is authenticated OK and radius send Access-Accept. But
its last
info from radius log, no real connection follows, no accounting
on log.
Especially basic UtahGeeks config of Access point is pretty
closed to
our config, but unfortunately there are not published Radiator
configuration so here maybe I have a problem. Or problem is in
using
different wifi client?   Please help me somebody where is a
problem?



That sounds a lot like the client is not configured to expect a
dynamic
WEP key, but your Radiator is configured to send them to the AP.
Check the 'WEP key will be provided for me' option in your 
client
configuration.
  


of course, as I have written below in Windows XP client config:

- Key is provided for me automatically ON
yesterday i also turn on eap tracing in WinXP, see log below,
interesting
is last line:
We got a EAP_failure after we got a PEAP_SUCCESS.  Failing 
auth.

...I don't know what it means.



That is very curious, since the last thing sent by Radiator is
clearly an EAP Success.
Perhaps the EAP Failure is being sent by the AP?
I wonder if your AP needs some configuration so that it will 
support
dynamic WEP?

Cheers.
  


I just try to use AP Signamax 22Mbps in 802.1x with same 
radiator and
windows xp client configuration
and client connected ok! So there should be no general 
problem with
client and radius configuration,
problem is likely in Avaya or its configuration. Or in EAP
compatibility
of Avaya?



Sounds like the problem is there.
We found when we tested the  Orinoco AP-2000 here that you had to
have the _latest_ firmware installed else it would not work 
properly.
see the Radiator FAQ for more details.
http://www.open.com.au/radiator/faq.html

 

I noted that I must set a IgnoreAcctSignature  option to yes 
for
Avaya or I get Bad EAP Message-Authenticator warnings in log 
and auth
failed. Signamax works ok both with or without this option 
maybe
there is a start of problems?



Sounds like there is a shared secret problem between Radiator and 
the
Avaya?
  


I think that in this case should not accepted any
radius packet from other side for processing and there
should be no communication and request/reply exchange
at all.  Or is it not true?
P.

   

Are there some AddToReply which I would try to add to reply for 
Avaya?
Have Avaya AP-2000 working with 802.1x somebody to help me with
configuration? Article in FAQ
about it does not help me, I don't know where is mistake so exact AP
configure dump of real working device welcomed.



Cheers.

 

Pavel

   

Pavel

   

Cheers.

 

My configuration:

--   users --
wifitest    User-Password=wifi
    Session-Timeout=60
--   radius.cfg --
AuthPort    1812
AcctPort    1813
LogStdout
LogDir  

Re: (RADIATOR) Re: cant connect Win XP to Orinoco AP-2000 via 802.1x (continue)

2003-09-10 Thread Bret Jordan
We have Proxim AP2000s working with PEAP in a limited area.  It does
work with Radiator, it's just a pain.

Bret

Mike McCauley wrote:

Hello Pavel,

On Mon, 8 Sep 2003 09:50 pm, Pavel Paprok wrote:
 

Today I got answer from technicians from Proxim, they are using
in own office AP-2000 fw v.2.2.2 and 2.1.3 with EAP-PEAP without problems.
But are not using Radiator radius because is not RFC 2285/2866 compliant.
   

2285 is 'Benchmarking Terminology for LAN Switching Devices'
not compliant :-)
Prob you mean 2865 and 2866.
It's compliant.
Have you tested against an AP that is configured correctly and known to work? 
I still think there may be a configuration problem with the AP you tested 
with.

 

Has a Radiator some RFC compliance problem? And can it be a cause?
   

No.

Cheers.

 

P.

Pavel Paprok wrote:
   

Mike McCauley wrote:
 

Hello Pavel,

On Sat, 23 Aug 2003 01:01 am, Pavel Paprok wrote:
   

Mike McCauley wrote:
 

Hello Pavel,

On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:
   

Mike McCauley wrote:
 

On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:
   

Hallo,

I am trying to get work wifi access point Orinoco/Proxim AP-2000
with
802.1x EAP/PEAP user auth by Radiator:
- Radiator 3.6 eval version RPM on RedHat 9, configured for
EAP/PEAP
with demo certificates.
- Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
- Test client is notebook Dell with Win XP (all patches applied),
wireless card Orinoco Silver
and/or builtin Intel Pro/WirelessLAN 2100 3A
After all known install and config issues I meet (described in FAQ,
archive and UtahGeeks) I moved to status where
user is authenticated OK and radius send Access-Accept. But
its last
info from radius log, no real connection follows, no accounting
on log.
Especially basic UtahGeeks config of Access point is pretty
closed to
our config, but unfortunately there are not published Radiator
configuration so here maybe I have a problem. Or problem is in
using
different wifi client?   Please help me somebody where is a
problem?
 

That sounds a lot like the client is not configured to expect a
dynamic
WEP key, but your Radiator is configured to send them to the AP.
Check the 'WEP key will be provided for me' option in your client
configuration.
   

of course, as I have written below in Windows XP client config:

- Key is provided for me automatically ON
yesterday i also turn on eap tracing in WinXP, see log below,
interesting
is last line:
We got a EAP_failure after we got a PEAP_SUCCESS.  Failing auth.

...I don't know what it means.
 

That is very curious, since the last thing sent by Radiator is
clearly an EAP Success.
Perhaps the EAP Failure is being sent by the AP?
I wonder if your AP needs some configuration so that it will support
dynamic WEP?
Cheers.
   

I just try to use AP Signamax 22Mbps in 802.1x with same radiator and
windows xp client configuration
and client connected ok! So there should be no general problem with
client and radius configuration,
problem is likely in Avaya or its configuration. Or in EAP
compatibility
of Avaya?
 

Sounds like the problem is there.
We found when we tested the  Orinoco AP-2000 here that you had to
have the _latest_ firmware installed else it would not work properly.
see the Radiator FAQ for more details.
http://www.open.com.au/radiator/faq.html
   

I noted that I must set a IgnoreAcctSignature  option to yes for
Avaya or I get Bad EAP Message-Authenticator warnings in log and auth
failed. Signamax works ok both with or without this option maybe
there is a start of problems?
 

Sounds like there is a shared secret problem between Radiator and the
Avaya?
   

I think that in this case should not accepted any
radius packet from other side for processing and there
should be no communication and request/reply exchange
at all.  Or is it not true?
P.

 

Are there some AddToReply which I would try to add to reply for Avaya?
Have Avaya AP-2000 working with 802.1x somebody to help me with
configuration? Article in FAQ
about it does not help me, I don't know where is mistake so exact AP
configure dump of real working device welcomed.
 

Cheers.

   

Pavel

 

Pavel

 

Cheers.

   

My configuration:

--   users --
wifitest    User-Password=wifi
    Session-Timeout=60
--   radius.cfg --
AuthPort    1812
AcctPort    1813
LogStdout
LogDir  /var/log/radius
DbDir   /etc/radiator
Trace   5

<Client XXX.XXX.XXX.XXX>
    Secret  X
    Identifier  wifi-testnet
    IgnoreAcctSignature yes
</Client>
# now core config from eap_peap.cfg example:
<Handler TunnelledByPEAP=1>
    AcctLogFileName %L/detail
    <AuthBy FILE>
        Filename %D/users
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile 

Re: (RADIATOR) Re: cant connect Win XP to Orinoco AP-2000 via 802.1x (continue)

2003-09-08 Thread Mike McCauley
Hello Pavel,


On Mon, 8 Sep 2003 09:50 pm, Pavel Paprok wrote:
 Today I got answer from technicians from Proxim, they are using
 in own office AP-2000 fw v.2.2.2 and 2.1.3 with EAP-PEAP without problems.
 But are not using Radiator radius because is not RFC 2285/2866 compliant.

2285 is 'Benchmarking Terminology for LAN Switching Devices'
not compliant :-)

Prob you mean 2865 and 2866.
It's compliant.

Have you tested against an AP that is configured correctly and known to work? 
I still think there may be a configuration problem with the AP you tested 
with.


 Has a Radiator some RFC compliance problem? And can it be a cause?
No.

Cheers.


 P.

 Pavel Paprok wrote:
  Mike McCauley wrote:
  Hello Pavel,
 
  On Sat, 23 Aug 2003 01:01 am, Pavel Paprok wrote:
  Mike McCauley wrote:
  Hello Pavel,
 
  On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:
  Mike McCauley wrote:
  On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:
  Hallo,
 
  I am trying to get work wifi access point Orinoco/Proxim AP-2000
  with
  802.1x EAP/PEAP user auth by Radiator:
  - Radiator 3.6 eval version RPM on RedHat 9, configured for
  EAP/PEAP
  with demo certificates.
  - Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
  - Test client is notebook Dell with Win XP (all patches applied),
  wireless card Orinoco Silver
  and/or builtin Intel Pro/WirelessLAN 2100 3A
 
  After all known install and config issues I meet (described in FAQ,
  archive and UtahGeeks) I moved to status where
  user is authenticated OK and radius send Access-Accept. But
  its last
  info from radius log, no real connection follows, no accounting
  on log.
  Especially basic UtahGeeks config of Access point is pretty
  closed to
  our config, but unfortunately there are not published Radiator
  configuration so here maybe I have a problem. Or problem is in
  using
  different wifi client?   Please help me somebody where is a
  problem?
 
  That sounds a lot like the client is not configured to expect a
  dynamic
  WEP key, but your Radiator is configured to send them to the AP.
 
  Check the 'WEP key will be provided for me' option in your client
  configuration.
 
  of course, as I have written below in Windows XP client config:
 
  - Key is provided for me automatically ON
  yesterday i also turn on eap tracing in WinXP, see log below,
  interesting
  is last line:
 
  We got a EAP_failure after we got a PEAP_SUCCESS.  Failing auth.
 
  ...I don't know what it means.
 
  That is very curious, since the last thing sent by Radiator is
  clearly an EAP Success.
  Perhaps the EAP Failure is being sent by the AP?
 
  I wonder if your AP needs some configuration so that it will support
  dynamic WEP?
 
  Cheers.
 
  I just try to use AP Signamax 22Mbps in 802.1x with same radiator and
  windows xp client configuration
  and client connected ok! So there should be no general problem with
  client and radius configuration,
  problem is likely in Avaya or its configuration. Or in EAP
  compatibility
  of Avaya?
 
  Sounds like the problem is there.
  We found when we tested the  Orinoco AP-2000 here that you had to
  have the _latest_ firmware installed else it would not work properly.
  see the Radiator FAQ for more details.
  http://www.open.com.au/radiator/faq.html
 
  I noted that I must set a IgnoreAcctSignature  option to yes for
  Avaya or I get Bad EAP Message-Authenticator warnings in log and auth
  failed. Signamax works ok both with or without this option maybe
  there is a start of problems?
 
  Sounds like there is a shared secret problem between Radiator and the
  Avaya?
 
  I think that in this case should not accepted any
  radius packet from other side for processing and there
  should be no communication and request/reply exchange
  at all.  Or is it not true?
 
  P.
 
  Are there some AddToReply which I would try to add to reply for Avaya?
  Have Avaya AP-2000 working with 802.1x somebody to help me with
  configuration? Article in FAQ
  about it does not help me, I don't know where is mistake so exact AP
  configure dump of real working device welcomed.
 
  Cheers.
 
  Pavel
 
  Pavel
 
  Cheers.
 
  My configuration:
 
  --   users --
  wifitest    User-Password=wifi
      Session-Timeout=60

  --   radius.cfg --
  AuthPort    1812
  AcctPort    1813
  LogStdout
  LogDir  /var/log/radius
  DbDir   /etc/radiator
  Trace   5

  <Client XXX.XXX.XXX.XXX>
      Secret  X
      Identifier  wifi-testnet
      IgnoreAcctSignature yes
  </Client>
  # now core config from eap_peap.cfg example:
  <Handler TunnelledByPEAP=1>
      AcctLogFileName %L/detail
      <AuthBy FILE>
          Filename %D/users
          EAPType MSCHAP-V2
      </AuthBy>
  </Handler>
  <Handler>
      <AuthBy FILE>
          Filename %D/users
          EAPType PEAP
          EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
          EAPTLS_CertificateFile %D/certificates/cert-srv.pem
  

Re: (RADIATOR) Re: cant connect Win XP to Orinoco AP-2000 via 802.1x(continue)

2003-08-25 Thread Pavel Paprok
Bret Jordan wrote:



Mike McCauley wrote:

Hello Pavel,

On Sat, 23 Aug 2003 01:01 am, Pavel Paprok wrote:
 

Mike McCauley wrote:
  

Hello Pavel,

On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:


Mike McCauley wrote:
  

On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:


Hallo,

I am trying to get work wifi access point Orinoco/Proxim AP-2000 
with
802.1x EAP/PEAP user auth by Radiator:
- Radiator 3.6 eval version RPM on RedHat 9, configured for 
EAP/PEAP
with demo certificates.
- Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
- Test client is notebook Dell with Win XP (all patches applied),
wireless card Orinoco Silver
and/or builtin Intel Pro/WirelessLAN 2100 3A

After all known install and config issues I meet (described in FAQ,
archive and UtahGeeks) I moved to status where
user is authenticated OK and radius send Access-Accept. But 
its last
info from radius log, no real connection follows, no accounting 
on log.
Especially basic UtahGeeks config of Access point is pretty 
closed to
our config, but unfortunately there are not published Radiator
configuration so here maybe I have a problem. Or problem is in 
using
different wifi client?   Please help me somebody where is a 
problem?
  
That sounds a lot like the client is not configured to expect a 
dynamic
WEP key, but your Radiator is configured to send them to the AP.

Check the 'WEP key will be provided for me' option in your client
configuration.

of course, as I have written below in Windows XP client config:

- Key is provided for me automatically ON
yesterday i also turn on eap tracing in WinXP, see log below, 
interesting
is last line:

We got a EAP_failure after we got a PEAP_SUCCESS.  Failing auth.

...I don't know what it means.
  
That is very curious, since the last thing sent by Radiator is 
clearly an EAP Success.
Perhaps the EAP Failure is being sent by the AP?

I wonder if your AP needs some configuration so that it will support
dynamic WEP?
Cheers.

I just try to use AP Signamax 22Mbps in 802.1x with same radiator and
windows xp client configuration
and client connected ok! So there should be no general problem with
client and radius configuration,
problem is likely in Avaya or its configuration. Or in EAP 
compatibility
of Avaya?
  


Sounds like the problem is there.
We found when we tested the  Orinoco AP-2000 here that you had to 
have the _latest_ firmware installed else it would not work properly. 
see the Radiator FAQ for more details. 
http://www.open.com.au/radiator/faq.html

 

We have seen several problems with EAP-PEAP using the Proxim/Avaya
AP2000 product. Now that we have EAP-TTLS completely deployed we are
working on enabling PEAP for those users that absolutely refuse to use
a real 802.1x client. We will post all our EAP-TTLS and EAP-PEAP
configs on the utahgeeks.sourceforge.net site. We have also compiled a
lengthy list of cards that work and do not work with 802.1x; we will
be adding that to the site as well.

On another note, we have recently found a bug in the 2.2.2/2.2.4 code
for the AP-2000 that causes it not to send Accounting records to
Radiator correctly. The problem deals with, of all things, the
order that you enable radius accounting on the AP and is not a problem
with Radiator. I will be updating the AP configs to reflect the changes.

Bret


Hallo Bret,

thank you for next info about your network, at least your current 
information about installing radiator on RedHat9
was very fine and helps me in radiator install time!

today I send a mail to Proxim about problem so I looking for reply, 
maybe helps.

Pavel






 

I noted that I must set a IgnoreAcctSignature  option to yes for
Avaya or I get Bad EAP Message-Authenticator warnings in log and auth
failed. Signamax works ok both with or without this option maybe
there is a start of problems?
  


Sounds like there is a shared secret problem between Radiator and the 
Avaya?

 

Are there some AddToReply which I would try to add to reply for Avaya?
Have Avaya AP-2000 working with 802.1x somebody to help me with
configuration? Article in FAQ
about it does not help me, I don't know where is mistake so exact AP
configure dump of real working device welcomed.
  


Cheers.

 

Pavel

  

Pavel

  

Cheers.



My configuration:

--   users --
wifitest    User-Password=wifi
    Session-Timeout=60
--   radius.cfg --
AuthPort    1812
AcctPort    1813
LogStdout
LogDir  /var/log/radius
DbDir   /etc/radiator
Trace   5

<Client XXX.XXX.XXX.XXX>
    Secret  X
    Identifier  wifi-testnet
    IgnoreAcctSignature yes
</Client>
# now core config from eap_peap.cfg example:
<Handler TunnelledByPEAP=1>
    AcctLogFileName %L/detail
    <AuthBy FILE>
        Filename %D/users
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile 

Re: (RADIATOR) Re: cant connect Win XP to Orinoco AP-2000 via 802.1x(continue)

2003-08-25 Thread Pavel Paprok
Mike McCauley wrote:

Hello Pavel,

On Sat, 23 Aug 2003 01:01 am, Pavel Paprok wrote:
 

Mike McCauley wrote:
   

Hello Pavel,

On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:
 

Mike McCauley wrote:
   

On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:
 

Hallo,

I am trying to get work wifi access point Orinoco/Proxim AP-2000 with
802.1x EAP/PEAP user auth by Radiator:
- Radiator 3.6 eval version RPM on RedHat 9, configured for EAP/PEAP
with demo certificates.
- Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
- Test client is notebook Dell with Win XP (all patches applied),
wireless card Orinoco Silver
and/or builtin Intel Pro/WirelessLAN 2100 3A
After all known install and config issues I meet (described in FAQ,
archive and UtahGeeks) I moved to status where
user is authenticated OK and radius send Access-Accept. But its last
info from radius log, no real connection follows, no accounting on log.
Especially basic UtahGeeks config of Access point is pretty closed to
our config, but unfortunately there are not published Radiator
configuration so here maybe I have a problem. Or problem is in using
different wifi client?   Please help me somebody where is a problem?
   

That sounds a lot like the client is not configured to expect a dynamic
WEP key, but your Radiator is configured to send them to the AP.
Check the 'WEP key will be provided for me' option in your client
configuration.
 

of course, as I have written below in Windows XP client config:

- Key is provided for me automatically ON
yesterday i also turn on eap tracing in WinXP, see log below, interesting
is last line:
We got a EAP_failure after we got a PEAP_SUCCESS.  Failing auth.

...I don't know what it means.
   

That is very curious, since the last thing sent by Radiator is clearly an 
EAP Success.
Perhaps the EAP Failure is being sent by the AP?

I wonder if your AP needs some configuration so that it will support
dynamic WEP?
Cheers.
 

I just try to use AP Signamax 22Mbps in 802.1x with same radiator and
windows xp client configuration
and client connected ok! So there should be no general problem with
client and radius configuration,
problem is likely in Avaya or its configuration. Or in EAP compatibility
of Avaya?
   

Sounds like the problem is there.
We found when we tested the  Orinoco AP-2000 here that you had to have the 
_latest_ firmware installed else it would not work properly. see the Radiator 
FAQ for more details. http://www.open.com.au/radiator/faq.html



 

I noted that I must set a IgnoreAcctSignature  option to yes for
Avaya or I get Bad EAP Message-Authenticator warnings in log and auth
failed. Signamax works ok both with or without this option maybe
there is a start of problems?
   

Sounds like there is a shared secret problem between Radiator and the Avaya?
 

I think that in this case should not accepted any
radius packet from other side for processing and there
should be no communication and request/reply exchange
at all.  Or is it not true?
P.

 

Are there some AddToReply which I would try to add to reply for Avaya?
Have Avaya AP-2000 working with 802.1x somebody to help me with
configuration? Article in FAQ
about it does not help me, I don't know where is mistake so exact AP
configure dump of real working device welcomed.
   

Cheers.

 

Pavel

   

Pavel

   

Cheers.

 

My configuration:

--   users --
wifitest    User-Password=wifi
    Session-Timeout=60
--   radius.cfg --
AuthPort    1812
AcctPort    1813
LogStdout
LogDir  /var/log/radius
DbDir   /etc/radiator
Trace   5

<Client XXX.XXX.XXX.XXX>
    Secret  X
    Identifier  wifi-testnet
    IgnoreAcctSignature yes
</Client>
# now core config from eap_peap.cfg example:
<Handler TunnelledByPEAP=1>
    AcctLogFileName %L/detail
    <AuthBy FILE>
        Filename %D/users
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1024

        AutoMPPEKeys
        # i did try also
        #AddToReply  MS-MPPE-Encryption-Policy = Encryption-Allowed,\
        #   MS-MPPE-Encryption-Types  = Encryption-Any
        SSLeayTrace 4
    </AuthBy>
</Handler>
--  WinXP client configuration --

- Data encryption (WEP enabled)  ON
- Network Authentication (Shared mode) OFF
- Key is provided for me automatically ON
- Adhoc network OFF
- Enable 802.1x auth ON
- EAP type: PEAP
- Authenticate as computer OFF
- Authenticate as guest OFF
- Validate server certificate OFF
- Authentication method: EAP-MSCHAP v2 (automatically use Windows logon name OFF)
- Enable fast 

Re: (RADIATOR) Re: cant connect Win XP to Orinoco AP-2000 via 802.1x(continue)

2003-08-22 Thread Pavel Paprok
Mike McCauley wrote:

Hello Pavel,

On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:
 

Mike McCauley wrote:
   

On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:
 

Hallo,

I am trying to get work wifi access point Orinoco/Proxim AP-2000 with
802.1x EAP/PEAP user auth by Radiator:
- Radiator 3.6 eval version RPM on RedHat 9, configured for EAP/PEAP
with demo certificates.
- Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
- Test client is notebook Dell with Win XP (all patches applied),
wireless card Orinoco Silver
and/or builtin Intel Pro/WirelessLAN 2100 3A
After all known install and config issues I meet (described in FAQ,
archive and UtahGeeks) I moved to status where
user is authenticated OK and radius send Access-Accept. But its last
info from radius log, no real connection follows, no accounting on log.
Especially basic UtahGeeks config of Access point is pretty closed to
our config, but unfortunately there are not published Radiator
configuration so here maybe I have a problem. Or problem is in using
different wifi client?   Please help me somebody where is a problem?
   

That sounds a lot like the client is not configured to expect a dynamic
WEP key, but your Radiator is configured to send them to the AP.
Check the 'WEP key will be provided for me' option in your client
configuration.
 

of course, as I have written below in Windows XP client config:

- Key is provided for me automatically ON
yesterday i also turn on eap tracing in WinXP, see log below, interesting
is last line:
We got a EAP_failure after we got a PEAP_SUCCESS.  Failing auth.

...I don't know what it means.
   

That is very curious, since the last thing sent by Radiator is clearly an  EAP 
Success.
Perhaps the EAP Failure is being sent by the AP?

I wonder if your AP needs some configuration so that it will support dynamic 
WEP?

Cheers.
 

I just try to use AP Signamax 22Mbps in 802.1x with same radiator and 
windows xp client configuration
and client connected ok! So there should be no general problem with 
client and radius configuration,
problem is likely in Avaya or its configuration. Or in EAP compatibility 
of Avaya?

I noted that I must set a IgnoreAcctSignature  option to yes for 
Avaya or I get Bad EAP Message-Authenticator warnings in log and auth 
failed. Signamax works ok both with or without this option maybe 
there is a start of problems?
Are there some AddToReply which I would try to add to reply for Avaya?
Have Avaya AP-2000 working with 802.1x somebody to help me with 
configuration? Article in FAQ
about it does not help me, I don't know where is mistake so exact AP
configure dump of real working device welcomed.

Pavel

 

Pavel

   

Cheers.

 

My configuration:

--   users --
wifitest    User-Password=wifi
    Session-Timeout=60
--   radius.cfg --
AuthPort    1812
AcctPort    1813
LogStdout
LogDir  /var/log/radius
DbDir   /etc/radiator
Trace   5

<Client XXX.XXX.XXX.XXX>
    Secret  X
    Identifier  wifi-testnet
    IgnoreAcctSignature yes
</Client>
# now core config from eap_peap.cfg example:
<Handler TunnelledByPEAP=1>
    AcctLogFileName %L/detail
    <AuthBy FILE>
        Filename %D/users
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1024

        AutoMPPEKeys
        # i did try also
        #AddToReply  MS-MPPE-Encryption-Policy = Encryption-Allowed,\
        #   MS-MPPE-Encryption-Types  = Encryption-Any
        SSLeayTrace 4
    </AuthBy>
</Handler>
--  WinXP client configuration --

- Data encryption (WEP enabled)  ON
- Network Authentication (Shared mode) OFF
- Key is provided for me automatically ON
- Adhoc network OFF
- Enable 802.1x auth ON
- EAP type: PEAP
- Authenticate as computer OFF
- Authenticate as guest OFF
- Validate server certificate OFF
- Authentication method: EAP-MSCHAP v2 (automatically use Windows logon
name OFF)
- Enable fast reconnect OFF
- something from Orinoco-2000 config -

Operational Mode
Wireless A: 802.11bg
  physical iface 802.11g OFDM / DSSS 2.4 GHz, enable auto channel
select ON, transmit rate: auto fallback,
  dtim period: 1 rts/cts medium reservation: 2347, enable closed
system: OFF
Wireless B: 802.11b only
   physical iface 802.11b DSSS 2.4 GHz enable auto channel select ON,
mcast rate: 2mbit,
   dtim period: 1 rts/cts medium reservation: 2347, dist AP: large,
enable closed system: OFF,
   enable load balancing: ON, enable medium density distribution: ON
MAC access control: OFF

Authentication:
wireless slot A: 

Re: (RADIATOR) Re: cant connect Win XP to Orinoco AP-2000 via 802.1x (continue)

2003-08-22 Thread Mike McCauley
Hello Pavel,

On Sat, 23 Aug 2003 01:01 am, Pavel Paprok wrote:
 Mike McCauley wrote:
 Hello Pavel,
 
 On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:
 Mike McCauley wrote:
 On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:
 Hallo,
 
 I am trying to get work wifi access point Orinoco/Proxim AP-2000 with
 802.1x EAP/PEAP user auth by Radiator:
 - Radiator 3.6 eval version RPM on RedHat 9, configured for EAP/PEAP
 with demo certificates.
 - Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
 - Test client is notebook Dell with Win XP (all patches applied),
 wireless card Orinoco Silver
  and/or builtin Intel Pro/WirelessLAN 2100 3A
 
 After all known install and config issues I meet (described in FAQ,
 archive and UtahGeeks) I moved to status where
 user is authenticated OK and radius send Access-Accept. But its last
 info from radius log, no real connection follows, no accounting on log.
 Especially basic UtahGeeks config of Access point is pretty close to
 our config, but unfortunately there are not published Radiator
 configuration so here maybe I have a problem. Or problem is in using
 different wifi client?   Please help me somebody where is a problem?
 
 That sounds a lot like the client is not configured to expect a dynamic
 WEP key, but your Radiator is configured to send them to the AP.
 
 Check the 'WEP key will be provided for me' option in your client
 configuration.
 
 of course, as I have written below in Windows XP client config:
 
 - Key is provided for me automatically ON
 yesterday i also turn on eap tracing in WinXP, see log below, interesting
 is last line:
 
 We got a EAP_failure after we got a PEAP_SUCCESS.  Failing auth.
 
 ...i dont know what it means.
 
 That is very curious, since the last thing sent by Radiator is clearly an 
  EAP Success.
 Perhaps the EAP Failure is being sent by the AP?
 
 I wonder if your AP needs some configuration so that it will support
  dynamic WEP?
 
 Cheers.

 I just try to use AP Signamax 22Mbps in 802.1x with same radiator and
 windows xp client configuration
 and client connected ok! So there should be no general problem with
 client and radius configuration,
 problem is likely in Avaya or its configuration. Or in EAP compatibility
 of Avaya?

Sounds like the problem is there.
We found when we tested the Orinoco AP-2000 here that you had to have the 
_latest_ firmware installed else it would not work properly. See the Radiator 
FAQ for more details. http://www.open.com.au/radiator/faq.html




 I noted that I must set a IgnoreAcctSignature  option to yes for
 Avaya or I get Bad EAP Message-Authenticator warnings in log and auth
 failed. Signamax works ok both with or without this option maybe
 there is a start of problems?

Sounds like there is a shared secret problem between Radiator and the Avaya?


 Are there some AddToReply which I would try to add to reply for Avaya?
 Have Avaya AP-2000 working with 802.1x somebody to help me with
 configuration? Article in FAQ
 about it does not help me, I dont know where is mistake so exact AP
 configure dump of real working device welcomed.

Cheers.


 Pavel

 Pavel
 
 Cheers.
 
 My configuration:
 
 --   users --
 wifitest    User-Password=wifi
     Session-Timeout=60

 --   radius.cfg --
 AuthPort    1812
 AcctPort    1813

 LogStdout
 LogDir  /var/log/radius
 DbDir   /etc/radiator

 Trace   5

 <Client XXX.XXX.XXX.XXX>
     Secret  X
     Identifier  wifi-testnet
     IgnoreAcctSignature yes
 </Client>
 # now core config from eap_peap.cfg example:

 <Handler TunnelledByPEAP=1>
     AcctLogFileName %L/detail
     <AuthBy FILE>
         Filename %D/users
         EAPType MSCHAP-V2
     </AuthBy>
 </Handler>
 <Handler>
     <AuthBy FILE>
         Filename %D/users
         EAPType PEAP
         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
         EAPTLS_CertificateType PEM
         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
         EAPTLS_PrivateKeyPassword whatever
         EAPTLS_MaxFragmentSize 1024

         AutoMPPEKeys
         # i did try also
         #AddToReply  MS-MPPE-Encryption-Policy = Encryption-Allowed,\
         #   MS-MPPE-Encryption-Types  = Encryption-Any
         SSLeayTrace 4
     </AuthBy>
 </Handler>
 
 
 --  WinXP client configuration --
 
 - Data encryption (WEP enabled)  ON
 - Network Authentication (Shared mode) OFF
 - Key is provided for me automatically ON
 - Adhoc network OFF
 - Enable 802.1x auth ON
 - EAP type: PEAP
 - Authenticate as computer OFF
 - Authenticate as guest OFF
 - Validate server certificate OFF
 - Authentication method: EAP-MSCHAP v2 (automatically use Windows logon
 name OFF)
 - Enable fast reconnect OFF
 
 - something from Orinoco-2000 config -
 
 Operational Mode
 Wireless A: 802.11bg
physical 
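
The "Bad EAP Message-Authenticator" warning and the shared-secret suggestion in the message above, as an added example (not part of the original thread and not Radiator's code): a RADIUS Message-Authenticator (RFC 2869 / RFC 3579) is an HMAC-MD5 over the whole packet with the attribute's 16 value bytes zeroed, keyed with the shared secret, so a secret that differs between the AP and the server makes verification fail. The packet, user name and both secrets below are constructed sample values.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type (RFC 2869 / RFC 3579)

def build_access_request(identifier, request_auth, attrs, secret):
    """Build an Access-Request and sign it with Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", 1, identifier, 20 + len(body)) + request_auth
    packet = bytearray(header + body)
    # The attribute is last, so its 16 value bytes are the packet's tail.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_message_authenticator(packet, secret):
    """Return True/False, or None when no Message-Authenticator is present."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    data = bytearray(packet[:length])
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("bad Message-Authenticator length")
            received = bytes(data[pos + 2:pos + 18])
            data[pos + 2:pos + 18] = bytes(16)  # zero the field before hashing
            expected = hmac.new(secret, bytes(data), hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return None

# Constructed sample: User-Name (1) and an EAP-Message (79) identity response.
SAMPLE = build_access_request(
    7, bytes(range(16)),
    [(1, b"wifitest"), (79, b"\x02\x01\x00\x0d\x01wifitest")],
    b"ap-secret")

def check_sample():
    """Verify SAMPLE with the signing secret, then with a different one."""
    return (verify_message_authenticator(SAMPLE, b"ap-secret"),
            verify_message_authenticator(SAMPLE, b"radiator-secret"))

if __name__ == "__main__":
    print(check_sample())
```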

Re: (RADIATOR) Re: cant connect Win XP to Orinoco AP-2000 via 802.1x(continue)

2003-08-22 Thread Bret Jordan


Mike McCauley wrote:

Hello Pavel,

On Sat, 23 Aug 2003 01:01 am, Pavel Paprok wrote:
 

Mike McCauley wrote:
   

Hello Pavel,

On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:
 

Mike McCauley wrote:
   

On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:
 

Hallo,

I am trying to get work wifi access point Orinoco/Proxim AP-2000 with
802.1x EAP/PEAP user auth by Radiator:
- Radiator 3.6 eval version RPM on RedHat 9, configured for EAP/PEAP
with demo certificates.
- Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
- Test client is notebook Dell with Win XP (all patches applied),
wireless card Orinoco Silver
and/or builtin Intel Pro/WirelessLAN 2100 3A
After all known install and config issues I meet (described in FAQ,
archive and UtahGeeks) I moved to status where
user is authenticated OK and radius send Access-Accept. But its last
info from radius log, no real connection follows, no accounting on log.
Especially basic UtahGeeks config of Access point is pretty close to
our config, but unfortunately there are not published Radiator
configuration so here maybe I have a problem. Or problem is in using
different wifi client?   Please help me somebody where is a problem?
   

That sounds a lot like the client is not configured to expect a dynamic
WEP key, but your Radiator is configured to send them to the AP.
Check the 'WEP key will be provided for me' option in your client
configuration.
 

of course, as I have written below in Windows XP client config:

- Key is provided for me automatically ON
yesterday i also turn on eap tracing in WinXP, see log below, interesting
is last line:
We got a EAP_failure after we got a PEAP_SUCCESS.  Failing auth.

...i dont know what it means.
   

That is very curious, since the last thing sent by Radiator is clearly an 
EAP Success.
Perhaps the EAP Failure is being sent by the AP?

I wonder if your AP needs some configuration so that it will support
dynamic WEP?
Cheers.
 

I just try to use AP Signamax 22Mbps in 802.1x with same radiator and
windows xp client configuration
and client connected ok! So there should be no general problem with
client and radius configuration,
problem is likely in Avaya or its configuration. Or in EAP compatibility
of Avaya?
   

Sounds like the problem is there.
We found when we tested the Orinoco AP-2000 here that you had to have the 
_latest_ firmware installed else it would not work properly. See the Radiator 
FAQ for more details. http://www.open.com.au/radiator/faq.html

 

We have seen several problems with EAP-PEAP using the Proxim/Avaya 
AP2000 product.  Now that we have EAP-TTLS completely deployed we are 
working on enabling PEAP for those users that absolutely refuse to use a 
real 802.1x client.  We will post all our EAP-TTLS and EAP-PEAP configs 
on the utahgeeks.sourceforge.net site.  We have also compiled a lengthy 
list of cards that work and do not work with 802.1x; we will be adding 
that to the site as well.

On another note, we have recently found a bug in the 2.2.2/2.2.4 code 
for the AP-2000 that causes it not to send Accounting records to 
Radiator correctly.  The problem deals with, of all things, the order 
in which you enable radius accounting on the AP, and is not a problem with 
Radiator.  I will be updating the AP configs to reflect the changes.

Bret




 

I noted that I must set a IgnoreAcctSignature  option to yes for
Avaya or I get Bad EAP Message-Authenticator warnings in log and auth
failed. Signamax works ok both with or without this option maybe
there is a start of problems?
   

Sounds like there is a shared secret problem between Radiator and the Avaya?

 

Are there some AddToReply which I would try to add to reply for Avaya?
Have Avaya AP-2000 working with 802.1x somebody to help me with
configuration? Article in FAQ
about it does not help me, I dont know where is mistake so exact AP
configure dump of real working device welcomed.
   

Cheers.

 

Pavel

   

Pavel

   

Cheers.

 

My configuration:

--   users --
wifitest    User-Password=wifi
    Session-Timeout=60
--   radius.cfg --
AuthPort    1812
AcctPort    1813
LogStdout
LogDir  /var/log/radius
DbDir   /etc/radiator
Trace   5

<Client XXX.XXX.XXX.XXX>
    Secret  X
    Identifier  wifi-testnet
    IgnoreAcctSignature yes
</Client>
# now core config from eap_peap.cfg example:
<Handler TunnelledByPEAP=1>
    AcctLogFileName %L/detail
    <AuthBy FILE>
        Filename %D/users
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1024

        AutoMPPEKeys