Re: [RADIATOR] TTLS/EAP setup

2016-12-27 Thread Heikki Vatiainen

On 24.12.2016 00:37, rohan.henry cwjamaica.com wrote:

> Logs from another platform show EAP-Type=TTLS.

Check that the configuration file has, or at least starts with: 'EAPType 
TTLS'. This will tell Radiator to start with EAP-TTLS when the client 
starts authentication.

> But I suspect that the NAS is not seeing the responses from Radius and 
> therefore resending the access-request.

If the above configuration change does not work, then you need to check 
NAS logs to see if there's any hint about what's going on. The EAPType 
change should not affect whether the NAS sees the responses or not, 
unless it, or some other device on the path, does some type of 
filtering based on the responses.

> This is my first time working on this kind of Radius setup so the help is 
> appreciated.

The start of WiMAX authentication is the same as with other TLS based 
EAP methods. The client and Radiator establish a TLS tunnel, but now it 
seems that this is not starting up correctly.


Thanks,
Heikki

--
Heikki Vatiainen
h...@open.com.au
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] TTLS/EAP setup

2016-12-23 Thread rohan.henry cwjamaica.com

Thanks Tuure.

Logs from another platform show EAP-Type=TTLS.

But I suspect that the NAS is not seeing the responses from Radius and 
therefore resending the access-request.

This is my first time working on this kind of Radius setup so the help is 
appreciated.

Thanks again Tuure.

- Original Message -
From: "Tuure Vartiainen" 
To: radiator@lists.open.com.au
Sent: Saturday, December 10, 2016 3:48:53 AM
Subject: Re: [RADIATOR] TTLS/EAP setup

Hello,

> On 09 Dec 2016, at 18:18, rohan.henry cwjamaica.com 
>  wrote:
> 
> It seems Radiator is not receiving expected response after sending 
> access-challenge to NAS (Telrad station). 
> 
> Does my radiator response look ok?
> 
> ...
> Thu Nov 24 08:25:15 2016: DEBUG: Handling with EAP: code 2, 1, 56, 1
> Thu Nov 24 08:25:15 2016: DEBUG: Response type 1
> Thu Nov 24 08:25:15 2016: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu Nov 24 08:25:15 2016: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP 
> Challenge
> Thu Nov 24 08:25:15 2016: DEBUG: PostAuthHook:  Cypress = Access-Request
> Thu Nov 24 08:25:15 2016: DEBUG: PostAuthHook:  Cypress Reason = EAP PEAP 
> Challenge
> Thu Nov 24 08:25:15 2016: DEBUG: Access challenged for 
> {am=1}c63a2a38c45914908f0394f53834f...@anuwimax.com: EAP PEAP Challenge
> Thu Nov 24 08:25:15 2016: DEBUG: Packet dump:
> *** Sending to 172.20.152.237 port 33511 
> Packet length = 46
> 0b 09 00 2e 33 59 ad 2e a9 25 18 08 e4 12 54 be
> 8b bb 26 6f 4f 08 01 02 00 06 19 20 50 12 b0 bf
> 51 31 b6 fd 7a bd f9 1b 07 b2 6c 23 12 2f
> Code:   Access-Challenge
> Identifier: 9
> Authentic:  3Y<173>.<169>%<24><8><228><18>T<190><139><187>&o
> Attributes:
> EAP-Message = <1><2><0><6><25>
> Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 

above, Radiator sends a response to EAP-Identity from the client and suggests 
EAP-PEAP (25) to be used.

> Thu Nov 24 08:25:20 2016: DEBUG: Packet dump:
> *** Received from 172.20.152.237 port 33511 
> Packet length = 251
> 01 09 00 fb 33 9d a7 be 03 68 98 13 00 4b b5 b3
> 6f b2 6b 2e 01 35 7b 61 6d 3d 31 7d 63 36 33 61
> 32 61 33 38 63 34 35 39 31 34 39 30 38 66 30 33
> 39 34 66 35 33 38 33 34 66 37 39 30 40 61 6e 75
> 77 69 6d 61 78 2e 63 6f 6d 4f 3a 02 01 00 38 01
> 7b 61 6d 3d 31 7d 63 36 33 61 32 61 33 38 63 34
> 35 39 31 34 39 30 38 66 30 33 39 34 66 35 33 38
> 33 34 66 37 39 30 40 61 6e 75 77 69 6d 61 78 2e
> 63 6f 6d 50 12 a2 6c ed 33 5b 7c 92 98 50 86 d4
> 28 5e 81 9f 56 20 05 30 31 38 04 06 0a 01 64 64
> 1f 13 30 30 2d 31 30 2d 45 37 2d 45 32 2d 43 30
> 2d 35 34 1a 0f 00 00 60 b5 2e 09 00 01 01 01 16
> 16 02 3d 06 00 00 00 1b 0c 06 00 00 07 d0 06 06
> 00 00 00 02 1a 0d 00 00 60 b5 03 07 00 00 00 00
> 00 1a 1a 00 00 60 b5 01 14 00 01 05 31 2e 30 02
> 03 01 03 03 01 07 06 00 00 02 8a
> Code:   Access-Request
> Identifier: 9
> Authentic:  3<157><167><190><3>h<152><19><0>K<181><179>o<178>k.
> Attributes:
> User-Name = "{am=1}c63a2a38c45914908f0394f53834f...@anuwimax.com"
> EAP-Message = 
> <2><1><0>8<1>{am=1}c63a2a38c45914908f0394f53834f...@anuwimax.com
> Message-Authenticator = 
> <162>l<237>3[|<146><152>P<134><212>(^<129><159>V
> NAS-Identifier = "018"
> NAS-IP-Address = 10.1.100.100
> Calling-Station-Id = "00-10-E7-E2-C0-54"
> WiMAX-BS-ID = <1><1><1><22><22><2>
> NAS-Port-Type = Wireless-IEEE-802.16
> Framed-MTU = 2000
> Service-Type = Framed-User
> WiMAX-GMT-Timezone-Offset = 0
> WiMAX-Capability = 
> Release=1.0,Accounting-Capabilities=IP-Session-Based,Hotlining-Capabilities=Hotline-Profile-Id,ASN-Network-Service-Capabilities=650
> Thu Nov 24 08:25:20 2016: INFO: Duplicate request id 9 received from 
> 172.20.152.237(33511): retransmit reply
> 

The client sends the original request again which is correctly marked as a 
duplicate.

> Thu Nov 24 08:25:20 2016: DEBUG: Packet dump:
> *** Sending to 172.20.152.237 port 33511 
> Packet length = 46
> 0b 09 00 2e 33 59 ad 2e a9 25 18 08 e4 12 54 be
> 8b bb 26 6f 4f 08 01 02 00 06 19 20 50 12 b0 bf
> 51 31 b6 fd 7a bd f9 1b 07 b2 6c 23 12 2f
> Code:   Access-Challenge
> Identifier: 9
> Authentic:  3Y<173>.<169>%<24><8><228><18>T<190><139><187>&o
> Attributes:
> EAP-Message = <1>&

Re: [RADIATOR] TTLS/EAP setup

2016-12-10 Thread Tuure Vartiainen
Hello,

> On 09 Dec 2016, at 18:18, rohan.henry cwjamaica.com 
>  wrote:
> 
> It seems Radiator is not receiving expected response after sending 
> access-challenge to NAS (Telrad station). 
> 
> Does my radiator response look ok?
> 
> ...
> Thu Nov 24 08:25:15 2016: DEBUG: Handling with EAP: code 2, 1, 56, 1
> Thu Nov 24 08:25:15 2016: DEBUG: Response type 1
> Thu Nov 24 08:25:15 2016: DEBUG: EAP result: 3, EAP PEAP Challenge
> Thu Nov 24 08:25:15 2016: DEBUG: AuthBy SQL result: CHALLENGE, EAP PEAP 
> Challenge
> Thu Nov 24 08:25:15 2016: DEBUG: PostAuthHook:  Cypress = Access-Request
> Thu Nov 24 08:25:15 2016: DEBUG: PostAuthHook:  Cypress Reason = EAP PEAP 
> Challenge
> Thu Nov 24 08:25:15 2016: DEBUG: Access challenged for 
> {am=1}c63a2a38c45914908f0394f53834f...@anuwimax.com: EAP PEAP Challenge
> Thu Nov 24 08:25:15 2016: DEBUG: Packet dump:
> *** Sending to 172.20.152.237 port 33511 
> Packet length = 46
> 0b 09 00 2e 33 59 ad 2e a9 25 18 08 e4 12 54 be
> 8b bb 26 6f 4f 08 01 02 00 06 19 20 50 12 b0 bf
> 51 31 b6 fd 7a bd f9 1b 07 b2 6c 23 12 2f
> Code:   Access-Challenge
> Identifier: 9
> Authentic:  3Y<173>.<169>%<24><8><228><18>T<190><139><187>&o
> Attributes:
> EAP-Message = <1><2><0><6><25>
> Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 

above, Radiator sends a response to EAP-Identity from the client and suggests 
EAP-PEAP (25) to be used.

> Thu Nov 24 08:25:20 2016: DEBUG: Packet dump:
> *** Received from 172.20.152.237 port 33511 
> Packet length = 251
> 01 09 00 fb 33 9d a7 be 03 68 98 13 00 4b b5 b3
> 6f b2 6b 2e 01 35 7b 61 6d 3d 31 7d 63 36 33 61
> 32 61 33 38 63 34 35 39 31 34 39 30 38 66 30 33
> 39 34 66 35 33 38 33 34 66 37 39 30 40 61 6e 75
> 77 69 6d 61 78 2e 63 6f 6d 4f 3a 02 01 00 38 01
> 7b 61 6d 3d 31 7d 63 36 33 61 32 61 33 38 63 34
> 35 39 31 34 39 30 38 66 30 33 39 34 66 35 33 38
> 33 34 66 37 39 30 40 61 6e 75 77 69 6d 61 78 2e
> 63 6f 6d 50 12 a2 6c ed 33 5b 7c 92 98 50 86 d4
> 28 5e 81 9f 56 20 05 30 31 38 04 06 0a 01 64 64
> 1f 13 30 30 2d 31 30 2d 45 37 2d 45 32 2d 43 30
> 2d 35 34 1a 0f 00 00 60 b5 2e 09 00 01 01 01 16
> 16 02 3d 06 00 00 00 1b 0c 06 00 00 07 d0 06 06
> 00 00 00 02 1a 0d 00 00 60 b5 03 07 00 00 00 00
> 00 1a 1a 00 00 60 b5 01 14 00 01 05 31 2e 30 02
> 03 01 03 03 01 07 06 00 00 02 8a
> Code:   Access-Request
> Identifier: 9
> Authentic:  3<157><167><190><3>h<152><19><0>K<181><179>o<178>k.
> Attributes:
> User-Name = "{am=1}c63a2a38c45914908f0394f53834f...@anuwimax.com"
> EAP-Message = 
> <2><1><0>8<1>{am=1}c63a2a38c45914908f0394f53834f...@anuwimax.com
> Message-Authenticator = 
> <162>l<237>3[|<146><152>P<134><212>(^<129><159>V
> NAS-Identifier = "018"
> NAS-IP-Address = 10.1.100.100
> Calling-Station-Id = "00-10-E7-E2-C0-54"
> WiMAX-BS-ID = <1><1><1><22><22><2>
> NAS-Port-Type = Wireless-IEEE-802.16
> Framed-MTU = 2000
> Service-Type = Framed-User
> WiMAX-GMT-Timezone-Offset = 0
> WiMAX-Capability = 
> Release=1.0,Accounting-Capabilities=IP-Session-Based,Hotlining-Capabilities=Hotline-Profile-Id,ASN-Network-Service-Capabilities=650
> Thu Nov 24 08:25:20 2016: INFO: Duplicate request id 9 received from 
> 172.20.152.237(33511): retransmit reply
> 

The client sends the original request again which is correctly marked as a 
duplicate.

> Thu Nov 24 08:25:20 2016: DEBUG: Packet dump:
> *** Sending to 172.20.152.237 port 33511 
> Packet length = 46
> 0b 09 00 2e 33 59 ad 2e a9 25 18 08 e4 12 54 be
> 8b bb 26 6f 4f 08 01 02 00 06 19 20 50 12 b0 bf
> 51 31 b6 fd 7a bd f9 1b 07 b2 6c 23 12 2f
> Code:   Access-Challenge
> Identifier: 9
> Authentic:  3Y<173>.<169>%<24><8><228><18>T<190><139><187>&o
> Attributes:
> EAP-Message = <1><2><0><6><25>
> Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 

and the same response is sent again from a duplicate cache.

The reason why the client resends the request is that either the original 
response was lost/dropped in the network or in the air interface (wimax) 
(this is the more probable cause) or the client for some reason rejected 
the response. If an EAP client does not support the EAP method which the 
server suggests, the client should reply with an EAP NaK and suggest 
another EAP method to be used.

(ref: https://tools.ietf.org/html/rfc3748#section-5.3)


BR
-- 
Tuure Vartiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.



Re: [RADIATOR] TTLS/EAP setup

2016-11-25 Thread Heikki Vatiainen

On 25.11.2016 1.00, rohan.henry cwjamaica.com wrote:

> It seems Radiator is not receiving expected response after sending
> access-challenge to NAS (Telrad station).
>
> Does my radiator response look ok?

It does look ok for PEAP. You are receiving EAP-Response/Identity to 
which Radiator responds with EAP-Request/PEAP-Start. This looks like 
normal PEAP authentication start.

What happens then is that the RADIUS client sends the same request 
again. I'd say this means the response from Radiator is dropped, 
ignored or, in general, does not reach the RADIUS client (or maybe the 
device trying to authenticate with EAP-TTLS).


Maybe the request is dropped because Radiator tries to start PEAP and 
only EAP-TTLS is supported and the client does not know how to send NAK 
and request EAP-TTLS.


See that your configuration does not have EAPType set to PEAP. Plain 
'EAPType TTLS' should be enough.


Thanks,
Heikki

--
Heikki Vatiainen 


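As an added example, not code from this thread or from Radiator, the following Python decodes the two packets quoted above from their hex dumps and reproduces the checks the replies describe: the Access-Challenge proposes EAP type 25 (PEAP) rather than 21 (TTLS), an EAP-Response/Nak asking for TTLS is what a client that cannot do PEAP should send back (RFC 3748 section 5.3), and a server recognises the NAS's second request as a retransmit from its source, Identifier and Request Authenticator and answers from cache. The packet bytes, identity string, address and port come from the dumps; the Nak bytes are constructed (the NAS in the thread never sent one); the cache key, `ReplyCache` class and function names are this example's own.

```python
import struct

# Hex dumps copied from the Radiator DEBUG output quoted in this thread:
# the Access-Challenge (Identifier 9) and the Access-Request (Identifier 9)
# that the NAS sent twice.
ACCESS_CHALLENGE_HEX = (
    "0b 09 00 2e 33 59 ad 2e a9 25 18 08 e4 12 54 be 8b bb 26 6f 4f 08 01 02 00 06 19 20"
    " 50 12 b0 bf 51 31 b6 fd 7a bd f9 1b 07 b2 6c 23 12 2f")
ACCESS_REQUEST_HEX = (
    "01 09 00 fb 33 9d a7 be 03 68 98 13 00 4b b5 b3 6f b2 6b 2e 01 35 7b 61 6d 3d 31 7d 63 36 33 61"
    " 32 61 33 38 63 34 35 39 31 34 39 30 38 66 30 33 39 34 66 35 33 38 33 34 66 37 39 30 40 61 6e 75"
    " 77 69 6d 61 78 2e 63 6f 6d 4f 3a 02 01 00 38 01 7b 61 6d 3d 31 7d 63 36 33 61 32 61 33 38 63 34"
    " 35 39 31 34 39 30 38 66 30 33 39 34 66 35 33 38 33 34 66 37 39 30 40 61 6e 75 77 69 6d 61 78 2e"
    " 63 6f 6d 50 12 a2 6c ed 33 5b 7c 92 98 50 86 d4 28 5e 81 9f 56 20 05 30 31 38 04 06 0a 01 64 64"
    " 1f 13 30 30 2d 31 30 2d 45 37 2d 45 32 2d 43 30 2d 35 34 1a 0f 00 00 60 b5 2e 09 00 01 01 01 16"
    " 16 02 3d 06 00 00 00 1b 0c 06 00 00 07 d0 06 06 00 00 00 02 1a 0d 00 00 60 b5 03 07 00 00 00 00"
    " 00 1a 1a 00 00 60 b5 01 14 00 01 05 31 2e 30 02 03 01 03 03 01 07 06 00 00 02 8a")
EAP_TYPES = {1: "Identity", 3: "Nak", 21: "TTLS", 25: "PEAP"}
ATTR_EAP_MESSAGE = 79  # RFC 3579; fragments are concatenated in order


def parse_radius(raw):
    """Split a RADIUS packet (RFC 2865) into header fields and (type, value)
    attributes, rejecting length fields that disagree with the bytes."""
    if len(raw) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field %d != %d bytes on the wire" % (length, len(raw)))
    attrs, pos = [], 20
    while pos < length:
        alen = raw[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((raw[pos], raw[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": raw[4:20], "attrs": attrs}


def eap_message(pkt):
    """Reassemble the EAP packet carried in the EAP-Message attribute(s)."""
    return b"".join(v for t, v in pkt["attrs"] if t == ATTR_EAP_MESSAGE)


def parse_eap(eap):
    """Decode an EAP header (RFC 3748) and, for Request/Response, its Type."""
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] > len(eap):
        raise ValueError("truncated EAP packet")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    info = {"code": code, "id": ident, "type": None, "data": b""}
    if code in (1, 2) and length >= 5:
        info["type"], info["data"] = eap[4], eap[5:length]
    if info["type"] == 1:           # Identity: the peer's NAI
        info["identity"] = info["data"].decode("utf-8", "replace")
    elif info["type"] == 3:         # Nak: the methods the peer would accept
        info["desired"] = list(info["data"])
    return info


def proposed_method(challenge_raw):
    """Name the EAP method a server proposes in an Access-Challenge (code 11)."""
    pkt = parse_radius(challenge_raw)
    if pkt["code"] != 11:
        raise ValueError("not an Access-Challenge")
    eap = parse_eap(eap_message(pkt))
    return EAP_TYPES.get(eap["type"], "type %r" % eap["type"])


def build_nak(request_id, desired_type):
    """EAP-Response/Nak a peer should send when it does not support the
    proposed method (RFC 3748 section 5.3): the request's id, Type 3 and the
    type it wants instead. Constructed here; the thread's NAS never sent one."""
    return struct.pack("!BBHBB", 2, request_id, 6, 3, desired_type)


class ReplyCache:
    """Duplicate detection as a RADIUS server does it: a request repeating the
    source, Identifier and Request Authenticator of one already answered is a
    retransmit, and the cached reply goes out again unchanged."""
    def __init__(self):
        self._replies = {}

    def handle(self, src, request_raw, build_reply):
        pkt = parse_radius(request_raw)
        key = (src, pkt["id"], pkt["authenticator"])
        if key in self._replies:
            return "retransmit", self._replies[key]
        reply = self._replies[key] = build_reply(pkt)
        return "new", reply


if __name__ == "__main__":
    challenge = bytes.fromhex(ACCESS_CHALLENGE_HEX)
    request = bytes.fromhex(ACCESS_REQUEST_HEX)
    print("server proposes:", proposed_method(challenge))           # PEAP
    print("Nak asking for TTLS:", build_nak(2, 21).hex())            # 020200060315
    cache, src = ReplyCache(), ("172.20.152.237", 33511)
    for _ in range(2):
        print(cache.handle(src, request, lambda pkt: challenge)[0])  # new, then retransmit
```

Run against the dumps, the script reports PEAP as the proposed method, which is the mismatch Heikki points at when he suggests 'EAPType TTLS'; the second identical request hits the cache exactly as Radiator's "Duplicate request id 9 ... retransmit reply" line shows.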