30.03.2010 11:05:29
 VoipStudy Posts: 2
|
Hi all,
We have a problem with TekRADIUS authenticating VoIP phones via Cisco 1131 access points.
We're new to the RADIUS field, so we do not know whether some entries are good or bad.
We need to authenticate with PEAP and MS-CHAPv2, and somehow TekRADIUS is telling us that the authentication should be successful, but it doesn't seem to be.
Here is our log; hope somebody can help us:
30.03.2010 09:41:01 - TekRADIUS Service 3.4.0.0 is being started (Microsoft Windows NT 5.1.2600 Service Pack 3).
30.03.2010 09:41:02 - TekRADIUS Service is listening on : 192.168.42.1 (2 client(s))
RadAuth req. from : 192.168.42.20:1645 - 30.03.2010 09:41:26 Size : 129 / 129 Identifier : 115 Attributes :
30.03.2010 09:41:26 - Starting PEAP (A).
Calling-Station-Id = 0003.2a21.dda8 NAS-Port-Type = 19 Called-Station-Id = 003a.9816.c400 User-Name = admin NAS-IP-Address = 192.168.42.20 Framed-MTU = 1400 Service-Type = 1 NAS-Identifier = AP2 NAS-Port-Id = 326 NAS-Port = 326
30.03.2010 09:41:26 - User configured for PEAP authentication; starting PEAP session.
30.03.2010 09:41:26 - Check items control - Start.
30.03.2010 09:41:26 - Check items control - Stop.
30.03.2010 09:41:26 - Fetching Success-Reply items - Start.
30.03.2010 09:41:26 - Fetching Success-Reply items - Stop.
30.03.2010 09:41:26 - Generating Reply Packet - Start.
30.03.2010 09:41:26 - Generating Reply Packet - Stop.
30.03.2010 09:41:26 - Authorization successfull for user admin
RadAuth reply to : 192.168.42.20 - 30.03.2010 09:41:26 Size : 51 Identifier : 115 Attributes :
User-Name = admin
30.03.2010 09:42:02 - Session timer expired for the session : e3723c36b4c87a67d46a2a1af881f048
30.03.2010 09:42:02 - Session timer expired for the session : 076706c85c44205589687e60ae12269f
RadAuth req. from : 192.168.42.20:1645 - 30.03.2010 09:42:36 Size : 129 / 129 Identifier : 116 Attributes :
30.03.2010 09:42:36 - Starting PEAP (A).
Calling-Station-Id = 0003.2a21.dda8 NAS-Port-Type = 19 Called-Station-Id = 003a.9816.c400 User-Name = admin NAS-IP-Address = 192.168.42.20 Framed-MTU = 1400 Service-Type = 1 NAS-Identifier = AP2 NAS-Port-Id = 327 NAS-Port = 327
30.03.2010 09:42:36 - User configured for PEAP authentication; starting PEAP session.
30.03.2010 09:42:36 - Check items control - Start.
30.03.2010 09:42:36 - Check items control - Stop.
30.03.2010 09:42:36 - Fetching Success-Reply items - Start.
30.03.2010 09:42:36 - Fetching Success-Reply items - Stop.
30.03.2010 09:42:36 - Generating Reply Packet - Start.
30.03.2010 09:42:36 - Generating Reply Packet - Stop.
30.03.2010 09:42:36 - Authorization successfull for user admin
RadAuth reply to : 192.168.42.20 - 30.03.2010 09:42:36 Size : 51 Identifier : 116 Attributes :
User-Name = admin
|
30.03.2010 20:59:09
 Admin Administrator Posts: 1684
|
Hi,
Please uncheck the Authorization Only option at Settings / Service Parameters (why have you checked this option?).
Best regards,
Yasin KAPLAN
|
07.04.2010 11:22:59
 VoipStudy Posts: 2
|
Heya,
We unchecked the Authorization Only option; we only had it activated this time for testing purposes.
Here is our log without Authorization Only:
07.04.2010 09:34:10 - TekRADIUS Service 3.4.0.0 is being started (Microsoft Windows NT 5.1.2600 Service Pack 3).
07.04.2010 09:34:12 - TekRADIUS Service is listening on : 192.168.42.1 (2 client(s))
RadAuth req. from : 192.168.42.20:1645 - 07.04.2010 10:15:20 Size : 124 / 124 Identifier : 89 Attributes :
07.04.2010 10:15:20 - Starting PEAP (A).
Calling-Station-Id = 0022.fb94.c8e8 NAS-Port-Type = 19 Called-Station-Id = 003a.9816.c400 User-Name = admin NAS-IP-Address = 192.168.42.20 Framed-MTU = 1400 Service-Type = 1 NAS-Port-Id = 328 NAS-Port = 328
07.04.2010 10:15:20 - User configured for PEAP authentication; starting PEAP session.
07.04.2010 10:15:20 - Check items control - Start.
07.04.2010 10:15:20 - Check items control - Stop.
07.04.2010 10:15:20 - PEAP Challenge sent for user 'admin'.
RadAuth req. from : 192.168.42.20:1645 - 07.04.2010 10:15:20 Size : 262 / 262 Identifier : 90 Attributes :
Calling-Station-Id = 0022.fb94.c8e8 NAS-Port-Type = 19 Called-Station-Id = 003a.9816.c400 User-Name = admin NAS-IP-Address = 192.168.42.20 Framed-MTU = 1400 Service-Type = 1 NAS-Port-Id = 328 NAS-Port = 328 State = e7c49aba4015c4640902c4ed64667f07
07.04.2010 10:15:20 - Check items control - Start.
07.04.2010 10:15:20 - Check items control - Stop.
07.04.2010 10:15:20 - PEAP Challenge sent for user 'admin'.
RadAuth req. from : 192.168.42.20:1645 - 07.04.2010 10:15:21 Size : 165 / 165 Identifier : 91 Attributes :
07.04.2010 10:15:21 - Abnormal EAP request recevied, requesting identity. (PEAP State 3A)
07.04.2010 10:15:21 - Unsupported Cipher Suite, TLS Session has been aborted, sending Handshake Failure.
Calling-Station-Id = 0022.fb94.c8e8 NAS-Port-Type = 19 Called-Station-Id = 003a.9816.c400 User-Name = admin NAS-IP-Address = 192.168.42.20 Framed-MTU = 1400 Service-Type = 1 NAS-Port-Id = 328 NAS-Port = 328 State = e7c49aba4015c4640902c4ed64667f07
07.04.2010 10:15:21 - Check items control - Start.
07.04.2010 10:15:21 - Check items control - Stop.
07.04.2010 10:15:21 - PEAP Challenge sent for user 'admin'.
Any ideas?
|
08.04.2010 08:53:59
 Admin Administrator Posts: 1684
|
Hi,
TekRADIUS's TLS implementation supports only the following cipher suites:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
Please check if the built-in supplicant in the VoIP phones supports these cipher suites and if they are enabled.
Best regards,
Yasin KAPLAN
edited by admin on 08.04.2010
|
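The cipher-suite check requested in the reply above, as an added example that is not part of the original thread or of TekRADIUS: given the raw TLS record carrying a supplicant's ClientHello (for instance copied out of a packet trace), it reports which of the two suites listed above the client offers. The function names and the sample records are constructed for illustration, and the ClientHello is assumed to fit in a single TLS record.

```python
import struct

# The two suites the reply above lists for TekRADIUS (IANA code points).
SERVER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}


def offered_suites(record: bytes) -> list:
    """Return the cipher-suite code points from a TLS ClientHello record."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 0x16 or len(body) < max(rlen, 4) or body[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                       # skip client_version and random
    if len(hello) <= pos:
        raise ValueError("ClientHello too short (fragmented?)")
    pos += 1 + hello[pos]              # skip session_id
    n = int.from_bytes(hello[pos:pos + 2], "big")
    suites = hello[pos + 2:pos + 2 + n]
    if n == 0 or n % 2 or len(suites) != n:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(suites[i:i + 2], "big") for i in range(0, n, 2)]


def common_suites(record: bytes) -> list:
    """Names of the server-supported suites the client offers, in client order."""
    return [SERVER_SUITES[s] for s in offered_suites(record) if s in SERVER_SUITES]


def sample_hello(suites) -> bytes:
    """Constructed ClientHello: TLS 1.0, zero random, empty session id."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (b"\x03\x01" + bytes(32) + b"\x00"
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    # 0x002F / 0x0035 are the AES-CBC RSA suites; 0x000A is 3DES.
    for offer in ([0x002F, 0x0035], [0x002F, 0x0005, 0x000A, 0x0004]):
        print([hex(s) for s in offer], "->", common_suites(sample_hello(offer)))
```

An empty result means the client offers neither suite, which is the condition the "Unsupported Cipher Suite" log line reports. RFC 7465 prohibits RC4 suites in TLS, so a current supplicant may offer neither.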
03.05.2010 13:36:57
 np20101 Posts: 3
|
Hi,
I get the same error:
03/05/2010 12:09:27 - Abnormal recevied EAP request, Requesting identity. (PEAP State 3A)
03/05/2010 12:09:27 - Unsupported Cipher Suite, TLS Session has-been aborted, sending Handshake Failure.
When I connect from a client with Windows XP SP3, it gives me the error. But when I connect with a client with Windows Vista or Windows 7, I get the error and I can not connect.
I generate the certificate; I have tried SelfSSL, Tekcertc ....
Any ideas?
Thanks
|
03.05.2010 15:51:40
 Admin Administrator Posts: 1684
|
Hi,
Please make sure that you have selected PEAP as the EAP type in the Wifi Authentication properties.
Best regards,
Yasin KAPLAN
|
04.05.2010 12:52:27
 np20101 Posts: 3
|
Yes, the PEAP as EAP type in Wifi Authentication properties is selected.
The problem is that with the same server configuration, when the client connects from Windows XP SP3, everything works OK. However, when the client connects from Windows Vista or Windows 7, I have the error:
03/05/2010 12:09:27 - Abnormal recevied EAP request, Requesting identity. (PEAP State 3A)
03/05/2010 12:09:27 - Unsupported Cipher Suite, TLS Session has-been aborted, sending Handshake Failure.
I don't understand why
Thanks.
|
04.05.2010 14:45:25
 Admin Administrator Posts: 1684
|
Is it possible for you to send me a Wireshark trace from the TekRADIUS server?
|
11.05.2010 14:19:51
 np20101 Posts: 3
|
Hi, I send you a Wireshark trace from the TekRADIUS server.
|
12.05.2010 18:31:14
 Admin Administrator Posts: 1684
|
Hi,
If you look at the 9th message of the Windows 7 trace, you'll see that the Windows 7 client does not accept the server certificate offered by TekRADIUS. You can either install the server certificate (CertificadoWifi) on the Windows client manually or you can disable Server Certificate Validation on the Windows client.
Best regards,
Yasin KAPLAN
|