I can get NT domain auth working and PEAP against a local file, but how does
one configure PEAP and NT together? It appears that it doesn't know how to
handle the inner request for anonymous.

Thanks,
----
Chuck Byam

============

Foreground
LogStdout
LogDir          /var/log/radius
DbDir           /etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace           5

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with

<Client 10.4.40.31>
        Secret mysecret
</Client>

<Client 127.0.0.1>
        Secret mysecret
</Client>

# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1>
        <AuthBy FILE>
                Filename %D/users

                # This tells the PEAP client what types of inner EAP requests
                # we will honour
                EAPType PEAP

                # This will set up some standard reply items for
                # your NAS, you may need others for your NAS
                DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP

                # This tells the PEAP client what types of inner EAP requests
                # we will honour
                EAPType MSCHAP-V2
        </AuthBy>
</Handler>


# Handles all realms:
<Handler>
        <AuthBy FILE>
                Filename %D/users
                EAPType PEAP
                EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
                EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                EAPTLS_PrivateKeyPassword whatever
                EAPTLS_MaxFragmentSize 1024
                AutoMPPEKeys
                SSLeayTrace 4

                # You can configure the User-Name that will be used for the inner
                # authentication. Defaults to 'anonymous'. This can be useful
                # when proxying the inner authentication. If there is a realm, it can
                # be used to choose a local Realm to handle the inner authentication.
                # %0 is replaced with the EAP identity
                # EAPAnonymous [EMAIL PROTECTED]
        </AuthBy>

        # Log accounting to the detail file in LogDir
        AcctLogFileName ./detail
</Handler>


Mon Dec 15 09:28:58 2003: DEBUG: Handling request with Handler ''
Mon Dec 15 09:28:58 2003: DEBUG:  Deleting session for crb6x, 10.4.40.31, 29
Mon Dec 15 09:28:58 2003: DEBUG: Handling with Radius::AuthFILE:
Mon Dec 15 09:28:58 2003: DEBUG: Handling with EAP: code 2, 252, 87
Mon Dec 15 09:28:58 2003: DEBUG: Response type 25
Mon Dec 15 09:28:58 2003: DEBUG: EAP PEAP inner authentication request for anonymous
Mon Dec 15 09:28:58 2003: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  r<127>o <22><246>i<132><248>L<151>C<18><186>w$
Attributes:
        EAP-Message = 
<2><252><0><<26><2><252><0>;1<130><137><184><191>"<135><192>`<28><224><203>?<207><10><251>%<0><0><0><0><0><0><0><0>:<237>}V<156><171>.<178><205>I<27><223>z<169>c<152>>FMi<177><227><217>5<0>crb6x
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        User-Name = "anonymous"
        NAS-IP-Address = 10.4.40.31
        NAS-Port = 29
        Calling-Station-Id = "004096432B05"


Mon Dec 15 09:28:58 2003: DEBUG: Handling request with Handler ''
Mon Dec 15 09:28:58 2003: DEBUG:  Deleting session for crb6x, 10.4.40.31, 29
Mon Dec 15 09:28:58 2003: DEBUG: Handling with Radius::AuthFILE:
Mon Dec 15 09:28:58 2003: DEBUG: Handling with EAP: code 2, 252, 87
Mon Dec 15 09:28:58 2003: DEBUG: Response type 25
Mon Dec 15 09:28:58 2003: DEBUG: EAP PEAP inner authentication request for anonymous
Mon Dec 15 09:28:58 2003: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  r<127>o <22><246>i<132><248>L<151>C<18><186>w$
Attributes:
        EAP-Message = 
<2><252><0><<26><2><252><0>;1<130><137><184><191>"<135><192>`<28><224><203>?<207><10><251>%<0><0><0><0><0><0><0><0>:<237>}V<156><171>.<178><205>I<27><223>z<169>c<152>>FMi<177><227><217>5<0>crb6x
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        User-Name = "anonymous"
        NAS-IP-Address = 10.4.40.31
        NAS-Port = 29
        Calling-Station-Id = "004096432B05"
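
Added example (not part of the original post, and not Radiator code): a Python decoder for the trace notation, applied to the EAP-Message copied from the tunnelled request above. It shows that the inner request is an EAP Response of type 26 (MS-CHAP-V2) whose Name field carries the real user while the RADIUS User-Name is "anonymous"; the function names are this example's own.

```python
import re
import struct

# EAP-Message value copied from the trace above. The trace prints
# non-printable bytes as <decimal> and printable bytes as themselves.
DUMP = r'<2><252><0><<26><2><252><0>;1<130><137><184><191>"<135><192>`<28><224><203>?<207><10><251>%<0><0><0><0><0><0><0><0>:<237>}V<156><171>.<178><205>I<27><223>z<169>c<152>>FMi<177><227><217>5<0>crb6x'

# A <decimal> token, or failing that any single literal character.
TOKEN = re.compile(r'<(\d{1,3})>|(.)', re.S)


def undump(text):
    """Convert the trace notation back to raw bytes."""
    return bytes(int(num) if num else ord(lit)
                 for num, lit in TOKEN.findall(text))


def parse_inner_eap(pkt):
    """Decode the EAP header and, for type 26, the MS-CHAP-V2 Response."""
    if len(pkt) < 5:
        raise ValueError('too short for an EAP request/response')
    code, ident, length, eap_type = struct.unpack('!BBHB', pkt[:5])
    info = {'code': code, 'id': ident, 'type': eap_type,
            'declared_length': length, 'actual_length': len(pkt)}
    if eap_type != 26:
        return info
    if len(pkt) < 10:
        raise ValueError('truncated EAP-MSCHAP-V2 header')
    opcode, ms_id, ms_length, value_size = struct.unpack('!BBHB', pkt[5:10])
    end = 5 + ms_length  # MS-Length counts from OpCode to the end of Name
    if opcode != 2 or value_size != 49 or end > len(pkt):
        raise ValueError('not a well-formed MS-CHAP-V2 Response')
    # Value: 16-byte peer challenge, 8 reserved, 24-byte NT response, 1 flags
    value = pkt[10:59]
    info.update(opcode=opcode, ms_id=ms_id, ms_length=ms_length,
                flags=value[48],
                name=pkt[59:end].decode('ascii', 'replace'))
    return info


if __name__ == '__main__':
    for key, val in parse_inner_eap(undump(DUMP)).items():
        print(f'{key:>16}: {val}')
```

The decoder reports the declared EAP length next to the number of bytes actually present in the dump, so a mismatch between the two is visible when reading a trace.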