Hello Chuck,
On Tue, 16 Dec 2003 02:06 am, Chuck Byam wrote:
> I can get nt domain auth working and peap against a local file, but how
> does one configure peap and nt together? It appears that it doesn't know
> how to handle the inner request for anonymous.

In order to use PEAP-MSCHAPV2 with Windows NT passwords, you will need to use
the new AuthBy LSA module included as part of Radiator 3.7 and later.

Cheers.

>
> Thanks,
> ----
> Chuck Byam
>
> ============
>
> Foreground
> LogStdout
> LogDir /var/log/radius
> DbDir /etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace 5
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
>
> <Client 10.4.40.31>
>     Secret mysecret
> </Client>
>
> <Client 127.0.0.1>
>     Secret mysecret
> </Client>
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> <Handler TunnelledByPEAP=1>
>     <AuthBy FILE>
>         Filename %D/users
>
>         # This tells the PEAP client what types of inner EAP requests
>         # we will honour
>         EAPType PEAP
>
>         # This will set up some standard reply items for
>         # your NAS, you may need others for your NAS
>         DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
>
>         # This tells the PEAP client what types of inner EAP requests
>         # we will honour
>         EAPType MSCHAP-V2
>     </AuthBy>
> </Handler>
>
>
> # Handles all realms:
> <Handler>
>     <AuthBy FILE>
>         Filename %D/users
>         EAPType PEAP
>         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1024
>         AutoMPPEKeys
>         SSLeayTrace 4
>
>         # You can configure the User-Name that will be used for the inner
>         # authentication. Defaults to 'anonymous'. This can be useful
>         # when proxying the inner authentication. If there is a realm, it can
>         # be used to choose a local Realm to handle the inner authentication.
>         # %0 is replaced with the EAP identity
>         # EAPAnonymous [EMAIL PROTECTED]
>     </AuthBy>
>
>     # Log accounting to the detail file in LogDir
>     AcctLogFileName ./detail
> </Handler>
>
>
> Mon Dec 15 09:28:58 2003: DEBUG: Handling request with Handler ''
> Mon Dec 15 09:28:58 2003: DEBUG: Deleting session for crb6x, 10.4.40.31, 29
> Mon Dec 15 09:28:58 2003: DEBUG: Handling with Radius::AuthFILE:
> Mon Dec 15 09:28:58 2003: DEBUG: Handling with EAP: code 2, 252, 87
> Mon Dec 15 09:28:58 2003: DEBUG: Response type 25
> Mon Dec 15 09:28:58 2003: DEBUG: EAP PEAP inner authentication request for anonymous
> Mon Dec 15 09:28:58 2003: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  r<127>o <22><246>i<132><248>L<151>C<18><186>w$
> Attributes:
>     EAP-Message = <2><252><0><<26><2><252><0>;1<130><137><184><191>"<135><192>`<28><224><203>?<207><10><251>%<0><0><0><0><0><0><0><0>:<237>}V<156><171>.<178><205>I<27><223>z<169>c<152>>FMi<177><227><217>5<0>crb6x
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     User-Name = "anonymous"
>     NAS-IP-Address = 10.4.40.31
>     NAS-Port = 29
>     Calling-Station-Id = "004096432B05"
>
>
> Mon Dec 15 09:28:58 2003: DEBUG: Handling request with Handler ''
> Mon Dec 15 09:28:58 2003: DEBUG: Deleting session for crb6x, 10.4.40.31, 29
> Mon Dec 15 09:28:58 2003: DEBUG: Handling with Radius::AuthFILE:
> Mon Dec 15 09:28:58 2003: DEBUG: Handling with EAP: code 2, 252, 87
> Mon Dec 15 09:28:58 2003: DEBUG: Response type 25
> Mon Dec 15 09:28:58 2003: DEBUG: EAP PEAP inner authentication request for anonymous
> Mon Dec 15 09:28:58 2003: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  r<127>o <22><246>i<132><248>L<151>C<18><186>w$
> Attributes:
>     EAP-Message = <2><252><0><<26><2><252><0>;1<130><137><184><191>"<135><192>`<28><224><203>?<207><10><251>%<0><0><0><0><0><0><0><0>:<237>}V<156><171>.<178><205>I<27><223>z<169>c<152>>FMi<177><227><217>5<0>crb6x
>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     User-Name = "anonymous"
>     NAS-IP-Address = 10.4.40.31
>     NAS-Port = 29
>     Calling-Station-Id = "004096432B05"
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
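As an added illustration (not code from the thread or from Radiator), the Python below decodes the EAP-Message attribute of the quoted "PEAP Tunnelled request" dump: it reverses Radiator's `<n>` byte notation and walks the EAP-MSCHAPv2 Response framing to show that the identity actually being authenticated (the Name field, here crb6x) lives inside the EAP payload while the inner RADIUS User-Name is only "anonymous", and that what must be verified is a challenge/response NT-Response, which is why the reply points to AuthBy LSA for NT passwords. It also compares the EAP header's Length with the bytes present and with MS-Length, a useful sanity check when reading these dumps.

```python
import re
from dataclasses import dataclass

# Radiator prints each non-printable byte of a packet dump as <n> (decimal) and
# every printable byte literally; decode_dump() reverses that encoding.
_ESCAPED = re.compile(r"<(\d{1,3})>")

def decode_dump(text: str) -> bytes:
    out, pos = bytearray(), 0
    for m in _ESCAPED.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1)))
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

@dataclass
class MsChapV2Response:
    eap_id: int
    declared_len: int   # Length field of the EAP header
    actual_len: int     # bytes actually present in the dump
    ms_len: int         # MS-Length field, defined as EAP Length minus 5
    peer_challenge: bytes
    nt_response: bytes
    name: str           # identity the peer claims; unverified until the NT-Response is checked

def parse_eap_mschapv2_response(pkt: bytes) -> MsChapV2Response:
    # EAP header: Code(1) Identifier(1) Length(2) Type(1); Type 26 is EAP-MSCHAPv2
    if pkt[0] != 2 or pkt[4] != 26:
        raise ValueError("not an EAP Response of type MS-CHAP-V2")
    # MS-CHAPv2 body: OpCode(1) MS-Id(1) MS-Length(2) Value-Size(1) Value(49) Name
    opcode, ms_len, value_size = pkt[5], int.from_bytes(pkt[7:9], "big"), pkt[9]
    if opcode != 2 or value_size != 49:
        raise ValueError("not an MS-CHAPv2 Response carrying a 49-byte Value")
    value = pkt[10:59]  # Peer-Challenge(16) Reserved(8) NT-Response(24) Flags(1)
    return MsChapV2Response(pkt[1], int.from_bytes(pkt[2:4], "big"), len(pkt), ms_len,
                            value[:16], value[24:48], pkt[59:].decode("latin-1"))

# EAP-Message attribute copied from the quoted debug log (mailer wrap markers removed)
EAP_MESSAGE_DUMP = (
    '<2><252><0><<26><2><252><0>;1<130><137><184><191>"<135><192>`<28><224><203>'
    '?<207><10><251>%<0><0><0><0><0><0><0><0>:<237>}V<156><171>.<178><205>I<27>'
    '<223>z<169>c<152>>FMi<177><227><217>5<0>crb6x'
)

if __name__ == "__main__":
    r = parse_eap_mschapv2_response(decode_dump(EAP_MESSAGE_DUMP))
    print(f"inner RADIUS User-Name is 'anonymous'; EAP identity to authenticate is {r.name!r}")
    print(f"EAP Length {r.declared_len}, bytes present {r.actual_len}, MS-Length {r.ms_len}")
```

In this dump the EAP header says 60 bytes while 64 are present and MS-Length (59) agrees with the real size, so the MS-CHAPv2 framing, not the EAP Length, is the reliable guide when reading Radiator's tunnelled-request dumps.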
