Hello Berndt -
You cannot put a Realm clause inside a Handler.
It should look like this:
<Handler TunnelledByPEAP=1>
    RewriteUsername s/^(.*)\\(.*)/$2/
    <AuthBy LDAP2>
        server
        Host 10.2.4.21
        AuthDN cn=admin, dc=tgm, dc=ac, dc=at
        AuthPassword password
        BaseDN dc=tgm, dc=ac, dc=at
        UsernameAttr cn
        PasswordAttr ntPassword
        Debug 255
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
There has been quite a bit of discussion on the mailing list, so you should check the archive:
www.open.com.au/archives/radiator
regards
Hugh
On 20/12/2003, at 5:59 AM, Sevcik Berndt wrote:
I am really new to Radiator and have problems understanding the
configuration files. I tried the ldap.cfg config and it works (with
fred/fred). I tried the eap_peap.cfg and it worked too (mikem/fred). Then I
tried to connect the two and now the problems start. Can someone help me
to build my first configuration, from where I can then go further on?
Here is my not-working config (PEAP with MS-CHAPv2 and LDAP):
Foreground
LogStdout
LogDir .
DbDir .
Trace 4
<Client DEFAULT>
    Secret xxx
    DupInterval 0
</Client>
<Handler TunnelledByPEAP=1>
    RewriteUsername s/^(.*)\\(.*)/$2/
    <Realm DEFAULT>
        <AuthBy LDAP2>
            server
            Host 10.2.4.21
            AuthDN cn=admin, dc=tgm, dc=ac, dc=at
            AuthPassword password
            BaseDN dc=tgm, dc=ac, dc=at
            UsernameAttr cn
            PasswordAttr ntPassword
            Debug 255
            EAPType MSCHAP-V2
        </AuthBy>
    </Realm>
</Handler>
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        SSLeayTrace 4
    </AuthBy>
</Handler>
The output:
Fri Dec 19 20:49:23 2003: DEBUG: Packet dump:
*** Received from 10.2.12.101 port 1112 ....
Code: Access-Request
Identifier: 152
Authentic: <238>C<0><0>k<26><0><0>K@<0><0>F><0><0>
Attributes:
Message-Authenticator = [<239><212><138>Ebm!m<199>:<167><10><233><153><25>
User-Name = "ACER-SEVCIK\sevcikb"
NAS-IP-Address = 10.2.12.101
NAS-Port = 2
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = "00-04-23-77-4b-a3"
EAP-Message = <2><2><0><24><1>ACER-SEVCIK\sevcikb
Framed-MTU = 1000
Fri Dec 19 20:49:23 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Dec 19 20:49:23 2003: DEBUG: Deleting session for ACER-SEVCIK\sevcikb, 10.2.12.101, 2
Fri Dec 19 20:49:23 2003: DEBUG: Handling with Radius::AuthLDAP2:
Fri Dec 19 20:49:23 2003: DEBUG: Handling with EAP: code 2, 2, 24
Fri Dec 19 20:49:23 2003: DEBUG: Response type 1
Fri Dec 19 20:49:23 2003: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Fri Dec 19 20:49:23 2003: DEBUG: Access challenged for ACER-SEVCIK\sevcikb: EAP MSCHAP-V2 Challenge
Fri Dec 19 20:49:23 2003: DEBUG: Packet dump:
*** Sending to 10.2.12.101 port 1112 ....
Code: Access-Challenge
Identifier: 152
Authentic: <238>C<0><0>k<26><0><0>K@<0><0>F><0><0>
Attributes:
EAP-Message =
<1><3><0>#<26><1><3><0><30><16><202>; +YY<227><233>KJ<136>[<172><159><197><147><130>ITS-Test1
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Fri Dec 19 20:49:23 2003: DEBUG: Packet dump:
*** Received from 10.2.12.101 port 1112 ....
Code: Access-Request
Identifier: 153
Authentic: <190>(<0><0><213><18><0><0>><18><0><0><153>r<0><0>
Attributes:
Message-Authenticator = 2avy<165>Y<232><175>Y9<195><144><180>Hk<161>
User-Name = "ACER-SEVCIK\sevcikb"
State = ""
NAS-IP-Address = 10.2.12.101
NAS-Port = 2
NAS-Port-Type = Wireless-IEEE-802-11
Calling-Station-Id = "00-04-23-77-4b-a3"
Framed-MTU = 1000
EAP-Message = <2><3><0><6><3><25>
Fri Dec 19 20:49:23 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Dec 19 20:49:23 2003: DEBUG: Deleting session for ACER-SEVCIK\sevcikb, 10.2.12.101, 2
Fri Dec 19 20:49:23 2003: DEBUG: Handling with Radius::AuthLDAP2:
Fri Dec 19 20:49:23 2003: DEBUG: Handling with EAP: code 2, 3, 6
Fri Dec 19 20:49:23 2003: DEBUG: Response type 3
Fri Dec 19 20:49:23 2003: INFO: EAP Nak desires type 25
Fri Dec 19 20:49:23 2003: DEBUG: EAP result: 1, Desired EAP type 25 not permitted
Fri Dec 19 20:49:23 2003: INFO: Access rejected for ACER-SEVCIK\sevcikb: Desired EAP type 25 not permitted
Fri Dec 19 20:49:23 2003: DEBUG: Packet dump:
*** Sending to 10.2.12.101 port 1112 ....
Code: Access-Reject
Identifier: 153
Authentic: <190>(<0><0><213><18><0><0>><18><0><0><153>r<0><0>
Attributes:
Reply-Message = "Request Denied"
Thanks Berndt
-- This message was created with the kind support of a free-range penguin from species-appropriate husbandry. It is guaranteed free of Microsoft viruses.
-----------------------------------------
TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316  Fax: +43(1)33126/154
E-Mail: [EMAIL PROTECTED]
-----------------------------------------
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
-- 
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
- CATool: Private Certificate Authority for Unix and Unix-like systems.
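The structural mistake Hugh points out, a Realm clause nested inside a Handler, can be caught before the server is started. The checker below is an added example written for this thread, not code from the original posts or from Radiator itself; it parses the clause layout of a Radiator-style config (the embedded sample is constructed to mirror Berndt's layout, and parse/lint are hypothetical helper names) and reports any Realm found inside a Handler.

```python
import re

# Constructed sample reproducing the broken layout from the thread:
# a <Realm> clause nested inside the TunnelledByPEAP Handler.
SAMPLE_BAD = """\
<Handler TunnelledByPEAP=1>
    <Realm DEFAULT>
        <AuthBy LDAP2>
            EAPType MSCHAP-V2
        </AuthBy>
    </Realm>
</Handler>
<Handler>
    <AuthBy FILE>
        EAPType PEAP
    </AuthBy>
</Handler>
"""

# Opening clause tag: <Name optional-args>, e.g. <Handler TunnelledByPEAP=1>
OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")

def parse(text):
    # Build a tree of clauses; each node records name, args, params, children.
    root = {"name": "ROOT", "args": "", "params": {}, "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            node = {"name": m.group(1), "args": m.group(2), "params": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif line.startswith("</"):
            # Closing tag must match the innermost open clause.
            if line != "</%s>" % stack[-1]["name"]:
                raise ValueError("mismatched close tag: " + line)
            stack.pop()
        else:
            # Plain "Key value" parameter line belongs to the innermost clause.
            key, _, val = line.partition(" ")
            stack[-1]["params"][key] = val.strip()
    if len(stack) != 1:
        raise ValueError("unclosed clause: " + stack[-1]["name"])
    return root

def lint(root):
    # Flag every Realm clause that sits anywhere inside a Handler clause.
    findings = []
    def walk(node, inside_handler):
        for child in node["children"]:
            if child["name"] == "Realm" and inside_handler:
                findings.append("Realm %s nested inside Handler" % child["args"])
            walk(child, inside_handler or child["name"] == "Handler")
    walk(root, False)
    return findings
```

Running lint(parse(SAMPLE_BAD)) reports the nested Realm; the same check on Hugh's corrected layout returns an empty list.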