Hi, I currently have Radiator for Windows 4.3.1 and I want to authenticate clients against Windows AD 2003. I am assuming that I use AuthBy LSA to do this. I want to use PEAP as the authentication type. The config below comes after all the client stuff etc. and I have a user Anonymous in the %D/users database. I have included a section of log that includes the error. Any help on correct configuration will be appreciated.

    <Handler TunnelledByPEAP=1>
        # Authenticate with Windows LSA
        <AuthBy LSA>
            UsernameMatchesWithoutRealm
            # This tells the PEAP client what types of inner EAP requests
            # we will honour
            EAPType MSCHAP-V2
        </AuthBy>
    </Handler>

    # The original PEAP request from a NAS will be sent to a matching
    # Realm or Handler in the usual way, where it will be unpacked and the inner authentication
    # extracted.
    # The inner authentication request will be sent again to a matching
    # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
    # a specific handler, or else you can use EAPAnonymous to set a username and realm
    # which can be used to select a Realm clause for the inner request.
    # This allows you to select an inner authentication method based on Realm, and/or the
    # fact that they were tunnelled. You can therefore act just as a PEAP server, or also
    # act as the AAA/H home server, and authenticate PEAP requests locally or proxy
    # them to another remote server based on the realm of the inner authentication request.
    # In this basic example, both the inner and outer authentication are authenticated
    # from a file by AuthBy FILE
    <Handler Realm=ntu.ac.uk>
        <AuthBy FILE>
            # The username of the outer authentication
            # must be in this file to get anywhere. In this example,
            # it requires an entry for 'anonymous' which is the standard username
            # in the outer requests, and it also requires an entry for the
            # actual user name who is trying to connect (ie the 'Login name' entered
            # in the Funk Odyssey 'Edit Profile Properties' page)
            Filename %D/users

            # EAPType sets the EAP type(s) that Radiator will honour.
            # Options are: MD5-Challenge, One-Time-Password
            # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
            # Multiple types can be comma separated. With the default (most
            # preferred) type given first
            EAPType PEAP
            EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
            EAPTLS_CertificateFile %D/certificates/cert-srv.pem
            EAPTLS_CertificateType PEM
            EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
            EAPTLS_PrivateKeyPassword whatever
            EAPTLS_MaxFragmentSize 1000
            AutoMPPEKeys
            SSLeayTrace 4
            EAPTLS_PEAPVersion 1
            EAPTLS_PEAPBrokenV1Label
        </AuthBy>
    </Handler>

Section of log where error occurs:

    Thu Aug 19 16:37:40 2010: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
    Thu Aug 19 16:37:40 2010: DEBUG: Deleting session for anonymous, 10.15.100.4, 29
    Thu Aug 19 16:37:40 2010: DEBUG: Handling with Radius::AuthLSA:
    Thu Aug 19 16:37:40 2010: DEBUG: Handling with EAP: code 2, 8, 80, 26
    Thu Aug 19 16:37:40 2010: DEBUG: Response type 26
    Thu Aug 19 16:37:40 2010: DEBUG: Radius::AuthLSA looks for match with com3pearsmw [anonymous]
    Thu Aug 19 16:37:40 2010: DEBUG: Radius::AuthLSA ACCEPT: : com3pearsmw [anonymous]
    Thu Aug 19 16:37:40 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225508, 2228600, The handle is invalid.
    Thu Aug 19 16:37:40 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
    Thu Aug 19 16:37:40 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 Authentication failure
    Thu Aug 19 16:37:40 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
    Thu Aug 19 16:37:40 2010: DEBUG: Returned PEAP tunnelled packet dump:
    Code: Access-Reject

regards
Mark Pearson
Senior Technical Support Analyst
Information Systems
Nottingham Trent University
tel: 0115 8488287
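Added here as an example, not part of Mark's post or of Radiator itself: a small Python parser for Radiator debug log lines in the layout shown above. It groups lines per request (each request starts at "Handling request with Handler"), records which Handler matched, captures the LSA logon warning with its first number converted to hex so it can be looked up as an NTSTATUS, and records the AuthBy verdict and reason. The sample lines are a constructed copy of the excerpt; the regexes assume the "timestamp: LEVEL: message" layout seen there.

```python
import re

# Constructed sample: a copy of the log excerpt from the post, not a live capture.
SAMPLE_LOG = """\
Thu Aug 19 16:37:40 2010: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
Thu Aug 19 16:37:40 2010: DEBUG: Handling with Radius::AuthLSA:
Thu Aug 19 16:37:40 2010: DEBUG: Handling with EAP: code 2, 8, 80, 26
Thu Aug 19 16:37:40 2010: DEBUG: Radius::AuthLSA looks for match with com3pearsmw [anonymous]
Thu Aug 19 16:37:40 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225508, 2228600, The handle is invalid.
Thu Aug 19 16:37:40 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 Authentication failure
Thu Aug 19 16:37:40 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
"""

# "Thu Aug 19 16:37:40 2010: DEBUG: <message>" (assumed Radiator log layout)
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$")
HANDLER_RE = re.compile(r"Handling request with Handler '(?P<handler>[^']*)'")
# "Could not LogonUserNetworkMSCHAP (V2): <ntstatus>, <sub>, <text>"
LSA_RE = re.compile(r"Could not (?P<call>\w+) \((?P<ver>V\d)\): (?P<ntstatus>\d+), (?P<sub>\d+), (?P<text>.*)$")
RESULT_RE = re.compile(r"AuthBy (?P<authby>\w+) result: (?P<result>\w+), (?P<reason>.*)$")


def parse_radiator_log(text):
    """Return one dict per request: matched handler, LSA failure (if any), AuthBy verdict."""
    requests, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # ignore continuation lines such as packet dumps
        msg = m.group("msg")
        h = HANDLER_RE.search(msg)
        if h:  # a new request begins when a Handler is selected
            current = {"ts": m.group("ts"), "handler": h.group("handler"),
                       "lsa_error": None, "authby": None, "result": None, "reason": None}
            requests.append(current)
            continue
        if current is None:
            continue
        e = LSA_RE.search(msg)
        if e and m.group("level") == "WARNING":
            code = int(e.group("ntstatus"))  # decimal in the log; hex is what MS docs list
            current["lsa_error"] = {"call": e.group("call"), "ntstatus": f"0x{code:08X}",
                                    "text": e.group("text").rstrip(".")}
        r = RESULT_RE.search(msg)
        if r:
            current["authby"], current["result"], current["reason"] = r.group("authby", "result", "reason")
    return requests


def failed_lsa_logons(requests):
    """Only the rejects that carry an LSA logon error, i.e. the AD-side failures worth chasing."""
    return [r for r in requests if r["result"] == "REJECT" and r["lsa_error"]]
```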
_______________________________________________ radiator mailing list [email protected] http://www.open.com.au/mailman/listinfo/radiator
