Hi,
On Mon, 7 Feb 2011, Raúl Tejeda Calero wrote:
Hi everyone,
I have another trouble with my radiator configuration.
I'm trying to connect my WinXP client with PEAP (without "validate server
certificate"). I have entered one valid user (mikem-fred, for example) and the log
shows:
Mon Feb 7 15:28:39 2011: DEBUG: Packet dump:
*** Received from <ip> port 32768 ....
Code: Access-Request
Identifier: 74
Authentic: <175><136><30><157>sd<241><177><223><155><160>$s<228>o<129>
Attributes:
User-Name = "mikem"
Calling-Station-Id = "xx"
Called-Station-Id = "xx:Prueba"
NAS-Port = 13
NAS-IP-Address = xxx.yyy.zzz.www
NAS-Identifier = "WLC-1"
Airespace-WLAN-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 509
EAP-Message = <2><2><0><10><1>mikem
Message-Authenticator = l<218>k<160><31><206><177><4>E<208><234><171>f<195><137>"
Mon Feb 7 15:28:39 2011: DEBUG: Handling request with Handler 'NAS-IP-Address=xxx.yyy.zzz.www', Identifier ''
Mon Feb 7 15:28:39 2011: DEBUG: Rewrote user name to mikem
Mon Feb 7 15:28:39 2011: DEBUG: Deleting session for mikem, <ip>, 13
Mon Feb 7 15:28:39 2011: DEBUG: Handling with Radius::AuthFILE:
Mon Feb 7 15:28:39 2011: DEBUG: Handling with EAP: code 2, 2, 10, 1
Mon Feb 7 15:28:39 2011: DEBUG: Response type 1
Mon Feb 7 15:28:39 2011: DEBUG: EAP result: 1, EAP authentication is not permitted.
Mon Feb 7 15:28:39 2011: DEBUG: AuthBy FILE result: REJECT, EAP authentication is not permitted.
Mon Feb 7 15:28:39 2011: INFO: Access rejected for mikem: EAP authentication is not permitted.
Mon Feb 7 15:28:39 2011: DEBUG: Packet dump:
*** Sending to 10.223.0.4 port 32768 ....
Code: Access-Reject
Identifier: 74
Authentic: <2>N<9>4<26><237><212>A<231><249><15>T$<129><152>[
Attributes:
Reply-Message = "Request Denied"
You need to have a dummy user "anonymous" in your users file for the first stage
of outer authentication for any tunnelled EAP method to work.
The sample radiator users file has this:
# For testing various EAP protocols. The Password can never be matched
anonymous Encrypted-Password=nevermatch
I like to use a simple
anonymous
in a separate users file used only for the outer authentication.
My running config is something like this:
<snipp/>
#<Handler TunnelledByPEAP=1>
<Handler NAS-IP-Address="WLC-Address">
    RewriteUsername s/(.*)\\(.*)/$2/
    <AuthBy FILE>
        Filename %D/users
        EAPType MSCHAP-V2, PEAP
        # EAPTLS_CAFile %D/certificados/ca.pem
        # EAPTLS_CertificateFile %D/certificados/serv.pem
        # EAPTLS_CertificateType PEM
        # EAPTLS_PrivateKeyFile %D/certificados/serv.key
        # EAPTLS_MaxFragmentSize 500
    </AuthBy>
</Handler>
Another problem (or the same, I don't know) is the following:
If I use the handler "TunnelledByPEAP=1", Radiator says:
Mon Feb 7 15:25:56 2011: WARNING: Could not find a handler for mikem: request is ignored
You cannot have just a single handler with TunnelledByPEAP=1. Either you
combine inner and outer auth into a single handler like you have now,
or you split them up into two handlers, for example:
-- radius.cfg --
# inner auth with MS-CHAP-V2
<Handler NAS-IP-Address="WLC-Address",TunnelledByPEAP=1>
    <AuthBy FILE>
        RewriteUsername s/(.*)\\(.*)/$2/
        EAPType MSCHAP-V2
        Filename %D/users
    </AuthBy>
</Handler>

# outer auth with just PEAP
<Handler NAS-IP-Address="WLC-Address">
    <AuthBy FILE>
        EAPType PEAP
        Filename %D/users-eap
    </AuthBy>
</Handler>
-- radius.cfg --

-- users-eap --
anonymous
-- users-eap --
Also notice that I have put the RewriteUsername inside the AuthBy FILE with
MSCHAP-V2.
As all CHAP variants include the username in calculating the challenge,
any rewrites can break your CHAP. I believe EAP-MSCHAP has special code
to leave the identity intact despite rewriting the username for the
lookup. I'm not sure that it works under all conditions, though.
You might want to leave out rewriting, at least until you get the config
to work first.
Thus, my Access-Request seems not to be tunnelled by PEAP; perhaps I have configured
PEAP in my WLAN and client.
The trace shows that your client is attempting EAP.
Greetings
Christian
Thanks for your help,
Regards,
Raúl Tejeda
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
--
Christian Kratzer, CK Software GmbH
Email: [email protected]
Phone: +49 7032 893 997 - 0
Fax: +49 7032 893 997 - 9
Web: http://www.cksoft.de/
Wildberger Weg 24/2, D-71126 Gaeufelden
HRB 245288, Amtsgericht Stuttgart
Geschaeftsfuehrer: Christian Kratzer
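Added illustration (not Radiator code and not from either poster) of Christian's point that rewriting the user name can break MS-CHAPv2. RFC 2759 section 8.2 derives the 8-octet challenge behind the NT-Response as the first 8 octets of SHA-1(PeerChallenge || AuthenticatorChallenge || UserName), so the name the server hashes must be byte-identical to the name the peer hashed. The same RFC notes that the peer uses the name excluding any prepended domain, which is why the `DOMAIN\user` strip from the thread's `RewriteUsername` survives in this model while stripping an `@realm` or changing case does not. The fixed challenge values, the identities, the `strip_realm` rewrite and the naive server model (rewritten name fed straight into the hash) are constructed assumptions for the example; Radiator's own handling of the identity is whatever Christian describes above.

```python
"""Added illustration (not Radiator code): how the user name enters the
MS-CHAPv2 challenge, and which RewriteUsername-style rewrites change it.
"""
import hashlib
import re
from typing import Callable

# Constructed, fixed challenge values so the example is deterministic.
# Real peers and authenticators pick these at random (16 octets each).
PEER_CHALLENGE = bytes(range(0x00, 0x10))
AUTHENTICATOR_CHALLENGE = bytes(range(0x10, 0x20))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: bytes) -> bytes:
    """ChallengeHash() of RFC 2759 section 8.2: the first 8 octets of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName).  This is
    the DES challenge behind the NT-Response, so any byte of the name that
    differs between peer and server yields a different response."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + user_name).digest()
    return digest[:8]


def peer_hash_name(identity: str) -> str:
    """Name the peer feeds into ChallengeHash.  RFC 2759 states the user name
    is used as presented by the peer, excluding any prepended domain name,
    so 'DOMAIN\\user' contributes only 'user'."""
    return identity.rsplit("\\", 1)[-1]


def strip_domain(identity: str) -> str:
    r"""Python form of the thread's rewrite s/(.*)\\(.*)/$2/ : keep the part
    after the last backslash, leave names without a backslash alone."""
    return re.sub(r"(.*)\\(.*)", r"\2", identity)


def strip_realm(identity: str) -> str:
    """A different, hypothetical rewrite some sites use: drop '@realm'."""
    return identity.split("@", 1)[0]


def rewrite_preserves_response(identity: str, rewrite: Callable[[str], str]) -> bool:
    """Model of a server that feeds the *rewritten* name straight into
    ChallengeHash (an assumption for illustration; Radiator may keep the
    original identity for the hash).  True when peer and server still agree."""
    peer = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE,
                          peer_hash_name(identity).encode("utf-8"))
    server = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE,
                            rewrite(identity).encode("utf-8"))
    return peer == server


if __name__ == "__main__":
    # Constructed identities: a domain-prefixed name, a bare name, a UPN-style
    # name, and a mixed-case name, each run through a rewrite.
    for ident, rw in [("CORP\\mikem", strip_domain),
                      ("mikem", strip_domain),
                      ("mikem@corp.example", strip_realm),
                      ("Mikem", str.lower)]:
        ok = rewrite_preserves_response(ident, rw)
        print(f"{ident!r:>22} via {rw.__name__:<12}: "
              f"{'ok' if ok else 'NT-Response mismatch'}")
```

The practical check this suggests: before adding a `RewriteUsername`, confirm whether the rewrite only removes what the peer already leaves out of its own hash (a prepended domain) or actually changes the name, and test with a mixed-case or realm-qualified identity, where the mismatch first shows up as a reject that looks like a wrong password.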