I think the config below is fine now. (And MSCAHCAPV means MSCHAP-V2...) But I'm new to Radiator... So if anyone thinks I'm doing stupid things, please tell me before this thing goes into production.

The handler with EAPType=TLS is doing everything for the smartcards. I can even use a separate CA: the smartcard CA.

For Windows it handles automatic machine authentication host/pcxxx.x.y, user dom/username, with no realm, and manual user input [email protected] with realm x.y (necessary for eduroam).

Does this work by accident, or is everything OK like this? Specifying Realm= means Realm = NULL, I hope, and not Realm Default.

Regards,
Luc Vandenbroucke
System Engineer
SCK-CEN

... config file

    <AuthBy LSA>
        Identifier LSASCK
        UsernameMatchesWithoutRealm
        DefaultDomain SCK.BE
        #Group Administrators
        EAPType MSCHAP-V2
        AddToReply Trapeze-VLAN-Name="guest"
    </AuthBy>

    # Here I'm using a public CA and server certificate, for proxying through the eduroam network.
    <AuthBy LSA>
        Identifier LSAPEAP
        EAPType PEAP,TTLS
        DefaultDomain SCK.BE
        EAPTLS_CAFile %D/certificates/Addtrust/AddTrustChain.pem
        EAPTLS_CertificateFile %D/certificates/radius.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/radius.pvk
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        EAPTLS_PEAPVersion 0
        EAPTLS_PEAPBrokenV1Label
    </AuthBy>

    <Handler TunnelledByPEAP=1,Realm=sck.be>
        AuthBy LSASCK
    </Handler>

    # Empty realm when automatic login by Windows.
    <Handler TunnelledByPEAP=1,Realm=>
        AuthBy LSASCK
    </Handler>

    <Handler EAPType=PEAP,Realm=>
        AuthBy LSAPEAP
    </Handler>

    <Handler EAPType=PEAP,Realm=sck.be>
        AuthBy LSAPEAP
    </Handler>

    ....

    # Windows Smartcard authentication
    # I'm using an internal CA and server certificate, from the same CA that provides the smartcards.
    # This is only internally, because no outside company will trust our CA, but neither will they proxy or smartcard request.
    <Handler EAPType=TLS>
        Identifier HPEAPTLS
        <AuthBy FILE>
            Filename %D/users
            EAPType TLS
            EAPTLS_CAFile %D/certificates/sckCA/sckCA.pem
            EAPTLS_CertificateFile %D/certificates/pc2848.pem
            EAPTLS_CertificateType PEM
            EAPTLS_PrivateKeyFile %D/certificates/pc2848.pvk
            EAPTLS_PrivateKeyPassword whatever
            EAPTLS_MaxFragmentSize 1000
            AutoMPPEKeys
            EAPTLS_SessionResumption 0
            AddToReplyIfNotExist Trapeze-VLAN-Name="guest"
        </AuthBy>
    </Handler>

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Vandenbroucke Luc
Sent: Tuesday 21 June 2011 13:51
To: '[email protected]'
Subject: [RADIATOR] EAP-PEAP-MSCAHCAPV and EAP-PEAP-TLS ( smartcard)

Hi,

I would like to make the config usable for both EAP-PEAP protocols on Windows 7: Smartcard certificate and MSCHAPV2.

Is it possible to use a different outer handler and different inner handlers?

I do have two configuration files successfully working, one for eap-peap-tls (using AuthBy File) and the other eap-peap-mschap-v2 using AuthBy LSA. I just don't succeed putting them in one config (using the same realm).

Regards,
Luc Vandenbroucke
System Engineer
SCK*CEN
Belgium

SCK-CEN Disclaimer: http://www.sckcen.be/en/Legal-aspects/E-mail-disclaimer
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
