On 06/21/2012 10:08 AM, Garth Ladlow wrote:
> Hoping someone can point me in the right direction for the error EAP
> result: 1, EAP authentication is not permitted.
The request goes to an AuthBy that has no EAPType set. From the log:
Thu Jun 21 17:01:28 2012: DEBUG: Handling request with Handler
'User-Name=/ACD\\.+/ ', Identifier ''
...
Thu Jun 21 17:01:28 2012: DEBUG: Handling with Radius::AuthLDAP2: LDAP
From the config:
<Handler User-Name=/ACD\\.+/ >
...
AuthBy LDAP
<AuthBy LDAP2>
Identifier LDAP
There's no EAPType defined for this AuthBy.
I noticed you have AuthBy FILE with Identifier Peap_outer_file in the
config. Maybe the Handler above should use 'AuthBy Peap_outer_file' to
take care of EAP requests?
Heikki
> Thu Jun 21 17:01:28 2012: DEBUG: Packet dump:
> *** Received from 172.22.220.253 port 1645 ....
> Code: Access-Request
> Identifier: 186
> Authentic: B<211>/<133>xd<174><195><252><243><168><201>?<17><9>_
> Attributes:
>     NAS-IP-Address = 172.22.220.253
>     NAS-Port = 50009
>     NAS-Port-Type = Ethernet
>     User-Name = "ACD\gladl"
>     Called-Station-Id = "00-17-0E-74-26-09"
>     Calling-Station-Id = "00-21-70-9E-40-1F"
>     Service-Type = Framed-User
>     Framed-MTU = 1500
>     EAP-Message = <2><0><0><14><1>ACD\gladl
>     Message-Authenticator = <201>%{<7><203><209>u<180><254>b<171><186><219><233><12><240>
>
> Thu Jun 21 17:01:28 2012: DEBUG: Handling request with Handler 'User-Name=/ACD\\.+/ ', Identifier ''
> Thu Jun 21 17:01:28 2012: DEBUG: Rewrote user name to gladl
> Thu Jun 21 17:01:28 2012: DEBUG: Deleting session for ACD\gladl, 172.22.220.253, 50009
> Thu Jun 21 17:01:28 2012: DEBUG: Handling with Radius::AuthLDAP2: LDAP
> Thu Jun 21 17:01:28 2012: DEBUG: Handling with EAP: code 2, 0, 14, 1
> Thu Jun 21 17:01:28 2012: DEBUG: Response type 1
> Thu Jun 21 17:01:28 2012: DEBUG: EAP result: 1, EAP authentication is not permitted.
> Thu Jun 21 17:01:28 2012: DEBUG: AuthBy LDAP2 result: REJECT, EAP authentication is not permitted.
> Thu Jun 21 17:01:28 2012: INFO: Access rejected for gladl: EAP authentication is not permitted.
> Thu Jun 21 17:01:28 2012: DEBUG: Packet dump:
> *** Sending to 172.22.220.253 port 1645 ....
> Code: Access-Reject
> Identifier: 186
> Authentic: <166><254><10><133>'ZI<28>T;j<161><229><238>9<146>
> Attributes:
>     Reply-Message = "Request Denied"
>
> …
> …
>
> <AuthBy FILE>
>     Identifier Peap_outer_file
>
>     # The username of the outer authentication
>     # must be in this file to get anywhere. In this example,
>     # it requires an entry for 'anonymous' which is the standard username
>     # in the outer requests, and it also requires an entry for the
>     # actual user name who is trying to connect (ie the 'Login name' entered
>     # in the Funk Odyssey 'Edit Profile Properties' page
>     Filename %D/users
>
>     # EAPType sets the EAP type(s) that Radiator will honour.
>     # Options are: MD5-Challenge, One-Time-Password
>     # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>     # Multiple types can be comma separated. With the default (most
>     # preferred) type given first
>     EAPType MD5-Challenge, PEAP
>
>     # EAPTLS_CAFile is the name of a file of CA certificates
>     # in PEM format. The file can contain several CA certificates
>     # Radiator will first look in EAPTLS_CAFile then in
>     # EAPTLS_CAPath, so there usually is no need to set both
>     #EAPTLS_CAFile /etc/radius/certificates/DigiCertCA2.crt
>     EAPTLS_CAFile /etc/radius/certificates/AustarCA.cer
>
>     # EAPTLS_CertificateFile is the name of a file containing
>     # the server's certificate. EAPTLS_CertificateType
>     # specifies the type of the file. Can be PEM or ASN1
>     # defaults to ASN1
>     EAPTLS_CertificateFile /etc/radius/certificates/certnew.cer
>     EAPTLS_CertificateType PEM
>
>     # EAPTLS_PrivateKeyFile is the name of the file containing
>     # the server's private key. It is sometimes in the same file
>     # as the server certificate (EAPTLS_CertificateFile)
>     # If the private key is encrypted (usually the case)
>     # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>     EAPTLS_PrivateKeyFile /etc/radius/certificates/lab-rat.dsa_austar_com_au.key
>     #EAPTLS_PrivateKeyPassword whatever
>
>     # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>     # size that will be replied by Radiator. It must be small
>     # enough to fit in a single Radius request (ie less than 4096)
>     # and still leave enough space for other attributes
>     # Aironet APs seem to need a smaller MaxFragmentSize
>     # (eg 1024) than the default of 2048. Others need even smaller sizes.
>     EAPTLS_MaxFragmentSize 1000
>
>     # Some clients, depending on their configuration, may require you to specify
>     # MPPE send and receive keys. This _will_ be required if you select
>     # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
>     # client Network Properties dialog.
>     # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>     # in the final Access-Accept
>     AutoMPPEKeys
>
>     # You can control which version of the draft PEAP protocol to honour
>     # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
>     # such as Funk Odyssey Client 2.22 or later.
>     EAPTLS_PEAPVersion 0
> </AuthBy>
>
> <AuthBy LDAP2>
>     Identifier LDAP
>     BaseDN DC=acd,DC=internal
>     AuthDN xxx@xxxxxxx
>     AuthPassword xxxxxx
>     ServerChecksPassword
>     NoDefault
>     Timeout 9
>     FailureBackoffTime 90
>     Host xxxxxxx
>     Version 3
>     UsernameAttr sAMAccountName
>     #AuthAttrDef extensionAttribute10, Tunnel-Private-Group-ID,reply
>     AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=Ether_802, Tunnel-Private-Group-ID=220
> </AuthBy>
>
> <AuthBy LDAP2>
>     Identifier LDAP_machine
>     BaseDN DC=acd,DC=internal
>     AuthDN xxxx@xxxx
>     AuthPassword xxxxxxxxxxxx
>     ServerChecksPassword
>     NoDefault
>     Timeout 9
>     FailureBackoffTime 90
>     Host xxxxxxxxxxxx
>     Version 3
>     UsernameAttr sAMAccountName
>     #AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=Ether_802, Tunnel-Private-Group-ID=222
> </AuthBy>
>
> ############################################################
>
> <AuthBy FILE>
>     Identifier Peap_inner_file
>     # Don't really need this
>     # Filename %D/users
>
>     # This tells the PEAP client what types of inner EAP requests
>     # we will honour
>     EAPType MSCHAP-V2
>
>     # This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2 request into
>     # an ordinary Radius-MSCHAPV2 request and redespatch it to a Handler
>     # that matches ConvertedFromEAPMSCHAPV2=1 (see above)
>     EAP_PEAP_MSCHAP_Convert 1
> </AuthBy>
>
> #############################################################
> #############################################################
> #
> # Handlers
> #
> #############################################################
> #############################################################
>
> # This is where the inner EAP-MSCHAPV2 request appears, after being converted to
> # a conventional Radius-MSCHAPV2 request. You can proxy or handle locally.
> # Since it's an ordinary Radius request, it can be proxied to non-EAP capable Radius
> # servers.
> <Handler ConvertedFromEAPMSCHAPV2=1>
>     AuthBy LDAP
> </Handler>
>
> <Handler TunnelledByPEAP=1>
>     AddToRequest Handler-used="TunnelledByPEAP=1"
>     AuthBy Peap_inner_file
> </Handler>
>
> <Handler User-Name=/host\/.+/ >
>     #dot1x auth on visitor switch
>     RewriteUsername s/(.*)\/(.*)/$2/
>     RewriteUsername s/.acd.internal//
>     AuthBy LDAP_machine
>     RejectHasReason
>     AcctLogFileName %L/detail
> </Handler>
>
> <Handler User-Name=/ACD\\.+/ >
>     #dot1x auth on visitor switch
>     RewriteUsername s/(.*)\\(.*)/$2/
>     AuthBy LDAP
>     #RejectHasReason
>     AcctLogFileName %L/detail
> </Handler>
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator
--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
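Heikki's diagnosis above (the Handler matched, but it hands the EAP request to an AuthBy with no EAPType) can be checked mechanically before a config goes live. The script below is an added example for this thread, not code from Radiator or from either poster: it parses a condensed, constructed copy of the posted configuration (comments dropped, credentials and hosts removed), selects the Handler a request would hit, and flags every referenced AuthBy that lacks EAPType while the request carries EAP-Message. FIXED_CONFIG applies Heikki's suggested `AuthBy Peap_outer_file` as an assumption about the intended fix; the request attributes are constructed from the posted packet dump, and the shape of the converted inner MSCHAPV2 request (no EAP-Message attribute) is likewise assumed from the comments in the posted config. The parser only understands the subset of Radiator syntax used here (top-level AuthBy and Handler blocks, `Attr=value` and `Attr=/regex/` check items), not inline AuthBy blocks or the full check-item grammar.

```python
# Added example (not Radiator code): a Handler that sends an EAP-Message
# request to an AuthBy without EAPType gets exactly the reject in the posted
# log. Pick the Handler a request selects and report such AuthBys.
import re

# Constructed, condensed copy of the posted config (comments dropped,
# credentials removed). Handler order is kept: Radiator tries them in order.
POSTED_CONFIG = r'''
<AuthBy FILE>
    Identifier Peap_outer_file
    Filename %D/users
    EAPType MD5-Challenge, PEAP
    EAPTLS_CertificateFile /etc/radius/certificates/certnew.cer
    EAPTLS_PEAPVersion 0
</AuthBy>
<AuthBy LDAP2>
    Identifier LDAP
    BaseDN DC=acd,DC=internal
    ServerChecksPassword
    UsernameAttr sAMAccountName
</AuthBy>
<Handler ConvertedFromEAPMSCHAPV2=1>
    AuthBy LDAP
</Handler>
<Handler User-Name=/ACD\\.+/ >
    RewriteUsername s/(.*)\\(.*)/$2/
    AuthBy LDAP
</Handler>
'''
# Heikki's suggestion applied as an assumption: outer EAP goes to the AuthBy
# that has EAPType set, so the PEAP tunnel can be built.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "/$2/\n    AuthBy LDAP", "/$2/\n    AuthBy Peap_outer_file")
# Constructed from the posted Access-Request (an EAP Identity response).
OUTER_EAP_REQUEST = {
    "User-Name": "ACD\\gladl",
    "EAP-Message": "<2><0><0><14><1>ACD\\gladl",
}
# Assumed shape of the inner request after EAP_PEAP_MSCHAP_Convert: plain
# RADIUS MSCHAPV2 with no EAP-Message, so AuthBy LDAP needs no EAPType.
INNER_CONVERTED_REQUEST = {"User-Name": "gladl", "ConvertedFromEAPMSCHAPV2": "1"}


def parse_config(text):
    """Return (AuthBys keyed by Identifier or type, Handlers in config order)."""
    authbys, handlers, block = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<AuthBy\s+(\w+)\s*>", line)
        if m:
            block = {"kind": "AuthBy", "type": m.group(1), "params": {}}
            continue
        m = re.match(r"<Handler\s*(.*?)\s*>", line)
        if m:
            block = {"kind": "Handler", "check": m.group(1), "authby": [], "params": {}}
            continue
        if line in ("</AuthBy>", "</Handler>"):
            if block and block["kind"] == "AuthBy":
                authbys[block["params"].get("Identifier", block["type"])] = block
            elif block:
                handlers.append(block)
            block = None
        elif block is not None:
            key, _, value = line.partition(" ")
            if block["kind"] == "Handler" and key == "AuthBy":
                block["authby"].append(value.strip())  # may appear several times
            else:
                block["params"][key] = value.strip()
    return authbys, handlers


def handler_matches(check, attrs):
    """All comma-separated Attr=value or Attr=/regex/ items must match."""
    for item in filter(None, (c.strip() for c in check.split(","))):
        attr, _, expected = item.partition("=")
        actual = attrs.get(attr.strip())
        if actual is None:
            return False
        expected = expected.strip()
        if len(expected) >= 2 and expected[0] == expected[-1] == "/":
            if not re.search(expected[1:-1], actual):
                return False
        elif actual != expected:
            return False
    return True


def lint_eap_routing(config_text, attrs):
    """Select the first matching Handler; flag AuthBys that would reject EAP."""
    authbys, handlers = parse_config(config_text)
    handler = next((h for h in handlers if handler_matches(h["check"], attrs)), None)
    if handler is None:
        return None, [("NO_HANDLER", "")]
    findings = []
    for name in handler["authby"]:
        authby = authbys.get(name)
        if authby is None:
            findings.append(("UNKNOWN_AUTHBY", name))
        elif "EAP-Message" in attrs and "EAPType" not in authby["params"]:
            findings.append(("EAP_NOT_PERMITTED", name))
    return handler["check"], findings
```

Running `lint_eap_routing(POSTED_CONFIG, OUTER_EAP_REQUEST)` reproduces the posted failure as a finding against AuthBy LDAP; the same call against FIXED_CONFIG returns no findings, and the converted inner request still routes to AuthBy LDAP without needing EAPType, which is why Heikki's change affects only the outer Handler.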