Hi Alan,
The config is pretty straightforward. Here you go:
# User check from user file
<AuthBy FILE>
Identifier user-file-auth
# Location of the users file
Filename %D/users
# Supported EAP Types and session info
EAPType PEAP,TLS,MSCHAP-V2
EAPTLS_MaxFragmentSize 1024
EAPTLS_SessionResumptionLimit 60
# Certificate Info
EAPTLS_CAFile %D/certs/ca.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certs/%h.pem
EAPTLS_CertificateChainFile %D/certs/%h.pem
# This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2
# request into an ordinary Radius-MSCHAPV2 request and redespatch to a
# Handler that matches ConvertedFromEAPMSCHAPV2=1
EAP_PEAP_MSCHAP_Convert 1
# Deal with MPPE keys
AutoMPPEKeys
</AuthBy>
From: Alan Buxey [mailto:[email protected]]
Sent: Saturday, July 27, 2013 7:22 AM
To: Garry Shtern; '[email protected]'
Subject: Re: [RADIATOR] PEAP from Radiator via Juniper switches
config?
alan
-------- Original message --------
From: Garry Shtern <[email protected]>
Date: 26/07/2013 22:40 (GMT+00:00)
To: [email protected]
Subject: [RADIATOR] PEAP from Radiator via Juniper switches
All,
I ran into an interesting issue. I am trying to do PEAP/MSCHAPv2 via Juniper
EX switch to Radiator. I am seeing the Access-Request come in, and Radiator
responds with Access-Challenge which is dropped by the EX. However, I have the
same switch pointing to Microsoft NPS and everything works flawlessly.
Looking over packet captures and debugs on the Radiator I noticed the following
difference in responses:
- NPS returns "Authenticator" and the following AVPs:
    o Session-Timeout
    o EAP-Message w/ EAP Request 1, Id 1, Type 25 (PEAP), Start Flag and PEAP version 0
    o State
    o Message-Authenticator
- Radiator returns "Authenticator" and none of the AVPs.
I am suspecting that Juniper EX has an issue with this and that's why it's
dropping the frames, while Cisco IOS switch is absolutely fine and forwards the
traffic back to the client w/o much of a consideration.
Is there any easy way to force Radiator to add the same attributes to the
Challenge as NPS?
Thanks.
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
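
Added example, not part of the original thread and not Radiator, NPS or Juniper code: a small checker for the comparison described above. It reports whether an Access-Challenge carries EAP-Message, State and Message-Authenticator, and whether the Message-Authenticator verifies per RFC 3579. The function names, shared secret and sample packets are constructed for illustration.

```python
import hashlib, hmac, struct

ACCESS_CHALLENGE = 11
STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 24, 79, 80

def parse_attributes(packet):
    """Return (type, value_offset, value) for every AVP in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        alen = packet[pos + 1]
        attrs.append((packet[pos], pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def check_challenge(packet, request_auth, secret):
    """Report which AVPs an Access-Challenge carries and whether its
    Message-Authenticator verifies (RFC 3579 section 3.2)."""
    if packet[0] != ACCESS_CHALLENGE:
        raise ValueError("not an Access-Challenge")
    attrs = parse_attributes(packet)
    present = {t for t, _, _ in attrs}
    report = {"eap_message": EAP_MESSAGE in present, "state": STATE in present,
              "message_authenticator": MESSAGE_AUTHENTICATOR in present,
              "message_authenticator_valid": False}
    for atype, off, value in attrs:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            # HMAC-MD5 over the reply, with the Request Authenticator in the
            # header and the Message-Authenticator value zeroed.
            end = struct.unpack("!H", packet[2:4])[0]
            msg = packet[:4] + request_auth + packet[20:off] + bytes(16) + packet[off + 16:end]
            mac = hmac.new(secret, msg, hashlib.md5).digest()
            report["message_authenticator_valid"] = hmac.compare_digest(mac, value)
    return report

def build_challenge(ident, request_auth, secret, avps, sign=True):
    """Construct a sample Access-Challenge (test data, not a capture)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    if sign:
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    head = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(body))
    if sign:
        mac = hmac.new(secret, head + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body
```

Feed check_challenge the raw UDP payload of the reply, the 16-byte Authenticator from the matching Access-Request, and the shared secret configured for that client.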