(RADIATOR) 802.1x Peap

José Borges Ferreira jcbf at accao.net
Fri Nov 29 09:26:00 CST 2002


Hi!

We are trying to use eap_peap auth with Radiator, Win2k client and a
Cisco AP350.

It works fine when we use the eap_peap.cfg from the goodies dir.

For our second stage I've tried to move the authentication to SQL. To
do that I changed the default Handler to use AuthBy SQL and left the
anonymous (TunnelledByPEAP=1) Handler with AuthBy FILE. That also
worked fine.
Then I removed all the entries from the users file and left only the
anonymous entry. When I did this the authentication stopped working. Then
I "moved" the anonymous Handler to AuthSQL and it worked again. Since I
want to check some attributes, I added an "AuthColumnDef   1,GENERIC,check"
in the default handler. Apparently nothing is checked and the user is
always authenticated.

By this time I've returned to AuthBy FILE on both Handlers and tried to
check the attribute on the user, namely:
anonymous at some.other.realm
mikem   User-Password = "fred",cisco-avpair="ssid=tsunami"

By this time the "anonymous" was denied and the authentication failed.
The strange part is that the anonymous user was denied because of the
second checked attribute (cisco-avpair), as shown in the logs:
Code:       Access-Request
Identifier: UNDEF
Authentic: 
<239><181><202><164>K<245>j<31><243><9><229>7?<131><128><154>
Attributes:
        EAP-Message =
<2><13><0><<26><2><13><0>;1<211>T<209>1<7><163><194>Ni=<17><1><220><234><249>W<0><0><0><0><0><0><0><0><2><247><4><245>&<167><136>{<154><181><169><208><255>I<132><230>?<143><239><166><221><194><146>8<0>mikem
        User-Name = "anonymous at some.other.realm"
        NAS-IP-Address = 192.168.51.105
        NAS-Identifier = "AP350-5af24e"
        NAS-Port = 37
        Calling-Station-Id = "00022d2b80bf"

Fri Nov 29 13:27:54 2002: DEBUG: Handling request with Handler
'TunnelledByPEAP=1'
Fri Nov 29 13:27:54 2002: DEBUG:  Deleting session for , 192.168.51.105,
37
Fri Nov 29 13:27:54 2002: DEBUG: Handling with Radius::AuthFILE:
Fri Nov 29 13:27:54 2002: DEBUG: Handling with EAP: code 2, 13, 60
Fri Nov 29 13:27:54 2002: DEBUG: Response type 26
Fri Nov 29 13:27:54 2002: DEBUG: Radius::AuthFILE looks for match with
mikem
Fri Nov 29 13:27:54 2002: DEBUG: Radius::AuthFILE REJECT: Check item
cisco-avpair expression 'ssid=tsunami2' does not match '' in request
Fri Nov 29 13:27:54 2002: INFO: Access rejected for
anonymous at some.other.realm: EAP MSCHAP V2 failed
Fri Nov 29 13:27:54 2002: DEBUG: Access challenged for mikem: EAP PEAP
inner authentication redespatched to a Handler
Fri Nov 29 13:27:54 2002: DEBUG: Packet dump:
*** Sending to 192.168.51.105 port 1164 ....

Any idea?

José Borges Ferreira
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.