(RADIATOR) PEAP config and proxying
Hugh Irvine
hugh at open.com.au
Mon Apr 14 19:20:28 CDT 2003
Hello Rute Sofia -
I suspect your configuration file needs to be changed somewhat, as you
cannot mix Realms and Handlers as you show below. You should change
everything to Handlers like this:
<Handler TunnelledByPEAP=1>
<AuthBy FILE>
# anonymous-PEAP must be in here:
Filename /tmp/users
# This tells the PEAP client what types of inner EAP requests
# we will honour
EAPType MSCHAP-V2
</AuthBy>
</Handler>
<Handler Realm = mydomain.xpto>
<AuthBy FILE>
Filename /tmp/users
EAPType PEAP
EAPTLS_CAFile /etc/radius/cert/demoCA/cacert.pem
EAPTLS_CertificateFile /etc/radius/cert/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/radius/cert/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1024
AutoMPPEKeys
</AuthBy>
</Handler>
#proxies other requests
<Handler>
<AuthBy RADIUS>
Host central-radius.mydomain.xpto
Secret xxxxxx
AuthPort xxx
Retries 3
</AuthBy>
</Handler>
regards
Hugh
On Monday, Apr 14, 2003, at 22:22 Australia/Melbourne, Rute Sofia wrote:
> Hi,
>
> I'm trying to use PEAP with radiator, under the following scenario
> (the basic eap_peap config is working):
>
> I want users within my domain mydomain.xpto to authenticate locally
> (for now, a text file), and requests from users outside this domain,
> to be forwarded to another server.
>
> The radius.cfg I use is below. I'm having a problem with the
> "anonymous" user: because it is not within my realm, the request is
> forwarded by default to the central radius server and hence,
> authentication gets rejected. How can I avoid this, what exactly am I
> doing wrong?
>
> Radius.cfg:
>
> <Handler TunnelledByPEAP=1>
> <AuthBy FILE>
> # anonymous-PEAP must be in here:
> Filename /tmp/users
> # This tells the PEAP client what types of inner EAP requests
> # we will honour
> EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
>
> <Realm mydomain.xpto>
> <AuthBy FILE>
> Filename /tmp/users
> EAPType PEAP
> EAPTLS_CAFile /etc/radius/cert/demoCA/cacert.pem
> EAPTLS_CertificateFile /etc/radius/cert/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /etc/radius/cert/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 1024
> AutoMPPEKeys
> </AuthBy>
> </Realm>
>
> #proxies other requests
> <Realm DEFAULT>
> <AuthBy RADIUS>
> Host central-radius.mydomain.xpto
> Secret xxxxxx
> AuthPort xxx
> Retries 3
> </AuthBy>
> </Realm>
>
>
> Regards,
> Rute Sofia
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
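An added example, not part of the original thread and not Radiator's own code: a small Python check that flags a configuration mixing `<Realm>` and `<Handler>` clauses, and shows which Handler a request would reach in the all-Handler layout from the reply. The matching in `select_handler` is a simplified assumption (first matching Handler in file order, one `Attr=value` check per Handler, `Realm` taken from the part of `User-Name` after `@`); the function names and sample requests are hypothetical.

```python
import re

# Constructed sample: the mixed Realm/Handler layout from the question, trimmed.
MIXED_CFG = """\
<Handler TunnelledByPEAP=1>
</Handler>
<Realm mydomain.xpto>
</Realm>
<Realm DEFAULT>
</Realm>
"""
# Constructed sample: the all-Handler layout from the reply, trimmed.
HANDLER_CFG = """\
<Handler TunnelledByPEAP=1>
</Handler>
<Handler Realm = mydomain.xpto>
</Handler>
<Handler>
</Handler>
"""

CLAUSE = re.compile(r"^\s*<(Realm|Handler)\b([^>]*)>", re.M)

def clauses(cfg):
    """Return [(kind, selector)] for each Realm/Handler clause, in file order."""
    return [(m.group(1), m.group(2).strip()) for m in CLAUSE.finditer(cfg)]

def mixes_realms_and_handlers(cfg):
    """True when the file contains both clause kinds, the layout the reply rejects."""
    return {kind for kind, _ in clauses(cfg)} == {"Realm", "Handler"}

def select_handler(cfg, request):
    """Simplified model (assumption): return the index of the first Handler whose
    single Attr=value check matches; a Handler with no check matches everything."""
    attrs = dict(request)
    attrs["Realm"] = attrs.get("User-Name", "").partition("@")[2]
    for index, (kind, selector) in enumerate(clauses(cfg)):
        if kind != "Handler":
            continue
        if not selector:
            return index
        name, _, value = (part.strip() for part in selector.partition("="))
        if attrs.get(name) == value:
            return index
    return None

if __name__ == "__main__":
    print("mixed config flagged:", mixes_realms_and_handlers(MIXED_CFG))
    print("outer 'anonymous' reaches Handler", select_handler(HANDLER_CFG, {"User-Name": "anonymous"}))
```

Under this model an outer identity with no realm, such as a bare `anonymous`, falls through to the final catch-all Handler, so the order of the clauses and the realm on the outer identity both decide where a request ends up.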