(RADIATOR) Re: EAP-TLS on Cisco Ap350 series (NOT Ap 340)
Mike McCauley
mikem at open.com.au
Wed Apr 23 18:36:34 CDT 2003
Hello Bon,
On Thu, 24 Apr 2003 02:33 am, Bon sy wrote:
> Hi Mike,
>
> Thanks for the info. I have installed Digest-MD4. I have two
> questions: one about EAP-PEAP and one about EAP-MD5.
>
> Question about EAP-PEAP:
> I got it to work with auth by through "users" file (version
> 1 below).
>
> Version 1:
> <Handler TunnelledByPEAP=1>
> <AuthBy FILE>
> Filename %D/users
> EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
>
> <Handler NAS-IP-Address = xxx.xxx.xxx.xxx> #Request from the AP
> <AuthBy FILE>
> Filename %D/users
>
> # Standard EAP stuff
> </AuthBy>
> </Handler>
>
> What I would like to do is to have "anonymous" inner auth
> through auth by "users" file, while the actual authentication is done through
> the user/pass info in an Oracle database. I tried the following but
> failed. What did I do wrong?
In order to authenticate PEAP-EAP-MSCHAPV2, Radiator _must_ have access to a
plaintext password. This means it is impossible to make it work with Unix
crypt passwords (this is not a Radiator limitation: it is logically
impossible).
If you wanted to authenticate the outer with a flat file, and the inner with
say SQL (where the SQL database contains a plaintext password), you would do
something like this:
# This handles the inner authentication
<Handler TunnelledByPEAP=1>
<AuthBy SQL>
EAPType MSCHAP-V2
# usual SQL stuff.....
</AuthBy>
</Handler>
# This handles the outer auth
<Handler NAS-IP-Address = 192.168.123.102> #Request from the AP
<AuthBy FILE>
Filename %D/users
# Standard EAP stuff.....
</AuthBy>
</Handler>
Hope that helps.
Cheers.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
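A filled-in version of the inner/outer handler split from the reply above, added here as an example configuration that is not from the thread or from the Radiator distribution. It assumes an Oracle database reachable through DBD::Oracle as "dbi:Oracle:radiusdb" with a SUBSCRIBERS(USERNAME, PASSWORD) table holding plaintext passwords, server certificates under %D/certificates, and an access point at 192.168.123.102; all of these values are assumptions.

```apacheconf
# Added example config (not from the thread or the Radiator distribution).
# Assumed: Oracle reached via DBD::Oracle, table SUBSCRIBERS(USERNAME, PASSWORD)
# holding plaintext passwords, certificates under %D/certificates, AP at
# 192.168.123.102.

# Inner (tunnelled) authentication: MSCHAP-V2 against the Oracle database.
# MSCHAP-V2 can only be verified when PASSWORD is plaintext; a crypt(3)
# hash in this column can never match, whatever the rest of the config does.
<Handler TunnelledByPEAP=1>
	<AuthBy SQL>
		DBSource	dbi:Oracle:radiusdb
		DBUsername	radius
		DBAuth		example-db-password
		# Single returned column is treated as the check password
		AuthSelect	select PASSWORD from SUBSCRIBERS where USERNAME=%0
		EAPType		MSCHAP-V2
	</AuthBy>
</Handler>

# Outer authentication: the identity the AP forwards in the clear.
# Only the TLS tunnel is set up here; the real credential check is inner.
<Handler NAS-IP-Address = 192.168.123.102>
	<AuthBy FILE>
		Filename %D/users
		EAPType PEAP
		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever
		EAPAnonymous anonymous
	</AuthBy>
</Handler>
```

The users file referenced by the outer handler only needs an entry matching the outer identity; it never sees the inner MSCHAP-V2 exchange, so the crypt-vs-plaintext constraint applies solely to the PASSWORD column read by the inner AuthBy SQL.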