(RADIATOR) PEAP and NT Domain auth
Mike McCauley
mikem at open.com.au
Mon Dec 15 17:14:20 CST 2003
Hello Chuck,
On Tue, 16 Dec 2003 02:06 am, Chuck Byam wrote:
> I can get nt domain auth working and peap against a local file, but how
> does one configure peap and nt together? It appears that it doesn't know
> how to handle the inner request for anonymous.
In order to use PEAP-MSCHAPV2 with windows NT passwords, you will need to use
the new AuthBy LSA module included as part of Radiator 3.7 and later.
Cheers.
>
> Thanks,
> ----
> Chuck Byam
>
> ============
>
> Foreground
> LogStdout
> LogDir /var/log/radius
> DbDir /etc/radiator
> # Use a low trace level in production systems. Increase
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> Trace 5
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
>
> <Client 10.4.40.31>
> Secret mysecret
> </Client>
>
> <Client 127.0.0.1>
> Secret mysecret
> </Client>
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> <Handler TunnelledByPEAP=1>
> <AuthBy FILE>
> Filename %D/users
>
> # This tells the PEAP client what types of inner EAP requests
> # we will honour
> EAPType PEAP
>
> # This will set up some standard reply items for
> # your NAS, you may need others for your NAS
> DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
>
> # This tells the PEAP client what types of inner EAP requests
> # we will honour
> EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
>
>
> # Handles all realms:
> <Handler>
> <AuthBy FILE>
> Filename %D/users
> EAPType PEAP
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 1024
> AutoMPPEKeys
> SSLeayTrace 4
>
> # You can configure the User-Name that will be used for the inner
> # authentication. Defaults to 'anonymous'. This can be useful
> # when proxying the inner authentication. If there is a realm, it can
> # be used to choose a local Realm to handle the inner authentication.
> # %0 is replaced with the EAP identity
> # EAPAnonymous anonymous at localhost
> </AuthBy>
>
> # Log accounting to the detail file in LogDir
> AcctLogFileName ./detail
> </Handler>
>
>
> Mon Dec 15 09:28:58 2003: DEBUG: Handling request with Handler ''
> Mon Dec 15 09:28:58 2003: DEBUG: Deleting session for crb6x, 10.4.40.31, 29
> Mon Dec 15 09:28:58 2003: DEBUG: Handling with Radius::AuthFILE:
> Mon Dec 15 09:28:58 2003: DEBUG: Handling with EAP: code 2, 252, 87
> Mon Dec 15 09:28:58 2003: DEBUG: Response type 25
> Mon Dec 15 09:28:58 2003: DEBUG: EAP PEAP inner authentication request for anonymous
> Mon Dec 15 09:28:58 2003: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: r<127>o <22><246>i<132><248>L<151>C<18><186>w$
> Attributes:
> EAP-Message =
> <2><252><0><<26><2><252><0>;1<130><137><184><191>"<135><192>`<28><224><203>
>?<207><10><251>%<0><0><0><0><0><0><0><0>:<237>}V<156><171>.<178><205>I<27><2
>23>z<169>c<152>>FMi<177><227><217>5<0>crb6x Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> User-Name = "anonymous"
> NAS-IP-Address = 10.4.40.31
> NAS-Port = 29
> Calling-Station-Id = "004096432B05"
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
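Putting the answer together with the posted configuration, as an added example that is not from the original post or from the Radiator distribution: the inner PEAP handler switched from AuthBy FILE to AuthBy LSA. It assumes Radiator 3.7 or later running on a Windows host that is a member of the NT domain (AuthBy LSA calls the Windows LSA API, so it does not work on Unix), keeps the global settings and Client clauses from the posted config, and the Domain value is a placeholder to replace with your own domain name.

```conf
# The inner handler is listed first: Radiator uses the first Handler whose
# check items match, so the specific TunnelledByPEAP=1 handler must come
# before the catch-all <Handler> below.

# Inner (tunnelled) request: arrives with User-Name "anonymous" while the
# EAP identity carries the real user (crb6x in the posted debug log).
# AuthBy LSA verifies the EAP-MSCHAPV2 response against the NT domain.
<Handler TunnelledByPEAP=1>
	<AuthBy LSA>
		# Placeholder: the NT domain to authenticate against
		Domain EXAMPLEDOM
		# Inner EAP type the PEAP client is offered
		EAPType MSCHAP-V2
		DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
	</AuthBy>
</Handler>

# Outer request: terminates the PEAP TLS tunnel. Any AuthBy can do this, so
# AuthBy FILE and the certificate settings from the posted config are kept.
<Handler>
	<AuthBy FILE>
		Filename %D/users
		EAPType PEAP
		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever
		EAPTLS_MaxFragmentSize 1024
		AutoMPPEKeys
	</AuthBy>
	AcctLogFileName ./detail
</Handler>
```

The posted Trace 5 and SSLeayTrace 4 settings are omitted here; as the posted config's own comment says, use a low trace level in production and raise it only while debugging.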