(RADIATOR) LDAP and PEAP
Hugh Irvine
hugh at open.com.au
Fri Dec 19 17:53:50 CST 2003
Hello Berndt -
You cannot put a Realm clause inside a Handler.
It should look like this:
<Handler TunnelledByPEAP=1>
RewriteUsername s/^(.*)\\(.*)/$2/
<AuthBy LDAP2>server
Host 10.2.4.21
AuthDN cn=admin, dc=tgm, dc=ac, dc=at
AuthPassword password
BaseDN dc=tgm, dc=ac, dc=at
UsernameAttr cn
PasswordAttr ntPassword
Debug 255
EAPType MSCHAP-V2
</AuthBy>
</Handler>
There has been quite a bit of discussion on the mailing list, so you
should check the archive:
www.open.com.au/archives/radiator
regards
Hugh
On 20/12/2003, at 5:59 AM, Sevcik Berndt wrote:
> I am really new to radiator and have problems understanding the
> configuration files. I tried the ldap.cfg config and it works (with
> fred/fred). I tried the eap_peap.cfg and it worked too (mikem/fred). Then I
> tried to connect the two and now the problems start. Can someone help
> me to build my first configuration, from which I can then go further on.
>
> Here is my non-working config (PEAP with MS-CHAPv2 and LDAP):
>
> Foreground
> LogStdout
> LogDir .
> DbDir .
>
> Trace 4
>
> <Client DEFAULT>
> Secret xxx
> DupInterval 0
> </Client>
>
> <Handler TunnelledByPEAP=1>
>
> RewriteUsername s/^(.*)\\(.*)/$2/
>
> <Realm DEFAULT>
> <AuthBy LDAP2>server
> Host 10.2.4.21
> AuthDN cn=admin, dc=tgm, dc=ac, dc=at
> AuthPassword password
> BaseDN dc=tgm, dc=ac, dc=at
> UsernameAttr cn
> PasswordAttr ntPassword
> Debug 255
> EAPType MSCHAP-V2
> </AuthBy>
> </Realm>
> </Handler>
>
> <Handler>
> <AuthBy FILE>
> Filename %D/users
> EAPType PEAP
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> SSLeayTrace 4
> </AuthBy>
> </Handler>
>
> The output:
>
> Fri Dec 19 20:49:23 2003: DEBUG: Packet dump:
> *** Received from 10.2.12.101 port 1112 ....
> Code: Access-Request
> Identifier: 152
> Authentic: <238>C<0><0>k<26><0><0>K@<0><0>F><0><0>
> Attributes:
> Message-Authenticator =
> [<239><212><138>Ebm!m<199>:<167><10><233><153><25>
> User-Name = "ACER-SEVCIK\sevcikb"
> NAS-IP-Address = 10.2.12.101
> NAS-Port = 2
> NAS-Port-Type = Wireless-IEEE-802-11
> Calling-Station-Id = "00-04-23-77-4b-a3"
> EAP-Message = <2><2><0><24><1>ACER-SEVCIK\sevcikb
> Framed-MTU = 1000
>
> Fri Dec 19 20:49:23 2003: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Dec 19 20:49:23 2003: DEBUG: Deleting session for
> ACER-SEVCIK\sevcikb, 10.2.12.101, 2
> Fri Dec 19 20:49:23 2003: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Dec 19 20:49:23 2003: DEBUG: Handling with EAP: code 2, 2, 24
> Fri Dec 19 20:49:23 2003: DEBUG: Response type 1
> Fri Dec 19 20:49:23 2003: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Fri Dec 19 20:49:23 2003: DEBUG: Access challenged for
> ACER-SEVCIK\sevcikb: EAP MSCHAP-V2 Challenge
> Fri Dec 19 20:49:23 2003: DEBUG: Packet dump:
> *** Sending to 10.2.12.101 port 1112 ....
> Code: Access-Challenge
> Identifier: 152
> Authentic: <238>C<0><0>k<26><0><0>K@<0><0>F><0><0>
> Attributes:
> EAP-Message =
> <1><3><0>#<26><1><3><0><30><16><202>;
> +YY<227><233>KJ<136>[<172><159><197><147><130>ITS-Test1
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Fri Dec 19 20:49:23 2003: DEBUG: Packet dump:
> *** Received from 10.2.12.101 port 1112 ....
> Code: Access-Request
> Identifier: 153
> Authentic: <190>(<0><0><213><18><0><0>><18><0><0><153>r<0><0>
> Attributes:
> Message-Authenticator =
> 2avy<165>Y<232><175>Y9<195><144><180>Hk<161>
> User-Name = "ACER-SEVCIK\sevcikb"
> State = ""
> NAS-IP-Address = 10.2.12.101
> NAS-Port = 2
> NAS-Port-Type = Wireless-IEEE-802-11
> Calling-Station-Id = "00-04-23-77-4b-a3"
> Framed-MTU = 1000
> EAP-Message = <2><3><0><6><3><25>
>
> Fri Dec 19 20:49:23 2003: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Dec 19 20:49:23 2003: DEBUG: Deleting session for
> ACER-SEVCIK\sevcikb, 10.2.12.101, 2
> Fri Dec 19 20:49:23 2003: DEBUG: Handling with Radius::AuthLDAP2:
> Fri Dec 19 20:49:23 2003: DEBUG: Handling with EAP: code 2, 3, 6
> Fri Dec 19 20:49:23 2003: DEBUG: Response type 3
> Fri Dec 19 20:49:23 2003: INFO: EAP Nak desires type 25
> Fri Dec 19 20:49:23 2003: DEBUG: EAP result: 1, Desired EAP type 25 not
> permitted
> Fri Dec 19 20:49:23 2003: INFO: Access rejected for
> ACER-SEVCIK\sevcikb:
> Desired EAP type 25 not permitted
> Fri Dec 19 20:49:23 2003: DEBUG: Packet dump:
> *** Sending to 10.2.12.101 port 1112 ....
> Code: Access-Reject
> Identifier: 153
> Authentic: <190>(<0><0><213><18><0><0>><18><0><0><153>r<0><0>
> Attributes:
> Reply-Message = "Request Denied"
>
> Thanks
> Berndt
>
> --
> This message was created with the kind support of a free-range
> penguin from species-appropriate outdoor husbandry.
> It is guaranteed free of Microsoft viruses.
>
> -----------------------------------------
> TGM - Die Schule der Technik
> IT-Service
> A-1200 Wien, Wexstr. 19-23
> Tel. +43(1)33126/316 Fax: +43(1)33126/154
> E-Mail: berndt.sevcik at tgm.ac.at
> -----------------------------------------
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
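An added check, written for this thread and not part of Radiator or of either poster's configuration, that parses Radiator-style clause nesting and flags the mistake Hugh points out (a Realm clause inside a Handler). The sample config is constructed from Berndt's posted nesting, and the set of clause names treated as top-level-only is an assumption based on Radiator's usual file layout.

```python
import re

# Constructed sample: the nesting from the question (Realm inside Handler),
# trimmed to the lines that matter. Radiator does not accept this layout.
BAD_CONFIG = r"""
<Handler TunnelledByPEAP=1>
RewriteUsername s/^(.*)\\(.*)/$2/
<Realm DEFAULT>
<AuthBy LDAP2>
Host 10.2.4.21
UsernameAttr cn
EAPType MSCHAP-V2
</AuthBy>
</Realm>
</Handler>
"""

OPEN = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")   # <Name optional-args>
CLOSE = re.compile(r"^</(\w+)>$")              # </Name>

def parse_clauses(text):
    """Walk a Radiator-style config and return (clauses, errors), where each
    clause is (name, parent_name, depth) and errors lists mismatched or
    unclosed clause tags. Key/value lines are ignored."""
    stack, clauses, errors = [], [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            parent = stack[-1] if stack else None
            clauses.append((m.group(1), parent, len(stack)))
            stack.append(m.group(1))
            continue
        m = CLOSE.match(line)
        if m:
            if not stack or stack[-1] != m.group(1):
                errors.append(f"line {n}: unexpected </{m.group(1)}>")
            else:
                stack.pop()
    errors.extend(f"unclosed <{name}>" for name in stack)
    return clauses, errors

# Assumption: these clauses are only valid at the top level of the file.
TOP_LEVEL_ONLY = {"Handler", "Realm", "Client"}

def nesting_problems(text):
    """Report top-level-only clauses that appear inside another clause."""
    clauses, errors = parse_clauses(text)
    for name, parent, _ in clauses:
        if name in TOP_LEVEL_ONLY and parent is not None:
            errors.append(f"<{name}> nested inside <{parent}>; move it to the top level")
    return errors
```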