(RADIATOR) PEAP and AuthBy NT, AuthBy PAM

Kawakubo, Ken kkawakub at fhcrc.org
Tue Feb 25 17:18:06 CST 2003


All,

I have been evaluating Radiator for PEAP and EAP-TTLS wireless
authentication. I started out with eap_multi.cfg and have been able to
authenticate XP SP1 via PEAP, W2K SP3 via PEAP, Funk EAP-TTLS client, and
Meetinghouse MacOSX beta client via EAP-TTLS. I have been using AuthBy File
for authentication. For production, I would like to authenticate against NT
username/password. So far I tried AuthBy PAM using pam_smb and AuthBy NT but
have not gone very far.

I am getting the following message with AuthBy PAM. AuthBy NT produces
similar messages.

Code:       Access-Request
Identifier: 220
Authentic:  /<178><140><221><159><224><<199>,@<246><202><213><15><234>r
Attributes:
        User-Name = "kkawakub"
        Framed-MTU = 1400
        Called-Station-Id = "0002.8a21.8f18"
        Calling-Station-Id = "000a.b74c.c2be"
        NAS-Port-Type = 19
        Message-Authenticator =
n<18><179><207><244>'<143>fz<146>W<22>W<6><9>]
        EAP-Message = <2><1><0><13><1>kkawakub
        NAS-Port-Type = Virtual
        NAS-Port = 174
        Service-Type = Login-User
        NAS-IP-Address = 140.107.50.80
        NAS-Identifier = "test-eap         "

Mon Feb 24 11:24:01 2003: DEBUG: Handling request with Handler ''
Mon Feb 24 11:24:01 2003: DEBUG:  Deleting session for kkawakub,
140.107.50.80, 174
Mon Feb 24 11:24:01 2003: DEBUG: Handling with PAM service radiator
Mon Feb 24 11:24:01 2003: DEBUG: PAM is asking for 1: 'Password'
Mon Feb 24 11:24:03 2003: INFO: Access rejected for kkawakub: Authentication
failure:
Mon Feb 24 11:24:03 2003: DEBUG: Packet dump:
*** Sending to 140.107.50.80 port 1645 ....
Code:       Access-Reject
Identifier: 220
Authentic:  /<178><140><221><159><224><<199>,@<246><202><213><15><234>r
Attributes:
        Reply-Message = "Request Denied"

Syslog debug (with pam_smb hack to show the password) shows the following.
The password shows up as blank. By the way, I am also using pam_smb for
ssh authentication and it works fine and syslog debug shows the correct NT
username/password.

Feb 25 12:20:11 localhost perl[21408]: No Local authentication done, relying
on other modules for password file entry.
Feb 25 12:20:11 localhost perl[21408]: pam_smb: Configuration Data, Primary
wluc00, Backup wluc01, Domain FHCRC.
Feb 25 12:20:11 localhost perl[21408]:  password is
Feb 25 12:20:11 localhost perl[21408]: pam_smb: Incorrect NT password for
username : kkawakub

I am wondering if:

1) Since the Microsoft implementation of PEAP uses MSCHAPv2 for inner
authentication, and AuthBy NT and AuthBy PAM do not work with MSCHAPv2, I
cannot use AuthBy NT or PAM for PEAP/MSCHAPv2 authentication?

2) Right now I am running Radiator on RedHat Linux, but running it on
Windows would not make any difference?

3) I will not be able to use AuthBy ADSI either?

4) I need to look to authenticate PEAP/EAP-TTLS authentication requests
against some kind of local database?

If the above is the case, then what would be the best way to authenticate
PEAP/EAP-TTLS? Is there any way to use an SQL database and synchronize it with
NT username/password?

I appreciate any feedback.

Regards,

Ken Kawakubo
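An added decoder for the EAP-Message value printed in the Access-Request dump above. This is example code written for this archive page in Python; it is not part of the original post and not Radiator's own code. Radiator renders each non-printable byte of an attribute value as `<n>` (decimal) and leaves printable characters as-is, so the decoder reverses that rendering and then parses the EAP header per RFC 3748. The sample values (`SAMPLE_EAP_MESSAGE`, `SAMPLE_AUTHENTICATOR`) are copied from the dump; the EAP type names come from the IANA EAP registry. Running it shows that this request carries only the outer EAP Identity response for "kkawakub" (Code 2, Identifier 1, Length 13, Type 1) and no password attribute at all, which is useful to keep in mind when reading the blank password in the pam_smb syslog output.

```python
import re
import struct

# Constructed samples, copied from the Radiator debug dump in the post above.
SAMPLE_EAP_MESSAGE = "<2><1><0><13><1>kkawakub"
# The Authentic line contains a literal '<' right before '<199>'; a decoder
# must not treat that bare '<' as the start of a byte token.
SAMPLE_AUTHENTICATOR = "/<178><140><221><159><224><<199>,@<246><202><213><15><234>r"

# EAP Code values (RFC 3748) and the EAP Type values relevant to this thread
# (IANA EAP registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

_BYTE_TOKEN = re.compile(r"<(\d{1,3})>")


def undump(text: str) -> bytes:
    """Reverse Radiator's attribute rendering.

    '<n>' (n decimal, 0..255) is one raw byte; every other character is
    taken literally, including a bare '<' that is not followed by digits
    and '>' (see SAMPLE_AUTHENTICATOR).
    """
    out = bytearray()
    pos = 0
    for match in _BYTE_TOKEN.finditer(text):
        out += text[pos:match.start()].encode("latin-1")
        value = int(match.group(1))
        if value > 255:
            raise ValueError(f"byte value out of range in dump: <{value}>")
        out.append(value)
        pos = match.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def parse_eap(packet: bytes) -> dict:
    """Parse an EAP packet header (RFC 3748 section 4).

    Layout: Code (1 byte), Identifier (1 byte), Length (2 bytes, network
    order, covers the whole packet), then for Request/Response a Type byte
    and type-specific data. Identity (Type 1) data is the peer's NAI.
    """
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length field {length} != actual size {len(packet)}")
    info = {"code": code, "code_name": EAP_CODES.get(code, "Unknown"),
            "identifier": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response must carry a Type byte")
        eap_type = packet[4]
        info["type"] = eap_type
        info["type_name"] = EAP_TYPES.get(eap_type, "Unknown")
        info["data"] = packet[5:]
        if eap_type == 1:
            info["identity"] = packet[5:].decode("utf-8", errors="replace")
    return info


def describe(dump_value: str) -> str:
    """One-line summary of a dumped EAP-Message value, as a reader of the
    Radiator log would want it."""
    info = parse_eap(undump(dump_value))
    summary = (f"EAP {info['code_name']} id={info['identifier']} "
               f"len={info['length']}")
    if "type_name" in info:
        summary += f" type={info['type_name']}"
    if "identity" in info:
        summary += f" identity={info['identity']!r}"
    return summary


if __name__ == "__main__":
    print(describe(SAMPLE_EAP_MESSAGE))
    print("authenticator bytes:", len(undump(SAMPLE_AUTHENTICATOR)))
```

The 16-byte length check on the decoded Authentic line is a quick sanity test that the `<n>` decoding is right: a RADIUS Request Authenticator is always exactly 16 bytes, so a decoder that mishandled the bare `<` would come out one byte short.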



===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.