(RADIATOR) authentication by using DBFile

nagataki at nri-net.com nagataki at nri-net.com
Tue Jul 8 11:03:50 CDT 2003


Hello,

I have a problem with authentication using DB_File,
and can't see what's wrong.

I'll describe the configuration below.

----------------------------------------------------------------
<EAP_TYPE>
PEAP with MSCHAPv2 or LEAP
----------------------------------------------------------------
<BUILDDB_COMMAND>
#./builddb -u -f /etc/radiator/users -t ANYDB_File /etc/radiator/users
----------------------------------------------------------------
<USERS_FLAT_FILE>
nagataki	User-Password=masahiro
----------------------------------------------------------------
<EAP_CONFIG>
#Foreground
#LogStdout
LogDir          /var/log
#DbDir          .
AuthPort        1812
AcctPort        1813
DictionaryFile  /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
# Use a lower trace level in production systems:
Trace           4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
        Secret  mysecret
        DupInterval 0
</Client>

# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1>
        <AuthBy DBFILE>
                # anonymous-PEAP must be in here:
                Filename /etc/radiator/users.db

                # This tells the PEAP client what types of inner EAP requests
                # we will honour
                EAPType PEAP,MSCHAP-V2
        </AuthBy>
</Handler>


# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therefore act just as a PEAP server, or also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authentication request.
# In this basic example, both the inner and outer authentication are authenticated
# from a file by AuthBy FILE
<Handler>
        <AuthBy DBFILE>
                # The username of the outer authentication
                #  must be in this file to get anywhere. In this example,
                # it requires an entry for 'anonymous' which is the standard username
                # in the outer requests, and it also requires an entry for the
                # actual user name who is trying to connect (ie the 'Login name' entered
                # in the Funk Odyssey 'Edit Profile Properties' page
                Filename /etc/radiator/users.db

                # EAPType sets the EAP type(s) that Radiator will honour.
                # Options are: MD5-Challenge, One-Time-Password
                # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
                # Multiple types can be comma separated. With the default (most
                # preferred) type given first
                EAPType PEAP,MSCHAP-V2,LEAP

                # EAPTLS_CAFile is the name of a file of CA certificates
                # in PEM format. The file can contain several CA certificates
                # Radiator will first look in EAPTLS_CAFile then in
                # EAPTLS_CAPath, so there usually is no need to set both
                #EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
                #EAPTLS_CAFile /usr/local/ssl/LocalCA/cacert.pem
                EAPTLS_CAFile /usr/local/ssl/demoCA/cacert.pem

                # EAPTLS_CAPath is the name of a directory containing CA
                # certificates in PEM format. The files each contain one
                # CA certificate. The files are looked up by the CA
                # subject name hash value
#               EAPTLS_CAPath

                # EAPTLS_CertificateFile is the name of a file containing
                # the servers certificate. EAPTLS_CertificateType
                # specifies the type of the file. Can be PEM or ASN1
                # defaults to ASN1
                #EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                EAPTLS_CertificateFile /usr/local/ssl/cert-srv.pem
                EAPTLS_CertificateType PEM

                # EAPTLS_PrivateKeyFile is the name of the file containing
                # the servers private key. It is sometimes in the same file
                # as the server certificate (EAPTLS_CertificateFile)
                # If the private key is encrypted (usually the case)
                # then EAPTLS_PrivateKeyPassword is the key to decrypt it
                #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                #EAPTLS_PrivateKeyPassword whatever
                EAPTLS_PrivateKeyFile /usr/local/ssl/cert-srv.pem
                EAPTLS_PrivateKeyPassword 1qaz2wsx

                # EAPTLS_RandomFile is an optional file containing
                # randomness
#               EAPTLS_RandomFile %D/certificates/random

                # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
                # size that will be replied by Radiator. It must be small
                # enough to fit in a single Radius request (ie less than 4096)
                # and still leave enough space for other attributes
                # Aironet APs seem to need a smaller MaxFragmentSize
                # (eg 1024) than the default of 2048
                EAPTLS_MaxFragmentSize 1024

                # EAPTLS_DHFile if set specifies the DH group file. It
                # may be required if you need to use ephemeral DH keys.
#               EAPTLS_DHFile %D/certificates/cert/dh


                # If EAPTLS_CRLCheck is set and the client presents a certificate
                # then Radiator will look for a certificate revocation list (CRL)
                # for the certificate issuer
                # when authenticating each client. If a CRL file is not found, or
                # if the CRL says the certificate has been revoked, the authentication will
                # fail with an error:
                #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
                # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
                # Alternatively, CRLs may follow a file naming convention:
                #  the hash of the issuer subject name
                # and a suffix that depends on the serial number.
                # eg ab1331b2.r0, ab1331b2.r1 etc.
                # You can find out the hash of the issuer name in a CRL with
                #  openssl crl -in crl.pem -hash -noout
                # CRLs with this name convention
                # will be searched in EAPTLS_CAPath, else in the openssl
                # certificates directory typically /usr/local/openssl/certs/
                # CRLs are expected to be in PEM format.
                # CRL files can be generated with openssl like this:
                #  openssl ca -gencrl -revoke cert-clt.pem
                #  openssl ca -gencrl -out crl.pem
                # Use of these flags requires Net_SSLeay-1.21 or later
                #EAPTLS_CRLCheck
                #EAPTLS_CRLFile %D/certificates/crl.pem
                #EAPTLS_CRLFile %D/certificates/revocations.pem

                # Some clients, depending on their configuration, may require you to specify
                # MPPE send and receive keys. This _will_ be required if you select
                # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
                # client Network Properties dialog.
                # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
                # in the final Access-Accept
                AutoMPPEKeys

                # You can enable some warning messages from the Net::SSLeay
                # module by setting SSLeayTrace to an integer from 1 to 4
                # 1=ciphers, 2=trace, 3=dump data
                SSLeayTrace 4

                # You can configure the User-Name that will be used for the inner
                # authentication. Defaults to 'anonymous'. This can be useful
                # when proxying the inner authentication. If there is a realm, it can
                # be used to choose a local Realm to handle the inner authentication.
                # %0 is replaced with the EAP identity
                # EAPAnonymous anonymous@some.other.realm

                # You can enable or disable support for TTLS Session Resumption and
                # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
                # Default is enabled
                #EAPTLS_SessionResumption 0

                # You can limit how long after the initial session that a session can be resumed
                # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
                # (12 hours)
                #EAPTLS_SessionResumptionLimit 10
        </AuthBy>
</Handler>
---------------------------------------------------------------------

Regards.

Masa
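A consistency check for the DB_File side of a setup like the one above, added here as an example; it is not part of the original post and not Radiator's own code. It reads the flat users file that builddb consumes and the DB file named by Filename in the AuthBy DBFILE clauses, and reports any username present in the flat file but absent from the DB, as well as a missing 'anonymous' entry, which the config comment says the outer PEAP request needs. It assumes the DB is keyed by username (the way AuthBy DBFILE looks users up) and was built with DB_File in hash mode; if builddb was run with another DBM type, the module named in tie() must match it. The two paths are the ones from the post and are only defaults.

```perl
#!/usr/bin/perl
# Added example (not from the original post or from Radiator): compare the
# usernames in the flat users file with the keys stored in the DB_File that
# AuthBy DBFILE reads, and report anything that is missing.
# Assumption: the DB is keyed by username and was written as a DB_File hash.
use strict;
use warnings;
use DB_File;
use Fcntl;

my $flat = shift || '/etc/radiator/users';     # flat file given to builddb -f
my $db   = shift || '/etc/radiator/users.db';  # Filename in the AuthBy DBFILE clauses

# Usernames the flat file defines: one record per line, the name first,
# separated from its check items by whitespace (a tab in the post above).
my %expected;
open(my $fh, '<', $flat) or die "cannot read $flat: $!\n";
while (my $line = <$fh>) {
    next if $line =~ /^\s*(#|$)/;       # skip comments and blank lines
    my ($name) = $line =~ /^(\S+)/;
    $expected{$name} = 1 if defined $name;
}
close $fh;

# Open the DB read-only and collect the usernames it actually contains.
my %stored;
tie(my %dbh, 'DB_File', $db, O_RDONLY, 0644, $DB_HASH)
    or die "cannot open $db as a DB_File hash: $!\n";
$stored{$_} = $dbh{$_} for keys %dbh;
untie %dbh;

my $ok = 1;
for my $name (sort keys %expected) {
    next if exists $stored{$name};
    print "MISSING: '$name' is in $flat but not in $db\n";
    $ok = 0;
}

# The outer-request comment in the config says the DB must also hold the
# identity sent in the outer PEAP request, 'anonymous' unless EAPAnonymous
# changes it.
unless (exists $stored{anonymous}) {
    print "MISSING: no 'anonymous' entry in $db; outer PEAP requests cannot match\n";
    $ok = 0;
}

printf "%d user(s) stored in %s: %s\n",
    scalar(keys %stored), $db, join(', ', sort keys %stored);
print $ok ? "DB is consistent with $flat\n"
          : "fix the entries above and re-run builddb\n";
exit($ok ? 0 : 1);
```

Run it as the user that Radiator runs as, so that file permissions on the DB are also exercised; a non-zero exit means at least one lookup the handlers will attempt cannot succeed.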