(RADIATOR) authentication by using DBFile
nagataki at nri-net.com
nagataki at nri-net.com
Tue Jul 8 11:03:50 CDT 2003
Hello,
I have a problem for authentication by using DB_File,
and can't see what's wrong.
I'll describe the configuration below.
----------------------------------------------------------------
<EAP_TYPE>
PEAP with MSCHAPv2 or LEAP
----------------------------------------------------------------
<BUILDDB_COMMAND>
#./builddb -u -f /etc/radiator/users -t ANYDB_File /etc/radiator/users
----------------------------------------------------------------
<USERS_FLAT_FILE>
nagataki User-Password=masahiro
----------------------------------------------------------------
<EAP_CONFIG>
#Foreground
#LogStdout
LogDir /var/log
#DbDir .
AuthPort 1812
AcctPort 1813
DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
# User a lower trace level in production systems:
Trace 4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client>
# This is where we autneticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1>
<AuthBy DBFILE>
# anonymous-PEAP must be in here:
Filename /etc/radiator/users.db
# This tells the PEAP client what types of inner EAP requests
# we will honour
EAPType PEAP,MSCHAP-V2
</AuthBy>
</Handler>
# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner aut
hentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to sele
ct
# a specific handler, or else you can use EAPAnonymous to set a username and rea
lm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/o
r the
# fact that they were tunnelled. You can therfore act just as a PEAP server, or
also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authenticaiton r
equest.
# In this basic example, both the inner and outer authentication are authenticat
ed
# from a file by AuthBy FILE
<Handler>
<AuthBy DBFILE>
# The username of the outer authentication
# must be in this file to get anywhere. In this example,
# it requires an entry for 'anonymous' which is the standard use
rname
# in the outer requests, and it also requires an entry for the
# actual user name who is trying to connect (ie the 'Login name'
entered
# in the Funk Odyssey 'Edit Profile Properties' page
Filename /etc/radiator/users.db
# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
# Multiple types can be comma separated. With the default (most
# preferred) type given first
EAPType PEAP,MSCHAP-V2,LEAP
# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
#EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
#EAPTLS_CAFile /usr/local/ssl/LocalCA/cacert.pem
EAPTLS_CAFile /usr/local/ssl/demoCA/cacert.pem
# EAPTLS_CAPath is the name of a directory containing CA
# certificates in PEM format. The files each contain one
# CA certificate. The files are looked up by the CA
# subject name hash value
# EAPTLS_CAPath
# EAPTLS_CertificateFile is the name of a file containing
# the servers certificate. EAPTLS_CertificateType
# specifies the type of the file. Can be PEM or ASN1
# defaults to ASN1
#EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateFile /usr/local/ssl/cert-srv.pem
EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile is the name of the file containing
# the servers private key. It is sometimes in the same file
# as the server certificate (EAPTLS_CertificateFile)
# If the private key is encrypted (usually the case)
# then EAPTLS_PrivateKeyPassword is the key to descrypt it
#EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
#EAPTLS_PrivateKeyPassword whatever
EAPTLS_PrivateKeyFile /usr/local/ssl/cert-srv.pem
EAPTLS_PrivateKeyPassword 1qaz2wsx
# EAPTLS_RandomFile is an optional file containing
# randdomness
# EAPTLS_RandomFile %D/certificates/random
# EAPTLS_MaxFragmentSize sets the maximum TLS fragemt
# size that will be replied by Radiator. It must be small
# enough to fit in a single Radius request (ie less than 4096)
# and still leave enough space for other attributes
# Aironet APs seem to need a smaller MaxFragmentSize
# (eg 1024) than the default of 2048
EAPTLS_MaxFragmentSize 1024
# EAPTLS_DHFile if set specifies the DH group file. It
# may be required if you need to use ephemeral DH keys.
# EAPTLS_DHFile %D/certificates/cert/dh
# If EAPTLS_CRLCheck is set and the client presents a certifica
te
# then Radiator will look for a certificate revocation list (CRL
)
# for the certificate issuer
# when authenticating each client. If a CRL file is not found, o
r
# if the CRL says the certificate has neen revoked, the authenti
cation will
# fail with an error:
# SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
# One or more CRLs can be named with the EAPTLS_CRLFile paramete
r.
# Alternatively, CRLs may follow a file naming convention:
# the hash of the issuer subject name
# and a suffix that depends on the serial number.
# eg ab1331b2.r0, ab1331b2.r1 etc.
# You can find out the hash of the issuer name in a CRL with
# openssl crl -in crl.pem -hash -noout
# CRLs with tis name convention
# will be searched in EAPTLS_CAPath, else in the openssl
# certificates directory typically /usr/local/openssl/certs/
# CRLs are expected to be in PEM format.
# A CRL files can be generated with openssl like this:
# openssl ca -gencrl -revoke cert-clt.pem
# openssl ca -gencrl -out crl.pem
# Use of these flags requires Net_SSLeay-1.21 or later
#EAPTLS_CRLCheck
#EAPTLS_CRLFile %D/certificates/crl.pem
#EAPTLS_CRLFile %D/certificates/revocations.pem
# Some clients, depending on their configuration, may require yo
u to specify
# MPPE send and receive keys. This _will_ be required if you sel
ect
# 'Keys will be generated automatically for data privacy' in the
Funk Odyssey
# client Network Properties dialog.
# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
# in the final Access-Accept
AutoMPPEKeys
# You can enable some warning messages from the Net::SSLeay
# module by setting SSLeayTrace to an integer from 1 to 4
# 1=ciphers, 2=trace, 3=dump data
SSLeayTrace 4
# You can configure the User-Name that will be used for the inne
r
# authentication. Defaults to 'anonymous'. This can be useful
# when proxying the inner authentication. If tehre is a realm, i
t can
# be used to choose a local Realm to handle the inner authentica
tion.
# %0 is replaced with the EAP identitiy
# EAPAnonymous anonymous at some.other.realm
# You can enable or disable support for TTLS Session Resumption
and
# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
# Default is enabled
#EAPTLS_SessionResumption 0
# You can limit how long after the initial session that a sessio
n can be resumed
# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults
to 43200
# (12 hours)
#EAPTLS_SessionResumptionLimit 10
</AuthBy>
</Handler>
---------------------------------------------------------------------
Regards.
Masa
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list