(RADIATOR) authentication by using DBFile

Hugh Irvine hugh at open.com.au
Wed Jul 9 03:31:34 CDT 2003


Hello Masa -

What is the problem? And why are you using a DB file?

Please send me a trace 4 debug from Radiator showing the problem 
together with a clear description of what is happening.

regards

Hugh


On Wednesday, Jul 9, 2003, at 02:03 Australia/Melbourne, 
nagataki at nri-net.com wrote:

> Hello,
>
> I have a problem for authentication by using DB_File,
> and can't see what's wrong.
>
> I'll describe the configuration below.
>
> ----------------------------------------------------------------
> <EAP_TYPE>
> PEAP with MSCHAPv2 or LEAP
> ----------------------------------------------------------------
> <BUILDDB_COMMAND>
> #./builddb -u -f /etc/radiator/users -t ANYDB_File /etc/radiator/users
> ----------------------------------------------------------------
> <USERS_FLAT_FILE>
> nagataki	User-Password=masahiro
> ----------------------------------------------------------------
> <EAP_CONFIG>
> #Foreground
> #LogStdout
> LogDir          /var/log
> #DbDir          .
> AuthPort        1812
> AcctPort        1813
> DictionaryFile  /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
> # Use a lower trace level in production systems:
> Trace           4
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
>         Secret  mysecret
>         DupInterval 0
> </Client>
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> <Handler TunnelledByPEAP=1>
>         <AuthBy DBFILE>
>                 # anonymous-PEAP must be in here:
>                 Filename /etc/radiator/users.db
>
>                 # This tells the PEAP client what types of inner EAP 
> requests
>                 # we will honour
>                 EAPType PEAP,MSCHAP-V2
>         </AuthBy>
> </Handler>
>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the inner authentication
> # extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
> # a specific handler, or else you can use EAPAnonymous to set a username and realm
> # which can be used to select a Realm clause for the inner request.
> # This allows you to select an inner authentication method based on Realm, and/or the
> # fact that they were tunnelled. You can therefore act just as a PEAP server, or also
> # act as the AAA/H home server, and authenticate PEAP requests locally or proxy
> # them to another remote server based on the realm of the inner authentication request.
> # In this basic example, both the inner and outer authentication are authenticated
> # from a file by AuthBy FILE
> <Handler>
>         <AuthBy DBFILE>
>                 # The username of the outer authentication
>                 #  must be in this file to get anywhere. In this example,
>                 # it requires an entry for 'anonymous' which is the standard username
>                 # in the outer requests, and it also requires an entry for the
>                 # actual user name who is trying to connect (ie the 'Login name' entered
>                 # in the Funk Odyssey 'Edit Profile Properties' page
>                 Filename /etc/radiator/users.db
>
>                 # EAPType sets the EAP type(s) that Radiator will honour.
>                 # Options are: MD5-Challenge, One-Time-Password
>                 # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>                 # Multiple types can be comma separated. With the default (most
>                 # preferred) type given first
>                 EAPType PEAP,MSCHAP-V2,LEAP
>
>                 # EAPTLS_CAFile is the name of a file of CA certificates
>                 # in PEM format. The file can contain several CA certificates
>                 # Radiator will first look in EAPTLS_CAFile then in
>                 # EAPTLS_CAPath, so there usually is no need to set both
>                 #EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>                 #EAPTLS_CAFile /usr/local/ssl/LocalCA/cacert.pem
>                 EAPTLS_CAFile /usr/local/ssl/demoCA/cacert.pem
>
>                 # EAPTLS_CAPath is the name of a directory containing CA
>                 # certificates in PEM format. The files each contain one
>                 # CA certificate. The files are looked up by the CA
>                 # subject name hash value
> #               EAPTLS_CAPath
>
>                 # EAPTLS_CertificateFile is the name of a file containing
>                 # the servers certificate. EAPTLS_CertificateType
>                 # specifies the type of the file. Can be PEM or ASN1
>                 # defaults to ASN1
>                 #EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>                 EAPTLS_CertificateFile /usr/local/ssl/cert-srv.pem
>                 EAPTLS_CertificateType PEM
>
>                 # EAPTLS_PrivateKeyFile is the name of the file containing
>                 # the servers private key. It is sometimes in the same file
>                 # as the server certificate (EAPTLS_CertificateFile)
>                 # If the private key is encrypted (usually the case)
>                 # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>                 #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>                 #EAPTLS_PrivateKeyPassword whatever
>                 EAPTLS_PrivateKeyFile /usr/local/ssl/cert-srv.pem
>                 EAPTLS_PrivateKeyPassword 1qaz2wsx
>
>                 # EAPTLS_RandomFile is an optional file containing
>                 # randomness
> #               EAPTLS_RandomFile %D/certificates/random
>
>                 # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>                 # size that will be replied by Radiator. It must be small
>                 # enough to fit in a single Radius request (ie less than 4096)
>                 # and still leave enough space for other attributes
>                 # Aironet APs seem to need a smaller MaxFragmentSize
>                 # (eg 1024) than the default of 2048
>                 EAPTLS_MaxFragmentSize 1024
>
>                 # EAPTLS_DHFile if set specifies the DH group file. It
>                 # may be required if you need to use ephemeral DH keys.
> #               EAPTLS_DHFile %D/certificates/cert/dh
>
>
>                 # If EAPTLS_CRLCheck is set and the client presents a certificate
>                 # then Radiator will look for a certificate revocation list (CRL)
>                 # for the certificate issuer
>                 # when authenticating each client. If a CRL file is not found, or
>                 # if the CRL says the certificate has been revoked, the authentication will
>                 # fail with an error:
>                 #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>                 # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
>                 # Alternatively, CRLs may follow a file naming convention:
>                 #  the hash of the issuer subject name
>                 # and a suffix that depends on the serial number.
>                 # eg ab1331b2.r0, ab1331b2.r1 etc.
>                 # You can find out the hash of the issuer name in a CRL with
>                 #  openssl crl -in crl.pem -hash -noout
>                 # CRLs with this name convention
>                 # will be searched in EAPTLS_CAPath, else in the openssl
>                 # certificates directory typically /usr/local/openssl/certs/
>                 # CRLs are expected to be in PEM format.
>                 # A CRL files can be generated with openssl like this:
>                 #  openssl ca -gencrl -revoke cert-clt.pem
>                 #  openssl ca -gencrl -out crl.pem
>                 # Use of these flags requires Net_SSLeay-1.21 or later
>                 #EAPTLS_CRLCheck
>                 #EAPTLS_CRLFile %D/certificates/crl.pem
>                 #EAPTLS_CRLFile %D/certificates/revocations.pem
>
>                 # Some clients, depending on their configuration, may require you to specify
>                 # MPPE send and receive keys. This _will_ be required if you select
>                 # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
>                 # client Network Properties dialog.
>                 # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>                 # in the final Access-Accept
>                 AutoMPPEKeys
>
>                 # You can enable some warning messages from the Net::SSLeay
>                 # module by setting SSLeayTrace to an integer from 1 to 4
>                 # 1=ciphers, 2=trace, 3=dump data
>                 SSLeayTrace 4
>
>                 # You can configure the User-Name that will be used for the inner
>                 # authentication. Defaults to 'anonymous'. This can be useful
>                 # when proxying the inner authentication. If there is a realm, it can
>                 # be used to choose a local Realm to handle the inner authentication.
>                 # %0 is replaced with the EAP identity
>                 # EAPAnonymous anonymous at some.other.realm
>
>                 # You can enable or disable support for TTLS Session Resumption and
>                 # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
>                 # Default is enabled
>                 #EAPTLS_SessionResumption 0
>
>                 # You can limit how long after the initial session that a session can be resumed
>                 # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
>                 # (12 hours)
>                 #EAPTLS_SessionResumptionLimit 10
>         </AuthBy>
> </Handler>
> ---------------------------------------------------------------------
>
> Regards.
>
> Masa
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
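As an added example, not from this thread or from Radiator itself: a small Python check that parses a Radiator-style users flat file (the input builddb reads) and reports whether the entries the quoted config comments call for, the outer identity 'anonymous' and the real inner username, are present. The flat-file layout assumed here (username in column 0 followed by comma-separated check items, indented lines as reply items) and the check item on the constructed 'anonymous' line are assumptions, not taken from the page.

```python
"""Check a Radiator-style 'users' flat file for the entries a PEAP setup needs.

Assumed format: a line starting in column 0 is "username<whitespace>check items"
(check items comma-separated); indented lines that follow are that user's reply
items. Blank lines and '#' comments are skipped.
"""

# Constructed sample mirroring the flat file quoted in the thread: only the
# real user is present, nothing for the outer PEAP identity 'anonymous'.
SAMPLE_USERS_MISSING_ANON = "nagataki\tUser-Password=masahiro\n"

# Constructed sample with an 'anonymous' line added (its check item is a
# placeholder) and one indented reply item for the real user.
SAMPLE_USERS_OK = (
    "# outer PEAP identity\n"
    "anonymous\tUser-Password=placeholder\n"
    "nagataki\tUser-Password=masahiro\n"
    "\tFramed-Protocol = PPP\n"
)


def _split_items(text):
    """Split a comma-separated item list, dropping blanks."""
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_users_file(text):
    """Return {username: {"check": [...], "reply": [...]}} from flat-file text."""
    users, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # indented: reply items for the current user
            if current is None:
                raise ValueError("reply item before any user line: %r" % raw)
            users[current]["reply"].extend(_split_items(raw))
            continue
        parts = raw.split(None, 1)
        current = parts[0]
        users[current] = {"check": _split_items(parts[1] if len(parts) > 1 else ""),
                          "reply": []}
    return users


def missing_peap_entries(users, inner_user, outer_identity="anonymous"):
    """Names the quoted config comments require that are absent from the file."""
    return sorted(n for n in (outer_identity, inner_user) if n not in users)


if __name__ == "__main__":
    for label, text in (("thread", SAMPLE_USERS_MISSING_ANON), ("fixed", SAMPLE_USERS_OK)):
        print(label, "missing:", missing_peap_entries(parse_users_file(text), "nagataki") or "none")
```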
