(RADIATOR) How to differentiate PEAP-EAP-CHAPV2 and EAP-TTLS radius packets

Kawakubo, Ken kkawakub at fhcrc.org
Thu Mar 20 13:24:49 CST 2003


Hi Hugh,

I have tried using "AuthByPolicy ContinueUntilAccept" but it does not seem
to work as expected. I attached the following.

1) config file without secrets
2) trace 4 file called ttls_hangs.txt that shows that instead of executing
"AuthBy CheckFILEthenPAM" Radiator moves on to "AuthBy ForwardToIAS" and
results in hanging, when received eap-ttls authentication request.
3) trace 4 file called ttls_pam_success.txt that shows eap-ttls successful
authentication when "AuthByPolicy ContinueUntilAccept" and "AuthBy
ForwardToIAS" are commented out.

Also, the strange thing is that when I use "AuthByPolicy
ContinueUntilAccept" peap-mschapv2 authentication also fails. It just keeps
on sending proxy packets without any authentication. Again, if I comment out
"AuthByPolicy ContinueUntilAccept" and "AuthBy CheckFILEthenPAM" then it
succeeds.

I am wondering if the failure of "AuthByPolicy" may have something to do
with the handler "Handler TunnelledByTTLS=1" using the actual pam
authentication "AuthBy CheckPAM-EAP-TTLS" which is not part of
"AuthByPolicy".

Regards,

Ken Kawakubo



-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Wednesday, March 19, 2003 6:12 PM
To: Kawakubo, Ken
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) How to differentiate PEAP-EAP-CHAPV2 and
EAP-TTLS radius packets



Hello Ken -

On thinking about this a bit more, you should be able to do what you 
need like this (note the AuthBy RADIUS must be last):

# define AuthBy clauses

<AuthBy PAM>
	Identifier CheckPAM
	.....
</AuthBy>

<AuthBy RADIUS>
	Identifier ForwardToIAS
	.....
</AuthBy>

.....

# define Realms or Handlers

<Handler ...>
	AuthByPolicy ContinueUntilAccept
	AuthBy CheckPAM
	AuthBy ForwardToIAS
	....
</Handler>

Note that the AuthBy RADIUS clause operates asynchronously, so it must 
be last in any list of AuthBy clauses.

regards

Hugh


On Thursday, Mar 20, 2003, at 11:11 Australia/Melbourne, Kawakubo, Ken 
wrote:

> All,
>
> I would like Radiator to do the following.
>
> When Radiator gets PEAP-EAP-CHAPv2 radius packets, Radiator proxies to
> IAS on Windows 2003 server. When Radiator gets EAP-TTLS-PAP packets,
> Radiator authenticates via AuthBy PAM using pam_smb. I have to do this
> setup because we need to authenticate against NTLM. I can do NTLM
> authentication with EAP-TTLS since I can use plaintext PAP, but I cannot
> do NTLM authentication with PEAP-EAP-CHAPv2 since it uses encrypted
> passwords.
>
> I got both the Radius proxy with PEAP-EAP-CHAPv2 and AuthBy PAM with
> EAP-TTLS-PAP working separately. But when I try to combine both packets
> together, I am not getting it to work. Either one or the other fails
> authentication. I have tried using AuthByPolicy and listing both AuthBy
> clauses but it does not seem to work.
>
> I am wondering if there is a way to check radius packets beforehand
> and send them to the appropriate AuthBy clause. The first request packet
> uses code 1 instead of 25 (PEAP) or 21 (EAP-TTLS) and it seems to make it
> difficult to differentiate.
>
> I appreciate any help. Thank you.
>
> Ken Kawakubo
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: eap_multi1.cfg.txt
URL: <http://www.open.com.au/pipermail/radiator/attachments/20030320/0e6b2ead/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ttls_hangs.txt
URL: <http://www.open.com.au/pipermail/radiator/attachments/20030320/0e6b2ead/attachment-0001.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ttls_pam_success.txt
URL: <http://www.open.com.au/pipermail/radiator/attachments/20030320/0e6b2ead/attachment-0002.txt>
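Added example, not code from the thread or from Radiator: a small decoder that pulls the EAP-Message attribute out of a RADIUS Access-Request and reports the EAP type it carries. It shows why the first packet cannot be routed by tunnel type: it is always EAP type 1 (Identity), and PEAP (25) or EAP-TTLS (21) only appears on a later round-trip. The packets are constructed inline, not captured traffic.

```python
# Added example: classify a RADIUS Access-Request by the EAP type inside its
# EAP-Message attribute.  The first packet of any EAP conversation carries
# type 1 (Identity); PEAP (25) and EAP-TTLS (21) show up only later.
import struct

EAP_TYPE_NAMES = {1: "Identity", 21: "EAP-TTLS", 25: "PEAP"}
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79


def radius_attributes(packet):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos = 20  # 4-byte header + 16-byte Request Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def eap_type_of(packet):
    """Return the EAP type name found in the packet's EAP-Message attribute(s).

    EAP-Message fragments are concatenated in order (RFC 3579) before the EAP
    header is parsed.  Returns None when there is no EAP-Message or the EAP
    packet is not a Request/Response (only those carry a Type byte).
    """
    eap = b"".join(v for t, v in radius_attributes(packet) if t == ATTR_EAP_MESSAGE)
    if not eap:
        return None
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("bad EAP length")
    if code not in (1, 2) or length < 5:
        return None
    return EAP_TYPE_NAMES.get(eap[4], "type %d" % eap[4])


def build_access_request(username, eap_payload):
    """Constructed Access-Request (code 1) carrying User-Name and EAP-Message."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(eap_payload)]) + eap_payload
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + b"\x00" * 16 + attrs


def eap_response(eap_type, data, ident=1):
    """Constructed EAP Response (code 2) of the given type."""
    return struct.pack("!BBHB", 2, ident, 5 + len(data), eap_type) + data


FIRST_PACKET = build_access_request(b"ken", eap_response(1, b"ken"))  # Identity
PEAP_PACKET = build_access_request(b"ken", eap_response(25, b"\x20"))
TTLS_PACKET = build_access_request(b"ken", eap_response(21, b"\x00"))
```

The Identity packet decodes the same way whether the supplicant will later go on to PEAP or EAP-TTLS, which is the problem described in the thread.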

