(RADIATOR) 802.1x and vlan assignment
Dordaneh Arangeh
dordaneh.arangeh at id.ethz.ch
Fri Sep 12 08:19:45 CDT 2003
Hello everybody,
I have configured the cfg file for Radiator for authenticating with
EAP-PEAP. Furthermore, I have added a part under AuthBy PLSQL so that
Radiator sends three attributes (VLAN identity) to the client. The cfg file
is included at the end of the message. The client is a Windows 2000 one,
and the authentication part of its LAN connection is configured to use
EAP-PEAP. When the PC is connected to the switch (which is naturally
configured for 802.1x), it sends an access request to Radiator and
everything is fine. The client is authenticated.
Problems:
1. The VLAN assignment doesn't work. The three attributes which are defined
to be returned by Radiator (Tunnel-Type = VLAN, Tunnel-Medium-Type =
802, Tunnel-Private-Group-ID = xxxxxxx) are not returned. Instead of
these attributes I see the following strings in the trace (xxxxxx is what I
put for the sake of having a shorter email!!)
..........
Code: Access-Accept
Identifier: 235
Authentic: <3>&<10><190><4><1><3><203><10><23>%e%<128><9><199>
Attributes:
MS-MPPE-Send-Key = "xxxxxxxx"
MS-MPPE-Recv-Key = xxxxxxxxxx
EAP-Message = <3><10><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
..................
So the VLAN assignment is not done.
2. Windows on the client side is saving the username and password
somewhere and one cannot change it any more. It means I cannot try
with any other username!!
3. The client is periodically sending an access request with a very funny
username which I never configured anywhere. Something like:
User-Name = "azbycx", and then it goes on to Access-Challenge and remains
there, neither reject nor accept.
Thanking you in advance for help and tips.
Dordaneh
--------------------------------------------
cfg File
--------------------------------------------
Foreground
LogStdout
LogDir .
DbDir .
Trace 4
<Client DEFAULT>
Secret xxxxxxx
DupInterval 0
</Client>
<Handler TunnelledByPEAP=1>
<AuthBy PLSQL>
NoDefault
DBSource dbi:Oracle:xx.xxxx
DBUsername xxxx
DBAuth xxxx
# Authentication
AuthBlock BEGIN \
 NETngRadius.getUserData('%n', :passwd, :reply_item); \
END;
AuthParamDef :passwd, User-Password, check
AuthParamDef :reply_item, GENERIC, reply
</AuthBy>
</Handler>
<Handler>
<AuthBy PLSQL>
NoDefault
DBSource dbi:Oracle:xx.xxxxx
DBUsername xxxxx
DBAuth xxxxx
# Authentication
AuthBlock BEGIN \
 NETngRadius.getUserData('%n', :passwd, :reply_item); \
END;
AuthParamDef :passwd, User-Password, check
AuthParamDef :reply_item, GENERIC, reply
EAPType PEAP
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1024
AutoMPPEKeys
SSLeayTrace 4
</AuthBy>
</Handler>
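As an added example (not from the original post, and not Radiator's own code), a small Python check that builds the three RFC 2868 tunnel attributes the post expects in the reply and inspects an Access-Accept for a complete, tag-consistent VLAN assignment. The sample packets are constructed; the EAP-Message bytes mirror the trace above, and the VLAN id "100" is an assumed value.

```python
import struct

# RADIUS code and attribute types (RFC 2865; tunnel attributes from RFC 2868)
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6   # the "VLAN" and "802" values

def tagged_int(attr, tag, value):
    # tagged integer attribute: type, length 6, 1-byte tag, 3-byte value
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
def tagged_str(attr, tag, text):
    # tagged string attribute: type, length, 1-byte tag, then the string bytes
    payload = bytes([tag]) + text.encode()
    return struct.pack("!BB", attr, 2 + len(payload)) + payload
def vlan_reply_attrs(vlan_id, tag=1):
    """The three attributes an 802.1X switch needs for dynamic VLAN assignment."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, vlan_id))
def parse_attrs(data):
    out, i = [], 0   # walk the type/length/value list, rejecting truncated attributes
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((t, data[i + 2:i + l]))
        i += l
    return out
def assigned_vlan(packet):
    # returns the VLAN id if the Access-Accept carries a complete, tag-consistent set, else None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    by_tag = {}   # tag -> {attribute type: decoded value}
    for t, v in parse_attrs(packet[20:]):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            by_tag.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # the first byte is a tag only if it is <= 0x1F; otherwise it is text
            tag, s = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            by_tag.setdefault(tag, {})[t] = s.decode(errors="replace")
    for g in by_tag.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and TUNNEL_PRIVATE_GROUP_ID in g
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            return g[TUNNEL_PRIVATE_GROUP_ID]
    return None
def access_accept(ident, attrs):   # constructed reply; 16-byte authenticator zeroed
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs
EAP_SUCCESS = bytes([EAP_MESSAGE, 6, 3, 10, 0, 4])          # EAP-Message = <3><10><0><4>
MSG_AUTH = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)    # zeroed Message-Authenticator
WITHOUT_VLAN = access_accept(235, EAP_SUCCESS + MSG_AUTH)    # shaped like the trace above
WITH_VLAN = access_accept(235, EAP_SUCCESS + MSG_AUTH + vlan_reply_attrs("100"))
```

Running `assigned_vlan` over a reply captured from the server shows at a glance whether the switch was given anything it could act on; a reply like the one in the trace yields None.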
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au