(RADIATOR) 802.1x and vlan assignment

Hugh Irvine hugh at open.com.au
Mon Sep 15 17:50:23 CDT 2003


Hello Dordaneh -

Have you installed the latest Radiator 3.6 patches? There was a problem 
with reply attributes that was fixed some time ago.

regards

Hugh


On Monday, Sep 15, 2003, at 19:41 Australia/Melbourne, Arangeh, 
Dordaneh wrote:

> Hello -
> Thanks for your answer.
> With dictionary everything is fine. I activated a log file for DB to
> see whether it sends the desired attributes or not. DB is sending them,
> it is radiator which is not giving them further to the client. I tested
> my DB by means of radpwtst with all three options (-mschap -mschap2 and
> -eapmd5). In all three cases, three attributes are sent correctly.
> Unfortunately I have no option to test the thing with radpwtst and peap
> because there is no possibility to check radpwtst with peap and peap is
> the only option one can use for 802.1x authentication, or am I wrong in
> this? Please correct me if it is so.
> Any further tip, what the 802.1x authentication problem could be?
>
> Thanking you in advance
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Samstag, 13. September 2003 09:26
> To: Arangeh, Dordaneh
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) 802.1x and vlan assignment
>
>
> Hello -
>
> You should check your Radiator dictionary to make sure the attributes
> you are using are defined (they are in the standard Radiator 3.6
> dictionary).
>
> The trace debug doesn't show the reply attributes at all, so I suspect
> there is a problem with the database response.
>
> regards
>
> Hugh
>
>
> On Friday, Sep 12, 2003, at 23:19 Australia/Melbourne, Dordaneh Arangeh
> wrote:
>
>> Hello everybody,
>> I have configured the cfg file for radiator for authenticating with
>> eap-peap. Furthermore I have added a part under auth PLsql, so as the
>> radiator sends three attributes (Vlan identity) to the client. cfg file
>> is included at the end of the message.  The client is a Windows2000 one
>> and the authentication part of its LAN connection is configured to use
>> EAP-PEAP. When the PC is connected to the Switch (which is naturally
>> configured for 802.1x), it sends access request to the radiator and
>> everything is fine. Client is authenticated.
>> Problems:
>>
>> 1. The vlan assignment doesn't work. Three attributes which are defined
>> to be returned by radiator (Tunnel-Type = VLAN, Tunnel-Medium-Type =
>> 802, Tunnel-Private-Group-ID = xxxxxxx), are not returned. Instead of
>> these attributes I see in the trace following strings: (xxxxxx is what I
>> put for the sake of having shorter email!!)
>>
>> ..........
>> Code:       Access-Accept
>> Identifier: 235
>> Authentic:  <3>&<10><190><4><1><3><203><10><23>%e%<128><9><199>
>> Attributes:
>>         MS-MPPE-Send-Key = "xxxxxxxx"
>>         MS-MPPE-Recv-Key = xxxxxxxxxx
>>        EAP-Message = <3><10><0><4>
>>         Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> ..................
>>
>> So the vlan assignment is not done.
>>
>> 2. Windows on the client side is saving the username and password
>> somewhere and one can not change it anymore. It means I can not try
>> with any other username !!
>>
>> 3. Client is sending periodically an access request with a very funny
>> username which I never anywhere configured. Something like:
>>  User-Name = "azbycx" and then starts for Access challenge and remains
>> there, neither reject nor accept.
>>
>>
>> Thanking you in advance for helps and tips.
>>
>> Dordaneh
>> --------------------------------------------
>> cfg File
>> --------------------------------------------
>> Foreground
>> LogStdout
>> LogDir          .
>> DbDir            .
>> Trace           4
>> <Client DEFAULT>
>>         Secret  xxxxxxx
>>         DupInterval 0
>> </Client>
>> <Handler TunnelledByPEAP=1>
>> <AuthBy PLSQL>
>>         NoDefault
>>         DBSource        dbi:Oracle:xx.xxxx
>>         DBUsername      xxxx
>>         DBAuth          xxxx
>>
>>         # Authentication
>>         AuthBlock       BEGIN \
>>                            NETngRadius.getUserData('%n',:passwd,:reply_item);\
>>                         END;
>>
>>
>>         AuthParamDef    :passwd,        User-Password,  check
>>         AuthParamDef    :reply_item,    GENERIC,        reply
>>         </AuthBy>
>> </Handler>
>>
>> <Handler>
>> <AuthBy PLSQL>
>>         NoDefault
>>         DBSource        dbi:Oracle:xx.xxxxx
>>         DBUsername      xxxxx
>>         DBAuth          xxxxx
>>
>>         # Authentication
>>         AuthBlock       BEGIN \
>>                            NETngRadius.getUserData('%n',:passwd,:reply_item);\
>>                         END;
>>
>>         AuthParamDef    :passwd,        User-Password,  check
>>         AuthParamDef    :reply_item,    GENERIC,        reply
>>                 EAPType PEAP
>>                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>>                 EAPTLS_CertificateType PEM
>>                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>>                 EAPTLS_PrivateKeyPassword whatever
>>                 EAPTLS_MaxFragmentSize 1024
>>                AutoMPPEKeys
>>
>>                 SSLeayTrace 4
>>         </AuthBy>
>> </Handler>
>>
>>
>> ===
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
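The whole thread turns on whether the three RFC 3580 VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) actually appear in the Access-Accept that reaches the switch, which is what the trace 4 dump shows or fails to show. The script below is an added example, not code from this thread and not part of Radiator: it encodes those attributes in the RFC 2868 tagged form, wraps them in an Access-Accept carrying the RFC 2865 Response Authenticator, and then checks a decoded reply the way the switch would, reporting the VLAN it would apply or None when the assignment is incomplete. The shared secret, the request authenticator, the sample replies and the VLAN id 100 are all constructed here; the identifier 235 is taken from the trace in the thread.

```python
"""Added example: encode, authenticate and check a RADIUS Access-Accept
carrying RFC 3580 VLAN assignment attributes (not Radiator's own code)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
# RFC 2868 tunnel attributes; RFC 3580 uses them for VLAN assignment
TUNNEL_TYPE = 64              # tagged integer, 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # tagged integer, 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # tagged string, the VLAN id or name
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
VLAN = 13
IEEE_802 = 6


def tagged_int(attr_type, value, tag=0):
    """RFC 2868 tagged integer: one tag byte, then a 3-byte big-endian value."""
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def tagged_str(attr_type, value, tag=0):
    """RFC 2868 tagged string: one tag byte (0x00-0x1F), then the text."""
    body = bytes([tag]) + value.encode()
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_attributes(vlan_id, tag=0):
    """The three attributes a switch needs to place the port in a VLAN."""
    return (tagged_int(TUNNEL_TYPE, VLAN, tag)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802, tag)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def build_access_accept(identifier, request_authenticator, attrs, secret):
    """RFC 2865 s.3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """What the switch checks before trusting a reply: declared length and authenticator."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(response_auth, expected)


def parse_attributes(attrs):
    """Split the attribute area into (type, value) pairs; reject bad lengths."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute length")
        out.append((attr_type, attrs[i + 2:i + length]))
        i += length
    return out


def vlan_assignment(parsed):
    """Return the VLAN the switch would apply, or None if any of the three is missing or wrong."""
    found = {}
    for attr_type, value in parsed:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading byte above 0x1F is not a tag but part of the string
            found[attr_type] = (value[1:] if value[0] <= 0x1F else value).decode()
    if found.get(TUNNEL_TYPE) != VLAN or found.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        return None
    return found.get(TUNNEL_PRIVATE_GROUP_ID)


# Constructed sample values (assumptions for this example, not from the thread)
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))

# Constructed reply shaped like the trace in the thread: an EAP Success and a
# Message-Authenticator, but none of the tunnel attributes
INCOMPLETE_REPLY_ATTRS = (bytes([EAP_MESSAGE, 6, 3, 10, 0, 4])
                          + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16))


def check_reply(packet, request_authenticator=REQUEST_AUTHENTICATOR, secret=SECRET):
    """Verify a reply and report the assigned VLAN; None means no usable assignment."""
    if not verify_response_authenticator(packet, request_authenticator, secret):
        return None
    return vlan_assignment(parse_attributes(packet[20:]))


if __name__ == "__main__":
    good = build_access_accept(235, REQUEST_AUTHENTICATOR, vlan_attributes(100), SECRET)
    bad = build_access_accept(235, REQUEST_AUTHENTICATOR, INCOMPLETE_REPLY_ATTRS, SECRET)
    print("complete reply ->", check_reply(good))   # 100
    print("incomplete reply ->", check_reply(bad))  # None
```

Two details worth noting when reading a real trace against this: a reply that carries Tunnel-Type and Tunnel-Medium-Type without Tunnel-Private-Group-ID, or with Tunnel-Medium-Type other than IEEE-802, is treated as no assignment at all, which is how a switch behaves; and Tunnel-Private-Group-ID may legitimately arrive without a tag byte, so a checker that blindly strips the first byte would drop the first character of the VLAN name.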
