(RADIATOR) 802.1x and vlan assignment
Hugh Irvine
hugh at open.com.au
Tue Sep 16 18:52:26 CDT 2003
Hello Dordaneh -
Excellent - I am pleased the patch has fixed the problem.
As to the Windows problem, I am afraid I don't have an answer for you,
although it sounds like there is a configuration problem with either
the network settings or with the client software.
Perhaps there is someone on the list who knows more about Windows than
I do?
regards
Hugh
On Wednesday, Sep 17, 2003, at 00:38 Australia/Melbourne, Arangeh,
Dordaneh wrote:
> Hello Hugh,
> The problem is solved now. It was patch problem. Now I get all
> attributes and the vlan assignment is working well. Thanks for tips.
> Nevertheless, the Windows problem is persisting. Once you give username
> and password, you can not change it any more. And also the problem with
> a funny usrname azbycx which, I don't know where from is coming,
> remains
> as before.
>
> Regards
> Dordaneh
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Dienstag, 16. September 2003 00:50
> To: Arangeh, Dordaneh
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) 802.1x and vlan assignment
>
>
> Hello Dordaneh -
>
> Have you installed the latest Radiator 3.6 patches? There was a problem
> with reply attributes that was fixed some time ago.
>
> regards
>
> Hugh
>
>
> On Monday, Sep 15, 2003, at 19:41 Australia/Melbourne, Arangeh,
> Dordaneh wrote:
>
>> Hello -
>> Thanks for your answer.
>> With dictionary every thing is fine. I activated a log file for DB to
>> see weather it sends the desired attributes or not. DB is sending
> them,
>> it is radiator which is not giving them further to the client. I
> tested
>> my DB by means of radpwtst with all three optins (-mschap -mschap2 and
>> -eapmd5). In all three cases , three attributes are sent correctly.
>> Unfortunately I have no opting to test the thing with radpwtst and
> peap
>> because there is no possibility to check radpwtst with peap and peap
> is
>> the only option one can use for 802.1x authentication, or am I wrong
> in
>> this? Please correct me if it is so.
>> Any further tip, what the 802.1x authentication problem could be?
>>
>> Thanking you in advance
>>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: Samstag, 13. September 2003 09:26
>> To: Arangeh, Dordaneh
>> Cc: radiator at open.com.au
>> Subject: Re: (RADIATOR) 802.1x and vlan assignment
>>
>>
>> Hello -
>>
>> You should check your Radiator dictionary to make sure the attributes
>> you are using are defined (they are in the standard Radiator 3.6
>> dictionary).
>>
>> The trace debug doesn't show the reply attributes at all, so I suspect
>> there is a problem with the database response.
>>
>> regards
>>
>> Hugh
>>
>>
>> On Friday, Sep 12, 2003, at 23:19 Australia/Melbourne, Dordaneh
> Arangeh
>> wrote:
>>
>>> Hello everybody,
>>> I have configured the cfg file for radiator for authenticating with
>>> eap-peap. Furthermore I have added a part under auth PLsql, so as the
>>> radiator sends three attributes (Vlan identity) to the client. cfg
>> file
>>> is included at the end of the message. The client is a Windows2000
>> one
>>> and the authentication part of its LAN connection is configured to
> use
>>> EAP-PEAP. When the PC is connected to the Switch (which is naturally
>>> configured for 802.1x) , it sends access request to the radiator and
>>> every thing is fine. Client is authenticated.
>>> Problems:
>>>
>>> 1. The vlan assignment doesn't work. Three attributes which are
>> defined
>>> to be returned by radiator (Tunnel-Type = VLAN , Tunnel-Medium-Type =
>>> 802 ,Tunnel-Private-Group-ID = xxxxxxx) , are not returned. Instead
> of
>>> these attributes I see in the trace following strings: (xxxxxx is
> what
>>
>>> I
>>> put for the sake of having shorter email!!)
>>>
>>> ..........
>>> Code: Access-Accept
>>> Identifier: 235
>>> Authentic: <3>&<10><190><4><1><3><203><10><23>%e%<128><9><199>
>>> Attributes:
>>> MS-MPPE-Send-Key = "xxxxxxxx"
>>> MS-MPPE-Recv-Key = xxxxxxxxxx
>>> EAP-Message = <3><10><0><4>
>>> Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> ..................
>>>
>>> So the vlan assignment is not done.
>>>
>>> 2. The windows in the client side is saving the username and password
>>> somewhere and one can not change it any more . It means I can not try
>>> with any other username !!
>>>
>>> 3. Client is sending priodically an access request with a very funny
>>> username which I never anywhere configured. Some thing like:
>>> User-Name = "azbycx" and then starts for Access chanllenge and
>> remains
>>> there, neither reject nor accept.
>>>
>>>
>>> Thanking you in advance for helps and tips.
>>>
>>> Dordaneh
>>> --------------------------------------------
>>> cfg File
>>> --------------------------------------------
>>> Foreground
>>> LogStdout
>>> LogDir .
>>> DbDir .
>>> Trace 4
>>> <Client DEFAULT>
>>> Secret xxxxxxx
>>> DupInterval 0
>>> </Client>
>>> <Handler TunnelledByPEAP=1>
>>> <AuthBy PLSQL>
>>> NoDefault
>>> DBSource dbi:Oracle:xx.xxxx
>>> DBUxsername xxxx
>>> DBAuth xxxx
>>>
>>> # Authentication
>>> AuthBlock BEGIN \
>>> NETngRadius.getUserData
>>> ('%n',:passwd,:reply_item);\
>>> END;
>>>
>>>
>>> AuthParamDef :passwd, User-Password, check
>>> AuthParamDef :reply_item, GENERIC, reply
>>> </AuthBy>
>>> </Handler>
>>>
>>> <Handler>
>>> <AuthBy PLSQL>
>>> NoDefault
>>> DBSource dbi:Oracle:xx.xxxxx
>>> DBUsername xxxxx
>>> DBAuth xxxxx
>>>
>>> # Authentication
>>> AuthBlock BEGIN \
>>> NETngRadius.getUserData
>>> ('%n',:passwd,:reply_item);\
>>> END;
>>>
>>> AuthParamDef :passwd, User-Password, check
>>> AuthParamDef :reply_item, GENERIC, reply
>>> EAPType PEAP
>>> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>>> EAPTLS_CertificateType PEM
>>> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>>> EAPTLS_PrivateKeyPassword whatever
>>> EAPTLS_MaxFragmentSize 1024
>>> AutoMPPEKeys
>>>
>>> SSLeayTrace 4
>>> </AuthBy>
>>> </Handler>
>>>
>>>
>>> ===
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list