(RADIATOR) How to configure Radiator to work with Cisco PEAP (Generic token)?

Bostjan Lemut Bostjan.Lemut at arnes.si
Fri Sep 19 02:46:40 CDT 2003


Hello!

I am relatively new to wireless and 802.1x authentication. A colleague of mine left 
for another job and I was given the "wireless" project with practically no 
knowledge of what to do.
In the Radiator 3.6 Installation and Reference Manual I've read that the LEAP and Generic 
Token EAP types are not supported, but then again, they are supported in the patch 
for Radiator 3.6. So far I've successfully tried the LEAP authentication and it 
works fine, but that was easy. I've tried the goodie for the PEAP type with 
changing the inner protocol from MSCHAP-V2 to Generic-Token, but it does not 
seem to work. I've also searched the mailing list archives and FAQs, but it 
seems nobody tried or had problems using Cisco PEAP (Generic Token). Please, 
give me some pointers or, better yet, a working example :-)

I'm using a Cisco Aironet 1100 AP, a Cisco Aironet 340 WLAN adapter and Radiator 3.6 
with the patch, running radiusd as a user.

Regards,

Bostjan Lemut,
ARNES


Radiator 3.6 log insert:

Wed Sep 17 12:39:56 2003: DEBUG: Packet dump:
*** Received from {Cisco AP IP} port 1645 ....
Code:       Access-Request
Identifier: 19
Authentic:  S<213>\?|<203><205><253><238><162>W<140>1<190><139><251>
Attributes:
         User-Name = "PEAP-00409649152D"
         Framed-MTU = 1400
         Called-Station-Id = "0002.8a9e.5739"
         Calling-Station-Id = "0040.9649.152d"
         Message-Authenticator = /(&D<30>`<130>?<157><22><171>!<226><152>E<219>
         EAP-Message = <2><1><0><22><1>PEAP-00409649152D
         NAS-Port-Type = Virtual
         NAS-Port = 265
         NAS-IP-Address = {Cisco AP IP}
         NAS-Identifier = "ap"

Wed Sep 17 12:39:56 2003: DEBUG: Handling request with Handler ''
Wed Sep 17 12:39:56 2003: DEBUG:  Deleting session for PEAP-00409649152D, 193.2.121.66, 265
Wed Sep 17 12:39:56 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Sep 17 12:39:56 2003: DEBUG: Handling with EAP: code 2, 1, 22
Wed Sep 17 12:39:56 2003: DEBUG: Response type 1
Wed Sep 17 12:39:56 2003: ERR: Could not handle an EAP request: Can't locate object method "response_identity" via package "Radius::EAP_25" (perhaps you forgot to load "Radius::EAP_25"?) at /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP.pm line 142.

Wed Sep 17 12:39:56 2003: INFO: Access rejected for PEAP-00409649152D: Could not handle an EAP request
Wed Sep 17 12:39:56 2003: DEBUG: Packet dump:
*** Sending to {Cisco AP IP} port 1645 ....
Code:       Access-Reject
Identifier: 19
Authentic:  S<213>\?|<203><205><253><238><162>W<140>1<190><139><251>
Attributes:
         Reply-Message = "Request Denied"


radius.cfg:

# radius.cfg

# Set this to the directory where your logfile and details file are to go
LogDir /opt/home/bostjan/var/log/radius

# Set this to the database directory. It should contain these files:
# users           The user database
# dictionary      The dictionary for your NAS
DbDir /opt/home/bostjan/etc/raddb

Trace 4
AuthPort 1645,1812
AcctPort 1646,1813
BindAddress {Radius server IP},127.0.0.1

# This clause defines a single client to listen to
<Client DEFAULT>
         IgnoreAcctSignature
         Secret  skritogeslo
         DupInterval 0
</Client>

# For testing: this allows us to honour requests from radpwtst
# on the same host.
<Client localhost>
         IgnoreAcctSignature
         Secret mysecret
         DupInterval 0
</Client>


# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1>
         <AuthBy FILE>
                 # anonymous-PEAP must be in here:
                 Filename %D/users

                 # This tells the PEAP client what types of inner EAP requests
                 # we will honour
                 #EAPType MSCHAP-V2
                 EAPType Generic-Token
         </AuthBy>
</Handler>


# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner
# authentication extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm,
# and/or the fact that they were tunnelled. You can therefore act just as a PEAP
# server, or also act as the AAA/H home server, and authenticate PEAP requests
# locally or proxy them to another remote server based on the realm of the inner
# authentication request.
# In this basic example, both the inner and outer authentication are authenticated
# from a file by AuthBy FILE
<Handler>
         <AuthBy FILE>
                 # The username of the outer authentication
                 # must be in this file to get anywhere. In this example,
                 # it requires an entry for 'anonymous' which is the standard
                 # username in the outer requests, and it also requires an entry
                 # for the actual user name who is trying to connect (ie the
                 # 'Login name' entered in the Funk Odyssey 'Edit Profile
                 # Properties' page)
                 Filename %D/users

                 # EAPType sets the EAP type(s) that Radiator will honour.
                 # Options are: MD5-Challenge, One-Time-Password
                 # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
                 # Multiple types can be comma separated. With the default (most
                 # preferred) type given first
                 EAPType PEAP

                 # EAPTLS_CAFile is the name of a file of CA certificates
                 # in PEM format. The file can contain several CA certificates
                 # Radiator will first look in EAPTLS_CAFile then in
                 # EAPTLS_CAPath, so there usually is no need to set both
                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem

                 # EAPTLS_CAPath is the name of a directory containing CA
                 # certificates in PEM format. The files each contain one
                 # CA certificate. The files are looked up by the CA
                 # subject name hash value
#               EAPTLS_CAPath

                 # EAPTLS_CertificateFile is the name of a file containing
                 # the server's certificate. EAPTLS_CertificateType
                 # specifies the type of the file. Can be PEM or ASN1,
                 # defaults to ASN1
                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                 EAPTLS_CertificateType PEM



                 # EAPTLS_PrivateKeyFile is the name of the file containing
                 # the server's private key. It is sometimes in the same file
                 # as the server certificate (EAPTLS_CertificateFile).
                 # If the private key is encrypted (usually the case)
                 # then EAPTLS_PrivateKeyPassword is the key to decrypt it
                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                 EAPTLS_PrivateKeyPassword whatever

                 # EAPTLS_RandomFile is an optional file containing
                 # randomness
#               EAPTLS_RandomFile %D/certificates/random

                 # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
                 # size that will be replied by Radiator. It must be small
                 # enough to fit in a single Radius request (ie less than 4096)
                 # and still leave enough space for other attributes.
                 # Aironet APs seem to need a smaller MaxFragmentSize
                 # (eg 1024) than the default of 2048. Others need even
                 # smaller sizes.
                 EAPTLS_MaxFragmentSize 1000

                 # EAPTLS_DHFile if set specifies the DH group file. It
                 # may be required if you need to use ephemeral DH keys.
#               EAPTLS_DHFile %D/certificates/cert/dh


                 # If EAPTLS_CRLCheck is set and the client presents a certificate
                 # then Radiator will look for a certificate revocation list (CRL)
                 # for the certificate issuer
                 # when authenticating each client. If a CRL file is not found, or
                 # if the CRL says the certificate has been revoked, the
                 # authentication will fail with an error:
                 #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
                 # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
                 # Alternatively, CRLs may follow a file naming convention:
                 #  the hash of the issuer subject name
                 # and a suffix that depends on the serial number.
                 # eg ab1331b2.r0, ab1331b2.r1 etc.
                 # You can find out the hash of the issuer name in a CRL with
                 #  openssl crl -in crl.pem -hash -noout
                 # CRLs with this name convention
                 # will be searched in EAPTLS_CAPath, else in the openssl
                 # certificates directory typically /usr/local/openssl/certs/
                 # CRLs are expected to be in PEM format.
                 # A CRL file can be generated with openssl like this:
                 #  openssl ca -gencrl -revoke cert-clt.pem
                 #  openssl ca -gencrl -out crl.pem
                 # Use of these flags requires Net_SSLeay-1.21 or later
                 #EAPTLS_CRLCheck

                 #EAPTLS_CRLFile %D/certificates/crl.pem
                 #EAPTLS_CRLFile %D/certificates/revocations.pem

                 # Some clients, depending on their configuration, may require
                 # you to specify MPPE send and receive keys. This _will_ be
                 # required if you select 'Keys will be generated automatically
                 # for data privacy' in the Funk Odyssey client Network
                 # Properties dialog.
                 # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
                 # in the final Access-Accept
                 AutoMPPEKeys

                 # You can enable some warning messages from the Net::SSLeay
                 # module by setting SSLeayTrace to an integer from 1 to 4
                 # 1=ciphers, 2=trace, 3=dump data
                 SSLeayTrace 4

                 # You can configure the User-Name that will be used for the inner
                 # authentication. Defaults to 'anonymous'. This can be useful
                 # when proxying the inner authentication. If there is a realm,
                 # it can be used to choose a local Realm to handle the inner
                 # authentication.
                 # %0 is replaced with the EAP identity
                 # EAPAnonymous anonymous@some.other.realm

                 # You can enable or disable support for TTLS Session Resumption and
                 # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
                 # Default is enabled
                 #EAPTLS_SessionResumption 0

                 # You can limit how long after the initial session that a
                 # session can be resumed with EAPTLS_SessionResumptionLimit
                 # (time in seconds). Defaults to 43200 (12 hours)
                 #EAPTLS_SessionResumptionLimit 10
         </AuthBy>
</Handler>
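As an added example (not part of the original post or of Radiator itself), here is a small Python decoder for the EAP-Message attribute as Radiator's packet dump prints it: each non-printable byte appears as <decimal> and printable bytes are shown literally, so the attribute in the log above unpacks to an EAP Response (code 2, identifier 1, length 22) carrying an Identity (type 1) of PEAP-00409649152D. The type table, from RFC 3748 and the IANA EAP registry, also shows that the Radius::EAP_25 named in the error is the module for EAP type 25, PEAP, which matches the outer handler's EAPType.

```python
import re
from dataclasses import dataclass

# EAP method type numbers (RFC 3748 and the IANA EAP method registry).
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    5: "One-Time-Password", 6: "Generic-Token", 13: "TLS", 17: "LEAP",
    21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Radiator prints each non-printable byte of a binary attribute as <decimal>
# and leaves printable bytes as-is; reverse that to recover the raw bytes.
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.DOTALL)

def dump_to_bytes(dumped: str) -> bytes:
    out = bytearray()
    for num, ch in _TOKEN.findall(dumped):
        out.append(int(num) if num else ord(ch))
    return bytes(out)

@dataclass
class EapPacket:
    code: str
    identifier: int
    length: int
    type_name: str   # empty for Success/Failure, which carry no type
    data: bytes

def parse_eap(raw: bytes) -> EapPacket:
    """Decode the 4-byte EAP header (code, id, length) and the type byte."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    if code in (3, 4):
        return EapPacket(EAP_CODES[code], ident, length, "", b"")
    eap_type = raw[4]
    return EapPacket(EAP_CODES.get(code, f"code {code}"), ident, length,
                     EAP_TYPES.get(eap_type, f"type {eap_type}"), raw[5:])

def eap_message_from_log(line: str) -> EapPacket:
    """Pull the EAP-Message value out of a Radiator packet-dump attribute line."""
    _, _, value = line.partition("EAP-Message = ")
    return parse_eap(dump_to_bytes(value.strip()))

# The EAP-Message attribute line from the Access-Request in the log above.
SAMPLE_LINE = "EAP-Message = <2><1><0><22><1>PEAP-00409649152D"
```

Calling `eap_message_from_log(SAMPLE_LINE)` returns the decoded Identity response; `EAP_TYPES[25]` gives the method behind the EAP_25 module name.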



===
Archive at http://www.open.com.au/archives/radiator/