(RADIATOR) How to configure Radiator to work with Cisco PEAP (Generic token)?
Hugh Irvine
hugh at open.com.au
Sat Sep 20 04:43:46 CDT 2003
Hello Bostjan -
I suspect the problem occurred earlier in the log file and there is
probably a prerequisite Perl module missing.
You should check the messages in the log file from startup on.
regards
Hugh
On Friday, Sep 19, 2003, at 17:46 Australia/Melbourne, Bostjan Lemut
wrote:
> Hello!
>
> I am relatively new to wireless and 802.1x authentication. A colleague of
> mine left for another job and I was given the "wireless" project with
> practically no knowledge of what to do.
> In the Radiator 3.6 Installation and Reference Manual I've read that the LEAP
> and Generic token EAP types are not supported, but then again, they
> are supported in the patch for Radiator 3.6. So far I've successfully
> tried the LEAP authentication and it works fine, but that was easy.
> I've tried the goodie for the PEAP type with changing the inner
> protocol from MSCHAP-V2 to Generic-Token, but it does not seem to
> work. I've also searched the mailing list archives and FAQs, but it
> seems nobody tried or had problems using Cisco PEAP (Generic Token).
> Please, give me some pointers or better yet, working example:-)
>
> I'm using a Cisco Aironet 1100 AP, a Cisco Aironet 340 WLAN adapter and
> Radiator 3.6 with the patch, running radiusd as a user.
>
> Regards,
>
> Bostjan Lemut,
> ARNES
>
>
> Radiator 3.6 log insert:
>
> Wed Sep 17 12:39:56 2003: DEBUG: Packet dump:
> *** Received from {Cisco AP IP} port 1645 ....
> Code: Access-Request
> Identifier: 19
> Authentic: S<213>\?|<203><205><253><238><162>W<140>1<190><139><251>
> Attributes:
> User-Name = "PEAP-00409649152D"
> Framed-MTU = 1400
> Called-Station-Id = "0002.8a9e.5739"
> Calling-Station-Id = "0040.9649.152d"
> Message-Authenticator = /(&D<30>`<130>?<157><22><171>!<226><152>E<219>
> EAP-Message = <2><1><0><22><1>PEAP-00409649152D
> NAS-Port-Type = Virtual
> NAS-Port = 265
> NAS-IP-Address = {Cisco AP IP}
> NAS-Identifier = "ap"
>
> Wed Sep 17 12:39:56 2003: DEBUG: Handling request with Handler ''
> Wed Sep 17 12:39:56 2003: DEBUG: Deleting session for PEAP-00409649152D, 193.2.121.66, 265
> Wed Sep 17 12:39:56 2003: DEBUG: Handling with Radius::AuthFILE:
> Wed Sep 17 12:39:56 2003: DEBUG: Handling with EAP: code 2, 1, 22
> Wed Sep 17 12:39:56 2003: DEBUG: Response type 1
> Wed Sep 17 12:39:56 2003: ERR: Could not handle an EAP request: Can't locate object method
> "response_identity" via package "Radius::EAP_25" (perhaps you forgot to load "Radius::EAP_25"?)
> at /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP.pm line 142.
>
> Wed Sep 17 12:39:56 2003: INFO: Access rejected for PEAP-00409649152D: Could not handle an EAP request
> Wed Sep 17 12:39:56 2003: DEBUG: Packet dump:
> *** Sending to {Cisco AP IP} port 1645 ....
> Code: Access-Reject
> Identifier: 19
> Authentic: S<213>\?|<203><205><253><238><162>W<140>1<190><139><251>
> Attributes:
> Reply-Message = "Request Denied"
>
>
> radius.cfg:
>
> # radius.cfg
>
> # Set this to the directory where your logfile and details file are to go
> LogDir /opt/home/bostjan/var/log/radius
>
> # Set this to the database directory. It should contain these files:
> #   users       The user database
> #   dictionary  The dictionary for your NAS
> DbDir /opt/home/bostjan/etc/raddb
>
> Trace 4
> AuthPort 1645,1812
> AcctPort 1646,1813
> BindAddress {Radius server IP},127.0.0.1
>
> # This clause defines a single client to listen to
> <Client DEFAULT>
>     IgnoreAcctSignature
>     Secret skritogeslo
>     DupInterval 0
> </Client>
>
> # For testing: this allows us to honour requests from radpwtst
> # on the same host.
> <Client localhost>
>     IgnoreAcctSignature
>     Secret mysecret
>     DupInterval 0
> </Client>
>
> # For testing: this allows us to honour requests from radpwtst
> # on the same host.
> <Client localhost>
>     IgnoreAcctSignature
>     Secret mysecret
>     DupInterval 0
> </Client>
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> <Handler TunnelledByPEAP=1>
>     <AuthBy FILE>
>         # anonymous-PEAP must be in here:
>         Filename %D/users
>
>         # This tells the PEAP client what types of inner EAP requests
>         # we will honour
>         #EAPType MSCHAP-V2
>         EAPType Generic-Token
>     </AuthBy>
> </Handler>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the
> # inner authentication extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used
> # to select a specific handler, or else you can use EAPAnonymous to set a
> # username and realm which can be used to select a Realm clause for the
> # inner request. This allows you to select an inner authentication method
> # based on Realm, and/or the fact that they were tunnelled. You can
> # therefore act just as a PEAP server, or also act as the AAA/H home
> # server, and authenticate PEAP requests locally or proxy them to another
> # remote server based on the realm of the inner authentication request.
> # In this basic example, both the inner and outer authentication are
> # authenticated from a file by AuthBy FILE
> <Handler>
>     <AuthBy FILE>
>         # The username of the outer authentication
>         # must be in this file to get anywhere. In this example,
>         # it requires an entry for 'anonymous' which is the standard
>         # username in the outer requests, and it also requires an entry
>         # for the actual user name who is trying to connect (ie the
>         # 'Login name' entered in the Funk Odyssey 'Edit Profile
>         # Properties' page
>         Filename %D/users
>
>         # EAPType sets the EAP type(s) that Radiator will honour.
>         # Options are: MD5-Challenge, One-Time-Password
>         # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>         # Multiple types can be comma separated. With the default (most
>         # preferred) type given first
>         EAPType PEAP
>
>         # EAPTLS_CAFile is the name of a file of CA certificates
>         # in PEM format. The file can contain several CA certificates
>         # Radiator will first look in EAPTLS_CAFile then in
>         # EAPTLS_CAPath, so there usually is no need to set both
>         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>
>         # EAPTLS_CAPath is the name of a directory containing CA
>         # certificates in PEM format. The files each contain one
>         # CA certificate. The files are looked up by the CA
>         # subject name hash value
>         # EAPTLS_CAPath
>
>         # EAPTLS_CertificateFile is the name of a file containing
>         # the servers certificate. EAPTLS_CertificateType
>         # specifies the type of the file. Can be PEM or ASN1
>         # defaults to ASN1
>         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>
>         # EAPTLS_PrivateKeyFile is the name of the file containing
>         # the servers private key. It is sometimes in the same file
>         # as the server certificate (EAPTLS_CertificateFile)
>         # If the private key is encrypted (usually the case)
>         # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>
>         # EAPTLS_RandomFile is an optional file containing
>         # randomness
>         # EAPTLS_RandomFile %D/certificates/random
>
>         # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>         # size that will be replied by Radiator. It must be small
>         # enough to fit in a single Radius request (ie less than 4096)
>         # and still leave enough space for other attributes
>         # Aironet APs seem to need a smaller MaxFragmentSize
>         # (eg 1024) than the default of 2048. Others need even
>         # smaller sizes.
>         EAPTLS_MaxFragmentSize 1000
>
>         # EAPTLS_DHFile if set specifies the DH group file. It
>         # may be required if you need to use ephemeral DH keys.
>         # EAPTLS_DHFile %D/certificates/cert/dh
>
>         # If EAPTLS_CRLCheck is set and the client presents a certificate
>         # then Radiator will look for a certificate revocation list (CRL)
>         # for the certificate issuer when authenticating each client.
>         # If a CRL file is not found, or if the CRL says the certificate
>         # has been revoked, the authentication will fail with an error:
>         # SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>         # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
>         # Alternatively, CRLs may follow a file naming convention:
>         # the hash of the issuer subject name
>         # and a suffix that depends on the serial number.
>         # eg ab1331b2.r0, ab1331b2.r1 etc.
>         # You can find out the hash of the issuer name in a CRL with
>         # openssl crl -in crl.pem -hash -noout
>         # CRLs with this name convention
>         # will be searched in EAPTLS_CAPath, else in the openssl
>         # certificates directory typically /usr/local/openssl/certs/
>         # CRLs are expected to be in PEM format.
>         # CRL files can be generated with openssl like this:
>         # openssl ca -gencrl -revoke cert-clt.pem
>         # openssl ca -gencrl -out crl.pem
>         # Use of these flags requires Net_SSLeay-1.21 or later
>         #EAPTLS_CRLCheck
>
>         #EAPTLS_CRLFile %D/certificates/crl.pem
>         #EAPTLS_CRLFile %D/certificates/revocations.pem
>
>         # Some clients, depending on their configuration, may require
>         # you to specify MPPE send and receive keys. This _will_ be
>         # required if you select 'Keys will be generated automatically
>         # for data privacy' in the Funk Odyssey client Network
>         # Properties dialog.
>         # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>         # in the final Access-Accept
>         AutoMPPEKeys
>
>         # You can enable some warning messages from the Net::SSLeay
>         # module by setting SSLeayTrace to an integer from 1 to 4
>         # 1=ciphers, 2=trace, 3=dump data
>         SSLeayTrace 4
>
>         # You can configure the User-Name that will be used for the inner
>         # authentication. Defaults to 'anonymous'. This can be useful
>         # when proxying the inner authentication. If there is a realm,
>         # it can be used to choose a local Realm to handle the inner
>         # authentication.
>         # %0 is replaced with the EAP identity
>         # EAPAnonymous anonymous at some.other.realm
>
>         # You can enable or disable support for TTLS Session Resumption
>         # and PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
>         # Default is enabled
>         #EAPTLS_SessionResumption 0
>
>         # You can limit how long after the initial session that a session
>         # can be resumed with EAPTLS_SessionResumptionLimit (time in
>         # seconds). Defaults to 43200 (12 hours)
>         #EAPTLS_SessionResumptionLimit 10
>     </AuthBy>
> </Handler>
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
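Hugh's advice is to read the trace-4 log from startup onward rather than stopping at the first rejected request. The script below is an added example for this thread, not part of Radiator or of either message: it walks a Radiator debug log in order, collects every ERR/WARNING entry, re-joins messages that wrapped onto untimestamped lines, decodes the "via package Radius::EAP_<n>" failure to the EAP method name using the IANA type numbers (25 is PEAP), and records each Access-Reject with its reason. It assumes Radiator's `<timestamp>: <LEVEL>: <message>` line shape as seen in the quoted trace; the sample input is the quoted trace itself, pasted with its e-mail quoting intact.

```python
"""Triage helper for Radiator trace-4 debug logs (added example, not part of
Radiator or of the original mailing-list messages).

Assumed log shape, as in the quoted trace: "<timestamp>: <LEVEL>: <message>",
with long messages wrapping onto following lines that carry no timestamp.
"""
import re
from dataclasses import dataclass, field

# IANA EAP method type numbers (RFC 3748 registry) for the EAPType keywords
# named in the thread. Radiator names its per-type modules Radius::EAP_<n>.
EAP_TYPE_NAMES = {
    4: "MD5-Challenge",
    5: "One-Time-Password",
    6: "Generic-Token",
    13: "TLS",
    17: "LEAP",
    21: "TTLS",
    25: "PEAP",
    26: "MSCHAP-V2",
}

LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$"
)
MISSING_EAP_MODULE = re.compile(r'via package "Radius::EAP_(?P<num>\d+)"')
ACCESS_REJECTED = re.compile(r"^Access rejected for (?P<user>\S+): (?P<reason>.*)$")
QUOTE_PREFIX = re.compile(r"^(?:> ?)+")  # e-mail quoting, when the log was pasted from a post


@dataclass
class Triage:
    problems: list = field(default_factory=list)           # (timestamp, level, message)
    missing_eap_types: dict = field(default_factory=dict)  # EAP type number -> method name
    rejects: list = field(default_factory=list)            # (user, reason)


def parse_entries(text):
    """Split a log into (timestamp, level, message) entries, re-joining a
    message that wrapped onto untimestamped continuation lines."""
    entries = []
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if m:
            entries.append([m["ts"], m["level"], m["msg"]])
        elif entries:
            entries[-1][2] += " " + line
    return [tuple(e) for e in entries]


def triage_log(text):
    """Collect ERR/WARNING entries in log order, decode any Radius::EAP_<n>
    module that could not be used, and record each Access-Reject reason."""
    report = Triage()
    for ts, level, msg in parse_entries(text):
        if level in ("ERR", "WARNING"):
            report.problems.append((ts, level, msg))
            m = MISSING_EAP_MODULE.search(msg)
            if m:
                num = int(m["num"])
                report.missing_eap_types[num] = EAP_TYPE_NAMES.get(num, f"unknown EAP type {num}")
        elif level == "INFO":
            m = ACCESS_REJECTED.match(msg)
            if m:
                report.rejects.append((m["user"], m["reason"]))
    return report


def summarise(report):
    """Operator-facing summary lines."""
    lines = [f"{len(report.problems)} ERR/WARNING entries, {len(report.rejects)} Access-Rejects"]
    for num, name in sorted(report.missing_eap_types.items()):
        lines.append(f"EAP type {num} ({name}): Radius::EAP_{num} could not be used; "
                     f"look for a failed module load earlier in the startup log")
    for user, reason in report.rejects:
        lines.append(f"Access-Reject for {user}: {reason}")
    return lines


# Constructed sample: the trace quoted in the thread, pasted with its quoting intact.
SAMPLE_LOG = r"""
> Wed Sep 17 12:39:56 2003: DEBUG: Packet dump:
> *** Received from {Cisco AP IP} port 1645 ....
> Code: Access-Request
> User-Name = "PEAP-00409649152D"
> EAP-Message = <2><1><0><22><1>PEAP-00409649152D
> Wed Sep 17 12:39:56 2003: DEBUG: Handling with EAP: code 2, 1, 22
> Wed Sep 17 12:39:56 2003: DEBUG: Response type 1
> Wed Sep 17 12:39:56 2003: ERR: Could not handle an EAP request: Can't
> locate object method "response_identity" via package "Radius::EAP_25"
> (perhaps you forgot to load "Radius::EAP_25"?) at
> /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP.pm line 142.
>
> Wed Sep 17 12:39:56 2003: INFO: Access rejected for PEAP-00409649152D:
> Could not handle an EAP request
> Wed Sep 17 12:39:56 2003: DEBUG: Packet dump:
> *** Sending to {Cisco AP IP} port 1645 ....
> Code: Access-Reject
"""

if __name__ == "__main__":
    for line in summarise(triage_log(SAMPLE_LOG)):
        print(line)
```

Run against a full log from `radiusd` startup, the first ERR or WARNING reported is usually the one that explains later rejects; the EAP type decode only tells you which handler module failed, not why, so the startup messages still have to be read.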