(RADIATOR) How to configure Radiator to work with Cisco PEAP (Generic token)?
Bostjan Lemut
Bostjan.Lemut at arnes.si
Mon Sep 22 03:02:38 CDT 2003
Hi Hugh!
I've backed up the old log fiel and restarted radiusd to log into clean logfile.
Radiator does not complain about enything at startup.
Regards,
Bostjan
Insert from logfile:
bash-2.05$ tail -f var/log/radius/logfile
Mon Sep 22 09:39:46 2003: DEBUG: Reading dictionary file
'/opt/home/bostjan/etc/raddb/dictionary'
Mon Sep 22 09:39:47 2003: DEBUG: Creating authentication port {Radiator IP}:1645
Mon Sep 22 09:39:47 2003: DEBUG: Creating authentication port {Radiator IP}:1812
Mon Sep 22 09:39:47 2003: DEBUG: Creating accounting port {Radiator IP}:1646
Mon Sep 22 09:39:47 2003: DEBUG: Creating accounting port {Radiator IP}:1813
Mon Sep 22 09:39:47 2003: DEBUG: Creating authentication port 127.0.0.1:1645
Mon Sep 22 09:39:47 2003: DEBUG: Creating authentication port 127.0.0.1:1812
Mon Sep 22 09:39:47 2003: DEBUG: Creating accounting port 127.0.0.1:1646
Mon Sep 22 09:39:47 2003: DEBUG: Creating accounting port 127.0.0.1:1813
Mon Sep 22 09:39:47 2003: NOTICE: Server started: Radiator 3.6 on kladivo
Mon Sep 22 09:43:25 2003: DEBUG: Packet dump:
*** Received from {Cisco ap IP} port 1645 ....
Code: Access-Request
Identifier: 20
Authentic: <17>Z<219>U<159><213><150>h<131>Mki<21>!(<139>
Attributes:
User-Name = "PEAP-00409649152D"
Framed-MTU = 1400
Called-Station-Id = "0002.8a9e.5739"
Calling-Station-Id = "0040.9649.152d"
Message-Authenticator =
<179>,<130><241><155><224>x<237><4><184><15><150>A<213><234>'
EAP-Message = <2><2><0><22><1>PEAP-00409649152D
NAS-Port-Type = Virtual
NAS-Port = 266
NAS-IP-Address = {Cisco ap IP}
NAS-Identifier = "ap"
Mon Sep 22 09:43:25 2003: DEBUG: Handling request with Handler ''
Mon Sep 22 09:43:25 2003: DEBUG: Deleting session for PEAP-00409649152D, {Cisco
ap IP}, 266
Mon Sep 22 09:43:25 2003: DEBUG: Handling with Radius::AuthFILE:
Mon Sep 22 09:43:25 2003: DEBUG: Handling with EAP: code 2, 2, 22
Mon Sep 22 09:43:25 2003: DEBUG: Response type 1
Mon Sep 22 09:43:25 2003: ERR: Could not load EAP module Radius::EAP_25: Can't
locate Net/SSLeay.pm in @INC (@INC contains: .
/opt/gnu/lib/perl5/5.6.1/sun4-solaris /opt/gnu/lib/perl5/5.6.1
/opt/gnu/lib/perl5/site_perl/5.6.1/sun4-solaris
/opt/gnu/lib/perl5/site_perl/5.6.1 /opt/gnu/lib/perl5/site_perl .) at
/opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP_25.pm line 24.
BEGIN failed--compilation aborted at
/opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP_25.pm line 24.
Compilation failed in require at (eval 30) line 3.
Mon Sep 22 09:43:25 2003: INFO: Access rejected for PEAP-00409649152D:
Unsupported default EAP Response/Identity 25
Mon Sep 22 09:43:25 2003: DEBUG: Packet dump:
*** Sending to {Cisco ap IP} port 1645 ....
Code: Access-Reject
Identifier: 20
Authentic: <17>Z<219>U<159><213><150>h<131>Mki<21>!(<139>
Attributes:
Reply-Message = "Request Denied"
Hugh Irvine wrote:
> I suspect the problem occured earlier in the log file and there is
> probably a prerequisite Perl module missing.
> You should check the messages in the log file from startup on.
> On Friday, Sep 19, 2003, at 17:46 Australia/Melbourne, Bostjan Lemut wrote:
>> I am relativelly new to wireless and 802.1x authentication. Colegue of
>> mine left for another job and I was given the "wireless" project with
>> practically no knowledge of what to do.
>> In Radiator 3.6 Instalation and Reference Manual I've read, the LEAP
>> and Generic token EAP types are not supported, but then again, they
>> are supported in patch for Radiator 3.6. So far I've successfully
>> tried the LEAP authentication and it works fine, but that was easy.
>> I've tried the goodie for the PEAP type with changing the inner
>> protocol from MSCHAP-V2 to Generic-Token, but it does not seem to
>> work. I've also searched the mailing list archives and FAQs, but it
>> seems nobody tried or had problems using Cisco PEAP (Generic Token).
>> Please, give me some pointers or better yet, working example:-)
>>
>> I'm using Cisco ap Aironet 1100, Cisco Aironet 340 WLAN adapter and
>> Radiator 3.6 with patch, running radiusd as a user.
>>
>> Radiator 3.6 log insert:
>>
>> Wed Sep 17 12:39:56 2003: DEBUG: Packet dump:
>> *** Received from {Cisco AP IP} port 1645 ....
>> Code: Access-Request
>> Identifier: 19
>> Authentic: S<213>\?|<203><205><253><238><162>W<140>1<190><139><251>
>> Attributes:
>> User-Name = "PEAP-00409649152D"
>> Framed-MTU = 1400
>> Called-Station-Id = "0002.8a9e.5739"
>> Calling-Station-Id = "0040.9649.152d"
>> Message-Authenticator =
>> /(&D<30>`<130>?<157><22><171>!<226><152>E<219>
>> EAP-Message = <2><1><0><22><1>PEAP-00409649152D
>> NAS-Port-Type = Virtual
>> NAS-Port = 265
>> NAS-IP-Address = {Cisco AP IP}
>> NAS-Identifier = "ap"
>>
>> Wed Sep 17 12:39:56 2003: DEBUG: Handling request with Handler ''
>> Wed Sep 17 12:39:56 2003: DEBUG: Deleting session for
>> PEAP-00409649152D, {Cisco ap IP}, 265
>> Wed Sep 17 12:39:56 2003: DEBUG: Handling with Radius::AuthFILE:
>> Wed Sep 17 12:39:56 2003: DEBUG: Handling with EAP: code 2, 1, 22
>> Wed Sep 17 12:39:56 2003: DEBUG: Response type 1
>> Wed Sep 17 12:39:56 2003: ERR: Could not handle an EAP request: Can't
>> locate object method "response_identity" via package "Radius::EAP_25"
>> (perhaps you forgot to load "Radius::EAP_25"?) at
>> /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP.pm line 142.
>>
>> Wed Sep 17 12:39:56 2003: INFO: Access rejected for PEAP-00409649152D:
>> Could not handle an EAP request
>> Wed Sep 17 12:39:56 2003: DEBUG: Packet dump:
>> *** Sending to {Cisco AP IP} port 1645 ....
>> Code: Access-Reject
>> Identifier: 19
>> Authentic: S<213>\?|<203><205><253><238><162>W<140>1<190><139><251>
>> Attributes:
>> Reply-Message = "Request Denied"
>>
>>
>> radius.cfg:
>>
>> # radius.cfg
>>
>> # Set this to the directory where your logfile and details file are to go
>> LogDir /opt/home/bostjan/var/log/radius
>>
>> # Set this to the database directory. It should contain these files:
>> # users The user database
>> # dictionary The dictionary for your NAS
>> DbDir /opt/home/bostjan/etc/raddb
>>
>> Trace 4
>> AuthPort 1645,1812
>> AcctPort 1646,1813
>> BindAddress {Radius server IP},127.0.0.1
>>
>> # This clause defines a single client to listen to
>> <Client DEFAULT>
>> IgnoreAcctSignature
>> Secret skritogeslo
>> DupInterval 0
>> </Client>
>>
>> # For testing: this allows us to honour requests from radpwtst
>> # on the same host.
>> <Client localhost>
>> IgnoreAcctSignature
>> Secret mysecret
>> DupInterval 0
>> </Client>
>>
>>
>>
>> # For testing: this allows us to honour requests from radpwtst
>> # on the same host.
>> <Client localhost>
>> IgnoreAcctSignature
>> Secret mysecret
>> DupInterval 0
>> </Client>
>>
>>
>>
>> # This is where we autneticate a PEAP inner request, which will be an EAP
>> # request. The username of the inner request will be anonymous, although
>> # the identity of the EAP request will be the real username we are
>> # trying to authenticate.
>> <Handler TunnelledByPEAP=1>
>> <AuthBy FILE>
>> # anonymous-PEAP must be in here:
>> Filename %D/users
>>
>> # This tells the PEAP client what types of inner EAP
>> requests
>> # we will honour
>> #EAPType MSCHAP-V2
>> EAPType Generic-Token
>> </AuthBy>
>> </Handler>
>>
>>
>> # The original PEAP request from a NAS will be sent to a matching
>> # Realm or Handler in the usual way, where it will be unpacked and the
>> inner authentication
>> # extracted.
>> # The inner authentication request will be sent again to a matching
>> # Realm or Handler. The special check item TunnelledByPEAP=1 can be
>> used to select
>> # a specific handler, or else you can use EAPAnonymous to set a
>> username and realm
>> # which can be used to select a Realm clause for the inner request.
>> # This allows you to select an inner authentication method based on
>> Realm, and/or the
>> # fact that they were tunnelled. You can therfore act just as a PEAP
>> server, or also
>> # act as the AAA/H home server, and authenticate PEAP requests locally
>> or proxy
>> # them to another remote server based on the realm of the inner
>> authenticaiton request.
>> # In this basic example, both the inner and outer authentication are
>> authenticated
>> # from a file by AuthBy FILE
>> <Handler>
>> <AuthBy FILE>
>> # The username of the outer authentication
>> # must be in this file to get anywhere. In this example,
>> # it requires an entry for 'anonymous' which is the
>> standard username
>> # in the outer requests, and it also requires an entry
>> for the
>> # actual user name who is trying to connect (ie the
>> 'Login name' entered
>> # in the Funk Odyssey 'Edit Profile Properties' page
>> Filename %D/users
>>
>> # EAPType sets the EAP type(s) that Radiator will honour.
>> # Options are: MD5-Challenge, One-Time-Password
>> # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>> # Multiple types can be comma separated. With the
>> default (most
>> # preferred) type given first
>> EAPType PEAP
>>
>> # EAPTLS_CAFile is the name of a file of CA certificates
>> # in PEM format. The file can contain several CA
>> certificates
>> # Radiator will first look in EAPTLS_CAFile then in
>> # EAPTLS_CAPath, so there usually is no need to set both
>> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>
>> # EAPTLS_CAPath is the name of a directory containing CA
>> # certificates in PEM format. The files each contain one
>> # CA certificate. The files are looked up by the CA
>> # subject name hash value
>> # EAPTLS_CAPath
>>
>> # EAPTLS_CertificateFile is the name of a file containing
>> # the servers certificate. EAPTLS_CertificateType
>> # specifies the type of the file. Can be PEM or ASN1
>> # defaults to ASN1
>> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>> EAPTLS_CertificateType PEM
>>
>>
>>
>> # EAPTLS_PrivateKeyFile is the name of the file
>> containing
>> # the servers private key. It is sometimes in the same
>> file
>> # as the server certificate (EAPTLS_CertificateFile)
>> # If the private key is encrypted (usually the case)
>> # then EAPTLS_PrivateKeyPassword is the key to
>> descrypt it
>> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>> EAPTLS_PrivateKeyPassword whatever
>>
>> # EAPTLS_RandomFile is an optional file containing
>> # randdomness
>> # EAPTLS_RandomFile %D/certificates/random
>>
>> # EAPTLS_MaxFragmentSize sets the maximum TLS fragemt
>> # size that will be replied by Radiator. It must be small
>> # enough to fit in a single Radius request (ie less
>> than 4096)
>> # and still leave enough space for other attributes
>> # Aironet APs seem to need a smaller MaxFragmentSize
>> # (eg 1024) than the default of 2048. Others need even
>> smaller sizes.
>> EAPTLS_MaxFragmentSize 1000
>>
>> # EAPTLS_DHFile if set specifies the DH group file. It
>> # may be required if you need to use ephemeral DH keys.
>> # EAPTLS_DHFile %D/certificates/cert/dh
>>
>>
>> # If EAPTLS_CRLCheck is set and the client presents a
>> certificate
>> # then Radiator will look for a certificate revocation
>> list (CRL)
>> # for the certificate issuer
>> # when authenticating each client. If a CRL file is
>> not found, or
>> # if the CRL says the certificate has neen revoked,
>> the authentication will
>> # fail with an error:
>> # SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>> # One or more CRLs can be named with the
>> EAPTLS_CRLFile parameter.
>> # Alternatively, CRLs may follow a file naming
>> convention:
>> # the hash of the issuer subject name
>> # and a suffix that depends on the serial number.
>> # eg ab1331b2.r0, ab1331b2.r1 etc.
>> # You can find out the hash of the issuer name in a
>> CRL with
>> # openssl crl -in crl.pem -hash -noout
>> # CRLs with tis name convention
>> # will be searched in EAPTLS_CAPath, else in the openssl
>> # certificates directory typically
>> /usr/local/openssl/certs/
>> # CRLs are expected to be in PEM format.
>> # A CRL files can be generated with openssl like this:
>> # openssl ca -gencrl -revoke cert-clt.pem
>> # openssl ca -gencrl -out crl.pem
>> # Use of these flags requires Net_SSLeay-1.21 or later
>> #EAPTLS_CRLCheck
>>
>> #EAPTLS_CRLFile %D/certificates/crl.pem
>> #EAPTLS_CRLFile %D/certificates/revocations.pem
>>
>> # Some clients, depending on their configuration, may
>> require you to specify
>> # MPPE send and receive keys. This _will_ be required
>> if you select
>> # 'Keys will be generated automatically for data
>> privacy' in the Funk Odyssey
>> # client Network Properties dialog.
>> # Automatically sets MS-MPPE-Send-Key and
>> MS-MPPE-Recv-Key
>> # in the final Access-Accept
>> AutoMPPEKeys
>>
>> # You can enable some warning messages from the
>> Net::SSLeay
>> # module by setting SSLeayTrace to an integer from 1 to 4
>> # 1=ciphers, 2=trace, 3=dump data
>> SSLeayTrace 4
>>
>> # You can configure the User-Name that will be used
>> for the inner
>> # authentication. Defaults to 'anonymous'. This can be
>> useful
>> # when proxying the inner authentication. If tehre is
>> a realm, it can
>> # be used to choose a local Realm to handle the inner
>> authentication.
>> # %0 is replaced with the EAP identitiy
>> # EAPAnonymous anonymous at some.other.realm
>>
>> # You can enable or disable support for TTLS Session
>> Resumption and
>> # PEAP Fast Reconnect with the
>> EAPTLS_SessionResumption flag.
>> # Default is enabled
>> #EAPTLS_SessionResumption 0
>>
>> # You can limit how long after the initial session
>> that a session can be resumed
>> # with EAPTLS_SessionResumptionLimit (time in
>> seconds). Defaults to 43200
>> # (12 hours)
>> #EAPTLS_SessionResumptionLimit 10
>> </AuthBy>
>> </Handler>
>>
>>
>>
>> ===
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list