(RADIATOR) How to configure Radiator to work with Cisco PEAP (Generic token)?
Hugh Irvine
hugh at open.com.au
Mon Sep 22 17:16:52 CDT 2003
Hello Bostjan -
The log file does indeed complain about missing Perl modules.
> Mon Sep 22 09:43:25 2003: ERR: Could not load EAP module
> Radius::EAP_25: Can't locate Net/SSLeay.pm in @INC (@INC contains: .
> /opt/gnu/lib/perl5/5.6.1/sun4-solaris /opt/gnu/lib/perl5/5.6.1
> /opt/gnu/lib/perl5/site_perl/5.6.1/sun4-solaris
> /opt/gnu/lib/perl5/site_perl/5.6.1 /opt/gnu/lib/perl5/site_perl .) at
> /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP_25.pm line 24.
> BEGIN failed--compilation aborted at
> /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP_25.pm line 24.
> Compilation failed in require at (eval 30) line 3.
>
See the comment header in the file "goodies/eap_peap.cfg".
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# Requires Net_SSLeay.pm-1.21 or later from CPAN.
# Requires openssl 0.9.7beta3 or later from www.openssl.org
# Requires Digest-HMAC from CPAN
# Requires Digest-SHA1 from CPAN
#
You will need to install the prerequisite Perl modules shown above
first.
regards
Hugh
On Monday, Sep 22, 2003, at 18:02 Australia/Melbourne, Bostjan Lemut
wrote:
> Hi Hugh!
>
> I've backed up the old log file and restarted radiusd to log into a
> clean logfile.
> Radiator does not complain about anything at startup.
>
> Regards,
>
> Bostjan
>
> Insert from logfile:
>
> bash-2.05$ tail -f var/log/radius/logfile
> Mon Sep 22 09:39:46 2003: DEBUG: Reading dictionary file
> '/opt/home/bostjan/etc/raddb/dictionary'
> Mon Sep 22 09:39:47 2003: DEBUG: Creating authentication port
> {Radiator IP}:1645
> Mon Sep 22 09:39:47 2003: DEBUG: Creating authentication port
> {Radiator IP}:1812
> Mon Sep 22 09:39:47 2003: DEBUG: Creating accounting port {Radiator
> IP}:1646
> Mon Sep 22 09:39:47 2003: DEBUG: Creating accounting port {Radiator
> IP}:1813
> Mon Sep 22 09:39:47 2003: DEBUG: Creating authentication port
> 127.0.0.1:1645
> Mon Sep 22 09:39:47 2003: DEBUG: Creating authentication port
> 127.0.0.1:1812
> Mon Sep 22 09:39:47 2003: DEBUG: Creating accounting port
> 127.0.0.1:1646
> Mon Sep 22 09:39:47 2003: DEBUG: Creating accounting port
> 127.0.0.1:1813
> Mon Sep 22 09:39:47 2003: NOTICE: Server started: Radiator 3.6 on
> kladivo
> Mon Sep 22 09:43:25 2003: DEBUG: Packet dump:
> *** Received from {Cisco ap IP} port 1645 ....
> Code: Access-Request
> Identifier: 20
> Authentic: <17>Z<219>U<159><213><150>h<131>Mki<21>!(<139>
> Attributes:
> User-Name = "PEAP-00409649152D"
> Framed-MTU = 1400
> Called-Station-Id = "0002.8a9e.5739"
> Calling-Station-Id = "0040.9649.152d"
> Message-Authenticator =
> <179>,<130><241><155><224>x<237><4><184><15><150>A<213><234>'
> EAP-Message = <2><2><0><22><1>PEAP-00409649152D
> NAS-Port-Type = Virtual
> NAS-Port = 266
> NAS-IP-Address = {Cisco ap IP}
> NAS-Identifier = "ap"
>
> Mon Sep 22 09:43:25 2003: DEBUG: Handling request with Handler ''
> Mon Sep 22 09:43:25 2003: DEBUG: Deleting session for
> PEAP-00409649152D, {Cisco ap IP}, 266
> Mon Sep 22 09:43:25 2003: DEBUG: Handling with Radius::AuthFILE:
> Mon Sep 22 09:43:25 2003: DEBUG: Handling with EAP: code 2, 2, 22
> Mon Sep 22 09:43:25 2003: DEBUG: Response type 1
> Mon Sep 22 09:43:25 2003: ERR: Could not load EAP module
> Radius::EAP_25: Can't locate Net/SSLeay.pm in @INC (@INC contains: .
> /opt/gnu/lib/perl5/5.6.1/sun4-solaris /opt/gnu/lib/perl5/5.6.1
> /opt/gnu/lib/perl5/site_perl/5.6.1/sun4-solaris
> /opt/gnu/lib/perl5/site_perl/5.6.1 /opt/gnu/lib/perl5/site_perl .) at
> /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP_25.pm line 24.
> BEGIN failed--compilation aborted at
> /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP_25.pm line 24.
> Compilation failed in require at (eval 30) line 3.
>
> Mon Sep 22 09:43:25 2003: INFO: Access rejected for PEAP-00409649152D:
> Unsupported default EAP Response/Identity 25
> Mon Sep 22 09:43:25 2003: DEBUG: Packet dump:
> *** Sending to {Cisco ap IP} port 1645 ....
> Code: Access-Reject
> Identifier: 20
> Authentic: <17>Z<219>U<159><213><150>h<131>Mki<21>!(<139>
> Attributes:
> Reply-Message = "Request Denied"
>
>
> Hugh Irvine wrote:
>
>> I suspect the problem occurred earlier in the log file and there is
>> probably a prerequisite Perl module missing.
>> You should check the messages in the log file from startup on.
>
>> On Friday, Sep 19, 2003, at 17:46 Australia/Melbourne, Bostjan Lemut
>> wrote:
>>> I am relatively new to wireless and 802.1x authentication. A colleague
>>> of mine left for another job and I was given the "wireless" project
>>> with practically no knowledge of what to do.
>>> In the Radiator 3.6 Installation and Reference Manual I've read that the LEAP
>>> and Generic token EAP types are not supported, but then again, they
>>> are supported in the patch for Radiator 3.6. So far I've successfully
>>> tried the LEAP authentication and it works fine, but that was easy.
>>> I've tried the goodie for the PEAP type, changing the inner
>>> protocol from MSCHAP-V2 to Generic-Token, but it does not seem to
>>> work. I've also searched the mailing list archives and FAQs, but it
>>> seems nobody tried or had problems using Cisco PEAP (Generic Token).
>>> Please, give me some pointers or, better yet, a working example :-)
>>>
>>> I'm using Cisco ap Aironet 1100, Cisco Aironet 340 WLAN adapter and
>>> Radiator 3.6 with patch, running radiusd as a user.
>>>
>>> Radiator 3.6 log insert:
>>>
>>> Wed Sep 17 12:39:56 2003: DEBUG: Packet dump:
>>> *** Received from {Cisco AP IP} port 1645 ....
>>> Code: Access-Request
>>> Identifier: 19
>>> Authentic: S<213>\?|<203><205><253><238><162>W<140>1<190><139><251>
>>> Attributes:
>>> User-Name = "PEAP-00409649152D"
>>> Framed-MTU = 1400
>>> Called-Station-Id = "0002.8a9e.5739"
>>> Calling-Station-Id = "0040.9649.152d"
>>> Message-Authenticator =
>>> /(&D<30>`<130>?<157><22><171>!<226><152>E<219>
>>> EAP-Message = <2><1><0><22><1>PEAP-00409649152D
>>> NAS-Port-Type = Virtual
>>> NAS-Port = 265
>>> NAS-IP-Address = {Cisco AP IP}
>>> NAS-Identifier = "ap"
>>>
>>> Wed Sep 17 12:39:56 2003: DEBUG: Handling request with Handler ''
>>> Wed Sep 17 12:39:56 2003: DEBUG: Deleting session for
>>> PEAP-00409649152D, {Cisco ap IP}, 265
>>> Wed Sep 17 12:39:56 2003: DEBUG: Handling with Radius::AuthFILE:
>>> Wed Sep 17 12:39:56 2003: DEBUG: Handling with EAP: code 2, 1, 22
>>> Wed Sep 17 12:39:56 2003: DEBUG: Response type 1
>>> Wed Sep 17 12:39:56 2003: ERR: Could not handle an EAP request:
>>> Can't locate object method "response_identity" via package
>>> "Radius::EAP_25" (perhaps you forgot to load "Radius::EAP_25"?) at
>>> /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP.pm line 142.
>>>
>>> Wed Sep 17 12:39:56 2003: INFO: Access rejected for
>>> PEAP-00409649152D: Could not handle an EAP request
>>> Wed Sep 17 12:39:56 2003: DEBUG: Packet dump:
>>> *** Sending to {Cisco AP IP} port 1645 ....
>>> Code: Access-Reject
>>> Identifier: 19
>>> Authentic: S<213>\?|<203><205><253><238><162>W<140>1<190><139><251>
>>> Attributes:
>>> Reply-Message = "Request Denied"
>>>
>>>
>>> radius.cfg:
>>>
>>> # radius.cfg
>>>
>>> # Set this to the directory where your logfile and details file are to go
>>> LogDir /opt/home/bostjan/var/log/radius
>>>
>>> # Set this to the database directory. It should contain these files:
>>> #   users       The user database
>>> #   dictionary  The dictionary for your NAS
>>> DbDir /opt/home/bostjan/etc/raddb
>>>
>>> Trace 4
>>> AuthPort 1645,1812
>>> AcctPort 1646,1813
>>> BindAddress {Radius server IP},127.0.0.1
>>>
>>> # This clause defines a single client to listen to
>>> <Client DEFAULT>
>>>     IgnoreAcctSignature
>>>     Secret skritogeslo
>>>     DupInterval 0
>>> </Client>
>>>
>>> # For testing: this allows us to honour requests from radpwtst
>>> # on the same host.
>>> <Client localhost>
>>>     IgnoreAcctSignature
>>>     Secret mysecret
>>>     DupInterval 0
>>> </Client>
>>>
>>>
>>>
>>> # For testing: this allows us to honour requests from radpwtst
>>> # on the same host.
>>> <Client localhost>
>>>     IgnoreAcctSignature
>>>     Secret mysecret
>>>     DupInterval 0
>>> </Client>
>>>
>>>
>>>
>>> # This is where we authenticate a PEAP inner request, which will be an EAP
>>> # request. The username of the inner request will be anonymous, although
>>> # the identity of the EAP request will be the real username we are
>>> # trying to authenticate.
>>> <Handler TunnelledByPEAP=1>
>>>     <AuthBy FILE>
>>>         # anonymous-PEAP must be in here:
>>>         Filename %D/users
>>>
>>>         # This tells the PEAP client what types of inner EAP requests
>>>         # we will honour
>>>         #EAPType MSCHAP-V2
>>>         EAPType Generic-Token
>>>     </AuthBy>
>>> </Handler>
>>>
>>>
>>> # The original PEAP request from a NAS will be sent to a matching
>>> # Realm or Handler in the usual way, where it will be unpacked and
>>> # the inner authentication extracted.
>>> # The inner authentication request will be sent again to a matching
>>> # Realm or Handler. The special check item TunnelledByPEAP=1 can be
>>> # used to select a specific handler, or else you can use EAPAnonymous
>>> # to set a username and realm which can be used to select a Realm
>>> # clause for the inner request.
>>> # This allows you to select an inner authentication method based on
>>> # Realm, and/or the fact that they were tunnelled. You can therefore
>>> # act just as a PEAP server, or also act as the AAA/H home server, and
>>> # authenticate PEAP requests locally or proxy them to another remote
>>> # server based on the realm of the inner authentication request.
>>> # In this basic example, both the inner and outer authentication are
>>> # authenticated from a file by AuthBy FILE
>>> <Handler>
>>>     <AuthBy FILE>
>>>         # The username of the outer authentication
>>>         # must be in this file to get anywhere. In this example,
>>>         # it requires an entry for 'anonymous' which is the standard
>>>         # username in the outer requests, and it also requires an
>>>         # entry for the actual user name who is trying to connect
>>>         # (ie the 'Login name' entered in the Funk Odyssey
>>>         # 'Edit Profile Properties' page)
>>>         Filename %D/users
>>>
>>>         # EAPType sets the EAP type(s) that Radiator will honour.
>>>         # Options are: MD5-Challenge, One-Time-Password
>>>         # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>>>         # Multiple types can be comma separated. With the default (most
>>>         # preferred) type given first
>>>         EAPType PEAP
>>>
>>>         # EAPTLS_CAFile is the name of a file of CA certificates
>>>         # in PEM format. The file can contain several CA certificates
>>>         # Radiator will first look in EAPTLS_CAFile then in
>>>         # EAPTLS_CAPath, so there usually is no need to set both
>>>         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>>
>>>         # EAPTLS_CAPath is the name of a directory containing CA
>>>         # certificates in PEM format. The files each contain one
>>>         # CA certificate. The files are looked up by the CA
>>>         # subject name hash value
>>>         # EAPTLS_CAPath
>>>
>>>         # EAPTLS_CertificateFile is the name of a file containing
>>>         # the server's certificate. EAPTLS_CertificateType
>>>         # specifies the type of the file. Can be PEM or ASN1
>>>         # defaults to ASN1
>>>         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>>>         EAPTLS_CertificateType PEM
>>>
>>>
>>>
>>>         # EAPTLS_PrivateKeyFile is the name of the file containing
>>>         # the server's private key. It is sometimes in the same file
>>>         # as the server certificate (EAPTLS_CertificateFile)
>>>         # If the private key is encrypted (usually the case)
>>>         # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>>>         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>>>         EAPTLS_PrivateKeyPassword whatever
>>>
>>>         # EAPTLS_RandomFile is an optional file containing
>>>         # randomness
>>>         # EAPTLS_RandomFile %D/certificates/random
>>>
>>>         # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>>>         # size that will be replied by Radiator. It must be small
>>>         # enough to fit in a single Radius request (ie less than 4096)
>>>         # and still leave enough space for other attributes
>>>         # Aironet APs seem to need a smaller MaxFragmentSize
>>>         # (eg 1024) than the default of 2048. Others need even
>>>         # smaller sizes.
>>>         EAPTLS_MaxFragmentSize 1000
>>>
>>>         # EAPTLS_DHFile if set specifies the DH group file. It
>>>         # may be required if you need to use ephemeral DH keys.
>>>         # EAPTLS_DHFile %D/certificates/cert/dh
>>>
>>>
>>>         # If EAPTLS_CRLCheck is set and the client presents a certificate
>>>         # then Radiator will look for a certificate revocation list (CRL)
>>>         # for the certificate issuer
>>>         # when authenticating each client. If a CRL file is not found, or
>>>         # if the CRL says the certificate has been revoked, the
>>>         # authentication will fail with an error:
>>>         #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>>         # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
>>>         # Alternatively, CRLs may follow a file naming convention:
>>>         # the hash of the issuer subject name
>>>         # and a suffix that depends on the serial number.
>>>         # eg ab1331b2.r0, ab1331b2.r1 etc.
>>>         # You can find out the hash of the issuer name in a CRL with
>>>         #   openssl crl -in crl.pem -hash -noout
>>>         # CRLs with this name convention
>>>         # will be searched in EAPTLS_CAPath, else in the openssl
>>>         # certificates directory, typically /usr/local/openssl/certs/
>>>         # CRLs are expected to be in PEM format.
>>>         # CRL files can be generated with openssl like this:
>>>         #   openssl ca -gencrl -revoke cert-clt.pem
>>>         #   openssl ca -gencrl -out crl.pem
>>>         # Use of these flags requires Net_SSLeay-1.21 or later
>>>         #EAPTLS_CRLCheck
>>>
>>>         #EAPTLS_CRLFile %D/certificates/crl.pem
>>>         #EAPTLS_CRLFile %D/certificates/revocations.pem
>>>
>>>         # Some clients, depending on their configuration, may require
>>>         # you to specify MPPE send and receive keys. This _will_ be
>>>         # required if you select 'Keys will be generated automatically
>>>         # for data privacy' in the Funk Odyssey client Network
>>>         # Properties dialog.
>>>         # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>>>         # in the final Access-Accept
>>>         AutoMPPEKeys
>>>
>>>         # You can enable some warning messages from the Net::SSLeay
>>>         # module by setting SSLeayTrace to an integer from 1 to 4
>>>         # 1=ciphers, 2=trace, 3=dump data
>>>         SSLeayTrace 4
>>>
>>>         # You can configure the User-Name that will be used for the inner
>>>         # authentication. Defaults to 'anonymous'. This can be useful
>>>         # when proxying the inner authentication. If there is a realm,
>>>         # it can be used to choose a local Realm to handle the
>>>         # inner authentication.
>>>         # %0 is replaced with the EAP identity
>>>         # EAPAnonymous anonymous@some.other.realm
>>>
>>>         # You can enable or disable support for TTLS Session Resumption and
>>>         # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
>>>         # Default is enabled
>>>         #EAPTLS_SessionResumption 0
>>>
>>>         # You can limit how long after the initial session that a session
>>>         # can be resumed with EAPTLS_SessionResumptionLimit (time in
>>>         # seconds). Defaults to 43200 (12 hours)
>>>         #EAPTLS_SessionResumptionLimit 10
>>>     </AuthBy>
>>> </Handler>
>>>
>>>
>>>
>>> ===
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
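The trace 4 output quoted in this thread shows the two things worth reading off a failed PEAP attempt: the EAP-Message attribute in the packet dump (which Radiator summarises as "Handling with EAP: code 2, 2, 22" and "Response type 1"), and the "Could not load EAP module Radius::EAP_25" error that names the missing Perl module. The script below is an added example written for this thread, not Radiator code; it decodes Radiator's `<decimal>` byte rendering back into an EAP packet (Code, Identifier, Length, Type, Type-Data per RFC 3748), and pulls the missing module out of the load error so an operator can see at a glance why the Access-Reject happened. The embedded log excerpt is constructed from the thread with the mail client's line wrapping removed and the AP address replaced by a placeholder; the EAP type-number table is the IANA assignment (Radiator's `Radius::EAP_<n>` module number is the EAP type number, hence EAP_25 for PEAP).

```python
"""Decode Radiator trace-4 log lines: EAP-Message dumps and EAP module load errors.

Added example for this mailing-list thread, not Radiator's own code. It assumes
Radiator's packet-dump convention: non-printable bytes are shown as <decimal>,
printable bytes as themselves.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 3748 codes and IANA EAP method type numbers (Radius::EAP_<n> == type n)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             5: "One-Time-Password", 6: "Generic-Token", 13: "TLS", 17: "LEAP",
             21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2"}

_ESCAPED = re.compile(r"<(\d{1,3})>")


def decode_dump(text: str) -> bytes:
    """Turn Radiator's '<2><2><0><22><1>PEAP-...' rendering back into raw bytes."""
    out = bytearray()
    pos = 0
    while pos < len(text):
        m = _ESCAPED.match(text, pos)
        if m and int(m.group(1)) < 256:
            out.append(int(m.group(1)))
            pos = m.end()
        else:
            out.append(ord(text[pos]) & 0xFF)   # printable byte shown as-is
            pos += 1
    return bytes(out)


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # only Request/Response carry a Type byte
    data: bytes

    def describe(self) -> str:
        code = EAP_CODES.get(self.code, f"code {self.code}")
        if self.eap_type is None:
            return f"{code} id={self.identifier}"
        name = EAP_TYPES.get(self.eap_type, f"type {self.eap_type}")
        if self.eap_type == 1:   # Identity: Type-Data is the NAI / username
            return f"{code} id={self.identifier} {name} {self.data.decode('ascii', 'replace')!r}"
        return f"{code} id={self.identifier} {name} ({len(self.data)} bytes)"


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):   # the Length field must cover the whole packet
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes present")
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response must carry a Type byte")
        return EapPacket(code, ident, length, raw[4], raw[5:])
    return EapPacket(code, ident, length, None, raw[4:])


_EAP_ATTR = re.compile(r"EAP-Message = (.+?)\s*$")
_LOAD_ERR = re.compile(r"Could not load EAP module Radius::EAP_(\d+): Can't locate (\S+)\.pm in @INC")


def analyse_log(log: str) -> Tuple[List[EapPacket], List[Tuple[int, str]]]:
    """Return (decoded EAP packets, [(EAP type, missing Perl module)]) from trace 4 output."""
    packets, missing = [], []
    for line in log.splitlines():
        m = _EAP_ATTR.search(line)
        if m:
            packets.append(parse_eap(decode_dump(m.group(1))))
            continue
        m = _LOAD_ERR.search(line)
        if m:   # 'Net/SSLeay' in @INC terms is the module Net::SSLeay
            missing.append((int(m.group(1)), m.group(2).replace("/", "::")))
    return packets, missing


def prerequisite_advice(missing: List[Tuple[int, str]]) -> List[str]:
    return [f"EAP type {t} ({EAP_TYPES.get(t, 'unknown')}) handler failed to load: "
            f"install Perl module {mod}" for t, mod in missing]


# Constructed from the thread's trace 4 excerpt; 192.0.2.10 is a placeholder AP address.
SAMPLE_LOG = """\
Mon Sep 22 09:43:25 2003: DEBUG: Packet dump:
*** Received from 192.0.2.10 port 1645 ....
Code: Access-Request
Identifier: 20
Attributes:
\tUser-Name = "PEAP-00409649152D"
\tEAP-Message = <2><2><0><22><1>PEAP-00409649152D
\tNAS-Port = 266
Mon Sep 22 09:43:25 2003: DEBUG: Handling with EAP: code 2, 2, 22
Mon Sep 22 09:43:25 2003: DEBUG: Response type 1
Mon Sep 22 09:43:25 2003: ERR: Could not load EAP module Radius::EAP_25: Can't locate Net/SSLeay.pm in @INC (@INC contains: . /opt/gnu/lib/perl5/5.6.1) at /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP_25.pm line 24.
Mon Sep 22 09:43:25 2003: INFO: Access rejected for PEAP-00409649152D: Unsupported default EAP Response/Identity 25
"""

if __name__ == "__main__":
    pkts, gone = analyse_log(SAMPLE_LOG)
    for p in pkts:
        print(p.describe())
    for advice in prerequisite_advice(gone):
        print(advice)
```

Run against the excerpt it prints the decoded identity response and a single line naming Net::SSLeay as the module to install, which matches the prerequisites listed in the eap_peap.cfg header quoted above. The length check in `parse_eap` is deliberate: a truncated or mis-decoded EAP-Message should be reported rather than silently parsed.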