(RADIATOR) How to configure Radiator to work with Cisco PEAP (Generic token)?
Bostjan Lemut
Bostjan.Lemut at arnes.si
Tue Sep 23 08:06:11 CDT 2003
Hugh,
Thanks for the info. I missed that one in the multitasking rush. The SA has already
installed the missing modules, and now I get a login screen on the W2k client.
Radiator still complains:
Tue Sep 23 14:46:04 2003: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
Tue Sep 23 14:46:04 2003: DEBUG: Deleting session for , 193.2.121.66, 285
Tue Sep 23 14:46:04 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Sep 23 14:46:04 2003: DEBUG: Handling with EAP: code 2, 0, 9
Tue Sep 23 14:46:04 2003: DEBUG: Response type 1
Tue Sep 23 14:46:04 2003: ERR: Could not load EAP module Radius::EAP_6: Can't locate Radius/EAP_6.pm in @INC (@INC contains: . /opt/gnu/lib/perl5/5.6.1/sun4-solaris /opt/gnu/lib/perl5/5.6.1 /opt/gnu/lib/perl5/site_perl/5.6.1/sun4-solaris /opt/gnu/lib/perl5/site_perl/5.6.1 /opt/gnu/lib/perl5/site_perl .) at (eval 40) line 3.
Tue Sep 23 14:46:04 2003: INFO: Access rejected for anonymous: Unsupported default EAP Response/Identity 6
I can't find any info on EAP type 6, and the module is missing. I'm trying to use
Generic-Token as the inner EAP.
Bostjan
Hugh Irvine wrote:
> Hello Bostjan -
>
> The log file does indeed complain about missing Perl modules.
>
>> Mon Sep 22 09:43:25 2003: ERR: Could not load EAP module
>> Radius::EAP_25: Can't locate Net/SSLeay.pm in @INC (@INC contains: .
>> /opt/gnu/lib/perl5/5.6.1/sun4-solaris /opt/gnu/lib/perl5/5.6.1
>> /opt/gnu/lib/perl5/site_perl/5.6.1/sun4-solaris
>> /opt/gnu/lib/perl5/site_perl/5.6.1 /opt/gnu/lib/perl5/site_perl .) at
>> /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP_25.pm line 24.
>> BEGIN failed--compilation aborted at
>> /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP_25.pm line 24.
>> Compilation failed in require at (eval 30) line 3.
>>
>
> See the comment header in the file "goodies/eap_peap.cfg".
>
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # Requires Net_SSLeay.pm-1.21 or later from CPAN.
> # Requires openssl 0.9.7beta3 or later from www.openssl.org
> # Requires Digest-HMAC from CPAN
> # Requires Digest-SHA1 from CPAN
> #
>
> You will need to install the prerequisite Perl modules shown above first.
>
> regards
>
> Hugh
>
>
> On Monday, Sep 22, 2003, at 18:02 Australia/Melbourne, Bostjan Lemut wrote:
>
>> Hi Hugh!
>>
>> I've backed up the old log file and restarted radiusd to log into a
>> clean logfile.
>> Radiator does not complain about anything at startup.
>>
>> Regards,
>>
>> Bostjan
>>
>> Insert from logfile:
>>
>> bash-2.05$ tail -f var/log/radius/logfile
>> Mon Sep 22 09:39:46 2003: DEBUG: Reading dictionary file
>> '/opt/home/bostjan/etc/raddb/dictionary'
>> Mon Sep 22 09:39:47 2003: DEBUG: Creating authentication port
>> {Radiator IP}:1645
>> Mon Sep 22 09:39:47 2003: DEBUG: Creating authentication port
>> {Radiator IP}:1812
>> Mon Sep 22 09:39:47 2003: DEBUG: Creating accounting port {Radiator
>> IP}:1646
>> Mon Sep 22 09:39:47 2003: DEBUG: Creating accounting port {Radiator
>> IP}:1813
>> Mon Sep 22 09:39:47 2003: DEBUG: Creating authentication port
>> 127.0.0.1:1645
>> Mon Sep 22 09:39:47 2003: DEBUG: Creating authentication port
>> 127.0.0.1:1812
>> Mon Sep 22 09:39:47 2003: DEBUG: Creating accounting port 127.0.0.1:1646
>> Mon Sep 22 09:39:47 2003: DEBUG: Creating accounting port 127.0.0.1:1813
>> Mon Sep 22 09:39:47 2003: NOTICE: Server started: Radiator 3.6 on kladivo
>> Mon Sep 22 09:43:25 2003: DEBUG: Packet dump:
>> *** Received from {Cisco ap IP} port 1645 ....
>> Code: Access-Request
>> Identifier: 20
>> Authentic: <17>Z<219>U<159><213><150>h<131>Mki<21>!(<139>
>> Attributes:
>> User-Name = "PEAP-00409649152D"
>> Framed-MTU = 1400
>> Called-Station-Id = "0002.8a9e.5739"
>> Calling-Station-Id = "0040.9649.152d"
>> Message-Authenticator =
>> <179>,<130><241><155><224>x<237><4><184><15><150>A<213><234>'
>> EAP-Message = <2><2><0><22><1>PEAP-00409649152D
>> NAS-Port-Type = Virtual
>> NAS-Port = 266
>> NAS-IP-Address = {Cisco ap IP}
>> NAS-Identifier = "ap"
>>
>> Mon Sep 22 09:43:25 2003: DEBUG: Handling request with Handler ''
>> Mon Sep 22 09:43:25 2003: DEBUG: Deleting session for
>> PEAP-00409649152D, {Cisco ap IP}, 266
>> Mon Sep 22 09:43:25 2003: DEBUG: Handling with Radius::AuthFILE:
>> Mon Sep 22 09:43:25 2003: DEBUG: Handling with EAP: code 2, 2, 22
>> Mon Sep 22 09:43:25 2003: DEBUG: Response type 1
>> Mon Sep 22 09:43:25 2003: ERR: Could not load EAP module
>> Radius::EAP_25: Can't locate Net/SSLeay.pm in @INC (@INC contains: .
>> /opt/gnu/lib/perl5/5.6.1/sun4-solaris /opt/gnu/lib/perl5/5.6.1
>> /opt/gnu/lib/perl5/site_perl/5.6.1/sun4-solaris
>> /opt/gnu/lib/perl5/site_perl/5.6.1 /opt/gnu/lib/perl5/site_perl .) at
>> /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP_25.pm line 24.
>> BEGIN failed--compilation aborted at
>> /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP_25.pm line 24.
>> Compilation failed in require at (eval 30) line 3.
>>
>> Mon Sep 22 09:43:25 2003: INFO: Access rejected for PEAP-00409649152D:
>> Unsupported default EAP Response/Identity 25
>> Mon Sep 22 09:43:25 2003: DEBUG: Packet dump:
>> *** Sending to {Cisco ap IP} port 1645 ....
>> Code: Access-Reject
>> Identifier: 20
>> Authentic: <17>Z<219>U<159><213><150>h<131>Mki<21>!(<139>
>> Attributes:
>> Reply-Message = "Request Denied"
>>
>>
>> Hugh Irvine wrote:
>>
>>> I suspect the problem occurred earlier in the log file and there is
>>> probably a prerequisite Perl module missing.
>>> You should check the messages in the log file from startup on.
>>
>>
>>> On Friday, Sep 19, 2003, at 17:46 Australia/Melbourne, Bostjan Lemut
>>> wrote:
>>>
>>>> I am relatively new to wireless and 802.1x authentication. A colleague
>>>> of mine left for another job and I was given the "wireless" project
>>>> with practically no knowledge of what to do.
>>>> In the Radiator 3.6 Installation and Reference Manual I read that the LEAP
>>>> and Generic Token EAP types are not supported, but then again, they
>>>> are supported in the patch for Radiator 3.6. So far I've successfully
>>>> tried LEAP authentication and it works fine, but that was easy.
>>>> I've tried the goodie for the PEAP type, changing the inner
>>>> protocol from MSCHAP-V2 to Generic-Token, but it does not seem to
>>>> work. I've also searched the mailing list archives and FAQs, but it
>>>> seems nobody has tried or had problems using Cisco PEAP (Generic Token).
>>>> Please give me some pointers or, better yet, a working example :-)
>>>>
>>>> I'm using a Cisco Aironet 1100 AP, a Cisco Aironet 340 WLAN adapter and
>>>> Radiator 3.6 with the patch, running radiusd as a non-root user.
>>>>
>>>> Radiator 3.6 log insert:
>>>>
>>>> Wed Sep 17 12:39:56 2003: DEBUG: Packet dump:
>>>> *** Received from {Cisco AP IP} port 1645 ....
>>>> Code: Access-Request
>>>> Identifier: 19
>>>> Authentic: S<213>\?|<203><205><253><238><162>W<140>1<190><139><251>
>>>> Attributes:
>>>> User-Name = "PEAP-00409649152D"
>>>> Framed-MTU = 1400
>>>> Called-Station-Id = "0002.8a9e.5739"
>>>> Calling-Station-Id = "0040.9649.152d"
>>>> Message-Authenticator =
>>>> /(&D<30>`<130>?<157><22><171>!<226><152>E<219>
>>>> EAP-Message = <2><1><0><22><1>PEAP-00409649152D
>>>> NAS-Port-Type = Virtual
>>>> NAS-Port = 265
>>>> NAS-IP-Address = {Cisco AP IP}
>>>> NAS-Identifier = "ap"
>>>>
>>>> Wed Sep 17 12:39:56 2003: DEBUG: Handling request with Handler ''
>>>> Wed Sep 17 12:39:56 2003: DEBUG: Deleting session for
>>>> PEAP-00409649152D, {Cisco ap IP}, 265
>>>> Wed Sep 17 12:39:56 2003: DEBUG: Handling with Radius::AuthFILE:
>>>> Wed Sep 17 12:39:56 2003: DEBUG: Handling with EAP: code 2, 1, 22
>>>> Wed Sep 17 12:39:56 2003: DEBUG: Response type 1
>>>> Wed Sep 17 12:39:56 2003: ERR: Could not handle an EAP request:
>>>> Can't locate object method "response_identity" via package
>>>> "Radius::EAP_25" (perhaps you forgot to load "Radius::EAP_25"?) at
>>>> /opt/gnu/lib/perl5/site_perl/5.6.1/Radius/EAP.pm line 142.
>>>>
>>>> Wed Sep 17 12:39:56 2003: INFO: Access rejected for
>>>> PEAP-00409649152D: Could not handle an EAP request
>>>> Wed Sep 17 12:39:56 2003: DEBUG: Packet dump:
>>>> *** Sending to {Cisco AP IP} port 1645 ....
>>>> Code: Access-Reject
>>>> Identifier: 19
>>>> Authentic: S<213>\?|<203><205><253><238><162>W<140>1<190><139><251>
>>>> Attributes:
>>>> Reply-Message = "Request Denied"
>>>>
>>>>
>>>> radius.cfg:
>>>>
>>>> # radius.cfg
>>>>
>>>> # Set this to the directory where your logfile and details file are to go
>>>> LogDir /opt/home/bostjan/var/log/radius
>>>>
>>>> # Set this to the database directory. It should contain these files:
>>>> # users The user database
>>>> # dictionary The dictionary for your NAS
>>>> DbDir /opt/home/bostjan/etc/raddb
>>>>
>>>> Trace 4
>>>> AuthPort 1645,1812
>>>> AcctPort 1646,1813
>>>> BindAddress {Radius server IP},127.0.0.1
>>>>
>>>> # This clause defines a single client to listen to
>>>> <Client DEFAULT>
>>>> IgnoreAcctSignature
>>>> Secret skritogeslo
>>>> DupInterval 0
>>>> </Client>
>>>>
>>>> # For testing: this allows us to honour requests from radpwtst
>>>> # on the same host.
>>>> <Client localhost>
>>>> IgnoreAcctSignature
>>>> Secret mysecret
>>>> DupInterval 0
>>>> </Client>
>>>>
>>>>
>>>> # This is where we authenticate a PEAP inner request, which will be an EAP
>>>> # request. The username of the inner request will be anonymous, although
>>>> # the identity of the EAP request will be the real username we are
>>>> # trying to authenticate.
>>>> <Handler TunnelledByPEAP=1>
>>>> <AuthBy FILE>
>>>> # anonymous-PEAP must be in here:
>>>> Filename %D/users
>>>>
>>>> # This tells the PEAP client what types of inner EAP requests
>>>> # we will honour
>>>> #EAPType MSCHAP-V2
>>>> EAPType Generic-Token
>>>> </AuthBy>
>>>> </Handler>
>>>>
>>>>
>>>> # The original PEAP request from a NAS will be sent to a matching
>>>> # Realm or Handler in the usual way, where it will be unpacked and the
>>>> # inner authentication extracted.
>>>> # The inner authentication request will be sent again to a matching
>>>> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used
>>>> # to select a specific handler, or else you can use EAPAnonymous to set a
>>>> # username and realm which can be used to select a Realm clause for the
>>>> # inner request.
>>>> # This allows you to select an inner authentication method based on Realm,
>>>> # and/or the fact that they were tunnelled. You can therefore act just as a
>>>> # PEAP server, or also act as the AAA/H home server, and authenticate PEAP
>>>> # requests locally or proxy them to another remote server based on the
>>>> # realm of the inner authentication request.
>>>> # In this basic example, both the inner and outer authentication are
>>>> # authenticated from a file by AuthBy FILE
>>>> <Handler>
>>>> <AuthBy FILE>
>>>> # The username of the outer authentication
>>>> # must be in this file to get anywhere. In this example,
>>>> # it requires an entry for 'anonymous' which is the standard username
>>>> # in the outer requests, and it also requires an entry for the
>>>> # actual user name who is trying to connect (ie the 'Login name' entered
>>>> # in the Funk Odyssey 'Edit Profile Properties' page)
>>>> Filename %D/users
>>>>
>>>> # EAPType sets the EAP type(s) that Radiator will honour.
>>>> # Options are: MD5-Challenge, One-Time-Password,
>>>> # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>>>> # Multiple types can be comma separated, with the default (most
>>>> # preferred) type given first
>>>> EAPType PEAP
>>>>
>>>> # EAPTLS_CAFile is the name of a file of CA certificates
>>>> # in PEM format. The file can contain several CA certificates.
>>>> # Radiator will first look in EAPTLS_CAFile then in
>>>> # EAPTLS_CAPath, so there usually is no need to set both
>>>> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>>>
>>>> # EAPTLS_CAPath is the name of a directory containing CA
>>>> # certificates in PEM format. The files each contain one
>>>> # CA certificate. The files are looked up by the CA
>>>> # subject name hash value
>>>> # EAPTLS_CAPath
>>>>
>>>> # EAPTLS_CertificateFile is the name of a file containing
>>>> # the server's certificate. EAPTLS_CertificateType
>>>> # specifies the type of the file. Can be PEM or ASN1,
>>>> # defaults to ASN1
>>>> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>>>> EAPTLS_CertificateType PEM
>>>>
>>>>
>>>>
>>>> # EAPTLS_PrivateKeyFile is the name of the file containing
>>>> # the server's private key. It is sometimes in the same file
>>>> # as the server certificate (EAPTLS_CertificateFile).
>>>> # If the private key is encrypted (usually the case)
>>>> # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>>>> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>>>> EAPTLS_PrivateKeyPassword whatever
>>>>
>>>> # EAPTLS_RandomFile is an optional file containing randomness
>>>> # EAPTLS_RandomFile %D/certificates/random
>>>>
>>>> # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>>>> # size that will be replied by Radiator. It must be small
>>>> # enough to fit in a single Radius request (ie less than 4096)
>>>> # and still leave enough space for other attributes.
>>>> # Aironet APs seem to need a smaller MaxFragmentSize
>>>> # (eg 1024) than the default of 2048. Others need even smaller sizes.
>>>> EAPTLS_MaxFragmentSize 1000
>>>>
>>>> # EAPTLS_DHFile if set specifies the DH group file. It
>>>> # may be required if you need to use ephemeral DH keys.
>>>> # EAPTLS_DHFile %D/certificates/cert/dh
>>>>
>>>>
>>>> # If EAPTLS_CRLCheck is set and the client presents a certificate
>>>> # then Radiator will look for a certificate revocation list (CRL)
>>>> # for the certificate issuer when authenticating each client.
>>>> # If a CRL file is not found, or if the CRL says the certificate
>>>> # has been revoked, the authentication will fail with an error:
>>>> # SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>>> # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
>>>> # Alternatively, CRLs may follow a file naming convention:
>>>> # the hash of the issuer subject name
>>>> # and a suffix that depends on the serial number.
>>>> # eg ab1331b2.r0, ab1331b2.r1 etc.
>>>> # You can find out the hash of the issuer name in a CRL with
>>>> # openssl crl -in crl.pem -hash -noout
>>>> # CRLs with this name convention
>>>> # will be searched in EAPTLS_CAPath, else in the openssl
>>>> # certificates directory, typically /usr/local/openssl/certs/
>>>> # CRLs are expected to be in PEM format.
>>>> # A CRL file can be generated with openssl like this:
>>>> # openssl ca -gencrl -revoke cert-clt.pem
>>>> # openssl ca -gencrl -out crl.pem
>>>> # Use of these flags requires Net_SSLeay-1.21 or later
>>>> #EAPTLS_CRLCheck
>>>>
>>>> #EAPTLS_CRLFile %D/certificates/crl.pem
>>>> #EAPTLS_CRLFile %D/certificates/revocations.pem
>>>>
>>>> # Some clients, depending on their configuration, may require you to
>>>> # specify MPPE send and receive keys. This _will_ be required if you
>>>> # select 'Keys will be generated automatically for data privacy' in the
>>>> # Funk Odyssey client Network Properties dialog.
>>>> # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>>>> # in the final Access-Accept
>>>> AutoMPPEKeys
>>>>
>>>> # You can enable some warning messages from the Net::SSLeay
>>>> # module by setting SSLeayTrace to an integer from 1 to 4
>>>> # 1=ciphers, 2=trace, 3=dump data
>>>> SSLeayTrace 4
>>>>
>>>> # You can configure the User-Name that will be used for the inner
>>>> # authentication. Defaults to 'anonymous'. This can be useful
>>>> # when proxying the inner authentication. If there is a realm, it can
>>>> # be used to choose a local Realm to handle the inner authentication.
>>>> # %0 is replaced with the EAP identity
>>>> # EAPAnonymous anonymous@some.other.realm
>>>>
>>>> # You can enable or disable support for TTLS Session Resumption and
>>>> # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
>>>> # Default is enabled
>>>> #EAPTLS_SessionResumption 0
>>>>
>>>> # You can limit how long after the initial session that a session can be
>>>> # resumed with EAPTLS_SessionResumptionLimit (time in seconds).
>>>> # Defaults to 43200 (12 hours)
>>>> #EAPTLS_SessionResumptionLimit 10
>>>> </AuthBy>
>>>> </Handler>
>>>>
>>>>
>>>>
>>>> ===
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>> NB: have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>
>>
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
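Added example (not part of the original thread and not Radiator's own Perl code): a small Python decoder for the EAP-Message attribute as it appears in the trace-4 packet dumps above, showing where the "code 2, 2, 22" / "Response type 1" log lines come from and which Radius::EAP_<n> module Radiator reaches for next. The EAP code and type numbers are from RFC 3748 and the IANA EAP registry (6 = Generic Token Card, 25 = PEAP); the reading of the dump's `<n>` notation and the `Radius::EAP_<type>` module naming are taken from the log lines in this thread. The function names and the sample inputs are mine, the inputs being constructed from the dumps posted above.

```python
import re
import struct

# EAP packet codes and method type numbers from RFC 3748 and the IANA
# EAP registry; the names use the spelling Radiator's EAPType accepts.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Nak",
    4: "MD5-Challenge",
    5: "One-Time-Password",
    6: "Generic-Token",      # Generic Token Card (GTC)
    13: "TLS",
    17: "LEAP",
    21: "TTLS",
    25: "PEAP",
    26: "MSCHAP-V2",
}
NAME_TO_TYPE = {name: num for num, name in EAP_TYPES.items()}

# Radiator's trace-4 packet dump prints binary attribute values with
# non-printable bytes as <n> (decimal) and printable bytes literally.
_DUMP_TOKEN = re.compile(r"<(\d+)>|(.)", re.S)


def radiator_dump_to_bytes(text):
    """Convert a dump rendering such as '<2><2><0><22><1>PEAP-0040...'
    back into raw bytes. Assumption: a literal '<' never starts a
    '<digits>' run in the printable part (true for the dumps above)."""
    out = bytearray()
    for num, ch in _DUMP_TOKEN.findall(text):
        if num:
            out.append(int(num))
        else:
            out.extend(ch.encode("latin-1"))
    return bytes(out)


def parse_eap(packet):
    """Decode the RFC 3748 EAP header: Code(1) Identifier(1) Length(2),
    then, for Request/Response, a Type byte and type-specific data."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length field {length} != {len(packet)} bytes present")
    parsed = {"code": code, "code_name": EAP_CODES.get(code, "unknown"),
              "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response without a Type byte")
        eap_type = packet[4]
        parsed["type"] = eap_type
        parsed["type_name"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        parsed["data"] = packet[5:]
    return parsed


def radiator_module(eap_type):
    """Perl module Radiator loads for an EAP method, as the log shows
    ("Could not load EAP module Radius::EAP_25")."""
    return f"Radius::EAP_{eap_type}"


def default_method_module(eaptype_directive):
    """Given the 'EAPType a,b,c' value of an AuthBy clause (first = default),
    return the module Radiator needs once the Identity response arrives."""
    first = eaptype_directive.split(",")[0].strip()
    if first not in NAME_TO_TYPE:
        raise ValueError(f"unknown EAPType name {first!r}")
    return radiator_module(NAME_TO_TYPE[first])


def explain(dump_text, eaptype_directive):
    """Summarise, in the wording of the log above, one EAP-Message."""
    p = parse_eap(radiator_dump_to_bytes(dump_text))
    line = (f"Handling with EAP: code {p['code']}, {p['id']}, {p['length']}; "
            f"Response type {p.get('type')} ({p.get('type_name')})")
    if p.get("type") == 1:
        line += f"; next module: {default_method_module(eaptype_directive)}"
    return line


if __name__ == "__main__":
    # Constructed from the EAP-Message attribute in the Sep 22 packet dump,
    # handled by the outer <Handler> whose AuthBy has 'EAPType PEAP'.
    print(explain("<2><2><0><22><1>PEAP-00409649152D", "PEAP"))
    # The inner handler from the posted radius.cfg uses 'EAPType Generic-Token'.
    print(default_method_module("Generic-Token"))
```

Running it prints the same "code 2, 2, 22" and "Response type 1" the log shows for the outer request, followed by Radius::EAP_25, and Radius::EAP_6 for the tunnelled handler; both are the modules that the two "Could not load EAP module" errors in this thread name. A length field that disagrees with the bytes present is rejected rather than trusted, which is the check to keep in anything that parses EAP off the wire.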