(RADIATOR) Inner Auth MSCHAP-V2 failure
Alexandre Frederico de Sousa
asousa at hiperbit.pt
Mon Apr 12 09:27:13 CDT 2004
I have a Radius environment in which I have set Radius to get the
authentication information from the Active Directory LDAP server using
AuthBy LDAP2. The purpose is to have Cisco 1100 APs authenticate wireless
users using 802.1x. The wireless clients are mostly running Windows XP,
using PEAP and MSCHAP-V2 to authenticate on the wireless network.
I have configured Radiator's Handler for the local realm and the handler for
the PEAP requests.
I have run through a series of problems and now I'm stuck with a PEAP
authentication problem regarding a MSCHAP-V2 authentication failure.
Together with this email I'm sending a sample of my configuration and a
level 4 trace file. I was wondering if someone could give me a hint at
what's wrong this time.
Best Regards,
Alexandre Sousa
--------------------------------------------------------------------------
Configuration File
AuthPort 1812
AcctPort 1813
LogDir /var/log/radius
DbDir /etc/radius
DictionaryFile /etc/radius/dictionary,/etc/radius/dictionary.ascend,/etc/radius/dictionary.cisco
PidFile /var/run/radius.pid
Trace 4
*** SKIPPED LOG SECTION ***
## Client for local tests
<Client 10.0.0.209>
    Secret passwordgoeshere
    Identifier testelocal
    DupInterval 0
</Client>
## Clients for local APs
<Client 10.0.0.206>
    Secret passwordgoeshere
    Identifier localuser
</Client>
####### Special Purpose Rewrites
####### In case the user has a DOMAIN\USER username, this takes care of it
RewriteUsername s/^(.+)\\(.+)$/$2\@$1/
####### HANDLERS
## To local LDAP (W2K AD Server)
<Handler Realm=SAMPLE.ORG>
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy LDAP2>
        Host 10.0.0.10
        AuthDN cn=Administrator,cn=Users,dc=SAMPLE,dc=ORG
        AuthPassword passwordgoeshere
        BaseDN cn=Users,dc=SAMPLE,dc=ORG
        ServerChecksPassword
        UsernameAttr sAMAccountName
        AuthAttrDef logonHours,MS-Login-Hours,check
        Version 3
        EAPType PEAP
        EAPAnonymous %n
        EAPTLS_CAFile /etc/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile /etc/certificates/servername.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/certificates/servername.pem
        EAPTLS_PrivateKeyPassword passwordgoeshere
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        SSLeayTrace 4
    </AuthBy>
</Handler>
## Inner (tunnelled) authentication for PEAP
<Handler TunnelledByPEAP=1>
    <AuthBy LDAP2>
        Host 10.0.0.10
        AuthDN cn=Administrator,cn=Users,dc=SAMPLE,dc=ORG
        AuthPassword passwordgoeshere
        BaseDN cn=Users,dc=SAMPLE,dc=ORG
        ServerChecksPassword
        UsernameAttr sAMAccountName
        AuthAttrDef logonHours,MS-Login-Hours,check
        Version 3
        EAPType MSCHAP-V2
        RewriteUsername s/^([^@]+).*/$1/
    </AuthBy>
</Handler>
The level 4 tracefile is on the attached file.
A non-text attachment was scrubbed...
Name: logfile
Type: application/octet-stream
Size: 20841 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20040412/8ff77806/attachment.obj>
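The configuration above has two things a reviewer would check before reading the trace: the `<Handler ...>` blocks are closed with `</Realm>` instead of `</Handler>`, and the inner-authentication `<AuthBy LDAP2>` sets `EAPType MSCHAP-V2` together with `ServerChecksPassword`. The second combination cannot succeed by construction: with `ServerChecksPassword` the server verifies a password by binding to LDAP with it, which only works when the plaintext password arrives in the request (PAP), whereas MSCHAP-V2 is a challenge/response exchange whose response can only be checked by a server that holds the user's NT hash or plaintext password. The following lint is an added example, not part of the post and not Radiator code; its parser is a minimal approximation of Radiator's block syntax, the sample configs are constructed with the same placeholder values as the post, and the "fixed" sample only shows the two findings cleared, since what actually supplies a verifiable credential for MSCHAP-V2 depends on where the password hash is held.

```python
"""Lint a Radiator-style config for mismatched block tags and for an inner
MSCHAP-V2 AuthBy that relies on ServerChecksPassword (an LDAP bind).
Added example, not Radiator code; the parser is a minimal approximation of
Radiator's real config syntax and both sample configs are constructed."""
import re
from dataclasses import dataclass, field

OPEN_RE = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")   # <Handler ...>, <AuthBy LDAP2>
CLOSE_RE = re.compile(r"^</(\w+)>$")               # </Handler>, </AuthBy>


@dataclass
class Block:
    kind: str                                      # "Handler", "AuthBy", "Client"
    arg: str                                       # text after the kind, e.g. "LDAP2"
    opened_at: int                                 # line number of the open tag
    params: dict = field(default_factory=dict)     # parameter name -> list of values
    children: list = field(default_factory=list)   # nested blocks


def parse_config(text):
    """Return (root_block, errors); errors describe nesting problems only."""
    root = Block("root", "", 0)
    stack = [root]
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN_RE.match(line):
            blk = Block(m.group(1), m.group(2) or "", lineno)
            stack[-1].children.append(blk)
            stack.append(blk)
        elif m := CLOSE_RE.match(line):
            if len(stack) == 1:
                errors.append(f"line {lineno}: stray </{m.group(1)}> with no open block")
                continue
            blk = stack.pop()
            if blk.kind != m.group(1):
                errors.append(f"line {lineno}: </{m.group(1)}> closes <{blk.kind} {blk.arg}> "
                              f"opened on line {blk.opened_at}")
        else:
            # Bare flags such as ServerChecksPassword get an empty value.
            name, _, value = line.partition(" ")
            stack[-1].params.setdefault(name, []).append(value.strip())
    for blk in stack[1:]:
        errors.append(f"line {blk.opened_at}: <{blk.kind} {blk.arg}> is never closed")
    return root, errors


def check_mschap_inner_auth(root):
    """Flag AuthBy blocks combining EAPType MSCHAP-V2 with ServerChecksPassword.
    An LDAP bind can only test a plaintext password, so it can never verify
    an MSCHAP-V2 challenge/response."""
    findings = []

    def walk(blk):
        for child in blk.children:
            if child.kind == "AuthBy":
                if ("MSCHAP-V2" in child.params.get("EAPType", [])
                        and "ServerChecksPassword" in child.params):
                    findings.append(f"line {child.opened_at}: <AuthBy {child.arg}> uses EAPType "
                                    "MSCHAP-V2 with ServerChecksPassword; an LDAP bind cannot "
                                    "check a challenge/response, so inner auth will fail")
            walk(child)

    walk(root)
    return findings


def lint(text):
    """All findings for one config text, nesting errors first."""
    root, errors = parse_config(text)
    return errors + check_mschap_inner_auth(root)


# Constructed sample mirroring the shape of the post's inner-auth handler.
BROKEN = """\
<Handler TunnelledByPEAP=1>
    <AuthBy LDAP2>
        Host 10.0.0.10
        BaseDN cn=Users,dc=SAMPLE,dc=ORG
        ServerChecksPassword
        UsernameAttr sAMAccountName
        EAPType MSCHAP-V2
    </AuthBy>
</Realm>
"""

# Same handler with the block closed correctly and the bind-based check removed.
FIXED = """\
<Handler TunnelledByPEAP=1>
    <AuthBy LDAP2>
        Host 10.0.0.10
        BaseDN cn=Users,dc=SAMPLE,dc=ORG
        UsernameAttr sAMAccountName
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint(cfg) or "no findings")
```

Running it reports, for the broken sample, the `</Realm>` closing the `<Handler TunnelledByPEAP=1>` block and the MSCHAP-V2/ServerChecksPassword conflict on the `<AuthBy LDAP2>` line; the fixed sample produces no findings. The same `lint()` call can be pointed at a full radius.cfg to catch these before turning the trace level up.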