(RADIATOR) Possible to Proxy PEAP-EAP-MSCHAP v2 to IAS?
Kawakubo, Ken
kkawakub at fhcrc.org
Mon Feb 9 11:17:56 CST 2004
Hi,
We use 3 EAP types: PEAP-EAP-MSCHAPv2 for Windows XP and 2K, LEAP for MacOSX
10.2 and Cisco wireless VoIP phone, and EAP-TTLS-PAP for the rest. Since
the LSA module was not yet available when we designed our wireless LAN, and we
use AD for authentication, we proxy PEAP-EAP-MSCHAPv2 and LEAP auth requests
to IAS and Funk Odyssey respectively. As Mike pointed out, we cannot just
forward inner auth requests. This means that we cannot use <Handler
TunnelledByTTLS=1> and <Handler TunnelledByPEAP=1> to differentiate packets.
What we did was as follows: if the outer identity is anonymous, then use
EAP-TTLS-PAP to authenticate (locally authenticate); if the realm is
xxxx at fhcrc.org then use LEAP to authenticate (proxy to Funk Odyssey);
otherwise use PEAP-EAP-MSCHAPv2 to authenticate (proxy to IAS). We trained
our MacOSX 10.2 users to enter xxxx at fhcrc.org as their user names.
Radius.cfg looks like this.
<AuthBy RADIUS>
    EAPType PEAP
    Identifier CheckRAD-PEAP
    (omitted)
</AuthBy>

<AuthBy RADIUS>
    Identifier CheckRAD-LEAP
    (omitted)
</AuthBy>

<Handler TunnelledByTTLS=1>
    <AuthBy NT>
        Identifier CheckNT-EAP-TTLS
        (omitted)
    </AuthBy>
    (omitted)
</Handler>

<Handler User-Name=anonymous>
    <AuthBy FILE>
        Filename /etc/radiator/users
        Identifier CheckFILE
        EAPType TTLS
        (omitted)
    </AuthBy>
    (omitted)
</Handler>

<Handler Realm=fhcrc.org>
    AuthBy CheckRAD-LEAP
    (omitted)
</Handler>

<Handler>
    AuthBy CheckRAD-PEAP
    (omitted)
</Handler>
Since Radiator now supports LSA on the Windows platform, we are planning to move
Radiator to Windows so that we can authenticate every EAP type within
Radiator (hopefully soon!).
Ken Kawakubo
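The dispatch Ken describes (route on the outer identity, first matching Handler wins) is shown below as an added example; it is not code from the thread or from Radiator. It parses the EAP Response/Identity that a supplicant sends first (RFC 3748: Code, Identifier, Length, Type, Type-Data), derives the realm the way Radiator does from the part of User-Name after "@", and walks an ordered handler list mirroring the posted Radius.cfg. The handler labels reuse the Identifier values from Ken's config; the backends they stand for, the packet bytes, and the helper names are constructed for this example. Note that the outer identity is unauthenticated and chosen by the client, so it only selects which backend is asked to authenticate; nothing is granted until that backend completes the inner method.

```python
"""Added example (not from the thread or from Radiator): select a Handler from
the outer EAP identity, mirroring the ordering in Ken's Radius.cfg.

Assumptions (constructed for this example): Radiator tries <Handler> clauses
in configuration order and uses the first whose check items match, and takes
Realm from the text after '@' in User-Name.  Handler labels are the Identifier
values from the posted config; the backends behind them are hypothetical.
"""
import struct
from typing import Callable, List, Optional, Tuple

EAP_CODE_RESPONSE = 2   # RFC 3748 section 4.1
EAP_TYPE_IDENTITY = 1   # RFC 3748 section 5.1


def build_identity_response(identifier: int, identity: str) -> bytes:
    """Construct an EAP Response/Identity packet (sample input only)."""
    type_data = identity.encode("utf-8")
    length = 4 + 1 + len(type_data)          # header + Type byte + Type-Data
    header = struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, length)
    return header + bytes([EAP_TYPE_IDENTITY]) + type_data


def parse_identity(eap_message: bytes) -> Optional[str]:
    """Return the identity in an EAP Response/Identity, or None if malformed.

    The Length field is checked against the buffer so a truncated or padded
    EAP-Message is rejected rather than yielding a partial identity.
    """
    if len(eap_message) < 5:
        return None
    code, _identifier, length = struct.unpack("!BBH", eap_message[:4])
    if length != len(eap_message):
        return None
    if code != EAP_CODE_RESPONSE or eap_message[4] != EAP_TYPE_IDENTITY:
        return None
    return eap_message[5:].decode("utf-8", errors="replace")


def split_realm(user_name: str) -> Tuple[str, str]:
    """Split 'user@realm' into (user, realm); realm is '' when there is no '@'."""
    user, sep, realm = user_name.partition("@")
    return user, (realm if sep else "")


# Same order as the posted config; the last entry is the bare <Handler> catch-all.
# Realm matching is an exact string compare, like the literal Realm=fhcrc.org.
HANDLERS: List[Tuple[str, Callable[[str, str], bool]]] = [
    ("CheckFILE (local EAP-TTLS-PAP)",
     lambda user, realm: user == "anonymous" and realm == ""),   # User-Name=anonymous
    ("CheckRAD-LEAP (proxy to Funk Odyssey)",
     lambda user, realm: realm == "fhcrc.org"),                  # Realm=fhcrc.org
    ("CheckRAD-PEAP (proxy to IAS)",
     lambda user, realm: True),                                  # <Handler> default
]


def select_handler(eap_message: bytes) -> str:
    """Return the label of the first Handler whose check items match."""
    identity = parse_identity(eap_message)
    if identity is None:
        return "drop (malformed or non-Identity EAP-Message)"
    user, realm = split_realm(identity)
    for label, matches in HANDLERS:
        if matches(user, realm):
            return label
    return "drop (no Handler matched)"   # unreachable with a catch-all present


if __name__ == "__main__":
    # Constructed sample identities covering each branch of the config.
    for ident, who in enumerate(["anonymous", "xxxx@fhcrc.org",
                                 "DOMAIN\\winuser", "anonymous@fhcrc.org"]):
        print(f"{who:24s} -> {select_handler(build_identity_response(ident, who))}")
```

The fourth sample is the edge case worth remembering: a TTLS user who types anonymous@fhcrc.org no longer matches User-Name=anonymous, so the Realm handler sends the request to the LEAP proxy instead of the local file. Ordering and exact-match semantics decide the path, not the tunnel type.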
-----Original Message-----
From: Jon Snyder [mailto:jon at pdx.edu]
Sent: Monday, February 09, 2004 12:09 AM
To: radiator at open.com.au
Subject: (RADIATOR) Possible to Proxy PEAP-EAP-MSCHAP v2 to IAS?
Hi all,
We're trying to configure EAP for 802.1x wireless authentication with the
general rule that Radiator will authenticate everything it can locally, and
proxy the authentication types it can't. Our Radiator instance is running
on Solaris with passwords in NIS, so we can't for example authenticate
MS-CHAP v2 requests.
What I would like to do is proxy PEAP-EAP-MSCHAP v2 (from the Windows XP SP1
PEAP client) to an IAS server running on Windows 2003, which can
authenticate the MS-CHAP v2 request. But, if the request is TTLS with PAP
or some other form that can be authenticated locally on the unix host, do so
there. The problem I think I'm running into is that Radiator is properly
proxying the inner EAP-MSCHAP v2 on to the IAS server, but IAS can't handle
EAP-MSCHAP v2 as it receives it; it wants either PEAP with MSCHAP v2 inside,
or a regular MSCHAP v2 challenge in the radius packet (no EAP).
Is it possible to accomplish what I'm trying to do? It seems like if I
could "extract" the MSCHAP v2 and send it over to IAS without it being
EAP-MSCHAP v2 it might work. I know it's possible with TTLS to have one
server take the EAP-TTLS requests, and proxy the actual authentication to
another server that knows nothing about EAP (as demonstrated in the goodies
configs). Can the same be done with PEAP?
I have this working if I use an AuthBy FILE for handling the inner
authentication, so I know it's not a general issue with my system or
configuration for PEAP. But with the AuthBy RADIUS below, no go.
Thanks in advance!
Here's what I'm doing in the Radiator config (this isn't the whole config,
but should be all the relevant portions):
<Handler TunnelledByPEAP=1,EAPType=MSCHAP-V2>
    <Log FILE>
        Filename %L/PEAPInside.log
        Trace 4
    </Log>
    <AuthBy RADIUS>
        NoDefault
        EAPType MSCHAP-V2
        <Host win2k3.ias.box>
            Secret secret
            AuthPort 1812
            AcctPort 1813
        </Host>
    </AuthBy>
</Handler>

<Handler TunnelledByPEAP=1>
    <AuthBy SYSTEM>
        NoDefault
    </AuthBy>
</Handler>

<Handler TunnelledByTTLS=1>
    <AuthBy SYSTEM>
        NoDefault
    </AuthBy>
</Handler>

<Handler Client-Identifier=wiAPs>
    <Log FILE>
        Filename %L/PEAPOutside.log
    </Log>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP,TTLS
        EAPTLS_CAFile %D/certificates/thawte/ThawteServerCA.txt
        EAPTLS_CertificateFile %D/certificates/radius-server.cert.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/radius-server.key.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
    </AuthBy>
</Handler>
----------
Jon Snyder
Computing & Network Services
Portland State University
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.