Fwd: (RADIATOR) Help with configure radius.cfg with eap and ldap

tudalat at shaw.ca tudalat at shaw.ca
Tue Jan 20 10:36:13 CST 2004



----- Original Message -----
From: Hugh Irvine <hugh at open.com.au>
Date: Sunday, January 18, 2004 3:20 pm
Subject: Fwd: (RADIATOR) Help with configure radius.cfg with eap and ldap

> 
> Hello Andy -

Hi Hugh and Mike:
 I tried your suggestion but it's still a no go. The same CFG works
with LDAP but not with EAP. When I tried with EAP authentication, I
see the following using tcpdump:
 1. Client sends radius EAP request
 2. Radiusd sends EAP challenge
 3. Client sends radius EAP request
 4. ...
    ... successful LDAP bind
    ...
 5. Radius sends EAP reject

Can you advise? Thanks in advance for any help/pointer.

Included below are my CFG and log.

Andy Dalat
tudalat at shaw.ca
> 
> See Mike's comments below.
> 
> You can't use "ServerChecksPasswords" as Radiator requires the 
> plaintext password.
> 
> regards
> 
> Hugh
## This is my CFG

Trace 4
Foreground
LogDir /usr/local/radius/log
DbDir /usr/local/radius/etc
LogFile %L/log.radiusd
PidFile %L/../run/radiusd.pid
AuthPort 1812
AcctPort 1813

<Client DEFAULT>
        Secret                  xxxtest
        IgnoreAcctSignature
        DupInterval 0
</Client>

<Realm DEFAULT>
        RewriteUsername s/(.*)@.*$/$1/
        AuthByPolicy ContinueAlways
        <AuthBy LDAP2>
                NoDefault
                Host            failover.ldap.ucalgary.ca
                Port            389
                AuthDN          uid=ucaccess,ou=ldapadmin,o=ucalgary.ca
                AuthPassword    secret
#                ServerChecksPassword  1
                BaseDN          ou=xxxauthent,o=ucalgary.ca
                Version         3
                Debug           255
                EAPType         MD5-Challenge
        </AuthBy>
        AcctLogFileName         %L/detail.ldap
</Realm>



### successful LDAP authentication
###

Mon Jan 19 15:17:09 2004: DEBUG: Packet dump:
*** Received from xxx.xxx.254.205 port 32868 ....
Code:       Access-Request
Identifier: 9
Authentic:  1234567890123456
Attributes:
        User-Name = "tudalat"
        Service-Type = Framed-User
        NAS-IP-Address = xxx.xxx.124.2
        NAS-Port = 1234
        Called-Station-Id = "2202880"
        Calling-Station-Id = "4032205155"
        NAS-Port-Type = Async
        User-Password = "d<248>y'R<219>s<11><134>]<176><195><157><152><242><243>"

Mon Jan 19 15:17:09 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jan 19 15:17:09 2004: DEBUG: Rewrote user name to tudalat
Mon Jan 19 15:17:09 2004: DEBUG:  Deleting session for tudalat, xxx.xxx.124.2, 1234
Mon Jan 19 15:17:09 2004: DEBUG: Handling with Radius::AuthLDAP2:
Mon Jan 19 15:17:09 2004: INFO: Connecting to failover.ldap.ucalgary.ca, port 389
Mon Jan 19 15:17:09 2004: INFO: Attempting to bind to LDAP server failover.ldap.ucalgary.ca:389)
Mon Jan 19 15:17:09 2004: DEBUG: LDAP got result for uid=tudalat,ou=xxxauthent,o=ucalgary.ca
Mon Jan 19 15:17:09 2004: DEBUG: Radius::AuthLDAP2 looks for match with tudalat
Mon Jan 19 15:17:09 2004: DEBUG: Radius::AuthLDAP2 ACCEPT:
Mon Jan 19 15:17:09 2004: DEBUG: Access accepted for tudalat
Mon Jan 19 15:17:09 2004: DEBUG: Packet dump:
*** Sending to xxx.xxx.254.205 port 32868 ....
Code:       Access-Accept
Identifier: 9
Authentic:  1234567890123456
Attributes:


### unsuccessful EAP authentication
###

Mon Jan 19 15:17:35 2004: DEBUG: Packet dump:
*** Received from xxx.xxx.254.224 port 1024 ....
Code:       Access-Request
Identifier: 144
Authentic:  L^<187>.<147><23>:X<130><168><19><136><152><159><231><247>
Attributes:
        Framed-MTU = 1480
        NAS-IP-Address = xxx.xxx.254.224
        NAS-Identifier = "HP ProCurve Switch 2626"
        User-Name = "tudalat"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 23
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "23"
        Called-Station-Id = "00-30-6e-ae-d1-29"
        Calling-Station-Id = "00-d0-b7-70-8d-7c"
        Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
        Tunnel-Type = 0:13
        Tunnel-Medium-Type = 0:Ether_802
        Tunnel-Private-Group-ID = 1
        EAP-Message = <2><1><0><11><1>tudalat
        Message-Authenticator = <159><170><180>N&<176>es<166>p7<151><170><206>G<235>

Mon Jan 19 15:17:35 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jan 19 15:17:35 2004: DEBUG: Rewrote user name to tudalat
Mon Jan 19 15:17:35 2004: DEBUG:  Deleting session for tudalat, xxx.xxx.254.224, 23
Mon Jan 19 15:17:35 2004: DEBUG: Handling with Radius::AuthLDAP2:
Mon Jan 19 15:17:35 2004: DEBUG: Handling with EAP: code 2, 1, 11
Mon Jan 19 15:17:35 2004: DEBUG: Response type 1
Mon Jan 19 15:17:35 2004: DEBUG: EAP result: 3, EAP MD5-Challenge
Mon Jan 19 15:17:35 2004: DEBUG: Access challenged for tudalat: EAP MD5-Challenge
Mon Jan 19 15:17:35 2004: DEBUG: Packet dump:
*** Sending to xxx.xxx.254.224 port 1024 ....
Code:       Access-Challenge
Identifier: 144
Authentic:  L^<187>.<147><23>:X<130><168><19><136><152><159><231><247>
Attributes:
        EAP-Message = <1><2><0>-<4><16><212><23>EV<210><235><128>2<211><15><175>{<244><135>{<12>254-205.acs.ucalgary.ca
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Mon Jan 19 15:17:35 2004: DEBUG: Packet dump:
*** Received from xxx.xxx.254.224 port 1024 ....
Code:       Access-Request
Identifier: 145
Authentic:  <27><170>[f<196><209><167><181>)w<222>E<238><15><251><15>
Attributes:
        Framed-MTU = 1480
        NAS-IP-Address = xxx.xxx.254.224
        NAS-Identifier = "HP ProCurve Switch 2626"
        User-Name = "tudalat"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 23
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "23"
        Called-Station-Id = "00-30-6e-ae-d1-29"
        Calling-Station-Id = "00-d0-b7-70-8d-7c"
        Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
        Tunnel-Type = 0:13
        Tunnel-Medium-Type = 0:Ether_802
        Tunnel-Private-Group-ID = 1
        EAP-Message = <2><2><0><28><4><16><164><148>f<242><3><28>m<168>4<178>Ep@<248><144><204>tudalat
        Message-Authenticator = <238>$<254>?<151><24><13>_<144><224>|Di<250><218>o

Mon Jan 19 15:17:35 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jan 19 15:17:35 2004: DEBUG: Rewrote user name to tudalat
Mon Jan 19 15:17:35 2004: DEBUG:  Deleting session for tudalat, xxx.xxx.254.224, 23
Mon Jan 19 15:17:35 2004: DEBUG: Handling with Radius::AuthLDAP2:
Mon Jan 19 15:17:35 2004: DEBUG: Handling with EAP: code 2, 2, 28
Mon Jan 19 15:17:35 2004: DEBUG: Response type 4
Mon Jan 19 15:17:35 2004: INFO: Connecting to failover.ldap.ucalgary.ca, port 389
Mon Jan 19 15:17:35 2004: INFO: Attempting to bind to LDAP server failover.ldap.ucalgary.ca:389)
Mon Jan 19 15:17:35 2004: DEBUG: LDAP got result for uid=tudalat,ou=xxxauthent,o=ucalgary.ca
Mon Jan 19 15:17:35 2004: DEBUG: Radius::AuthLDAP2 looks for match with tudalat
Mon Jan 19 15:17:35 2004: DEBUG: Radius::AuthLDAP2 ACCEPT:
Mon Jan 19 15:17:35 2004: DEBUG: EAP result: 1, EAP MD5-Challenge failed
Mon Jan 19 15:17:35 2004: INFO: Access rejected for tudalat: EAP MD5-Challenge failed
Mon Jan 19 15:17:35 2004: DEBUG: Packet dump:
*** Sending to xxx.xxx.254.224 port 1024 ....
Code:       Access-Reject
Identifier: 145
Authentic:  <27><170>[f<196><209><167><181>)w<222>E<238><15><251><15>
Attributes:
        EAP-Message = <4><2><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "Request Denied"

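Hugh's point above is that EAP-MD5 can only be verified by a server that holds the plaintext password. As an added illustration (not part of the original thread and not Radiator's code), the Python below decodes the two EAP-Message values from the log into their EAP fields and performs the RFC 3748 MD5-Challenge check; the real password is not on the page, so a constructed stand-in is used.

```python
import hashlib
import hmac
import re
import struct

# Radiator's packet dumps print non-printable bytes as <decimal> and the
# rest literally, e.g. <2><1><0><11><1>tudalat for the EAP Identity reply.
TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.DOTALL)

def decode_dump(text):
    """Turn a Radiator-style escaped attribute value back into raw bytes."""
    return bytes(int(num) if num else ord(ch) for num, ch in TOKEN.findall(text))

def parse_eap_md5(raw):
    """Split an EAP packet; for Type 4 (MD5-Challenge) also return Value/Name.
    Per RFC 3748 the Length field is authoritative and bytes past it are
    ignored, so the count of such bytes is reported rather than rejected."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length > len(raw) or length < 5:
        raise ValueError(f"EAP Length {length} but only {len(raw)} bytes present")
    pkt = {"code": code, "id": ident, "type": raw[4], "trailing": len(raw) - length}
    if raw[4] == 4:                       # EAP-MD5-Challenge
        vsize = raw[5]
        pkt["value"] = raw[6:6 + vsize]   # challenge (Request) or MD5 digest (Response)
        pkt["name"] = raw[6 + vsize:length]
    return pkt

def md5_response(ident, password, challenge):
    """What the peer sends back: MD5(Identifier || plaintext password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify(challenge_pkt, response_pkt, password):
    """Server-side check. Only a plaintext password works here: a hashed
    userPassword or a bind-only check (ServerChecksPassword) cannot produce
    this digest, which is why Radiator needs the cleartext for EAP-MD5."""
    expected = md5_response(response_pkt["id"], password, challenge_pkt["value"])
    return hmac.compare_digest(expected, response_pkt["value"])

# The Access-Challenge and the following Access-Request EAP-Message values,
# copied from the log above.
CHALLENGE = decode_dump("<1><2><0>-<4><16><212><23>EV<210><235><128>2<211><15><175>{<244><135>{<12>254-205.acs.ucalgary.ca")
RESPONSE = decode_dump("<2><2><0><28><4><16><164><148>f<242><3><28>m<168>4<178>Ep@<248><144><204>tudalat")

if __name__ == "__main__":
    c, r = parse_eap_md5(CHALLENGE), parse_eap_md5(RESPONSE)
    print(c["name"], c["trailing"], r["name"], r["trailing"])
    # "example-secret" is a constructed stand-in; the real password is not on the page.
    print(verify(c, r, b"example-secret"))
```

Run on the log's own dumps, Radiator's Challenge decodes to exactly its declared 45 bytes, while the switch's Response carries 29 bytes against a declared Length of 28 (its Identity reply likewise shows 12 against 11), which is the kind of discrepancy worth checking before blaming the LDAP side.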