Fwd: (RADIATOR) Help with configure radius.cfg with eap and ldap
tudalat at shaw.ca
Tue Jan 20 10:36:13 CST 2004
----- Original Message -----
From: Hugh Irvine <hugh at open.com.au>
Date: Sunday, January 18, 2004 3:20 pm
Subject: Fwd: (RADIATOR) Help with configure radius.cfg with eap and ldap
>
> Hello Andy -
Hi Hugh and Mike:
I tried your suggestion but it's still a no go. The same CFG works
with LDAP but not with EAP. When I tried with EAP authentication, I
see the following using tcpdump:
1. Client sends radius EAP request
2. Radiusd sends EAP challenge
3. Client sends radius EAP request
4. ...
... successful LDAP bind
...
5. Radius sends EAP reject
Can you advise? Thanks in advance for any help/pointer.
Included below are my CFG and log.
Andy Dalat
tudata at shaw.ca
>
> See Mike's comments below.
>
> You can't use "ServerChecksPasswords" as Radiator requires the
> plaintext password.
>
> regards
>
> Hugh
>
>
>
## This is my CFG
Trace 4
Foreground
LogDir /usr/local/radius/log
DbDir /usr/local/radius/etc
LogFile %L/log.radiusd
PidFile %L/../run/radiusd.pid
AuthPort 1812
AcctPort 1813
<Client DEFAULT>
        Secret xxxtest
        IgnoreAcctSignature
        DupInterval 0
</Client>
<Realm DEFAULT>
        RewriteUsername s/(.*)@.*$/$1/
        AuthByPolicy ContinueAlways
        <AuthBy LDAP2>
                NoDefault
                Host failover.ldap.ucalgary.ca
                Port 389
                AuthDN uid=ucaccess,ou=ldapadmin,o=ucalgary.ca
                AuthPassword secret
                # ServerChecksPassword 1
                BaseDN ou=xxxauthent,o=ucalgary.ca
                Version 3
                Debug 255
                EAPType MD5-Challenge
        </AuthBy>
        AcctLogFileName %L/detail.ldap
</Realm>
### successful Ldap authentication
###
Mon Jan 19 15:17:09 2004: DEBUG: Packet dump:
*** Received from xxx.xxx.254.205 port 32868 ....
Code: Access-Request
Identifier: 9
Authentic: 1234567890123456
Attributes:
User-Name = "tudalat"
Service-Type = Framed-User
NAS-IP-Address = xxx.xxx.124.2
NAS-Port = 1234
Called-Station-Id = "2202880"
Calling-Station-Id = "4032205155"
NAS-Port-Type = Async
User-Password = "d<248>y'R<219>s<11><134>]<176><195><157><152><242><243>"
Mon Jan 19 15:17:09 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jan 19 15:17:09 2004: DEBUG: Rewrote user name to tudalat
Mon Jan 19 15:17:09 2004: DEBUG: Deleting session for tudalat, xxx.xxx.124.2, 1234
Mon Jan 19 15:17:09 2004: DEBUG: Handling with Radius::AuthLDAP2:
Mon Jan 19 15:17:09 2004: INFO: Connecting to failover.ldap.ucalgary.ca, port 389
Mon Jan 19 15:17:09 2004: INFO: Attempting to bind to LDAP server failover.ldap.ucalgary.ca:389)
Mon Jan 19 15:17:09 2004: DEBUG: LDAP got result for uid=tudalat,ou=xxxauthent,o=ucalgary.ca
Mon Jan 19 15:17:09 2004: DEBUG: Radius::AuthLDAP2 looks for match with tudalat
Mon Jan 19 15:17:09 2004: DEBUG: Radius::AuthLDAP2 ACCEPT:
Mon Jan 19 15:17:09 2004: DEBUG: Access accepted for tudalat
Mon Jan 19 15:17:09 2004: DEBUG: Packet dump:
*** Sending to xxx.xxx.254.205 port 32868 ....
Code: Access-Accept
Identifier: 9
Authentic: 1234567890123456
Attributes:
### unsuccessful EAP authentication
###
Mon Jan 19 15:17:35 2004: DEBUG: Packet dump:
*** Received from xxx.xxx.254.224 port 1024 ....
Code: Access-Request
Identifier: 144
Authentic: L^<187>.<147><23>:X<130><168><19><136><152><159><231><247>
Attributes:
Framed-MTU = 1480
NAS-IP-Address = xxx.xxx.254.224
NAS-Identifier = "HP ProCurve Switch 2626"
User-Name = "tudalat"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 23
NAS-Port-Type = Ethernet
NAS-Port-Id = "23"
Called-Station-Id = "00-30-6e-ae-d1-29"
Calling-Station-Id = "00-d0-b7-70-8d-7c"
Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
Tunnel-Type = 0:13
Tunnel-Medium-Type = 0:Ether_802
Tunnel-Private-Group-ID = 1
EAP-Message = <2><1><0><11><1>tudalat
Message-Authenticator = <159><170><180>N&<176>es<166>p7<151><170><206>G<235>
Mon Jan 19 15:17:35 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jan 19 15:17:35 2004: DEBUG: Rewrote user name to tudalat
Mon Jan 19 15:17:35 2004: DEBUG: Deleting session for tudalat, xxx.xxx.254.224, 23
Mon Jan 19 15:17:35 2004: DEBUG: Handling with Radius::AuthLDAP2:
Mon Jan 19 15:17:35 2004: DEBUG: Handling with EAP: code 2, 1, 11
Mon Jan 19 15:17:35 2004: DEBUG: Response type 1
Mon Jan 19 15:17:35 2004: DEBUG: EAP result: 3, EAP MD5-Challenge
Mon Jan 19 15:17:35 2004: DEBUG: Access challenged for tudalat: EAP MD5-Challenge
Mon Jan 19 15:17:35 2004: DEBUG: Packet dump:
*** Sending to xxx.xxx.254.224 port 1024 ....
Code: Access-Challenge
Identifier: 144
Authentic: L^<187>.<147><23>:X<130><168><19><136><152><159><231><247>
Attributes:
EAP-Message = <1><2><0>-<4><16><212><23>EV<210><235><128>2<211><15><175>{<244><135>{<12>254-205.acs.ucalgary.ca
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Mon Jan 19 15:17:35 2004: DEBUG: Packet dump:
*** Received from xxx.xxx.254.224 port 1024 ....
Code: Access-Request
Identifier: 145
Authentic: <27><170>[f<196><209><167><181>)w<222>E<238><15><251><15>
Attributes:
Framed-MTU = 1480
NAS-IP-Address = xxx.xxx.254.224
NAS-Identifier = "HP ProCurve Switch 2626"
User-Name = "tudalat"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 23
NAS-Port-Type = Ethernet
NAS-Port-Id = "23"
Called-Station-Id = "00-30-6e-ae-d1-29"
Calling-Station-Id = "00-d0-b7-70-8d-7c"
Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
Tunnel-Type = 0:13
Tunnel-Medium-Type = 0:Ether_802
Tunnel-Private-Group-ID = 1
EAP-Message = <2><2><0><28><4><16><164><148>f<242><3><28>m<168>4<178>Ep@<248><144><204>tudalat
Message-Authenticator = <238>$<254>?<151><24><13>_<144><224>|Di<250><218>o
Mon Jan 19 15:17:35 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jan 19 15:17:35 2004: DEBUG: Rewrote user name to tudalat
Mon Jan 19 15:17:35 2004: DEBUG: Deleting session for tudalat, xxx.xxx.254.224, 23
Mon Jan 19 15:17:35 2004: DEBUG: Handling with Radius::AuthLDAP2:
Mon Jan 19 15:17:35 2004: DEBUG: Handling with EAP: code 2, 2, 28
Mon Jan 19 15:17:35 2004: DEBUG: Response type 4
Mon Jan 19 15:17:35 2004: INFO: Connecting to failover.ldap.ucalgary.ca, port 389
Mon Jan 19 15:17:35 2004: INFO: Attempting to bind to LDAP server failover.ldap.ucalgary.ca:389)
Mon Jan 19 15:17:35 2004: DEBUG: LDAP got result for uid=tudalat,ou=xxxauthent,o=ucalgary.ca
Mon Jan 19 15:17:35 2004: DEBUG: Radius::AuthLDAP2 looks for match with tudalat
Mon Jan 19 15:17:35 2004: DEBUG: Radius::AuthLDAP2 ACCEPT:
Mon Jan 19 15:17:35 2004: DEBUG: EAP result: 1, EAP MD5-Challenge failed
Mon Jan 19 15:17:35 2004: INFO: Access rejected for tudalat: EAP MD5-Challenge failed
Mon Jan 19 15:17:35 2004: DEBUG: Packet dump:
*** Sending to xxx.xxx.254.224 port 1024 ....
Code: Access-Reject
Identifier: 145
Authentic: <27><170>[f<196><209><167><181>)w<222>E<238><15><251><15>
Attributes:
EAP-Message = <4><2><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
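Hugh's point above, that EAP MD5-Challenge only works when the server holds the plaintext password, shown in working code. This is an added example, not code from the thread or from Radiator: it decodes the Access-Challenge EAP-Message from the log above (Radiator's `<n>` byte notation), then verifies a client response the way RFC 3748 section 5.4 requires, MD5 over Identifier, password and challenge; the client password and the `build_response` helper are constructed for the example, since the real password is not on the page.

```python
import hashlib
import hmac
import re
import struct

# EAP codes and types (RFC 3748); MD5-Challenge is what the thread's log negotiates.
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4

def radiator_bytes(dump: str) -> bytes:
    """Decode Radiator packet-dump notation: non-printable bytes appear as <n>
    (decimal), printable ASCII appears as-is."""
    return bytes(int(m.group(1)) if m.group(1) else ord(m.group(0))
                 for m in re.finditer(r"<(\d+)>|.", dump, re.S))

def parse_eap(pkt: bytes) -> dict:
    """Split an EAP packet into code, id, type and (Identity/MD5) payload."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes seen")
    out = {"code": code, "id": ident, "type": None}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        out["type"] = pkt[4]
        if out["type"] == EAP_TYPE_MD5:      # RFC 3748 5.4: Value-Size, Value, Name
            vsize = pkt[5]
            out["value"] = pkt[6:6 + vsize]
            out["name"] = pkt[6 + vsize:].decode("ascii", "replace")
        elif out["type"] == EAP_TYPE_IDENTITY:
            out["name"] = pkt[5:].decode("ascii", "replace")
    return out

def md5_challenge_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-style value (RFC 1994, reused by EAP-MD5): MD5(Identifier || secret || challenge).
    The server can only recompute this if it holds the plaintext secret."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def server_verifies(response: dict, challenge: dict, plaintext_password=None) -> bool:
    """The check Radiator must make on the second round trip. A bare LDAP bind
    result gives no plaintext to compare against, so the only outcome is reject."""
    if plaintext_password is None or response["type"] != EAP_TYPE_MD5:
        return False
    expected = md5_challenge_response(response["id"], plaintext_password, challenge["value"])
    return hmac.compare_digest(response["value"], expected)

# The Access-Challenge EAP-Message from the log above (server -> client, id 2).
CHALLENGE = parse_eap(radiator_bytes(
    "<1><2><0>-<4><16><212><23>EV<210><235><128>2<211><15><175>{<244><135>{<12>254-205.acs.ucalgary.ca"))

def build_response(password: bytes, name: bytes = b"tudalat") -> dict:
    """Constructed client reply to CHALLENGE; the real password is not known here."""
    value = md5_challenge_response(CHALLENGE["id"], password, CHALLENGE["value"])
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return parse_eap(struct.pack("!BBH", EAP_RESPONSE, CHALLENGE["id"], 4 + len(body)) + body)
```

With a plaintext password available (for example an LDAP password attribute retrieved by the bind DN) `server_verifies` succeeds; with only a bind-succeeded signal it has nothing to compare and the request is rejected, which matches the ACCEPT-then-failed sequence in the log.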