(RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted: problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and Radiator 3.9
Scott Xiao - ANTlabs
scottxiao at antlabs.com
Fri Jul 16 01:29:58 CDT 2004
Hi,
In the config file, I changed back my EAPtype as before and now
authentication succeeded. So what Mike suggested, to comment out REALM DEFAULT,
is the key point to resolve the problem (Desired EAP type 25 not permitted),
thanks!!
My other question as I asked before is, now I disabled "validate server
certificate" on client, how can I let the authentication pass without
requiring the XP client to install any specific certificate? Thanks.
Cheers
Scott
-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
Behalf Of Scott Xiao - ANTlabs
Sent: Friday, July 16, 2004 11:06 AM
To: radiator at open.com.au
Cc: Hugh Irvine; Mike McCauley
Subject: (RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted: problem
with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and
Radiator 3.9
Hi, thanks to Mike and Hugh for advice! ...but I still got the same
problem....
I have modified the configuration file according to your advice:
1. comment out the <Realm DEFAULT>
2. change EAPType to PEAP round the other way with MSCHAP-V2
Below is the updated config file. But when I try to authenticate after
restarting the service, it still gives me the error "Access rejected for
idatesta: Desired EAP type 25 not permitted". See the log below after the
config file in the email please. What is the problem? For inner
authentication, do I have to use defuser instead of MySQL?
Thanks for the reminder of the mailing list; actually I believe I have been on
the mailing list for 2 days, I received a lot of email from other subscribers
regarding their questions.
Please advise, thanks!
Rgds
Scott
config file mysql-peap.cfg (running with /usr/bin/perl
/usr/bin/radiusd -config_file /etc/radiator/mysql-peap.cfg)
........
<Handler TunnelledByPEAP=1>
    RewriteUsername s/(.*)\\(.*)/$2/
    #<Realm DEFAULT>
    AuthByPolicy ContinueWhileAccept
    <AuthBy SQL>
        DBSource dbi:mysql:idausrdb
        DBUsername
        DBAuth
        AcctColumnDef USERNAME,User-Name
        AcctColumnDef TIME_STAMP,Timestamp,integer
        AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef NASIDENTIFIER,NAS-Identifier
        AcctColumnDef NASPORT,NAS-Port,integer
        # EAPType MSCHAP-V2
        EAPType PEAP
    </AuthBy>
    #</Realm>
</Handler>
<Handler>
    <AuthBy SQL>
        DBSource dbi:mysql:idausrdb
        DBUsername
        DBAuth
        AcctColumnDef USERNAME,User-Name
        AcctColumnDef TIME_STAMP,Timestamp,integer
        AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef NASIDENTIFIER,NAS-Identifier
        AcctColumnDef NASPORT,NAS-Port,integer
        # EAPType PEAP
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
The log file:
[root at FC radius]# tail -50 logfile | more
Fri Jul 16 00:51:27 2004: DEBUG: Response type 3
Fri Jul 16 00:51:27 2004: INFO: EAP Nak desires type 25
Fri Jul 16 00:51:27 2004: DEBUG: EAP result: 1, Desired EAP type 25 not permitted
Fri Jul 16 00:51:27 2004: INFO: Access rejected for idatesta: Desired EAP type 25 not permitted
Fri Jul 16 00:51:27 2004: DEBUG: Packet dump:
*** Sending to 192.168.123.9 port 1647 ....
Code: Access-Reject
Identifier: 18
Authentic: <250><200><252><11>.<135>e<197><181>_%<250>(<254><180>z
Attributes:
Reply-Message = "Request Denied"
Proxy-State = 181
Fri Jul 16 00:51:39 2004: DEBUG: Packet dump:
*** Received from 192.168.123.9 port 1647 ....
Code: Access-Request
Identifier: 19
Authentic: <250><200><252><11>.<135>e<197><181>_%<250>(<254><180>z
Attributes:
User-Name = "idatesta"
Framed-MTU = 1400
Called-Station-Id = "000f.34db.6690"
Calling-Station-Id = "000c.f108.37bf"
Message-Authenticator = Do<15><183>1<131>Q<23>e<19><168><162><254>Ns<245>
EAP-Message = <2><1><0><13><1>idatesta
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 419
Service-Type = Framed-User
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "ps-ap"
Proxy-State = 182
Fri Jul 16 00:51:39 2004: DEBUG: Handling request with Handler ''
Fri Jul 16 00:51:39 2004: DEBUG: Deleting session for idatesta, 10.0.0.1, 419
Fri Jul 16 00:51:39 2004: DEBUG: Handling with Radius::AuthSQL
Fri Jul 16 00:51:39 2004: DEBUG: Handling with Radius::AuthSQL:
Fri Jul 16 00:51:39 2004: DEBUG: Handling with EAP: code 2, 1, 13
Fri Jul 16 00:51:39 2004: DEBUG: Response type 1
Fri Jul 16 00:51:39 2004: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Fri Jul 16 00:51:39 2004: DEBUG: Access challenged for idatesta: EAP
MSCHAP-V2 Challenge
Fri Jul 16 00:51:39 2004: DEBUG: Packet dump:
-----Original Message-----
From: Mike McCauley [mailto:mikem at open.com.au]
Sent: Friday, July 16, 2004 6:42 AM
To: Scott Xiao - ANTlabs
Cc: Hugh Irvine
Subject: Re: (Radiator)Desired EAP type 25 not permitted: problem with my
802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and Radiator
3.9
Hello Scott,
Your email was identified as spam by my spamassassin, mostly due to HTML
content. It's lucky I got to see it. Please don't use HTML.
BTW, it would be better if you address any future technical questions you
might have to the Radiator mailing list. That way others can learn
from the question and answer, and possibly contribute in areas
where I am not expert. Also, we have other staff on the mailing list
who can respond when I am not available.
You can join the Radiator mailing list by sending email with the
single word subscribe in the body (not in the subject line) to
radiator-request at open.com.au
There is an archive at http://www.open.com.au/archives/radiator/
If you require a guaranteed response to your questions, you should consider
a support contract, see http://www.open.com.au/support.html
The problem you report is due to the fact that you have your EAP types around
the wrong way, in that the Handler which handles the inner request is type
PEAP, and the Realm is type MSCHAP-V2. They should be round the other way.
Also you have a Realm DEFAULT which will get all requests, including the
inner. You should use <Handler> instead of <Realm DEFAULT>. Mixing Realms and
Handlers is generally a bad idea.
Cheers.
On Thu, 15 Jul 2004 09:52 pm, you wrote:
> Spam detection software, running on the system "server1.open.com.au", has
> identified this incoming email as possible spam. The original message
> has been attached to this so you can view it (if it isn't spam) or block
> similar future email. If you have any questions, see
> postmaster at open.com.au for details.
>
> Content preview: Hi,Mike, Can you advise?Thanks! Scott
>
> Content analysis details: (5.3 points, 5.0 required)
>
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 0.8 HTML_30_40 BODY: Message is 30% to 40% HTML
> 0.1 HTML_FONTCOLOR_RED BODY: HTML font color is red
> 0.2 HTML_FONT_FACE_BAD BODY: HTML font face is not a word
> 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 0.5 HTML_TITLE_EMPTY BODY: HTML title contains no text
> 1.1 RCVD_IN_SORBS_MISC RBL: SORBS: sender is open proxy server
> [203.125.41.199 listed in dnsbl.sorbs.net]
> 0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
> [203.125.41.199 listed in dnsbl.sorbs.net]
> 0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
> [203.125.41.199 listed in dnsbl.njabl.org]
> 1.1 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
> [<http://dsbl.org/listing?ip=203.125.41.199>]
> 1.1 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
> [203.125.41.199 listed in dnsbl.njabl.org]
>
> The original message was not completely plain text, and may be unsafe to
> open with some email clients; in particular, it may contain a virus,
> or confirm that your address can receive spam. If you wish to view
> it, it may be safer to save it to a file and open it with an editor.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
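The Handler layout Mike describes, written out as an added example config that is not the thread's own and not Radiator's own sample: the tunnelled Handler does MSCHAP-V2, the plain Handler does PEAP, and no Realm DEFAULT exists. The database credentials, certificate paths and AuthSelect query are placeholders; the EAPTLS_* parameters are Radiator's documented PEAP settings.

```text
# Added example config (not from the thread): Mike's recommended layout.
# Handlers are tried in order, so the TunnelledByPEAP Handler must come
# before the catch-all <Handler>, or the inner request falls through to it.

# Inner (tunnelled) request: MSCHAP-V2 against the MySQL user table.
<Handler TunnelledByPEAP=1>
    # Strip a DOMAIN\ prefix so the lookup uses the bare account name.
    RewriteUsername s/(.*)\\(.*)/$2/
    <AuthBy SQL>
        DBSource   dbi:mysql:idausrdb
        DBUsername radius            # placeholder credentials
        DBAuth     CHANGEME
        # MSCHAP-V2 cannot be verified against a one-way hash: the PASSWORD
        # column must hold the plaintext password (an NT hash also works);
        # crypt/MD5 columns make every inner authentication fail.
        AuthSelect select PASSWORD from SUBSCRIBERS where USERNAME=%0
        EAPType    MSCHAP-V2
    </AuthBy>
</Handler>

# Outer request: only PEAP is offered here, so the client's EAP Nak asking
# for type 25 is answered with a PEAP start instead of an Access-Reject.
<Handler>
    <AuthBy SQL>
        DBSource   dbi:mysql:idausrdb
        DBUsername radius            # placeholder credentials
        DBAuth     CHANGEME
        EAPType    PEAP
        # Server certificate and key (placeholder paths). This chain is what
        # the supplicant checks when "validate server certificate" is on.
        EAPTLS_CAFile             /etc/radiator/certificates/cacert.pem
        EAPTLS_CertificateFile    /etc/radiator/certificates/cert-srv.pem
        EAPTLS_CertificateType    PEM
        EAPTLS_PrivateKeyFile     /etc/radiator/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword CHANGEME
        EAPTLS_MaxFragmentSize    1024
        # Return the MPPE keys the access point needs to key the session.
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

This is the arrangement Scott's follow-up confirms cleared the "Desired EAP type 25 not permitted" reject. For the certificate question, the alternative to switching off server certificate validation on the XP client is to have it trust the CA that issued cert-srv.pem; with validation off, the client cannot tell this RADIUS server from any other access point presenting its own certificate.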