(RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted: problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and Radiator 3.9

Scott Xiao - ANTlabs scottxiao at antlabs.com
Fri Jul 16 05:59:06 CDT 2004


Thanks Hugh, yes, it's one option; the other one, I think, is that I need to let the
customer purchase an official certificate for the Radius server from,
maybe, Verisign, for the convenience of wlan users, because it will not be
very secure without "validate server certificate", comparatively, anyway.
Thanks, Hugh and Mike!
Scott
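The quoted log further down shows the access point relaying `EAP-Message = <2><1><0><13><1>idatesta` and, a moment later, Radiator reporting `EAP Nak desires type 25`. As an added example (my own code, not Radiator's and not anything posted in this thread), the Python below decodes Radiator's packet-dump notation and the EAP header so those two lines can be read on the wire: the first is an Identity response, the second is a Nak in which the supplicant names the EAP type it wants (25 = PEAP) after being offered a different one (26 = MSCHAP-V2, which is what the outer Handler in the quoted config hands out). The identity bytes are copied from the log; the Nak bytes are constructed for this example.

```python
import struct

# EAP header codes from RFC 3748; type numbers 25 (PEAP) and 26 (EAP-MSCHAPv2)
# are the IANA assignments. Only the values that occur in this thread are listed.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 25: "PEAP", 26: "MSCHAP-V2"}


def radiator_dump_to_bytes(text):
    """Convert Radiator's packet-dump notation back into raw bytes.

    Radiator prints non-printable octets as <decimal> and printable ones
    literally, e.g. "<2><1><0><13><1>idatesta"."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "<":
            end = text.index(">", i)
            out.append(int(text[i + 1:end]))
            i = end + 1
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def decode_eap(pkt):
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data...]."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"Length field {length} does not match {len(pkt)} bytes")
    msg = {"code": code, "code_name": EAP_CODES.get(code, "unknown"),
           "id": ident, "length": length}
    if code in (1, 2):  # Request and Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        eap_type = pkt[4]
        data = pkt[5:]
        msg["type"] = eap_type
        msg["type_name"] = EAP_TYPES.get(eap_type, f"type {eap_type}")
        if eap_type == 1:
            msg["identity"] = data.decode("ascii", errors="replace")
        elif eap_type == 3:
            # Nak data is the list of types the peer would accept instead
            msg["desired_types"] = list(data)
    return msg


def explain_nak(offered_type, nak):
    """Return a one-line diagnosis of a Nak, or None if the packet is not one."""
    if nak.get("type") != 3:
        return None
    wanted = ", ".join(EAP_TYPES.get(t, f"type {t}") for t in nak["desired_types"])
    return (f"server offered {EAP_TYPES.get(offered_type, offered_type)} "
            f"({offered_type}); supplicant Nak desires {wanted} "
            f"({nak['desired_types']})")


if __name__ == "__main__":
    # Identity response exactly as it appears in the quoted Radiator log
    identity = decode_eap(radiator_dump_to_bytes("<2><1><0><13><1>idatesta"))
    print(identity)
    # Constructed Nak: Response, id 2, length 6, type 3 (Nak), desired type 25
    nak = decode_eap(bytes([2, 2, 0, 6, 3, 25]))
    print(nak)
    print(explain_nak(26, nak))
```

The diagnosis line is the same thing Radiator condenses to "Desired EAP type 25 not permitted": the supplicant is answering an MSCHAP-V2 challenge from the outer, untunnelled Handler with a Nak asking for PEAP instead. With the types the right way round, the outer Handler offers PEAP (25) and only the Handler with `TunnelledByPEAP=1` offers MSCHAP-V2 (26) inside the TLS tunnel.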

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Friday, July 16, 2004 4:07 PM
To: scottxiao at antlabs.com
Cc: radiator at open.com.au; Mike McCauley
Subject: Re: (RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted:
problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100
AP and Radiator 3.9



Hello Scott -

If the authentication succeeds without "validate server certificate" on
XP then that is what you should tell your users to do.

regards

Hugh


On 16 Jul 2004, at 16:29, Scott Xiao - ANTlabs wrote:

> Hi,
> In the config file, I changed back my EAPType as before and now
> authentication succeeded. So what Mike suggested, to comment out REALM
> DEFAULT, is the key point to resolve the problem (Desired EAP type 25 not
> permitted), thanks!!
> My other question, as I asked before, is: now that I have disabled "validate
> server certificate" on the client, how can I let the authentication pass
> without requiring the XP client to install any specific certificate? Thanks.
> Cheers
> Scott
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
> Behalf Of Scott Xiao - ANTlabs
> Sent: Friday, July 16, 2004 11:06 AM
> To: radiator at open.com.au
> Cc: Hugh Irvine; Mike McCauley
> Subject: (RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted:
> problem
> with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100
> AP and
> Radiator 3.9
>
>
> Hi, Thanks to Mike and Hugh for advice! ...but I still got the same
> problem....
> I have modified the configuration file according to your advice:
> 1. comment out the <Realm DEFAULT>
> 2. Change EAPType to PEAP round the other way with MSCHAP-V2
> Below is the updated config file. But when I try to authenticate after
> restarting the service, it still gives me the error "Access rejected for
> idatesta: Desired EAP type 25 not permitted". See the log below after the
> config file in the email please. What is the problem? For inner
> authentication, do I have to use defuser instead of MySQL?
> Thanks for the reminder of the mailing list; actually I believe I have been
> on the mailing list for 2 days, I received a lot of email from other
> subscribers regarding their questions.
> Please advise, thanks!
> Rgds
> Scott
>
> config file mysql-peap.cfg  (running with /usr/bin/perl
> /usr/bin/radiusd -config_file /etc/radiator/mysql-peap.cfg)
> ........
>
> <Handler TunnelledByPEAP=1>
>         RewriteUsername s/(.*)\\(.*)/$2/
>
> #<Realm DEFAULT>
>         AuthByPolicy ContinueWhileAccept
>         <AuthBy SQL>
>                 DBSource        dbi:mysql:idausrdb
>                 DBUsername
>                 DBAuth
>                 AcctColumnDef   USERNAME,User-Name
>                 AcctColumnDef   TIME_STAMP,Timestamp,integer
>                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>                 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>                 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>                 AcctColumnDef   NASPORT,NAS-Port,integer
> #               EAPType MSCHAP-V2
>                 EAPType PEAP
>         </AuthBy>
> #</Realm>
> </Handler>
>
> <Handler>
>         <AuthBy SQL>
>                 DBSource        dbi:mysql:idausrdb
>                 DBUsername
>                 DBAuth
>                 AcctColumnDef   USERNAME,User-Name
>                 AcctColumnDef   TIME_STAMP,Timestamp,integer
>                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>                 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>                 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>                 AcctColumnDef   NASPORT,NAS-Port,integer
> #               EAPType PEAP
>                 EAPType MSCHAP-V2
>         </AuthBy>
> </Handler>
>
>
> The log file:
> [root at FC radius]# tail -50 logfile | more
> Fri Jul 16 00:51:27 2004: DEBUG: Response type 3
> Fri Jul 16 00:51:27 2004: INFO: EAP Nak desires type 25
> Fri Jul 16 00:51:27 2004: DEBUG: EAP result: 1, Desired EAP type 25 not permitted
> Fri Jul 16 00:51:27 2004: INFO: Access rejected for idatesta: Desired EAP type 25 not permitted
> Fri Jul 16 00:51:27 2004: DEBUG: Packet dump:
> *** Sending to 192.168.123.9 port 1647 ....
> Code:       Access-Reject
> Identifier: 18
> Authentic:  <250><200><252><11>.<135>e<197><181>_%<250>(<254><180>z
> Attributes:
>         Reply-Message = "Request Denied"
>         Proxy-State = 181
>
> Fri Jul 16 00:51:39 2004: DEBUG: Packet dump:
> *** Received from 192.168.123.9 port 1647 ....
> Code:       Access-Request
> Identifier: 19
> Authentic:  <250><200><252><11>.<135>e<197><181>_%<250>(<254><180>z
> Attributes:
>         User-Name = "idatesta"
>         Framed-MTU = 1400
>         Called-Station-Id = "000f.34db.6690"
>         Calling-Station-Id = "000c.f108.37bf"
>         Message-Authenticator = Do<15><183>1<131>Q<23>e<19><168><162><254>Ns<245>
>         EAP-Message = <2><1><0><13><1>idatesta
>         NAS-Port-Type = Wireless-IEEE-802-11
>         NAS-Port = 419
>         Service-Type = Framed-User
>         NAS-IP-Address = 10.0.0.1
>         NAS-Identifier = "ps-ap"
>         Proxy-State = 182
>
> Fri Jul 16 00:51:39 2004: DEBUG: Handling request with Handler ''
> Fri Jul 16 00:51:39 2004: DEBUG:  Deleting session for idatesta, 10.0.0.1, 419
> Fri Jul 16 00:51:39 2004: DEBUG: Handling with Radius::AuthSQL
> Fri Jul 16 00:51:39 2004: DEBUG: Handling with Radius::AuthSQL:
> Fri Jul 16 00:51:39 2004: DEBUG: Handling with EAP: code 2, 1, 13
> Fri Jul 16 00:51:39 2004: DEBUG: Response type 1
> Fri Jul 16 00:51:39 2004: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Fri Jul 16 00:51:39 2004: DEBUG: Access challenged for idatesta: EAP MSCHAP-V2 Challenge
> Fri Jul 16 00:51:39 2004: DEBUG: Packet dump:
>
> -----Original Message-----
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Friday, July 16, 2004 6:42 AM
> To: Scott Xiao - ANTlabs
> Cc: Hugh Irvine
> Subject: Re: (Radiator)Desired EAP type 25 not permitted: problem with
> my
> 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and
> Radiator
> 3.9
>
>
> Hello Scott,
>
> Your email was identified as spam by my spamassassin, mostly due to html
> content. It's lucky I got to see it. Please don't use HTML.
>
> BTW, it would be better if you address any future technical questions you
> might have to the Radiator mailing list. That way others can learn
> from the question and answer, and possibly contribute in areas
> where I am not expert. Also, we have other staff on the mailing list
> who can respond when I am not available.
>
> You can join the Radiator mailing list by sending email with the
> single word subscribe in the body (not in the subject line) to
> radiator-request at open.com.au
> There is an archive at http://www.open.com.au/archives/radiator/
>
> If you require a guaranteed response to your questions, you should consider
> a support contract, see http://www.open.com.au/support.html
>
> The problem you report is due to the fact that you have your EAP types around
> the wrong way, in that the Handler which handles the inner request is type
> PEAP, and the Realm is type MSCHAP-V2. They should be round the other way.
> Also you have a Realm DEFAULT which will get all requests, including the
> inner. You should use <Handler> instead of <Realm DEFAULT>. Mixing Realms and
> Handlers is generally a bad idea.
>
> Cheers.
>
>
>
>
> On Thu, 15 Jul 2004 09:52 pm, you wrote:
>> Spam detection software, running on the system "server1.open.com.au",
>> has identified this incoming email as possible spam.  The original message
>> has been attached to this so you can view it (if it isn't spam) or block
>> similar future email.  If you have any questions, see
>> postmaster at open.com.au for details.
>>
>> Content preview:  Hi,Mike, Can you advise?Thanks! Scott
>>
>> Content analysis details:   (5.3 points, 5.0 required)
>>
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>>  0.8 HTML_30_40             BODY: Message is 30% to 40% HTML
>>  0.1 HTML_FONTCOLOR_RED     BODY: HTML font color is red
>>  0.2 HTML_FONT_FACE_BAD     BODY: HTML font face is not a word
>>  0.1 HTML_FONTCOLOR_BLUE    BODY: HTML font color is blue
>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>  0.5 HTML_TITLE_EMPTY       BODY: HTML title contains no text
>>  1.1 RCVD_IN_SORBS_MISC     RBL: SORBS: sender is open proxy server
>>                             [203.125.41.199 listed in dnsbl.sorbs.net]
>>  0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
>>                             [203.125.41.199 listed in dnsbl.sorbs.net]
>>  0.1 RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
>>                             [203.125.41.199 listed in dnsbl.njabl.org]
>>  1.1 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
>>                             [<http://dsbl.org/listing?ip=203.125.41.199>]
>>  1.1 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
>>                             [203.125.41.199 listed in dnsbl.njabl.org]
>>
>> The original message was not completely plain text, and may be unsafe to
>> open with some email clients; in particular, it may contain a virus,
>> or confirm that your address can receive spam.  If you wish to view
>> it, it may be safer to save it to a file and open it with an editor.
>
> --
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


