(RADIATOR) User always get authentication succeeded after Timeleft expired with 802.1x PEAP/aironet1100 WLAN

Scott Xiao - ANTlabs scottxiao at antlabs.com
Wed Jul 21 08:13:03 CDT 2004


Hi,Mike,Hugh,Terry,
Thanks for your good advice!I am trying to get valid server certificate and
will test it soon,then it should be ok.


Hi,
The current question I am facing is:
I set the Radiator to use mysql database authentication,I created one user
which supposed only be able to  use this account for 1 hour (in the test,I
set to 1minute),after the PEAP authentication ,the user can surf
internet,after 1 minute the user ID was deleted on my access control server
according to the instruction from Radiator.But the user(on XP) automatically
send the authentication information to the AC and radiator and got
authentication succeeded and he can surf again,XP can cache the login info
to registry so not prompt for login again.By right,this account should be
expired already.Here below is the config file.What I can do to make this
user can only use the account valid for only 1 hour and the user will need
to get a new account for login?Thanks!
Rgds
Scott
+++++++++++++++++++++++++++++++++++++++++
Config file on Radiator:

Foreground
LogStdout
LogDir		/var/log/radius
DbDir		/etc/radiator

AuthPort 1812
AcctPort 1813

# User a lower trace level in production systems:
Trace 		4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
	Secret t-antlabs
	DupInterval 0
</Client>

<Client 192.168.123.9>
	Secret  antlabs
	DupInterval 0
</Client>


# This is where we autneticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1>
  # Windows XP when configured for a workgroup might send tunnelled user
names
        # in the format COMPUTERNAME\username (eg BAKER\mikem). This
        # will strip the computer name leaving just the user name
        RewriteUsername s/(.*)\\(.*)/$2/


#	<AuthBy FILE>
#		Filename %D/users
#
#		# This tells the PEAP client what types of inner EAP requests
#		# we will honour
#		EAPType MSCHAP-V2
#	</AuthBy>
	# This hook fixes the problem with some implementations of PEAP, where the
	# accounting requests have the User-Name of anonymous, instead of the real
	# users name. After authenticating the inner TTLS request, the
	# PostAuthHook caches the _real_ user name in an SQL table,
	# The PreProcessingHook replaces the 'anonymous' user name in
	# accounting requests with the
	# real user name that was previously cached for the NAS and NAS-Port.
	# You can see the correct real User-Name logged in the AcctLogFileName
	# Must be used in conjunction with PreProcessingHook below
#	PostAuthHook file:"goodies/eap_anon_hook.pl"

#Replace the authby users file to  this mysql below for testing-- Scott --
: ->

#<Realm DEFAULT>
    AuthByPolicy ContinueWhileAccept
   <AuthBy SQL>
# Adjust DBSource, DBUsername, DBAuth to suit your DB
        DBSource        dbi:mysql:idausrdb
        DBUsername	antlabs

        DBAuth		hidenpassword

        AcctColumnDef   USERNAME,User-Name
        AcctColumnDef   TIME_STAMP,Timestamp,integer
        AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef   NASIDENTIFIER,NAS-Identifier
        AcctColumnDef   NASPORT,NAS-Port,integer
#	EAPType MSCHAP-V2
#	EAPType PEAP,MSCHAP-V2
	EAPType MSCHAP-V2


# Adjust DBSource, DBUsername, DBAuth to suit your DB
#       DBSource        dbi:mysql:radius
#       DBUsername      mikem
#       DBAuth          fred

        # Only one session per user at a time
        DefaultSimultaneousUse 1

        # Let the user in if they have any time left, set
        # the Session-timeout to the time left
        AuthSelect select PASSWORD, TIMELEFT from SUBSCRIBERS where
USERNAME=%0 and TIMELEFT > 0
        AuthColumnDef   0,User-Password,check
        AuthColumnDef   1,Session-Timeout,reply

        # Adjust the time left when they log out
        AccountingStopsOnly
        AcctSQLStatement update SUBSCRIBERS set
TIMELEFT=TIMELEFT-0%{Acct-Session-Time} where USERNAME='%n'

    </AuthBy>
  #<AuthBy FILE>
  #    Filename defuser
  # </AuthBy>
#</Realm>

</Handler>


# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner
authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to
select
# a specific handler, or else you can use EAPAnonymous to set a username and
realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm,
and/or the
# fact that they were tunnelled. You can therfore act just as a PEAP server,
or also
# act as the AAA/H home server, and authenticate PEAP requests locally or
proxy
# them to another remote server based on the realm of the inner
authenticaiton request.
# In this basic example, both the inner and outer authentication are
authenticated
# from a file by AuthBy FILE


#This below is for outer authentication ,use mysql too.
#Auth method is PEAP -- Scott

<Handler>
#	<AuthBy FILE>
       # <AuthBy SQL>
		# The username of the outer authentication
		#  must be in this file to get anywhere. In this example,
		# it requires an entry for 'anonymous' which is the standard username
		# in the outer requests, and it also requires an entry for the
		# actual user name who is trying to connect (ie the 'Login name' entered
		# in the Funk Odyssey 'Edit Profile Properties' page
#	Filename %D/users

		# EAPType sets the EAP type(s) that Radiator will honour.
		# Options are: MD5-Challenge, One-Time-Password
		# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
		# Multiple types can be comma separated. With the default (most
		# preferred) type given first
		#EAPType PEAP
   <AuthBy SQL>
        DBSource        dbi:mysql:idausrdb
        DBUsername	antlabs
        DBAuth		hidenpassword
        AcctColumnDef   USERNAME,User-Name
        AcctColumnDef   TIME_STAMP,Timestamp,integer
        AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef   NASIDENTIFIER,NAS-Identifier
        AcctColumnDef   NASPORT,NAS-Port,integer

   #	EAPType PEAP
#	EAPType MSCHAP-V2,PEAP
	EAPType PEAP,MSCHAP-V2
		# EAPTLS_CAFile is the name of a file of CA certificates
		# in PEM format. The file can contain several CA certificates
		# Radiator will first look in EAPTLS_CAFile then in
		# EAPTLS_CAPath, so there usually is no need to set both
		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem

		# EAPTLS_CAPath is the name of a directory containing CA
    		# certificates in PEM format. The files each contain one
		# CA certificate. The files are looked up by the CA
		# subject name hash value
#		EAPTLS_CAPath

		# EAPTLS_CertificateFile is the name of a file containing
		# the servers certificate. EAPTLS_CertificateType
		# specifies the type of the file. Can be PEM or ASN1
		# defaults to ASN1
		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		EAPTLS_CertificateType PEM

		# EAPTLS_PrivateKeyFile is the name of the file containing
		# the servers private key. It is sometimes in the same file
		# as the server certificate (EAPTLS_CertificateFile)
		# If the private key is encrypted (usually the case)
		# then EAPTLS_PrivateKeyPassword is the key to descrypt it
		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever

		# EAPTLS_RandomFile is an optional file containing
		# randdomness
#		EAPTLS_RandomFile %D/certificates/random

		# EAPTLS_MaxFragmentSize sets the maximum TLS fragemt
		# size that will be replied by Radiator. It must be small
		# enough to fit in a single Radius request (ie less than 4096)
		# and still leave enough space for other attributes
		# Aironet APs seem to need a smaller MaxFragmentSize
		# (eg 1024) than the default of 2048. Others need even smaller sizes.
		EAPTLS_MaxFragmentSize 1000

		# EAPTLS_DHFile if set specifies the DH group file. It
		# may be required if you need to use ephemeral DH keys.
#		EAPTLS_DHFile %D/certificates/cert/dh


		# If EAPTLS_CRLCheck is set  and the client presents a certificate
		# then Radiator will look for a certificate revocation list (CRL)
		# for the certificate issuer
		# when authenticating each client. If a CRL file is not found, or
		# if the CRL says the certificate has neen revoked, the authentication
will
		# fail with an error:
		#   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
		# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
		# Alternatively, CRLs may follow a file naming convention:
		#  the hash of the issuer subject name
		# and a suffix that depends on the serial number.
		# eg ab1331b2.r0, ab1331b2.r1 etc.
		# You can find out the hash of the issuer name in a CRL with
		#  openssl crl -in crl.pem -hash -noout
		# CRLs with tis name convention
		# will be searched in EAPTLS_CAPath, else in the openssl
		# certificates directory typically /usr/local/openssl/certs/
		# CRLs are expected to be in PEM format.
		# A CRL files can be generated with openssl like this:
		#  openssl ca -gencrl -revoke cert-clt.pem
		#  openssl ca -gencrl -out crl.pem
		# Use of these flags requires Net_SSLeay-1.21 or later
		#EAPTLS_CRLCheck
		#EAPTLS_CRLFile %D/certificates/crl.pem
		#EAPTLS_CRLFile %D/certificates/revocations.pem

		# Some clients, depending on their configuration, may require you to
specify
		# MPPE send and receive keys. This _will_ be required if you select
		# 'Keys will be generated automatically for data privacy' in the Funk
Odyssey
		# client Network Properties dialog.
		# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
		# in the final Access-Accept
		AutoMPPEKeys

		# You can enable some warning messages from the Net::SSLeay
		# module by setting SSLeayTrace to an integer from 1 to 4
		# 1=ciphers, 2=trace, 3=dump data
		SSLeayTrace 4

		# You can configure the User-Name that will be used for the inner
		# authentication. Defaults to 'anonymous'. This can be useful
		# when proxying the inner authentication. If tehre is a realm, it can
		# be used to choose a local Realm to handle the inner authentication.
		# %0 is replaced with the EAP identitiy
		# EAPAnonymous anonymous at some.other.realm

		# You can enable or disable support for TTLS Session Resumption and
		# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
		# Default is enabled
		#EAPTLS_SessionResumption 0

		# You can limit how long after the initial session that a session can be
resumed
		# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
		# (12 hours)
		#EAPTLS_SessionResumptionLimit 10

		# You can control which version of the draft PEAP protocol to honour
		# with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
		# such as Funk Odyssey Client 2.22 or later.
		EAPTLS_PEAPVersion 1

        	AuthSelect select TIMELEFT from SUBSCRIBERS where USERNAME=%0 and
TIMELEFT > 0
        	AuthColumnDef   0,Session-Timeout,reply

	</AuthBy>

	# This hook fixes the problem with some implementations of PEAP, where the
	# accounting requests have the User-Name of anonymous, instead of the real
	# users name. After authenticating the inner TTLS request, the
	# PostAuthHook caches the _real_ user name in an SQL table,
	# The PreProcessingHook replaces the 'anonymous' user name in
	# accounting requests with the
	# real user name that was previously cached for the NAS and NAS-Port.
	# You can see the correct real User-Name logged in the AcctLogFileName
	# Must be used in conjunction with PostAuthHook above
#	PreProcessingHook file:"goodies/eap_anon_hook.pl"
</Handler>



-----Original Message-----
From: Terry Simons [mailto:galimore at mac.com]
Sent: Saturday, July 17, 2004 12:45 AM
To: scottxiao at antlabs.com
Cc: Mike McCauley; radiator at open.com.au; Hugh Irvine
Subject: Re: (RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted:
problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100
AP and Radiator 3.9


Hi Scott, Mike, Hugh.  ;-)

I'd like to suggest that perhaps it is less than favorable to turn off
server certificate validation in a production environment because it
basically allows Man in The Middle attacks to be carried out on users
in a fashion that a user wouldn't even realize what was going on.

A better solution that purchasing a certificate might be to run your
own CA and create your own certificates.  In fact, this is a much
better and more secure solution than even using somebody like Verisign.

If you were running a verisign CA signed server certificate for 802.1X
authentication, I could also request a verisign server certificate, and
hand it to your user to pull off a Man in the Middle attack.  Because
your client is going to verify Verisign (because that's what your
certificate was signed against), they will also allow my server
certificate (which was also signed by verisign).  This is a bad idea in
general, and should probably be avoided.

If you use a private CA to sign your server and client certificates,
the attacker is not going to be able to produce certificates signed by
that CA, so they will have a much harder time pulling off a Man in the
Middle attack.

Anyway, I'm not trying to tell you what to do, but there are
implications to consider when dealing with 802.1X and ensuring the
security of your users, and unfortunately the brunt of the work falls
on the administrator, especially when dealing with certificates.  :-)

Cheers,

- Terry

On Jul 16, 2004, at 4:59 AM, Scott Xiao - ANTlabs wrote:

> Thanks Hugh, yes,it's one option;the other one I think is,I need let
> the
> customer to purchase an official certificate for the Radius server from
> ,maybe,Verisign,for the convenience of wlan users because it will not
> be
> very secure without " validate server certificate" comparatively any
> way.
> Thanks,Hugh and Mike!
> Scott
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Friday, July 16, 2004 4:07 PM
> To: scottxiao at antlabs.com
> Cc: radiator at open.com.au; Mike McCauley
> Subject: Re: (RADIATOR) RE: (Radiator)Desired EAP type 25 not
> permitted:
> problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco
> arionet1100
> AP and Radiator 3.9
>
>
>
> Hello Scott -
>
> If the authentication succeeds without "validate server certificate" on
> XP then that is what you should tell your users to do.
>
> regards
>
> Hugh
>
>
> On 16 Jul 2004, at 16:29, Scott Xiao - ANTlabs wrote:
>
>> Hi,
>> In the config file,I changed back my EAPtype as before and now
>> authentication succeeded.So what Mike suggested,to comment out REALM
>> DEFAULT
>> ,is the key point to resolve the problem (Desired EAP type 25 not
>> permitted)
>> ,thanks!!
>> My other question as I asked before is,now I disabled "validate server
>> certificate" on client,how can I let the authentication pass without
>> requiring the XP client to  install any  specific certificate?Thanks.
>> Cheers
>> Scott
>>
>> -----Original Message-----
>> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
>> Behalf Of Scott Xiao - ANTlabs
>> Sent: Friday, July 16, 2004 11:06 AM
>> To: radiator at open.com.au
>> Cc: Hugh Irvine; Mike McCauley
>> Subject: (RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted:
>> problem
>> with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100
>> AP and
>> Radiator 3.9
>>
>>
>> Hi,Thanks to Mike and Hugh for advice! ...but I still got the same
>> problem....
>> I have modified the configuration file according to your advice:
>> 1.comment out the <Realm DEFAULT>
>> 2.Change EAPType to PEAP  round the other way with MSChAP-V2
>> Below is the udpated config file. But when I try to authenticate after
>> restart the service,it still  give me the erorr " Access rejected for
>> idatesta: Desired EAP type 25 not permitted" ,See the log below after
>> the
>> config file in the email please.What is the problem?For Inner
>> authentication,do I have to use defuser instead of mySQL?
>> Thanks for reminder of the the maillist,actually I believe I have been
>> in
>> the mail list for 2 days,I received a lot of email from other
>> subscribers
>> regarding their questions.
>> Please advise,thanks!
>> Rgds
>> Scott
>>
>> conifig file mysql-peap.cfg  (running with /usr/bin/perl
>> /usr/bin/radiusd -config_file /etc/radiator/mysql-peap.cfg)
>> ........
>>
>> <Handler TunnelledByPEAP=1>
>>
>>         RewriteUsername s/(.*)\\(.*)/$2/
>>
>> #<Realm DEFAULT>
>>
>>     AuthByPolicy ContinueWhileAccept
>>    <AuthBy SQL>
>>         DBSource        dbi:mysql:idausrdb
>>         DBUsername
>>         DBAuth
>>         AcctColumnDef   USERNAME,User-Name
>>         AcctColumnDef   TIME_STAMP,Timestamp,integer
>>         AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>>         AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>>         AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>         AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>         AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>>         AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>>         AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>         AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>>         AcctColumnDef   NASPORT,NAS-Port,integer
>> #       EAPType MSCHAP-V2
>>         EAPType PEAP
>>     </AuthBy>
>>
>> #</Realm>
>>
>> </Handler>
>>
>> <Handler>
>>
>>    <AuthBy SQL>
>>         DBSource        dbi:mysql:idausrdb
>>         DBUsername
>>         DBAuth
>>         AcctColumnDef   USERNAME,User-Name
>>         AcctColumnDef   TIME_STAMP,Timestamp,integer
>>         AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>>         AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>>         AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>         AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>         AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>>         AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>>         AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>         AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>>         AcctColumnDef   NASPORT,NAS-Port,integer
>>
>>    #    EAPType PEAP
>>         EAPType MSCHAP-V2
>>
>>        </AuthBy>
>>
>>
>> The log file:
>> [root at FC radius]# tail -50 logfile | more
>> Fri Jul 16 00:51:27 2004: DEBUG: Response type 3
>> Fri Jul 16 00:51:27 2004: INFO: EAP Nak desires type 25
>> Fri Jul 16 00:51:27 2004: DEBUG: EAP result: 1, Desired EAP type 25
>> not
>> permitte
>> d
>> Fri Jul 16 00:51:27 2004: INFO: Access rejected for idatesta: Desired
>> EAP
>> type 2
>> 5 not permitted
>> Fri Jul 16 00:51:27 2004: DEBUG: Packet dump:
>> *** Sending to 192.168.123.9 port 1647 ....
>> Code:       Access-Reject
>> Identifier: 18
>> Authentic:  <250><200><252><11>.<135>e<197><181>_%<250>(<254><180>z
>> Attributes:
>>         Reply-Message = "Request Denied"
>>         Proxy-State = 181
>>
>> Fri Jul 16 00:51:39 2004: DEBUG: Packet dump:
>> *** Received from 192.168.123.9 port 1647 ....
>> Code:       Access-Request
>> Identifier: 19
>> Authentic:  <250><200><252><11>.<135>e<197><181>_%<250>(<254><180>z
>> Attributes:
>>         User-Name = "idatesta"
>>         Framed-MTU = 1400
>>         Called-Station-Id = "000f.34db.6690"
>>         Calling-Station-Id = "000c.f108.37bf"
>>         Message-Authenticator =
>> Do<15><183>1<131>Q<23>e<19><168><162><254>Ns<245>
>>         EAP-Message = <2><1><0><13><1>idatesta
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         NAS-Port = 419
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 10.0.0.1
>>         NAS-Identifier = "ps-ap"
>>         Proxy-State = 182
>>
>> Fri Jul 16 00:51:39 2004: DEBUG: Handling request with Handler ''
>> Fri Jul 16 00:51:39 2004: DEBUG:  Deleting session for idatesta,
>> 10.0.0.1,
>> 419
>> Fri Jul 16 00:51:39 2004: DEBUG: Handling with Radius::AuthSQL
>> Fri Jul 16 00:51:39 2004: DEBUG: Handling with Radius::AuthSQL:
>> Fri Jul 16 00:51:39 2004: DEBUG: Handling with EAP: code 2, 1, 13
>> Fri Jul 16 00:51:39 2004: DEBUG: Response type 1
>> Fri Jul 16 00:51:39 2004: DEBUG: EAP result: 3, EAP MSCHAP-V2
>> Challenge
>> Fri Jul 16 00:51:39 2004: DEBUG: Access challenged for idatesta: EAP
>> MSCHAP-V2 Challenge
>> Fri Jul 16 00:51:39 2004: DEBUG: Packet dump:
>> -----Original Message-----
>> From: Mike McCauley [mailto:mikem at open.com.au]
>> Sent: Friday, July 16, 2004 6:42 AM
>> To: Scott Xiao - ANTlabs
>> Cc: Hugh Irvine
>> Subject: Re: (Radiator)Desired EAP type 25 not permitted: problem with
>> my
>> 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and
>> Radiator
>> 3.9
>>
>>
>> Hello Scott,
>>
>> Your email was identified as spam by my spamassassin, mostly due to
>> html
>> content. Its lucky I got to see it. Please dont use HTML.
>>
>> BTW, it would be better if you address any future technical questions
>> you
>> might have to the Radiator mailing list. That way others can learn
>> from the question and answer, and possibly contribute in areas
>> where I am not expert. Also, we have other staff on the mailing list
>> who can respond when I am not available.
>>
>> You can join the Radiator mailing list by sending email with the
>> single word subscribe in the body (not in the subject line) to
>> radiator-request at open.com.au
>> There is an archive at http://www.open.com.au/archives/radiator/
>>
>> If you require a guaranteed response to your questions, you should
>> consider
>> a support contract, see http://www.open.com.au/support.html
>>
>> The problem you report is due to the fact that you have your EAP types
>> around
>> the wrong way, in that the Handler which handles the inner request is
>> type
>> PEAP, and the Realm is type MSCHAP-V2. They should be round the other
>> way.
>> Also you have a Realm DEFAULT which will get all requests, including
>> the
>> inner. You should use <Handler> instead of <Realm DEFAULT>. Mixing
>> Realms
>> and
>> Handlers is generally a bad idea.
>>
>> Cheers.
>>
>>
>>
>>
>> On Thu, 15 Jul 2004 09:52 pm, you wrote:
>>> Spam detection software, running on the system "server1.open.com.au",
>>> has
>>> identified this incoming email as possible spam.  The original
>>> message
>>> has been attached to this so you can view it (if it isn't spam) or
>>> block
>>> similar future email.  If you have any questions, see
>>> postmaster at open.com.au for details.
>>>
>>> Content preview:  Hi,Mike, Can you advise?Thanks! Scott
>>>
>>> Content analysis details:   (5.3 points, 5.0 required)
>>>
>>>  pts rule name              description
>>> ---- ----------------------
>>> -------------------------------------------------- 0.8 HTML_30_40
>>>   BODY: Message is 30% to 40% HTML
>>>  0.1 HTML_FONTCOLOR_RED     BODY: HTML font color is red
>>>  0.2 HTML_FONT_FACE_BAD     BODY: HTML font face is not a word
>>>  0.1 HTML_FONTCOLOR_BLUE    BODY: HTML font color is blue
>>>  0.0 HTML_MESSAGE           BODY: HTML included in message
>>>  0.5 HTML_TITLE_EMPTY       BODY: HTML title contains no text
>>>  1.1 RCVD_IN_SORBS_MISC     RBL: SORBS: sender is open proxy server
>>>                             [203.125.41.199 listed in
>>> dnsbl.sorbs.net]
>>>  0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
>>>                             [203.125.41.199 listed in
>>> dnsbl.sorbs.net]
>>>  0.1 RCVD_IN_NJABL          RBL: Received via a relay in
>>> dnsbl.njabl.org
>>>                             [203.125.41.199 listed in
>>> dnsbl.njabl.org]
>>>  1.1 RCVD_IN_DSBL           RBL: Received via a relay in
>>> list.dsbl.org
>>>
>>> [<http://dsbl.org/listing?ip=203.125.41.199>]
>>>  1.1 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
>>>                             [203.125.41.199 listed in
>>> dnsbl.njabl.org]
>>>
>>> The original message was not completely plain text, and may be unsafe
>>> to
>>> open with some email clients; in particular, it may contain a virus,
>>> or confirm that your address can receive spam.  If you wish to view
>>> it, it may be safer to save it to a file and open it with an editor.
>>
>> --
>> Mike McCauley                               mikem at open.com.au
>> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++,
>> WWW
>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>> http://www.open.com.au
>> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
>> TLS,
>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list