(RADIATOR) User always get authentication succeeded after Timeleft expired with 802.1x PEAP/aironet1100 WLAN
Scott Xiao - ANTlabs
scottxiao at antlabs.com
Thu Jul 22 03:35:04 CDT 2004
Thanks Hugh,
According to the trace 4 log below,
The Session-Timeout = 60 was returned,but the user was re-authenticated
successfully again....
Cheers
Scott
[root at FC radius]# tail -200 logfile | more
EAP-Message =
<2><28><0>V<25><0><23><3><1><0>KL<129><228><31>/<228><192><127>Awh<9><241><2
00>:m<233>1<244><174>'G<12>
<204>N<222>JH~a<165><1><243><16>E5<167><250><247>.<234>0A<162>=?<162>7<216>j
<13>[<230><0><253><25><145>"=oM<30>4<240><7>!<145
><222><252>?<19><131>5<15>?
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 464
Service-Type = Framed-User
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "ps-ap"
Proxy-State = 113
Mon Jul 19 17:35:15 2004: DEBUG: Handling request with Handler ''
Mon Jul 19 17:35:15 2004: DEBUG: Deleting session for john, 10.0.0.1, 464
Mon Jul 19 17:35:15 2004: DEBUG: Handling with Radius::AuthSQL
Mon Jul 19 17:35:15 2004: DEBUG: Handling with Radius::AuthSQL:
Mon Jul 19 17:35:15 2004: DEBUG: Handling with EAP: code 2, 28, 86
Mon Jul 19 17:35:15 2004: DEBUG: Response type 25
Mon Jul 19 17:35:15 2004: DEBUG: EAP PEAP inner authentication request for
anonymous
Mon Jul 19 17:35:15 2004: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <14>6<146><147><2><233>]<204><178><253>d<13>4<141><230><172>
Attributes:
EAP-Message =
<2><28><0>;<26><2><28><0>:1<26>t<241><161><3><200><207>vCw<141>2<149>jh<158>
<0><0><0><0><0><0><0><0><30
><144><157><131><198><161>Y<211>&Y<240><156><28><21><225>V<14>.<133><<15>PA<
19><0>john
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "ps-ap"
NAS-Port = 464
Calling-Station-Id = "000c.f108.37bf"
Mon Jul 19 17:35:15 2004: DEBUG: Handling request with Handler
'TunnelledByPEAP=1'
Mon Jul 19 17:35:15 2004: DEBUG: Rewrote user name to anonymous
Mon Jul 19 17:35:15 2004: DEBUG: Deleting session for , 10.0.0.1, 464
Mon Jul 19 17:35:15 2004: DEBUG: Handling with Radius::AuthSQL
Mon Jul 19 17:35:15 2004: DEBUG: Handling with Radius::AuthSQL:
Mon Jul 19 17:35:15 2004: DEBUG: Handling with EAP: code 2, 28, 59
Mon Jul 19 17:35:15 2004: DEBUG: Response type 26
Mon Jul 19 17:35:15 2004: DEBUG: Query is: 'select PASSWORD, TIMELEFT from
SUBSCRIBERS where USERNAME='john' and TIMELEFT > 0
':
Mon Jul 19 17:35:15 2004: DEBUG: Radius::AuthSQL looks for match with john
Mon Jul 19 17:35:15 2004: DEBUG: Radius::AuthSQL ACCEPT:
Mon Jul 19 17:35:15 2004: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge:
Success
Mon Jul 19 17:35:15 2004: DEBUG: Access challenged for anonymous: EAP MSCHAP
V2 Challenge: Success
Mon Jul 19 17:35:15 2004: DEBUG: EAP result: 3, EAP PEAP inner
authentication redespatched to a Handler
Mon Jul 19 17:35:15 2004: DEBUG: Access challenged for john: EAP PEAP inner
authentication redespatched to a Handler
Mon Jul 19 17:35:15 2004: DEBUG: Packet dump:
*** Sending to 192.168.123.9 port 1814 ....
Code: Access-Challenge
Identifier: 162
Authentic: <204><189>D<167><24>|<209><139>'fQ!<155><17>X<211>
Attributes:
EAP-Message =
<1><29><0>T<25><0><23><3><1><0>I<232><234><155><23>y<243><133><219><22><139>
<128><161><16><250>`<194>`<
222><230><199>;<203><9><180><27><153><254>a<207><150>v+<167><227>G<22><1><19
6>EY<235><190>@O<174>T*<148>~<172><131><188><229>
zRn<214>u<204>#<18><140>%<217><151>m<14><160><137><169>p><165>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Proxy-State = 113
Mon Jul 19 17:35:16 2004: DEBUG: Packet dump:
*** Received from 192.168.123.9 port 1814 ....
Code: Access-Request
Identifier: 163
Authentic: <247><210><144>C)<227>w<232>Y<255><190><247><227><142><193><238>
Attributes:
User-Name = "john"
Framed-MTU = 1400
Called-Station-Id = "000f.34db.6690"
Calling-Station-Id = "000c.f108.37bf"
Message-Authenticator =
<158><136><195>$<2><143>+D<240>(j<155><230><141><224><235>
EAP-Message =
<2><29><0><29><25><0><23><3><1><0><18>J<213>l{$<5>^<145><20><10><29>d<9>W<13
><204><220><144>
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 464
Service-Type = Framed-User
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "ps-ap"
Proxy-State = 114
Mon Jul 19 17:35:16 2004: DEBUG: Handling request with Handler ''
Mon Jul 19 17:35:16 2004: DEBUG: Deleting session for john, 10.0.0.1, 464
Mon Jul 19 17:35:16 2004: DEBUG: Handling with Radius::AuthSQL
Mon Jul 19 17:35:16 2004: DEBUG: Handling with Radius::AuthSQL:
Mon Jul 19 17:35:16 2004: DEBUG: Handling with EAP: code 2, 29, 29
Mon Jul 19 17:35:16 2004: DEBUG: Response type 25
Mon Jul 19 17:35:16 2004: DEBUG: EAP PEAP inner authentication request for
anonymous
Mon Jul 19 17:35:16 2004: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic:
<232><205><160><183><4><219><240><2><163>/G<157><226><229><218><255>
Attributes:
EAP-Message = <2><29><0><2><26><3>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "anonymous"
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "ps-ap"
NAS-Port = 464
Calling-Station-Id = "000c.f108.37bf"
Mon Jul 19 17:35:16 2004: DEBUG: Handling request with Handler
'TunnelledByPEAP=1'
Mon Jul 19 17:35:16 2004: DEBUG: Rewrote user name to anonymous
Mon Jul 19 17:35:16 2004: DEBUG: Deleting session for , 10.0.0.1, 464
Mon Jul 19 17:35:16 2004: DEBUG: Handling with Radius::AuthSQL
Mon Jul 19 17:35:16 2004: DEBUG: Handling with Radius::AuthSQL:
Mon Jul 19 17:35:16 2004: DEBUG: Handling with EAP: code 2, 29, 2
Mon Jul 19 17:35:16 2004: DEBUG: Response type 26
Mon Jul 19 17:35:16 2004: DEBUG: EAP result: 0,
Mon Jul 19 17:35:16 2004: DEBUG: Access accepted for anonymous
Mon Jul 19 17:35:16 2004: DEBUG: EAP result: 3, EAP PEAP inner
authentication redespatched to a Handler
Mon Jul 19 17:35:16 2004: DEBUG: Access challenged for john: EAP PEAP inner
authentication redespatched to a Handler
Mon Jul 19 17:35:17 2004: DEBUG: Packet dump:
*** Sending to 192.168.123.9 port 1814 ....
Code: Access-Challenge
Identifier: 163
Authentic: <247><210><144>C)<227>w<232>Y<255><190><247><227><142><193><238>
Attributes:
EAP-Message =
<1><30><0>&<25><0><23><3><1><0><27>,y^W<255><233><31>a<168><163><195><24><21
2><2>B<205><205>V<240><159>
.<219>A<253><18><181><255>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Proxy-State = 114
Mon Jul 19 17:35:17 2004: DEBUG: Packet dump:
*** Received from 192.168.123.9 port 1814 ....
Code: Access-Request
Identifier: 164
Authentic:
K<20><136><183><253><220>4<158><158><198>,<219><171><232><29><187>
Attributes:
User-Name = "john"
Framed-MTU = 1400
Called-Station-Id = "000f.34db.6690"
Calling-Station-Id = "000c.f108.37bf"
Message-Authenticator =
<164><153><127><21><18><21><171>~!<2>W<18><204><220><231><218>
EAP-Message =
<2><30><0>&<25><0><23><3><1><0><27><171><200><204><6><181><<250><136><135><1
2><162><232><227>{<231><172
><10><245><210>I<204><227><27><28>k<179><170>
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 464
Service-Type = Framed-User
NAS-IP-Address = 10.0.0.1
NAS-Identifier = "ps-ap"
Proxy-State = 115
Mon Jul 19 17:35:17 2004: DEBUG: Handling request with Handler ''
Mon Jul 19 17:35:17 2004: DEBUG: Deleting session for john, 10.0.0.1, 464
Mon Jul 19 17:35:17 2004: DEBUG: Handling with Radius::AuthSQL
Mon Jul 19 17:35:17 2004: DEBUG: Handling with Radius::AuthSQL:
Mon Jul 19 17:35:17 2004: DEBUG: Handling with EAP: code 2, 30, 38
Mon Jul 19 17:35:17 2004: DEBUG: Response type 25
Mon Jul 19 17:35:17 2004: DEBUG: EAP result: 0,
Mon Jul 19 17:35:17 2004: DEBUG: Access accepted for john
Mon Jul 19 17:35:17 2004: DEBUG: Packet dump:
*** Sending to 192.168.123.9 port 1814 ....
Code: Access-Accept
Identifier: 164
Authentic:
K<20><136><183><253><220>4<158><158><198>,<219><171><232><29><187>
Attributes:
Session-Timeout = 60
EAP-Message = <3><30><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
MS-MPPE-Send-Key =
"<231><22><161><18><199>'<20>K<194><211><178><178><24>h<185><20>s1<218>
<152><197><225><132><148>J
CS<187>}<182><31><171><245><<0><151><192><228>/x<129>!<155><215><137><171>5<
224><152>"
MS-MPPE-Recv-Key =
"<136>.bt<242><22><196><23><7>)P<20>;j(<23>T<130>I<196>[f<226><224><133>6<14
6>/V<227><248>/<158><1
75>v<25><226><235><140><226><8><147><202>B<226><179>w<18><184><214>"
Proxy-State = 115
Mon Jul 19 17:35:44 2004: DEBUG: Packet dump:
*** Received from 192.168.123.9 port 1814 ....
Code: Accounting-Request
Identifier: 165
Authentic: Qzv]<196>&%<212>~<221>:[<203><23><174><198>
Attributes:
User-Name = "john"
Acct-Session-Id = "000000D9"
Called-Station-Id = "000f.34db.6690"
Calling-Station-Id = "000c.f108.37bf"
cisco-avpair = "ssid=1xnet"
cisco-avpair = "nas-location=unspecified"
cisco-avpair = "vlan-id=1"
cisco-avpair = "auth-algo-type=eap-peap"
Acct-Authentic = RADIUS
cisco-avpair = "connect-progress=Auth Open"
Acct-Session-Time = 1429
Acct-Input-Octets = 505671
Acct-Output-Octets = 519023
Acct-Input-Packets = 5155
Acct-Output-Packets = 3123
Acct-Terminate-Cause = Lost-Carrier
cisco-avpair = "disc-cause-ext=No Reason"
Acct-Status-Type = Stop
NAS-Port-Type = Wireless-IEEE-802-11
Cisco-NAS-Port = "464"
NAS-Port = 464
Service-Type = Framed-User
NAS-IP-Address = 10.0.0.1
Acct-Delay-Time = 0
Proxy-State = 116
Mon Jul 19 17:35:44 2004: DEBUG: Handling request with Handler ''
Mon Jul 19 17:35:44 2004: DEBUG: Deleting session for john, 10.0.0.1, 464
Mon Jul 19 17:35:44 2004: DEBUG: Handling with Radius::AuthSQL
Mon Jul 19 17:35:44 2004: DEBUG: Handling accounting with Radius::AuthSQL
Mon Jul 19 17:35:44 2004: DEBUG: do query is: 'insert into ACCOUNTING
(ACCTDELAYTIME,ACCTINPUTOCTETS,ACCTOUTPUTOCTETS,ACCTSES
SIONID,ACCTSESSIONTIME,ACCTSTATUSTYPE,ACCTTERMINATECAUSE,NASPORT,TIME_STAMP,
USERNAME) values (0,505671,519023,'000000D9',1429
,'Stop','Lost-Carrier',464,1090229744,'john')':
Mon Jul 19 17:35:44 2004: DEBUG: Accounting accepted
Mon Jul 19 17:35:44 2004: DEBUG: Packet dump:
*** Sending to 192.168.123.9 port 1814 ....
Code: Accounting-Response
Identifier: 165
Authentic: Qzv]<196>&%<212>~<221>:[<203><23><174><198>
Attributes:
Proxy-State = 116
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Thursday, July 22, 2004 3:31 PM
To: scottxiao at antlabs.com
Cc: radiator at open.com.au; Terry Simons; Mike McCauley
Subject: Re: (RADIATOR) User always get authentication succeeded after
Timeleft expired with 802.1x PEAP/aironet1100 WLAN
Hello Scott -
You will need to check a trace 4 debug to verify that the
Session-Timeout is being set and sent correctly.
If it is being sent correctly, but the access point does not drop the
connection then the problem is with the access point.
If the Session-Timeout is not being decremented correctly then it is
probably a problem with the accounting sent by the access point.
The only way to see what is happening is to look at a trace 4 debug.
regards
Hugh
On 21 Jul 2004, at 23:13, Scott Xiao - ANTlabs wrote:
> Hi,Mike,Hugh,Terry,
> Thanks for your good advice!I am trying to get valid server
> certificate and
> will test it soon,then it should be ok.
>
>
> Hi,
> The current question I am facing is:
> I set the Radiator to use mysql database authentication,I created one
> user
> which supposed only be able to use this account for 1 hour (in the
> test,I
> set to 1minute),after the PEAP authentication ,the user can surf
> internet,after 1 minute the user ID was deleted on my access control
> server
> according to the instruction from Radiator.But the user(on XP)
> automatically
> send the authentication information to the AC and radiator and got
> authentication succeeded and he can surf again,XP can cache the login
> info
> to registry so not prompt for login again.By right,this account should
> be
> expired already.Here below is the config file.What I can do to make
> this
> user can only use the account valid for only 1 hour and the user will
> need
> to get a new account for login?Thanks!
> Rgds
> Scott
> +++++++++++++++++++++++++++++++++++++++++
> Config file on Radiator:
>
> Foreground
> LogStdout
> LogDir /var/log/radius
> DbDir /etc/radiator
>
> AuthPort 1812
> AcctPort 1813
>
> # User a lower trace level in production systems:
> Trace 4
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
> Secret t-antlabs
> DupInterval 0
> </Client>
>
> <Client 192.168.123.9>
> Secret antlabs
> DupInterval 0
> </Client>
>
>
> # This is where we autneticate a PEAP inner request, which will be an
> EAP
> # request. The username of the inner request will be anonymous,
> although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> <Handler TunnelledByPEAP=1>
> # Windows XP when configured for a workgroup might send tunnelled
> user
> names
> # in the format COMPUTERNAME\username (eg BAKER\mikem). This
> # will strip the computer name leaving just the user name
> RewriteUsername s/(.*)\\(.*)/$2/
>
>
> # <AuthBy FILE>
> # Filename %D/users
> #
> # # This tells the PEAP client what types of inner EAP requests
> # # we will honour
> # EAPType MSCHAP-V2
> # </AuthBy>
> # This hook fixes the problem with some implementations of PEAP,
> where the
> # accounting requests have the User-Name of anonymous, instead of the
> real
> # users name. After authenticating the inner TTLS request, the
> # PostAuthHook caches the _real_ user name in an SQL table,
> # The PreProcessingHook replaces the 'anonymous' user name in
> # accounting requests with the
> # real user name that was previously cached for the NAS and NAS-Port.
> # You can see the correct real User-Name logged in the AcctLogFileName
> # Must be used in conjunction with PreProcessingHook below
> # PostAuthHook file:"goodies/eap_anon_hook.pl"
>
> #Replace the authby users file to this mysql below for testing--
> Scott --
> : ->
>
> #<Realm DEFAULT>
> AuthByPolicy ContinueWhileAccept
> <AuthBy SQL>
> # Adjust DBSource, DBUsername, DBAuth to suit your DB
> DBSource dbi:mysql:idausrdb
> DBUsername antlabs
>
> DBAuth hidenpassword
>
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASPORT,NAS-Port,integer
> # EAPType MSCHAP-V2
> # EAPType PEAP,MSCHAP-V2
> EAPType MSCHAP-V2
>
>
> # Adjust DBSource, DBUsername, DBAuth to suit your DB
> # DBSource dbi:mysql:radius
> # DBUsername mikem
> # DBAuth fred
>
> # Only one session per user at a time
> DefaultSimultaneousUse 1
>
> # Let the user in if they have any time left, set
> # the Session-timeout to the time left
> AuthSelect select PASSWORD, TIMELEFT from SUBSCRIBERS where
> USERNAME=%0 and TIMELEFT > 0
> AuthColumnDef 0,User-Password,check
> AuthColumnDef 1,Session-Timeout,reply
>
> # Adjust the time left when they log out
> AccountingStopsOnly
> AcctSQLStatement update SUBSCRIBERS set
> TIMELEFT=TIMELEFT-0%{Acct-Session-Time} where USERNAME='%n'
>
> </AuthBy>
> #<AuthBy FILE>
> # Filename defuser
> # </AuthBy>
> #</Realm>
>
> </Handler>
>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the
> inner
> authentication
> # extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be
> used to
> select
> # a specific handler, or else you can use EAPAnonymous to set a
> username and
> realm
> # which can be used to select a Realm clause for the inner request.
> # This allows you to select an inner authentication method based on
> Realm,
> and/or the
> # fact that they were tunnelled. You can therfore act just as a PEAP
> server,
> or also
> # act as the AAA/H home server, and authenticate PEAP requests locally
> or
> proxy
> # them to another remote server based on the realm of the inner
> authenticaiton request.
> # In this basic example, both the inner and outer authentication are
> authenticated
> # from a file by AuthBy FILE
>
>
> #This below is for outer authentication ,use mysql too.
> #Auth method is PEAP -- Scott
>
> <Handler>
> # <AuthBy FILE>
> # <AuthBy SQL>
> # The username of the outer authentication
> # must be in this file to get anywhere. In this example,
> # it requires an entry for 'anonymous' which is the standard username
> # in the outer requests, and it also requires an entry for the
> # actual user name who is trying to connect (ie the 'Login name'
> entered
> # in the Funk Odyssey 'Edit Profile Properties' page
> # Filename %D/users
>
> # EAPType sets the EAP type(s) that Radiator will honour.
> # Options are: MD5-Challenge, One-Time-Password
> # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> # Multiple types can be comma separated. With the default (most
> # preferred) type given first
> #EAPType PEAP
> <AuthBy SQL>
> DBSource dbi:mysql:idausrdb
> DBUsername antlabs
> DBAuth hidenpassword
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASPORT,NAS-Port,integer
>
> # EAPType PEAP
> # EAPType MSCHAP-V2,PEAP
> EAPType PEAP,MSCHAP-V2
> # EAPTLS_CAFile is the name of a file of CA certificates
> # in PEM format. The file can contain several CA certificates
> # Radiator will first look in EAPTLS_CAFile then in
> # EAPTLS_CAPath, so there usually is no need to set both
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>
> # EAPTLS_CAPath is the name of a directory containing CA
> # certificates in PEM format. The files each contain one
> # CA certificate. The files are looked up by the CA
> # subject name hash value
> # EAPTLS_CAPath
>
> # EAPTLS_CertificateFile is the name of a file containing
> # the servers certificate. EAPTLS_CertificateType
> # specifies the type of the file. Can be PEM or ASN1
> # defaults to ASN1
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
>
> # EAPTLS_PrivateKeyFile is the name of the file containing
> # the servers private key. It is sometimes in the same file
> # as the server certificate (EAPTLS_CertificateFile)
> # If the private key is encrypted (usually the case)
> # then EAPTLS_PrivateKeyPassword is the key to descrypt it
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
>
> # EAPTLS_RandomFile is an optional file containing
> # randdomness
> # EAPTLS_RandomFile %D/certificates/random
>
> # EAPTLS_MaxFragmentSize sets the maximum TLS fragemt
> # size that will be replied by Radiator. It must be small
> # enough to fit in a single Radius request (ie less than 4096)
> # and still leave enough space for other attributes
> # Aironet APs seem to need a smaller MaxFragmentSize
> # (eg 1024) than the default of 2048. Others need even smaller sizes.
> EAPTLS_MaxFragmentSize 1000
>
> # EAPTLS_DHFile if set specifies the DH group file. It
> # may be required if you need to use ephemeral DH keys.
> # EAPTLS_DHFile %D/certificates/cert/dh
>
>
> # If EAPTLS_CRLCheck is set and the client presents a certificate
> # then Radiator will look for a certificate revocation list (CRL)
> # for the certificate issuer
> # when authenticating each client. If a CRL file is not found, or
> # if the CRL says the certificate has neen revoked, the
> authentication
> will
> # fail with an error:
> # SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
> # Alternatively, CRLs may follow a file naming convention:
> # the hash of the issuer subject name
> # and a suffix that depends on the serial number.
> # eg ab1331b2.r0, ab1331b2.r1 etc.
> # You can find out the hash of the issuer name in a CRL with
> # openssl crl -in crl.pem -hash -noout
> # CRLs with tis name convention
> # will be searched in EAPTLS_CAPath, else in the openssl
> # certificates directory typically /usr/local/openssl/certs/
> # CRLs are expected to be in PEM format.
> # A CRL files can be generated with openssl like this:
> # openssl ca -gencrl -revoke cert-clt.pem
> # openssl ca -gencrl -out crl.pem
> # Use of these flags requires Net_SSLeay-1.21 or later
> #EAPTLS_CRLCheck
> #EAPTLS_CRLFile %D/certificates/crl.pem
> #EAPTLS_CRLFile %D/certificates/revocations.pem
>
> # Some clients, depending on their configuration, may require you to
> specify
> # MPPE send and receive keys. This _will_ be required if you select
> # 'Keys will be generated automatically for data privacy' in the Funk
> Odyssey
> # client Network Properties dialog.
> # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> # in the final Access-Accept
> AutoMPPEKeys
>
> # You can enable some warning messages from the Net::SSLeay
> # module by setting SSLeayTrace to an integer from 1 to 4
> # 1=ciphers, 2=trace, 3=dump data
> SSLeayTrace 4
>
> # You can configure the User-Name that will be used for the inner
> # authentication. Defaults to 'anonymous'. This can be useful
> # when proxying the inner authentication. If tehre is a realm, it can
> # be used to choose a local Realm to handle the inner authentication.
> # %0 is replaced with the EAP identitiy
> # EAPAnonymous anonymous at some.other.realm
>
> # You can enable or disable support for TTLS Session Resumption and
> # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
> # Default is enabled
> #EAPTLS_SessionResumption 0
>
> # You can limit how long after the initial session that a session
> can be
> resumed
> # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to
> 43200
> # (12 hours)
> #EAPTLS_SessionResumptionLimit 10
>
> # You can control which version of the draft PEAP protocol to honour
> # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual
> clients,
> # such as Funk Odyssey Client 2.22 or later.
> EAPTLS_PEAPVersion 1
>
> AuthSelect select TIMELEFT from SUBSCRIBERS where USERNAME=%0
> and
> TIMELEFT > 0
> AuthColumnDef 0,Session-Timeout,reply
>
> </AuthBy>
>
> # This hook fixes the problem with some implementations of PEAP,
> where the
> # accounting requests have the User-Name of anonymous, instead of the
> real
> # users name. After authenticating the inner TTLS request, the
> # PostAuthHook caches the _real_ user name in an SQL table,
> # The PreProcessingHook replaces the 'anonymous' user name in
> # accounting requests with the
> # real user name that was previously cached for the NAS and NAS-Port.
> # You can see the correct real User-Name logged in the AcctLogFileName
> # Must be used in conjunction with PostAuthHook above
> # PreProcessingHook file:"goodies/eap_anon_hook.pl"
> </Handler>
>
>
>
> -----Original Message-----
> From: Terry Simons [mailto:galimore at mac.com]
> Sent: Saturday, July 17, 2004 12:45 AM
> To: scottxiao at antlabs.com
> Cc: Mike McCauley; radiator at open.com.au; Hugh Irvine
> Subject: Re: (RADIATOR) RE: (Radiator)Desired EAP type 25 not
> permitted:
> problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco
> arionet1100
> AP and Radiator 3.9
>
>
> Hi Scott, Mike, Hugh. ;-)
>
> I'd like to suggest that perhaps it is less than favorable to turn off
> server certificate validation in a production environment because it
> basically allows Man in The Middle attacks to be carried out on users
> in a fashion that a user wouldn't even realize what was going on.
>
> A better solution that purchasing a certificate might be to run your
> own CA and create your own certificates. In fact, this is a much
> better and more secure solution than even using somebody like Verisign.
>
> If you were running a verisign CA signed server certificate for 802.1X
> authentication, I could also request a verisign server certificate, and
> hand it to your user to pull off a Man in the Middle attack. Because
> your client is going to verify Verisign (because that's what your
> certificate was signed against), they will also allow my server
> certificate (which was also signed by verisign). This is a bad idea in
> general, and should probably be avoided.
>
> If you use a private CA to sign your server and client certificates,
> the attacker is not going to be able to produce certificates signed by
> that CA, so they will have a much harder time pulling off a Man in the
> Middle attack.
>
> Anyway, I'm not trying to tell you what to do, but there are
> implications to consider when dealing with 802.1X and ensuring the
> security of your users, and unfortunately the brunt of the work falls
> on the administrator, especially when dealing with certificates. :-)
>
> Cheers,
>
> - Terry
>
> On Jul 16, 2004, at 4:59 AM, Scott Xiao - ANTlabs wrote:
>
>> Thanks Hugh, yes,it's one option;the other one I think is,I need let
>> the
>> customer to purchase an official certificate for the Radius server
>> from
>> ,maybe,Verisign,for the convenience of wlan users because it will not
>> be
>> very secure without " validate server certificate" comparatively any
>> way.
>> Thanks,Hugh and Mike!
>> Scott
>>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: Friday, July 16, 2004 4:07 PM
>> To: scottxiao at antlabs.com
>> Cc: radiator at open.com.au; Mike McCauley
>> Subject: Re: (RADIATOR) RE: (Radiator)Desired EAP type 25 not
>> permitted:
>> problem with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco
>> arionet1100
>> AP and Radiator 3.9
>>
>>
>>
>> Hello Scott -
>>
>> If the authentication succeeds without "validate server certificate"
>> on
>> XP then that is what you should tell your users to do.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 16 Jul 2004, at 16:29, Scott Xiao - ANTlabs wrote:
>>
>>> Hi,
>>> In the config file,I changed back my EAPtype as before and now
>>> authentication succeeded.So what Mike suggested,to comment out REALM
>>> DEFAULT
>>> ,is the key point to resolve the problem (Desired EAP type 25 not
>>> permitted)
>>> ,thanks!!
>>> My other question as I asked before is,now I disabled "validate
>>> server
>>> certificate" on client,how can I let the authentication pass without
>>> requiring the XP client to install any specific certificate?Thanks.
>>> Cheers
>>> Scott
>>>
>>> -----Original Message-----
>>> From: owner-radiator at open.com.au
>>> [mailto:owner-radiator at open.com.au]On
>>> Behalf Of Scott Xiao - ANTlabs
>>> Sent: Friday, July 16, 2004 11:06 AM
>>> To: radiator at open.com.au
>>> Cc: Hugh Irvine; Mike McCauley
>>> Subject: (RADIATOR) RE: (Radiator)Desired EAP type 25 not permitted:
>>> problem
>>> with my 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100
>>> AP and
>>> Radiator 3.9
>>>
>>>
>>> Hi,Thanks to Mike and Hugh for advice! ...but I still got the same
>>> problem....
>>> I have modified the configuration file according to your advice:
>>> 1.comment out the <Realm DEFAULT>
>>> 2.Change EAPType to PEAP round the other way with MSChAP-V2
>>> Below is the udpated config file. But when I try to authenticate
>>> after
>>> restart the service,it still give me the erorr " Access rejected for
>>> idatesta: Desired EAP type 25 not permitted" ,See the log below after
>>> the
>>> config file in the email please.What is the problem?For Inner
>>> authentication,do I have to use defuser instead of mySQL?
>>> Thanks for reminder of the the maillist,actually I believe I have
>>> been
>>> in
>>> the mail list for 2 days,I received a lot of email from other
>>> subscribers
>>> regarding their questions.
>>> Please advise,thanks!
>>> Rgds
>>> Scott
>>>
>>> conifig file mysql-peap.cfg (running with /usr/bin/perl
>>> /usr/bin/radiusd -config_file /etc/radiator/mysql-peap.cfg)
>>> ........
>>>
>>> <Handler TunnelledByPEAP=1>
>>>
>>> RewriteUsername s/(.*)\\(.*)/$2/
>>>
>>> #<Realm DEFAULT>
>>>
>>> AuthByPolicy ContinueWhileAccept
>>> <AuthBy SQL>
>>> DBSource dbi:mysql:idausrdb
>>> DBUsername
>>> DBAuth
>>> AcctColumnDef USERNAME,User-Name
>>> AcctColumnDef TIME_STAMP,Timestamp,integer
>>> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>>> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>>> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>>> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>>> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>> AcctColumnDef NASIDENTIFIER,NAS-Identifier
>>> AcctColumnDef NASPORT,NAS-Port,integer
>>> # EAPType MSCHAP-V2
>>> EAPType PEAP
>>> </AuthBy>
>>>
>>> #</Realm>
>>>
>>> </Handler>
>>>
>>> <Handler>
>>>
>>> <AuthBy SQL>
>>> DBSource dbi:mysql:idausrdb
>>> DBUsername
>>> DBAuth
>>> AcctColumnDef USERNAME,User-Name
>>> AcctColumnDef TIME_STAMP,Timestamp,integer
>>> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>>> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>>> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>>> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>>> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>>> AcctColumnDef NASIDENTIFIER,NAS-Identifier
>>> AcctColumnDef NASPORT,NAS-Port,integer
>>>
>>> # EAPType PEAP
>>> EAPType MSCHAP-V2
>>>
>>> </AuthBy>
>>>
>>>
>>> The log file:
>>> [root at FC radius]# tail -50 logfile | more
>>> Fri Jul 16 00:51:27 2004: DEBUG: Response type 3
>>> Fri Jul 16 00:51:27 2004: INFO: EAP Nak desires type 25
>>> Fri Jul 16 00:51:27 2004: DEBUG: EAP result: 1, Desired EAP type 25
>>> not
>>> permitte
>>> d
>>> Fri Jul 16 00:51:27 2004: INFO: Access rejected for idatesta: Desired
>>> EAP
>>> type 2
>>> 5 not permitted
>>> Fri Jul 16 00:51:27 2004: DEBUG: Packet dump:
>>> *** Sending to 192.168.123.9 port 1647 ....
>>> Code: Access-Reject
>>> Identifier: 18
>>> Authentic: <250><200><252><11>.<135>e<197><181>_%<250>(<254><180>z
>>> Attributes:
>>> Reply-Message = "Request Denied"
>>> Proxy-State = 181
>>>
>>> Fri Jul 16 00:51:39 2004: DEBUG: Packet dump:
>>> *** Received from 192.168.123.9 port 1647 ....
>>> Code: Access-Request
>>> Identifier: 19
>>> Authentic: <250><200><252><11>.<135>e<197><181>_%<250>(<254><180>z
>>> Attributes:
>>> User-Name = "idatesta"
>>> Framed-MTU = 1400
>>> Called-Station-Id = "000f.34db.6690"
>>> Calling-Station-Id = "000c.f108.37bf"
>>> Message-Authenticator =
>>> Do<15><183>1<131>Q<23>e<19><168><162><254>Ns<245>
>>> EAP-Message = <2><1><0><13><1>idatesta
>>> NAS-Port-Type = Wireless-IEEE-802-11
>>> NAS-Port = 419
>>> Service-Type = Framed-User
>>> NAS-IP-Address = 10.0.0.1
>>> NAS-Identifier = "ps-ap"
>>> Proxy-State = 182
>>>
>>> Fri Jul 16 00:51:39 2004: DEBUG: Handling request with Handler ''
>>> Fri Jul 16 00:51:39 2004: DEBUG: Deleting session for idatesta,
>>> 10.0.0.1,
>>> 419
>>> Fri Jul 16 00:51:39 2004: DEBUG: Handling with Radius::AuthSQL
>>> Fri Jul 16 00:51:39 2004: DEBUG: Handling with Radius::AuthSQL:
>>> Fri Jul 16 00:51:39 2004: DEBUG: Handling with EAP: code 2, 1, 13
>>> Fri Jul 16 00:51:39 2004: DEBUG: Response type 1
>>> Fri Jul 16 00:51:39 2004: DEBUG: EAP result: 3, EAP MSCHAP-V2
>>> Challenge
>>> Fri Jul 16 00:51:39 2004: DEBUG: Access challenged for idatesta: EAP
>>> MSCHAP-V2 Challenge
>>> Fri Jul 16 00:51:39 2004: DEBUG: Packet dump:
>>> -----Original Message-----
>>> From: Mike McCauley [mailto:mikem at open.com.au]
>>> Sent: Friday, July 16, 2004 6:42 AM
>>> To: Scott Xiao - ANTlabs
>>> Cc: Hugh Irvine
>>> Subject: Re: (Radiator)Desired EAP type 25 not permitted: problem
>>> with
>>> my
>>> 802.1x PEAP MSCHAPv2 with MySQL testing // Cisco arionet1100 AP and
>>> Radiator
>>> 3.9
>>>
>>>
>>> Hello Scott,
>>>
>>> Your email was identified as spam by my spamassassin, mostly due to
>>> html
>>> content. Its lucky I got to see it. Please dont use HTML.
>>>
>>> BTW, it would be better if you address any future technical questions
>>> you
>>> might have to the Radiator mailing list. That way others can learn
>>> from the question and answer, and possibly contribute in areas
>>> where I am not expert. Also, we have other staff on the mailing list
>>> who can respond when I am not available.
>>>
>>> You can join the Radiator mailing list by sending email with the
>>> single word subscribe in the body (not in the subject line) to
>>> radiator-request at open.com.au
>>> There is an archive at http://www.open.com.au/archives/radiator/
>>>
>>> If you require a guaranteed response to your questions, you should
>>> consider
>>> a support contract, see http://www.open.com.au/support.html
>>>
>>> The problem you report is due to the fact that you have your EAP
>>> types
>>> around
>>> the wrong way, in that the Handler which handles the inner request is
>>> type
>>> PEAP, and the Realm is type MSCHAP-V2. They should be round the other
>>> way.
>>> Also you have a Realm DEFAULT which will get all requests, including
>>> the
>>> inner. You should use <Handler> instead of <Realm DEFAULT>. Mixing
>>> Realms
>>> and
>>> Handlers is generally a bad idea.
>>>
>>> Cheers.
>>>
>>>
>>>
>>>
>>> On Thu, 15 Jul 2004 09:52 pm, you wrote:
>>>> Spam detection software, running on the system
>>>> "server1.open.com.au",
>>>> has
>>>> identified this incoming email as possible spam. The original
>>>> message
>>>> has been attached to this so you can view it (if it isn't spam) or
>>>> block
>>>> similar future email. If you have any questions, see
>>>> postmaster at open.com.au for details.
>>>>
>>>> Content preview: Hi,Mike, Can you advise?Thanks! Scott
>>>>
>>>> Content analysis details: (5.3 points, 5.0 required)
>>>>
>>>> pts rule name description
>>>> ---- ----------------------
>>>> -------------------------------------------------- 0.8 HTML_30_40
>>>> BODY: Message is 30% to 40% HTML
>>>> 0.1 HTML_FONTCOLOR_RED BODY: HTML font color is red
>>>> 0.2 HTML_FONT_FACE_BAD BODY: HTML font face is not a word
>>>> 0.1 HTML_FONTCOLOR_BLUE BODY: HTML font color is blue
>>>> 0.0 HTML_MESSAGE BODY: HTML included in message
>>>> 0.5 HTML_TITLE_EMPTY BODY: HTML title contains no text
>>>> 1.1 RCVD_IN_SORBS_MISC RBL: SORBS: sender is open proxy server
>>>> [203.125.41.199 listed in
>>>> dnsbl.sorbs.net]
>>>> 0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
>>>> [203.125.41.199 listed in
>>>> dnsbl.sorbs.net]
>>>> 0.1 RCVD_IN_NJABL RBL: Received via a relay in
>>>> dnsbl.njabl.org
>>>> [203.125.41.199 listed in
>>>> dnsbl.njabl.org]
>>>> 1.1 RCVD_IN_DSBL RBL: Received via a relay in
>>>> list.dsbl.org
>>>>
>>>> [<http://dsbl.org/listing?ip=203.125.41.199>]
>>>> 1.1 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
>>>> [203.125.41.199 listed in
>>>> dnsbl.njabl.org]
>>>>
>>>> The original message was not completely plain text, and may be
>>>> unsafe
>>>> to
>>>> open with some email clients; in particular, it may contain a virus,
>>>> or confirm that your address can receive spam. If you wish to view
>>>> it, it may be safer to save it to a file and open it with an editor.
>>>
>>> --
>>> Mike McCauley mikem at open.com.au
>>> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++,
>>> WWW
>>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>>> http://www.open.com.au
>>> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>>>
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP,
>>> TLS,
>>> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>>>
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list