(RADIATOR) Problems in PEAP ms-chap-v2 authentication
Paulo Valverde Costa
pcosta at ccom.uminho.pt
Fri Jun 25 09:13:22 CDT 2004
Hi,

I am testing different EAP methods and have successfully tested EAP-TLS, but I have problems testing PEAP (MS-CHAP-V2); see the log below. Any ideas how to resolve this?
My radiator configuration is:
----------------------------------------------------------------------------
<Handler Realm=/ci.uminho.pt$/>
        Description Autentica Alunos - CIUM
        RejectHasReason
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy LDAP2>
                AutoMPPEKeys
                AuthDN cn=ambrosio,ou=funcionarios,dc=ci,dc=uminho,dc=pt
                AuthPassword xxxxxx
                BaseDN ou=alunos, dc=ci,dc=uminho,dc=pt
                ServerChecksPassword
                UsernameAttr sAMAccountName
                Description Autenticador por LDAP
                EAPTLS_CAFile /etc/radiator/certs/cacert.pem
                EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
                EAPTLS_CertificateType PEM
                EAPTLS_MaxFragmentSize 1024
                EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
                EAPTLS_PrivateKeyPassword whatever
                EAPType PEAP,MSCHAP-V2, TTLS
                Host xxx.yyy.zzz.www
                AuthAttrDef Title, Class, reply
                AddToReply Tunnel-Type = VLAN, Tunnel-Medium-Type = Ether_802
                AuthAttrDef Company, Tunnel-Private-Group-ID, reply
                Port 389
        </AuthBy>
</Handler>
----------------------------------------------------------------------------
Fri Jun 25 14:40:03 2004: DEBUG: Packet dump:
*** Received from 172.16.45.65 port 21807 ....
Packet length = 158
01 98 00 9e b7 51 31 8e 3c 43 9e 21 b4 b6 ad 43
9c 5c 28 0c 01 17 75 73 65 72 31 40 74 65 73 74
65 2e 75 6d 69 6e 68 6f 2e 70 74 0c 06 00 00 05
78 1e 10 30 30 30 65 2e 64 37 63 64 2e 65 35 65
30 1f 10 30 30 30 62 2e 62 65 61 65 2e 66 34 35
38 06 06 00 00 00 08 50 12 65 e8 58 b5 cb b6 fa
d6 1a 90 2e 1f 67 ae 42 c1 4f 1f 02 8b 00 1d 19
00 17 03 01 00 12 eb cb 77 b7 b5 b6 d1 c9 79 af
2f e9 e6 95 5e cc a4 ae 3d 06 00 00 00 13 05 06
00 00 04 d7 04 06 ac 10 2d 41 20 04 61 70
Code: Access-Request
Identifier: 152
Authentic: <183>Q1<142><C<158>!<180><182><173>C<156>\(<12>
Attributes:
User-Name = "user1@teste.uminho.pt"
Framed-MTU = 1400
Called-Station-Id = "000e.d7cd.e5e0"
Calling-Station-Id = "000b.beae.f458"
Service-Type = Authenticate-Only
Message-Authenticator =
e<232>X<181><203><182><250><214><26><144>.<31>g<174>B<193>
EAP-Message =
<2><139><0><29><25><0><23><3><1><0><18><235><203>w<183><181><182><209><201>y
<175>/<233><230><149>^<204><164><174>
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 1239
NAS-IP-Address = 172.16.45.65
NAS-Identifier = "ap"
Fri Jun 25 14:40:03 2004: DEBUG: Handling request with Handler 'Realm=/uminho.pt$/'
Fri Jun 25 14:40:03 2004: DEBUG: Deleting session for user1@teste.uminho.pt, 172.16.45.65, 1239
Fri Jun 25 14:40:03 2004: DEBUG: Handling with Radius::AuthLDAP2: ldapauth
Fri Jun 25 14:40:03 2004: DEBUG: Handling with EAP: code 2, 139, 29
Fri Jun 25 14:40:03 2004: DEBUG: Response type 25
Fri Jun 25 14:40:03 2004: DEBUG: EAP PEAP inner authentication request for anonymous
Fri Jun 25 14:40:03 2004: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: *<235><188><183><171><129><159> <5>h<182><191>wk<215><158>
Attributes:
EAP-Message = <2><139><0><2><3><26>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "anonymous"
NAS-IP-Address = 172.16.45.65
NAS-Identifier = "ap"
NAS-Port = 1239
Calling-Station-Id = "000b.beae.f458"
Fri Jun 25 14:40:03 2004: DEBUG: Handling request with Handler 'Realm=""'
Fri Jun 25 14:40:03 2004: DEBUG: Deleting session for , 172.16.45.65, 1239
Fri Jun 25 14:40:03 2004: DEBUG: Handling with Radius::AuthFILE:
Fri Jun 25 14:40:03 2004: DEBUG: Handling with EAP: code 2, 139, 2
Fri Jun 25 14:40:03 2004: DEBUG: Response type 3
Fri Jun 25 14:40:03 2004: INFO: EAP Nak desires type 26
Fri Jun 25 14:40:03 2004: DEBUG: EAP result: 1, Desired EAP type 26 not permitted
Fri Jun 25 14:40:03 2004: INFO: Access rejected for anonymous: Desired EAP type 26 not permitted
Fri Jun 25 14:40:03 2004: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
Fri Jun 25 14:40:03 2004: DEBUG: Access challenged for user1@teste.uminho.pt: EAP PEAP inner authentication redespatched to a Handler
best regards,
paulo
----------------------------------------------------------------------------
Paulo J. Valverde V. Costa
Serviço de Comunicações - Campus de Gualtar - Universidade do Minho
4710-057 Braga, PORTUGAL
Tel.: + 351 253 604023; Fax: + 351 253 604021
e-mail: pcosta at ccom.uminho.pt
http://www.ccom.uminho.pt
----------------------------------------------------------------------------
"For it is far better to know something about everything
than to know all about one thing. This universality is the best."
Blaise Pascal (1623-1662); French scientist and philosopher.
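As an added example (not part of the original post, and not Radiator code), the hex packet dump above decoded in Python: it splits the Access-Request into its attributes and reads the EAP header carried in EAP-Message, which is where the "code 2, 139, 29" and "Response type 25" lines in the log come from. The hex is copied from the post; the attribute names and type numbers are the standard RADIUS ones.

```python
import struct

# Constructed copy of the hex "Packet dump" in the post above (Access-Request, 158 bytes).
DUMP_HEX = """
01 98 00 9e b7 51 31 8e 3c 43 9e 21 b4 b6 ad 43
9c 5c 28 0c 01 17 75 73 65 72 31 40 74 65 73 74
65 2e 75 6d 69 6e 68 6f 2e 70 74 0c 06 00 00 05
78 1e 10 30 30 30 65 2e 64 37 63 64 2e 65 35 65
30 1f 10 30 30 30 62 2e 62 65 61 65 2e 66 34 35
38 06 06 00 00 00 08 50 12 65 e8 58 b5 cb b6 fa
d6 1a 90 2e 1f 67 ae 42 c1 4f 1f 02 8b 00 1d 19
00 17 03 01 00 12 eb cb 77 b7 b5 b6 d1 c9 79 af
2f e9 e6 95 5e cc a4 ae 3d 06 00 00 00 13 05 06
00 00 04 d7 04 06 ac 10 2d 41 20 04 61 70
"""
NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type", 12: "Framed-MTU",
         30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
         61: "NAS-Port-Type", 79: "EAP-Message", 80: "Message-Authenticator"}
TEXT_ATTRS, INT_ATTRS = {1, 30, 31, 32}, {5, 6, 12, 61}

def parse_radius(pkt: bytes) -> dict:
    """Decode the 20-byte RADIUS header and the TLV attribute list that follows it."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("RADIUS length field inconsistent with packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:      # malformed TLV: refuse rather than over-read
            raise ValueError("attribute length overruns packet")
        val = pkt[pos + 2:pos + alen]
        if atype in TEXT_ATTRS:
            val = val.decode("ascii")
        elif atype in INT_ATTRS:
            val = struct.unpack("!I", val)[0]
        elif atype == 4:                          # ipaddr
            val = ".".join(str(b) for b in val)
        attrs.append((NAMES.get(atype, f"Attr-{atype}"), val))
        pos += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}

def parse_eap(attrs: list) -> dict:
    """Reassemble EAP-Message fragments and decode the EAP header; for PEAP add flags and TLS header."""
    eap = b"".join(v for n, v in attrs if n == "EAP-Message")
    code, ident, length, etype = struct.unpack("!BBHB", eap[:5])
    out = {"code": code, "id": ident, "length": length, "type": etype}
    if etype == 25:                               # PEAP: flags, then TLS record (type, version, len)
        out["flags"], out["tls_type"] = eap[5], eap[6]
        out["tls_len"] = int.from_bytes(eap[9:11], "big")
    return out
```

The outer packet is a PEAP response carrying an 18-byte TLS application-data record; the inner MS-CHAP-V2 exchange is only visible after Radiator decrypts it, which is the "PEAP Tunnelled request" dump in the log.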