(RADIATOR) Authentication with Active Directory Server using EAP-TTLS
Elena Alcantud Perez
ealcantud at hotmail.com
Fri Sep 3 06:28:44 CDT 2004
Hi,
We are configuring Radiator (on Windows XP) for wireless authentication
(802.1x/EAP-TTLS) in a large enterprise. We use Active Directory for every
user in our domain, and we have not got the right configuration of the server
to connect to the Windows 2000 server.
So far it has worked perfectly with local users, so the problem doesn't
seem to be the TTLS part.
Here are the debug output and the RADIUS configuration, taking "radius.local" as
our real realm.
I don't know whether, as the "ldapserver", we have to put the IP address of the
server or its name.
We have entered "anonymous@radius.local" for establishing the TLS tunnel.
Radius configuration:
Foreground
LogStdout
LogDir c:/Program Files/Radiator
DbDir c:/Program Files/Radiator
Trace 4
AuthPort 1812
AcctPort 1813
SocketQueueLength 1000000
#RewriteUsername s/^(.*)\\(.*)/$2\@$1/
<Client DEFAULT>
Secret romea
DupInterval 0
DefaultRealm carm.es
</Client>
<Realm DEFAULT>
# RewriteUsername allows you to alter the User-Name in
# request before further processing. This one
# Strips the realm. You will want to do this if your database
# contains usernames without realms
RewriteUsername s/^([^@]+).*/$1/
# This one translates all uppercase chars to lowercase
#RewriteUsername tr/[A-Z]/[a-z]/
MaxSessions 2
AcctLogFileName %L/detail
WtmpFileName %L/wtmp
<AuthLog FILE>
Identifier myauthlogger
Filename %L/authlog
LogSuccess 1
LogFailure 1
</AuthLog>
RejectHasReason
<AuthBy ADSI>
Identifier ADSI
#SearchAttribute userPrincipalName
BindString LDAP://Server-IP-address/cn=%0,cn=Users,dc=radius,dc=local
AuthUser %0@radius.local
AuthFlags 0
DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
AddToReply Reply-Message=hello
RcryptKey XXXXX
EAPType TTLS, TLS
EAPTLS_MaxFragmentSize 1000
EAPTLS_CAFile C:\Documents and Settings\eap96l\Escritorio\certs\demoCA\cacert.pem
EAPTLS_CertificateType PEM
EAPTLS_CertificateFile C:\Documents and Settings\eap96l\Escritorio\certs\radius.pem
EAPTLS_PrivateKeyFile C:\Documents and Settings\eap96l\Escritorio\certs\radius.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_RandomFile C:\Documents and Settings\eap96l\Escritorio\certs\random
EAPTLS_DHFile C:\Documents and Settings\eap96l\Escritorio\certs\dh
EAPTLS_SessionResumption 0
EAPAnonymous anonymous@radius.local
AutoMPPEKeys
</AuthBy>
</Realm>
<Handler TunnelledByTTLS=1>
AuthBy BY_FILE
</Handler>
Log:
Fri Sep 3 13:03:08 2004: DEBUG: Packet dump:
*** Received from xxxxxxx port 1645 ....
Code: Access-Request
Identifier: 25
Authentic: <148><161>1b<152><253><3>o_<183><244>Up<130>sv
Attributes:
User-Name = "anonymous"
Framed-MTU = 1400
Called-Station-Id = "0002.8a78.b876"
Calling-Station-Id = "0004.75bb.554c"
NAS-Port-Type = Wireless-IEEE-802-11
Message-Authenticator =
<150><161>0<0><254><3><181>k<156>J<184><226>Z<144><207>x
EAP-Message = <2><1><0><14><1>anonymous
NAS-Port-Type = Virtual
NAS-Port = 71
Service-Type = Login-User
NAS-IP-Address = xxxxxxxx
NAS-Identifier = "ap1-cisco"
Fri Sep 3 13:03:08 2004: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Fri Sep 3 13:03:08 2004: DEBUG: Rewrote user name to anonymous
Fri Sep 3 13:03:08 2004: DEBUG: Deleting session for anonymous, xxxxxxx,
71
Fri Sep 3 13:03:08 2004: DEBUG: Handling with ADSI
Fri Sep 3 13:03:08 2004: DEBUG: BindString converted to
LDAP://147.84.115.18/cn=anonymous,cn=Users,dc=radius,dc=local
Fri Sep 3 13:03:08 2004: DEBUG: AuthUser converted to
anonymous@radius.local
Fri Sep 3 13:03:08 2004: DEBUG: Connecting to namespace: LDAP:
Fri Sep 3 13:03:08 2004: DEBUG: Running OpenDSObject on
LDAP://147.84.115.18/cn=anonymous,cn=Users,dc=radius,dc=local
Fri Sep 3 13:03:08 2004: DEBUG: Could not get user object:
Win32::OLE(0.1701) error 0x8002000f: "Parámetro no opcional" (Spanish Windows: "Parameter not optional")
in METHOD/PROPERTYGET "OpenDSObject"
Fri Sep 3 13:03:08 2004: INFO: Access rejected for anonymous: Could not
find user
Fri Sep 3 13:03:08 2004: DEBUG: Packet dump:
*** Sending to 147.84.115.17 port 1645 ....
Code: Access-Reject
Identifier: 25
Authentic: <148><161>1b<152><253><3>o_<183><244>Up<130>sv
Attributes:
Reply-Message = "Could not find user"
Thank you
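Added example, not from the original post or from the Radiator distribution: the debug output above shows the outer Access-Request (User-Name "anonymous", an EAP-Message and no User-Password) being handled by Realm DEFAULT and passed straight to AuthBy ADSI, which then tries an OpenDSObject bind as anonymous@radius.local with a password the outer request never carries; that is consistent with the "Parameter not optional" error from OpenDSObject and the "Could not find user" reject. The configuration below separates the two stages the way Radiator's EAP-TTLS layout does: the outer handler only terminates the TLS tunnel, and Active Directory is consulted in the TunnelledByTTLS=1 handler, where the real user name and password arrive. It uses two Handler clauses instead of a Realm DEFAULT because Radiator matches Realm clauses before Handler clauses, so a catch-all Realm would also swallow the tunnelled inner request. It assumes the supplicant uses PAP inside the TTLS tunnel (AuthBy ADSI needs the plaintext password to bind), that a users file exists at the assumed path %D/users, and that the server address, shared secret and certificate paths are placeholders to be replaced.

```text
# Added example configuration (assumed values marked as such), not the poster's
# own config. Global settings kept as in the post.
Foreground
LogStdout
LogDir c:/Program Files/Radiator
DbDir c:/Program Files/Radiator
Trace 4
AuthPort 1812
AcctPort 1813

<Client DEFAULT>
    Secret romea
    DupInterval 0
</Client>

# Inner (tunnelled) request: this carries the real User-Name and, with PAP
# inside the tunnel, the User-Password, so this is the only place that
# should talk to Active Directory. This Handler must come before the
# catch-all one below.
<Handler TunnelledByTTLS=1>
    # Strip any realm so that %0 is the bare account name used in the cn=
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy ADSI>
        Identifier ADSI
        # Server-IP-address is a placeholder; a name or an address both work
        # as an LDAP ADsPath, but the bind account path must match the AD tree
        BindString LDAP://Server-IP-address/cn=%0,cn=Users,dc=radius,dc=local
        AuthUser %0@radius.local
        # 0 is a simple bind (credentials in clear to the DC unless the LDAP
        # session itself is protected); 1 (ADS_SECURE_AUTHENTICATION) avoids that
        AuthFlags 0
        DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
    </AuthBy>
</Handler>

# Outer request: only the anonymous identity plus EAP-Message. Terminate
# the TLS tunnel here and do not look the outer identity up anywhere.
<Handler>
    <AuthBy FILE>
        # Assumed users file; only consulted for non-EAP requests
        Filename %D/users
        EAPType TTLS
        EAPTLS_MaxFragmentSize 1000
        EAPTLS_CAFile C:\Documents and Settings\eap96l\Escritorio\certs\demoCA\cacert.pem
        EAPTLS_CertificateType PEM
        EAPTLS_CertificateFile C:\Documents and Settings\eap96l\Escritorio\certs\radius.pem
        EAPTLS_PrivateKeyFile C:\Documents and Settings\eap96l\Escritorio\certs\radius.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_RandomFile C:\Documents and Settings\eap96l\Escritorio\certs\random
        EAPTLS_DHFile C:\Documents and Settings\eap96l\Escritorio\certs\dh
        EAPTLS_SessionResumption 0
        EAPAnonymous anonymous@radius.local
        # Needed so the AP receives the MPPE keys derived from the TLS tunnel
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

With this layout a Trace 4 log for a working exchange shows the outer "anonymous" requests handled by the catch-all Handler with EAP challenges only, and a single request handled by "Handler TunnelledByTTLS=1" in which BindString is converted to the real account's cn= before OpenDSObject runs. If the supplicant is configured for MS-CHAPv2 inside the tunnel instead of PAP, AuthBy ADSI cannot verify the response because it never sees a plaintext password, so the inner method must be PAP for this to work.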
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au