(RADIATOR) I need a little help with the log file
Mike McCauley
mikem at open.com.au
Tue Apr 5 06:34:29 CDT 2005
Hello Bill,
On Tuesday 05 April 2005 21:01, Stewart, Bill wrote:
> Hi Mark,
>
> Maybe we can not do what I'm trying to do. Let me explain. My boss
> would like to have Windows XP machines, in a building that uses wireless
> communications, validate against our Windows NT domain. He does not want
> to have to install certificates on each of the machines. We also have some
> printers in those locations that would validate via MAC address. We have no
> problem with those. So my question is "Is it possible to validate to an NT
> domain without using certificates?" I thought my previous question was
> answered with a "yes" if we use the LSA validation.
LSA can be used to authenticate a wide range of different types of EAP
authentication. Some EAP types require certificates, and some don't. Of the
types that do require certificates, some require a certificate for each
client, some require the radius server to have a certificate.
The most common EAP type in use with windows XP is PEAP-MSCHAPV2. Radiator
works fine with PEAP-MSCHAPV2 and AuthBy LSA (see the example
goodies/lsa_eap_peap.cfg).
By default, PEAP requires the radius server to have a certificate, however you
can individually disable this requirement in the XP client configuration,
although this does result in a lower level of security.
PEAP does not require a certificate for every PEAP client, just for the radius
server.
We would normally recommend that you require radius server certificate
validation in your XP clients, which in turn means that you would need to
have a certificate for your Radius server.
Summary: you can use Radiator AuthBy LSA with PEAP-MSCHAPV2 with or without
certificates.
Radius server certificates can be purchased from public certificate vendors,
or created in-house with certificate authority software (such as our CATool
software).
Radiator can be configured to do MAC authentication at the same time as
PEAP/LSA authentication (i.e. MAC for some clients such as your printers and
PEAP-MSCHAPV2 for others that request it).
Hope that helps. It's a big subject, and there are pointers to more docs in the
FAQ at http://www.open.com.au/radiator/faq.html
Cheers.
>
> Thanks
>
> Bill
>
> Here is what I get with the test.
>
> >perl radiusd -config goodies/lsa_eap_peap.cfg
>
> Tue Apr 5 06:51:20 2005: ERR: Could not AdjustPrivilege SE_TCB_PRIVILEGE: A required privilege is not held by the client.
>
> Tue Apr 5 06:51:20 2005: ERR: Could not load AuthBy module Radius::AuthLSA: Tue Apr 5 06:51:20 2005: ERR: Unknown object 'AuthBy' in goodies/lsa_eap_peap.cfg line 102
> Tue Apr 5 06:51:20 2005: DEBUG: Finished reading configuration file 'goodies/lsa_eap_peap.cfg'
> This Radiator license will expire on 2005-10-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact admin at open.com.au
>
> Tue Apr 5 06:51:20 2005: DEBUG: Reading dictionary file './dictionary'
> Tue Apr 5 06:51:21 2005: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Apr 5 06:51:21 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Apr 5 06:51:21 2005: NOTICE: Server started: Radiator 3.12 on PC148 (LOCKED)
>
> > -----Original Message-----
> > From: Mike McCauley [mailto:mikem at open.com.au]
> > Sent: Monday, April 04, 2005 6:26 PM
> > To: Stewart, Bill
> > Cc: 'radiator at open.com.au'
> > Subject: Re: (RADIATOR) I need a little help with the log file
> >
> >
> > Hello Bill,
> >
> > Looks like your Radiator is incorrectly configured to do EAP
> > authentication.
> > You should post your Radiator configuration file (no secrets).
> >
> > Note that there are a number of example configuration files
> > for Handling EAP
> > with LSA in the goodies directory of your distribution. All
> > of them require
> > certificates to handle PEAP (the default windows XP protocol).
> > The example config files work with the sample certificates
> > that we supply in
> > the distribution.
> > Perhaps your configuration does not define DbDir to point to
> > the directory
> > where your certificates are.
> >
> > You should be able to test with XP by doing:
> >
> > cd .....\Radiator-3.12
> > perl radiusd -config goodies/lsa_eap_peap.cfg
> >
> > Cheers.
> >
> > On Monday 04 April 2005 23:57, Stewart, Bill wrote:
> > > Mike,
> > >
> > > Thanks, that installed O.K. Now I do need an example for validating
> > > a wireless XP notebook. I'm sure I'm overlooking something in the .cfg
> > > file for LSA validation. Here is what I get in the logfile. Looks like it
> > > is trying to verify via certificates.
> > >
> > > Mon Apr 4 09:27:36 2005: DEBUG: Packet dump:
> > > *** Received from 149.158.3.250 port 1147 ....
> > > Code: Access-Request
> > > Identifier: 122
> > > Authentic: l&<0><0><243>P<0><0>]a<0><0>`<8><0><0>
> > > Attributes:
> > > Message-Authenticator =
> > > %<152>@<249><128>z<169><192><199><167><137><202>
> > > F<157><18>}
> > > User-Name = "LAN_KCNT\wjs"
> > > NAS-IP-Address = 149.158.3.250
> > > NAS-Port = 2
> > > NAS-Port-Type = Wireless-IEEE-802-11
> > > Calling-Station-Id = "00-01-f4-ec-97-29"
> > > EAP-Message = <2><1><0><17><1>LAN_KCNT\wjs
> > > Framed-MTU = 1000
> > >
> > > Mon Apr 4 09:27:36 2005: DEBUG: Handling request with Handler ''
> > > Mon Apr 4 09:27:36 2005: DEBUG: Deleting session for LAN_KCNT\wjs, 149.158.3.250, 2
> > > Mon Apr 4 09:27:36 2005: DEBUG: Handling with Radius::AuthFILE:
> > > Mon Apr 4 09:27:36 2005: DEBUG: Handling with EAP: code 2, 1, 17
> > > Mon Apr 4 09:27:36 2005: DEBUG: Response type 1
> > > Mon Apr 4 09:27:36 2005: ERR: TLS could not load_verify_locations %D/certificates/demoCA/cacert.pem, : 328: 1 - error:02001003:system library:fopen:No such process
> > > 328: 2 - error:2006D080:BIO routines:BIO_new_file:no such file
> > > 328: 3 - error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
> > >
> > > Mon Apr 4 09:27:36 2005: DEBUG: EAP result: 1, EAP TLS Could not initialise context
> > > Mon Apr 4 09:27:36 2005: DEBUG: AuthBy FILE result: REJECT, EAP TLS Could not initialise context
> > > Mon Apr 4 09:27:36 2005: INFO: Access rejected for LAN_KCNT\wjs: EAP TLS Could not initialise context
> > > Mon Apr 4 09:27:36 2005: DEBUG: Packet dump:
> > > *** Sending to 149.158.3.250 port 1147 ....
> > > Code: Access-Reject
> > > Identifier: 122
> > > Authentic: l&<0><0><243>P<0><0>]a<0><0>`<8><0><0>
> > > Attributes:
> > > Reply-Message = "Request Denied"
> > >
> > >
> > > Bill
> > >
> > > > -----Original Message-----
> > > > From: Mike McCauley [mailto:mikem at open.com.au]
> > > > Sent: Saturday, April 02, 2005 6:38 AM
> > > > To: Stewart, Bill
> > > > Cc: 'radiator at open.com.au'
> > > > Subject: Re: (RADIATOR) I need a little help with the log file
> > > >
> > > >
> > > > Hello again,
> > > >
> > > > On Saturday 02 April 2005 21:10, Mike McCauley wrote:
> > > > > Hello Bill,
> > > > >
> > > > > You don't have to compile Net::SSLeay.
> > > > >
> > > > > There is a precompiled Net::SSLeay PPM for ActiveState on our web site.
> > > >
> > > > > Hugh shows the relevant extract from the FAQ.
> > > > >
> > > > > Run this command on your Radiator host:
> > > >
> > > > Oops, I meant:
> > > >
> > > > ppm install http://www.open.com.au/radiator/free-downloads/Net_SSLeay.pm.ppd
> > > >
> > > > Cheers.
> > > >
> > > > > http://www.open.com.au/radiator/free-downloads/Net_SSLeay.pm.ppd
> > > > >
> > > > > It will download and install Net::SSLeay.
> > > > >
> > > > > Cheers.
> > > > >
> > > > > On Saturday 02 April 2005 04:59, Stewart, Bill wrote:
> > > > > > I installed openssl, and tried to install Net::SSLeay. When I follow the
> > > > > > instructions, the nmake command gives me the following error:
> > > > > >
> > > > > > 'cl' is not recognized as an internal or external command,
> > > > > > operable program or batch file.
> > > > > > NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x1'
> > > > > > Stop.
> > > > > >
> > > > > > Any ideas?
> > > > > >
> > > > > > Bill
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Hugh Irvine [mailto:hugh at open.com.au]
> > > > > > > Sent: Friday, April 01, 2005 3:17 AM
> > > > > > > To: Stewart, Bill
> > > > > > > Cc: 'radiator at open.com.au'
> > > > > > > Subject: Re: (RADIATOR) I need a little help with the log file
> > > > > > >
> > > > > > > Hello Bill -
> > > > > > >
> > > > > > > As the error message indicates you will need to install Net-SSLeay.
> > > > > > >
> > > > > > > See the FAQ ("doc/faq.html"):
> > > > > > >
> > > > > > > 140. What do I have to install on Windows for Radiator to authenticate TLS, TTLS and PEAP
> > > > > > > Radiator requires OpenSSL and the perl Net::SSLeay module to be installed on the radius server in order to support EAP TLS, TTLS or PEAP. All these modules are freely available.
> > > > > > > 1. Install ActivePerl 5.8.4 from ActiveState
> > > > > > > 2. Install Win32 OpenSSL v0.9.7e or later from Shining Light Productions
> > > > > > > 3. Install the Net::SSLeay module using PPM included with ActivePerl:
> > > > > > >
> > > > > > > ppm install http://www.open.com.au/radiator/free-downloads/Net_SSLeay.pm.ppd
> > > > > > >
> >
> > > > > > > regards
> > > > > > >
> > > > > > > Hugh
> > > > > > >
> > > > > > > On 31 Mar 2005, at 20:50, Stewart, Bill wrote:
> > > > > > > > Here are some errors I'm getting in my logfile (running on windows xp
> > > > > > > > trying to validate a wireless laptop against a NT domain). Can anyone
> > > > > > > > help me?
> > > > > > > >
> > > > > > > > Thu Mar 31 13:22:57 2005: DEBUG: Packet dump:
> > > > > > > > *** Received from 149.158.3.250 port 1134 ....
> > > > > > > > Code: Access-Request
> > > > > > > > Identifier: 109
> > > > > > > > Authentic: <161>3<0><0>n`<0><0>(]<0><0>7Q<0><0>
> > > > > > > > Attributes:
> > > > > > > > Message-Authenticator = <248><180>&<194>G<228><226>@:<242><174><243><233><143><173>e
> >
> > > > > > > > User-Name = "LAN_KCNT\wjs"
> > > > > > > > NAS-IP-Address = 149.158.3.250
> > > > > > > > NAS-Port = 2
> > > > > > > > NAS-Port-Type = Wireless-IEEE-802-11
> > > > > > > > Calling-Station-Id = "00-01-f4-ec-97-29"
> > > > > > > > EAP-Message = <2><1><0><17><1>LAN_KCNT\wjs
> > > > > > > > Framed-MTU = 1000
> > > > > > > >
> > > > > > > > Thu Mar 31 13:22:57 2005: DEBUG: Handling request with Handler ''
> > > > > > > > Thu Mar 31 13:22:57 2005: DEBUG: Deleting session for LAN_KCNT\wjs, 149.158.3.250, 2
> > > > > > > > Thu Mar 31 13:22:57 2005: DEBUG: Handling with Radius::AuthFILE:
> > > > > > > > Thu Mar 31 13:22:57 2005: DEBUG: Handling with EAP: code 2, 1, 17
> > > > > > > > Thu Mar 31 13:22:57 2005: DEBUG: Response type 1
> > > > > > > > Thu Mar 31 13:22:57 2005: ERR: Could not load EAP module Radius::EAP_25:
> > > > > > > > Can't load 'C:/Perl/site/lib/auto/Net/SSLeay/SSLeay.dll' for module Net::SSLeay: load_file:The specified module could not be found at C:/Perl/lib/DynaLoader.pm line 206.
> > > > > > > > Compilation failed in require at C:/Perl/site/lib/Radius/EAP_25.pm line 24.
> > > > > > > > BEGIN failed--compilation aborted at C:/Perl/site/lib/Radius/EAP_25.pm line 24.
> > > > > > > > Compilation failed in require at (eval 48) line 3.
> > > > > > > >
> > > > > > > > Thu Mar 31 13:22:57 2005: DEBUG: EAP result: 1, Unsupported default EAP Response/Identity 25
> > > > > > > > Thu Mar 31 13:22:57 2005: DEBUG: AuthBy FILE result: REJECT, Unsupported default EAP Response/Identity 25
> > > > > > > > Thu Mar 31 13:22:57 2005: INFO: Access rejected for LAN_KCNT\wjs: Unsupported default EAP Response/Identity 25
> > > > > > > > Thu Mar 31 13:22:57 2005: DEBUG: Packet dump:
> > > > > > > > *** Sending to 149.158.3.250 port 1134 ....
> > > > > > > > Code: Access-Reject
> > > > > > > > Identifier: 109
> > > > > > > > Authentic: <161>3<0><0>n`<0><0>(]<0><0>7Q<0><0>
> > > > > > > > Attributes:
> > > > > > > > Reply-Message = "Request Denied"
> > > > > > > >
> > > > > > > >
> > > > > > > > Bill Stewart :-)
> > > > > > > > Kaman Corporation
> > > > > > > > 1332 Blue Hills Avenue
> > > > > > > > Bloomfield, Connecticut, 06002
> > > > > > > > (860) 243-7058
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > > NB: I am travelling this week, so there may be delays in our
> > > > > > > correspondence.
> > > > > > >
> > > > > > > --
> > > > > > > Radiator: the most portable, flexible and configurable RADIUS server
> > > > > > > anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> > > > > > > -
> > > > > > > Nets: internetwork inventory and management - graphical, extensible,
> > > > > > > flexible with hardware, software, platform and database independence.
> > > > > > > -
> > > > > > > CATool: Private Certificate Authority for Unix and Unix-like systems.
> > > > > > >
> > > >
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
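As an added illustration of the setup Mike describes, and not a file from the thread or from the Radiator distribution itself: a minimal configuration in the style of goodies/lsa_eap_peap.cfg that authenticates PEAP-MSCHAPV2 through AuthBy LSA and gives the RADIUS server a certificate, so the XP clients can keep server-certificate validation switched on. Parameter names follow the Radiator reference manual; the DbDir path, certificate file names, shared secret and key password are assumed placeholders, and LAN_KCNT is the domain prefix seen in the thread's User-Name.

```text
# Added example, not the thread's or Radiator's own file. Replace the
# placeholders (DbDir path, secret, key password) with your own values.
Foreground
LogStdout
LogDir   .
# %D in the EAPTLS_* paths below expands to DbDir. The thread's error
# "TLS could not load_verify_locations %D/certificates/demoCA/cacert.pem"
# means DbDir did not point at a directory containing the certificates.
DbDir    C:/Radiator-3.12
Trace    4

<Client DEFAULT>
    Secret REPLACE_WITH_NAS_SHARED_SECRET
</Client>

<Handler>
    <AuthBy LSA>
        # NT domain the XP users belong to (assumed from "LAN_KCNT\wjs")
        Domain LAN_KCNT
        # Accept only the EAP types XP sends by default
        EAPType PEAP, MSCHAP-V2
        # Server-side chain: the CA cert plus the server cert and key.
        # This is what lets an XP client verify it is talking to your
        # RADIUS server rather than to any AP that answers the SSID.
        EAPTLS_CAFile             %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile    %D/certificates/cert-srv.pem
        EAPTLS_CertificateType    PEM
        EAPTLS_PrivateKeyFile     %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword REPLACE_WITH_KEY_PASSWORD
        # Keep TLS fragments under the Framed-MTU (1000) the NAS advertised
        EAPTLS_MaxFragmentSize 1000
        # Return the MPPE session keys to the AP once MSCHAP-V2 succeeds
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

Start it the way the thread does (perl radiusd -config <file>) from an account that holds SE_TCB_PRIVILEGE; the log above shows AuthBy LSA refusing to load when that privilege is missing.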