(RADIATOR) I need a little help with the log file

Stewart, Bill wjs-corp at kaman.com
Tue Apr 5 07:08:22 CDT 2005


Mike,

	We are using the lsa_eap_peap.cfg file.  Here is what we have.

# windows.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with 
# a simple system on Windows. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example is expected to be installed in 
#   c:\Program Files\Radiator\radius.cfg
# It will authenticate from a standard users file in
#   c:\Program Files\Radiator\users
# it will log debug and other messages to
#   c:\Program Files\Radiator\logfile
# and log accounting to a file in
#   c:\Program Files\Radiator\detail
# (of course you can change all these by editing this config file if you wish)
#
# It will accept requests from any client and try to handle requests
# for any realm.
# And it will print out what its doing in great detail to the log file.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: windows.cfg,v 1.1 2003/03/27 09:41:28 mikem Exp $

#Foreground
LogStdout
LogDir		c:/Program Files/Radiator
DbDir		c:/Program Files/Radiator

# This will log at DEBUG level: very verbose
# User a lower trace level in production systems, typically use 3
Trace 		4

AuthPort 1812
DictionaryFile %D/dictionary

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with. This will work
# at least with radpwtst running on the local machine
<Client DEFAULT>
	Secret	mysecret
	DupInterval 0
</Client>

<Client 149.158.3.250>
        Secret mysecret
</Client>

<Handler TunnelledByPEAP=1>
	# Authenticate with Windows LSA
	<AuthBy LSA>
		# Specifies which Windows Domain is ALWAYS to be used to authenticate
		# users (even if they specify a different domain in their username).
		# Empty string means the local machine only
		# Special characters are supported. Can be an Active
		# directory domain or a Windows NT domain controller 
		# domain name
		# Empty string (the default) means the local machine
		Domain LAN_KCNT

		# Specifies the Windows Domain to use if the user does not
		# specify a domain in their username.
		# Special characters are supported. Can be an Active
		# directory domain or a Windows NT domain controller 
		# domain name
		# Empty string (the default) means the local machine
		DefaultDomain LAN_KCNT

		# You can check whether each user is the member of a windows group
		# with the Group parameter. If more than one Group is specified, then the
		# user must be a member of at least one of them. Requires Win32::NetAdmin
		# (which is installed by default with ActivePerl). If no Group
		# parameters are specified, then Group checks will not be performed.
		#Group Administrators
		#Group Domain Users

		# You can specify which domain controller will be used to check group
		# membership with the DomainController parameter. If no Group parameters
		# are specified, DomainController will not be used. Defaults to
		# empty string, meaning the default controller of the host where this
		# instance of Radiator is running.
		DomainController \\kcnt1

		# This tells the PEAP client what types of inner EAP requests
		# we will honour
		EAPType MSCHAP-V2
	</AuthBy>
</Handler>


# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner
# authentication extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therefore act just as a PEAP server, or also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authentication request.
# In this configuration the outer (PEAP) authentication is handled by the AuthBy FILE
# below; the inner MSCHAP-V2 request is matched by the TunnelledByPEAP=1 Handler
# above and authenticated by AuthBy LSA.
<Handler>
	<AuthBy FILE>
		# The username of the outer authentication
		# must be in this file to get anywhere. In this example,
		# it requires an entry for 'anonymous' which is the standard username
		# in the outer requests, and it also requires an entry for the
		# actual user name who is trying to connect (ie the 'Login name' entered
		# in the Funk Odyssey 'Edit Profile Properties' page)
		Filename %D/users

		# EAPType sets the EAP type(s) that Radiator will honour.
		# Options are: MD5-Challenge, One-Time-Password
		# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
		# Multiple types can be comma separated. With the default (most
		# preferred) type given first
		EAPType PEAP

		# EAPTLS_CAFile is the name of a file of CA certificates 
		# in PEM format. The file can contain several CA certificates
		# Radiator will first look in EAPTLS_CAFile then in
		# EAPTLS_CAPath, so there usually is no need to set both
#		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem

		# EAPTLS_CAPath is the name of a directory containing CA
    		# certificates in PEM format. The files each contain one 
		# CA certificate. The files are looked up by the CA 
		# subject name hash value
#		EAPTLS_CAPath

		# EAPTLS_CertificateFile is the name of a file containing
		# the servers certificate. EAPTLS_CertificateType
		# specifies the type of the file. Can be PEM or ASN1
		# defaults to ASN1
#		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
#		EAPTLS_CertificateType PEM

		# EAPTLS_PrivateKeyFile is the name of the file containing
		# the servers private key. It is sometimes in the same file
		# as the server certificate (EAPTLS_CertificateFile)
		# If the private key is encrypted (usually the case)
		# then EAPTLS_PrivateKeyPassword is the key to decrypt it
#		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
#		EAPTLS_PrivateKeyPassword whatever

		# EAPTLS_RandomFile is an optional file containing
		# randomness
#		EAPTLS_RandomFile %D/certificates/random

		# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
		# size that will be replied by Radiator. It must be small
		# enough to fit in a single Radius request (ie less than 4096)
		# and still leave enough space for other attributes
		# Aironet APs seem to need a smaller MaxFragmentSize
		# (eg 1024) than the default of 2048. Others need even smaller sizes.
#		EAPTLS_MaxFragmentSize 1000

		# EAPTLS_DHFile if set specifies the DH group file. It
		# may be required if you need to use ephemeral DH keys.
#		EAPTLS_DHFile %D/certificates/cert/dh
		

		# If EAPTLS_CRLCheck is set and the client presents a certificate
		# then Radiator will look for a certificate revocation list (CRL)
		# for the certificate issuer
		# when authenticating each client. If a CRL file is not found, or
		# if the CRL says the certificate has been revoked, the authentication will
		# fail with an error:
		#   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
		# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
		# Alternatively, CRLs may follow a file naming convention:
		#  the hash of the issuer subject name
		# and a suffix that depends on the serial number.
		# eg ab1331b2.r0, ab1331b2.r1 etc.
		# You can find out the hash of the issuer name in a CRL with
		#  openssl crl -in crl.pem -hash -noout
		# CRLs with this name convention
		# will be searched in EAPTLS_CAPath, else in the openssl
		# certificates directory typically /usr/local/openssl/certs/
		# CRLs are expected to be in PEM format.
		# CRL files can be generated with openssl like this:
		#  openssl ca -gencrl -revoke cert-clt.pem
		#  openssl ca -gencrl -out crl.pem
		# Use of these flags requires Net_SSLeay-1.21 or later
		#EAPTLS_CRLCheck
		#EAPTLS_CRLFile %D/certificates/crl.pem
		#EAPTLS_CRLFile %D/certificates/revocations.pem
		
		# Some clients, depending on their configuration, may require you to specify
		# MPPE send and receive keys. This _will_ be required if you select
		# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
		# client Network Properties dialog.
		# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
		# in the final Access-Accept
		AutoMPPEKeys

		# You can enable some warning messages from the Net::SSLeay
		# module by setting SSLeayTrace to an integer from 1 to 4
		# 1=ciphers, 2=trace, 3=dump data
		SSLeayTrace 4

		# You can configure the User-Name that will be used for the inner
		# authentication. Defaults to 'anonymous'. This can be useful
		# when proxying the inner authentication. If there is a realm, it can
		# be used to choose a local Realm to handle the inner authentication.
		# %0 is replaced with the EAP identity
		# EAPAnonymous anonymous@some.other.realm

		# You can enable or disable support for TTLS Session Resumption and
		# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
		# Default is enabled
		#EAPTLS_SessionResumption 0

		# You can limit how long after the initial session that a session can be resumed
		# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
		# (12 hours)
		#EAPTLS_SessionResumptionLimit 10
	</AuthBy>
</Handler>


	Here is what we get in the logfile:

Tue Apr  5 08:03:50 2005: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
Tue Apr  5 08:03:50 2005: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
Tue Apr  5 08:03:50 2005: DEBUG: Creating authentication port 0.0.0.0:1812
Tue Apr  5 08:03:50 2005: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Apr  5 08:03:50 2005: NOTICE: Server started: Radiator 3.12 on PC148 (LOCKED)
Tue Apr  5 08:05:42 2005: DEBUG: Packet dump:
*** Received from 149.158.3.250 port 1174 ....
Code:       Access-Request
Identifier: 149
Authentic:  m:<0><0><141>0<0><0>EU<0><0><156>l<0><0>
Attributes:
	User-Name = "00-01-f4-ec-97-29"
	User-Password = "<135>G"<248><235><174><251><17><16>*9K<249><253><187><179>"
	NAS-IP-Address = 149.158.3.250
	NAS-Port = 2

Tue Apr  5 08:05:42 2005: DEBUG: Handling request with Handler ''
Tue Apr  5 08:05:42 2005: DEBUG:  Deleting session for 00-01-f4-ec-97-29, 149.158.3.250, 2
Tue Apr  5 08:05:42 2005: DEBUG: Handling with Radius::AuthFILE: 
Tue Apr  5 08:05:42 2005: DEBUG: Reading users file c:/Program Files/Radiator/users
Tue Apr  5 08:05:42 2005: DEBUG: Radius::AuthFILE looks for match with 00-01-f4-ec-97-29
Tue Apr  5 08:05:42 2005: DEBUG: AuthBy FILE result: REJECT, No such user
Tue Apr  5 08:05:42 2005: INFO: Access rejected for 00-01-f4-ec-97-29: No such user
Tue Apr  5 08:05:42 2005: DEBUG: Packet dump:
*** Sending to 149.158.3.250 port 1174 ....
Code:       Access-Reject
Identifier: 149
Authentic:  m:<0><0><141>0<0><0>EU<0><0><156>l<0><0>
Attributes:
	Reply-Message = "Request Denied"

Tue Apr  5 08:06:01 2005: DEBUG: Packet dump:
*** Received from 149.158.3.250 port 1175 ....
Code:       Access-Request
Identifier: 150
Authentic:  <175>(<0><0>p2<0><0><200>*<0><0><139><12><0><0>
Attributes:
	Message-Authenticator = <204><196><9><17><13><141><153>Q<181><31><168>L<15><239>#U
	User-Name = "LAN_KCNT\wjs"
	NAS-IP-Address = 149.158.3.250
	NAS-Port = 2
	NAS-Port-Type = Wireless-IEEE-802-11
	Calling-Station-Id = "00-01-f4-ec-97-29"
	EAP-Message = <2><1><0><17><1>LAN_KCNT\wjs
	Framed-MTU = 1000

Tue Apr  5 08:06:01 2005: DEBUG: Handling request with Handler ''
Tue Apr  5 08:06:01 2005: DEBUG:  Deleting session for LAN_KCNT\wjs, 149.158.3.250, 2
Tue Apr  5 08:06:01 2005: DEBUG: Handling with Radius::AuthFILE: 
Tue Apr  5 08:06:01 2005: DEBUG: Handling with EAP: code 2, 1, 17
Tue Apr  5 08:06:01 2005: DEBUG: Response type 1
Tue Apr  5 08:06:01 2005: ERR: TLS could not load_verify_locations , : 
Tue Apr  5 08:06:01 2005: DEBUG: EAP result: 1, EAP TLS Could not initialise context
Tue Apr  5 08:06:01 2005: DEBUG: AuthBy FILE result: REJECT, EAP TLS Could not initialise context
Tue Apr  5 08:06:01 2005: INFO: Access rejected for LAN_KCNT\wjs: EAP TLS Could not initialise context
Tue Apr  5 08:06:01 2005: DEBUG: Packet dump:
*** Sending to 149.158.3.250 port 1175 ....
Code:       Access-Reject
Identifier: 150
Authentic:  <175>(<0><0>p2<0><0><200>*<0><0><139><12><0><0>
Attributes:
	Reply-Message = "Request Denied"


So what am I missing?

Bill
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Tuesday, April 05, 2005 7:34 AM
> To: Stewart, Bill
> Cc: 'radiator at open.com.au'
> Subject: Re: (RADIATOR) I need a little help with the log file
> 
> 
> Hello Bill,
> 
> 
> On Tuesday 05 April 2005 21:01, Stewart, Bill wrote:
> > Hi Mark,
> >
> > 	Maybe we can not do what I'm trying to do.  Let me 
> explain.  My boss
> > would like to have Windows XP machines, in a building that 
> uses wireless
> > communications, validate against our Windows NT domain.  He 
> does not want
> > to have to install certificates on each of the machines.  
> We also have some
> > printers in those locations that would validate via MAC 
> address. We have no
> > problem with those.  So my question is "Is it possible to 
> validate to an NT
> > domain without using certificates?" I thought my previous 
> question was
> > answered with a "yes" if we use the LSA validation.
> 
> LSA can be used to authenticate a wide range of different 
> types of EAP 
> authentication. Some EAP types require certificates, and some 
> don't. Of the 
> types that do require certificates, some require a 
> certificate for each 
> client, some require the radius server to have a certificate.
> 
> The most common EAP type in use with windows XP is 
> PEAP-MSCHAPV2. Radiator 
> works fine with PEAP-MSCHAPV2 and AuthBy LSA (see the example 
> goodies/lsa_eap_peap.cfg)
> By default, PEAP requires the radius server to have a 
> certificate, however you 
> can individually disable this requirement in the XP client 
> configuration, 
> although this does result in a lower level of security.
> PEAP does not require a certificate for every PEAP client, 
> just for the radius 
> server.
> 
> We would normally recommend that you require radius server 
> certificate 
> validation in your XP clients, which in turn means that you 
> would need to 
> have a certificate for your Radius server.
> 
> Summary: you can use Radiator AuthBy LSA with PEAP-MSCHAPV2 
> with or without 
> certificates.
> 
> Radius server certificates can be purchased from public 
> certificate vendors, 
> or created in-house with certificate authority software (such 
> as our CATool 
> software).
> 
> Radiator can be configured to do MAC authentication at the 
> same time as 
> PEAP/LSA authentication (ie MAC for some clients such as your 
> printers and 
> PEAP-MSCHAPV2 for others that request it)
> 
> Hope that helps. It's a big subject, and there are pointers to 
> more docs in the 
> FAQ at http://www.open.com.au/radiator/faq.html
> 
> Cheers.
> 
> >
> > Thanks
> >
> > Bill
> >
> > 	Here is what I get with the test.
> >
> > >perl radiusd -config goodies/lsa_eap_peap.cfg
> >
> > Tue Apr  5 06:51:20 2005: ERR: Could not AdjustPrivilege SE_TCB_PRIVILEGE:
> > A required privilege is not held by the client.
> >
> > Tue Apr  5 06:51:20 2005: ERR: Could not load AuthBy module Radius::AuthLSA:
> > Tue Apr  5 06:51:20 2005: ERR: Unknown object 'AuthBy' in goodies/lsa_eap_peap.cfg line 102
> > Tue Apr  5 06:51:20 2005: DEBUG: Finished reading configuration file 'goodies/lsa_eap_peap.cfg'
> > This Radiator license will expire on 2005-10-01
> > This Radiator license will stop operating after 1000 requests
> > To purchase an unlimited full source version of Radiator, see
> > http://www.open.com.au/ordering.html
> > To extend your license period, contact admin at open.com.au
> >
> > Tue Apr  5 06:51:20 2005: DEBUG: Reading dictionary file './dictionary'
> > Tue Apr  5 06:51:21 2005: DEBUG: Creating authentication port 0.0.0.0:1645
> > Tue Apr  5 06:51:21 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> > Tue Apr  5 06:51:21 2005: NOTICE: Server started: Radiator 3.12 on PC148 (LOCKED)

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.