(RADIATOR) I need a little help with the log file

Mike McCauley mikem at open.com.au
Tue Apr 5 16:47:44 CDT 2005


Hello Bill,

I see that you have commented out most of the configuration parameters to do 
with EAP certificates. That is why the TLS modules are unable to start up 
properly. I suggest you use the lsa_eap_peap.cfg as delivered. If you do not 
want to use certificates, you should disable this in each client.

Cheers.

On Tuesday 05 April 2005 22:08, Stewart, Bill wrote:
> Mike,
>
> 	We are using the lsa_eap_peap.cfg file.  Here is what we have.
>
> # windows.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # a simple system on Windows. You can then add and change features.
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example is expected to be installed in
> #   c:\Program Files\Radiator\radius.cfg
> # It will authenticate from a standard users file in
> #   c:\Program Files\Radiator\users
> # it will log debug and other messages to
> #   c:\Program Files\Radiator\logfile
> # and log accounting to a file in
> #   c:\Program Files\Radiator\detail
> # (of course you can change all these by editing this config file if you wish)
> #
> # It will accept requests from any client and try to handle requests
> # for any realm.
> # And it will print out what its doing in great detail to the log file.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # You should consider this file to be a starting point only
> # $Id: windows.cfg,v 1.1 2003/03/27 09:41:28 mikem Exp $
>
> #Foreground
> LogStdout
> LogDir		c:/Program Files/Radiator
> DbDir		c:/Program Files/Radiator
>
> # This will log at DEBUG level: very verbose
> # Use a lower trace level in production systems, typically 3
> Trace 		4
>
> AuthPort 1812
> DictionaryFile %D/dictionary
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with. This will work
> # at least with radpwtst running on the local machine
> <Client DEFAULT>
> 	Secret	mysecret
> 	DupInterval 0
> </Client>
>
> <Client 149.158.3.250>
>         Secret mysecret
> </Client>
>
> <Handler TunnelledByPEAP=1>
> 	# Authenticate with Windows LSA
> 	<AuthBy LSA>
> 		# Specifies which Windows Domain is ALWAYS to be used to
> 		# authenticate users (even if they specify a different
> 		# domain in their username).
> 		# Empty string means the local machine only
> 		# Special characters are supported. Can be an Active
> 		# directory domain or a Windows NT domain controller
> 		# domain name
> 		# Empty string (the default) means the local machine
> 		Domain LAN_KCNT
>
> 		# Specifies the Windows Domain to use if the user does not
> 		# specify a domain in their username.
> 		# Special characters are supported. Can be an Active
> 		# directory domain or a Windows NT domain controller
> 		# domain name
> 		# Empty string (the default) means the local machine
> 		DefaultDomain LAN_KCNT
>
> 		# You can check whether each user is the member of a windows
> 		# group with the Group parameter. If more than one Group is
> 		# specified, then the user must be a member of at least one
> 		# of them. Requires Win32::NetAdmin (which is installed by
> 		# default with ActivePerl). If no Group parameters are
> 		# specified, then Group checks will not be performed.
> 		#Group Administrators
> 		#Group Domain Users
>
> 		# You can specify which domain controller will be used to
> 		# check group membership with the DomainController parameter.
> 		# If no Group parameters are specified, DomainController will
> 		# not be used. Defaults to empty string, meaning the default
> 		# controller of the host where this instance of Radiator is
> 		# running.
> 		DomainController \\kcnt1
>
> 		# This tells the PEAP client what types of inner EAP
> 		# requests we will honour
> 		EAPType MSCHAP-V2
> 	</AuthBy>
> </Handler>
>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the
> # inner authentication extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used
> # to select a specific handler, or else you can use EAPAnonymous to set a
> # username and realm which can be used to select a Realm clause for the
> # inner request.
> # This allows you to select an inner authentication method based on Realm,
> # and/or the fact that they were tunnelled. You can therefore act just as
> # a PEAP server, or also act as the AAA/H home server, and authenticate
> # PEAP requests locally or proxy them to another remote server based on
> # the realm of the inner authentication request.
> # In this basic example, both the inner and outer authentication are
> # authenticated from a file by AuthBy FILE
> <Handler>
> 	<AuthBy FILE>
> 		# The username of the outer authentication
> 		# must be in this file to get anywhere. In this example,
> 		# it requires an entry for 'anonymous' which is the standard
> 		# username in the outer requests, and it also requires an entry
> 		# for the actual user name who is trying to connect (ie the
> 		# 'Login name' entered in the Funk Odyssey 'Edit Profile
> 		# Properties' page
> 		Filename %D/users
>
> 		# EAPType sets the EAP type(s) that Radiator will honour.
> 		# Options are: MD5-Challenge, One-Time-Password
> 		# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> 		# Multiple types can be comma separated. With the default (most
> 		# preferred) type given first
> 		EAPType PEAP
>
> 		# EAPTLS_CAFile is the name of a file of CA certificates
> 		# in PEM format. The file can contain several CA certificates
> 		# Radiator will first look in EAPTLS_CAFile then in
> 		# EAPTLS_CAPath, so there usually is no need to set both
> #		EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>
> 		# EAPTLS_CAPath is the name of a directory containing CA
> 		# certificates in PEM format. The files each contain one
> 		# CA certificate. The files are looked up by the CA
> 		# subject name hash value
> #		EAPTLS_CAPath
>
> 		# EAPTLS_CertificateFile is the name of a file containing
> 		# the servers certificate. EAPTLS_CertificateType
> 		# specifies the type of the file. Can be PEM or ASN1
> 		# defaults to ASN1
> #		EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> #		EAPTLS_CertificateType PEM
>
> 		# EAPTLS_PrivateKeyFile is the name of the file containing
> 		# the servers private key. It is sometimes in the same file
> 		# as the server certificate (EAPTLS_CertificateFile)
> 		# If the private key is encrypted (usually the case)
> 		# then EAPTLS_PrivateKeyPassword is the key to decrypt it
> #		EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> #		EAPTLS_PrivateKeyPassword whatever
>
> 		# EAPTLS_RandomFile is an optional file containing
> 		# randomness
> #		EAPTLS_RandomFile %D/certificates/random
>
> 		# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> 		# size that will be replied by Radiator. It must be small
> 		# enough to fit in a single Radius request (ie less than 4096)
> 		# and still leave enough space for other attributes
> 		# Aironet APs seem to need a smaller MaxFragmentSize
> 		# (eg 1024) than the default of 2048. Others need even
> 		# smaller sizes.
> #		EAPTLS_MaxFragmentSize 1000
>
> 		# EAPTLS_DHFile if set specifies the DH group file. It
> 		# may be required if you need to use ephemeral DH keys.
> #		EAPTLS_DHFile %D/certificates/cert/dh
>
>
> 		# If EAPTLS_CRLCheck is set and the client presents a
> 		# certificate then Radiator will look for a certificate
> 		# revocation list (CRL) for the certificate issuer
> 		# when authenticating each client. If a CRL file is not
> 		# found, or if the CRL says the certificate has been revoked,
> 		# the authentication will fail with an error:
> 		#   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> 		# One or more CRLs can be named with the EAPTLS_CRLFile
> 		# parameter.
> 		# Alternatively, CRLs may follow a file naming convention:
> 		#  the hash of the issuer subject name
> 		# and a suffix that depends on the serial number.
> 		# eg ab1331b2.r0, ab1331b2.r1 etc.
> 		# You can find out the hash of the issuer name in a CRL with
> 		#  openssl crl -in crl.pem -hash -noout
> 		# CRLs with this name convention
> 		# will be searched in EAPTLS_CAPath, else in the openssl
> 		# certificates directory typically /usr/local/openssl/certs/
> 		# CRLs are expected to be in PEM format.
> 		# A CRL file can be generated with openssl like this:
> 		#  openssl ca -gencrl -revoke cert-clt.pem
> 		#  openssl ca -gencrl -out crl.pem
> 		# Use of these flags requires Net_SSLeay-1.21 or later
> 		#EAPTLS_CRLCheck
> 		#EAPTLS_CRLFile %D/certificates/crl.pem
> 		#EAPTLS_CRLFile %D/certificates/revocations.pem
>
> 		# Some clients, depending on their configuration, may
> 		# require you to specify MPPE send and receive keys. This
> 		# _will_ be required if you select 'Keys will be generated
> 		# automatically for data privacy' in the Funk Odyssey
> 		# client Network Properties dialog.
> 		# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> 		# in the final Access-Accept
> 		AutoMPPEKeys
>
> 		# You can enable some warning messages from the Net::SSLeay
> 		# module by setting SSLeayTrace to an integer from 1 to 4
> 		# 1=ciphers, 2=trace, 3=dump data
> 		SSLeayTrace 4
>
> 		# You can configure the User-Name that will be used for the
> 		# inner authentication. Defaults to 'anonymous'. This can be
> 		# useful when proxying the inner authentication. If there is a
> 		# realm, it can be used to choose a local Realm to handle the
> 		# inner authentication.
> 		# %0 is replaced with the EAP identity
> 		# EAPAnonymous anonymous@some.other.realm
>
> 		# You can enable or disable support for TTLS Session
> 		# Resumption and PEAP Fast Reconnect with the
> 		# EAPTLS_SessionResumption flag.
> 		# Default is enabled
> 		#EAPTLS_SessionResumption 0
>
> 		# You can limit how long after the initial session that a
> 		# session can be resumed with EAPTLS_SessionResumptionLimit
> 		# (time in seconds). Defaults to 43200 (12 hours)
> 		#EAPTLS_SessionResumptionLimit 10
> 	</AuthBy>
> </Handler>
>
>
> 	Here is what we get in the logfile:
>
> Tue Apr  5 08:03:50 2005: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
> Tue Apr  5 08:03:50 2005: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
> Tue Apr  5 08:03:50 2005: DEBUG: Creating authentication port 0.0.0.0:1812
> Tue Apr  5 08:03:50 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Apr  5 08:03:50 2005: NOTICE: Server started: Radiator 3.12 on PC148 (LOCKED)
> Tue Apr  5 08:05:42 2005: DEBUG: Packet dump:
> *** Received from 149.158.3.250 port 1174 ....
> Code:       Access-Request
> Identifier: 149
> Authentic:  m:<0><0><141>0<0><0>EU<0><0><156>l<0><0>
> Attributes:
> 	User-Name = "00-01-f4-ec-97-29"
> 	User-Password = "<135>G"<248><235><174><251><17><16>*9K<249><253><187><179>"
> 	NAS-IP-Address = 149.158.3.250
> 	NAS-Port = 2
>
> Tue Apr  5 08:05:42 2005: DEBUG: Handling request with Handler ''
> Tue Apr  5 08:05:42 2005: DEBUG:  Deleting session for 00-01-f4-ec-97-29, 149.158.3.250, 2
> Tue Apr  5 08:05:42 2005: DEBUG: Handling with Radius::AuthFILE:
> Tue Apr  5 08:05:42 2005: DEBUG: Reading users file c:/Program Files/Radiator/users
> Tue Apr  5 08:05:42 2005: DEBUG: Radius::AuthFILE looks for match with 00-01-f4-ec-97-29
> Tue Apr  5 08:05:42 2005: DEBUG: AuthBy FILE result: REJECT, No such user
> Tue Apr  5 08:05:42 2005: INFO: Access rejected for 00-01-f4-ec-97-29: No such user
> Tue Apr  5 08:05:42 2005: DEBUG: Packet dump:
> *** Sending to 149.158.3.250 port 1174 ....
> Code:       Access-Reject
> Identifier: 149
> Authentic:  m:<0><0><141>0<0><0>EU<0><0><156>l<0><0>
> Attributes:
> 	Reply-Message = "Request Denied"
>
> Tue Apr  5 08:06:01 2005: DEBUG: Packet dump:
> *** Received from 149.158.3.250 port 1175 ....
> Code:       Access-Request
> Identifier: 150
> Authentic:  <175>(<0><0>p2<0><0><200>*<0><0><139><12><0><0>
> Attributes:
> 	Message-Authenticator = <204><196><9><17><13><141><153>Q<181><31><168>L<15><239>#U
> 	User-Name = "LAN_KCNT\wjs"
> 	NAS-IP-Address = 149.158.3.250
> 	NAS-Port = 2
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	Calling-Station-Id = "00-01-f4-ec-97-29"
> 	EAP-Message = <2><1><0><17><1>LAN_KCNT\wjs
> 	Framed-MTU = 1000
>
> Tue Apr  5 08:06:01 2005: DEBUG: Handling request with Handler ''
> Tue Apr  5 08:06:01 2005: DEBUG:  Deleting session for LAN_KCNT\wjs, 149.158.3.250, 2
> Tue Apr  5 08:06:01 2005: DEBUG: Handling with Radius::AuthFILE:
> Tue Apr  5 08:06:01 2005: DEBUG: Handling with EAP: code 2, 1, 17
> Tue Apr  5 08:06:01 2005: DEBUG: Response type 1
> Tue Apr  5 08:06:01 2005: ERR: TLS could not load_verify_locations , :
> Tue Apr  5 08:06:01 2005: DEBUG: EAP result: 1, EAP TLS Could not initialise context
> Tue Apr  5 08:06:01 2005: DEBUG: AuthBy FILE result: REJECT, EAP TLS Could not initialise context
> Tue Apr  5 08:06:01 2005: INFO: Access rejected for LAN_KCNT\wjs: EAP TLS Could not initialise context
> Tue Apr  5 08:06:01 2005: DEBUG: Packet dump:
> *** Sending to 149.158.3.250 port 1175 ....
> Code:       Access-Reject
> Identifier: 150
> Authentic:  <175>(<0><0>p2<0><0><200>*<0><0><139><12><0><0>
> Attributes:
> 	Reply-Message = "Request Denied"
>
>
> So what am I missing?
>
> Bill
>
> > -----Original Message-----
> > From: Mike McCauley [mailto:mikem at open.com.au]
> > Sent: Tuesday, April 05, 2005 7:34 AM
> > To: Stewart, Bill
> > Cc: 'radiator at open.com.au'
> > Subject: Re: (RADIATOR) I need a little help with the log file
> >
> >
> > Hello Bill,
> >
> > On Tuesday 05 April 2005 21:01, Stewart, Bill wrote:
> > > Hi Mark,
> > >
> > > 	Maybe we can not do what I'm trying to do.  Let me explain.  My boss
> > > would like to have Windows XP machines, in a building that uses wireless
> > > communications, validate against our Windows NT domain.  He does not want
> > > to have to install certificates on each of the machines.  We also have some
> > > printers in those locations that would validate via MAC address. We have no
> > > problem with those.  So my question is "Is it possible to validate to an NT
> > > domain without using certificates?" I thought my previous question was
> > > answered with a "yes" if we use the LSA validation.
> >
> > LSA can be used to authenticate a wide range of different types of EAP
> > authentication. Some EAP types require certificates, and some don't. Of
> > the types that do require certificates, some require a certificate for
> > each client, some require the radius server to have a certificate.
> >
> > The most common EAP type in use with windows XP is PEAP-MSCHAPV2. Radiator
> > works fine with PEAP-MSCHAPV2 and AuthBy LSA (see the example
> > goodies/lsa_eap_peap.cfg)
> > By default, PEAP requires the radius server to have a certificate, however
> > you can individually disable this requirement in the XP client
> > configuration, although this does result in a lower level of security.
> > PEAP does not require a certificate for every PEAP client, just for the
> > radius server.
> >
> > We would normally recommend that you require radius server certificate
> > validation in your XP clients, which in turn means that you would need to
> > have a certificate for your Radius server.
> >
> > Summary: you can use Radiator AuthBy LSA with PEAP-MSCHAPV2 with or
> > without certificates.
> >
> > Radius server certificates can be purchased from public certificate
> > vendors, or created in-house with certificate authority software (such as
> > our CATool software).
> >
> > Radiator can be configured to do MAC authentication at the same time as
> > PEAP/LSA authentication (ie MAC for some clients such as your printers and
> > PEAP-MSCHAPV2 for others that request it)
> >
> > Hope that helps. It's a big subject, and there are pointers to more docs
> > in the FAQ at http://www.open.com.au/radiator/faq.html
> >
> > Cheers.
> >
> > > Thanks
> > >
> > > Bill
> > >
> > > 	Here is what I get with the test.
> > >
> > > >perl radiusd -config goodies/lsa_eap_peap.cfg
> > >
> > > Tue Apr  5 06:51:20 2005: ERR: Could not AdjustPrivilege SE_TCB_PRIVILEGE: A required privilege is not held by the client.
> > >
> > > Tue Apr  5 06:51:20 2005: ERR: Could not load AuthBy module Radius::AuthLSA: Tue Apr  5 06:51:20 2005: ERR: Unknown object 'AuthBy' in goodies/lsa_eap_peap.cfg line 102
> > > Tue Apr  5 06:51:20 2005: DEBUG: Finished reading configuration file 'goodies/lsa_eap_peap.cfg'
> > > This Radiator license will expire on 2005-10-01
> > > This Radiator license will stop operating after 1000 requests
> > > To purchase an unlimited full source version of Radiator, see
> > > http://www.open.com.au/ordering.html
> > > To extend your license period, contact admin at open.com.au
> > >
> > > Tue Apr  5 06:51:20 2005: DEBUG: Reading dictionary file './dictionary'
> > > Tue Apr  5 06:51:21 2005: DEBUG: Creating authentication port 0.0.0.0:1645
> > > Tue Apr  5 06:51:21 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> > > Tue Apr  5 06:51:21 2005: NOTICE: Server started: Radiator 3.12 on PC148 (LOCKED)
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

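As an added example (not part of the original thread and not Radiator's own code), the small Python lint below reproduces Mike's diagnosis mechanically: it parses a Radiator configuration into its <Handler>/<AuthBy> clauses and reports any AuthBy whose EAPType includes a TLS-based outer type (TLS, TTLS, PEAP) but which sets neither EAPTLS_CertificateFile, EAPTLS_PrivateKeyFile, nor EAPTLS_CAFile/EAPTLS_CAPath. The two embedded configurations are constructed from the outer handler Bill posted: one with the EAPTLS_* lines commented out exactly as he had them, and one with those lines enabled as in the delivered lsa_eap_peap.cfg. The certificate paths and the password "whatever" are the placeholders from that example file, not real values, and the parser understands only the subset of Radiator syntax used in this thread.

```python
"""Lint a Radiator config for TLS-based EAP clauses that lack certificate
parameters.  Added example, not Radiator code; understands only nested
<X ...>...</X> clauses, "Name value" parameters and '#' comment lines."""
import re
from typing import Dict, List, Tuple

# Outer EAP types for which Radiator must build a TLS context (page: PEAP
# requires the radius server to have a certificate)
TLS_EAP_TYPES = {"TLS", "TTLS", "PEAP"}
# Server certificate and private key: required for any of those types
REQUIRED = ("EAPTLS_CertificateFile", "EAPTLS_PrivateKeyFile")
# CA material: Radiator looks in EAPTLS_CAFile first, then EAPTLS_CAPath,
# so either one satisfies the check
CA_ALTERNATIVES = ("EAPTLS_CAFile", "EAPTLS_CAPath")

ClausePath = Tuple[str, ...]


def parse(text: str) -> Dict[ClausePath, Dict[str, str]]:
    """Map each clause path, e.g. ("Handler", "AuthBy FILE"), to its params.

    Blank and '#' lines are skipped, so a commented-out EAPTLS_CAFile is
    simply absent; a flag such as AutoMPPEKeys is stored with value ""."""
    clauses: Dict[ClausePath, Dict[str, str]] = {(): {}}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.fullmatch(r"<(/?)([^<>]+)>", line)
        if tag:
            if tag.group(1):            # closing tag: leave the clause
                stack.pop()
            else:                       # opening tag: enter a new clause
                stack.append(tag.group(2).strip())
                clauses.setdefault(tuple(stack), {})
            continue
        parts = line.split(None, 1)     # "Name value" or a bare flag
        clauses[tuple(stack)][parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return clauses


def lint(text: str) -> List[str]:
    """Return one finding per missing TLS parameter in a TLS-capable AuthBy."""
    findings: List[str] = []
    for path, params in parse(text).items():
        if not path or path[-1].split()[0] != "AuthBy":
            continue
        eap_types = {t.strip().upper() for t in params.get("EAPType", "").split(",")}
        tls_types = sorted(eap_types & TLS_EAP_TYPES)
        if not tls_types:               # e.g. the inner AuthBy LSA with MSCHAP-V2
            continue
        where = " > ".join(path)
        for name in REQUIRED:
            if not params.get(name):
                findings.append(f"{where}: {name} not set, but EAPType "
                                f"{','.join(tls_types)} needs a server certificate")
        if not any(params.get(name) for name in CA_ALTERNATIVES):
            findings.append(f"{where}: neither EAPTLS_CAFile nor EAPTLS_CAPath set "
                            "(the posted log's 'TLS could not load_verify_locations')")
    return findings


# Constructed from Bill's posting: certificate lines still commented out.
BROKEN_CFG = r"""
<Handler TunnelledByPEAP=1>
    <AuthBy LSA>
        Domain LAN_KCNT
        DefaultDomain LAN_KCNT
        DomainController \\kcnt1
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
#       EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
#       EAPTLS_CertificateFile %D/certificates/cert-srv.pem
#       EAPTLS_CertificateType PEM
#       EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
#       EAPTLS_PrivateKeyPassword whatever
        AutoMPPEKeys
    </AuthBy>
</Handler>
"""


def fixed_from(broken: str) -> str:
    """Enable the EAPTLS_* lines, i.e. the delivered lsa_eap_peap.cfg values.
    The paths and password are the example file's placeholders: point them at
    the real server certificate, key and CA chain before use."""
    return re.sub(r"(?m)^#(\s*EAPTLS_)", r"\1", broken)


FIXED_CFG = fixed_from(BROKEN_CFG)

if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN_CFG), ("EAPTLS_* enabled", FIXED_CFG)):
        problems = lint(cfg)
        print(f"{label}: {len(problems)} finding(s)")
        for problem in problems:
            print("  " + problem)
```

Run stand-alone it prints three findings for the posted configuration (certificate file, private key file, and CA material all missing in `Handler > AuthBy FILE`) and none once the lines are enabled; the inner AuthBy LSA clause is not reported because MSCHAP-V2 is not a TLS-based type. Enabling the lines only gets Radiator past context initialisation: the files they name must exist and the XP clients still need to trust the CA that issued the server certificate if server validation is left on, as Mike recommends.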