(RADIATOR) 802.1x authentication problems

Hugh Irvine hugh at open.com.au
Wed Aug 24 17:17:44 CDT 2005


Hello Guido -

From the debug it appears that the client is trying to use PEAP, so
your EAPType should look as follows:


# Authenticate all realms with this
<Realm DEFAULT>

     # Look up user details in a flat file
     <AuthBy FILE>
         # %D is replaced by DbDir above
         EAPType PEAP, MSCHAP-V2
         Filename %D/users
     </AuthBy>

     # Log accounting to a detail file. %D is replaced by DbDir above
     AcctLogFileName    %D/detail
</Realm>


regards

Hugh



On 25 Aug 2005, at 00:05, Guido Gerber wrote:

> To whoever could help me...
> I work with networks and I was recently assigned a new project in which I
> have to install a number of HotSpots (Proxim AP700), and as it is for
> private use, its authentication needs to be implemented.
> I was asked to at least authenticate against a file on the Radiator's
> computer. I have added the user "test" with password "test", and used
> "radpwtst", which turned out OK. However, when I go into the HotSpot's
> configuration, I have to set the Security options, so I choose "802.1x" and
> "PEAP (EAP-MSCHAP V2)" from the list that the Proxim AP700 provides
> ("EAP-TLS", "EAP-TTLS", "PEAP (EAP-GTC)", "PEAP (EAP-MSCHAP V2)",
> "LEAP"). I then configure the user and password (both "test"), but when the
> computer goes against the hotspot and the hotspot against the Radiator, it
> won't give me access. The HotSpot has Authentication mode 802.1x, Cipher
> WEP, Encryption Key Length: 64 bits.
>
> The following screen information is outputted:
>
> ______________
> C:\>perl c:\perl\bin\radiusd
> Wed Aug 24 11:06:08 2005: DEBUG: Finished reading configuration file 'C:\Program Files\Radiator\radius.cfg'
> Wed Aug 24 11:06:08 2005: DEBUG: Reading dictionary file 'c:/Program Files/Radiator/dictionary'
> Wed Aug 24 11:06:08 2005: DEBUG: Creating authentication port 0.0.0.0:1645
> Wed Aug 24 11:06:08 2005: DEBUG: Creating accounting port 0.0.0.0:1646
> Wed Aug 24 11:06:08 2005: NOTICE: Server started: Radiator 3.12 on stream (LOCKED)
> Wed Aug 24 11:06:13 2005: DEBUG: Packet dump:
> *** Received from 192.168.1.219 port 6001 ....
> Code: Access-Request
> Identifier: 187
> Authentic: <0><0>sy<0><0>E<128><0><0>6K<0><0>G(
> Attributes:
> User-Name = "test"
> NAS-IP-Address = 192.168.1.219
> Called-Station-Id = "00-20-a6-59-9c-c9:UADE_DEMO"
> Calling-Station-Id = "00-20-a6-4e-cf-ac"
> NAS-Identifier = "UADEDEMO"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2><30><0><9><1>test
> Message-Authenticator = <222><6><167>@<26><29><177>6<193><158>1.&f<26><221>
> Wed Aug 24 11:06:13 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Wed Aug 24 11:06:13 2005: DEBUG: Deleting session for test, 192.168.1.219,
> Wed Aug 24 11:06:13 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Aug 24 11:06:13 2005: DEBUG: Handling with EAP: code 2, 30, 9
> Wed Aug 24 11:06:13 2005: DEBUG: Response type 1
> Wed Aug 24 11:06:13 2005: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Wed Aug 24 11:06:13 2005: DEBUG: AuthBy FILE result: CHALLENGE, EAP MSCHAP-V2 Challenge
> Wed Aug 24 11:06:13 2005: DEBUG: Access challenged for test: EAP MSCHAP-V2 Challenge
> Wed Aug 24 11:06:13 2005: DEBUG: Packet dump:
> *** Sending to 192.168.1.219 port 6001 ....
> Code: Access-Challenge
> Identifier: 187
> Authentic: <0><0>sy<0><0>E<128><0><0>6K<0><0>G(
> Attributes:
> EAP-Message = <1><31><0><26><1><31><0><27><16>YJ<221>H<18><160><142>w<166><190><223><199>#q<16><0>stream
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Aug 24 11:06:13 2005: DEBUG: Packet dump:
> *** Received from 192.168.1.219 port 6001 ....
> Code: Access-Request
> Identifier: 188
> Authentic: <0><0>sy<0><0>E<128><0><0>6K<0><0>G(
> Attributes:
> User-Name = "test"
> NAS-IP-Address = 192.168.1.219
> Called-Station-Id = "00-20-a6-59-9c-c9:UADE_DEMO"
> Calling-Station-Id = "00-20-a6-4e-cf-ac"
> NAS-Identifier = "UADEDEMO"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> EAP-Message = <2><31><0><6><3><25>
> Message-Authenticator = *<160>Z<185>[<251><28>:)<223><218><160><11><19>LR
> Wed Aug 24 11:06:13 2005: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Wed Aug 24 11:06:13 2005: DEBUG: Deleting session for test, 192.168.1.219,
> Wed Aug 24 11:06:13 2005: DEBUG: Handling with Radius::AuthFILE:
> Wed Aug 24 11:06:13 2005: DEBUG: Handling with EAP: code 2, 31, 6
> Wed Aug 24 11:06:13 2005: DEBUG: Response type 3
> Wed Aug 24 11:06:13 2005: INFO: EAP Nak desires type 25
> Wed Aug 24 11:06:13 2005: DEBUG: EAP result: 1, Desired EAP type 25 not permitted
> Wed Aug 24 11:06:13 2005: DEBUG: AuthBy FILE result: REJECT, Desired EAP type 25 not permitted
> Wed Aug 24 11:06:13 2005: INFO: Access rejected for test: Desired EAP type 25 not permitted
> Wed Aug 24 11:06:13 2005: DEBUG: Packet dump:
> *** Sending to 192.168.1.219 port 6001 ....
> Code: Access-Reject
> Identifier: 188
> Authentic: <0><0>sy<0><0>E<128><0><0>6K<0><0>G(
> Attributes:
> Reply-Message = "Request Denied"
> ______________
>
> The following is the users file:
> ______________
> # users
> # This is an example of how to set up simple user for
> # AuthBy FILE.
> # The example user mikem has a password of fred, and will
> # receive reply attributes suitable for most NASs.
> # You can do many more interesting things. See the Radiator reference
> # manual for more details
> #
> # You can test this user with the command
> #  perl radpwtst
>
>
> test User-Password = "test"
> _____________
>
> The following is the radius.cfg:
> _____________
> # windows.cfg
> [...]
> #
> # You should consider this file to be a starting point only
> # $Id: windows.cfg,v 1.1 2003/03/27 09:41:28 mikem Exp $
>
> Foreground
> LogStdout
> LogDir        c:/Program Files/Radiator
> DbDir        c:/Program Files/Radiator
>
> # This will log at DEBUG level: very verbose
> # Use a lower trace level in production systems, typically use 3
> Trace         4
>
>
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with. This will work
> # at least with radpwtst running on the local machine
> <Client DEFAULT>
>     Secret    mysecret
>     DupInterval 0
> </Client>
>
> # Authenticate all realms with this
> <Realm DEFAULT>
>     # Look up user details in a flat file
>     <AuthBy FILE>
>         # %D is replaced by DbDir above
>         EAPType MSCHAP-V2
>         Filename %D/users
>
>     </AuthBy>
>
>     # Log accounting to a detail file. %D is replaced by DbDir above
>     AcctLogFileName    %D/detail
> </Realm>
>
> <Handler>
> <AuthBy FILE>
>     EAPType MSCHAP-v2
>     Filename %D/users
> </AuthBy>
> </Handler>
> _____________
>
> I would appreciate any idea to solve this ASAP.
> Thanks !
>
> Guido
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
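
The two EAP-Message values in the trace above tell the whole story: the first is the EAP Identity Response, the second an EAP Nak in which the supplicant asks for type 25 (PEAP), which the original EAPType line (MSCHAP-V2 only) does not allow. The script below is an added example written for this page, not code from the original post or from Radiator itself: it converts Radiator's packet-dump notation back into bytes, decodes the EAP header and Nak type list, and reproduces the CHALLENGE/REJECT decision for a given EAPType value. The type-name table and the decision function model what the log lines show, not Radiator's own source; the two dump strings are copied from the trace and nothing else is generated.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EAP type numbers (RFC 3748 / IANA) named as they appear in a Radiator EAPType
# line; only the types the AP700 list and this thread mention are included.
EAP_TYPES = {1: "IDENTITY", 3: "NAK", 13: "TLS", 17: "LEAP",
             21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Radiator's trace prints non-printable bytes as <decimal> and printable ones raw.
_DUMP_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.S)


def dump_to_bytes(dump: str) -> bytes:
    """Turn an EAP-Message value copied from a trace 4 packet dump into bytes."""
    out = bytearray()
    for num, ch in _DUMP_TOKEN.findall(dump):
        out.append(int(num) if num else ord(ch))   # assumes printable chars are ASCII
    return bytes(out)


@dataclass
class EapPacket:
    code: int                 # 1 Request, 2 Response, 3 Success, 4 Failure
    identifier: int
    length: int
    eap_type: Optional[int]   # only Request/Response carry a type octet
    data: bytes               # type-data: the identity, or the Nak's type list


def parse_eap(raw: bytes) -> EapPacket:
    """Decode the 4-byte EAP header and, for Request/Response, the type octet."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length < 4 or length > len(raw):
        raise ValueError(f"EAP length {length} inconsistent with {len(raw)} bytes present")
    body = raw[4:length]
    if code in (1, 2) and body:
        return EapPacket(code, ident, length, body[0], body[1:])
    return EapPacket(code, ident, length, None, body)


def nak_desired_types(pkt: EapPacket) -> List[int]:
    """Types the peer offers in a Nak (Response, type 3); [0] means nothing acceptable."""
    if pkt.code != 2 or pkt.eap_type != 3:
        return []
    return list(pkt.data)


def parse_eaptype(value: str) -> List[str]:
    """Split a Radiator 'EAPType PEAP, MSCHAP-V2' value into upper-cased names."""
    return [v.strip().upper() for v in value.split(",") if v.strip()]


def server_decision(pkt: EapPacket, eaptype_value: str) -> Tuple[str, Optional[int]]:
    """Approximation of what the trace shows the server doing with a Nak: use the
    first desired type that EAPType permits, otherwise reject (this models the
    log lines, not Radiator's code)."""
    wanted = nak_desired_types(pkt)
    if not wanted:
        return "CONTINUE", None        # not a Nak; the EAP conversation carries on
    allowed = parse_eaptype(eaptype_value)
    for t in wanted:
        if EAP_TYPES.get(t, "").upper() in allowed:
            return "CHALLENGE", t
    return "REJECT", wanted[0]         # cf. 'Desired EAP type 25 not permitted'


def describe(dump: str) -> str:
    """One-line human-readable decode of an EAP-Message value."""
    pkt = parse_eap(dump_to_bytes(dump))
    kind = EAP_CODES.get(pkt.code, str(pkt.code))
    if pkt.eap_type is None:
        return f"EAP {kind} id={pkt.identifier} len={pkt.length}"
    name = EAP_TYPES.get(pkt.eap_type, str(pkt.eap_type))
    detail = ""
    if pkt.eap_type == 1:
        detail = f" identity={pkt.data.decode('ascii', 'replace')!r}"
    elif pkt.eap_type == 3:
        detail = " desires " + ", ".join(f"{t} ({EAP_TYPES.get(t, '?')})" for t in pkt.data)
    return f"EAP {kind} id={pkt.identifier} len={pkt.length} type={pkt.eap_type} ({name}){detail}"


# The two EAP-Message values from the trace in the post (copied, not generated).
IDENTITY_RESPONSE = "<2><30><0><9><1>test"
NAK_RESPONSE = "<2><31><0><6><3><25>"

if __name__ == "__main__":
    for dump in (IDENTITY_RESPONSE, NAK_RESPONSE):
        print(describe(dump))
    nak = parse_eap(dump_to_bytes(NAK_RESPONSE))
    print("EAPType MSCHAP-V2       ->", server_decision(nak, "MSCHAP-V2"))
    print("EAPType PEAP, MSCHAP-V2 ->", server_decision(nak, "PEAP, MSCHAP-V2"))
```

Run against the trace, the Nak decodes to "desires 25 (PEAP)", the original EAPType gives REJECT and the corrected "PEAP, MSCHAP-V2" gives CHALLENGE with type 25, which is the same outcome Hugh's config change produces. A Nak whose only desired type is 0 is the supplicant saying it accepts none of the server's methods, and the decision function rejects that case too.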

