(RADIATOR) authenticating wireless client through radiator with AuthBy INTERNAL

John Pertalion pertalionaj at appstate.edu
Fri Dec 9 15:12:28 CST 2005


Hello,

I'd like to authenticate any wireless client on an Aruba wireless network 
through Radiator with AuthBy INTERNAL regardless of who they are.

I've had this working fine with an AuthBy FILE and SQL against a MySQL 
database.

Enclosed is the cfg file for AuthBy INTERNAL with the working AuthBy 
FILE stuff commented out.

Also enclosed is the logfile when trying to AuthBy INTERNAL.  It never 
actually rejects the client; it seems like it just kind of trails off 
without allowing the client to finish off its authentication on the AAA 
server.

Any suggestions are greatly appreciated.

Thanks,

John Pertalion
Appalachian State University
Boone, NC

/ *********************************************************************** /

radius.cfg:

LogDir          /var/log/radius
DbDir           /etc/radiator

AuthPort        1812
AcctPort        1813

# Use a lower trace level in production systems:
Trace           4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
         Identifier DEFAULT-CLIENT
         Secret  mysecret
         DupInterval 0
</Client>

# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.

<Handler TunnelledByPEAP=1,User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/>
#        <AuthBy FILE>
         <AuthBy INTERNAL>
                 Identifier PEAP-TUNNEL

# Comment out for AuthBy INTERNAL
#                Filename %D/users
#                EAPType MSCHAP-V2

                 DefaultResult ACCEPT
                 AddToReply Filter-Id = admin
         </AuthBy>
</Handler>

<Handler User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/>
#        <AuthBy FILE>
         <AuthBy INTERNAL>
                 Identifier EAP-TUNNEL

# Comment out for AuthBy INTERNAL
#                Filename %D/users

                 EAPType PEAP
                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                 EAPTLS_CertificateType PEM
                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                 EAPTLS_PrivateKeyPassword whatever
                 EAPTLS_MaxFragmentSize 1000
                 AutoMPPEKeys
                 SSLeayTrace 4
                 EAPTLS_PEAPVersion 0

                 DefaultResult ACCEPT
         </AuthBy>
</Handler>


/ *********************************************************************** /

Log of unsuccessful authentication from client:

Fri Dec  9 15:41:33 2005: NOTICE: SIGTERM received: stopping
Fri Dec  9 15:41:36 2005: DEBUG: Finished reading configuration file 
'/etc/radiator/radius.cfg'
Fri Dec  9 15:41:36 2005: DEBUG: Reading dictionary file 
'/etc/radiator/dictionary'
Fri Dec  9 15:41:36 2005: DEBUG: Creating authentication port 0.0.0.0:1812
Fri Dec  9 15:41:36 2005: DEBUG: Creating accounting port 0.0.0.0:1813
Fri Dec  9 15:41:36 2005: NOTICE: Server started: Radiator 3.13 on cronus
Fri Dec  9 15:41:46 2005: ERR: Attribute number 5 (vendor 14823) is not 
defined in your dictionary
Fri Dec  9 15:41:46 2005: ERR: Attribute number 6 (vendor 14823) is not 
defined in your dictionary
Fri Dec  9 15:41:46 2005: DEBUG: Packet dump:
*** Received from 152.10.239.231 port 32771 ....
Code:       Access-Request
Identifier: 24
Authentic:  <31><239><207>${<183>(<164><4><254><13><161><14>N<138><188>
Attributes:
         User-Name = "pertalionaj"
         NAS-IP-Address = 152.10.239.230
         NAS-Port = 1
         NAS-Port-Type = Wireless-IEEE-802-11
         Calling-Station-Id = "0030651084D0"
         Called-Station-Id = "000B86505AC0"
         Framed-MTU = 1100
         EAP-Message = <2>-<0><16><1>pertalionaj
         Message-Authenticator = 
<142><147>b(<249>W[<203><198><21>n<170><17>1<197><173>

Fri Dec  9 15:41:46 2005: DEBUG: Handling request with Handler 
'User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/'
Fri Dec  9 15:41:46 2005: DEBUG:  Deleting session for pertalionaj, 
152.10.239.230, 1
Fri Dec  9 15:41:46 2005: DEBUG: Handling with AuthINTERNAL: EAP-TUNNEL
Fri Dec  9 15:41:46 2005: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed 
by DefaultResult
Fri Dec  9 15:41:46 2005: DEBUG: Access accepted for pertalionaj
Fri Dec  9 15:41:46 2005: DEBUG: Packet dump:
*** Sending to 152.10.239.231 port 32771 ....
Code:       Access-Accept
Identifier: 24
Authentic:  <31><239><207>${<183>(<164><4><254><13><161><14>N<138><188>
Attributes:

Fri Dec  9 15:41:50 2005: ERR: Attribute number 5 (vendor 14823) is not 
defined in your dictionary
Fri Dec  9 15:41:50 2005: ERR: Attribute number 6 (vendor 14823) is not 
defined in your dictionary
Fri Dec  9 15:41:50 2005: DEBUG: Packet dump:
*** Received from 152.10.239.231 port 32771 ....
Code:       Access-Request
Identifier: 25
Authentic:  CK<226><16>h<146><209><226>g3<181><15>^<207>!<9>
Attributes:
         User-Name = "pertalionaj"
         NAS-IP-Address = 152.10.239.230
         NAS-Port = 1
         NAS-Port-Type = Wireless-IEEE-802-11
         Calling-Station-Id = "0030651084D0"
         Called-Station-Id = "000B86505AC0"
         Framed-MTU = 1100
         EAP-Message = <2>.<0><16><1>pertalionaj
         Message-Authenticator = 
<192>HU<253><5><28>dfK<26><247><250><10><226><168>:

Fri Dec  9 15:41:50 2005: DEBUG: Handling request with Handler 
'User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/'
Fri Dec  9 15:41:50 2005: DEBUG:  Deleting session for pertalionaj, 
152.10.239.230, 1
Fri Dec  9 15:41:50 2005: DEBUG: Handling with AuthINTERNAL: EAP-TUNNEL
Fri Dec  9 15:41:50 2005: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed 
by DefaultResult
Fri Dec  9 15:41:50 2005: DEBUG: Access accepted for pertalionaj
Fri Dec  9 15:41:50 2005: DEBUG: Packet dump:
*** Sending to 152.10.239.231 port 32771 ....
Code:       Access-Accept
Identifier: 25
Authentic:  CK<226><16>h<146><209><226>g3<181><15>^<207>!<9>
Attributes:

Fri Dec  9 15:42:20 2005: ERR: Attribute number 5 (vendor 14823) is not 
defined in your dictionary
Fri Dec  9 15:42:20 2005: ERR: Attribute number 6 (vendor 14823) is not 
defined in your dictionary
Fri Dec  9 15:42:20 2005: DEBUG: Packet dump:
*** Received from 152.10.239.231 port 32771 ....
Code:       Access-Request
Identifier: 26
Authentic:  r<18><230><179>;<232>-<226><24><172><230>\Zd<203><19>
Attributes:
         User-Name = "pertalionaj"
         NAS-IP-Address = 152.10.239.230
         NAS-Port = 1
         NAS-Port-Type = Wireless-IEEE-802-11
         Calling-Station-Id = "0030651084D0"
         Called-Station-Id = "000B86505AC0"
         Framed-MTU = 1100
         EAP-Message = <2>/<0><16><1>pertalionaj
         Message-Authenticator = 
<204>w<193><183><191>~<246><152><30><16><0><154><224><8>'<152>

Fri Dec  9 15:42:20 2005: DEBUG: Handling request with Handler 
'User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/'
Fri Dec  9 15:42:20 2005: DEBUG:  Deleting session for pertalionaj, 
152.10.239.230, 1
Fri Dec  9 15:42:20 2005: DEBUG: Handling with AuthINTERNAL: EAP-TUNNEL
Fri Dec  9 15:42:20 2005: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed 
by DefaultResult
Fri Dec  9 15:42:20 2005: DEBUG: Access accepted for pertalionaj
Fri Dec  9 15:42:20 2005: DEBUG: Packet dump:
*** Sending to 152.10.239.231 port 32771 ....
Code:       Access-Accept
Identifier: 26
Authentic:  r<18><230><179>;<232>-<226><24><172><230>\Zd<203><19>
Attributes:

Fri Dec  9 15:42:50 2005: ERR: Attribute number 5 (vendor 14823) is not 
defined in your dictionary
Fri Dec  9 15:42:50 2005: ERR: Attribute number 6 (vendor 14823) is not 
defined in your dictionary
Fri Dec  9 15:42:50 2005: DEBUG: Packet dump:
*** Received from 152.10.239.231 port 32771 ....
Code:       Access-Request
Identifier: 27
Authentic:  %<218><193>d<4>n~"mnC<228>W2&<183>
Attributes:
         User-Name = "pertalionaj"
         NAS-IP-Address = 152.10.239.230
         NAS-Port = 1
         NAS-Port-Type = Wireless-IEEE-802-11
         Calling-Station-Id = "0030651084D0"
         Called-Station-Id = "000B86505AC0"
         Framed-MTU = 1100
         EAP-Message = <2>0<0><16><1>pertalionaj
         Message-Authenticator = 
<218><136>><225><186>N<160><12><143>m<3><139><160><28>`<235>

Fri Dec  9 15:42:50 2005: DEBUG: Handling request with Handler 
'User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/'
Fri Dec  9 15:42:50 2005: DEBUG:  Deleting session for pertalionaj, 
152.10.239.230, 1
Fri Dec  9 15:42:50 2005: DEBUG: Handling with AuthINTERNAL: EAP-TUNNEL
Fri Dec  9 15:42:50 2005: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed 
by DefaultResult
Fri Dec  9 15:42:50 2005: DEBUG: Access accepted for pertalionaj
Fri Dec  9 15:42:50 2005: DEBUG: Packet dump:
*** Sending to 152.10.239.231 port 32771 ....
Code:       Access-Accept
Identifier: 27
Authentic:  %<218><193>d<4>n~"mnC<228>W2&<183>
Attributes:

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
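What the posted trace actually shows, decoded as an added diagnostic example (this is not part of the original post and not Radiator code). Radiator's packet dump prints non-printable octets as `<decimal>` and printable ones literally, so `EAP-Message = <2>-<0><16><1>pertalionaj` is an EAP packet with Code 2 (Response), Identifier 45 (the `-`), Length 16 and Type 1 (Identity). The four Access-Requests in the log carry EAP identifiers 45, 46, 47 and 48, i.e. the Aruba controller starts a fresh EAP conversation each time rather than continuing one. The Access-Accept that Radiator sends back (line `AuthBy INTERNAL result: ACCEPT, Fixed by DefaultResult`) has no attributes at all: no EAP-Message carrying an EAP Success, no Message-Authenticator and no MS-MPPE-Recv-Key/MS-MPPE-Send-Key, so the `EAPType PEAP`, `EAPTLS_*` and `AutoMPPEKeys` settings in that AuthBy never come into play. RFC 3579 (RADIUS support for EAP) requires a NAS to treat an Access-Accept that lacks an EAP-Message, in reply to a request that carried one, as a reject, and an 802.11 AP has no pairwise master key to run the WPA key handshake without the MPPE keys, which is why the client "trails off" instead of being rejected. (The `vendor 14823` dictionary errors are unrelated: 14823 is Aruba Networks' enterprise number and those are just Aruba VSAs missing from the dictionary.) The script below parses the page's own dump notation, decodes the EAP header and audits the reply; the embedded packet dumps are constructed from the log above with the wrapped Message-Authenticator line rejoined.

```python
"""Decode the EAP-Message from a Radiator packet dump and audit the reply.

Added diagnostic example; not part of the original post or of Radiator.
Checks follow RFC 3748 (EAP framing) and RFC 3579 (RADIUS support for EAP).
"""
import re
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 25: "PEAP", 26: "EAP-MSCHAP-V2"}
_ESC = re.compile(r"<(\d{1,3})>")  # Radiator prints non-printable octets as <decimal>


def radiator_dump_to_bytes(text: str) -> bytes:
    """Turn Radiator's dump notation back into raw bytes (printable octets are literal)."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1)))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int]  # only Request/Response carry a Type octet
    data: bytes


def parse_eap(raw: bytes) -> EapPacket:
    """RFC 3748 header: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length {length} disagrees with {len(raw)} bytes present")
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response needs a Type octet")
        return EapPacket(code, ident, length, raw[4], raw[5:])
    return EapPacket(code, ident, length, None, b"")


def describe_eap(dump_value: str) -> str:
    """Human-readable summary of one 'EAP-Message = ...' value from the dump."""
    p = parse_eap(radiator_dump_to_bytes(dump_value))
    kind = EAP_CODES.get(p.code, str(p.code))
    if p.type is None:
        return f"{kind} id={p.identifier}"
    return f"{kind} id={p.identifier} type={EAP_TYPES.get(p.type, p.type)} data={p.data!r}"


def parse_packet_dump(text: str) -> dict:
    """Minimal reader for a Radiator 'Packet dump' block: Code, Identifier, attributes."""
    pkt = {"code": None, "identifier": None, "attrs": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Code:"):
            pkt["code"] = line.split(":", 1)[1].strip()
        elif line.startswith("Identifier:"):
            pkt["identifier"] = int(line.split(":", 1)[1])
        elif " = " in line:
            name, value = line.split(" = ", 1)
            pkt["attrs"].append((name.strip(), value.strip().strip('"')))
    return pkt


def audit_eap_reply(request: dict, reply: dict) -> list:
    """Return the reasons an 802.1X NAS would discard this reply (empty list = fine)."""
    req, rep = dict(request["attrs"]), dict(reply["attrs"])
    problems = []
    if "EAP-Message" not in req:
        return problems  # not an EAP conversation, nothing to check
    if reply["code"] == "Access-Accept":
        if "EAP-Message" not in rep:
            problems.append("Access-Accept carries no EAP-Message (EAP Success); "
                            "RFC 3579 requires the NAS to treat it as a reject")
        if req.get("NAS-Port-Type") == "Wireless-IEEE-802-11" and not (
                "MS-MPPE-Recv-Key" in rep and "MS-MPPE-Send-Key" in rep):
            problems.append("no MS-MPPE-Recv-Key/MS-MPPE-Send-Key: the AP has no PMK "
                            "for the 802.11i/WPA key handshake")
    if "EAP-Message" in rep and "Message-Authenticator" not in rep:
        problems.append("EAP-Message without Message-Authenticator (RFC 3579)")
    return problems


# Constructed from the first request/reply pair in the posted log.
REQUEST_DUMP = """\
Code:       Access-Request
Identifier: 24
Attributes:
        User-Name = "pertalionaj"
        NAS-IP-Address = 152.10.239.230
        NAS-Port-Type = Wireless-IEEE-802-11
        Framed-MTU = 1100
        EAP-Message = <2>-<0><16><1>pertalionaj
        Message-Authenticator = <142><147>b(<249>W[<203><198><21>n<170><17>1<197><173>
"""
ACCEPT_DUMP = """\
Code:       Access-Accept
Identifier: 24
Attributes:
"""

if __name__ == "__main__":
    req, rep = parse_packet_dump(REQUEST_DUMP), parse_packet_dump(ACCEPT_DUMP)
    print(describe_eap(dict(req["attrs"])["EAP-Message"]))
    for problem in audit_eap_reply(req, rep):
        print("-", problem)
```

Feed it the other three requests from the log (`<2>.<0><16><1>...`, `<2>/<0><16><1>...`, `<2>0<0><16><1>...`) and `describe_eap` reports identifiers 46, 47 and 48, all Identity responses: nothing beyond the identity exchange ever happens. A healthy reply to the same request would contain an EAP Success (`<3>-<0><4>`, i.e. Code 3, same identifier, Length 4), a Message-Authenticator and both MPPE key attributes, and `audit_eap_reply` returns an empty list for it.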

