(RADIATOR) PEAP and Filter-ID

Berndt Sevcik berndt.sevcik at tgm.ac.at
Tue Jan 18 12:16:21 CST 2005


I configured 802.1x authentication with PEAP. Why do I get two Access
Accept messages?

I also added with AddToReply an attribute to the answer message
(Filter-Id = "Enterasys:version=1:policy=ITS") which is included in the
first access accept message. Why message is investigated by the access
point? When the last one is interpreted by the access point how can I
assign the Filter-ID Attribut also to this one?

I also attached my config at the end.

Thanks
Berndt

Tue Jan 18 18:59:57 2005: DEBUG: Handling request with Handler
'Client-Identifier = IntegerVLANTag'
Tue Jan 18 18:59:57 2005: DEBUG:  Deleting session for berndt.sevcik,
10.3.4.5,
Tue Jan 18 18:59:57 2005: DEBUG: Handling with Radius::AuthLDAP2:
Tue Jan 18 18:59:57 2005: INFO: Connecting to 10.2.4.22, port 389
Tue Jan 18 18:59:57 2005: INFO: Attempting to bind to LDAP server
10.2.4.22:389)
Tue Jan 18 18:59:57 2005: DEBUG: LDAP got result for
uid=berndt.sevcik,ou=People,ou=admin,dc=tgm,dc=ac,dc=at
Tue Jan 18 18:59:57 2005: DEBUG: LDAP got rcryptPassword: {rcrypt}xxxx
Tue Jan 18 18:59:57 2005: DEBUG: Radius::AuthLDAP2 looks for match with
berndt.sevcik
Tue Jan 18 18:59:57 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
Tue Jan 18 18:59:58 2005: DEBUG: Returned TTLS tunnelled Diameter Packet
dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <235>#<139><214><6><177>7<0><148>5<202><226>2<151><239><29>
Attributes:
        MS-CHAP2-Success =
"<147>S=2BD0EAE2485256CD3D22D5184043F195A0B072EE"
        MS-MPPE-Send-Key =
"<176><253>$~<171><231><251>x<188>#<167><182><208>H<174><136>Rp<136><166>q<253>hS}<155>B<234><243><147><210><147>&<128>"
        MS-MPPE-Recv-Key =
"<215><22>Qh<194><128><7><129><2><130><201><202><167><196>7<234><197><222><180><1>m$<188><161><184><22><176>or<238><6><176>>T"
        Filter-Id = "Enterasys:version=1:policy=ITS"

Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 3, EAP TTLS Inner
authentication challenged
Tue Jan 18 18:59:58 2005: DEBUG: Access challenged for berndt.sevcik:
EAP TTLS Inner authentication challenged
Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
*** Sending to 10.3.4.5 port 1046 ....
Code:       Access-Challenge
Identifier: 112
Authentic:  p:<0><0>/0<0><0><236>0<0><0><4>q<0><0>
Attributes:
        EAP-Message =
<1><7><0><227><21><128><0><0><0><217><23><3><1><0><212><168><192><137>Z<250>_x"<15><252>Is<178>C<198><234><221>''<246><16><131>s<190><241>;<192><11>F<204><187><194>btGH<183><219>M<252><7><145><227><19>OW<161><230><175><240><205><196><229><11><166><225><13><201><215>3<155>Q<141>:<129><246>o<222><218><28>P<155><193>_<134>[<131><13><129>l<173>Q<240>"Q<200><149><137><181><204><19><13><225><200><254>r<17><11>7<231><219>+g]<25> <14>)<140>u<21><5><13><135><9><253><127><148>x<209>.,b<5>c<174><246><147>A]<209>v<1><222><13><8><17>g<169><143>(X!<15>H<169>9<248>*<141>z?<219>.<201><168><238><147><235><172><211>b<227><213><237><159><222><163><134><186>A<11><243><238>A')<18><177>k_<9>Kr<15><2>l<138>cW<128>La<237>j<179><136><29><212><26>d<189><192><169>(<161><206>.<11>?<229>b
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
*** Received from 10.3.4.5 port 1046 ....
Code:       Access-Request
Identifier: 113
Authentic:  <137>e<0><0><183><0><0><0>0<15><0><0><176>q<0><0>
Attributes:
        Message-Authenticator = &{<137>o<187>Dl <197><235>o7<25>G<8>#
        User-Name = "berndt.sevcik"
        State = ""
        NAS-IP-Address = 10.3.4.5
        NAS-Port = 2
        NAS-Port-Type = Wireless-IEEE-802-11
        Calling-Station-Id = "00-0d-93-89-cc-6f"
        Framed-MTU = 1000
        EAP-Message = <2><7><0><6><21><0>

Tue Jan 18 18:59:58 2005: DEBUG: Handling request with Handler
'Client-Identifier = IntegerVLANTag'
Tue Jan 18 18:59:58 2005: DEBUG:  Deleting session for berndt.sevcik,
10.3.4.5, 2
Tue Jan 18 18:59:58 2005: DEBUG: Handling with Radius::AuthLDAP2:
Tue Jan 18 18:59:58 2005: DEBUG: Handling with EAP: code 2, 7, 6
Tue Jan 18 18:59:58 2005: DEBUG: Response type 21
Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 0,
Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
*** Sending to 10.3.4.5 port 1046 ....
Code:       Access-Accept
Identifier: 113
Authentic:  <137>e<0><0><183><0><0><0>0<15><0><0><176>q<0><0>
Attributes:
        MS-MPPE-Send-Key =
"<147><164>q<158><167>bS<239><191><152><155><225>kB<170><192>8X<200><220>$<195><203><210>I(Z]<5><159>f<253><217><184><138><207><148><210>Is<169><150><175>Kp#<201><236><151>W"
        MS-MPPE-Recv-Key =
"<167><246>R<181>v<157><22><14><132>pDQ<219><186>k~<175><255>>q<151>QH<237><133>8<14>%),<217>{<209><157><202><129>.<245><138>-<190><7><222><19><31>k<<223>&<199>"
        EAP-Message = <3><7><0><4>
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

My config:

# Foreground
LogStdout
LogDir          /var/log/radiator
LogFile         %L/radiator.log

DbDir           /etc/radiator
PidFile         /var/run/radiusd.pid
Trace           4

AuthPort 1645
AcctPort 1646

<Client 10.3.4.5>
        Secret  secret
        Identifier IntegerVLANTag
</Client>

<Handler Client-Identifier = IntegerVLANTag>
<AuthBy LDAP2>
    EAPType PEAP,TTLS
    EAPTLS_CAFile %D/certificates/cacert.pem
    EAPTLS_CertificateFile %D/certificates/edu-pdc02.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certificates/edu-pdc02.pem
    EAPTLS_PrivateKeyPassword whatever
    EAPTLS_MaxFragmentSize 1000
    AutoMPPEKeys
    #RewriteUsername s/(.*)\\(.*)/$2/
    RcryptKey   whatever
    Host                10.2.4.22
    AuthDN              cn=admin,dc=tgm,dc=ac,dc=at
    AuthPassword        whatever
    BaseDN              dc=tgm,dc=ac,dc=at
    UsernameAttr        uid
    PasswordAttr        rcryptPassword
    AuthAttrDef         radiusAuthType,GENERIC,check
    #ReplyAttr       radiusReplyItem
    Debug 255
    AddToReply Filter-Id = Enterasys:version=1:policy=ITS
</AuthBy>
  #  PostAuthHook file:"%D/hooks/vlan-ascii-to-binary-postauth"
</Handler>



--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list