(RADIATOR) PEAP and Filter-ID
Hugh Irvine
hugh at open.com.au
Tue Jan 18 17:51:56 CST 2005
Hello Berndt -
There is only one Access-Accept returned to the access point.
The first Access-Accept is dealt with inside Radiator and causes an
Access-Challenge to be sent to the NAS to complete the MS-CHAP
authentication.
Can you please tell me what version of Radiator you are using? The
latest version is Radiator 3.11 plus patches.
Please try the latest version and let me know how you get on.
regards
Hugh
On 19 Jan 2005, at 05:16, Berndt Sevcik wrote:
> I configured 802.1x authentication with PEAP. Why do I get two Access-Accept
> messages?
>
> I also added with AddToReply an attribute to the answer message
> (Filter-Id = "Enterasys:version=1:policy=ITS") which is included in the
> first Access-Accept message. Which message is investigated by the access
> point? When the last one is interpreted by the access point, how can I
> assign the Filter-Id attribute to this one as well?
>
> I also attached my config at the end.
>
> Thanks
> Berndt
>
> Tue Jan 18 18:59:57 2005: DEBUG: Handling request with Handler
> 'Client-Identifier = IntegerVLANTag'
> Tue Jan 18 18:59:57 2005: DEBUG: Deleting session for berndt.sevcik,
> 10.3.4.5,
> Tue Jan 18 18:59:57 2005: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Jan 18 18:59:57 2005: INFO: Connecting to 10.2.4.22, port 389
> Tue Jan 18 18:59:57 2005: INFO: Attempting to bind to LDAP server
> 10.2.4.22:389)
> Tue Jan 18 18:59:57 2005: DEBUG: LDAP got result for
> uid=berndt.sevcik,ou=People,ou=admin,dc=tgm,dc=ac,dc=at
> Tue Jan 18 18:59:57 2005: DEBUG: LDAP got rcryptPassword: {rcrypt}xxxx
> Tue Jan 18 18:59:57 2005: DEBUG: Radius::AuthLDAP2 looks for match with
> berndt.sevcik
> Tue Jan 18 18:59:57 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
> Tue Jan 18 18:59:58 2005: DEBUG: Returned TTLS tunnelled Diameter
> Packet
> dump:
> Code: Access-Accept
> Identifier: UNDEF
> Authentic: <235>#<139><214><6><177>7<0><148>5<202><226>2<151><239><29>
> Attributes:
> MS-CHAP2-Success =
> "<147>S=2BD0EAE2485256CD3D22D5184043F195A0B072EE"
> MS-MPPE-Send-Key =
> "<176><253>$~<171><231><251>x<188>#<167><182><208>H<174><136>Rp<136><16
> 6>q<253>hS}<155>B<234><243><147><210><147>&<128>"
> MS-MPPE-Recv-Key =
> "<215><22>Qh<194><128><7><129><2><130><201><202><167><196>7<234><197><2
> 22><180><1>m$<188><161><184><22><176>or<238><6><176>>T"
> Filter-Id = "Enterasys:version=1:policy=ITS"
>
> Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 3, EAP TTLS Inner
> authentication challenged
> Tue Jan 18 18:59:58 2005: DEBUG: Access challenged for berndt.sevcik:
> EAP TTLS Inner authentication challenged
> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
> *** Sending to 10.3.4.5 port 1046 ....
> Code: Access-Challenge
> Identifier: 112
> Authentic: p:<0><0>/0<0><0><236>0<0><0><4>q<0><0>
> Attributes:
> EAP-Message =
> <1><7><0><227><21><128><0><0><0><217><23><3><1><0><212><168><192><137>Z
> <250>_x"<15><252>Is<178>C<198><234><221>''<246><16><131>s<190><241>;
> <192><11>F<204><187><194>btGH<183><219>M<252><7><145><227><19>OW<161><2
> 30><175><240><205><196><229><11><166><225><13><201><215>3<155>Q<141>:
> <129><246>o<222><218><28>P<155><193>_<134>[<131><13><129>l<173>Q<240>"Q
> <200><149><137><181><204><19><13><225><200><254>r<17><11>7<231><219>+g]
> <25>
> <14>)<140>u<21><5><13><135><9><253><127><148>x<209>.,b<5>c<174><246><14
> 7>A]<209>v<1><222><13><8><17>g<169><143>(X!<15>H<169>9<248>*<141>z?
> <219>.<201><168><238><147><235><172><211>b<227><213><237><159><222><163
> ><134><186>A<11><243><238>A')<18><177>k_<9>Kr<15><2>l<138>cW<128>La<237
> >j<179><136><29><212><26>d<189><192><169>(<161><206>.<11>?<229>b
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
> *** Received from 10.3.4.5 port 1046 ....
> Code: Access-Request
> Identifier: 113
> Authentic: <137>e<0><0><183><0><0><0>0<15><0><0><176>q<0><0>
> Attributes:
> Message-Authenticator = &{<137>o<187>Dl <197><235>o7<25>G<8>#
> User-Name = "berndt.sevcik"
> State = ""
> NAS-IP-Address = 10.3.4.5
> NAS-Port = 2
> NAS-Port-Type = Wireless-IEEE-802-11
> Calling-Station-Id = "00-0d-93-89-cc-6f"
> Framed-MTU = 1000
> EAP-Message = <2><7><0><6><21><0>
>
> Tue Jan 18 18:59:58 2005: DEBUG: Handling request with Handler
> 'Client-Identifier = IntegerVLANTag'
> Tue Jan 18 18:59:58 2005: DEBUG: Deleting session for berndt.sevcik,
> 10.3.4.5, 2
> Tue Jan 18 18:59:58 2005: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Jan 18 18:59:58 2005: DEBUG: Handling with EAP: code 2, 7, 6
> Tue Jan 18 18:59:58 2005: DEBUG: Response type 21
> Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 0,
> Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
> *** Sending to 10.3.4.5 port 1046 ....
> Code: Access-Accept
> Identifier: 113
> Authentic: <137>e<0><0><183><0><0><0>0<15><0><0><176>q<0><0>
> Attributes:
> MS-MPPE-Send-Key =
> "<147><164>q<158><167>bS<239><191><152><155><225>kB<170><192>8X<200><22
> 0>$<195><203><210>I(Z]<5><159>f<253><217><184><138><207><148><210>Is<16
> 9><150><175>Kp#<201><236><151>W"
> MS-MPPE-Recv-Key =
> "<167><246>R<181>v<157><22><14><132>pDQ<219><186>k~<175><255>>q<151>QH<
> 237><133>8<14>%),<217>{<209><157><202><129>.<245><138>-
> <190><7><222><19><31>k<<223>&<199>"
> EAP-Message = <3><7><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> My config:
>
> # Foreground
> LogStdout
> LogDir /var/log/radiator
> LogFile %L/radiator.log
>
> DbDir /etc/radiator
> PidFile /var/run/radiusd.pid
> Trace 4
>
> AuthPort 1645
> AcctPort 1646
>
> <Client 10.3.4.5>
> Secret secret
> Identifier IntegerVLANTag
> </Client>
>
> <Handler Client-Identifier = IntegerVLANTag>
> <AuthBy LDAP2>
> EAPType PEAP,TTLS
> EAPTLS_CAFile %D/certificates/cacert.pem
> EAPTLS_CertificateFile %D/certificates/edu-pdc02.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/edu-pdc02.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> #RewriteUsername s/(.*)\\(.*)/$2/
> RcryptKey whatever
> Host 10.2.4.22
> AuthDN cn=admin,dc=tgm,dc=ac,dc=at
> AuthPassword whatever
> BaseDN dc=tgm,dc=ac,dc=at
> UsernameAttr uid
> PasswordAttr rcryptPassword
> AuthAttrDef radiusAuthType,GENERIC,check
> #ReplyAttr radiusReplyItem
> Debug 255
> AddToReply Filter-Id = Enterasys:version=1:policy=ITS
> </AuthBy>
> # PostAuthHook file:"%D/hooks/vlan-ascii-to-binary-postauth"
> </Handler>
>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
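As an added example (not code from the thread or from Radiator itself), the script below reads a Radiator trace 4 log and separates the tunnelled reply, which never leaves the server, from the packets that are actually sent to or received from the NAS. Run over a trace like the one quoted above it makes Hugh's point visible: the Filter-Id sits in the inner (tunnelled) Access-Accept, while the only Access-Accept that reaches the access point carries just the MPPE keys and the EAP Success. The sample trace is a constructed, abbreviated version of the one in the thread (keys and EAP payloads shortened to "..."), and the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an abbreviated Radiator trace 4 log modelled on the one
# quoted in the thread. Binary values are shortened to "..." for readability.
SAMPLE_TRACE = """\
Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
Tue Jan 18 18:59:58 2005: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <235>#<139>...
Attributes:
        MS-CHAP2-Success = "<147>S=2BD0EAE2485256CD3D22D5184043F195A0B072EE"
        MS-MPPE-Send-Key =
 "<176><253>$~...
 6>q<253>hS}..."
        Filter-Id = "Enterasys:version=1:policy=ITS"

Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 3, EAP TTLS Inner authentication challenged
Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
*** Sending to 10.3.4.5 port 1046 ....
Code:       Access-Challenge
Identifier: 112
Authentic:  p:<0><0>/0...
Attributes:
        EAP-Message = <1><7><0><227><21><128>...
        Message-Authenticator = <0><0><0><0>...

Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
*** Received from 10.3.4.5 port 1046 ....
Code:       Access-Request
Identifier: 113
Authentic:  <137>e<0><0>...
Attributes:
        User-Name = "berndt.sevcik"
        NAS-IP-Address = 10.3.4.5
        EAP-Message = <2><7><0><6><21><0>

Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
*** Sending to 10.3.4.5 port 1046 ....
Code:       Access-Accept
Identifier: 113
Authentic:  <137>e<0><0>...
Attributes:
        MS-MPPE-Send-Key = "<147><164>q..."
        MS-MPPE-Recv-Key = "<167><246>R..."
        EAP-Message = <3><7><0><4>
        Message-Authenticator = <0><0><0><0>...
"""


@dataclass
class Packet:
    scope: str                  # "inner" (tunnelled, server-internal), "sent" or "received"
    peer: str                   # NAS host:port for sent/received packets, "" for inner
    code: str
    identifier: str
    attrs: dict = field(default_factory=dict)


INNER_RE = re.compile(r"DEBUG: Returned \w+ tunnelled Diameter Packet dump:")
OUTER_RE = re.compile(r"DEBUG: Packet dump:")
LOG_RE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}: ")   # any timestamped log line
PEER_RE = re.compile(r"^\*\*\* (Sending to|Received from) (\S+) port (\d+)")
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*) =\s*(.*)$")


def parse_trace(text):
    """Split a Radiator trace 4 log into the packet dumps it contains."""
    packets, current, in_attrs, last = [], None, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if INNER_RE.search(line):
            current = Packet("inner", "", "", "")
            packets.append(current); in_attrs, last = False, None
            continue
        if OUTER_RE.search(line):
            current = Packet("outer", "", "", "")   # direction is set by the *** line
            packets.append(current); in_attrs, last = False, None
            continue
        if current is None or LOG_RE.match(line) or not line:
            current = None                          # a new log line or blank ends the dump
            continue
        m = PEER_RE.match(line)
        if m:
            current.scope = "sent" if m.group(1) == "Sending to" else "received"
            current.peer = f"{m.group(2)}:{m.group(3)}"
        elif line.startswith("Code:"):
            current.code = line.split(":", 1)[1].strip()
        elif line.startswith("Identifier:"):
            current.identifier = line.split(":", 1)[1].strip()
        elif line == "Attributes:":
            in_attrs = True
        elif in_attrs:
            m = ATTR_RE.match(line)
            if m:
                last = m.group(1)
                current.attrs[last] = m.group(2)
            elif last is not None:
                current.attrs[last] += line         # wrapped continuation of a long value
    return packets


def attribute_reached_nas(packets, name):
    """True only if `name` is in an Access-Accept that was actually sent to the NAS."""
    return any(p.scope == "sent" and p.code == "Access-Accept" and name in p.attrs
               for p in packets)


def summarize(packets):
    rows = []
    for p in packets:
        where = "tunnel (server-internal)" if p.scope == "inner" else f"{p.scope} {p.peer}"
        rows.append(f"{p.code:<16} id={p.identifier:<5} {where:<28} attrs={sorted(p.attrs)}")
    return rows


if __name__ == "__main__":
    pk = parse_trace(SAMPLE_TRACE)
    for row in summarize(pk):
        print(row)
    print("Filter-Id reached the NAS:", attribute_reached_nas(pk, "Filter-Id"))
```

Pointing the script at a full trace file (replace SAMPLE_TRACE with the file contents) gives a quick way to confirm, after upgrading or changing the reply configuration, whether a policy attribute is present in the packet the access point actually sees rather than only in the tunnelled one.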