(RADIATOR) PEAP and Filter-ID
Hugh Irvine
hugh at open.com.au
Wed Jan 19 01:48:12 CST 2005
Hello Berndt -
Have you installed all the latest patches?
regards
Hugh
On 19 Jan 2005, at 18:15, Berndt Sevcik wrote:
> I am using already the latest version of Radiator (3.11).
>
> Berndt
>
> On 19.01.2005 at 00:51 Hugh Irvine wrote:
>
>>
>> Hello Berndt -
>>
>> There is only one Access-Accept returned to the access point.
>>
>> The first Access-Accept is dealt with inside Radiator and causes an
>> Access-Challenge to be sent to the NAS to complete the MS-CHAP
>> authentication.
>>
>> Can you please tell me what version of Radiator you are using? The
>> latest version is Radiator 3.11 plus patches.
>>
>> Please try the latest version and let me know how you get on.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 19 Jan 2005, at 05:16, Berndt Sevcik wrote:
>>
>>> I configured 802.1x authentication with PEAP. Why do I get two Access
>>> Accept messages?
>>>
>>> I also added with AddToReply an attribute to the answer message
>>> (Filter-Id = "Enterasys:version=1:policy=ITS") which is included in the
>>> first Access-Accept message. Which message is investigated by the access
>>> point? When the last one is interpreted by the access point, how can I
>>> assign the Filter-Id attribute to this one as well?
>>>
>>> I also attached my config at the end.
>>>
>>> Thanks
>>> Berndt
>>>
>>> Tue Jan 18 18:59:57 2005: DEBUG: Handling request with Handler 'Client-Identifier = IntegerVLANTag'
>>> Tue Jan 18 18:59:57 2005: DEBUG: Deleting session for berndt.sevcik, 10.3.4.5,
>>> Tue Jan 18 18:59:57 2005: DEBUG: Handling with Radius::AuthLDAP2:
>>> Tue Jan 18 18:59:57 2005: INFO: Connecting to 10.2.4.22, port 389
>>> Tue Jan 18 18:59:57 2005: INFO: Attempting to bind to LDAP server 10.2.4.22:389)
>>> Tue Jan 18 18:59:57 2005: DEBUG: LDAP got result for uid=berndt.sevcik,ou=People,ou=admin,dc=tgm,dc=ac,dc=at
>>> Tue Jan 18 18:59:57 2005: DEBUG: LDAP got rcryptPassword: {rcrypt}xxxx
>>> Tue Jan 18 18:59:57 2005: DEBUG: Radius::AuthLDAP2 looks for match with berndt.sevcik
>>> Tue Jan 18 18:59:57 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
>>> Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
>>> Tue Jan 18 18:59:58 2005: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
>>> Code: Access-Accept
>>> Identifier: UNDEF
>>> Authentic:
>>> <235>#<139><214><6><177>7<0><148>5<202><226>2<151><239><29>
>>> Attributes:
>>> MS-CHAP2-Success =
>>> "<147>S=2BD0EAE2485256CD3D22D5184043F195A0B072EE"
>>> MS-MPPE-Send-Key =
>>> "<176><253>$~<171><231><251>x<188>#<167><182><208>H<174><136>Rp<136><
>>> 166>q<253>hS}<155>B<234><243><147><210><147>&<128>"
>>> MS-MPPE-Recv-Key =
>>> "<215><22>Qh<194><128><7><129><2><130><201><202><167><196>7<234><197>
>>> <222><180><1>m$<188><161><184><22><176>or<238><6><176>>T"
>>> Filter-Id = "Enterasys:version=1:policy=ITS"
>>>
>>> Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 3, EAP TTLS Inner authentication challenged
>>> Tue Jan 18 18:59:58 2005: DEBUG: Access challenged for berndt.sevcik: EAP TTLS Inner authentication challenged
>>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
>>> *** Sending to 10.3.4.5 port 1046 ....
>>> Code: Access-Challenge
>>> Identifier: 112
>>> Authentic: p:<0><0>/0<0><0><236>0<0><0><4>q<0><0>
>>> Attributes:
>>> EAP-Message =
>>> <1><7><0><227><21><128><0><0><0><217><23><3><1><0><212><168><192><137
>>> >Z<250>_x"<15><252>Is<178>C<198><234><221>''<246><16><131>s<190><241>
>>> ;
>>> <192><11>F<204><187><194>btGH<183><219>M<252><7><145><227><19>OW<161>
>>> <230><175><240><205><196><229><11><166><225><13><201><215>3<155>Q<141
>>> >:
>>> <129><246>o<222><218><28>P<155><193>_<134>[<131><13><129>l<173>Q<240>
>>> "Q<200><149><137><181><204><19><13><225><200><254>r<17><11>7<231><219
>>> >+g]<25>
>>> <14>)<140>u<21><5><13><135><9><253><127><148>x<209>.,b<5>c<174><246><
>>> 147>A]<209>v<1><222><13><8><17>g<169><143>(X!
>>> <15>H<169>9<248>*<141>z?
>>> <219>.<201><168><238><147><235><172><211>b<227><213><237><159><222><1
>>> 63><134><186>A<11><243><238>A')<18><177>k_<9>Kr<15><2>l<138>cW<128>La
>>> <237>j<179><136><29><212><26>d<189><192><169>(<161><206>.<11>?<229>b
>>> Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
>>> *** Received from 10.3.4.5 port 1046 ....
>>> Code: Access-Request
>>> Identifier: 113
>>> Authentic: <137>e<0><0><183><0><0><0>0<15><0><0><176>q<0><0>
>>> Attributes:
>>> Message-Authenticator = &{<137>o<187>Dl <197><235>o7<25>G<8>#
>>> User-Name = "berndt.sevcik"
>>> State = ""
>>> NAS-IP-Address = 10.3.4.5
>>> NAS-Port = 2
>>> NAS-Port-Type = Wireless-IEEE-802-11
>>> Calling-Station-Id = "00-0d-93-89-cc-6f"
>>> Framed-MTU = 1000
>>> EAP-Message = <2><7><0><6><21><0>
>>>
>>> Tue Jan 18 18:59:58 2005: DEBUG: Handling request with Handler 'Client-Identifier = IntegerVLANTag'
>>> Tue Jan 18 18:59:58 2005: DEBUG: Deleting session for berndt.sevcik, 10.3.4.5, 2
>>> Tue Jan 18 18:59:58 2005: DEBUG: Handling with Radius::AuthLDAP2:
>>> Tue Jan 18 18:59:58 2005: DEBUG: Handling with EAP: code 2, 7, 6
>>> Tue Jan 18 18:59:58 2005: DEBUG: Response type 21
>>> Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 0,
>>> Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
>>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
>>> *** Sending to 10.3.4.5 port 1046 ....
>>> Code: Access-Accept
>>> Identifier: 113
>>> Authentic: <137>e<0><0><183><0><0><0>0<15><0><0><176>q<0><0>
>>> Attributes:
>>> MS-MPPE-Send-Key =
>>> "<147><164>q<158><167>bS<239><191><152><155><225>kB<170><192>8X<200><
>>> 220>$<195><203><210>I(Z]<5><159>f<253><217><184><138><207><148><210>I
>>> s<169><150><175>Kp#<201><236><151>W"
>>> MS-MPPE-Recv-Key =
>>> "<167><246>R<181>v<157><22><14><132>pDQ<219><186>k~<175><255>>q<151>Q
>>> H<237><133>8<14>%),<217>{<209><157><202><129>.<245><138>-
>>> <190><7><222><19><31>k<<223>&<199>"
>>> EAP-Message = <3><7><0><4>
>>> Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> My config:
>>>
>>> # Foreground
>>> LogStdout
>>> LogDir /var/log/radiator
>>> LogFile %L/radiator.log
>>>
>>> DbDir /etc/radiator
>>> PidFile /var/run/radiusd.pid
>>> Trace 4
>>>
>>> AuthPort 1645
>>> AcctPort 1646
>>>
>>> <Client 10.3.4.5>
>>> Secret secret
>>> Identifier IntegerVLANTag
>>> </Client>
>>>
>>> <Handler Client-Identifier = IntegerVLANTag>
>>> <AuthBy LDAP2>
>>> EAPType PEAP,TTLS
>>> EAPTLS_CAFile %D/certificates/cacert.pem
>>> EAPTLS_CertificateFile %D/certificates/edu-pdc02.pem
>>> EAPTLS_CertificateType PEM
>>> EAPTLS_PrivateKeyFile %D/certificates/edu-pdc02.pem
>>> EAPTLS_PrivateKeyPassword whatever
>>> EAPTLS_MaxFragmentSize 1000
>>> AutoMPPEKeys
>>> #RewriteUsername s/(.*)\\(.*)/$2/
>>> RcryptKey whatever
>>> Host 10.2.4.22
>>> AuthDN cn=admin,dc=tgm,dc=ac,dc=at
>>> AuthPassword whatever
>>> BaseDN dc=tgm,dc=ac,dc=at
>>> UsernameAttr uid
>>> PasswordAttr rcryptPassword
>>> AuthAttrDef radiusAuthType,GENERIC,check
>>> #ReplyAttr radiusReplyItem
>>> Debug 255
>>> AddToReply Filter-Id = Enterasys:version=1:policy=ITS
>>> </AuthBy>
>>> # PostAuthHook file:"%D/hooks/vlan-ascii-to-binary-postauth"
>>> </Handler>
>>>
>>>
>>>
>>
>>
> -----------------------------------------
> TGM - Die Schule der Technik
> IT-Service
> A-1200 Wien, Wexstr. 19-23
> Tel. +43(1)33126/316 Fax: +43(1)33126/154
> E-Mail: berndt.sevcik at tgm.ac.at
> -----------------------------------------
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
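To make Hugh's point checkable against a trace-4 log, here is an added example (not from the thread and not Radiator's own code) that parses the packet dumps, separates the tunnelled inner result from the packets actually sent to the NAS, and reports which inner reply attributes did not reach the outer Access-Accept. The embedded trace excerpt is constructed to mirror the shape of the one quoted above, with the key material replaced by placeholders.

```python
import re

# Constructed excerpt in the shape of a Radiator trace-4 log (not the
# original post's full trace): an inner (tunnelled) Access-Accept carrying
# Filter-Id, the outer Access-Challenge, and the single outer Access-Accept
# that reaches the NAS without Filter-Id.
SAMPLE_TRACE = """\
DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code: Access-Accept
Identifier: UNDEF
Attributes:
MS-CHAP2-Success = "S=PLACEHOLDER"
Filter-Id = "Enterasys:version=1:policy=ITS"

DEBUG: Packet dump:
*** Sending to 10.3.4.5 port 1046 ....
Code: Access-Challenge
Identifier: 112
Attributes:
EAP-Message = <1><7><0><227>

DEBUG: Packet dump:
*** Sending to 10.3.4.5 port 1046 ....
Code: Access-Accept
Identifier: 113
Attributes:
MS-MPPE-Send-Key = "PLACEHOLDER"
EAP-Message = <3><7><0><4>
"""

ATTR_RE = re.compile(r"^([\w-]+) = (.*)$")

def parse_packet_dumps(trace):
    """Split a trace into packet dumps, tagging each as the tunnelled inner
    result ('inner') or an outer packet sent to / received from the NAS."""
    dumps, cur = [], None
    for line in trace.splitlines():
        attr = ATTR_RE.match(line)
        if "tunnelled" in line and line.endswith("Packet dump:"):
            cur = {"scope": "inner", "code": None, "attrs": {}}
            dumps.append(cur)
        elif line.endswith("Packet dump:"):
            cur = {"scope": "outer", "code": None, "attrs": {}}
            dumps.append(cur)
        elif cur is None:
            continue  # lines before the first dump are not packet content
        elif line.startswith("*** Sending to"):
            cur["scope"] = "outer-sent"
        elif line.startswith("*** Received from"):
            cur["scope"] = "outer-recv"
        elif line.startswith("Code: "):
            cur["code"] = line[len("Code: "):]
        elif attr:
            cur["attrs"][attr.group(1)] = attr.group(2)
    return dumps

def count_accepts_sent_to_nas(trace):
    """How many Access-Accepts actually left the server towards the NAS."""
    return sum(1 for d in parse_packet_dumps(trace)
               if d["scope"] == "outer-sent" and d["code"] == "Access-Accept")

def dropped_from_outer_accept(trace):
    """Attributes present in the inner Access-Accept but absent from the
    Access-Accept sent to the NAS (sorted); empty means everything survived."""
    dumps = parse_packet_dumps(trace)
    inner = [d for d in dumps if d["scope"] == "inner" and d["code"] == "Access-Accept"]
    outer = [d for d in dumps if d["scope"] == "outer-sent" and d["code"] == "Access-Accept"]
    if not inner or not outer:
        return []
    return sorted(set(inner[-1]["attrs"]) - set(outer[-1]["attrs"]))
```

Run against a real trace, an empty result from dropped_from_outer_accept() means the reply attribute reached the access point; MS-CHAP2-Success is expected to be consumed inside the tunnel and is listed only because it never appears in the outer packet.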