(RADIATOR) PEAP and Filter-ID

Berndt Sevcik berndt.sevcik at tgm.ac.at
Wed Jan 19 08:33:57 CST 2005


Also with the latest patches.

regards

Berndt
On Wed, 19.01.2005 at 8:48, Hugh Irvine wrote:
> Hello Berndt -
> 
> Have you installed all the latest patches?
> 
> regards
> 
> Hugh
> 
> 
> On 19 Jan 2005, at 18:15, Berndt Sevcik wrote:
> 
> > I am already using the latest version of Radiator (3.11).
> >
> > Berndt
> >
> > On 19.01.2005 at 00:51, Hugh Irvine wrote:
> >
> >>
> >> Hello Berndt -
> >>
> >> There is only one Access-Accept returned to the access point.
> >>
> >> The first Access-Accept is dealt with inside Radiator and causes an  
> >> Access-Challenge to be sent to the NAS to complete the MS-CHAP  
> >> authentication.
> >>
> >> Can you please tell me what version of Radiator you are using? The  
> >> latest version is Radiator 3.11 plus patches.
> >>
> >> Please try the latest version and let me know how you get on.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On 19 Jan 2005, at 05:16, Berndt Sevcik wrote:
> >>
> >>> I configured 802.1x authentication with PEAP. Why do I get two
> >>> Access-Accept messages?
> >>>
> >>> I also added an attribute to the answer message with AddToReply
> >>> (Filter-Id = "Enterasys:version=1:policy=ITS"), which is included in
> >>> the first Access-Accept message. Which message is investigated by the
> >>> access point? When the last one is interpreted by the access point,
> >>> how can I assign the Filter-Id attribute to that one as well?
> >>>
> >>> I also attached my config at the end.
> >>>
> >>> Thanks
> >>> Berndt
> >>>
> >>> Tue Jan 18 18:59:57 2005: DEBUG: Handling request with Handler 'Client-Identifier = IntegerVLANTag'
> >>> Tue Jan 18 18:59:57 2005: DEBUG:  Deleting session for berndt.sevcik, 10.3.4.5,
> >>> Tue Jan 18 18:59:57 2005: DEBUG: Handling with Radius::AuthLDAP2:
> >>> Tue Jan 18 18:59:57 2005: INFO: Connecting to 10.2.4.22, port 389
> >>> Tue Jan 18 18:59:57 2005: INFO: Attempting to bind to LDAP server 10.2.4.22:389)
> >>> Tue Jan 18 18:59:57 2005: DEBUG: LDAP got result for uid=berndt.sevcik,ou=People,ou=admin,dc=tgm,dc=ac,dc=at
> >>> Tue Jan 18 18:59:57 2005: DEBUG: LDAP got rcryptPassword: {rcrypt}xxxx
> >>> Tue Jan 18 18:59:57 2005: DEBUG: Radius::AuthLDAP2 looks for match with berndt.sevcik
> >>> Tue Jan 18 18:59:57 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> >>> Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
> >>> Tue Jan 18 18:59:58 2005: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
> >>> Code:       Access-Accept
> >>> Identifier: UNDEF
> >>> Authentic:  <235>#<139><214><6><177>7<0><148>5<202><226>2<151><239><29>
> >>> Attributes:
> >>>         MS-CHAP2-Success = "<147>S=2BD0EAE2485256CD3D22D5184043F195A0B072EE"
> >>>         MS-MPPE-Send-Key = "<176><253>$~<171><231><251>x<188>#<167><182><208>H<174><136>Rp<136><166>q<253>hS}<155>B<234><243><147><210><147>&<128>"
> >>>         MS-MPPE-Recv-Key = "<215><22>Qh<194><128><7><129><2><130><201><202><167><196>7<234><197><222><180><1>m$<188><161><184><22><176>or<238><6><176>>T"
> >>>         Filter-Id = "Enterasys:version=1:policy=ITS"
> >>>
> >>> Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 3, EAP TTLS Inner authentication challenged
> >>> Tue Jan 18 18:59:58 2005: DEBUG: Access challenged for berndt.sevcik: EAP TTLS Inner authentication challenged
> >>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
> >>> *** Sending to 10.3.4.5 port 1046 ....
> >>> Code:       Access-Challenge
> >>> Identifier: 112
> >>> Authentic:  p:<0><0>/0<0><0><236>0<0><0><4>q<0><0>
> >>> Attributes:
> >>>         EAP-Message =
> >>> <1><7><0><227><21><128><0><0><0><217><23><3><1><0><212><168><192><137 
> >>> >Z<250>_x"<15><252>Is<178>C<198><234><221>''<246><16><131>s<190><241> 
> >>> ; 
> >>> <192><11>F<204><187><194>btGH<183><219>M<252><7><145><227><19>OW<161> 
> >>> <230><175><240><205><196><229><11><166><225><13><201><215>3<155>Q<141 
> >>> >: 
> >>> <129><246>o<222><218><28>P<155><193>_<134>[<131><13><129>l<173>Q<240> 
> >>> "Q<200><149><137><181><204><19><13><225><200><254>r<17><11>7<231><219 
> >>> >+g]<25>  
> >>> <14>)<140>u<21><5><13><135><9><253><127><148>x<209>.,b<5>c<174><246>< 
> >>> 147>A]<209>v<1><222><13><8><17>g<169><143>(X! 
> >>> <15>H<169>9<248>*<141>z? 
> >>> <219>.<201><168><238><147><235><172><211>b<227><213><237><159><222><1 
> >>> 63><134><186>A<11><243><238>A')<18><177>k_<9>Kr<15><2>l<138>cW<128>La 
> >>> <237>j<179><136><29><212><26>d<189><192><169>(<161><206>.<11>?<229>b
> >>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>>
> >>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
> >>> *** Received from 10.3.4.5 port 1046 ....
> >>> Code:       Access-Request
> >>> Identifier: 113
> >>> Authentic:  <137>e<0><0><183><0><0><0>0<15><0><0><176>q<0><0>
> >>> Attributes:
> >>>         Message-Authenticator = &{<137>o<187>Dl <197><235>o7<25>G<8>#
> >>>         User-Name = "berndt.sevcik"
> >>>         State = ""
> >>>         NAS-IP-Address = 10.3.4.5
> >>>         NAS-Port = 2
> >>>         NAS-Port-Type = Wireless-IEEE-802-11
> >>>         Calling-Station-Id = "00-0d-93-89-cc-6f"
> >>>         Framed-MTU = 1000
> >>>         EAP-Message = <2><7><0><6><21><0>
> >>>
> >>> Tue Jan 18 18:59:58 2005: DEBUG: Handling request with Handler 'Client-Identifier = IntegerVLANTag'
> >>> Tue Jan 18 18:59:58 2005: DEBUG:  Deleting session for berndt.sevcik, 10.3.4.5, 2
> >>> Tue Jan 18 18:59:58 2005: DEBUG: Handling with Radius::AuthLDAP2:
> >>> Tue Jan 18 18:59:58 2005: DEBUG: Handling with EAP: code 2, 7, 6
> >>> Tue Jan 18 18:59:58 2005: DEBUG: Response type 21
> >>> Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 0,
> >>> Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
> >>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
> >>> *** Sending to 10.3.4.5 port 1046 ....
> >>> Code:       Access-Accept
> >>> Identifier: 113
> >>> Authentic:  <137>e<0><0><183><0><0><0>0<15><0><0><176>q<0><0>
> >>> Attributes:
> >>>         MS-MPPE-Send-Key = "<147><164>q<158><167>bS<239><191><152><155><225>kB<170><192>8X<200><220>$<195><203><210>I(Z]<5><159>f<253><217><184><138><207><148><210>Is<169><150><175>Kp#<201><236><151>W"
> >>>         MS-MPPE-Recv-Key = "<167><246>R<181>v<157><22><14><132>pDQ<219><186>k~<175><255>>q<151>QH<237><133>8<14>%),<217>{<209><157><202><129>.<245><138>-<190><7><222><19><31>k<<223>&<199>"
> >>>         EAP-Message = <3><7><0><4>
> >>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >>>
> >>> My config:
> >>>
> >>> # Foreground
> >>> LogStdout
> >>> LogDir          /var/log/radiator
> >>> LogFile         %L/radiator.log
> >>>
> >>> DbDir           /etc/radiator
> >>> PidFile         /var/run/radiusd.pid
> >>> Trace           4
> >>>
> >>> AuthPort 1645
> >>> AcctPort 1646
> >>>
> >>> <Client 10.3.4.5>
> >>>         Secret  secret
> >>>         Identifier IntegerVLANTag
> >>> </Client>
> >>>
> >>> <Handler Client-Identifier = IntegerVLANTag>
> >>> <AuthBy LDAP2>
> >>>     EAPType PEAP,TTLS
> >>>     EAPTLS_CAFile %D/certificates/cacert.pem
> >>>     EAPTLS_CertificateFile %D/certificates/edu-pdc02.pem
> >>>     EAPTLS_CertificateType PEM
> >>>     EAPTLS_PrivateKeyFile %D/certificates/edu-pdc02.pem
> >>>     EAPTLS_PrivateKeyPassword whatever
> >>>     EAPTLS_MaxFragmentSize 1000
> >>>     AutoMPPEKeys
> >>>     #RewriteUsername s/(.*)\\(.*)/$2/
> >>>     RcryptKey   whatever
> >>>     Host                10.2.4.22
> >>>     AuthDN              cn=admin,dc=tgm,dc=ac,dc=at
> >>>     AuthPassword        whatever
> >>>     BaseDN              dc=tgm,dc=ac,dc=at
> >>>     UsernameAttr        uid
> >>>     PasswordAttr        rcryptPassword
> >>>     AuthAttrDef         radiusAuthType,GENERIC,check
> >>>     #ReplyAttr       radiusReplyItem
> >>>     Debug 255
> >>>     AddToReply Filter-Id = Enterasys:version=1:policy=ITS
> >>> </AuthBy>
> >>>   #  PostAuthHook file:"%D/hooks/vlan-ascii-to-binary-postauth"
> >>> </Handler>
> >>>
> >>>
> >>>
> >>> --
> >>> Archive at http://www.open.com.au/archives/radiator/
> >>> Announcements on radiator-announce at open.com.au
> >>> To unsubscribe, email 'majordomo at open.com.au' with
> >>> 'unsubscribe radiator' in the body of the message.
> >>>
> >>>
> >>
> >> NB:
> >>
> >> Have you read the reference manual ("doc/ref.html")?
> >> Have you searched the mailing list archive  
> >> (www.open.com.au/archives/radiator)?
> >> Have you had a quick look on Google (www.google.com)?
> >> Have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
> >>
> >> -- 
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >> -
> >> Nets: internetwork inventory and management - graphical, extensible,
> >> flexible with hardware, software, platform and database independence.
> >> -
> >> CATool: Private Certificate Authority for Unix and Unix-like systems.
> >>
> >>
> >  -----------------------------------------
> >  TGM - Die Schule der Technik
> >  IT-Service
> >  A-1200 Wien, Wexstr. 19-23
> >  Tel. +43(1)33126/316 Fax: +43(1)33126/154
> >  E-Mail: berndt.sevcik at tgm.ac.at
> >  -----------------------------------------
> >
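The point Hugh makes above (the inner Access-Accept is consumed inside Radiator, and only the outer Access-Accept reaches the access point) is easy to verify from a trace 4 log. The following script is an added example, not code from the thread or from Radiator: it splits the "Returned ... tunnelled Diameter Packet dump" blocks from the "*** Sending to" / "*** Received from" wire dumps and reports whether a reply attribute such as Filter-Id is present in the packet that is actually delivered to the NAS. The log format it parses is assumed from the trace shown in this thread, and the embedded sample log is a constructed, shortened copy of that trace with key material replaced by "<redacted>".

```python
"""Audit a Radiator trace-4 log: which reply attributes actually reach the NAS?

With PEAP/TTLS the inner (tunnelled) authentication produces an Access-Accept
that Radiator consumes internally; only the outer Access-Accept is sent to the
access point. This added example separates the two kinds of packet dump and
reports attributes that appear in an inner accept but not in the outer accept
delivered to the NAS. The dump format is assumed from the trace in the thread.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    kind: str                 # "inner": tunnelled, never leaves Radiator; "outer": on the wire
    direction: str            # "sent", "received" or "tunnelled"
    peer: Optional[str]       # NAS address:port for outer packets
    code: str = ""
    identifier: str = ""
    attrs: dict = field(default_factory=dict)

# Trace lines start with a timestamp and a level, e.g. "Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:"
LOG_LINE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}: \w+: (.*)$")
DUMP_HDR = re.compile(r"^(Returned \S+ tunnelled Diameter )?Packet dump:$")
PEER = re.compile(r"^\*\*\* (Sending to|Received from) (\S+) port (\d+)")
FIELD = re.compile(r"^(Code|Identifier|Authentic):\s*(.*)$")
ATTR = re.compile(r"^\s+([\w-]+) =\s*(.*)$")

def parse_packets(log_text: str) -> list[Packet]:
    """Collect every packet dump in the log, with its attributes."""
    packets: list[Packet] = []
    current: Optional[Packet] = None
    pending_attr: Optional[str] = None   # attribute whose value wrapped onto the next line
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = LOG_LINE.match(line)
        if m:
            # Any timestamped line ends the previous dump; a "Packet dump:" line starts a new one.
            current, pending_attr = None, None
            h = DUMP_HDR.match(m.group(1))
            if h:
                inner = h.group(1) is not None
                current = Packet(kind="inner" if inner else "outer",
                                 direction="tunnelled" if inner else "unknown", peer=None)
                packets.append(current)
            continue
        if current is None:
            continue
        if not line.strip():                 # blank line closes the dump
            current, pending_attr = None, None
            continue
        if pending_attr is not None:         # continuation of a wrapped "Name =" line
            current.attrs[pending_attr] = line.strip()
            pending_attr = None
            continue
        p = PEER.match(line)
        if p:
            current.direction = "sent" if p.group(1) == "Sending to" else "received"
            current.peer = f"{p.group(2)}:{p.group(3)}"
            continue
        f = FIELD.match(line)
        if f:
            if f.group(1) == "Code":
                current.code = f.group(2)
            elif f.group(1) == "Identifier":
                current.identifier = f.group(2)
            continue
        a = ATTR.match(line)
        if a:
            name, value = a.group(1), a.group(2)
            if value:
                current.attrs[name] = value
            else:
                pending_attr = name
    return packets

def audit_reply_attribute(log_text: str, attr: str = "Filter-Id") -> dict:
    """Report where `attr` appears: inner accepts vs. outer accepts sent to the NAS."""
    packets = parse_packets(log_text)
    inner = [p for p in packets if p.kind == "inner" and p.code == "Access-Accept"]
    outer = [p for p in packets if p.kind == "outer" and p.direction == "sent"
             and p.code == "Access-Accept"]
    return {
        "inner_accepts": len(inner),
        "outer_accepts_to_nas": len(outer),
        "inner_with_attr": sum(attr in p.attrs for p in inner),
        "outer_with_attr": sum(attr in p.attrs for p in outer),
        # The policy is only enforced if the NAS sees the attribute on the wire.
        "attr_reaches_nas": any(attr in p.attrs for p in outer),
    }

# Constructed sample: a shortened copy of the trace in this thread, keys replaced by <redacted>.
SAMPLE_LOG = """\
Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
Tue Jan 18 18:59:58 2005: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <redacted>
Attributes:
        MS-CHAP2-Success =
"<147>S=2BD0EAE2485256CD3D22D5184043F195A0B072EE"
        MS-MPPE-Send-Key = "<redacted>"
        MS-MPPE-Recv-Key = "<redacted>"
        Filter-Id = "Enterasys:version=1:policy=ITS"

Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 3, EAP TTLS Inner authentication challenged
Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
*** Sending to 10.3.4.5 port 1046 ....
Code:       Access-Challenge
Identifier: 112
Authentic:  <redacted>
Attributes:
        EAP-Message = <1><7><0><227><21><128>
        Message-Authenticator = <0><0><0><0>

Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
*** Received from 10.3.4.5 port 1046 ....
Code:       Access-Request
Identifier: 113
Authentic:  <redacted>
Attributes:
        User-Name = "berndt.sevcik"
        NAS-IP-Address = 10.3.4.5
        EAP-Message = <2><7><0><6><21><0>

Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
*** Sending to 10.3.4.5 port 1046 ....
Code:       Access-Accept
Identifier: 113
Authentic:  <redacted>
Attributes:
        MS-MPPE-Send-Key = "<redacted>"
        MS-MPPE-Recv-Key = "<redacted>"
        EAP-Message = <3><7><0><4>
        Message-Authenticator = <0><0><0><0>
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for k, v in audit_reply_attribute(text, "Filter-Id").items():
        print(f"{k}: {v}")
```

Run it against a real radiator.log (`python audit.py /var/log/radiator/radiator.log`) or with no argument to use the embedded sample; for the sample, "attr_reaches_nas" comes out False, which is exactly the situation in the thread: the Filter-Id sits in the tunnelled accept and never reaches the access point, so whatever policy it names is not applied to the client.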
