(RADIATOR) PEAP and Filter-ID

Mike McCauley mikem at open.com.au
Wed Jan 19 19:16:57 CST 2005


Hello Berndt,

the problem here is that (at present) reply attributes are not copied from the 
inner to the outer request in the case of TTLS-MSCHAPv2.
This is because the MSCHAPv2 usually requires any inner reply attributes, and 
they should not be propagated to the outer request. All other types of inner 
request will result in inner reply attributes being copied to the outer 
reply.

Are you able to use anything other than MSCHAPv2 inside your TTLS?

Cheers.


On Thursday 20 January 2005 00:44, Berndt Sevcik wrote:
> A small addendum to my last mail:
>
> I tried it with two different authentication mechanisms:
>   PEAP - is working
>   TTLS - is not working
>
> Sorry for the error.
>
> Has someone an idea for TTLS?
>
> Regards
> Berndt
>
> On Wed, 19.01.2005 at 8:48, Hugh Irvine wrote:
> > Hello Berndt -
> >
> > Have you installed all the latest patches?
> >
> > regards
> >
> > Hugh
> >
> > On 19 Jan 2005, at 18:15, Berndt Sevcik wrote:
> > > I am already using the latest version of Radiator (3.11).
> > >
> > > Berndt
> > >
> > > On 19.01.2005 at 00:51, Hugh Irvine wrote:
> > >> Hello Berndt -
> > >>
> > >> There is only one Access-Accept returned to the access point.
> > >>
> > >> The first Access-Accept is dealt with inside Radiator and causes an
> > >> Access-Challenge to be sent to the NAS to complete the MS-CHAP
> > >> authentication.
> > >>
> > >> Can you please tell me what version of Radiator you are using? The
> > >> latest version is Radiator 3.11 plus patches.
> > >>
> > >> Please try the latest version and let me know how you get on.
> > >>
> > >> regards
> > >>
> > >> Hugh
> > >>
> > >> On 19 Jan 2005, at 05:16, Berndt Sevcik wrote:
> > >>> I configured 802.1x authentication with PEAP. Why do I get two
> > >>> Access-Accept messages?
> > >>>
> > >>> I also added an attribute to the reply message with AddToReply
> > >>> (Filter-Id = "Enterasys:version=1:policy=ITS"), which is included in
> > >>> the first Access-Accept message. Which message is examined by the
> > >>> access point? If the last one is interpreted by the access point,
> > >>> how can I assign the Filter-Id attribute to that one as well?
> > >>>
> > >>> I also attached my config at the end.
> > >>>
> > >>> Thanks
> > >>> Berndt
> > >>>
> > >>> Tue Jan 18 18:59:57 2005: DEBUG: Handling request with Handler
> > >>> 'Client-Identifier = IntegerVLANTag'
> > >>> Tue Jan 18 18:59:57 2005: DEBUG:  Deleting session for berndt.sevcik,
> > >>> 10.3.4.5,
> > >>> Tue Jan 18 18:59:57 2005: DEBUG: Handling with Radius::AuthLDAP2:
> > >>> Tue Jan 18 18:59:57 2005: INFO: Connecting to 10.2.4.22, port 389
> > >>> Tue Jan 18 18:59:57 2005: INFO: Attempting to bind to LDAP server
> > >>> 10.2.4.22:389)
> > >>> Tue Jan 18 18:59:57 2005: DEBUG: LDAP got result for
> > >>> uid=berndt.sevcik,ou=People,ou=admin,dc=tgm,dc=ac,dc=at
> > >>> Tue Jan 18 18:59:57 2005: DEBUG: LDAP got rcryptPassword:
> > >>> {rcrypt}xxxx
> > >>> Tue Jan 18 18:59:57 2005: DEBUG: Radius::AuthLDAP2 looks for match
> > >>> with
> > >>> berndt.sevcik
> > >>> Tue Jan 18 18:59:57 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> > >>> Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
> > >>> Tue Jan 18 18:59:58 2005: DEBUG: Returned TTLS tunnelled Diameter
> > >>> Packet
> > >>> dump:
> > >>> Code:       Access-Accept
> > >>> Identifier: UNDEF
> > >>> Authentic:
> > >>> <235>#<139><214><6><177>7<0><148>5<202><226>2<151><239><29>
> > >>> Attributes:
> > >>>         MS-CHAP2-Success =
> > >>> "<147>S=2BD0EAE2485256CD3D22D5184043F195A0B072EE"
> > >>>         MS-MPPE-Send-Key =
> > >>> "<176><253>$~<171><231><251>x<188>#<167><182><208>H<174><136>Rp<136><
> > >>> 166>q<253>hS}<155>B<234><243><147><210><147>&<128>"
> > >>>         MS-MPPE-Recv-Key =
> > >>> "<215><22>Qh<194><128><7><129><2><130><201><202><167><196>7<234><197>
> > >>> <222><180><1>m$<188><161><184><22><176>or<238><6><176>>T"
> > >>>         Filter-Id = "Enterasys:version=1:policy=ITS"
> > >>>
> > >>> Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 3, EAP TTLS Inner
> > >>> authentication challenged
> > >>> Tue Jan 18 18:59:58 2005: DEBUG: Access challenged for berndt.sevcik:
> > >>> EAP TTLS Inner authentication challenged
> > >>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
> > >>> *** Sending to 10.3.4.5 port 1046 ....
> > >>> Code:       Access-Challenge
> > >>> Identifier: 112
> > >>> Authentic:  p:<0><0>/0<0><0><236>0<0><0><4>q<0><0>
> > >>> Attributes:
> > >>>         EAP-Message =
> > >>>         Message-Authenticator =
> > >>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > >>>
> > >>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
> > >>> *** Received from 10.3.4.5 port 1046 ....
> > >>> Code:       Access-Request
> > >>> Identifier: 113
> > >>> Authentic:  <137>e<0><0><183><0><0><0>0<15><0><0><176>q<0><0>
> > >>> Attributes:
> > >>>         Message-Authenticator = &{<137>o<187>Dl <197><235>o7<25>G<8>#
> > >>>         User-Name = "berndt.sevcik"
> > >>>         State = ""
> > >>>         NAS-IP-Address = 10.3.4.5
> > >>>         NAS-Port = 2
> > >>>         NAS-Port-Type = Wireless-IEEE-802-11
> > >>>         Calling-Station-Id = "00-0d-93-89-cc-6f"
> > >>>         Framed-MTU = 1000
> > >>>         EAP-Message = <2><7><0><6><21><0>
> > >>>
> > >>> Tue Jan 18 18:59:58 2005: DEBUG: Handling request with Handler
> > >>> 'Client-Identifier = IntegerVLANTag'
> > >>> Tue Jan 18 18:59:58 2005: DEBUG:  Deleting session for berndt.sevcik,
> > >>> 10.3.4.5, 2
> > >>> Tue Jan 18 18:59:58 2005: DEBUG: Handling with Radius::AuthLDAP2:
> > >>> Tue Jan 18 18:59:58 2005: DEBUG: Handling with EAP: code 2, 7, 6
> > >>> Tue Jan 18 18:59:58 2005: DEBUG: Response type 21
> > >>> Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 0,
> > >>> Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
> > >>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
> > >>> *** Sending to 10.3.4.5 port 1046 ....
> > >>> Code:       Access-Accept
> > >>> Identifier: 113
> > >>> Authentic:  <137>e<0><0><183><0><0><0>0<15><0><0><176>q<0><0>
> > >>> Attributes:
> > >>>         MS-MPPE-Send-Key =
> > >>> "<147><164>q<158><167>bS<239><191><152><155><225>kB<170><192>8X<200><
> > >>> 220>$<195><203><210>I(Z]<5><159>f<253><217><184><138><207><148><210>I
> > >>> s<169><150><175>Kp#<201><236><151>W"
> > >>>         MS-MPPE-Recv-Key =
> > >>> "<167><246>R<181>v<157><22><14><132>pDQ<219><186>k~<175><255>>q<151>Q
> > >>> H<237><133>8<14>%),<217>{<209><157><202><129>.<245><138>-
> > >>> <190><7><222><19><31>k<<223>&<199>"
> > >>>         EAP-Message = <3><7><0><4>
> > >>>         Message-Authenticator =
> > >>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > >>>
> > >>> My config:
> > >>>
> > >>> # Foreground
> > >>> LogStdout
> > >>> LogDir          /var/log/radiator
> > >>> LogFile         %L/radiator.log
> > >>>
> > >>> DbDir           /etc/radiator
> > >>> PidFile         /var/run/radiusd.pid
> > >>> Trace           4
> > >>>
> > >>> AuthPort 1645
> > >>> AcctPort 1646
> > >>>
> > >>> <Client 10.3.4.5>
> > >>>         Secret  secret
> > >>>         Identifier IntegerVLANTag
> > >>> </Client>
> > >>>
> > >>> <Handler Client-Identifier = IntegerVLANTag>
> > >>> <AuthBy LDAP2>
> > >>>     EAPType PEAP,TTLS
> > >>>     EAPTLS_CAFile %D/certificates/cacert.pem
> > >>>     EAPTLS_CertificateFile %D/certificates/edu-pdc02.pem
> > >>>     EAPTLS_CertificateType PEM
> > >>>     EAPTLS_PrivateKeyFile %D/certificates/edu-pdc02.pem
> > >>>     EAPTLS_PrivateKeyPassword whatever
> > >>>     EAPTLS_MaxFragmentSize 1000
> > >>>     AutoMPPEKeys
> > >>>     #RewriteUsername s/(.*)\\(.*)/$2/
> > >>>     RcryptKey   whatever
> > >>>     Host                10.2.4.22
> > >>>     AuthDN              cn=admin,dc=tgm,dc=ac,dc=at
> > >>>     AuthPassword        whatever
> > >>>     BaseDN              dc=tgm,dc=ac,dc=at
> > >>>     UsernameAttr        uid
> > >>>     PasswordAttr        rcryptPassword
> > >>>     AuthAttrDef         radiusAuthType,GENERIC,check
> > >>>     #ReplyAttr       radiusReplyItem
> > >>>     Debug 255
> > >>>     AddToReply Filter-Id = Enterasys:version=1:policy=ITS
> > >>> </AuthBy>
> > >>>   #  PostAuthHook file:"%D/hooks/vlan-ascii-to-binary-postauth"
> > >>> </Handler>
> > >>>
> > >>>
> > >>>
> > >>> --
> > >>> Archive at http://www.open.com.au/archives/radiator/
> > >>> Announcements on radiator-announce at open.com.au
> > >>> To unsubscribe, email 'majordomo at open.com.au' with
> > >>> 'unsubscribe radiator' in the body of the message.
> > >>
> > >> NB:
> > >>
> > >> Have you read the reference manual ("doc/ref.html")?
> > >> Have you searched the mailing list archive
> > >> (www.open.com.au/archives/radiator)?
> > >> Have you had a quick look on Google (www.google.com)?
> > >> Have you included a copy of your configuration file (no secrets),
> > >> together with a trace 4 debug showing what is happening?
> > >>
> > >> --
> > >> Radiator: the most portable, flexible and configurable RADIUS server
> > >> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > >> -
> > >> Nets: internetwork inventory and management - graphical, extensible,
> > >> flexible with hardware, software, platform and database independence.
> > >> -
> > >> CATool: Private Certificate Authority for Unix and Unix-like systems.
> > >
> > >  -----------------------------------------
> > >  TGM - Die Schule der Technik
> > >  IT-Service
> > >  A-1200 Wien, Wexstr. 19-23
> > >  Tel. +43(1)33126/316 Fax: +43(1)33126/154
> > >  E-Mail: berndt.sevcik at tgm.ac.at
> > >  -----------------------------------------
> > >
> >
>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

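An added illustration of the behaviour discussed in this thread (example code, not from the thread or from Radiator): a small Python checker that reads trace-4 packet dumps of the kind Berndt posted and reports whether Filter-Id appears in the inner (tunnelled) Access-Accept as opposed to the outer Access-Accept actually sent to the NAS. The sample trace is constructed from the quoted log with binary values shortened to placeholders, and it assumes the "tunnelled ... Packet dump:" header sits on one log line, as it does in an unwrapped Radiator log.

```python
"""Check which Access-Accepts in a Radiator trace-4 log actually carry Filter-Id."""
import re

# Constructed sample shaped like the trace quoted in the thread; binary
# attribute values are shortened to "..." placeholders.
SAMPLE_TRACE = """\
Tue Jan 18 18:59:58 2005: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code:       Access-Accept
Identifier: UNDEF
Attributes:
        MS-CHAP2-Success = "..."
        Filter-Id = "Enterasys:version=1:policy=ITS"

Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
*** Sending to 10.3.4.5 port 1046 ....
Code:       Access-Accept
Identifier: 113
Attributes:
        MS-MPPE-Send-Key = "..."
        EAP-Message = <3><7><0><4>
"""

def parse_dumps(trace):
    """One dict per 'Packet dump' header: code, attrs, whether it is the
    inner (tunnelled) reply, and the NAS address for packets actually sent."""
    packets, cur = [], None
    for line in trace.splitlines():
        if "Packet dump" in line:
            cur = {"tunnelled": "tunnelled" in line, "peer": "", "code": "", "attrs": {}}
            packets.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"\*\*\* Sending to (\S+) port (\d+)", line):
            cur["peer"] = f"{m.group(1)}:{m.group(2)}"
        elif m := re.match(r"Code:\s+(\S+)", line):
            cur["code"] = m.group(1)
        elif m := re.match(r"\s+([\w-]+) = (.*)", line):  # attribute lines are indented
            cur["attrs"][m.group(1)] = m.group(2).strip('"')
    return packets

def accept_attr_report(trace, attr="Filter-Id"):
    """Does any inner / any outer Access-Accept carry `attr`? Only the outer
    one reaches the NAS, so only it can enforce the policy."""
    accepts = [p for p in parse_dumps(trace) if p["code"] == "Access-Accept"]
    return {
        "inner": any(attr in p["attrs"] for p in accepts if p["tunnelled"]),
        "outer": any(attr in p["attrs"] for p in accepts if p["peer"]),
    }
```

Run against the sample, the report is `{'inner': True, 'outer': False}`, which is exactly the silent policy loss Mike describes: the attribute is present in the reply Radiator builds internally but never leaves the server.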

