(RADIATOR) PEAP and Filter-ID
Berndt Sevcik
berndt.sevcik at tgm.ac.at
Thu Jan 20 03:00:35 CST 2005
Thanks for the information. We are using TTLS for our Apple Clients.
The Windows Clients are using PEAP. The problem is that a PEAP option
is available on the Mac but it is not working.
When I look at the debug I get an access-accept message:
*** Sending to 10.3.4.5 port 1347 ....
Code: Access-Accept
Identifier: 209
Authentic: ?{<0><0>F"<0><0><25>x<0><0><187><21><0><0>
Attributes:
Filter-Id = "Enterasys:version=1:policy=ITS"
EAP-Message = <3><9><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
MS-MPPE-Send-Key = "<167>93JbD<11>
<22><13><170><243>d<161><7><7>8)<233><240>J<227><223><179>)Q6<20>ENd<253
><206><136><191><163>b<189>Q<155>4><155>$<10><161><15><234>z1"
MS-MPPE-Recv-Key =
"<135><228><213><238>[<24><220>3BT<2><7>N<199><248>fNV<0><243>=<160>r<22
2>'<25><242>buD<18><133><189><154>F<143><174><203><253><211><15><154><18
1>3<10><229><198>}<208>:"
But the communication is not working. It looks like the Apple
client is not accepting the key. The configuration works with the
Windows supplicant and PEAP without problems. We are using Mac OS X
Version 10.3.7.
That's the output from the debug:
Any idea about it? Is someone using Mac OS and PEAP? Does someone have tips
for the config?
Thanks
Berndt
Here the last version of my config:
<AuthBy FILE>
    Identifier OUTERAuthentication
    Filename %D/users
    EAPType PEAP,TTLS
    EAPTLS_CAFile %D/certificates/cacert.pem
    EAPTLS_CertificateFile %D/certificates/edu-pdc02.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certificates/edu-pdc02.pem
    EAPTLS_PrivateKeyPassword whatever
    EAPTLS_MaxFragmentSize 1000
    AutoMPPEKeys
</AuthBy>

<Handler TunnelledByPEAP=1>
    <AuthBy LDAP2>
        RewriteUsername s/(.*)\\(.*)/$2/
        Identifier LDAPPEAPAuthentication
        RcryptKey 2lisNjsRp8sfWLa
        Host 10.2.4.22
        AuthDN cn=admin,dc=tgm,dc=ac,dc=at
        AuthPassword sUpp.rT
        BaseDN dc=tgm,dc=ac,dc=at
        UsernameAttr uid
        PasswordAttr rcryptPassword
        AuthAttrDef radiusAuthType,GENERIC,check
        ReplyAttr radiusReplyItem
        # Debug 255
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

<Handler>
    RewriteUsername s/(.*)\\(.*)/$2/
    AuthBy OUTERAuthentication
    # PostProcessingHook file:"/root/Radiator-3.11/goodies/ttls-berndt.pl"
    # AddToReply Filter-Id = Enterasys:version=1:policy=ITS
</Handler>
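As an added example (not code from this thread, from Radiator or from Open System Consultants), here is a decoder for an Access-Accept of the shape shown above: it lists the attributes and reports what the access point will act on, namely the Filter-Id policy string, the two MS-MPPE keys and the EAP-Success. The packet bytes are constructed inline; the key values are dummies, since real MS-MPPE keys are salt-encrypted with the shared secret and are not decrypted here.

```python
"""Decode a RADIUS Access-Accept and report what the NAS will actually act on."""
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {11: "Filter-Id", 79: "EAP-Message", 80: "Message-Authenticator"}
MS_VENDOR = 311                      # Microsoft vendor id carrying the MS-MPPE-* VSAs
MS_TYPES = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

def parse_attrs(body):
    """Walk the TLV attribute list; Microsoft VSAs are unwrapped to their own names."""
    attrs, i = [], 0
    while i < len(body):
        typ, ln = body[i], body[i + 1]
        if ln < 2 or i + ln > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        val = body[i + 2:i + ln]
        if typ == 26 and len(val) >= 6 and struct.unpack("!I", val[:4])[0] == MS_VENDOR:
            vtype, vlen = val[4], val[5]          # vendor type, vendor length (incl. 2 header bytes)
            attrs.append((MS_TYPES.get(vtype, "MS-%d" % vtype), val[6:4 + vlen]))
        else:
            attrs.append((ATTRS.get(typ, "Attr-%d" % typ), val))
        i += ln
    return attrs

def parse_packet(pkt):
    """Header is code, identifier, length, 16-byte authenticator; attributes follow."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    return CODES.get(code, code), ident, parse_attrs(pkt[20:length])

def check_final_accept(pkt):
    """What the AP applies: policy from Filter-Id, keys for the 802.11 session, EAP-Success."""
    code, ident, attrs = parse_packet(pkt)
    names = [n for n, _ in attrs]
    filt = next((v.decode() for n, v in attrs if n == "Filter-Id"), None)
    eap_ok = any(n == "EAP-Message" and v[:1] == b"\x03" for n, v in attrs)  # EAP code 3 = Success
    return {"code": code, "id": ident, "filter_id": filt, "eap_success": eap_ok,
            "has_keys": "MS-MPPE-Send-Key" in names and "MS-MPPE-Recv-Key" in names}

# Constructed sample with the shape of the Identifier-209 Accept in the thread. The key
# bytes are dummies: real MS-MPPE values are salt-encrypted with the shared secret.
def _attr(t, v): return bytes([t, len(v) + 2]) + v
def _ms_vsa(vt, v): return _attr(26, struct.pack("!I", MS_VENDOR) + bytes([vt, len(v) + 2]) + v)
_body = (_attr(11, b"Enterasys:version=1:policy=ITS") + _attr(79, b"\x03\x09\x00\x04")
         + _attr(80, bytes(16)) + _ms_vsa(16, bytes(34)) + _ms_vsa(17, bytes(34)))
SAMPLE_ACCEPT = struct.pack("!BBH", 2, 209, 20 + len(_body)) + bytes(16) + _body
```

Feeding it the bytes of the last Accept the NAS receives (captured on the wire, not the inner tunnelled dump) shows directly whether the policy attribute survived the tunnel.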
On 20.01.2005 at 02:16, Mike McCauley wrote:
> Hello Berndt,
>
> the problem here is that (at present) reply attributes are not copied from the
> inner to the outer request in the case of TTLS-MSCHAPv2.
> This is because the MSCHAPv2 usually requires any inner reply attributes, and
> they should not be propagated to the outer request. All other types of inner
> request will result in inner reply attributes being copied to the outer reply.
>
> Are you able to use anything other than MSCHAPv2 inside your TTLS?
>
> Cheers.
>
>
> On Thursday 20 January 2005 00:44, Berndt Sevcik wrote:
>> A small addendum to my last mail:
>>
>> I tried it with two different authentication mechanisms:
>> PEAP - is working
>> TTLS - is not working
>>
>> Sorry for the error.
>>
>> Does someone have an idea for TTLS?
>>
>> Regards
>> Berndt
>>
>> On Wed, 19.01.2005 at 8:48, Hugh Irvine wrote:
>>> Hello Berndt -
>>>
>>> Have you installed all the latest patches?
>>>
>>> regards
>>>
>>> Hugh
>>>
>>> On 19 Jan 2005, at 18:15, Berndt Sevcik wrote:
>>>> I am using already the latest version of Radiator (3.11).
>>>>
>>>> Berndt
>>>>
>>>> On 19.01.2005 at 00:51, Hugh Irvine wrote:
>>>>> Hello Berndt -
>>>>>
>>>>> There is only one Access-Accept returned to the access point.
>>>>>
>>>>> The first Access-Accept is dealt with inside Radiator and causes an
>>>>> Access-Challenge to be sent to the NAS to complete the MS-CHAP
>>>>> authentication.
>>>>>
>>>>> Can you please tell me what version of Radiator you are using? The
>>>>> latest version is Radiator 3.11 plus patches.
>>>>>
>>>>> Please try the latest version and let me know how you get on.
>>>>>
>>>>> regards
>>>>>
>>>>> Hugh
>>>>>
>>>>> On 19 Jan 2005, at 05:16, Berndt Sevcik wrote:
>>>>>> I configured 802.1x authentication with PEAP. Why do I get two
>>>>>> Access-Accept messages?
>>>>>>
>>>>>> I also added with AddToReply an attribute to the answer message
>>>>>> (Filter-Id = "Enterasys:version=1:policy=ITS") which is included in the
>>>>>> first Access-Accept message. Which message is investigated by the access
>>>>>> point? When the last one is interpreted by the access point, how can I
>>>>>> assign the Filter-Id attribute also to this one?
>>>>>>
>>>>>> I also attached my config at the end.
>>>>>>
>>>>>> Thanks
>>>>>> Berndt
>>>>>>
>>>>>> Tue Jan 18 18:59:57 2005: DEBUG: Handling request with Handler 'Client-Identifier = IntegerVLANTag'
>>>>>> Tue Jan 18 18:59:57 2005: DEBUG: Deleting session for berndt.sevcik, 10.3.4.5,
>>>>>> Tue Jan 18 18:59:57 2005: DEBUG: Handling with Radius::AuthLDAP2:
>>>>>> Tue Jan 18 18:59:57 2005: INFO: Connecting to 10.2.4.22, port 389
>>>>>> Tue Jan 18 18:59:57 2005: INFO: Attempting to bind to LDAP server 10.2.4.22:389)
>>>>>> Tue Jan 18 18:59:57 2005: DEBUG: LDAP got result for uid=berndt.sevcik,ou=People,ou=admin,dc=tgm,dc=ac,dc=at
>>>>>> Tue Jan 18 18:59:57 2005: DEBUG: LDAP got rcryptPassword: {rcrypt}xxxx
>>>>>> Tue Jan 18 18:59:57 2005: DEBUG: Radius::AuthLDAP2 looks for match with berndt.sevcik
>>>>>> Tue Jan 18 18:59:57 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
>>>>>> Code: Access-Accept
>>>>>> Identifier: UNDEF
>>>>>> Authentic:
>>>>>> <235>#<139><214><6><177>7<0><148>5<202><226>2<151><239><29>
>>>>>> Attributes:
>>>>>> MS-CHAP2-Success =
>>>>>> "<147>S=2BD0EAE2485256CD3D22D5184043F195A0B072EE"
>>>>>> MS-MPPE-Send-Key =
>>>>>> "<176><253>$~<171><231><251>x<188>#<167><182><208>H<174><136>Rp<13
>>>>>> 6><
>>>>>> 166>q<253>hS}<155>B<234><243><147><210><147>&<128>"
>>>>>> MS-MPPE-Recv-Key =
>>>>>> "<215><22>Qh<194><128><7><129><2><130><201><202><167><196>7<234><1
>>>>>> 97>
>>>>>> <222><180><1>m$<188><161><184><22><176>or<238><6><176>>T"
>>>>>> Filter-Id = "Enterasys:version=1:policy=ITS"
>>>>>>
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 3, EAP TTLS Inner authentication challenged
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Access challenged for berndt.sevcik: EAP TTLS Inner authentication challenged
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
>>>>>> *** Sending to 10.3.4.5 port 1046 ....
>>>>>> Code: Access-Challenge
>>>>>> Identifier: 112
>>>>>> Authentic: p:<0><0>/0<0><0><236>0<0><0><4>q<0><0>
>>>>>> Attributes:
>>>>>> EAP-Message =
>>>>>> Message-Authenticator =
>>>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>>>
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
>>>>>> *** Received from 10.3.4.5 port 1046 ....
>>>>>> Code: Access-Request
>>>>>> Identifier: 113
>>>>>> Authentic: <137>e<0><0><183><0><0><0>0<15><0><0><176>q<0><0>
>>>>>> Attributes:
>>>>>> Message-Authenticator = &{<137>o<187>Dl
>>>>>> <197><235>o7<25>G<8>#
>>>>>> User-Name = "berndt.sevcik"
>>>>>> State = ""
>>>>>> NAS-IP-Address = 10.3.4.5
>>>>>> NAS-Port = 2
>>>>>> NAS-Port-Type = Wireless-IEEE-802-11
>>>>>> Calling-Station-Id = "00-0d-93-89-cc-6f"
>>>>>> Framed-MTU = 1000
>>>>>> EAP-Message = <2><7><0><6><21><0>
>>>>>>
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Handling request with Handler 'Client-Identifier = IntegerVLANTag'
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Deleting session for berndt.sevcik, 10.3.4.5, 2
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Handling with Radius::AuthLDAP2:
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Handling with EAP: code 2, 7, 6
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Response type 21
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: EAP result: 0,
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Access accepted for berndt.sevcik
>>>>>> Tue Jan 18 18:59:58 2005: DEBUG: Packet dump:
>>>>>> *** Sending to 10.3.4.5 port 1046 ....
>>>>>> Code: Access-Accept
>>>>>> Identifier: 113
>>>>>> Authentic: <137>e<0><0><183><0><0><0>0<15><0><0><176>q<0><0>
>>>>>> Attributes:
>>>>>> MS-MPPE-Send-Key =
>>>>>> "<147><164>q<158><167>bS<239><191><152><155><225>kB<170><192>8X<20
>>>>>> 0><
>>>>>> 220>$<195><203><210>I(Z]<5><159>f<253><217><184><138><207><148><21
>>>>>> 0>I
>>>>>> s<169><150><175>Kp#<201><236><151>W"
>>>>>> MS-MPPE-Recv-Key =
>>>>>> "<167><246>R<181>v<157><22><14><132>pDQ<219><186>k~<175><255>>q<15
>>>>>> 1>Q
>>>>>> H<237><133>8<14>%),<217>{<209><157><202><129>.<245><138>-
>>>>>> <190><7><222><19><31>k<<223>&<199>"
>>>>>> EAP-Message = <3><7><0><4>
>>>>>> Message-Authenticator =
>>>>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>>>
>>>>>> My config:
>>>>>>
>>>>>> # Foreground
>>>>>> LogStdout
>>>>>> LogDir /var/log/radiator
>>>>>> LogFile %L/radiator.log
>>>>>>
>>>>>> DbDir /etc/radiator
>>>>>> PidFile /var/run/radiusd.pid
>>>>>> Trace 4
>>>>>>
>>>>>> AuthPort 1645
>>>>>> AcctPort 1646
>>>>>>
>>>>>> <Client 10.3.4.5>
>>>>>> Secret secret
>>>>>> Identifier IntegerVLANTag
>>>>>> </Client>
>>>>>>
>>>>>> <Handler Client-Identifier = IntegerVLANTag>
>>>>>> <AuthBy LDAP2>
>>>>>> EAPType PEAP,TTLS
>>>>>> EAPTLS_CAFile %D/certificates/cacert.pem
>>>>>> EAPTLS_CertificateFile %D/certificates/edu-pdc02.pem
>>>>>> EAPTLS_CertificateType PEM
>>>>>> EAPTLS_PrivateKeyFile %D/certificates/edu-pdc02.pem
>>>>>> EAPTLS_PrivateKeyPassword whatever
>>>>>> EAPTLS_MaxFragmentSize 1000
>>>>>> AutoMPPEKeys
>>>>>> #RewriteUsername s/(.*)\\(.*)/$2/
>>>>>> RcryptKey whatever
>>>>>> Host 10.2.4.22
>>>>>> AuthDN cn=admin,dc=tgm,dc=ac,dc=at
>>>>>> AuthPassword whatever
>>>>>> BaseDN dc=tgm,dc=ac,dc=at
>>>>>> UsernameAttr uid
>>>>>> PasswordAttr rcryptPassword
>>>>>> AuthAttrDef radiusAuthType,GENERIC,check
>>>>>> #ReplyAttr radiusReplyItem
>>>>>> Debug 255
>>>>>> AddToReply Filter-Id = Enterasys:version=1:policy=ITS
>>>>>> </AuthBy>
>>>>>> # PostAuthHook file:"%D/hooks/vlan-ascii-to-binary-postauth"
>>>>>> </Handler>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>> Announcements on radiator-announce at open.com.au
>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>
>>>>> NB:
>>>>>
>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>> Have you searched the mailing list archive
>>>>> (www.open.com.au/archives/radiator)?
>>>>> Have you had a quick look on Google (www.google.com)?
>>>>> Have you included a copy of your configuration file (no secrets),
>>>>> together with a trace 4 debug showing what is happening?
>>>>>
>>>>> --
>>>>> Radiator: the most portable, flexible and configurable RADIUS
>>>>> server
>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>> -
>>>>> Nets: internetwork inventory and management - graphical,
>>>>> extensible,
>>>>> flexible with hardware, software, platform and database
>>>>> independence.
>>>>> -
>>>>> CATool: Private Certificate Authority for Unix and Unix-like
>>>>> systems.
>>>>
>>>> -----------------------------------------
>>>> TGM - Die Schule der Technik
>>>> IT-Service
>>>> A-1200 Wien, Wexstr. 19-23
>>>> Tel. +43(1)33126/316 Fax: +43(1)33126/154
>>>> E-Mail: berndt.sevcik at tgm.ac.at
>>>> -----------------------------------------
>>>>
>>>
>>
>
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>