(RADIATOR) Guidelines in EAP-TTLS (or PEAP) Setup
Hugh Irvine
hugh at open.com.au
Tue Jul 12 18:42:27 CDT 2005
Hello Neil -
You cannot do what you show below, as the Handlers will never be
evaluated.
You should do something like this:
<Handler TunnelledByPEAP=1>
<AuthBy FILE>
Filename /usr/local/etc/radius/users
</AuthBy>
</Handler>
<Handler TunnelledByTTLS=1>
<AuthBy FILE>
Filename /usr/local/etc/radius/users
</AuthBy>
</Handler>
<Handler>
AcctLogFileName /var/log/radius/radacct.log.%Y%m%d
<AuthBy FILE>
Filename /usr/local/etc/radius/users
EAPType TTLS
EAPTLS_CAFile /usr/local/etc/radius/certificates/cacert.pem
EAPTLS_CAPath /usr/local/etc/radius/certificates
EAPTLS_CertificateType PEM
EAPTLS_CertificateFile /usr/local/etc/radius/certificates/wireless-cert.pem
EAPTLS_PrivateKeyFile /usr/local/etc/radius/certificates/wireless-key.pem
EAPTLS_PrivateKeyPassword
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
SSLeayTrace 4
</AuthBy>
</Handler>
regards
Hugh
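As an added illustration (not Radiator code and not part of either message), here is a small Python model of the dispatch rule Hugh's layout depends on: Realm clauses are consulted before any Handler, and Handlers are then tried in file order, with a check-free Handler matching everything. The clause tuples, the TunnelledBy* pseudo-attributes on the inner request, and the sample requests are constructed for the model.

```python
# Added illustration: a simplified model of how Radiator picks the clause
# that handles a request. Realm clauses are checked first (DEFAULT matches
# any user), then Handler clauses in file order; a Handler with no check
# items matches everything, so it must come last. This is not Radiator
# code; the clause tuples and requests below are constructed.

def realm_of(user_name):
    """Realm part of User-Name, or '' when the name carries no realm."""
    return user_name.split("@", 1)[1] if "@" in user_name else ""

def dispatch(config, request):
    """Return the index of the clause that would handle `request`, or None.

    config:  list of ("Realm", name) or ("Handler", {check: value}) tuples
             in configuration-file order.
    request: dict of RADIUS attributes plus pseudo-attributes such as
             TunnelledByTTLS, which Radiator sets on the inner request.
    """
    realm = realm_of(request.get("User-Name", ""))
    default_idx = None
    for i, (kind, spec) in enumerate(config):       # pass 1: Realms
        if kind != "Realm":
            continue
        if realm and spec == realm:
            return i
        if spec == "DEFAULT" and default_idx is None:
            default_idx = i
    if default_idx is not None:
        return default_idx
    for i, (kind, spec) in enumerate(config):       # pass 2: Handlers
        if kind == "Handler" and all(str(request.get(k)) == v
                                     for k, v in spec.items()):
            return i
    return None

# Neil's layout: Realm DEFAULT swallows every request, so the tunnel
# Handlers below it are never reached (inner requests hit the TTLS AuthBy).
NEIL = [("Realm", "DEFAULT"),
        ("Handler", {"TunnelledByPEAP": "1"}),
        ("Handler", {"TunnelledByTTLS": "1"})]

# Hugh's layout: tunnel Handlers first, catch-all Handler (EAPType TTLS) last.
HUGH = [("Handler", {"TunnelledByPEAP": "1"}),
        ("Handler", {"TunnelledByTTLS": "1"}),
        ("Handler", {})]

OUTER = {"User-Name": "jdoe"}                          # outer TTLS request
INNER = {"User-Name": "jdoe", "TunnelledByTTLS": "1"}  # inner request
```

Putting the check-free Handler first reproduces Neil's problem in Hugh's layout too: the inner request never reaches the TunnelledByTTLS clause.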
On 12 Jul 2005, at 09:43, neil at quiogue.com wrote:
> Hello,
>
> * Apologies as I'm a newbie when it comes to secure wireless
> configuration. *
>
> I'd like to ask if anyone has any guidelines on setting up EAP-TTLS or
> EAP-PEAP using the HP AP 420 as the access point, Radiator and the
> standard Windows XP wireless configuration. If I use WPA-PSK (TKIP-AES),
> I have no problems, but then again it's just using a pre-shared key,
> which wouldn't do.
>
> The thing I'm not sure of is what to configure on the devices. The
> instructions given on wireless.utah.edu are a bit outdated, as the
> commands do not work on our AP, which is using v2.1.0 firmware. But the
> configuration is basically WPA (TKIP-AES-802.1X) (Mcast: TKIP, Ucast:
> TKIP+AES). Or if someone has a suggestion, I'm open to it.
>
> Also, on the user flat file, what format is expected for authentication
> to work? Is a plain format like the one below sufficient?
>
> jdoe User-Password = "passwordhere"
>       Service-Type = Framed-User
>
> Then on the client side, when Windows asks for a username/password (as
> it is configured not to connect using the Windows domain password), I
> just use jdoe and the appropriate password with the Realm/Domain left
> blank.
>
> radius.cfg:
>
> AuthPort 1812
> AcctPort 1813
> Foreground
> # Run as user radius and not as root
> User radius
> DictionaryFile /usr/local/etc/radius/dictionary
> Trace 5
> LogDir /var/log/radius
> LogFile /var/log/radius/radius.log.%Y%m%d
>
> PidFile /var/run/radius/radiusd.pid
>
> <Client DEFAULT>
> Secret
> DupInterval 0
> IgnoreAcctSignature
> </Client>
>
> <Realm DEFAULT>
> AcctLogFileName /var/log/radius/radacct.log.%Y%m%d
> <AuthBy FILE>
> Filename /usr/local/etc/radius/users
> EAPType TTLS
> EAPTLS_CAFile /usr/local/etc/radius/certificates/cacert.pem
> EAPTLS_CAPath /usr/local/etc/radius/certificates
> EAPTLS_CertificateType PEM
> EAPTLS_CertificateFile /usr/local/etc/radius/certificates/wireless-cert.pem
> EAPTLS_PrivateKeyFile /usr/local/etc/radius/certificates/wireless-key.pem
> EAPTLS_PrivateKeyPassword
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> SSLeayTrace 4
> </AuthBy>
> </Realm>
>
> <Handler TunnelledByPEAP=1>
> <AuthBy FILE>
> Filename /usr/local/etc/radius/users
> </AuthBy>
> </Handler>
>
> <Handler TunnelledByTTLS=1>
> <AuthBy FILE>
> Filename /usr/local/etc/radius/users
> </AuthBy>
> </Handler>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.