(RADIATOR) Radiator, Solaris, ActiveDirectory and WindowsXP

Chris Hodgins christopher.hodgins at gmail.com
Fri Jul 22 10:34:21 CDT 2005


Hi,

I am currently doing some testing for IEEE802.1x and so trying to
establish authentication between a laptop running Windows XP SP2 and an
ActiveDirectory server via our Radiator server.  So far we have user
authentication working using MD5-Challenge and the radiator user
files.  Now I would like to hook it up to ActiveDirectory.  Since the
Radiator server is running Solaris I gather the best option here is to
use AuthBy LDAP2 and EAP-TTLS with an inner request using PAP.

Unfortunately the setup I have so far is failing to authenticate
properly.  The log file shows:

Fri Jul 22 15:14:22 2005: DEBUG: Handling request with Handler
'Client-Identifier="3com", Realm= '
Fri Jul 22 15:14:22 2005: INFO: Access rejected for anonymous: Could
not handle an EAP request

I have a handler for the initial TTLS request that looks like this:

<Handler Client-Identifier="3com", Realm= >
        Identifier      3comTTLShandler
        <AuthBy FILE>
                Filename        %D/users
                EAPType TTLS
                EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
                EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                EAPTLS_PrivateKeyPassword whatever
        </AuthBy>
        <Log FILE>
                Identifier      3comDebugLog
                Filename        %L/3comradiusd.debug
                Trace           4
        </Log>
</Handler>

With the certificates directory copied from the tarball and also added
to the Windows client.  I also added the anonymous user.  I have
another handler below that should sort out the inner request.

<Handler Client-Identifier="3com", Realm= TunnelledByTTLS=1>
        Identifier      3comhandler
        UsernameCharset a-zA-Z0-9\.-_
        RewriteUsername tr/[A-Z]/[a-z]/
        AuthBy          3comITSAuth
        AuthLog         authlog
        AuthLog         authsyslog
        RejectHasReason
        <Log FILE>
                Identifier      3comDebugLog2
                Filename        %L/3comradiusd.debug
                Trace           4
        </Log>
</Handler>

The AuthBy points to this block where LDAPServer is another AuthBy
block describing our LDAPServer properties, which have been proven to
work:

<AuthBy LDAP2>
        Identifier       3comITSAuth
        EAPType     PAP
        AuthBy        LDAPServer
</AuthBy>

One thing I have noticed: on top of the above error, I have seen this
being repeated in the output of dmesg.

Jul 22 16:29:27 blofeld.net.strath.ac.uk
/usr/perl5/5.6.1/bin/radiusd[23491]: Could not handle an EAP request:
Can't locate object method "response_identity" via package
"Radius::EAP_21" (perhaps you forgot to load "Radius::EAP_21"?) at
/usr/perl5/site_perl/5.6.1/Radius/EAP.pm line 143.

I also read I may require the packages SSLeay and Digest::MD4?  Does
anyone have any pointers which may put me back on the right track or
at least fix the current problems?

Thanks all
Chris
