(RADIATOR) EAP and LDAP

Hugh Irvine hugh at open.com.au
Tue Jun 7 07:20:57 CDT 2005


Hello Chris -

You can only use an EAP type that uses PAP with encrypted passwords in your LDAP database.

Further, you cannot use a RewriteUsername with MSCHAP-V2, as the full username as entered by the user is employed in the authentication.

regards

Hugh


On 7 Jun 2005, at 17:54, Chris Hills wrote:

> Hi
>
> I am trying to get Radiator to authenticate EAP requests, using an  
> LDAP backend with one-way crypted passwords. So far I have the  
> following in my config:-
>
> <Realm ne-worcs.ac.uk>
>
>        RewriteUsername s/^([^@]+).*/$1/
>
>        <AuthBy LDAP2>
>
>                Host xxx
>                Host xxx
>
>                BaseDN o=NEW College,c=UK
>
>                EAPType PEAP, MSCHAP-V2
>                EAPTLS_CertificateType PEM
>                EAPTLS_CAFile /usr/share/ssl/certs/cacert.pem
>                EAPTLS_CertificateFile /usr/share/ssl/certs/radius.pem
>                EAPTLS_PrivateKeyFile /usr/share/ssl/certs/radius.pem
>
>                ServerChecksPassword
>                Debug 255
>
>        </AuthBy>
>
> </Realm>
>
> So far I have been unsuccessful in authenticating any clients. The  
> log shows the following:-
>
> Tue Jun  7 08:46:39 2005: DEBUG: Packet dump:
> *** Received from 172.18.100.14 port 2094 ....
>
> Packet length = 138
> 01 c5 00 8a 25 47 44 4b 78 6f 4d 6c 34 67 2d 37
> 43 28 05 38 01 17 63 68 69 6c 6c 73 40 6e 65 2d
> 77 6f 72 63 73 2e 61 63 2e 75 6b 05 06 00 00 00
> ee 3d 06 00 00 00 0f 04 06 ac 12 64 0e 06 06 00
> 00 00 02 0c 06 00 00 04 00 1f 13 30 30 2d 30 36
> 2d 35 42 2d 45 34 2d 30 45 2d 30 42 4f 1c 02 01
> 00 1a 01 63 68 69 6c 6c 73 40 6e 65 2d 77 6f 72
> 63 73 2e 61 63 2e 75 6b 50 12 ba 80 68 e7 69 9f
> 55 4d 29 cb d0 7b e7 2f e8 0d
> Code:       Access-Request
> Identifier: 197
> Authentic:  %GDKxoMl4g-7C(<5>8
> Attributes:
>        User-Name = "chills@ne-worcs.ac.uk"
>        NAS-Port = 238
>        NAS-Port-Type = Ethernet
>        NAS-IP-Address = 172.18.100.14
>        Service-Type = Framed-User
>        Framed-MTU = 1024
>        Calling-Station-Id = "00-06-5B-E4-0E-0B"
>        EAP-Message = <2><1><0><26><1>chills@ne-worcs.ac.uk
>        Message-Authenticator = <186><128>h<231>i<159>UM)<203><208>{<231>/<232><13>
>
> Tue Jun  7 08:46:39 2005: DEBUG: Handling request with Handler  
> 'Realm=ne-worcs.ac.uk'
> Tue Jun  7 08:46:39 2005: DEBUG: Rewrote user name to chills
> Tue Jun  7 08:46:39 2005: DEBUG:  Deleting session for chills@ne-worcs.ac.uk, 172.18.100.14, 238
> Tue Jun  7 08:46:39 2005: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Jun  7 08:46:39 2005: DEBUG: Handling with EAP: code 2, 1, 26
> Tue Jun  7 08:46:39 2005: DEBUG: Response type 1
> Tue Jun  7 08:46:40 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
> Tue Jun  7 08:46:40 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE,  
> EAP PEAP Challenge
> Tue Jun  7 08:46:40 2005: DEBUG: Access challenged for chills: EAP  
> PEAP Challenge
> Tue Jun  7 08:46:40 2005: DEBUG: Packet dump:
> *** Sending to 172.18.100.14 port 2094 ....
>
> Packet length = 46
> 0b c5 00 2e 7a ac a5 80 58 ae cd dd 90 80 05 36
> 62 98 1e 66 4f 08 01 02 00 06 19 21 50 12 6f 8b
> 4a de 07 35 4d 7f c9 49 41 5e cd 90 ca a0
> Code:       Access-Challenge
> Identifier: 197
> Authentic:  %GDKxoMl4g-7C(<5>8
> Attributes:
>        EAP-Message = <1><2><0><6><25>!
>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Jun  7 08:46:41 2005: DEBUG: Packet dump:
> *** Received from 172.18.100.14 port 2094 ....
>
> Packet length = 138
> 01 c5 00 8a 25 47 44 4b 78 6f 4d 6c 34 67 2d 37
> 43 28 05 38 01 17 63 68 69 6c 6c 73 40 6e 65 2d
> 77 6f 72 63 73 2e 61 63 2e 75 6b 05 06 00 00 00
> ee 3d 06 00 00 00 0f 04 06 ac 12 64 0e 06 06 00
> 00 00 02 0c 06 00 00 04 00 1f 13 30 30 2d 30 36
> 2d 35 42 2d 45 34 2d 30 45 2d 30 42 4f 1c 02 01
> 00 1a 01 63 68 69 6c 6c 73 40 6e 65 2d 77 6f 72
> 63 73 2e 61 63 2e 75 6b 50 12 ba 80 68 e7 69 9f
> 55 4d 29 cb d0 7b e7 2f e8 0d
> Code:       Access-Request
> Identifier: 197
> Authentic:  %GDKxoMl4g-7C(<5>8
> Attributes:
>        User-Name = "chills@ne-worcs.ac.uk"
>        NAS-Port = 238
>        NAS-Port-Type = Ethernet
>        NAS-IP-Address = 172.18.100.14
>        Service-Type = Framed-User
>        Framed-MTU = 1024
>        Calling-Station-Id = "00-06-5B-E4-0E-0B"
>        EAP-Message = <2><1><0><26><1>chills@ne-worcs.ac.uk
>        Message-Authenticator = <186><128>h<231>i<159>UM)<203><208>{<231>/<232><13>
>
> Please help!
>
> -- 
> Chris Hills
> IT Services
> North East Worcestershire College
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
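Both constraints in Hugh's reply follow from how MS-CHAPv2 (RFC 2759) is built, and both can be checked with a few lines of Python. The block below is an added illustration for this archive page; it is not Radiator code and not something either poster wrote. It generalises slightly from the {CRYPT} scheme in Chris's directory to any one-way scheme (an OpenLDAP-style {SSHA} value is constructed here), and it carries the MS-CHAPv2 computation through NtPasswordHash and ChallengeHash but stops before the final DES step, which is not needed to show the mismatch. The username, the stored password, the salt and the two 16-byte challenges are constructed sample data; the MD4 routine is included only because hashlib frequently lacks md4 on OpenSSL 3 builds.

```python
"""Added example (not Radiator code, not from the thread): why a one-way LDAP
password hash is fine for PAP but useless for MS-CHAPv2, and why the username
the server feeds into MS-CHAPv2 must be exactly the one the client sent.
All LDAP values, challenges and names below are constructed sample data."""
import base64
import hashlib
import hmac
import os
import struct


# --- PAP: the server receives the cleartext password, so a one-way hash suffices ---

def make_ssha(password: str, salt: bytes = b"") -> str:
    """Build an OpenLDAP-style {SSHA} userPassword: base64(SHA1(pw||salt) || salt)."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pap_check(stored: str, password: str) -> bool:
    """Recompute the hash from the cleartext PAP password and compare in constant time."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(hashlib.sha1(password.encode()).digest(), base64.b64decode(stored[5:]))
    raise ValueError("unsupported userPassword scheme: " + stored[:8])


# --- MS-CHAPv2 (RFC 2759): the server never sees the password, only a DES-based response ---

def md4(data: bytes) -> bytes:
    """Plain-Python MD4 (RFC 1320); hashlib's md4 is often unavailable on OpenSSL 3 builds."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rol((a + F(b, c, d) + X[i]) & M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rol((a + G(b, c, d) + X[R2[i]] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rol((a + H(b, c, d) + X[R3[i]] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)


def nt_password_hash(password: str) -> bytes:
    """RFC 2759 NtPasswordHash: MD4 over the UTF-16LE password. The server needs this value
    to check an NT-Response. It can be derived from cleartext (or stored as an NT hash) but
    never from a {SSHA}/{CRYPT} value, which is why a PAP-carrying inner method is required."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
    UserName is an input. The 8-byte result is what gets DES-encrypted (under keys derived
    from NtPasswordHash) to form the 24-byte NT-Response."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode()).digest()[:8]


def nt_response_can_match(client_username: str, server_username: str,
                          peer_challenge: bytes, authenticator_challenge: bytes) -> bool:
    """DES under a fixed key is a permutation, so the server's recomputed NT-Response can equal
    the client's only if both sides hashed the same UserName. A rewritten name guarantees failure."""
    return challenge_hash(peer_challenge, authenticator_challenge, client_username) == \
        challenge_hash(peer_challenge, authenticator_challenge, server_username)


# Constructed sample data: the user from the thread, fixed 16-byte challenges, a {SSHA} entry.
FULL_NAME = "chills@ne-worcs.ac.uk"
REWRITTEN_NAME = "chills"  # what  RewriteUsername s/^([^@]+).*/$1/  leaves behind
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))
STORED = make_ssha("correct horse", salt=b"\x01\x02\x03\x04")  # one-way hash as kept in LDAP


def demo() -> dict:
    return {
        "pap_with_one_way_hash": pap_check(STORED, "correct horse"),
        "pap_wrong_password": pap_check(STORED, "wrong"),
        "nt_hash_needs_cleartext": nt_password_hash("correct horse").hex(),
        "mschapv2_same_username": nt_response_can_match(FULL_NAME, FULL_NAME, PEER_CHALLENGE, AUTH_CHALLENGE),
        "mschapv2_after_rewrite": nt_response_can_match(FULL_NAME, REWRITTEN_NAME, PEER_CHALLENGE, AUTH_CHALLENGE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it gives pap_with_one_way_hash True and mschapv2_after_rewrite False: the {SSHA} entry is enough to verify a cleartext password delivered inside the TLS tunnel (EAP-TTLS/PAP or PEAP/EAP-GTC), whereas MS-CHAPv2 needs the MD4 NT hash and feeds the client's exact User-Name into ChallengeHash, so neither a crypt-style hash nor a rewritten name can ever produce a matching NT-Response.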

