(RADIATOR) EAP and LDAP
Chris Hills
chills at ne-worcs.ac.uk
Tue Jun 7 09:03:37 CDT 2005
Hugh Irvine wrote:
>
> Hello Chris -
>
> You can only use an EAP type that uses PAP with encrypted passwords
> in your LDAP database.
>
> Further, you cannot use a RewriteUsername with MSCHAP-V2, as the full
> username as entered by the user is employed in the authentication.
>
> regards
>
> Hugh
Hugh
I have modified my configuration as follows:-
<Realm ne-worcs.ac.uk>
        # Strip everything from the first '@' onward before the AuthBy sees the name
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy LDAP2>
                Host xxx
                BaseDN o=NEW College,c=UK
                # Outer EAP method; the inner (PAP) authentication rides inside the TLS tunnel
                EAPType TTLS
                EAPTLS_CertificateType PEM
                EAPTLS_CAFile /usr/share/ssl/certs/cacert.pem
                # The same PEM file is used for the server certificate and its private key
                EAPTLS_CertificateFile /usr/share/ssl/certs/radius.pem
                EAPTLS_PrivateKeyFile /usr/share/ssl/certs/radius.pem
                # Radiator fetches the password from LDAP and checks it itself, rather than binding as the user
                ServerChecksPassword
                Debug 255
        </AuthBy>
</Realm>
However, I have still been unsuccessful in getting it to work (I have
read through the manual, the faq, the goodies and the list archive).
On the client I am using SecureW2 (on XPSP2) configured to use PAP. The
log from radiator is as follows:-
Tue Jun 7 14:45:49 2005: DEBUG: Packet dump:
*** Received from 172.18.100.14 port 2094 ....
Code: Access-Request
Identifier: 243
Authentic: :s<16>6<29>Hk^j<23><16><30>R<31><9>n
Attributes:
User-Name = "chills@ne-worcs.ac.uk"
NAS-Port = 238
NAS-Port-Type = Ethernet
NAS-IP-Address = 172.18.100.14
Service-Type = Framed-User
Framed-MTU = 1024
Calling-Station-Id = "00-06-5B-E4-0E-0B"
EAP-Message = <2><0><0><26><1>chills@ne-worcs.ac.uk
Message-Authenticator = e<217><205>;<246><8><186>[B<182><238><255><27><231><5><242>
Tue Jun 7 14:45:49 2005: DEBUG: Handling request with Handler 'Realm=ne-worcs.ac.uk'
Tue Jun 7 14:45:49 2005: DEBUG: Rewrote user name to chills
Tue Jun 7 14:45:49 2005: DEBUG: Deleting session for chills@ne-worcs.ac.uk, 172.18.100.14, 238
Tue Jun 7 14:45:49 2005: DEBUG: Handling with Radius::AuthLDAP2:
Tue Jun 7 14:45:49 2005: DEBUG: Handling with EAP: code 2, 0, 26
Tue Jun 7 14:45:49 2005: DEBUG: Response type 1
Tue Jun 7 14:45:49 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
Tue Jun 7 14:45:49 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP TTLS Challenge
Tue Jun 7 14:45:49 2005: DEBUG: Access challenged for chills: EAP TTLS Challenge
Tue Jun 7 14:45:49 2005: DEBUG: Packet dump:
*** Sending to 172.18.100.14 port 2094 ....
Code: Access-Challenge
Identifier: 243
Authentic: :s<16>6<29>Hk^j<23><16><30>R<31><9>n
Attributes:
EAP-Message = <1><1><0><6><21>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Regards
--
Chris Hills
IT Services
North East Worcestershire College
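As an added example (not part of the original post and not Radiator's own code), the following Python decodes the two EAP-Message attributes from the debug log above: the client's EAP Identity Response and the server's EAP-TTLS Start request. The packet bytes are rebuilt from Radiator's own dump notation (`<N>` is a decimal octet, anything else a literal printable character). Two assumptions are made: the archive's " at " in the identity stands for "@" (an EAP Length of 26 only fits the 21-character "chills@ne-worcs.ac.uk"), and the server reply's sixth octet, which the Length field of 6 says must be there, is the EAP-TTLS flags byte 0x20 with the Start bit set, as RFC 5281 requires for the first TTLS packet; 0x20 is a space, which is why it does not show in the dump. The `rewrite_username` helper is a Python rendering of the post's `RewriteUsername` regex, added to show what the "Rewrote user name to chills" log line is doing.

```python
"""Decode the EAP-Message attributes from the Radiator debug log.

Added example, not from the original post and not Radiator code.
Assumptions: (a) the archive's " at " is "@" in the identity, and
(b) the reply's sixth octet is the EAP-TTLS flags byte 0x20 (Start).
"""
import re
import struct
from typing import Dict

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "TLS",
             21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def decode_radiator_dump(text: str) -> bytes:
    """Turn Radiator's packet-dump notation into bytes: <N> is a decimal
    octet, any other character is a literal printable octet."""
    out = bytearray()
    for num, ch in re.findall(r"<(\d{1,3})>|(.)", text, flags=re.S):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


# Constructed from the log's "EAP-Message" dump (assumption (a): "@" restored)
IDENTITY_RESPONSE = decode_radiator_dump("<2><0><0><26><1>chills@ne-worcs.ac.uk")
# Constructed from the log's reply dump plus assumption (b): flags octet 0x20 = Start
TTLS_START = decode_radiator_dump("<1><1><0><6><21>") + bytes([0x20])


def parse_tls_flags(data: bytes) -> Dict[str, object]:
    """Decode the L/M/S flags octet shared by EAP-TLS, EAP-TTLS and PEAP,
    plus the optional 4-octet TLS message length when the L bit is set."""
    if not data:
        raise ValueError("TLS-based EAP method without a flags octet")
    flags = data[0]
    out: Dict[str, object] = {
        "length_included": bool(flags & 0x80),
        "more_fragments": bool(flags & 0x40),
        "start": bool(flags & 0x20),
        "version": flags & 0x07,
    }
    body = data[1:]
    if out["length_included"]:
        if len(body) < 4:
            raise ValueError("L bit set but no TLS message length present")
        out["tls_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    out["tls_data"] = body
    return out


def parse_eap(packet: bytes) -> Dict[str, object]:
    """Parse one EAP packet (RFC 3748 section 4): Code, Identifier, Length,
    and for Request/Response the Type octet and its type-specific data."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-octet header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"Length field {length} but {len(packet)} octets present")
    result: Dict[str, object] = {"code": EAP_CODES.get(code, code),
                                 "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type octet
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        eap_type = packet[4]
        result["type"] = EAP_TYPES.get(eap_type, eap_type)
        data = packet[5:]
        if eap_type == 1:
            result["identity"] = data.decode("utf-8", errors="replace")
        elif eap_type in (13, 21, 25):
            result.update(parse_tls_flags(data))
    return result


def rewrite_username(name: str) -> str:
    """Python equivalent of the post's RewriteUsername s/^([^@]+).*/$1/:
    keep only what precedes the first '@'."""
    return re.sub(r"^([^@]+).*", r"\1", name)


if __name__ == "__main__":
    for label, pkt in (("client", IDENTITY_RESPONSE), ("server", TTLS_START)):
        print(label, parse_eap(pkt))
    print("rewritten:", rewrite_username("chills@ne-worcs.ac.uk"))
```

Running it shows that the whole exchange in the log is only the outer EAP round: the supplicant offers its identity, and Radiator answers with a bare TTLS Start (no TLS data yet); the inner PAP credentials only appear in later packets, inside the TLS tunnel, so nothing in this trace has reached LDAP yet.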
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.