(RADIATOR) EAP and LDAP
Hugh Irvine
hugh@open.com.au
Tue Jun 7 18:30:52 CDT 2005
Hello Chris -
Thanks for the additional information.
What now appears to be happening is Radiator is sending back a TTLS
challenge, but the access point (or the client) sends nothing further.
I think you will now need to check the client and/or access point.
regards
Hugh
On 8 Jun 2005, at 00:03, Chris Hills wrote:
> Hugh Irvine wrote:
>
>
>>
>> Hello Chris -
>>
>> You can only use an EAP type that uses PAP with encrypted
>> passwords in your LDAP database.
>>
>> Further, you cannot use a RewriteUsername with MSCHAP-V2, as the
>> full username as entered by the user is employed in the
>> authentication.
>>
>> regards
>>
>> Hugh
>>
>
>
> Hugh
>
> I have modified my configuration as follows:-
>
> <Realm ne-worcs.ac.uk>
>
> RewriteUsername s/^([^@]+).*/$1/
>
> <AuthBy LDAP2>
>
> Host xxx
> BaseDN o=NEW College,c=UK
>
> EAPType TTLS
> EAPTLS_CertificateType PEM
> EAPTLS_CAFile /usr/share/ssl/certs/cacert.pem
> EAPTLS_CertificateFile /usr/share/ssl/certs/radius.pem
> EAPTLS_PrivateKeyFile /usr/share/ssl/certs/radius.pem
>
> ServerChecksPassword
> Debug 255
>
> </AuthBy>
>
> </Realm>
>
> However, I have still been unsuccessful in getting it to work (I
> have read through the manual, the faq, the goodies and the list
> archive).
>
> On the client I am using SecureW2 (on XPSP2) configured to use PAP.
> The log from radiator is as follows:-
>
> Tue Jun 7 14:45:49 2005: DEBUG: Packet dump:
> *** Received from 172.18.100.14 port 2094 ....
> Code: Access-Request
> Identifier: 243
> Authentic: :s<16>6<29>Hk^j<23><16><30>R<31><9>n
> Attributes:
> User-Name = "chills@ne-worcs.ac.uk"
> NAS-Port = 238
> NAS-Port-Type = Ethernet
> NAS-IP-Address = 172.18.100.14
> Service-Type = Framed-User
> Framed-MTU = 1024
> Calling-Station-Id = "00-06-5B-E4-0E-0B"
> EAP-Message = <2><0><0><26><1>chills@ne-worcs.ac.uk
> Message-Authenticator = e<217><205>;<246><8><186>[B<182><238><255><27><231><5><242>
>
> Tue Jun 7 14:45:49 2005: DEBUG: Handling request with Handler 'Realm=ne-worcs.ac.uk'
> Tue Jun 7 14:45:49 2005: DEBUG: Rewrote user name to chills
> Tue Jun 7 14:45:49 2005: DEBUG: Deleting session for chills@ne-worcs.ac.uk, 172.18.100.14, 238
> Tue Jun 7 14:45:49 2005: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Jun 7 14:45:49 2005: DEBUG: Handling with EAP: code 2, 0, 26
> Tue Jun 7 14:45:49 2005: DEBUG: Response type 1
> Tue Jun 7 14:45:49 2005: DEBUG: EAP result: 3, EAP TTLS Challenge
> Tue Jun 7 14:45:49 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP TTLS Challenge
> Tue Jun 7 14:45:49 2005: DEBUG: Access challenged for chills: EAP TTLS Challenge
> Tue Jun 7 14:45:49 2005: DEBUG: Packet dump:
> *** Sending to 172.18.100.14 port 2094 ....
> Code: Access-Challenge
> Identifier: 243
> Authentic: :s<16>6<29>Hk^j<23><16><30>R<31><9>n
> Attributes:
> EAP-Message = <1><1><0><6><21>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Regards
>
> --
> Chris Hills
> IT Services
> North East Worcestershire College
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce@open.com.au
To unsubscribe, email 'majordomo@open.com.au' with
'unsubscribe radiator' in the body of the message.
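The diagnosis in Hugh's reply rests on reading the two EAP-Message values in the packet dump. The following Python, an added example that is not code from the post or from Radiator, decodes them with the standard library and names what the supplicant should have sent next. The Access-Request value is reconstructed exactly as dumped (5 header bytes plus the 21-byte identity, matching the Length of 26). For the Access-Challenge value the Length field says 6 bytes but only five are visible in the dump; the sixth byte is assumed here to be 0x20, the EAP-TTLS Start flag, which Radiator's dump would print as a plain space rather than as <32>.

```python
import struct

# Added example (not code from the post or from Radiator): decode the two
# EAP-Message values in the packet dump above and say what should come next.

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}

# Reconstructed from the dump. Radiator prints non-printable bytes as <n> and
# printable ones literally. The Access-Request value is complete as shown; in
# the Access-Challenge value the Length field says 6 bytes but only five are
# visible, and the sixth (the EAP-TTLS Flags byte) is taken here to be 0x20,
# which prints as a space and is the Start flag. That byte is an assumption.
ACCESS_REQUEST_EAP = b"\x02\x00\x00\x1a\x01chills@ne-worcs.ac.uk"
ACCESS_CHALLENGE_EAP = b"\x01\x01\x00\x06\x15\x20"


def parse_eap(msg: bytes) -> dict:
    """Parse one EAP packet (RFC 3748 section 4); for type 21 also decode the
    EAP-TTLS Flags byte (RFC 5281 section 9.1)."""
    if len(msg) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError(f"Length field {length} != {len(msg)} bytes present")
    pkt = {"code": code, "code_name": EAP_CODES.get(code, "?"),
           "id": ident, "length": length}
    if code in (3, 4):           # Success / Failure carry no Type byte
        return pkt
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    eap_type, data = msg[4], msg[5:]
    pkt["type"] = eap_type
    pkt["type_name"] = EAP_TYPES.get(eap_type, "?")
    if eap_type == 1:            # Identity: the rest is the NAI as typed
        pkt["identity"] = data.decode("utf-8", "replace")
    elif eap_type == 21:         # EAP-TTLS: Flags, optional Message Length, TLS data
        if not data:
            raise ValueError("EAP-TTLS needs a Flags byte")
        flags = data[0]
        pkt["flags"] = flags
        pkt["length_included"] = bool(flags & 0x80)   # L bit
        pkt["more_fragments"] = bool(flags & 0x40)    # M bit
        pkt["start"] = bool(flags & 0x20)             # S bit
        pkt["version"] = flags & 0x07
        pkt["tls_data"] = data[5:] if pkt["length_included"] else data[1:]
    return pkt


def next_expected(challenge: dict) -> str:
    """Given the parsed Access-Challenge EAP payload, name the supplicant's
    next move. A TTLS Start with no TLS data means the server is waiting for
    an EAP-Response/EAP-TTLS carrying the TLS ClientHello."""
    if challenge["code"] != 1 or challenge.get("type") != 21:
        return "not an EAP-TTLS request"
    if challenge["start"] and not challenge["tls_data"]:
        return "EAP-Response type 21 with TLS ClientHello"
    return "EAP-Response type 21 continuing the TLS handshake"


if __name__ == "__main__":
    req = parse_eap(ACCESS_REQUEST_EAP)
    ch = parse_eap(ACCESS_CHALLENGE_EAP)
    print(f"NAS -> server: EAP {req['code_name']} id={req['id']} "
          f"{req['type_name']} identity={req['identity']!r}")
    print(f"server -> NAS: EAP {ch['code_name']} id={ch['id']} {ch['type_name']} "
          f"flags=0x{ch['flags']:02x} start={ch['start']} version={ch['version']}")
    print("next expected from the supplicant:", next_expected(ch))
```

Run stand-alone it reports an EAP-Response/Identity for chills@ne-worcs.ac.uk going in and an EAP-Request/EAP-TTLS Start (id 1, version 0, no TLS data) coming back. After a Start the supplicant must answer with an EAP-Response of type 21 carrying its ClientHello; when no further Access-Request arrives at the RADIUS server, the handshake stalled on the client or the access point, which is the conclusion Hugh draws. The Length check in parse_eap is worth keeping in any tool that reads EAP out of RADIUS, since a truncated or over-long EAP-Message is a common sign of an access point that mangles EAP fragments.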
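Two rules are quoted in the thread: only an EAP method whose inner method is PAP can be checked against encrypted passwords held in LDAP, and RewriteUsername cannot be combined with MS-CHAP-V2 because the name as typed enters the authentication. The following Python is an added example, not code from the post or from Radiator, that shows the mechanism behind both using only the standard library. The {SSHA} LDAP value, the MS-CHAPv2 challenges and the example user name are constructed here; the function names are the example's own. It stops at the 8-byte challenge and does not compute the NT-Response itself, since that needs MD4 and DES, which are not reliably available in the standard library.

```python
import base64
import hashlib
import hmac

# Added example (not code from the post or from Radiator) for the two rules
# quoted in the thread: an EAP method whose inner method is PAP can be checked
# against an {SSHA} password in LDAP, and MS-CHAPv2 cannot tolerate
# RewriteUsername. The LDAP value and challenges below are constructed.


def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} userPassword: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """What a server that checks the password itself can do once TTLS/PAP
    hands it the cleartext: re-hash with the stored salt and compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    cand = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(cand, digest)


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: SHA1(PeerChallenge ||
    AuthenticatorChallenge || UserName)[0:8]. The RFC strips only a prepended
    'DOMAIN\\' from the name; an '@realm' suffix stays in and is hashed."""
    user = username.rsplit("\\", 1)[-1]
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(user.encode("utf-8"))
    return h.digest()[:8]


def rewrite_realm(username: str) -> str:
    """The RewriteUsername from the quoted config: s/^([^@]+).*/$1/ ."""
    return username.split("@", 1)[0]


def mschapv2_challenges_agree(client_name: str, server_name: str,
                              peer_challenge: bytes, auth_challenge: bytes) -> bool:
    """The client derives its NT-Response from challenge_hash(client_name);
    the server recomputes it with the name it holds. If the two 8-byte
    challenges differ, the NT-Response check fails whatever the password is."""
    return challenge_hash(peer_challenge, auth_challenge, client_name) == \
        challenge_hash(peer_challenge, auth_challenge, server_name)


if __name__ == "__main__":
    # constructed LDAP entry: the server never needs the cleartext on disk
    stored = ssha_hash("correct horse", b"\x01\x02\x03\x04")
    print("TTLS/PAP, right password :", ssha_verify("correct horse", stored))
    print("TTLS/PAP, wrong password :", ssha_verify("wrong", stored))

    # constructed challenges; name as typed vs what RewriteUsername leaves
    peer, auth = bytes(range(16)), bytes(range(16, 32))
    typed = "chills@ne-worcs.ac.uk"
    print("MS-CHAPv2 without rewrite:",
          mschapv2_challenges_agree(typed, typed, peer, auth))
    print("MS-CHAPv2 with rewrite   :",
          mschapv2_challenges_agree(typed, rewrite_realm(typed), peer, auth))
```

The first half shows why inner PAP is the only option when LDAP stores salted hashes: the server receives the cleartext inside the TLS tunnel, so it can salt and hash it for comparison (or simply bind to LDAP with it), whereas an MS-CHAPv2 NT-Response is computed from the MD4 NT hash of the password, which cannot be derived from an {SSHA} value. The second half shows why the rewrite breaks MS-CHAPv2: the user name the supplicant typed is an input to ChallengeHash, so a server that checks the response under the rewritten name "chills" computes a different challenge from the one the client used under "chills@ne-worcs.ac.uk" and rejects every login. Because the inner PAP password travels in cleartext inside the tunnel, the supplicant must be configured to verify the server certificate against the CA in EAPTLS_CAFile; a supplicant that skips that check will hand the password to any access point presenting a TTLS Start.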