(RADIATOR) EAP-TTLS and LDAP Success
Chris Hills
chills at ne-worcs.ac.uk
Fri Jun 10 04:18:47 CDT 2005
Hi
I have finally gotten Radiator to authenticate against LDAP using
EAP-TTLS. Please see the configuration below and a log excerpt.
<Realm ne-worcs.ac.uk>
    <AuthBy LDAP2>
        Identifier CheckLDAP
        Host xxx
        BaseDN o=NEW College,c=UK
        AuthDN uid=xxx
        AuthPassword xxx
        UsernameAttr mail
        PasswordAttr ntPassword
        PostSearchHook sub {my $ntpassword = $_[3]->get_check->get_attr('User-Password'); $_[3]->get_check->change_attr('User-Password', "{nthash}$ntpassword");}
        EAPType PEAP,TTLS,MSCHAP-V2
        EAPTLS_CertificateType PEM
        EAPTLS_CAFile /usr/share/ssl/certs/cacert.pem
        EAPTLS_CertificateFile /usr/share/ssl/certs/radius.pem
        EAPTLS_PrivateKeyFile /usr/share/ssl/certs/radius.pem
        AutoMPPEKeys
        Debug 255
    </AuthBy>
</Realm>

<Handler TunnelledByTTLS=1>
    AuthBy CheckLDAP
</Handler>

<Handler TunnelledByPEAP=1>
    AuthBy CheckLDAP
</Handler>
Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 3, EAP PEAP Challenge
Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP Challenge
Fri Jun 10 10:05:59 2005: DEBUG: Access challenged for anonymous: EAP PEAP Challenge
Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 3, EAP TTLS inner authentication redespatched to a Handler
Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP TTLS inner authentication redespatched to a Handler
Fri Jun 10 10:05:59 2005: DEBUG: Access challenged for xxx at ne-worcs.ac.uk: EAP TTLS inner authentication redespatched to a Handler
Fri Jun 10 10:05:59 2005: DEBUG: Handling request with Handler 'Realm=ne-worcs.ac.uk'
Fri Jun 10 10:05:59 2005: DEBUG: Deleting session for xxx at ne-worcs.ac.uk, 172.18.100.14, 238
Fri Jun 10 10:05:59 2005: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP
Fri Jun 10 10:05:59 2005: DEBUG: Handling with EAP: code 2, 6, 79
Fri Jun 10 10:05:59 2005: DEBUG: Response type 21
Fri Jun 10 10:05:59 2005: DEBUG: EAP TTLS data, 3, 6, 5
Fri Jun 10 10:05:59 2005: DEBUG: EAP TTLS inner authentication request for anonymous
Fri Jun 10 10:05:59 2005: DEBUG: Handling request with Handler 'TunnelledByTTLS=1'
Fri Jun 10 10:05:59 2005: DEBUG: Deleting session for anonymous, 172.18.100.14,
Fri Jun 10 10:05:59 2005: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP
Fri Jun 10 10:05:59 2005: DEBUG: Handling with EAP: code 2, 1, 6
Fri Jun 10 10:05:59 2005: DEBUG: Response type 3
Fri Jun 10 10:05:59 2005: INFO: EAP Nak desires type 26
Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP-V2 Challenge
Fri Jun 10 10:05:59 2005: DEBUG: Access challenged for anonymous: EAP MSCHAP-V2 Challenge
Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 3, EAP TTLS inner authentication redespatched to a Handler
Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP TTLS inner authentication redespatched to a Handler
Fri Jun 10 10:05:59 2005: DEBUG: Access challenged for xxx at ne-worcs.ac.uk: EAP TTLS inner authentication redespatched to a Handler
Fri Jun 10 10:05:59 2005: DEBUG: Handling request with Handler 'Realm=ne-worcs.ac.uk'
Fri Jun 10 10:05:59 2005: DEBUG: Deleting session for xxx at ne-worcs.ac.uk, 172.18.100.14, 238
Fri Jun 10 10:05:59 2005: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP
Fri Jun 10 10:05:59 2005: DEBUG: Handling with EAP: code 2, 7, 151
Fri Jun 10 10:05:59 2005: DEBUG: Response type 21
Fri Jun 10 10:05:59 2005: DEBUG: EAP TTLS data, 3, 7, 6
Fri Jun 10 10:05:59 2005: DEBUG: EAP TTLS inner authentication request for anonymous
Fri Jun 10 10:05:59 2005: DEBUG: Handling request with Handler 'TunnelledByTTLS=1'
Fri Jun 10 10:05:59 2005: DEBUG: Deleting session for anonymous, 172.18.100.14,
Fri Jun 10 10:05:59 2005: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP
Fri Jun 10 10:05:59 2005: DEBUG: Handling with EAP: code 2, 2, 80
Fri Jun 10 10:05:59 2005: DEBUG: Response type 26
Fri Jun 10 10:05:59 2005: INFO: Connecting to xxx, port 389
Fri Jun 10 10:05:59 2005: INFO: Attempting to bind to LDAP server xxx:389
Fri Jun 10 10:05:59 2005: DEBUG: LDAP got result for xxx
Fri Jun 10 10:05:59 2005: DEBUG: LDAP got ntPassword: BDCAD6C32FFE87F928E728F7E2
Fri Jun 10 10:05:59 2005: DEBUG: Radius::AuthLDAP2 looks for match with xxx at ne-worcs.ac.uk
Fri Jun 10 10:05:59 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Fri Jun 10 10:05:59 2005: DEBUG: Access challenged for anonymous: EAP MSCHAP V2 Challenge: Success
Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 3, EAP TTLS inner authentication redespatched to a Handler
Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP TTLS inner authentication redespatched to a Handler
Fri Jun 10 10:05:59 2005: DEBUG: Access challenged for xxx at ne-worcs.ac.uk: EAP TTLS inner authentication redespatched to a Handler
Fri Jun 10 10:05:59 2005: DEBUG: Handling request with Handler 'Realm=ne-worcs.ac.uk'
Fri Jun 10 10:05:59 2005: DEBUG: Deleting session for xxx at ne-worcs.ac.uk, 172.18.100.14, 238
Fri Jun 10 10:05:59 2005: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP
Fri Jun 10 10:05:59 2005: DEBUG: Handling with EAP: code 2, 8, 79
Fri Jun 10 10:05:59 2005: DEBUG: Response type 21
Fri Jun 10 10:05:59 2005: DEBUG: EAP TTLS data, 3, 8, 7
Fri Jun 10 10:05:59 2005: DEBUG: EAP TTLS inner authentication request for anonymous
Fri Jun 10 10:05:59 2005: DEBUG: Handling request with Handler 'TunnelledByTTLS=1'
Fri Jun 10 10:05:59 2005: DEBUG: Deleting session for anonymous, 172.18.100.14,
Fri Jun 10 10:05:59 2005: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP
Fri Jun 10 10:05:59 2005: DEBUG: Handling with EAP: code 2, 3, 6
Fri Jun 10 10:05:59 2005: DEBUG: Response type 26
Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 0,
Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: ACCEPT,
Fri Jun 10 10:05:59 2005: DEBUG: Access accepted for anonymous
Fri Jun 10 10:05:59 2005: DEBUG: EAP result: 0, EAP TTLS inner authentication redespatched to a Handler
Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: ACCEPT, EAP TTLS inner authentication redespatched to a Handler
Fri Jun 10 10:05:59 2005: DEBUG: Access accepted for xxx at ne-worcs.ac.uk
Fri Jun 10 10:05:59 2005: DEBUG: Handling request with Handler 'Realm=ne-worcs.ac.uk'
Fri Jun 10 10:05:59 2005: DEBUG: Adding session for xxx at ne-worcs.ac.uk, 172.18.100.14, 238
Fri Jun 10 10:05:59 2005: DEBUG: Handling with Radius::AuthLDAP2: CheckLDAP
Fri Jun 10 10:05:59 2005: DEBUG: AuthBy LDAP2 result: ACCEPT,
Fri Jun 10 10:05:59 2005: DEBUG: Accounting accepted
I have tested this successfully with SecureW2 and Windows XP SP2 (using PEAP-EAP-MSCHAPv2).
Regards
--
Chris Hills
IT Services
North East Worcestershire College
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.