(RADIATOR) Possible to have both MAC Address Authentication AND 802.1x (EAP-PEAP) at the same time?
Kheng Teong, Lim
ktlim at uberfusion.com
Thu Jun 16 12:23:13 CDT 2005
We are trying to setup authentication for a Local Wireless LAN using:
- Radiator
- Proxim AP-2000
We want users to authenticate via MAC Address AND 802.1x (EAP-PEAP)
encryption at the same time.
ie: The user's notebook's wlan card must be authorized to connect to the
AP-2000, followed with 802.1x. If either one fails, they don't get
connectivity, they must pass both schemes.
Is this situation possible?
Currently, the user can fail the MAC address check but pass the 802.1x
(EAP-PEAP) authentication/encryption and still have access to the network.
In the sample users file below, the first line is for MAC address check
(User-Password is the secret for Radiator)
[sample users file]
00-02-2d-37-76-e1 User-Password="test123"
wifi User-Password=wifi
[/end]
[sample radius.cfg file]
# eap_peap.cfg
LogStdout
Trace 5
AuthPort 1812
AcctPort 1813
BindAddress 192.168.1.11
# User radiator
# Group radiator
LogDir /var/log/radius
DbDir /etc/radiator
<Client DEFAULT>
Secret test123
DupInterval 2
</Client>
<Handler TunnelledByPEAP=1>
AcctLogFileName %L/detail
<AuthBy FILE>
Filename %D/users
EAPType MSCHAP-V2
</AuthBy>
</Handler>
<Handler>
<AuthBy FILE>
Filename %D/users
EAPType PEAP
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1024
AutoMPPEKeys
SSLeayTrace 4
EAPTLS_PEAPVersion 0
</AuthBy>
</Handler>
[/end]
[sample logfile]
Thu Jun 16 13:15:57 2005: DEBUG: Reading users file /etc/radiator/users
Thu Jun 16 13:15:57 2005: DEBUG: Reading users file /etc/radiator/users
Thu Jun 16 13:15:57 2005: DEBUG: Finished reading configuration file
'/etc/radiator/radius.cfg'
Thu Jun 16 13:15:57 2005: DEBUG: Reading dictionary file
'/etc/radiator/dictionary'
Thu Jun 16 13:15:58 2005: DEBUG: Creating authentication port 0.0.0.0:1812
Thu Jun 16 13:15:58 2005: DEBUG: Creating accounting port 0.0.0.0:1813
Thu Jun 16 13:15:58 2005: NOTICE: Server started: Radiator 3.8 on AAAtlas
Thu Jun 16 13:16:28 2005: DEBUG: Packet dump:
*** Received from 192.168.51.30 port 6001 ....
Packet length = 69
01 47 00 45 cd 34 00 00 36 36 00 00 07 3e 00 00
d9 15 00 00 01 13 30 30 2d 30 32 2d 32 64 2d 33
37 2d 37 36 2d 65 30 02 12 61 45 dc e1 99 c8 10
98 af 85 7d 38 de 0c 08 a1 04 06 c0 a8 33 1e 05
06 00 00 00 00
Code: Access-Request
Identifier: 71
Authentic: <205>4<0><0>66<0><0><7>><0><0><217><21><0><0>
Attributes:
User-Name = "00-02-2d-37-76-e0"
User-Password =
"aE<220><225><153><200><16><152><175><133>}8<222><12><8><161>"
NAS-IP-Address = 192.168.51.30
NAS-Port = 0
Thu Jun 16 13:16:28 2005: DEBUG: Handling request with Handler ''
Thu Jun 16 13:16:28 2005: DEBUG: Deleting session for 00-02-2d-37-76-e0,
192.168.51.30, 0
Thu Jun 16 13:16:28 2005: DEBUG: Handling with Radius::AuthFILE:
Thu Jun 16 13:16:28 2005: DEBUG: Radius::AuthFILE looks for match with
00-02-2d-37-76-e0
Thu Jun 16 13:16:28 2005: INFO: Access rejected for 00-02-2d-37-76-e0: No
such user
Thu Jun 16 13:16:28 2005: DEBUG: Packet dump:
*** Sending to 192.168.51.30 port 6001 ....
Packet length = 36
03 47 00 24 68 20 6d 7c 01 b5 a1 1d 5b 99 c0 f2
d4 13 2f d9 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code: Access-Reject
Identifier: 71
Authentic: <205>4<0><0>66<0><0><7>><0><0><217><21><0><0>
Attributes:
Reply-Message = "Request Denied"
~~~some parts snipped~~~
Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
*** Received from 192.168.51.30 port 6001 ....
Packet length = 157
01 50 00 9d 59 38 00 00 7b 3b 00 00 03 3f 00 00
e6 71 00 00 01 06 77 69 66 69 04 06 c0 a8 33 1e
1e 13 30 30 2d 32 30 2d 61 36 2d 34 39 2d 32 31
2d 35 38 1f 13 30 30 2d 30 32 2d 32 64 2d 33 37
2d 37 36 2d 65 30 20 1a 4f 52 69 4e 4f 43 4f 2d
41 50 2d 32 30 30 30 2d 34 39 2d 32 31 2d 35 38
0c 06 00 00 05 78 3d 06 00 00 00 13 4f 1f 02 0a
00 1d 19 00 17 03 01 00 12 f0 e0 c7 94 70 1f 60
1f cd fc 24 69 04 78 e7 bb 6f ee 50 12 fb 9a 0b
43 d7 b8 b0 96 d9 d1 82 ef 8b 48 f3 de
Code: Access-Request
Identifier: 80
Authentic: Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
Attributes:
User-Name = "wifi"
NAS-IP-Address = 192.168.51.30
Called-Station-Id = "00-20-a6-49-21-58"
Calling-Station-Id = "00-02-2d-37-76-e0"
NAS-Identifier = "ORiNOCO-AP-2000-49-21-58"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
EAP-Message =
<2><10><0><29><25><0><23><3><1><0><18><240><224><199><148>p<31>`<31><205><25
2>$i<4>x<231><187>o<238>
Message-Authenticator =
<251><154><11>C<215><184><176><150><217><209><130><239><139>H<243><222>
Thu Jun 16 13:16:30 2005: DEBUG: Handling request with Handler ''
Thu Jun 16 13:16:30 2005: DEBUG: Deleting session for wifi, 192.168.51.30,
Thu Jun 16 13:16:30 2005: DEBUG: Handling with Radius::AuthFILE:
Thu Jun 16 13:16:30 2005: DEBUG: Handling with EAP: code 2, 10, 29
Thu Jun 16 13:16:30 2005: DEBUG: Response type 25
Thu Jun 16 13:16:30 2005: DEBUG: EAP PEAP inner authentication request for
anonymous
Thu Jun 16 13:16:30 2005: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <186><196><12><20><19><211>(m[B<170><23><14><216><226><140>
Attributes:
EAP-Message = <2><10><0><2><26><3>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "anonymous"
NAS-IP-Address = 192.168.51.30
NAS-Identifier = "ORiNOCO-AP-2000-49-21-58"
Calling-Station-Id = "00-02-2d-37-76-e0"
Thu Jun 16 13:16:30 2005: DEBUG: Handling request with Handler
'TunnelledByPEAP=1'
Thu Jun 16 13:16:30 2005: DEBUG: Deleting session for , 192.168.51.30,
Thu Jun 16 13:16:30 2005: DEBUG: Handling with Radius::AuthFILE:
Thu Jun 16 13:16:30 2005: DEBUG: Handling with EAP: code 2, 10, 2
Thu Jun 16 13:16:30 2005: DEBUG: Response type 26
Thu Jun 16 13:16:30 2005: DEBUG: EAP result: 0,
Thu Jun 16 13:16:30 2005: DEBUG: Access accepted for anonymous
Thu Jun 16 13:16:30 2005: DEBUG: EAP result: 3, EAP PEAP inner
authentication redespatched to a Handler
Thu Jun 16 13:16:30 2005: DEBUG: Access challenged for wifi: EAP PEAP inner
authentication redespatched to a Handler
Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
*** Sending to 192.168.51.30 port 6001 ....
Packet length = 78
0b 50 00 4e 89 27 13 11 5a 52 f1 4a 15 09 3e b4
3f 33 37 d0 4f 28 01 0b 00 26 19 00 17 03 01 00
1b fd fd 64 3a 50 58 2f 02 72 9c 42 f8 84 34 2f
70 2b f0 8f 0d f5 7b fd ec 31 bd 75 50 12 b5 1c
93 af 20 42 da 4f 9f 38 e2 9a c0 be 2e 0f
Code: Access-Challenge
Identifier: 80
Authentic: Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
Attributes:
EAP-Message =
<1><11><0>&<25><0><23><3><1><0><27><253><253>d:PX/<2>r<156>B<248><132>4/p+<2
40><143><13><245>{<253><236>1<189>u
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
*** Received from 192.168.51.30 port 6001 ....
Packet length = 166
01 51 00 a6 59 38 00 00 7b 3b 00 00 03 3f 00 00
e6 71 00 00 01 06 77 69 66 69 04 06 c0 a8 33 1e
1e 13 30 30 2d 32 30 2d 61 36 2d 34 39 2d 32 31
2d 35 38 1f 13 30 30 2d 30 32 2d 32 64 2d 33 37
2d 37 36 2d 65 30 20 1a 4f 52 69 4e 4f 43 4f 2d
41 50 2d 32 30 30 30 2d 34 39 2d 32 31 2d 35 38
0c 06 00 00 05 78 3d 06 00 00 00 13 4f 28 02 0b
00 26 19 00 17 03 01 00 1b 51 46 68 8d fb f7 be
7b 40 4a dc e3 9f 8f b0 f4 02 b6 63 02 55 00 b3
78 71 02 f4 50 12 96 c3 74 90 2d b5 e1 b3 80 b3
9f 5c 56 7b 0a fa
Code: Access-Request
Identifier: 81
Authentic: Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
Attributes:
User-Name = "wifi"
NAS-IP-Address = 192.168.51.30
Called-Station-Id = "00-20-a6-49-21-58"
Calling-Station-Id = "00-02-2d-37-76-e0"
NAS-Identifier = "ORiNOCO-AP-2000-49-21-58"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
EAP-Message =
<2><11><0>&<25><0><23><3><1><0><27>QFh<141><251><247><190>{@J<220><227><159>
<143><176><244><2><182>c<2>U<0><179>xq<2><244>
Message-Authenticator =
<150><195>t<144>-<181><225><179><128><179><159>\V{<10><250>
Thu Jun 16 13:16:30 2005: DEBUG: Handling request with Handler ''
Thu Jun 16 13:16:30 2005: DEBUG: Deleting session for wifi, 192.168.51.30,
Thu Jun 16 13:16:30 2005: DEBUG: Handling with Radius::AuthFILE:
Thu Jun 16 13:16:30 2005: DEBUG: Handling with EAP: code 2, 11, 38
Thu Jun 16 13:16:30 2005: DEBUG: Response type 25
Thu Jun 16 13:16:30 2005: DEBUG: EAP result: 0,
Thu Jun 16 13:16:30 2005: DEBUG: Access accepted for wifi
Thu Jun 16 13:16:30 2005: DEBUG: Packet dump:
*** Sending to 192.168.51.30 port 6001 ....
Packet length = 160
02 51 00 a0 eb bd e9 e4 20 93 07 7a 8f 78 69 a2
4f 4a 6b d0 4f 06 03 0b 00 04 50 12 3a 1c a6 3b
3b 0e f4 5d 40 c8 7b 62 3d 83 91 c1 1a 3a 00 00
01 37 10 34 a7 dc e4 91 cc d0 9c d9 75 bf 2c 70
ef 4c 0b 2d 73 86 bf 2c dc e3 23 d3 22 e6 d5 d5
e4 47 7a bc a7 15 46 1c c9 92 62 70 bd f6 b7 af
25 0b 36 66 1d 66 1a 3a 00 00 01 37 11 34 a5 af
7a e8 0a ed d5 08 c8 70 71 7b 68 d6 56 1f 81 f6
e6 78 1b 76 8e 48 83 a7 85 8e bf 02 11 74 e5 a1
ba b3 e3 2f d7 33 b1 0f 2b 79 08 0b a0 2f 7e b2
Code: Access-Accept
Identifier: 81
Authentic: Y8<0><0>{;<0><0><3>?<0><0><230>q<0><0>
Attributes:
EAP-Message = <3><11><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
MS-MPPE-Send-Key =
"<167><220><228><145><204><208><156><217>u<191>,p<239>L<11>-s<134><191>,<220
><227>#<211>"<230><213><213><228>Gz<188><167><21>F<28><201><146>bp<189><246>
<183><175>%<11>6f$
MS-MPPE-Recv-Key =
"<165><175>z<232><10><237><213><8><200>pq{h<214>V<31><129><246><230>x<27>v<1
42>H<131><167><133><142><191><2><17>t<229><161><186><179><227>/<215>3<177><1
5>+y<8><11><160>/$
[/end]
Thanks in advance.
--
Warm Regards,
Kheng Teong, Lim
Chief Information Officer
UberFusion Sdn. Bhd.
-----------------------------------------------------------
UberFusion Sdn. Bhd.
No. 119, (3rd Floor) Jalan SS6/12,
Kelana Jaya Urban Centre,
47301 Petaling Jaya,
Selangor Darul Ehsan, MALAYSIA.
Tel: 03-7880 6580 / Fax: 03-7880 6590
http://www.uberfusion.com <http://www.uberfusion.com/>
------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.open.com.au/pipermail/radiator/attachments/20050617/3df91325/attachment.html>
More information about the radiator
mailing list