(RADIATOR) authenticating wireless client through radiator against vms radius server

Hugh Irvine hugh at open.com.au
Sat Mar 26 11:51:41 CST 2005


Hello John -

Keep in mind that EAP is actually a series of requests that are  
exchanged, with only the final one in the sequence being the one that  
contains the user credentials. The initial requests are called the  
"outer" authentication and the final request is called the "inner"  
authentication.

You should probably be using the AuthBy FILE for the "outer"  
authentication, and only proxy the "inner" authentication with the  
AuthBy RADIUS clause. Something like this (TunnelledByPEAP=1 indicates  
the "inner" request):

LogDir          /var/log/radius
DbDir           /etc/radiator

AuthPort        1812
AcctPort        1813

# Use a lower trace level in production systems:
Trace           4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
         Secret  mysecret
         DupInterval 0
</Client>

# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.

<Handler TunnelledByPEAP=1,User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/>
         <AuthBy RADIUS>
         #<AuthBy FILE>
                 #Filename %D/users

                 #VMS Radius Server
                 Host ####.######.edu
                 Secret ###########
                 AuthPort 1645
                 AcctPort 1646
                 Retries 3
                 RetryTimeout 5
                 StripFromReply Framed-IP-Netmask,Framed-Compression

                 #eap_peap.cfg contents
                 EAPType MSCHAP-V2
         </AuthBy>
</Handler>

<Handler User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/>
         <AuthBy FILE>
                 Filename %D/users
                 #eap_peap.cfg contents
                 EAPType PEAP
                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                 EAPTLS_CertificateType PEM
                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                 EAPTLS_PrivateKeyPassword whatever
                 EAPTLS_MaxFragmentSize 1000
                 AutoMPPEKeys
                 SSLeayTrace 4
                 EAPTLS_PEAPVersion 0
         </AuthBy>
</Handler>



On 25 Mar 2005, at 20:52, John Pertalion wrote:

> Hello,
>
> I'm having difficulty authenticating a client on an Aruba wireless  
> network through Radiator against a VMS based radius server.
>
> I've tried building up from several simpler scenarios and have had  
> success.  I can't get the last part working.  I'm stumped because I'm  
> not really sure of what I'm looking at in the logfile.  Any  
> suggestions are gratefully appreciated.
>
> I can authenticate through Radiator to the VMS based radius server  
> using radpwtst on the box running the Radiator server with the  
> radius.cfg listed below.  It's an adaptation of eap_peap.cfg in the  
> ./goodies
>
> I can authenticate from the Aruba switch AAA authentication test  
> through Radiator to the VMS based radius server using the same  
> radius.cfg
>
> I can authenticate from the client on the Aruba wireless network using  
> AuthBy FILE, which is basically the eap_peap.cfg.
>
> I can't authenticate from the client on the wireless network through  
> Radiator to the VMS based radius server.  I've included a log of this  
> unsuccessful attempt below.  Also is my radius.cfg and a log of a  
> successful login from the AAA authentication test on the wireless  
> switch.
>
> I'm fairly new to this, so you may need to point out the obvious.
>
> Thanks,
>
> John Pertalion
> Appalachian State University
> Boone, NC
>
>
> /***********************************************************************/
>
> my radius.cfg:
>
> LogDir          /var/log/radius
> DbDir           /etc/radiator
>
> AuthPort        1812
> AcctPort        1813
>
> # Use a lower trace level in production systems:
> Trace           4
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
>         Secret  mysecret
>         DupInterval 0
> </Client>
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> <Handler TunnelledByPEAP=1,User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/>
>         <AuthBy RADIUS>
>         #<AuthBy FILE>
>                 #Filename %D/users
>
>                 #VMS Radius Server
>                 Host ####.######.edu
>                 Secret ###########
>                 AuthPort 1645
>                 AcctPort 1646
>                 Retries 3
>                 RetryTimeout 5
>                 StripFromReply Framed-IP-Netmask,Framed-Compression
>
>                 #eap_peap.cfg contents
>                 EAPType MSCHAP-V2
>         </AuthBy>
> </Handler>
>
> <Handler User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/>
>         <AuthBy RADIUS>
>         #<AuthBy FILE>
>                 #Filename %D/users
>
>                 #VMS Radius Server
>                 Host ####.######.edu
>                 Secret ###########
>                 AuthPort 1645
>                 AcctPort 1646
>                 Retries 3
>                 RetryTimeout 5
>                 StripFromReply Framed-IP-Netmask,Framed-Compression
>
>                 #eap_peap.cfg contents
>                 EAPType PEAP
>                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>                 EAPTLS_PrivateKeyPassword whatever
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 SSLeayTrace 4
>                 EAPTLS_PEAPVersion 0
>         </AuthBy>
> </Handler>
>
>
> /***********************************************************************/
>
> Log of unsuccessful login from client:
>
> Fri Mar 25 13:23:14 2005: DEBUG: Packet dump:
> *** Received from 152.10.209.2 port 32882 ....
> Code:       Access-Request
> Identifier: 26
> Authentic:   
> o<158><182><191>X<179><224><196>w<170><138><220>;<146><215>p
> Attributes:
>         User-Name = "pertalionaj"
>         NAS-IP-Address = 152.10.209.1
>         NAS-Port = 1
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Calling-Station-Id = "0030651084D0"
>         Called-Station-Id = "000B86018580"
>         Framed-MTU = 1100
>         EAP-Message = <2><1><0><16><1>pertalionaj
>         Message-Authenticator =  
> <213>]<237><3>{<189>V8<223><134>xc<254>}<19>=
>
> Fri Mar 25 13:23:14 2005: DEBUG: Handling request with Handler  
> 'User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/'
> Fri Mar 25 13:23:14 2005: DEBUG:  Deleting session for pertalionaj,  
> 152.10.209.1, 1
> Fri Mar 25 13:23:14 2005: DEBUG: Handling with Radius::AuthRADIUS
> Fri Mar 25 13:23:14 2005: DEBUG: Packet dump:
> *** Sending to 152.10.1.40 port 1645 ....
> Code:       Access-Request
> Identifier: 1
> Authentic:   
> o<158><182><191>X<179><224><196>w<170><138><220>;<146><215>p
> Attributes:
>         User-Name = "pertalionaj"
>         NAS-IP-Address = 152.10.209.1
>         NAS-Port = 1
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Calling-Station-Id = "0030651084D0"
>         Called-Station-Id = "000B86018580"
>         Framed-MTU = 1100
>         EAP-Message = <2><1><0><16><1>pertalionaj
>         Message-Authenticator =  
> <213>]<237><3>{<189>V8<223><134>xc<254>}<19>=
>
> Fri Mar 25 13:23:14 2005: DEBUG: AuthBy RADIUS result: IGNORE,
> Fri Mar 25 13:23:15 2005: DEBUG: Packet dump:
> *** Received from 152.10.1.40 port 1645 ....
> Code:       Access-Reject
> Identifier: 1
> Authentic:  <227><131><30>.<142><137><151><8><201>Z#<173>%;<151>a
> Attributes:
>
> Fri Mar 25 13:23:15 2005: DEBUG: Received reply in AuthRADIUS for req  
> 1 from 152.10.1.40:1645
> Fri Mar 25 13:23:15 2005: INFO: Access rejected for pertalionaj:  
> Proxied
> Fri Mar 25 13:23:15 2005: DEBUG: Packet dump:
> *** Sending to 152.10.209.2 port 32882 ....
> Code:       Access-Reject
> Identifier: 26
> Authentic:   
> o<158><182><191>X<179><224><196>w<170><138><220>;<146><215>p
> Attributes:
>         Reply-Message = "Request Denied"
>
>
> /***********************************************************************/
>
> Log of successful login from Aruba Switch:
>
> Fri Mar 25 13:20:02 2005: DEBUG: Packet dump:
> *** Received from 152.10.209.2 port 32882 ....
> Code:       Access-Request
> Identifier: 25
> Authentic:  H<14><142><231>p<253><3><166>*<14><175>T<0><150><237><200>
> Attributes:
>         User-Name = "pertalionaj"
>         User-Password =  
> "<20>~<198><201><152>nR<172><155>1s<201>P<147><187>w"
>         NAS-IP-Address = 152.10.209.1
>         NAS-Port = 0
>         NAS-Port-Type = Wireless-IEEE-802-11
>
> Fri Mar 25 13:20:02 2005: DEBUG: Handling request with Handler  
> 'User-Name = /^[a-zA-Z][a-zA-Z][a-zA-Z]/'
> Fri Mar 25 13:20:02 2005: DEBUG:  Deleting session for pertalionaj,  
> 152.10.209.1, 0
> Fri Mar 25 13:20:02 2005: DEBUG: Handling with Radius::AuthRADIUS
> Fri Mar 25 13:20:02 2005: DEBUG: AuthBy RADIUS creates new local  
> socket '0.0.0.0' for sending requests
> Fri Mar 25 13:20:02 2005: DEBUG: Packet dump:
> *** Sending to 152.10.1.43 port 1645 ....
> Code:       Access-Request
> Identifier: 1
> Authentic:  H<14><142><231>p<253><3><166>*<14><175>T<0><150><237><200>
> Attributes:
>         User-Name = "pertalionaj"
>         User-Password =  
> "<132>_J<208><163><4><249><27><214>F<244><238>t<<31><179>"
>         NAS-IP-Address = 152.10.209.1
>         NAS-Port = 0
>         NAS-Port-Type = Wireless-IEEE-802-11
>
> Fri Mar 25 13:20:02 2005: DEBUG: AuthBy RADIUS result: IGNORE,
> Fri Mar 25 13:20:02 2005: DEBUG: Packet dump:
> *** Received from 152.10.1.43 port 1645 ....
> Code:       Access-Accept
> Identifier: 1
> Authentic:  <3>><175><152><170><196><135><141>Dh<151><<221><9>R<27>
> Attributes:
>
> Fri Mar 25 13:20:02 2005: DEBUG: Received reply in AuthRADIUS for req  
> 1 from 152.10.1.43:1645
> Fri Mar 25 13:20:02 2005: DEBUG: Access accepted for pertalionaj
> Fri Mar 25 13:20:02 2005: DEBUG: Packet dump:
> *** Sending to 152.10.209.2 port 32882 ....
> Code:       Access-Accept
> Identifier: 25
> Authentic:  H<14><142><231>p<253><3><166>*<14><175>T<0><150><237><200>
> Attributes:
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: I am travelling this week, so there may be delays in our  
correspondence.

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
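The first Access-Request in John's failing log carries only an EAP Identity Response (`EAP-Message = <2><1><0><16><1>pertalionaj`), which is the "outer" leg that Hugh's configuration keeps local. The helper below is an added example of mine, not part of this thread or of Radiator's own code: it decodes that attribute from a Radiator packet dump and reports which kind of Handler such a request should reach. It assumes the `<decimal>` notation for non-printable bytes seen in the dumps on this page.

```python
import re

# Radiator's packet dumps (as in John's log) print non-printable bytes as
# <decimal> and printable bytes literally; undo that to get the raw EAP packet.
# Assumed from the dump format on this page, not taken from Radiator's code.
def decode_radiator_bytes(text: str) -> bytes:
    out = bytearray()
    for m in re.finditer(r"<(\d+)>|(.)", text):
        out.append(int(m.group(1)) if m.group(1) is not None else ord(m.group(2)))
    return bytes(out)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP", 26: "MSCHAP-V2"}

def parse_eap(raw: bytes) -> dict:
    """RFC 3748 header: Code(1) Identifier(1) Length(2, big-endian) [Type(1) data]."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} does not match {len(raw)} bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # only Request/Response carry a Type
        info["type"] = EAP_TYPES.get(raw[4], raw[4])
        info["data"] = raw[5:]
    return info

def classify_request(dump: str) -> str:
    """Say which kind of Radiator Handler an Access-Request dump should reach."""
    m = re.search(r"^\s*EAP-Message = (.+?)\s*$", dump, re.M)
    if not m:
        return "no EAP-Message: plain password request, proxying to a non-EAP server works"
    eap = parse_eap(decode_radiator_bytes(m.group(1)))
    if eap.get("type") == "Identity":
        return "outer EAP Identity Response: handle locally with the PEAP AuthBy, do not proxy"
    return f"EAP {eap['code']} type {eap.get('type')}: later leg of the EAP conversation"

# Constructed samples, copied from the two packet dumps quoted in the thread.
WIRELESS_EAP_DUMP = """Code:       Access-Request
Attributes:
        User-Name = "pertalionaj"
        EAP-Message = <2><1><0><16><1>pertalionaj
"""
SWITCH_PAP_DUMP = """Code:       Access-Request
Attributes:
        User-Name = "pertalionaj"
        User-Password = "<20>~<198><201><152>nR<172><155>1s<201>P<147><187>w"
"""
```

Run `classify_request` over each dump: the wireless request decodes to a 16-byte EAP Response/Identity for "pertalionaj", while the switch test carries only a User-Password and can be proxied as-is.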
