(RADIATOR) 802.1x (PEAP w/ MSCHAPV2) to Active Directory with VLAN assignment

Virgil virgil at webcentral.com.au
Thu Sep 8 18:13:25 CDT 2005


Hi all,

The goal is 802.1x for wireless and public wired ports using PEAP and
MSCHAPv2. Theoretically, this involves the least amount of configuration on
the clients, which are mainly Windows XP.

Successful authentication will also provide a per-user (or group) VLAN
assignment, with provision for guest VLAN access for non-802.1x clients and
failed authentication.

Ideally, I'd like to use the userPrincipalName (UPN) to authenticate against
Active Directory, with a specified attribute, "pager" in this case, for the
Tunnel-Private-Group-ID.

What I have working so far is EAP-PEAP, with the VLAN assignment.  This is
because I'm using AuthBy LSA for MSCHAPv2.  But I cannot work out how to get
an LDAP2 AuthAttrDef parameter to work after the EAP challenge.  I've tried
adding a second LDAP AuthBy with NoEAP and it doesn't work.

Radiator is running on Windows 2003, on the DC in this case.
Test clients are currently a Linux machine with xsupplicant
(xsupplicant-1.0.1-1.1.fc2.rf) and a Windows 2000 SP4 machine.  Both are
testing wired mode only at the moment.

Anyone have any suggestions?  Or see where I've gone wrong?

Regards
Virgil

-- 
virgil at webcentral.com.au



Cisco switch config:

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
dot1x guest-vlan supplicant
radius-server host 172.26.100.2 auth-port 1812 acct-port 1813 key mysecret

interface FastEthernet0/1
 description ogre 802.1x supplicant
 switchport mode access
 udld port aggressive
 dot1x port-control auto
 dot1x timeout quiet-period 30
 dot1x timeout reauth-period 4000
 dot1x guest-vlan 666
 dot1x reauthentication
 spanning-tree portfast
!
interface FastEthernet0/2
 description laptop 802.1x
 switchport mode access
 udld port aggressive
 dot1x port-control auto
 dot1x timeout quiet-period 30
 dot1x timeout reauth-period 4000
 dot1x guest-vlan 666
 dot1x reauthentication
 spanning-tree portfast


Radiator configs:
"VOIP" in the configs is the domain name, as this server is being used by
another team member.

Foreground
LogStdout
LogDir        c:/Program Files/Radiator/logs
DbDir            c:/Program Files/Radiator

Trace           4

AuthPort        1812
AcctPort        1813

BindAddress     172.26.100.2
Identifier      VOIPDC

<Client DEFAULT>
    Secret    mysecret
    DupInterval 0
</Client>

<AuthLog FILE>
    Identifier  LogLocal
    Filename    %L/authlog
    LogSuccess    1
    LogFailure    1
</AuthLog>

<AuthLog FILE>
    Identifier  NoLog
    Filename    %L/blah
    LogSuccess    0
    LogFailure    0
</AuthLog>

<AuthBy FILE>
    Identifier            USERS
    Filename             %D/users
</AuthBy>

<AuthBy FILE>
    Identifier            USERS-MD5
    Filename             %D/users
    EAPType             MD5-Challenge
</AuthBy>

<AuthBy FILE>
    Identifier            USERS-PEAP
    Filename             %D/users
    EAPType             PEAP
    EAPTLS_CAFile        %D/certificates/demoCA/cacert.pem
    EAPTLS_CertificateFile    %D/certificates/cert-srv.pem
    EAPTLS_CertificateType    PEM
    EAPTLS_PrivateKeyFile    %D/certificates/cert-srv.pem
    EAPTLS_PrivateKeyPassword    whatever
    EAPTLS_MaxFragmentSize    1000
    SSLeayTrace            4
</AuthBy>

<AuthBy LSA>
    Identifier            VOIP-LSA-MSCHAP
    Domain             VOIPDC
    EAPType             MSCHAP-V2
</AuthBy>

<AuthBy LDAP2>
    Identifier            VOIP-LDAP
    NoEAP
    Host                voipdctest
    FailureBackoffTime    10
    Port                3268
    #RewriteUsername        s/^([^@]+).*/$1/
    ServerChecksPassword
    NoDefault
    AutoMPPEKeys

    AuthDN            cn=Administrator,cn=Users,DC=server-voip,DC=test
    AuthPassword        cisco123
    BaseDN            cn=Users,DC=server-voip,DC=test
    #UsernameAttr        sAMAccountName
    UsernameAttr        userPrincipalName
    AuthAttrDef            pager,Tunnel-Private-Group-ID,reply
    AddToReplyIfNotExist    Tunnel-Type = VLAN,\
                    Tunnel-Medium-Type = Ether_802
</AuthBy>

<AuthBy LDAP2>
    Identifier            VOIP-LDAP-PEAP
    EAPType             PEAP
    EAPTLS_CAFile        %D/certificates/demoCA/cacert.pem
    EAPTLS_CertificateFile    %D/certificates/cert-srv.pem
    EAPTLS_CertificateType    PEM
    EAPTLS_PrivateKeyFile    %D/certificates/cert-srv.pem
    EAPTLS_PrivateKeyPassword    whatever
    EAPTLS_MaxFragmentSize    1000
    SSLeayTrace            4
    EAPAnonymous        %0

    Host                voipdctest
    FailureBackoffTime    10
    Port                3268
    #RewriteUsername        s/^([^@]+).*/$1/
    ServerChecksPassword
    NoDefault
    AutoMPPEKeys

    AuthDN            cn=Administrator,cn=Users,DC=server-voip,DC=test
    AuthPassword        cisco123
    BaseDN            cn=Users,DC=server-voip,DC=test
    #UsernameAttr        sAMAccountName
    UsernameAttr        userPrincipalName
</AuthBy>

<AuthBy GROUP>
    Identifier            PEAP-INNER
    #AuthByPolicy        ContinueUntilReject
    AuthByPolicy        ContinueWhileAccept
    AuthBy            VOIP-LSA-MSCHAP
    AuthBy            VOIP-LDAP
</AuthBy>


<Handler Request-Type = Accounting-Request>
    AuthLog            NoLog
</Handler>

<Handler TunnelledByPEAP=1>
    AuthBy            PEAP-INNER
</Handler>


<Handler NAS-IP-Address=/(172.26.100.\d+)/, NAS-Port-Type=Ethernet,
Service-Type=Framed-User>
#dot1x auth on visitor switch

    AuthBy            VOIP-LDAP-PEAP
    RejectHasReason
    AcctLogFileName        %L/detail
</Handler>



Trace 4 logs attached.
xsupplicant: log1.txt

Windows 2000 SP4 with "user", i.e. no realm for the UPN: log2.txt
Windows 2000 SP4 with UPN: log3a.txt and log3b.txt



....
default xsupplicant.conf

    identity = <BEGIN>test30<END>
    allow_types = eap_mschapv2

      # right now you can do any of these methods in PEAP:
      eap-mschapv2 {
        username = <BEGIN_UNAME>test30<END_UNAME>
        password = <BEGIN_PASS>Hello123<END_PASS>
      }
  }

}

[root at ogre etc]# xsupplicant -i eth0 -d 10
Using default config!
network_list: all
Default network: "default"
Startup command: "echo "some command""
First_Auth command: "dhclient %i"
Reauth command: "echo "authenticated user %i""
Logfile: "/var/log/xsupplicant.log"
Allow Types: ALL
ID: "test30 at server-voip.test"
peap root_cert: "/usr/share/xsupplicant/root.der"
peap root_dir: "/usr/share/xsupplicant/"
peap crl_dir: "/usr/share/xsupplicant/"
peap chunk: 1398
peap rand: "/dev/urandom"
Session Resumption = YES
PEAP Allow Type: MSCHAPV2
mschapv2 username: "test30"
mschapv2 password: "Hello123"
"some command"
Attachments (scrubbed by the list archive, available at these URLs):
log1.txt:  http://www.open.com.au/pipermail/radiator/attachments/20050909/fd01f60b/attachment.txt
log2.txt:  http://www.open.com.au/pipermail/radiator/attachments/20050909/fd01f60b/attachment-0001.txt
log3a.txt: http://www.open.com.au/pipermail/radiator/attachments/20050909/fd01f60b/attachment-0002.txt
log3b.txt: http://www.open.com.au/pipermail/radiator/attachments/20050909/fd01f60b/attachment-0003.txt
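The switch configured above takes its dynamic VLAN from the RFC 2868 tunnel attributes in the Access-Accept (Tunnel-Type = VLAN, Tunnel-Medium-Type = Ether_802, Tunnel-Private-Group-ID = the VLAN), which is what the AuthAttrDef and AddToReplyIfNotExist lines in the VOIP-LDAP AuthBy are meant to produce. As an added example, not part of Virgil's post or of Radiator or Cisco IOS, here is a stdlib-only Python encoder and decoder for those three attributes, with the consistency check an 802.1X authenticator applies (all three present, matching tag, VLAN type, 802 medium), so that a reply missing the group id, as when an LDAP lookup never runs, is visibly not a VLAN assignment. Attribute numbers and enumerated values are from RFC 2868 and RFC 3580; every byte string is constructed inline for the example.

```python
"""Encode and decode the RFC 2868 tunnel attributes that carry a dynamic VLAN
assignment in a RADIUS Access-Accept. Standard library only; every byte string
used here is constructed for the example, not captured from a real switch."""

# RADIUS attribute type codes (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Enumerated values an 802.1X authenticator expects for a VLAN assignment
TUNNEL_TYPE_VLAN = 13   # RFC 3580: Tunnel-Type "VLAN"
TUNNEL_MEDIUM_802 = 6   # RFC 2868: "802" (Radiator's dictionary names it Ether_802)


def _avp(attr_type, value):
    """One RADIUS AVP: Type, Length (of the whole AVP), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return bytes([attr_type, 2 + len(value)]) + value


def encode_vlan_attrs(vlan, tag=0):
    """Return the three AVPs that assign `vlan` (a VID or VLAN name) to the port.

    Tunnel-Type and Tunnel-Medium-Type are 4-octet fields whose first octet is
    the tag, leaving 3 octets for the integer (RFC 2868 sections 3.1 and 3.2).
    Tunnel-Private-Group-ID is a tagged string; tags are limited to 0x00-0x1F
    so the tag octet can be told apart from the first character of the string.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0x00..0x1F")
    tag_byte = bytes([tag])
    return (
        _avp(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _avp(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan).encode("ascii"))
    )


def parse_avps(data):
    """Split a RADIUS attribute block into (type, value) pairs.

    Lengths are validated before use so a truncated or lying Length octet
    raises instead of silently misaligning every following attribute.
    """
    attrs = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated AVP header at offset %d" % i)
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length %d at offset %d" % (length, i))
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def _tagged_int(value):
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def _tagged_str(value):
    if not value:
        raise ValueError("empty tagged string attribute")
    # RFC 2868 section 3.6: a first octet above 0x1F is part of the string,
    # i.e. the sender omitted the tag, which is treated as tag 0.
    if value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(data):
    """Return the VLAN (as the string the switch receives) assigned by a
    consistent Tunnel-Type=VLAN / Tunnel-Medium-Type=802 / Tunnel-Private-
    Group-ID set, or None when no tag group holds all three with those values.
    A reply carrying only Tunnel-Type and Tunnel-Medium-Type (the
    AddToReplyIfNotExist defaults with no group id) therefore yields None.
    """
    groups = {}
    for attr_type, value in parse_avps(data):
        if attr_type == TUNNEL_TYPE:
            tag, val = _tagged_int(value)
            groups.setdefault(tag, {})["type"] = val
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            tag, val = _tagged_int(value)
            groups.setdefault(tag, {})["medium"] = val
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, val = _tagged_str(value)
            groups.setdefault(tag, {})["group"] = val
    for tag in sorted(groups):
        g = groups[tag]
        if (g.get("type") == TUNNEL_TYPE_VLAN
                and g.get("medium") == TUNNEL_MEDIUM_802
                and "group" in g):
            return g["group"].decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    reply = encode_vlan_attrs(100)   # constructed VLAN id for the demo
    print(reply.hex(), "->", vlan_from_accept(reply))
```

When reading a Trace 4 log, the hex this produces for a given VLAN is what the Access-Accept should carry; if the reply shows only attributes 64 and 65, the group id lookup did not contribute, and the switch will not move the port.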