(RADIATOR) 802.1x (PEAP w/ MSCHAPV2) to Active Directory with VLAN assignment

Hugh Irvine hugh at open.com.au
Thu Sep 8 19:27:59 CDT 2005


Hello Virgil -

What version of Radiator are you running?

You should be running the latest Radiator 3.13 plus all patches.

I'm not quite sure what your log files correspond to, so can you download and install Radiator 3.13 (plus the latest patches) and retry your tests?

Please provide a bit more detail on what tests the log files correspond to.

regards

Hugh


On 9 Sep 2005, at 09:13, Virgil wrote:

> Hi all,
>
> The goal is 802.1x for wireless and public wired ports using PEAP and
> MSCHAPv2. Theoretically, this involves the least amount of configuration
> on the clients, which are mainly Windows XP.
>
> Successful authentication will also provide a per-user (or Group) VLAN
> assignment, with provision for guest vlan access for non 802.1x clients,
> and failed authentication.
>
> Ideally, I'd like to use the userPrincipalName (UPN) to authenticate
> against Active Directory, with a specified attribute, "pager" in this
> case, for the Tunnel-Private-Group-ID.
>
> What I have working so far is EAP-PEAP, with the VLAN assignment. This is
> because I'm using AuthBy LSA for MSCHAPV2. But I cannot work out how to
> get an LDAP2 AuthAttrDef parameter to work after the EAP challenge. I've
> tried adding a second LDAP AuthBy with NoEAP and it doesn't work.
>
> Radiator is running on Windows 2003, on the DC in this case.
> Test clients are currently a Linux machine with xsupplicant
> (xsupplicant-1.0.1-1.1.fc2.rf) and a Windows 2000 SP4 machine. Both are
> testing wired mode only at the moment.
>
> Anyone have any suggestions?  Or see where I've gone wrong?
>
> Regards
> Virgil
>
> -- 
> virgil at webcentral.com.au
>
>
>
> Cisco switch config:
>
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> aaa accounting dot1x default start-stop group radius
> dot1x system-auth-control
> dot1x guest-vlan supplicant
> radius-server host 172.26.100.2 auth-port 1812 acct-port 1813 key mysecret
>
> interface FastEthernet0/1
>  description ogre 802.1x supplicant
>  switchport mode access
>  udld port aggressive
>  dot1x port-control auto
>  dot1x timeout quiet-period 30
>  dot1x timeout reauth-period 4000
>  dot1x guest-vlan 666
>  dot1x reauthentication
>  spanning-tree portfast
> !
> interface FastEthernet0/2
>  description laptop 802.1x
>  switchport mode access
>  udld port aggressive
>  dot1x port-control auto
>  dot1x timeout quiet-period 30
>  dot1x timeout reauth-period 4000
>  dot1x guest-vlan 666
>  dot1x reauthentication
>  spanning-tree portfast
>
>
> Radiator configs:
> "VOIP" in the configs, is the domain name, as this server is being used
> by another team member.
>
> Foreground
> LogStdout
> LogDir        c:/Program Files/Radiator/logs
> DbDir            c:/Program Files/Radiator
>
> Trace           4
>
> AuthPort        1812
> AcctPort        1813
>
> BindAddress     172.26.100.2
> Identifier      VOIPDC
>
> <Client DEFAULT>
>     Secret    mysecret
>     DupInterval 0
> </Client>
>
> <AuthLog FILE>
>     Identifier  LogLocal
>     Filename    %L/authlog
>     LogSuccess    1
>     LogFailure    1
> </AuthLog>
>
> <AuthLog FILE>
>     Identifier  NoLog
>     Filename    %L/blah
>     LogSuccess    0
>     LogFailure    0
> </AuthLog>
>
> <AuthBy FILE>
>     Identifier            USERS
>     Filename             %D/users
> </AuthBy>
>
> <AuthBy FILE>
>     Identifier            USERS-MD5
>     Filename             %D/users
>     EAPType             MD5-Challenge
> </AuthBy>
>
> <AuthBy FILE>
>     Identifier            USERS-PEAP
>     Filename             %D/users
>     EAPType             PEAP
>     EAPTLS_CAFile        %D/certificates/demoCA/cacert.pem
>     EAPTLS_CertificateFile    %D/certificates/cert-srv.pem
>     EAPTLS_CertificateType    PEM
>     EAPTLS_PrivateKeyFile    %D/certificates/cert-srv.pem
>     EAPTLS_PrivateKeyPassword    whatever
>     EAPTLS_MaxFragmentSize    1000
>     SSLeayTrace            4
> </AuthBy>
>
> <AuthBy LSA>
>     Identifier            VOIP-LSA-MSCHAP
>     Domain             VOIPDC
>     EAPType             MSCHAP-V2
> </AuthBy>
>
> <AuthBy LDAP2>
>     Identifier            VOIP-LDAP
>     NoEAP
>     Host                voipdctest
>     FailureBackoffTime    10
>     Port                3268
>     #RewriteUsername        s/^([^@]+).*/$1/
>     ServerChecksPassword
>     NoDefault
>     AutoMPPEKeys
>
>     AuthDN            cn=Administrator,cn=Users,DC=server-voip,DC=test
>     AuthPassword        cisco123
>     BaseDN            cn=Users,DC=server-voip,DC=test
>     #UsernameAttr        sAMAccountName
>     UsernameAttr        userPrincipalName
>     AuthAttrDef            pager,Tunnel-Private-Group-ID,reply
>     AddToReplyIfNotExist    Tunnel-Type = VLAN,\
>                     Tunnel-Medium-Type = Ether_802
> </AuthBy>
>
> <AuthBy LDAP2>
>     Identifier            VOIP-LDAP-PEAP
>     EAPType             PEAP
>     EAPTLS_CAFile        %D/certificates/demoCA/cacert.pem
>     EAPTLS_CertificateFile    %D/certificates/cert-srv.pem
>     EAPTLS_CertificateType    PEM
>     EAPTLS_PrivateKeyFile    %D/certificates/cert-srv.pem
>     EAPTLS_PrivateKeyPassword    whatever
>     EAPTLS_MaxFragmentSize    1000
>     SSLeayTrace            4
>     EAPAnonymous        %0
>
>     Host                voipdctest
>     FailureBackoffTime    10
>     Port                3268
>     #RewriteUsername        s/^([^@]+).*/$1/
>     ServerChecksPassword
>     NoDefault
>     AutoMPPEKeys
>
>     AuthDN            cn=Administrator,cn=Users,DC=server-voip,DC=test
>     AuthPassword        cisco123
>     BaseDN            cn=Users,DC=server-voip,DC=test
>     #UsernameAttr        sAMAccountName
>     UsernameAttr        userPrincipalName
> </AuthBy>
>
> <AuthBy GROUP>
>     Identifier            PEAP-INNER
>     #AuthByPolicy        ContinueUntilReject
>     AuthByPolicy        ContinueWhileAccept
>     AuthBy            VOIP-LSA-MSCHAP
>     AuthBy            VOIP-LDAP
> </AuthBy>
>
>
> <Handler Request-Type = Accounting-Request>
>     AuthLog            NoLog
> </Handler>
>
> <Handler TunnelledByPEAP=1>
>         AuthBy            PEAP-INNER
> </Handler>
>
>
> <Handler NAS-IP-Address=/(172.26.100.\d+)/, NAS-Port-Type=Ethernet,
> Service-Type=Framed-User>
> #dot1x auth on visitor switch
>
>     AuthBy            VOIP-LDAP-PEAP
>     RejectHasReason
>     AcctLogFileName        %L/detail
> </Handler>
>
>
>
> Trace 4 logs attached.
> xsupplicant: log1.txt
>
> win2000 sp4 w/ "user" - ie no realm for UPN: log2.txt
> win2000sp4 with UPN: log3a.txt and log3b.txt
>
>
>
> ....
> default xsupplicant.conf
>
>     identity = <BEGIN>test30<END>
>     allow_types = eap_mschapv2
>
>       # right now you can do any of these methods in PEAP:
>       eap-mschapv2 {
>         username = <BEGIN_UNAME>test30<END_UNAME>
>         password = <BEGIN_PASS>Hello123<END_PASS>
>       }
>   }
>
> }
>
> [root at ogre etc]# xsupplicant -i eth0 -d 10
> Using default config!
> network_list: all
> Default network: "default"
> Startup command: "echo "some command""
> First_Auth command: "dhclient %i"
> Reauth command: "echo "authenticated user %i""
> Logfile: "/var/log/xsupplicant.log"
> Allow Types: ALL
> ID: "test30 at server-voip.test"
> peap root_cert: "/usr/share/xsupplicant/root.der"
> peap root_dir: "/usr/share/xsupplicant/"
> peap crl_dir: "/usr/share/xsupplicant/"
> peap chunk: 1398
> peap rand: "/dev/urandom"
> Session Resumption = YES
> PEAP Allow Type: MSCHAPV2
> mschapv2 username: "test30"
> mschapv2 password: "Hello123"
> "some command"
>
> <log1.txt>
> <log2.txt>
> <log3a.txt>
> <log3b.txt>
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
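The VLAN assignment Virgil is configuring (AuthAttrDef pager -> Tunnel-Private-Group-ID, with Tunnel-Type = VLAN and Tunnel-Medium-Type = Ether_802 added to the reply) ends up on the wire as three tagged attributes in the Access-Accept. As an added example, not part of this thread or of Radiator's code, the Python below builds such a reply and then checks one the way the switch does: the Response Authenticator must verify against the shared secret and all three attributes must be present under one tag. The packet identifier, request authenticator and secret used here are constructed sample values.

```python
import hashlib
import struct

# RFC 2865 / RFC 2868 numbers; "VLAN" and "Ether_802" in the Radiator config encode to these
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def tagged(attr_type, tag, payload):
    # RFC 2868 tagged attribute: one tag byte, then the value
    body = bytes([tag]) + payload
    return bytes([attr_type, 2 + len(body)]) + body

def build_accept(ident, request_auth, secret, vlan_id, tag=1):
    # The three attributes a VLAN-assigning Access-Accept carries, all under one tag
    attrs = (tagged(TUNNEL_TYPE, tag, VLAN.to_bytes(3, "big"))
             + tagged(TUNNEL_MEDIUM_TYPE, tag, IEEE_802.to_bytes(3, "big"))
             + tagged(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length | RequestAuth | Attributes | Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attrs(packet):
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs

def vlan_from_accept(packet, request_auth, secret):
    """VLAN the switch would apply, or None if the reply fails authentication or is incomplete."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if code != ACCESS_ACCEPT or length != len(packet) or expected != packet[4:20]:
        return None
    groups = {}
    for t, v in parse_attrs(packet):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and v:
            # tags run 0x00-0x1F; a higher first byte means an untagged string value
            tag, body = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            groups.setdefault(tag, {})[t] = body
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == VLAN.to_bytes(3, "big")
                and g.get(TUNNEL_MEDIUM_TYPE) == IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None
```

A reply that verifies but lacks any one of the three attributes (the symptom of AuthAttrDef not firing after the inner EAP) returns None, which is what leaves the port on the guest VLAN.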

