(RADIATOR) 802.1x (PEAP w/ MSCHAPV2) to Active Directory with VLAN assignment
Hugh Irvine
hugh at open.com.au
Thu Sep 8 19:27:59 CDT 2005
Hello Virgil -
What version of Radiator are you running?
You should be running the latest Radiator 3.13 plus all patches.
I'm not quite sure what your log files correspond to, so can you
download and install Radiator 3.13 (plus the latest patches) and
retry your tests?
Please provide a bit more detail on what tests the log files
correspond to.
regards
Hugh
On 9 Sep 2005, at 09:13, Virgil wrote:
> Hi all,
>
> The goal is 802.1x for wireless and public wired ports using PEAP and
> MSCHAPv2. Theoretically, this involves the least amount of
> configuration on
> the clients, which are mainly Windows XP.
>
> Successful authentication will also provide a per-user (or Group) VLAN
> assignment, with provision for guest vlan access for non 802.1x
> clients, and
> failed authentication.
>
> Ideally, I'd like to use the userPrincipalName (UPN) authenticate
> against
> Active Directory, with a specified attribute, "pager" in this case,
> for the
> Tunnel-Private-Group-ID.
>
> What I have working so far is EAP-PEAP , with the VLAN assignment.
> This is
> because I'm using AuthBy LSA for MSCHAPV2. But I cannot work out
> how to get
> an LDAP2 AuthAttrDef parameter to work after the EAP challenge.
> I've tried
> adding a second LDAP AuthBy with NoEAP and it doesn't work.
>
> Radiator is running on Windows 2003, on the DC in this case.
> Test clients are currently a Linux machine with xsupplicant
> (xsupplicant-1.0.1-1.1.fc2.rf) and a Windows 2000 SP4 machine.
> Both are
> testing wired mode only at the moment.
>
> Anyone have any suggestions? Or see where I've gone wrong?
>
> Regards
> Virgil
>
> --
> virgil at webcentral.com.au
>
>
>
> Cisco switch config:
>
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> aaa accounting dot1x default start-stop group radius
> dot1x system-auth-control
> dot1x guest-vlan supplicant
> radius-server host 172.26.100.2 auth-port 1812 acct-port 1813 key
> mysecret
>
> interface FastEthernet0/1
> description ogre 802.1x supplicant
> switchport mode access
> udld port aggressive
> dot1x port-control auto
> dot1x timeout quiet-period 30
> dot1x timeout reauth-period 4000
> dot1x guest-vlan 666
> dot1x reauthentication
> spanning-tree portfast
> !
> interface FastEthernet0/2
> description laptop 802.1x
> switchport mode access
> udld port aggressive
> dot1x port-control auto
> dot1x timeout quiet-period 30
> dot1x timeout reauth-period 4000
> dot1x guest-vlan 666
> dot1x reauthentication
> spanning-tree portfast
>
>
> Radiator configs:
> "VOIP" in the configs, is the domain name, as this server is being
> used by
> another team member.
>
> Foreground
> LogStdout
> LogDir c:/Program Files/Radiator/logs
> DbDir c:/Program Files/Radiator
>
> Trace 4
>
> AuthPort 1812
> AcctPort 1813
>
> BindAddress 172.26.100.2
> Identifier VOIPDC
>
> <Client DEFAULT>
> Secret mysecret
> DupInterval 0
> </Client>
>
> <AuthLog FILE>
> Identifier LogLocal
> Filename %L/authlog
> LogSuccess 1
> LogFailure 1
> </AuthLog>
>
> <AuthLog FILE>
> Identifier NoLog
> Filename %L/blah
> LogSuccess 0
> LogFailure 0
> </AuthLog>
>
> <AuthBy FILE>
> Identifier USERS
> Filename %D/users
> </AuthBy>
>
> <AuthBy FILE>
> Identifier USERS-MD5
> Filename %D/users
> EAPType MD5-Challenge
> </AuthBy>
>
> <AuthBy FILE>
> Identifier USERS-PEAP
> Filename %D/users
> EAPType PEAP
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 1000
> SSLeayTrace 4
> </AuthBy>
>
> <AuthBy LSA>
> Identifier VOIP-LSA-MSCHAP
> Domain VOIPDC
> EAPType MSCHAP-V2
> </AuthBy>
>
> <AuthBy LDAP2>
> Identifier VOIP-LDAP
> NoEAP
> Host voipdctest
> FailureBackoffTime 10
> Port 3268
> #RewriteUsername s/^([^@]+).*/$1/
> ServerChecksPassword
> NoDefault
> AutoMPPEKeys
>
> AuthDN cn=Administrator,cn=Users,DC=server-voip,DC=test
> AuthPassword cisco123
> BaseDN cn=Users,DC=server-voip,DC=test
> #UsernameAttr sAMAccountName
> UsernameAttr userPrincipalName
> AuthAttrDef pager,Tunnel-Private-Group-ID,reply
> AddToReplyIfNotExist Tunnel-Type = VLAN,\
> Tunnel-Medium-Type = Ether_802
> </AuthBy>
>
> <AuthBy LDAP2>
> Identifier VOIP-LDAP-PEAP
> EAPType PEAP
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 1000
> SSLeayTrace 4
> EAPAnonymous %0
>
> Host voipdctest
> FailureBackoffTime 10
> Port 3268
> #RewriteUsername s/^([^@]+).*/$1/
> ServerChecksPassword
> NoDefault
> AutoMPPEKeys
>
> AuthDN cn=Administrator,cn=Users,DC=server-voip,DC=test
> AuthPassword cisco123
> BaseDN cn=Users,DC=server-voip,DC=test
> #UsernameAttr sAMAccountName
> UsernameAttr userPrincipalName
> </AuthBy>
>
> <AuthBy GROUP>
> Identifier PEAP-INNER
> #AuthByPolicy ContinueUntilReject
> AuthByPolicy ContinueWhileAccept
> AuthBy VOIP-LSA-MSCHAP
> AuthBy VOIP-LDAP
> </AuthBy>
>
>
> <Handler Request-Type = Accounting-Request>
> AuthLog NoLog
> </Handler>
>
> <Handler TunnelledByPEAP=1>
> AuthBy PEAP-INNER
> </Handler>
>
>
> <Handler NAS-IP-Address=/(172.26.100.\d+)/, NAS-Port-Type=Ethernet,
> Service-Type=Framed-User>
> #dot1x auth on visitor switch
>
> AuthBy VOIP-LDAP-PEAP
> RejectHasReason
> AcctLogFileName %L/detail
> </Handler>
>
>
>
> Trace 4 logs attached.
> xsupplicant: log1.txt
>
> win2000 sp4 w/ "user" - ie no realm for UPN: log2.txt
> win2000sp4 with UPN: log3a.txt and log3b.txt
>
>
>
> ....
> default xsupplicant.conf
>
> identity = <BEGIN>test30<END>
> allow_types = eap_mschapv2
>
> # right now you can do any of these methods in PEAP:
> eap-mschapv2 {
> username = <BEGIN_UNAME>test30<END_UNAME>
> password = <BEGIN_PASS>Hello123<END_PASS>
> }
> }
>
> }
>
> [root at ogre etc]# xsupplicant -i eth0 -d 10
> Using default config!
> network_list: all
> Default network: "default"
> Startup command: "echo "some command""
> First_Auth command: "dhclient %i"
> Reauth command: "echo "authenticated user %i""
> Logfile: "/var/log/xsupplicant.log"
> Allow Types: ALL
> ID: "test30 at server-voip.test"
> peap root_cert: "/usr/share/xsupplicant/root.der"
> peap root_dir: "/usr/share/xsupplicant/"
> peap crl_dir: "/usr/share/xsupplicant/"
> peap chunk: 1398
> peap rand: "/dev/urandom"
> Session Resumption = YES
> PEAP Allow Type: MSCHAPV2
> mschapv2 username: "test30"
> mschapv2 password: "Hello123"
> "some command"
>
>
>
>
>
>
>
>
>
> <log1.txt>
> <log2.txt>
> <log3a.txt>
> <log3b.txt>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list