(RADIATOR) Problem with EAP_PEAP
Hugh Irvine
hugh at open.com.au
Wed Oct 4 19:47:02 CDT 2006
Hello Ricardo -
EAP authentication involves a sequence of radius requests between a
client (supplicant) and a radius server, either via a wired NAS or a
wireless AP.
The initial exchanges are called the "outer" requests, and the final
request is called the "inner" request.
The object of the exercise is to set up an encrypted tunnel so that
the username and password can be sent securely.
The details of the various flavours of EAP differ in the "outer"
requests, but all versions eventually deliver an "inner" request that
contains the username and password information to be authenticated.
In your example below, the "outer" Handler is <Handler
TunnelledByPEAP=1> and you can replace the <AuthBy FILE> with an
<AuthBy SQL> to query the database for the username and password.
<Handler TunnelledByPEAP=1>
    <AuthBy SQL>
        DBSource .....
        DBUsername .....
        DBAuth .....
        .....
        # This tells the PEAP client what types of inner EAP requests
        # we will honour
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
hope that helps
regards
Hugh
On 5 Oct 2006, at 06:49, Ricardo Martinez wrote:
> Sorry guys...
> My mistake...
> I was missing the Digest-MD4 perl module... now it works ok.
>
> Anyway I would like to ask you a couple of questions... I'm a newbie
> with EAP-PEAP authentication... so I'm wondering if someone can
> illustrate to me how this authentication works. My goal is to have EAP-PEAP
> authentication, but not from a flat users file; instead I want
> to query my SQL database.
> What do I need to accomplish this?
>
> Another question,
> The user and password on the "client" side are checked against which
> Handler?
> <Handler TunnelledByPEAP=1>
>     <AuthBy FILE>
>         Filename %D/users_eap
>
>         # This tells the PEAP client what types of inner EAP requests
>         # we will honour
>         EAPType MSCHAP-V2
>     </AuthBy>
> </Handler>
>
>
> <Handler Realm=wifi-mesh.test.net>
>     <AuthBy FILE>
>         Filename %D/users_eap
>
>         .....
>
> So, if I want to use SQL queries with my DB, where do I need to do
> this? In the Handler TunnelledByPEAP or the Handler Realm=wifi-mesh.test.net?
>
> Hope that someone could give me some guidelines..
> Thanks!!
>
> Ricardo Martinez.-
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]
> On behalf of Ricardo Martinez
> Sent: Wednesday, 04 October 2006 15:26
> To: radiator at open.com.au
> Subject: (RADIATOR) Problem with EAP_PEAP
>
> Hello list.
> I'm getting this error for EAP PEAP. What am I doing wrong?
>
> Code: Access-Request
> Identifier: UNDEF
> Authentic: M[t<151><238><194><7>7|N<9>{<218>-6)
> Attributes:
> EAP-Message = <2><6><0><5><1>test
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> User-Name = "anonymous"
> NAS-IP-Address = 10.10.10.80
> NAS-Identifier = "Strix_E1C762F0275"
> NAS-Port = 1
> Calling-Station-Id = "00-14-BF-FE-67-33"
>
> Wed Oct 4 15:07:49 2006: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Wed Oct 4 15:07:49 2006: DEBUG: Deleting session for ,
> 10.10.10.80, 1
> Wed Oct 4 15:07:49 2006: DEBUG: Handling with Radius::AuthFILE:
> Wed Oct 4 15:07:49 2006: DEBUG: Handling with EAP: code 2, 6, 5
> Wed Oct 4 15:07:49 2006: DEBUG: Response type 1
> Wed Oct 4 15:07:49 2006: ERR: Could not load EAP module
> Radius::EAP_26: Can't locate Digest/MD4.pm in @INC (@INC
> contains: . /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/
> perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /
> usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/
> perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/
> vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/
> i386-linux-thread-multi /usr/lib/perl5/5.8.0 .) at Radius/MSCHAP.pm
> line 47.
>
> BEGIN failed--compilation aborted at Radius/MSCHAP.pm line 47.
> Compilation failed in require at Radius/EAP_26.pm line 14.
> BEGIN failed--compilation aborted at Radius/EAP_26.pm line 14.
> Compilation failed in require at (eval 91) line 3.
>
> Wed Oct 4 15:07:49 2006: DEBUG: EAP result: 1, Unsupported default
> EAP Response/Identity 26
> Wed Oct 4 15:07:49 2006: DEBUG: AuthBy FILE result: REJECT,
> Unsupported default EAP Response/Identity 26
> Wed Oct 4 15:07:49 2006: INFO: Access rejected for anonymous:
> Unsupported default EAP Response/Identity 26
> Wed Oct 4 15:07:49 2006: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redespatched to a Handler
> Wed Oct 4 15:07:49 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP
> PEAP inner authentication redespatched to a Handler
> Wed Oct 4 15:07:49 2006: DEBUG: Access challenged for linksys at wifi-
> mesh.test.net: EAP PEAP inner authentication redespatched to a Handler
>
>
> I installed all the additional "modules" required to work with
> eap_peap
>
>
> # Requires Net_SSLeay.pm-1.21 or later from CPAN.
> # Requires openssl 0.9.7beta3 or later from www.openssl.org
> # Requires Digest-HMAC from CPAN
> # Requires Digest-SHA1 from CPAN
>
>
> This is part of my configuration :
>
> <Client 10.10.10.80>
> Secret smartkey
> AddToRequest NAS-IP-Address=%c
> DefaultRealm wifi-mesh.tests.net
> DupInterval 0
> </Client>
>
> ......
>
> <Handler TunnelledByPEAP=1>
>     <AuthBy FILE>
>         Filename %D/users_eap
>
>         # This tells the PEAP client what types of inner EAP requests
>         # we will honour
>         EAPType MSCHAP-V2
>     </AuthBy>
> </Handler>
>
>
> <Handler Realm=wifi-mesh.test.net>
>     <AuthBy FILE>
>         # The username of the outer authentication
>         # must be in this file to get anywhere. In this example,
>         # it requires an entry for 'anonymous' which is the standard username
>         # in the outer requests, and it also requires an entry for the
>         # actual user name who is trying to connect (ie the 'Login name' entered
>         # in the Funk Odyssey 'Edit Profile Properties' page
>         Filename %D/users_eap
>
>         # EAPType sets the EAP type(s) that Radiator will honour.
>         # Options are: MD5-Challenge, One-Time-Password
>         # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>         # Multiple types can be comma separated. With the default (most
>         # preferred) type given first
>         EAPType PEAP
>
>         # EAPTLS_CAFile is the name of a file of CA certificates
>         # in PEM format. The file can contain several CA certificates
>         # Radiator will first look in EAPTLS_CAFile then in
>         # EAPTLS_CAPath, so there usually is no need to set both
>         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>
>         # EAPTLS_CertificateFile is the name of a file containing
>         # the servers certificate. EAPTLS_CertificateType
>         # specifies the type of the file. Can be PEM or ASN1
>         # defaults to ASN1
>         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>         EAPTLS_CertificateType PEM
>
>         # EAPTLS_PrivateKeyFile is the name of the file containing
>         # the servers private key. It is sometimes in the same file
>         # as the server certificate (EAPTLS_CertificateFile)
>         # If the private key is encrypted (usually the case)
>         # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>
>         # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>         # size that will be replied by Radiator. It must be small
>         # enough to fit in a single Radius request (ie less than 4096)
>         # and still leave enough space for other attributes
>         # Aironet APs seem to need a smaller MaxFragmentSize
>         # (eg 1024) than the default of 2048. Others need even smaller sizes.
>         EAPTLS_MaxFragmentSize 1000
>
>         # Some clients, depending on their configuration, may require you to specify
>         # MPPE send and receive keys. This _will_ be required if you select
>         # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
>         # client Network Properties dialog.
>         # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>         # in the final Access-Accept
>         AutoMPPEKeys
>
>         # You can enable some warning messages from the Net::SSLeay
>         # module by setting SSLeayTrace to an integer from 1 to 4
>         # 1=ciphers, 2=trace, 3=dump data
>         SSLeayTrace 4
>
>         # You can control which version of the draft PEAP protocol to honour
>         # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
>         # such as Funk Odyssey Client 2.22 or later.
>         EAPTLS_PEAPVersion 0
>
>     </AuthBy>
>     <AuthBy INTERNAL>
>         DefaultResult REJECT
>     </AuthBy>
> </Handler>
>
>
> This is the user_eap file
>
> test User-Password = "hhh"
>
> Hope that someone can help me
> Thanks
>
> Ricardo Martinez.-
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.