(RADIATOR) Problem with EAP_PEAP

Hugh Irvine hugh at open.com.au
Thu Oct 5 18:33:28 CDT 2006


Hello Ricardo -

Comments below.

On 6 Oct 2006, at 08:21, Ricardo Martinez wrote:

> Thanks Hugh.
> 	That really clarifies many things.  Just a correction, I guess you
> were talking about an "inner" request with the "Handler <Handler
> TunnelledByPEAP=1>" in your last paragraph?

Ooops - quite correct - I meant "inner" request.

> Another question.  So, what is the purpose of the <AuthBy FILE> in
> the other Handler (<Handler Realm=wifi-mesh.test.net>)? Do I
> need to check the user by SQL too?

The AuthBy FILE in the "outer" Handler is only there for the  
"anonymous" user - you don't need SQL.

> 	Now I was wondering about the certificates.
> 	In the README file from the certificates/ directory it says that  
> the certificates included with radiator are only sample  
> certificates to test Radiator with various 802.1x authentication  
> schemes. And here are my questions.

> 	- Can I use OpenSSL to generate my own certificates?

Yes.

> 	- If the above answer is yes, can I use the script goodies/
> mkcertificate.sh?

Yes.

> 	- Are the certificates I generate myself secure?

Yes. But they are private certificates, not public certificates as  
produced by a public certificate authority.

> 	- For PEAP I only need a server certificate (the cert-srv.pem
> file).  What is the purpose of the cacert.pem file? Where is the
> public key?
>

For PEAP Radiator needs cert-srv.pem (the server certificate) and
cacert.pem (the root certificate).

The Windows client machine(s) need the root.der (root "Security  
Certificate").

See the instructions in the README for what certificates go where.

regards

Hugh


> 	I really hope that someone could help me here!
>
> Thanks again!
>
> Ricardo Martinez.-
>
>
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Wednesday, 04 October 2006 20:47
> To: Ricardo Martinez
> CC: radiator at open.com.au
> Subject: Re: (RADIATOR) Problem with EAP_PEAP
>
>
>
> Hello Ricardo -
>
> EAP authentication involves a sequence of radius requests between a
> client (supplicant) and a radius server, either via a wired NAS or a
> wireless AP.
>
> The initial exchanges are called the "outer" requests, and the final
> request is called the "inner" request.
>
> The object of the exercise is to set up an encrypted tunnel so that
> the username and password can be sent securely.
>
> The details of the various flavours of EAP differ in the "outer"
> requests, but all versions eventually deliver an "inner" request that
> contains the username and password information to be authenticated.
>
> In your example below, the "outer" Handler is <Handler
> TunnelledByPEAP=1> and you can replace the <AuthBy FILE> with an
> <AuthBy SQL> to query the database for the username and password.
>
>
> <Handler TunnelledByPEAP=1>
>         <AuthBy SQL>
>                 DBSource .....
>                 DBUsername .....
>                 DBAuth .....
>                 .....
>
>                 # This tells the PEAP client what types of inner EAP requests
>                 # we will honour
>                 EAPType MSCHAP-V2
>         </AuthBy>
> </Handler>
>
>
> hope that helps
>
> regards
>
> Hugh
>
>
> On 5 Oct 2006, at 06:49, Ricardo Martinez wrote:
>
>> Sorry guys...
>> My mistake...
>> I was missing the Digest-MD4 Perl module... now it works ok.
>>
>> Anyway I would like to ask you a couple of questions... I'm a newbie
>> with EAP-PEAP authentication... so I wonder if someone can
>> illustrate to me how this authentication works. My goal is to have
>> EAP-PEAP authentication, but not from a flat users file; instead I want
>> to query my SQL database.
>> What do I need to accomplish this?
>>
>> Another question,
>> The user and password on the "client" side is checked against which
>> Handler?
>> <Handler TunnelledByPEAP=1>
>>         <AuthBy FILE>
>>                 Filename %D/users_eap
>>
>>                 # This tells the PEAP client what types of inner
>> EAP requests
>>                 # we will honour
>>                 EAPType MSCHAP-V2
>>         </AuthBy>
>> </Handler>
>>
>>
>> <Handler Realm=wifi-mesh.test.net>
>>         <AuthBy FILE>
>>                    Filename %D/users_eap
>>
>> .....
>>
>> So, if I want to use SQL queries with my DB, where do I need to do
>> this? In the Handler TunnelledByPEAP or the Handler Realm=wifi-
>> mesh.test.net?
>>
>> Hope that someone can give me some guidelines.
>> Thanks!!
>>
>> Ricardo Martinez.-
>>
>>  -----Original Message-----
>> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]
>> On behalf of Ricardo Martinez
>> Sent: Wednesday, 04 October 2006 15:26
>> To: radiator at open.com.au
>> Subject: (RADIATOR) Problem with EAP_PEAP
>>
>> Hello list.
>>         I'm getting this error for EAP PEAP.  What am I doing wrong?
>>
>> Code:       Access-Request
>> Identifier: UNDEF
>> Authentic:  M[t<151><238><194><7>7|N<9>{<218>-6)
>> Attributes:
>>         EAP-Message = <2><6><0><5><1>test
>>         Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>         User-Name = "anonymous"
>>         NAS-IP-Address = 10.10.10.80
>>         NAS-Identifier = "Strix_E1C762F0275"
>>         NAS-Port = 1
>>         Calling-Station-Id = "00-14-BF-FE-67-33"
>>
>> Wed Oct  4 15:07:49 2006: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1'
>> Wed Oct  4 15:07:49 2006: DEBUG:  Deleting session for ,
>> 10.10.10.80, 1
>> Wed Oct  4 15:07:49 2006: DEBUG: Handling with Radius::AuthFILE:
>> Wed Oct  4 15:07:49 2006: DEBUG: Handling with EAP: code 2, 6, 5
>> Wed Oct  4 15:07:49 2006: DEBUG: Response type 1
>> Wed Oct  4 15:07:49 2006: ERR: Could not load EAP module
>> Radius::EAP_26: Can't locate Digest/MD4.pm in @INC (@INC
>> contains: . /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/
>> perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /
>> usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/
>> perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/
>> vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/
>> i386-linux-thread-multi /usr/lib/perl5/5.8.0 .) at Radius/MSCHAP.pm
>> line 47.
>>
>> BEGIN failed--compilation aborted at Radius/MSCHAP.pm line 47.
>> Compilation failed in require at Radius/EAP_26.pm line 14.
>> BEGIN failed--compilation aborted at Radius/EAP_26.pm line 14.
>> Compilation failed in require at (eval 91) line 3.
>>
>> Wed Oct  4 15:07:49 2006: DEBUG: EAP result: 1, Unsupported default
>> EAP Response/Identity 26
>> Wed Oct  4 15:07:49 2006: DEBUG: AuthBy FILE result: REJECT,
>> Unsupported default EAP Response/Identity 26
>> Wed Oct  4 15:07:49 2006: INFO: Access rejected for anonymous:
>> Unsupported default EAP Response/Identity 26
>> Wed Oct  4 15:07:49 2006: DEBUG: EAP result: 3, EAP PEAP inner
>> authentication redespatched to a Handler
>> Wed Oct  4 15:07:49 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP
>> PEAP inner authentication redespatched to a Handler
>> Wed Oct  4 15:07:49 2006: DEBUG: Access challenged for linksys at wifi-
>> mesh.test.net: EAP PEAP inner authentication redespatched to a  
>> Handler
>>
>>
>> I installed all the additional "modules" required to work with
>> eap_peap
>>
>>
>> # Requires Net_SSLeay.pm-1.21 or later from CPAN.
>> # Requires openssl 0.9.7beta3 or later from www.openssl.org
>> # Requires Digest-HMAC from CPAN
>> # Requires Digest-SHA1 from CPAN
>>
>>
>> This is part of my configuration :
>>
>> <Client 10.10.10.80>
>>         Secret  smartkey
>>         AddToRequest NAS-IP-Address=%c
>>         DefaultRealm wifi-mesh.test.net
>>         DupInterval 0
>> </Client>
>>
>> ......
>>
>> <Handler TunnelledByPEAP=1>
>>         <AuthBy FILE>
>>                 Filename %D/users_eap
>>
>>                 # This tells the PEAP client what types of inner
>> EAP requests
>>                 # we will honour
>>                 EAPType MSCHAP-V2
>>         </AuthBy>
>> </Handler>
>>
>>
>> <Handler Realm=wifi-mesh.test.net>
>>         <AuthBy FILE>
>>                 # The username of the outer authentication
>>                 #  must be in this file to get anywhere. In this
>> example,
>>                 # it requires an entry for 'anonymous' which is the
>> standard username
>>                 # in the outer requests, and it also requires an
>> entry for the
>>                 # actual user name who is trying to connect (ie the
>> 'Login name' entered
>>                 # in the Funk Odyssey 'Edit Profile Properties' page
>>                 Filename %D/users_eap
>>
>>                 # EAPType sets the EAP type(s) that Radiator will
>> honour.
>>                 # Options are: MD5-Challenge, One-Time-Password
>>                 # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>>                 # Multiple types can be comma separated. With the
>> default (most
>>                 # preferred) type given first
>>                 EAPType PEAP
>>
>>                 # EAPTLS_CAFile is the name of a file of CA
>> certificates
>>                 # in PEM format. The file can contain several CA
>> certificates
>>                 # Radiator will first look in EAPTLS_CAFile then in
>>                 # EAPTLS_CAPath, so there usually is no need to set
>> both
>>                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>
>>                 # EAPTLS_CertificateFile is the name of a file
>> containing
>>                 # the servers certificate. EAPTLS_CertificateType
>>                 # specifies the type of the file. Can be PEM or ASN1
>>                 # defaults to ASN1
>>                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>>                 EAPTLS_CertificateType PEM
>>
>>                 # EAPTLS_PrivateKeyFile is the name of the file
>> containing
>>                 # the servers private key. It is sometimes in the
>> same file
>>                 # as the server certificate (EAPTLS_CertificateFile)
>>                 # If the private key is encrypted (usually the case)
>>                 # then EAPTLS_PrivateKeyPassword is the key to
>> decrypt it
>>                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>>                 EAPTLS_PrivateKeyPassword whatever
>>
>>                 # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>>                 # size that will be replied by Radiator. It must be
>> small
>>                 # enough to fit in a single Radius request (ie less
>> than 4096)
>>                 # and still leave enough space for other attributes
>>                 # Aironet APs seem to need a smaller MaxFragmentSize
>>                 # (eg 1024) than the default of 2048. Others need
>> even smaller sizes.
>>                 EAPTLS_MaxFragmentSize 1000
>>
>>                 # Some clients, depending on their configuration,
>> may require you to specify
>>                 # MPPE send and receive keys. This _will_ be
>> required if you select
>>                 # 'Keys will be generated automatically for data
>> privacy' in the Funk Odyssey
>>                 # client Network Properties dialog.
>>                 # Automatically sets MS-MPPE-Send-Key and MS-MPPE-
>> Recv-Key
>>                 # in the final Access-Accept
>>                 AutoMPPEKeys
>>
>>                 # You can enable some warning messages from the
>> Net::SSLeay
>>                 # module by setting SSLeayTrace to an integer from
>> 1 to 4
>>                 # 1=ciphers, 2=trace, 3=dump data
>>                 SSLeayTrace 4
>>
>>
>>                 # You can control which version of the draft PEAP
>> protocol to honour
>>                 # with EAPTLS_PEAPVersion. Defaults to 1. Set it to
>> 0 for unusual clients,
>>                 # such as Funk Odyssey Client 2.22 or later.
>>                 EAPTLS_PEAPVersion 0
>>
>>         </AuthBy>
>>         <AuthBy INTERNAL>
>>                 DefaultResult REJECT
>>         </AuthBy>
>> </Handler>
>>
>>
>> This is the users_eap file
>>
>> test       User-Password = "hhh"
>>
>> Hope that someone can help me
>> Thanks
>>
>> Ricardo Martinez.-
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>





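To pull Hugh's answers together in one place: the "outer" Handler terminates the PEAP TLS tunnel and only ever sees the anonymous outer identity, so a flat file is enough there, while the "inner" Handler (TunnelledByPEAP=1) receives the tunnelled MSCHAP-V2 request with the real username and is where the SQL lookup belongs. The configuration below is an added example assembled from the directives already quoted in this thread; it is not a file shipped with Radiator. The DBSource, DBUsername and DBAuth values, the table and column names in AuthSelect, and the file paths are assumptions.

```text
# Added example, not from the Radiator distribution.
# Values marked "assumed" are placeholders to be replaced.

<Client 10.10.10.80>
        # Shared secret for this AP. "smartkey" is the placeholder from the
        # original post; use a long random value in production.
        Secret  smartkey
        DefaultRealm wifi-mesh.test.net
</Client>

# "Outer" leg. The AP forwards the EAP-over-RADIUS exchange that sets up the
# PEAP TLS tunnel. The only username seen here is the outer identity
# ("anonymous"), so a small users file is enough and no SQL lookup is needed.
<Handler Realm=wifi-mesh.test.net>
        <AuthBy FILE>
                # Must contain an entry for the outer identity "anonymous"
                # (see the users file in goodies/ for the exact form).
                Filename %D/users_eap
                EAPType PEAP

                # Root certificate, and server certificate + private key
                # (both in cert-srv.pem, key encrypted with the password below).
                EAPTLS_CAFile %D/certificates/cacert.pem
                EAPTLS_CertificateFile %D/certificates/cert-srv.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
                EAPTLS_PrivateKeyPassword whatever
                EAPTLS_MaxFragmentSize 1000

                # Puts MS-MPPE-Send-Key / MS-MPPE-Recv-Key in the final
                # Access-Accept so the AP can derive the wireless session keys.
                AutoMPPEKeys
        </AuthBy>
</Handler>

# "Inner" leg. Radiator re-despatches the tunnelled EAP-MSCHAP-V2 request to
# this Handler; this is where the real username and password are checked.
<Handler TunnelledByPEAP=1>
        <AuthBy SQL>
                # assumed: DBI source, database user and password
                DBSource        dbi:mysql:radius:127.0.0.1
                DBUsername      radiator
                DBAuth          change-me

                # assumed table/column names (Radiator's default query shape).
                # MSCHAP-V2 cannot be verified against a one-way hash such as
                # crypt() or SHA1: the stored password must be plaintext or an
                # NT hash (see the ref manual for the supported formats).
                AuthSelect      select PASSWORD from SUBSCRIBERS where USERNAME=%0

                # Inner EAP types offered to the PEAP client
                EAPType MSCHAP-V2
        </AuthBy>
</Handler>
```

Two things to check after dropping this in: the users_eap file referenced by the outer Handler needs only the anonymous entry, so the per-user entries (such as the "test" line in the original post) can be removed from it once the SQL lookup works; and a trace 4 debug should show the outer request handled by the Realm Handler and the "EAP PEAP inner authentication redespatched to a Handler" line followed by the TunnelledByPEAP=1 Handler running the SQL query.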

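For the certificate questions above, the following shell script is an added example (it is not goodies/mkcertificate.sh and not part of Radiator) that builds a private CA and a PEAP server certificate with plain openssl(1) and writes the three files named in the thread: cacert.pem, cert-srv.pem and root.der. The subject names, the server DNS name radius.wifi-mesh.test.net, the output directory and the key passphrase are assumptions.

```shell
#!/bin/sh
# Added example, not from Radiator or goodies/mkcertificate.sh: build a
# private CA and a PEAP server certificate with plain openssl(1).
#   cacert.pem   root certificate           (EAPTLS_CAFile)
#   cert-srv.pem server cert + encrypted key (EAPTLS_CertificateFile,
#                                             EAPTLS_PrivateKeyFile)
#   root.der     root certificate in DER form for the Windows client store
# Subject names, server name, directory and passphrase are assumptions.
set -eu

# make_peap_certs DIR [SERVER_NAME] [KEY_PASSPHRASE]
make_peap_certs() {
    dir=$1
    server_name=${2:-radius.wifi-mesh.test.net}   # assumed RADIUS server name
    key_pass=${3:-whatever}                       # matches EAPTLS_PrivateKeyPassword
    mkdir -p "$dir"
    (
        cd "$dir"

        # 1. Private root CA (self-signed, 10 years). Sign the server
        #    certificate with it, then keep cakey.pem offline.
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/O=Example Org/CN=Example Private Root CA" \
            -keyout cakey.pem -out cacert.pem 2>/dev/null

        # 2. Server key (encrypted with key_pass) and signing request.
        openssl req -new -newkey rsa:2048 -passout "pass:$key_pass" \
            -subj "/O=Example Org/CN=$server_name" \
            -keyout srvkey.pem -out srv.csr 2>/dev/null

        # 3. End-entity extensions. Windows PEAP supplicants reject a server
        #    certificate that lacks the serverAuth extended key usage.
        cat > srv.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$server_name
EOF
        openssl x509 -req -in srv.csr -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -days 730 -extfile srv.ext \
            -out srvcert.pem 2>/dev/null

        # 4. Radiator reads certificate and key from the same file.
        cat srvcert.pem srvkey.pem > cert-srv.pem
        chmod 600 cert-srv.pem srvkey.pem cakey.pem

        # 5. DER copy of the root for the Windows "Trusted Root" store.
        openssl x509 -in cacert.pem -outform DER -out root.der
        rm -f srv.csr srv.ext
    )
}

# verify_peap_certs DIR: returns 0 when the server certificate chains to
# cacert.pem, carries the serverAuth EKU and root.der matches cacert.pem.
verify_peap_certs() {
    dir=$1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/srvcert.pem" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/srvcert.pem" -noout -text \
        | grep -q 'TLS Web Server Authentication' || return 1
    [ "$(openssl x509 -in "$dir/root.der" -inform DER -noout -fingerprint)" = \
      "$(openssl x509 -in "$dir/cacert.pem" -noout -fingerprint)" ] || return 1
    return 0
}

# Usage (assumed paths):
#   make_peap_certs /etc/radiator/certificates radius.wifi-mesh.test.net whatever
#   verify_peap_certs /etc/radiator/certificates && echo "certificates OK"
```

On each Windows client, besides importing root.der into Trusted Root Certification Authorities, enable "Validate server certificate" in the PEAP settings and restrict trust to that CA. A private CA is only as secure as that check: a client that skips it will hand its MSCHAP-V2 response to any access point that presents a certificate, which is exactly the rogue-AP credential-harvesting case a private root is meant to prevent.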
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

