(RADIATOR) Problem with EAP_PEAP

Ricardo Martinez rmartinez at redvoiss.net
Fri Oct 6 16:56:58 CDT 2006


Hugh.
	Thanks again for your information.
	I'm trying to understand how the authentication process works when I use EAP/PEAP with Radiator.
	So far it seems very clear, but I want to understand how the certificates and keys are involved in the process.
	Do you think that you can explain it to me? Or maybe give me a web link where to look at the information?

	I'm very confused with the "OUTER" requests involved in the process.

	Another question.
	If I'm using my own certificate, signed by me, do I need to install this certificate in the client or something like that?

	Thanks!!

Ricardo.-

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Thursday, 05 October 2006 19:33
To: Ricardo Martinez
CC: radiator at open.com.au
Subject: Re: (RADIATOR) Problem with EAP_PEAP



Hello Ricardo -

Comments below.

On 6 Oct 2006, at 08:21, Ricardo Martinez wrote:

> Thanks Hugh.
> 	That really clarifies many things.  Just a correction, I guess you
> were talking about an "inner" request with the "Handler <Handler
> TunnelledByPEAP=1>" in your last paragraph?

Ooops - quite correct - I meant "inner" request.

> Another question.  So, what is the purpose of the <AuthBy FILE> in
> the other Handler (<Handler Realm=wifi-mesh.test.net>)? Do I
> need to check the user by SQL too?

The AuthBy FILE in the "outer" Handler is only there for the  
"anonymous" user - you don't need SQL.

> 	Now I was wondering about the certificates.
> 	In the README file from the certificates/ directory it says that
> the certificates included with Radiator are only sample
> certificates to test Radiator with various 802.1x authentication
> schemes. And here are my questions.

> 	- Can I use OpenSSL to generate my own certificates?

Yes.

> 	- If the above answer is yes, can I use the script goodies/
> mkcertificate.sh?

Yes.

> 	- Are the certificates I generate myself secure?

Yes. But they are private certificates, not public certificates as  
produced by a public certificate authority.

> 	- For PEAP I only need a server certificate (the cert-srv.pem
> file).  What is the purpose of the cacert.pem file?  Where is the
> public key?
>

For PEAP Radiator needs the server certificate cert-srv.pem (server
certificate) and cacert.pem (root certificate).

The Windows client machine(s) need the root.der (root "Security  
Certificate").

See the instructions in the README for what certificates go where.

regards

Hugh


> 	I really hope that someone could help me here!
>
> Thanks again!
>
> Ricardo Martinez.-
>
>
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Wednesday, 04 October 2006 20:47
> To: Ricardo Martinez
> CC: radiator at open.com.au
> Subject: Re: (RADIATOR) Problem with EAP_PEAP
>
>
>
> Hello Ricardo -
>
> EAP authentication involves a sequence of radius requests between a
> client (supplicant) and a radius server, either via a wired NAS or a
> wireless AP.
>
> The initial exchanges are called the "outer" requests, and the final
> request is called the "inner" request.
>
> The object of the exercise is to set up an encrypted tunnel so that
> the username and password can be sent securely.
>
> The details of the various flavours of EAP differ in the "outer"
> requests, but all versions eventually deliver an "inner" request that
> contains the username and password information to be authenticated.
>
> In your example below, the "outer" Handler is <Handler
> TunnelledByPEAP=1> and you can replace the <AuthBy FILE> with an
> <AuthBy SQL> to query the database for the username and password.
>
>
> <Handler TunnelledByPEAP=1>
>         <AuthBy SQL>
>                 DBSource .....
>                 DBUsername .....
>                 DBAuth .....
>                 .....
>
>                 # This tells the PEAP client what types of inner EAP requests
>                 # we will honour
>                 EAPType MSCHAP-V2
>         </AuthBy>
> </Handler>
>
>
> hope that helps
>
> regards
>
> Hugh
>
>
> On 5 Oct 2006, at 06:49, Ricardo Martinez wrote:
>
>> Sorry guys...
>> My mistake...
>> I was missing the Digest-MD4 Perl module... now it works OK.
>>
>> Anyway I would like to ask you a couple of questions... I'm a newbie
>> with EAP-PEAP authentication... so I wonder if someone can
>> illustrate to me how this authentication works. My goal is to have EAP-
>> PEAP authentication, but not from a flat users file; instead I want
>> to query my SQL database.
>> What do I need to accomplish this?
>>
>> Another question,
>> the user and password on the "client" side are checked against what
>> Handler?
>> <Handler TunnelledByPEAP=1>
>>         <AuthBy FILE>
>>                 Filename %D/users_eap
>>
>>                 # This tells the PEAP client what types of inner EAP requests
>>                 # we will honour
>>                 EAPType MSCHAP-V2
>>         </AuthBy>
>> </Handler>
>>
>>
>> <Handler Realm=wifi-mesh.test.net>
>>         <AuthBy FILE>
>>                 Filename %D/users_eap
>>
>> .....
>>
>> So, if I want to use SQL queries with my DB, where do I need to do
>> this? In the Handler TunnelledByPEAP or the Handler Realm=wifi-
>> mesh.test.net?
>>
>> Hope that someone could give me some guidelines..
>> Thanks!!
>>
>> Ricardo Martinez.-
>>
>> -----Original Message-----
>> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]
>> On behalf of Ricardo Martinez
>> Sent: Wednesday, 04 October 2006 15:26
>> To: radiator at open.com.au
>> Subject: (RADIATOR) Problem with EAP_PEAP
>>
>> Hello list.
>>         I'm getting this error for EAP PEAP.  What am I doing wrong?
>>
>> Code:       Access-Request
>> Identifier: UNDEF
>> Authentic:  M[t<151><238><194><7>7|N<9>{<218>-6)
>> Attributes:
>>         EAP-Message = <2><6><0><5><1>test
>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>         User-Name = "anonymous"
>>         NAS-IP-Address = 10.10.10.80
>>         NAS-Identifier = "Strix_E1C762F0275"
>>         NAS-Port = 1
>>         Calling-Station-Id = "00-14-BF-FE-67-33"
>>
>> Wed Oct  4 15:07:49 2006: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
>> Wed Oct  4 15:07:49 2006: DEBUG:  Deleting session for , 10.10.10.80, 1
>> Wed Oct  4 15:07:49 2006: DEBUG: Handling with Radius::AuthFILE:
>> Wed Oct  4 15:07:49 2006: DEBUG: Handling with EAP: code 2, 6, 5
>> Wed Oct  4 15:07:49 2006: DEBUG: Response type 1
>> Wed Oct  4 15:07:49 2006: ERR: Could not load EAP module Radius::EAP_26: Can't locate Digest/MD4.pm in @INC (@INC contains: . /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 .) at Radius/MSCHAP.pm line 47.
>>
>> BEGIN failed--compilation aborted at Radius/MSCHAP.pm line 47.
>> Compilation failed in require at Radius/EAP_26.pm line 14.
>> BEGIN failed--compilation aborted at Radius/EAP_26.pm line 14.
>> Compilation failed in require at (eval 91) line 3.
>>
>> Wed Oct  4 15:07:49 2006: DEBUG: EAP result: 1, Unsupported default EAP Response/Identity 26
>> Wed Oct  4 15:07:49 2006: DEBUG: AuthBy FILE result: REJECT, Unsupported default EAP Response/Identity 26
>> Wed Oct  4 15:07:49 2006: INFO: Access rejected for anonymous: Unsupported default EAP Response/Identity 26
>> Wed Oct  4 15:07:49 2006: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
>> Wed Oct  4 15:07:49 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redespatched to a Handler
>> Wed Oct  4 15:07:49 2006: DEBUG: Access challenged for linksys at wifi-mesh.test.net: EAP PEAP inner authentication redespatched to a Handler
>>
>>
>> I installed all the additional "modules" required to work with
>> eap_peap
>>
>>
>> # Requires Net_SSLeay.pm-1.21 or later from CPAN.
>> # Requires openssl 0.9.7beta3 or later from www.openssl.org
>> # Requires Digest-HMAC from CPAN
>> # Requires Digest-SHA1 from CPAN
>>
>>
>> This is part of my configuration:
>>
>> <Client 10.10.10.80>
>>         Secret  smartkey
>>         AddToRequest NAS-IP-Address=%c
>>         DefaultRealm wifi-mesh.tests.net
>>         DupInterval 0
>> </Client>
>>
>> ......
>>
>> <Handler TunnelledByPEAP=1>
>>         <AuthBy FILE>
>>                 Filename %D/users_eap
>>
>>                 # This tells the PEAP client what types of inner EAP requests
>>                 # we will honour
>>                 EAPType MSCHAP-V2
>>         </AuthBy>
>> </Handler>
>>
>>
>> <Handler Realm=wifi-mesh.test.net>
>>         <AuthBy FILE>
>>                 # The username of the outer authentication
>>                 # must be in this file to get anywhere. In this example,
>>                 # it requires an entry for 'anonymous' which is the standard username
>>                 # in the outer requests, and it also requires an entry for the
>>                 # actual user name who is trying to connect (ie the 'Login name' entered
>>                 # in the Funk Odyssey 'Edit Profile Properties' page
>>                 Filename %D/users_eap
>>
>>                 # EAPType sets the EAP type(s) that Radiator will honour.
>>                 # Options are: MD5-Challenge, One-Time-Password
>>                 # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>>                 # Multiple types can be comma separated. With the default (most
>>                 # preferred) type given first
>>                 EAPType PEAP
>>
>>                 # EAPTLS_CAFile is the name of a file of CA certificates
>>                 # in PEM format. The file can contain several CA certificates
>>                 # Radiator will first look in EAPTLS_CAFile then in
>>                 # EAPTLS_CAPath, so there usually is no need to set both
>>                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>
>>                 # EAPTLS_CertificateFile is the name of a file containing
>>                 # the servers certificate. EAPTLS_CertificateType
>>                 # specifies the type of the file. Can be PEM or ASN1
>>                 # defaults to ASN1
>>                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>>                 EAPTLS_CertificateType PEM
>>
>>                 # EAPTLS_PrivateKeyFile is the name of the file containing
>>                 # the servers private key. It is sometimes in the same file
>>                 # as the server certificate (EAPTLS_CertificateFile)
>>                 # If the private key is encrypted (usually the case)
>>                 # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>>                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>>                 EAPTLS_PrivateKeyPassword whatever
>>
>>                 # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>>                 # size that will be replied by Radiator. It must be small
>>                 # enough to fit in a single Radius request (ie less than 4096)
>>                 # and still leave enough space for other attributes
>>                 # Aironet APs seem to need a smaller MaxFragmentSize
>>                 # (eg 1024) than the default of 2048. Others need even smaller sizes.
>>                 EAPTLS_MaxFragmentSize 1000
>>
>>                 # Some clients, depending on their configuration, may require you to specify
>>                 # MPPE send and receive keys. This _will_ be required if you select
>>                 # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
>>                 # client Network Properties dialog.
>>                 # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>>                 # in the final Access-Accept
>>                 AutoMPPEKeys
>>
>>                 # You can enable some warning messages from the Net::SSLeay
>>                 # module by setting SSLeayTrace to an integer from 1 to 4
>>                 # 1=ciphers, 2=trace, 3=dump data
>>                 SSLeayTrace 4
>>
>>                 # You can control which version of the draft PEAP protocol to honour
>>                 # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
>>                 # such as Funk Odyssey Client 2.22 or later.
>>                 EAPTLS_PEAPVersion 0
>>
>>         </AuthBy>
>>         <AuthBy INTERNAL>
>>                 DefaultResult REJECT
>>         </AuthBy>
>> </Handler>
>>
>>
>> This is the users_eap file
>>
>> test       User-Password = "hhh"
>>
>> Hope that someone can help me.
>> Thanks
>>
>> Ricardo Martinez.-
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
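On the certificate questions (what cacert.pem is for, and whether a self-signed certificate has to be installed on the client), this added shell example, which is neither Radiator's goodies/mkcertificate.sh nor code from the thread, shows one way to build the files Hugh names with plain OpenSSL: a private root CA (cacert.pem, the EAPTLS_CAFile), a server certificate with its encrypted key concatenated into cert-srv.pem as the posted config expects, and root.der, the same root in DER form for import on the Windows supplicants. The subject names, the passphrase and the output paths are constructed for the example; the serverAuth extended key usage is included because Windows PEAP supplicants require it on the server certificate.

```shell
#!/bin/sh
# Added example; not Radiator's goodies/mkcertificate.sh and not code from
# the thread. Produces, with plain OpenSSL, the files the thread names:
#   cacert.pem    private root CA certificate    -> EAPTLS_CAFile
#   cert-srv.pem  server cert + encrypted key    -> EAPTLS_CertificateFile / EAPTLS_PrivateKeyFile
#   root.der      the root in DER form           -> import on Windows supplicants
# Subjects, file names and the passphrase are constructed for the example.

make_peap_certs() {
    outdir="$1"      # directory that receives the files
    server_cn="$2"   # name the supplicant will be told to expect, e.g. radius.example.test
    key_pass="$3"    # passphrase for the server key (what EAPTLS_PrivateKeyPassword holds)

    mkdir -p "$outdir" && (
        set -e
        cd "$outdir"

        # 1. Private root CA. Its key never leaves the CA host; only
        #    cacert.pem is handed to Radiator and to the supplicants.
        cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Example Private CA
CN = Example Private Root
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
        openssl genrsa -out cakey.pem 2048 2>/dev/null
        openssl req -new -x509 -sha256 -days 3650 -config ca.cnf \
            -key cakey.pem -out cacert.pem

        # 2. Server key, encrypted so the config must carry EAPTLS_PrivateKeyPassword.
        openssl genrsa -aes128 -passout "pass:$key_pass" -out srvkey.pem 2048 2>/dev/null

        # 3. CSR for the RADIUS server. The CA, not the requester, decides the extensions.
        openssl req -new -key srvkey.pem -passin "pass:$key_pass" \
            -subj "/O=Example/CN=$server_cn" -out srv.csr

        # 4. Sign as an end-entity certificate. The serverAuth EKU matters:
        #    Windows PEAP supplicants reject a server certificate without it.
        cat > srv.ext <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$server_cn
EOF
        openssl x509 -req -sha256 -days 825 -in srv.csr \
            -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
            -extfile srv.ext -out srvcert.pem 2>/dev/null

        # 5. Lay the files out the way the posted config expects them.
        cat srvcert.pem srvkey.pem > cert-srv.pem
        openssl x509 -in cacert.pem -outform DER -out root.der
        rm -f ca.cnf srv.csr srv.ext
    )
}

# The two things a supplicant checks before it sends the inner credentials:
# the server certificate chains to the configured root, and it carries the
# serverAuth EKU. Returns 0 only when both hold.
check_peap_server_cert() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Usage (paths are hypothetical):
#   make_peap_certs /etc/radiator/certificates radius.example.test 'whatever'
#   check_peap_server_cert /etc/radiator/certificates/cacert.pem /etc/radiator/certificates/srvcert.pem
```

The root CA's private key (cakey.pem) is the thing to protect: whoever holds it can mint a server certificate the supplicants will trust, so it should not sit next to the RADIUS server's files. Because the CA is private, a supplicant trusts it only once root.der has been imported, which is why the client-side step Ricardo asks about is needed; configuring the supplicant to accept only that CA (and only the expected server name) is what stops the inner MSCHAP-V2 exchange from being handed to an unexpected server.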

