(RADIATOR) Problem with EAP_PEAP
Hugh Irvine
hugh at open.com.au
Fri Oct 6 17:43:57 CDT 2006
Hello Ricardo -
See section 23 in the Radiator 3.15 reference manual ("doc/ref.html").
The client needs the root certificate for the server certificate that
you are using for Radiator.
There are some useful links here:
http://www.open.com.au/radiator/technical.html#links
and of course Google has lots of useful links too.
regards
Hugh
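The answer above comes down to which certificate file goes where. As an added example, not Radiator's goodies/mkcertificate.sh and not taken from the certificates/README, the POSIX shell script below uses openssl to build a private CA and a PEAP server certificate signed by it, and writes the three files discussed in this thread: cacert.pem for EAPTLS_CAFile, cert-srv.pem (server certificate followed by its encrypted key) for EAPTLS_CertificateFile and EAPTLS_PrivateKeyFile, and root.der for import into the Windows trusted root store. The CA name, server name, output directory, passphrase and the extension set are assumptions; the serverAuth extended key usage is included because the Windows PEAP supplicant refuses a RADIUS server certificate without it.

```shell
#!/bin/sh
# Added example (not Radiator's goodies/mkcertificate.sh): build a private CA
# with openssl and issue a PEAP server certificate signed by it, producing
# cacert.pem (root, EAPTLS_CAFile), cert-srv.pem (server cert + encrypted key,
# EAPTLS_CertificateFile / EAPTLS_PrivateKeyFile) and root.der (root in DER
# form for Windows clients). Requires OpenSSL 1.1.1 or later.
set -e

WORK="${WORK:-$(mktemp -d)}"                           # output dir (assumed)
CA_CN="${CA_CN:-wifi-mesh.test.net private CA}"        # assumed CA name
SERVER_CN="${SERVER_CN:-radius.wifi-mesh.test.net}"    # assumed server name
KEY_PASS="${KEY_PASS:-whatever}"                       # EAPTLS_PrivateKeyPassword

make_ca() {
  # Key + CSR for the root; the key is encrypted with KEY_PASS.
  openssl req -new -newkey rsa:2048 -sha256 -subj "/CN=$CA_CN" \
    -passout "pass:$KEY_PASS" -keyout "$WORK/cakey.pem" -out "$WORK/ca.csr" 2>/dev/null
  # CA:TRUE and keyCertSign are what make clients accept it as a trust anchor.
  cat > "$WORK/ca.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl x509 -req -sha256 -days 3650 -in "$WORK/ca.csr" \
    -signkey "$WORK/cakey.pem" -passin "pass:$KEY_PASS" \
    -extfile "$WORK/ca.ext" -out "$WORK/cacert.pem" 2>/dev/null
  # Windows imports the root from a DER file ("root.der" in the thread).
  openssl x509 -in "$WORK/cacert.pem" -outform DER -out "$WORK/root.der"
}

make_server_cert() {
  openssl req -new -newkey rsa:2048 -sha256 -subj "/CN=$SERVER_CN" \
    -passout "pass:$KEY_PASS" -keyout "$WORK/srvkey.pem" -out "$WORK/srv.csr" 2>/dev/null
  # serverAuth EKU: required by the Windows PEAP supplicant; SAN carries the name.
  cat > "$WORK/srv.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$SERVER_CN
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
  openssl x509 -req -sha256 -days 825 -in "$WORK/srv.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -passin "pass:$KEY_PASS" \
    -CAcreateserial -extfile "$WORK/srv.ext" -out "$WORK/srvcert.pem" 2>/dev/null
  # The sample config points EAPTLS_CertificateFile and EAPTLS_PrivateKeyFile
  # at one file, so ship the certificate and the encrypted key together.
  cat "$WORK/srvcert.pem" "$WORK/srvkey.pem" > "$WORK/cert-srv.pem"
}

# Checks to run before pointing Radiator (and the clients) at the files.
chain_verifies() {        # server cert chains to the private root
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/srvcert.pem" >/dev/null 2>&1
}
has_server_auth_eku() {   # EKU survived into the combined cert-srv.pem
  openssl x509 -in "$WORK/cert-srv.pem" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Server Authentication'
}
key_is_encrypted() {      # the private key is not stored in the clear
  grep -q 'ENCRYPTED PRIVATE KEY' "$WORK/cert-srv.pem"
}
root_der_matches() {      # root.der is the same certificate as cacert.pem
  [ "$(openssl x509 -in "$WORK/root.der" -inform DER -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$WORK/cacert.pem" -noout -fingerprint -sha256)" ]
}

case "${1:-}" in
  run)
    make_ca
    make_server_cert
    chain_verifies && has_server_auth_eku && key_is_encrypted && root_der_matches \
      && echo "OK: files written to $WORK"
    ;;
esac
```

Run it as `sh make-peap-certs.sh run`, then set EAPTLS_CAFile to cacert.pem, EAPTLS_CertificateFile and EAPTLS_PrivateKeyFile to cert-srv.pem and EAPTLS_PrivateKeyPassword to the passphrase, and import root.der on every client. Installing the root is only half of it: the supplicant must also be configured to validate the server certificate and to trust only this CA (and, where the client allows it, only this server name), because a client that skips validation will complete the outer TLS handshake with any access point that presents any certificate and then send its MSCHAP-V2 response to it.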
On 7 Oct 2006, at 07:56, Ricardo Martinez wrote:
> Hugh.
> Thanks again for your information.
> I'm trying to understand how the authentication process works when
> I use EAP/PEAP with Radiator.
> So far it seems very clear, but I want to understand how the
> certificates and keys are involved in the process.
> Do you think that you can explain it to me? Or maybe give me a web
> link where to look at the information?
>
> I'm very confused with the "OUTER" requests involved in the process.
>
> Another question.
> If I'm using my own certificate, signed by me, do I need to
> install this certificate in the client or something like that?
>
> Thanks!!
>
> Ricardo.-
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Thursday, 05 October 2006 19:33
> To: Ricardo Martinez
> CC: radiator at open.com.au
> Subject: Re: (RADIATOR) Problem with EAP_PEAP
>
>
>
> Hello Ricardo -
>
> Comments below.
>
> On 6 Oct 2006, at 08:21, Ricardo Martinez wrote:
>
>> Thanks Hugh.
>> That really clarifies many things. Just a correction: I guess you
>> were talking about an "inner" request with the "Handler <Handler
>> TunnelledByPEAP=1>" in your last paragraph.
>
> Ooops - quite correct - I meant "inner" request.
>
>> Another question. So, what is the purpose of the <AuthBy FILE> in
>> the other Handler (<Handler Realm=wifi-mesh.test.net>)? Do I
>> need to check the user by SQL too?
>
> The AuthBy FILE in the "outer" Handler is only there for the
> "anonymous" user - you don't need SQL.
>
>> Now I was wondering about the certificates.
>> In the README file from the certificates/ directory it says that
>> the certificates included with radiator are only sample
>> certificates to test Radiator with various 802.1x authentication
>> schemes. And here are my questions.
>
>> - Can I use OpenSSL to generate my own certificates?
>
> Yes.
>
>> - If the above answer is yes, can I use the script goodies/
>> mkcertificate.sh?
>
> Yes.
>
>> - Are the certificates I generate myself secure?
>
> Yes. But they are private certificates, not public certificates as
> produced by a public certificate authority.
>
>> - For PEAP I only need a server certificate (the cert-srv.pem
>> file). What is the purpose of the cacert.pem file? Where is the
>> public key?
>>
>
> For PEAP Radiator needs the server certificate cert-srv.pem (server
> certificate) and cacert.pem (root certificate).
>
> The Windows client machine(s) need the root.der (root "Security
> Certificate").
>
> See the instructions in the README for what certificates go where.
>
> regards
>
> Hugh
>
>
>> I really hope that someone could help me here!
>>
>> Thanks again!
>>
>> Ricardo Martinez.-
>>
>>
>>
>>
>> -----Original Message-----
>> From: Hugh Irvine [mailto:hugh at open.com.au]
>> Sent: Wednesday, 04 October 2006 20:47
>> To: Ricardo Martinez
>> CC: radiator at open.com.au
>> Subject: Re: (RADIATOR) Problem with EAP_PEAP
>>
>>
>>
>> Hello Ricardo -
>>
>> EAP authentication involves a sequence of radius requests between a
>> client (supplicant) and a radius server, either via a wired NAS or a
>> wireless AP.
>>
>> The initial exchanges are called the "outer" requests, and the final
>> request is called the "inner" request.
>>
>> The object of the exercise is to set up an encrypted tunnel so that
>> the username and password can be sent securely.
>>
>> The details of the various flavours of EAP differ in the "outer"
>> requests, but all versions eventually deliver an "inner" request that
>> contains the username and password information to be authenticated.
>>
>> In your example below, the "outer" Handler is <Handler
>> TunnelledByPEAP=1> and you can replace the <AuthBy FILE> with an
>> <AuthBy SQL> to query the database for the username and password.
>>
>>
>> <Handler TunnelledByPEAP=1>
>>     <AuthBy SQL>
>>         DBSource .....
>>         DBUsername .....
>>         DBAuth .....
>>         .....
>>
>>         # This tells the PEAP client what types of inner EAP requests
>>         # we will honour
>>         EAPType MSCHAP-V2
>>     </AuthBy>
>> </Handler>
>>
>>
>> hope that helps
>>
>> regards
>>
>> Hugh
>>
>>
>> On 5 Oct 2006, at 06:49, Ricardo Martinez wrote:
>>
>>> Sorry guys...
>>> My mistake...
>>> I was missing the Digest-MD4 perl module... now it works ok.
>>>
>>> Anyway I would like to ask you a couple of questions... I'm a newbie
>>> with EAP-PEAP authentication... so I wonder if someone can
>>> illustrate for me how this authentication works. My goal is to have
>>> EAP-PEAP authentication, but not from a flat users file; instead I
>>> want to query my SQL database.
>>> What do I need to accomplish this?
>>>
>>> Another question,
>>> The user and password on the "client" side are checked against what
>>> Handler?
>>> <Handler TunnelledByPEAP=1>
>>>     <AuthBy FILE>
>>>         Filename %D/users_eap
>>>
>>>         # This tells the PEAP client what types of inner EAP requests
>>>         # we will honour
>>>         EAPType MSCHAP-V2
>>>     </AuthBy>
>>> </Handler>
>>>
>>>
>>> <Handler Realm=wifi-mesh.test.net>
>>>     <AuthBy FILE>
>>>         Filename %D/users_eap
>>>
>>>         .....
>>>
>>> So, if I want to use SQL queries with my DB, where do I need to do
>>> this? In the Handler TunnelledByPEAP or the Handler Realm=wifi-
>>> mesh.test.net?
>>>
>>> Hope that someone could give me some guidelines..
>>> Thanks!!
>>>
>>> Ricardo Martinez.-
>>>
>>> -----Original Message-----
>>> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]
>>> On behalf of Ricardo Martinez
>>> Sent: Wednesday, 04 October 2006 15:26
>>> To: radiator at open.com.au
>>> Subject: (RADIATOR) Problem with EAP_PEAP
>>>
>>> Hello list.
>>> I'm getting this error for EAP PEAP. What am I doing wrong?
>>>
>>> Code: Access-Request
>>> Identifier: UNDEF
>>> Authentic: M[t<151><238><194><7>7|N<9>{<218>-6)
>>> Attributes:
>>> EAP-Message = <2><6><0><5><1>test
>>> Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>> User-Name = "anonymous"
>>> NAS-IP-Address = 10.10.10.80
>>> NAS-Identifier = "Strix_E1C762F0275"
>>> NAS-Port = 1
>>> Calling-Station-Id = "00-14-BF-FE-67-33"
>>>
>>> Wed Oct 4 15:07:49 2006: DEBUG: Handling request with Handler
>>> 'TunnelledByPEAP=1'
>>> Wed Oct 4 15:07:49 2006: DEBUG: Deleting session for ,
>>> 10.10.10.80, 1
>>> Wed Oct 4 15:07:49 2006: DEBUG: Handling with Radius::AuthFILE:
>>> Wed Oct 4 15:07:49 2006: DEBUG: Handling with EAP: code 2, 6, 5
>>> Wed Oct 4 15:07:49 2006: DEBUG: Response type 1
>>> Wed Oct 4 15:07:49 2006: ERR: Could not load EAP module
>>> Radius::EAP_26: Can't locate Digest/MD4.pm in @INC (@INC contains:
>>> . /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0
>>> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
>>> /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl
>>> /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
>>> /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl
>>> /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 .)
>>> at Radius/MSCHAP.pm line 47.
>>>
>>> BEGIN failed--compilation aborted at Radius/MSCHAP.pm line 47.
>>> Compilation failed in require at Radius/EAP_26.pm line 14.
>>> BEGIN failed--compilation aborted at Radius/EAP_26.pm line 14.
>>> Compilation failed in require at (eval 91) line 3.
>>>
>>> Wed Oct 4 15:07:49 2006: DEBUG: EAP result: 1, Unsupported default
>>> EAP Response/Identity 26
>>> Wed Oct 4 15:07:49 2006: DEBUG: AuthBy FILE result: REJECT,
>>> Unsupported default EAP Response/Identity 26
>>> Wed Oct 4 15:07:49 2006: INFO: Access rejected for anonymous:
>>> Unsupported default EAP Response/Identity 26
>>> Wed Oct 4 15:07:49 2006: DEBUG: EAP result: 3, EAP PEAP inner
>>> authentication redespatched to a Handler
>>> Wed Oct 4 15:07:49 2006: DEBUG: AuthBy FILE result: CHALLENGE, EAP
>>> PEAP inner authentication redespatched to a Handler
>>> Wed Oct 4 15:07:49 2006: DEBUG: Access challenged for linksys at wifi-
>>> mesh.test.net: EAP PEAP inner authentication redespatched to a
>>> Handler
>>>
>>>
>>> I installed all the additional "modules" required to work with
>>> eap_peap
>>>
>>>
>>> # Requires Net_SSLeay.pm-1.21 or later from CPAN.
>>> # Requires openssl 0.9.7beta3 or later from www.openssl.org
>>> # Requires Digest-HMAC from CPAN
>>> # Requires Digest-SHA1 from CPAN
>>>
>>>
>>> This is part of my configuration:
>>>
>>> <Client 10.10.10.80>
>>>     Secret smartkey
>>>     AddToRequest NAS-IP-Address=%c
>>>     DefaultRealm wifi-mesh.test.net
>>>     DupInterval 0
>>> </Client>
>>>
>>> ......
>>>
>>> <Handler TunnelledByPEAP=1>
>>>     <AuthBy FILE>
>>>         Filename %D/users_eap
>>>
>>>         # This tells the PEAP client what types of inner EAP requests
>>>         # we will honour
>>>         EAPType MSCHAP-V2
>>>     </AuthBy>
>>> </Handler>
>>>
>>>
>>> <Handler Realm=wifi-mesh.test.net>
>>>     <AuthBy FILE>
>>>         # The username of the outer authentication
>>>         # must be in this file to get anywhere. In this example,
>>>         # it requires an entry for 'anonymous' which is the standard username
>>>         # in the outer requests, and it also requires an entry for the
>>>         # actual user name who is trying to connect (ie the 'Login name' entered
>>>         # in the Funk Odyssey 'Edit Profile Properties' page)
>>>         Filename %D/users_eap
>>>
>>>         # EAPType sets the EAP type(s) that Radiator will honour.
>>>         # Options are: MD5-Challenge, One-Time-Password
>>>         # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>>>         # Multiple types can be comma separated, with the default (most
>>>         # preferred) type given first
>>>         EAPType PEAP
>>>
>>>         # EAPTLS_CAFile is the name of a file of CA certificates
>>>         # in PEM format. The file can contain several CA certificates.
>>>         # Radiator will first look in EAPTLS_CAFile then in
>>>         # EAPTLS_CAPath, so there usually is no need to set both
>>>         EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>>
>>>         # EAPTLS_CertificateFile is the name of a file containing
>>>         # the server's certificate. EAPTLS_CertificateType
>>>         # specifies the type of the file. Can be PEM or ASN1,
>>>         # defaults to ASN1
>>>         EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>>>         EAPTLS_CertificateType PEM
>>>
>>>         # EAPTLS_PrivateKeyFile is the name of the file containing
>>>         # the server's private key. It is sometimes in the same file
>>>         # as the server certificate (EAPTLS_CertificateFile).
>>>         # If the private key is encrypted (usually the case)
>>>         # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>>>         EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>>>         EAPTLS_PrivateKeyPassword whatever
>>>
>>>         # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>>>         # size that will be replied by Radiator. It must be small
>>>         # enough to fit in a single Radius request (ie less than 4096)
>>>         # and still leave enough space for other attributes.
>>>         # Aironet APs seem to need a smaller MaxFragmentSize
>>>         # (eg 1024) than the default of 2048. Others need even smaller sizes.
>>>         EAPTLS_MaxFragmentSize 1000
>>>
>>>         # Some clients, depending on their configuration, may require you to specify
>>>         # MPPE send and receive keys. This _will_ be required if you select
>>>         # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
>>>         # client Network Properties dialog.
>>>         # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>>>         # in the final Access-Accept
>>>         AutoMPPEKeys
>>>
>>>         # You can enable some warning messages from the Net::SSLeay
>>>         # module by setting SSLeayTrace to an integer from 1 to 4
>>>         # 1=ciphers, 2=trace, 3=dump data
>>>         SSLeayTrace 4
>>>
>>>         # You can control which version of the draft PEAP protocol to honour
>>>         # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
>>>         # such as Funk Odyssey Client 2.22 or later.
>>>         EAPTLS_PEAPVersion 0
>>>
>>>     </AuthBy>
>>>     <AuthBy INTERNAL>
>>>         DefaultResult REJECT
>>>     </AuthBy>
>>> </Handler>
>>>
>>>
>>> This is the users_eap file
>>>
>>> test User-Password = "hhh"
>>>
>>> Hope that someone can help me
>>> Thanks
>>>
>>> Ricardo Martinez.-
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.