(RADIATOR) Username in EAP requests

Hugh Irvine hugh at open.com.au
Wed Oct 25 17:11:09 CDT 2006


Hello Peter -

You should remove the EAP parameters from your inner Handler.

The only one you might need is this:


# Inner request
<Handler TunnelledByPEAP=1>
    <AuthBy LDAP2>
        Identifier ldap1
        Host ldap1.lshtm.ac.uk
        AuthDN xyz
        AuthPassword xyz
        BaseDN o=lshtm
        UsernameAttr cn
        SSLVerify none
        UseTLS
        SSLCAFile /etc/radiator/SelfSignedCert.pem
        NoDefault
        RejectEmptyPassword
        HoldServerConnection
        GetNovellUP
        Debug 255
        Version 3
        EAPType MSCHAP-V2
    </AuthBy>
    AuthLog authlog
    RejectHasReason
</Handler>

# Outer request
<Handler Client-Identifier=xxx>
    <AuthBy FILE>
        Filename %D/users.anonymous   # just contains one "anonymous" user
        EAPType PEAP,TTLS,TLS,MD5,MSCHAP-V2,LEAP
        EAPTLS_CAFile %D/certificates/x.crt
        EAPTLS_CertificateFile %D/certificates/y.crt
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/y.key
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        SSLeayTrace 4
        EAPTLS_PEAPVersion 0
        EAPAnonymous %0
    </AuthBy>
    RejectHasReason
</Handler>


hope that helps

regards

Hugh


On 25 Oct 2006, at 23:16, Peter Bates wrote:

>
> Hello all...
> --  
>
> ---------------------------------------------------------------------------------------------
> Peter Bates, Systems Support Officer, IT Services.
> London School of Hygiene & Tropical Medicine.
> Telephone:0207-958 8353 / Fax: 0207- 636 9838
>
>>>> On 25/10/06 at 00:54, Hugh Irvine <hugh at open.com.au> wrote:
>
>> Hello Peter -
>>
>> Yes you should have your authentication logging in the "inner"
>> Handler, and you should add "EAPAnonymous %0" in the "outer"
> Handler.
> <snip>
>
> Trying this (admittedly on Radiator 3.14), I get no joy, and I suspect
>
> I've overcomplicated my configuration, mixing together different
> samples from the 'goodies'.
> Although I was using Identifiers, I've expanded them out below:
>
> # Inner request
> <Handler TunnelledByPEAP=1>
>     <AuthBy LDAP2>
>         Identifier ldap1
>         Host ldap1.lshtm.ac.uk
>         AuthDN xyz
>         AuthPassword xyz
>         BaseDN o=lshtm
>         UsernameAttr cn
>         SSLVerify none
>         UseTLS
>         SSLCAFile /etc/radiator/SelfSignedCert.pem
>         NoDefault
>         RejectEmptyPassword
>         HoldServerConnection
>         GetNovellUP
>         Debug 255
>         Version 3
>         EAPType PEAP,TTLS,TLS,MD5,MSCHAP-V2,LEAP
>         EAPTLS_CAFile %D/certificates/x.crt
>         EAPTLS_CertificateFile %D/certificates/y.crt
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/y.key
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         SSLeayTrace 4
>         EAPTLS_PEAPVersion 0
>     </AuthBy>
>     AuthLog authlog
>     RejectHasReason
> </Handler>
>
> # Outer request
> <Handler Client-Identifier=xxx>
>     <AuthBy FILE>
>         Filename %D/users.anonymous   # just contains one "anonymous" user
>         EAPType PEAP,TTLS,TLS,MD5,MSCHAP-V2,LEAP
>         EAPTLS_CAFile %D/certificates/x.crt
>         EAPTLS_CertificateFile %D/certificates/y.crt
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile %D/certificates/y.key
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         SSLeayTrace 4
>         EAPTLS_PEAPVersion 0
>         EAPAnonymous %0
>     </AuthBy>
>     RejectHasReason
> </Handler>
>
> I guess the fact I'm repeating all the EAP* stuff isn't correct,
> but if I use the above, adding the 'EAPAnonymous %0' then
> authentication never completes.
>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
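As an added check (example code written for this page, not Radiator's own code and not from either poster), the lint below reads the <Handler>/<AuthBy> blocks of a config like the ones above and flags the two mistakes discussed in this thread: EAPTLS_* parameters or a tunnel EAPType left in the TunnelledByPEAP=1 inner Handler, and an outer Handler without 'EAPAnonymous %0'. The block-syntax reading is an approximation sufficient for these checks, and the sample config is constructed.

```python
"""Lint a Radiator config for the inner/outer PEAP split (added example, not Radiator code)."""
import re

TUNNEL = {"PEAP", "TTLS", "TLS"}  # tunnel-establishing EAP types: outer Handler only

def parse_handlers(text):
    """Flatten each <Handler ...> (with its nested <AuthBy>) into {'args', 'params'}."""
    handlers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line or line.startswith("</"):
            continue
        m = re.fullmatch(r"<Handler\s*(.*?)>", line)
        if m:
            handlers.append({"args": m.group(1), "params": {}})
        elif not line.startswith("<") and handlers:  # <AuthBy ...> itself is skipped
            parts = line.split(None, 1)
            handlers[-1]["params"][parts[0]] = parts[1] if len(parts) > 1 else ""
    return handlers

def lint(text):
    """Return findings; [] means the split matches the advice in the reply above."""
    out = []
    for h in parse_handlers(text):
        p, inner = h["params"], "TunnelledByPEAP=1" in h["args"]
        tunnel = {t.strip() for t in p.get("EAPType", "").split(",")} & TUNNEL
        if inner:
            out += [f"inner: {k} belongs in the outer Handler" for k in p
                    if k.startswith("EAPTLS_") or k == "EAPAnonymous"]
            if tunnel:
                out.append("inner: EAPType should be just MSCHAP-V2, not " + ",".join(sorted(tunnel)))
        else:
            if p.get("EAPAnonymous") != "%0":
                out.append("outer: add 'EAPAnonymous %0'")
            if not tunnel:
                out.append("outer: EAPType must include PEAP")
    return out

ORIGINAL = """<Handler TunnelledByPEAP=1>
    <AuthBy LDAP2>
        EAPType PEAP,TTLS,TLS,MD5,MSCHAP-V2,LEAP
        EAPTLS_CertificateFile %D/certificates/y.crt
    </AuthBy>
</Handler>
<Handler Client-Identifier=xxx>
    <AuthBy FILE>
        Filename %D/users.anonymous  # just contains one "anonymous" user
        EAPType PEAP,TTLS,TLS,MD5,MSCHAP-V2,LEAP
    </AuthBy>
</Handler>"""  # constructed sample modelled on the quoted config, before the fixes
```

lint(ORIGINAL) returns three findings (the misplaced EAPTLS_ parameter, the tunnel EAPType in the inner Handler, and the missing EAPAnonymous); run over the corrected inner/outer pair from the reply it returns an empty list.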

