(RADIATOR) PEAP with LDAP problem
R.H.Hoek
r.h.hoek at utwente.nl
Mon Oct 30 08:56:49 CST 2006
Dear Hugh/Mike and others,
We are running a wireless LAN with TTLS authentication. It runs
fine with Radiator.
We also want to add PEAP authentication, but I can't manage to get
it running in combination with LDAP and the use of a users file. In
our LDAP server we store cleartext passwords with rcrypt.
Something goes wrong in the MSCHAPv2 challenge: "no such user".
When I authenticate with an account stored in a users file (hoekroel),
everything runs fine.
What's wrong with my config?
This is the error log:
Mon Oct 30 14:07:43 2006: DEBUG: Handling request with Handler 'Realm=utwente.nl, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1'
Mon Oct 30 14:07:43 2006: DEBUG: Handling with Radius::AuthFILE:
Mon Oct 30 14:07:43 2006: DEBUG: Handling with EAP: code 2, 11, 74
Mon Oct 30 14:07:43 2006: DEBUG: Response type 26
Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
Mon Oct 30 14:07:43 2006: DEBUG: Reading users file /etc/radiator//users-wlanpeap
Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE looks for match with m7642037 [anonymous at utwente.nl]
Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE REJECT: No such user: m7642037 [anonymous at utwente.nl]
Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE looks for match with DEFAULT [anonymous at utwente.nl]
Mon Oct 30 14:07:43 2006: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
Mon Oct 30 14:07:43 2006: DEBUG: Handling with EAP: code 2, 11, 74
Mon Oct 30 14:07:43 2006: DEBUG: Response type 26
Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
Mon Oct 30 14:07:43 2006: INFO: Connecting to oralx065.civ.utwente.nl:389
Mon Oct 30 14:07:43 2006: INFO: Attempting to bind to LDAP server oralx065.civ.utwente.nl:389
Mon Oct 30 14:07:43 2006: DEBUG: LDAP got result for uid=m7642037, ou=Employees, cn=Users, o=university of twente,c=nl
Mon Oct 30 14:07:43 2006: DEBUG: LDAP got chappassword: {rcrypt}K+qOU/D4aEHTAcGBrzsMhUtH
Mon Oct 30 14:07:43 2006: DEBUG: LDAP got orclisenabled: ENABLED
Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthLDAP2 looks for match with m7642037 [anonymous at utwente.nl]
Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthLDAP2 ACCEPT: : m7642037 [anonymous at utwente.nl]
Mon Oct 30 14:07:43 2006: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP V2 Challenge: Success: DEFAULT [anonymous at utwente.nl]
Mon Oct 30 14:07:43 2006: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user m7642037
Mon Oct 30 14:07:43 2006: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 failed: no such user m7642037
Mon Oct 30 14:07:43 2006: INFO: Access rejected for anonymous at utwente.nl: EAP MSCHAP V2 failed: no such user m7642037
Mon Oct 30 14:07:43 2006: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
This is part of the config:

# the outer authentication
<Handler Realm=utwente.nl, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByTTLS=0>
    <AuthBy FILE>
        EAPType TTLS, PEAP
        EAPTLS_CAFile /****/CAs/CAs.pem
        EAPTLS_CAPath /****/CAs
        EAPTLS_CertificateFile /****/certificate.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /****/privatekey.pem
        EAPTLS_PrivateKeyPassword *****
        EAPTLS_MaxFragmentSize 1024
        EAPTLS_SessionResumption 1
        EAPTLS_SessionResumptionLimit 900
        AutoMPPEKeys
        SSLeayTrace 4
        EAPAnonymous anonymous at utwente.nl
    </AuthBy>
</Handler>

# the inner authentication for PEAP
<Handler Realm=utwente.nl, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
    AuthByPolicy ContinueUntilAccept
    <AuthBy FILE>
        # Strip off the realm
        RewriteUsername s/^([^@]+).*/$1/
        # Strip off leading whitespace and the like
        RewriteUsername s/^\s*//
        # Strip off trailing whitespace and the like
        RewriteUsername s/\s*$//
        Filename %D/users-wlanpeap
        # This tells the PEAP client what types of inner EAP
        # requests we will honour
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

<AuthBy LDAP2>
    Identifier productieoid-peap
    Version 2
    # Production OID
    Host *****.utwente.nl
    AuthDN cn=****
    AuthPassword *****
    BaseDN o="university of twente",c=nl
    RcryptKey *****
    # Strip off the realm
    RewriteUsername s/^([^@]+).*/$1/
    # Strip off leading whitespace and the like
    RewriteUsername s/^\s*//
    # Strip off trailing whitespace and the like
    RewriteUsername s/\s*$//
    UsernameAttr uid
    PasswordAttr chappassword
    AuthAttrDef orclisenabled, OIDactive, request
</AuthBy>
users-wlanpeap file:

DEFAULT     Auth-Type = productieoid-peap, OIDactive = ENABLED
            Tunnel-Type = 1:VLAN,
            Tunnel-Medium-Type = 1:Ether_802,
            Tunnel-Private-Group-ID = 1:125,
            Session-Timeout = "1200"

hoekroel    User-Password = xxxx
            Tunnel-Type = 1:VLAN,
            Tunnel-Medium-Type = 1:Ether_802,
            Tunnel-Private-Group-ID = 1:125,
            Session-Timeout = "1200"

--
Groeten,
Roel H.Hoek, Netwerkbeheer
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
kmr SP 422, telefoon: 053 - 489 4598, fax: 053 - 489 2383
e-mail: r.h.hoek at utwente.nl http://www.utwente.nl/itbe
IM-Jabber: rhhoek at gmail.com
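The log above shows AuthBy FILE failing to find m7642037 and falling through to the DEFAULT entry, whose Auth-Type hands the request to the LDAP2 AuthBy. As an added illustration (not code from the post or from Radiator), this small parser reads a users file in the Livingston/Radiator layout and reproduces that lookup order: exact username first, then DEFAULT, with every check item except Auth-Type compared against request attributes. The sample file is constructed from the post's own entries; the request dictionaries are assumed.

```python
import re

# Constructed sample in Radiator users-file layout, using the entries
# from the post (check items on the name line, reply items indented).
USERS_FILE = """\
DEFAULT\tAuth-Type = productieoid-peap, OIDactive = ENABLED
\tTunnel-Type = 1:VLAN,
\tTunnel-Medium-Type = 1:Ether_802,
\tTunnel-Private-Group-ID = 1:125,
\tSession-Timeout = "1200"

hoekroel\tUser-Password = xxxx
\tTunnel-Type = 1:VLAN,
\tTunnel-Medium-Type = 1:Ether_802,
\tTunnel-Private-Group-ID = 1:125,
\tSession-Timeout = "1200"
"""

# One "Attribute = value" item; value is either quoted or runs to the next comma.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*=\s*("[^"]*"|[^,]+)\s*,?')

def parse_items(text):
    """Turn 'A = 1, B = "x"' into [('A', '1'), ('B', 'x')]."""
    return [(k, v.strip().strip('"')) for k, v in ITEM_RE.findall(text)]

def parse_users_file(text):
    """Return [(name, check_items, reply_items)] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():            # continuation line: reply items
            entries[-1][2].extend(parse_items(line))
        else:                            # new entry: name, then check items
            parts = line.split(None, 1)
            checks = parse_items(parts[1]) if len(parts) > 1 else []
            entries.append((parts[0], checks, []))
    return entries

def lookup(entries, username, request_attrs):
    """Mimic AuthBy FILE: try the exact username, then DEFAULT.
    Returns (entry name, Auth-Type or None, reply items) or None if no
    entry's check items all match the request."""
    for candidate in (username, "DEFAULT"):
        for name, checks, replies in entries:
            if name != candidate:
                continue
            auth_type = next((v for k, v in checks if k == "Auth-Type"), None)
            if all(request_attrs.get(k) == v for k, v in checks if k != "Auth-Type"):
                return name, auth_type, dict(replies)
    return None
```

With OIDactive=ENABLED in the request (as AuthAttrDef copies it from orclisenabled), m7642037 matches only DEFAULT and is delegated to productieoid-peap; hoekroel matches its own entry directly.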