(RADIATOR) Problem with Novell Universal Passwords and EAP
Peter Bates
Peter.Bates at lshtm.ac.uk
Fri Sep 1 05:44:42 CDT 2006
Hi there...
I'm a bit perplexed with the following problem I'm seeing with Radiator 3.14 on RedHat.
Basically, radpwtst works fine, with a user in our Novell eDirectory, and Universal Passwords enabled.
However, when used with an 802.1x supplicant with PEAP through our Aruba/Alcatel wireless APs there is an initial authentication success, and then the connection drops.
This behaviour is particularly noticeable in the Mac OS X 802.1x client (Internet Connect). The connection starts up, and then drops.
If I switch over to using PEAP with AuthByFile and a simple users file, all is okay.
Here is the configuration I've been using, whittled down (clients and a few other bits removed)
=========================================================
Foreground
LogStdout
LogDir .
DbDir .
Trace 4
AuthPort 1645,1812
AcctPort 1646,1813
<Handler>
    <AuthBy LDAP2>
        Host 193.63.251.63
        AuthDN cn=radiusadmin,o=ITS_TEST
        AuthPassword xxx
        BaseDN ou=users,o=ITS_TEST
        UsernameAttr uid
        NoDefault
        HoldServerConnection
        GetNovellUP
        #Debug 255
        UseTLS
        SSLCAFile /etc/radiator/SelfSignedCert.pem
        SSLVerify none
        Version 3
        # Here we set up all the EAP stuff we need.
        EAPType PEAP,TTLS,TLS,MD5,MSCHAP-V2,LEAP
        EAPTLS_CAFile %D/certificates/IPS-IPSCABUNDLE.crt
        EAPTLS_CertificateFile %D/certificates/barker.crt
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/barker.key
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        SSLeayTrace 4
    </AuthBy>
</Handler>
=========================================================
The local radpwtst request results in what I'd expect (returning various LDAP attributes) and finally concludes with:
Fri Sep 1 11:18:32 2006: DEBUG: Radius::AuthLDAP2 looks for match with anstpbat [anstpbat]
Fri Sep 1 11:18:32 2006: DEBUG: Radius::AuthLDAP2 ACCEPT: : anstpbat [anstpbat]
Fri Sep 1 11:18:32 2006: DEBUG: AuthBy LDAP2 result: ACCEPT,
Fri Sep 1 11:18:32 2006: DEBUG: Access accepted for anstpbat
The EAP/wireless request starts with:
Fri Sep 1 11:18:46 2006: ERR: Attribute number 5 (vendor 14823) is not defined in your dictionary
Fri Sep 1 11:18:46 2006: ERR: Attribute number 6 (vendor 14823) is not defined in your dictionary
I can include the entire logfile if necessary, I was just initially wondering if this was something obvious, considering the same physical setup works okay with AuthByFile (based on the eap_peap.cfg in the goodies).
Thanks.
--------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, IT Services.
London School of Hygiene & Tropical Medicine.
Telephone:0207-958 8353 / Fax: 0207- 636 9838