(RADIATOR) Strange behavior with PEAP
Mike McCauley
mikem at open.com.au
Tue Apr 29 16:27:06 CDT 2008
Hello Pascal,
You may need to use some combination of
EAPTLS_PEAPVersion 0
or
EAPTLS_PEAPVersion 1
and
EAPTLS_PEAPBrokenV1Label
to make it work for all your clients.
Cheers.
On Wednesday 30 April 2008 06:28, Pascal Beauregard wrote:
> Hi,
>
> I am trying to make PEAP work with Radiator 4.2. Strangely, in my setup,
> PEAP works fine with WZC but it's not working with my Intel client on my
> laptop and with a 7921 Cisco IP phone.
>
> Here are the results of my testing so far.
>
> 1. WZC using my laptop and my Intel wireless card works great with EAP-TTLS
> and PEAP.
> 2. My Intel client (I upgraded the driver of the card and the client this
> week) works only in EAP-TTLS mode (not PEAP).
> 3. A Cisco wireless IP Phone 7921 that I am trying to authenticate to the
> wireless network in PEAP fails.
>
> In fact in PEAP, both the Intel client and the 7921 succeed in
> authenticating. Radiator sends the Access-Accept with the keys, but the
> client (7921 or the Intel client) cannot obtain an IP address from the DHCP
> server. I have tried to set a static IP on the wireless card of my laptop
> and tried to ping the default gateway of the wireless network with no success.
>
> It's as if the whole authentication process succeeds but the encryption key
> transmitted does not match between the AP and the client.
>
> I also have to add that I have tried on wireless networks from 2 different
> vendors (Colubris and Cisco) with the same result.
>
> Thanks!
>
>
> #radius_cta.cfg
>
> <Handler TunnelledByPEAP=1>
> WtmpFileName %L/wtmp
> AcctLogFileName %L/accounting
>
> <AuthBy FILE>
> Filename /etc/radiator/ctabrp/usersdb
> EAPType MSCHAP-V2
> </AuthBy>
>
> AuthLog Defaut
>
> </Handler>
>
>
>
>
> #SSID - WLAN_CISCO_TEST
> # ===---------------------------------------------
> <Handler Called-Station-Id = /.*CTA_Sans_fil/ >
> WtmpFileName %L/wtmp
> AcctLogFileName %L/accounting
> <AuthBy FILE>
> Filename /etc/radiator/eaptest/eapanonymoususer
> # supported EAP types
> EAPType TTLS, PEAP
> # location of the CA certificate
> EAPTLS_CAFile /etc/radiator/SelfCert/radius_testCA.sti.usherbrooke.ca.pem
> # location of the server certificate
> EAPTLS_CertificateFile /etc/radiator/SelfCert/cas2.sti.usherbrooke.ca.pem
> EAPTLS_CertificateType PEM
> # location of the server private key file
> EAPTLS_PrivateKeyFile /etc/radiator/SelfCert/cas2.sti.usherbrooke.ca.key
> EAPTLS_PrivateKeyPassword radiusCA
> EAPTLS_MaxFragmentSize 1000
> EAPAnonymous %0
> AutoMPPEKeys
> SSLeayTrace 4
> </AuthBy>
> AuthLog Defaut
> </Handler>
>
> #
> ## CTA LDAP Users
> #
> <Handler User-Name=/^[a-zA-Z]{4}[0-9]{4}$/,NAS-Identifier = "P1-1012-WL4402A">
> MaxSessions 2
> WtmpFileName %L/wtmp
> AcctLogFileName %L/accounting
> <AuthBy GROUP>
> AuthByPolicy ContinueUntilAccept
>
> <AuthBy LDAP2>
> Host ldapr1.usherbrooke.ca
> AuthDN uid=lectureparradius,ou=autres,dc=usherbrooke,dc=ca
> AuthPassword kBub68Rc
> BaseDN dc=usherbrooke,dc=ca
> Scope sub
> ServerChecksPassword
> UseTLS
> SSLVerify none
> SSLCAFile /usr/share/ssl/certs/ca-bundle.crt
> Debug 255
> </AuthBy>
>
> <AuthBy LDAP2>
> Host ldapr2.usherbrooke.ca
> AuthDN uid=lectureparradius,ou=autres,dc=usherbrooke,dc=ca
> AuthPassword kBub68Rc
> BaseDN dc=usherbrooke,dc=ca
> Scope sub
> ServerChecksPassword
> UseTLS
> SSLVerify none
> SSLCAFile /usr/share/ssl/certs/ca-bundle.crt
> Debug 255
> </AuthBy>
> </AuthBy>
>
> AuthLog Defaut
>
> </Handler>
>
>
>
> #
> # Accounting Handler CTA
> #
> <Handler Called-Station-Id = "10.51.31.240",NAS-IP-Address = 10.51.31.240, Acct-Status-Type = Start|Alive>
> WtmpFileName %L/wtmp
> AcctLogFileName %L/accounting
> <AuthBy INTERNAL>
> AuthResult ACCEPT
> AcctStartResult ACCEPT
> AcctStopResult ACCEPT
> DefaultResult ACCEPT
> </AuthBy>
> AuthLog Defaut
> </Handler>
>
> Pascal Beauregard
> Telecommunications analyst
> Université de Sherbrooke
> (819)821-7770
> www.usherbrooke.ca <http://www.usherbrooke.ca/>
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX etc on Unix, Windows, MacOS, NetWare etc.
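Added illustration, not part of the thread or of Radiator's code: it implements the TLS 1.0 PRF (RFC 2246) and derives the PEAP MPPE keys with the PEAPv0 label, the PEAPv1 label, and the "broken" v1 label that some clients use. This is the mechanism behind the symptom above: the inner authentication succeeds, but if server and client derive keys from different labels the MS-MPPE keys in the Access-Accept do not match what the client computed, so the 4-way handshake with the AP fails and no DHCP traffic flows. The `radiator_label` mapping of EAPTLS_PEAPVersion / EAPTLS_PEAPBrokenV1Label to a label is an assumption based on the parameter descriptions, not Radiator's actual code; the master secret and randoms are constructed sample values.

```python
import hmac

def p_hash(hash_name, secret, seed, length):
    """P_<hash> data expansion from RFC 2246 section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR
    P_SHA1 over the second half (halves overlap by one byte if odd)."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

PEAP_LABELS = {
    "v0": b"client EAP encryption",        # PEAPv0 (Microsoft draft)
    "v1": b"client PEAP encryption",       # PEAPv1 as drafted
    "v1-broken": b"client EAP encryption", # PEAPv1 clients reusing the v0 label
}

def radiator_label(peap_version, broken_v1_label=False):
    """Assumed mapping: EAPTLS_PEAPVersion 0 uses the v0 label; version 1
    uses the v1 label unless EAPTLS_PEAPBrokenV1Label is set."""
    if peap_version == 0 or broken_v1_label:
        return PEAP_LABELS["v0"]
    return PEAP_LABELS["v1"]

def peap_mppe_keys(master_secret, client_random, server_random, label):
    """Expand 64 bytes of keying material from the TLS master secret and
    split it into (MS-MPPE-Recv-Key, MS-MPPE-Send-Key), 32 bytes each."""
    km = tls10_prf(master_secret, label, client_random + server_random, 64)
    return km[:32], km[32:64]

def keys_mismatch(server_label, client_label, ms, cr, sr):
    """True when server and client would end up with different keys even
    though the TLS handshake and inner MSCHAP-V2 both succeeded."""
    return peap_mppe_keys(ms, cr, sr, server_label) != \
           peap_mppe_keys(ms, cr, sr, client_label)

# Constructed sample values (not from a real session)
SAMPLE_MS = bytes(range(48))
SAMPLE_CR = bytes(range(32))
SAMPLE_SR = bytes(range(32, 64))
```

With these samples, a server configured for strict PEAPv1 against a "broken label" v1 client mismatches, while EAPTLS_PEAPBrokenV1Label (or EAPTLS_PEAPVersion 0) brings the two derivations back into agreement.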