[RADIATOR] How to configure Radiator to Support both PEAP/MSCHAPv2 and TTLS/PAP?

Hugh Irvine hugh at open.com.au
Wed Oct 8 21:53:41 CDT 2008


Hello Amandio -

It looks to me like at least part of your problem is due to typos in  
your configuration file, as you have commented out lines that  
shouldn't be.

It is much easier to see what is going on without lots of commented  
lines:

.....

# Proxy target: the converted inner MS-CHAP-V2 request is forwarded to IAS
<AuthBy RADIUS>
         Host            192.168.62.100
         Secret          **********
         AuthPort        1812
         AcctPort        1813
         EAPType         PEAP,TTLS,TLS,MSCHAPV2,MSCHAP-V2,
         Description     PEAP no SAPIA
         Identifier      PEAPnoSAPIA
         Retries         5
         RetryTimeout    30
         AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=Ether_802, Tunnel-Private-Group-ID=247, Class=funcionarios
</AuthBy>

# Receives the plain RADIUS MS-CHAP-V2 request redespatched by the PEAP inner Handler below
<Handler ConvertedFromEAPMSCHAPV2=1>

         AuthLog peaplog
         StripFromRequest ConvertedFromEAPMSCHAPV2

         AuthBy  PEAPnoSAPIA

</Handler>

# Handles the inner (tunnelled) half of the PEAP conversation
<Handler TunnelledByPEAP=1>

         RewriteUsername s/^([^@]+).*/$1/

         <AuthBy FILE>
                 # Don't really need this
                 Filename %D/users

                 # This tells the PEAP client what types of inner EAP requests
                 # we will honour
                 EAPType MSCHAP-V2

                 # This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2 request into
                 # an ordinary Radius-MSCHAPV2 request and redespatch to a Handler
                 # that matches ConvertedFromEAPMSCHAPV2=1 (see above)
                 EAP_PEAP_MSCHAP_Convert 1
         </AuthBy>

</Handler>


hope that helps

regards

Hugh


On 7 Oct 2008, at 22:28, Amândio Antunes Gomes Silva wrote:

> Hi all!
>
>
>
> I've been trying to configure Radiator to authenticate clients both  
> with TTLS/PAP (which has worked fine for several years) and with  
> PEAP/MSCHAPv2. The scenario we have here at University of Minho  
> (Portugal) is as follows:
>
>
>
> Server: Radiator 4.3.1 running on Linux (CentOS 5.2)
>
> TTLS Authentication (PAP) is done against an LDAP server (in fact,  
> it's an LDAP gateway to an Active Directory).
>
> PEAP Authentication is configured to be proxied to an IAS server.
>
> All our APs are configured to authenticate against this Radiator  
> server, but, for testing, I'm using an AP that authenticates  
> directly to an IAS server, which directly accesses the same Active  
> Directory that is used by the LDAP gateway.
>
> University of Minho is part of the eduroam project, which means  
> that it belongs to a hierarchy of RADIUS servers that is working  
> fine.
>
>
>
> The tests were made with a PC with Fedora Core 7, using  
> wpa_supplicant (this way I have absolute control over which AP the  
> PC associates to).
>
>
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
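Hugh's fragment covers only the PEAP inner side. As an added example (not Hugh's configuration, not the original poster's, and not one of Radiator's own sample files), the following single configuration shows how the TTLS/PAP inner Handler, the PEAP inner Handler with the MS-CHAP-V2 conversion, the converted-request Handler that proxies to IAS, and the outer Handler that terminates the TLS tunnel for both methods fit together. The LDAP gateway hostname, DNs, certificate paths, secrets, log paths and the AuthLog name are placeholders; the IAS address and the Identifier PEAPnoSAPIA are taken from the thread.

```radiator
# Added example: one Radiator configuration terminating both TTLS and PEAP.
# Hostnames, DNs, certificate paths, secrets and log paths are placeholders.

Foreground
LogStdout
LogDir          /var/log/radiator
DbDir           /etc/radiator
Trace           4

# Each AP and each eduroam proxy normally gets its own Client clause;
# a DEFAULT clause is kept here only so the example is complete.
<Client DEFAULT>
        Secret          change-me
</Client>

<AuthLog FILE>
        Identifier      peaplog
        Filename        %L/peap-authlog
        LogSuccess      1
        LogFailure      1
</AuthLog>

# PEAP inner MS-CHAP-V2, once converted to an ordinary RADIUS MS-CHAP-V2
# request, is proxied to IAS, which checks it against Active Directory.
<AuthBy RADIUS>
        Identifier      PEAPnoSAPIA
        Host            192.168.62.100
        Secret          change-me-too
        AuthPort        1812
        AcctPort        1813
        Retries         5
        RetryTimeout    30
</AuthBy>

# Inner TTLS/PAP: the tunnel carries the cleartext password, so let the
# LDAP gateway check it with a bind as the user (ServerChecksPassword)
# rather than reading a password attribute, which an AD gateway does not expose.
<Handler TunnelledByTTLS=1>
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy LDAP2>
                Host                    ldap-gateway.example.org
                AuthDN                  cn=radius,ou=services,dc=example,dc=org
                AuthPassword            change-me-three
                BaseDN                  ou=people,dc=example,dc=org
                UsernameAttr            uid
                ServerChecksPassword
        </AuthBy>
</Handler>

# Inner PEAP: honour only EAP-MSCHAP-V2 and redespatch the converted
# request to the ConvertedFromEAPMSCHAPV2 Handler below.
<Handler TunnelledByPEAP=1>
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy FILE>
                Filename                %D/users
                EAPType                 MSCHAP-V2
                EAP_PEAP_MSCHAP_Convert 1
        </AuthBy>
</Handler>

<Handler ConvertedFromEAPMSCHAPV2=1>
        AuthLog peaplog
        StripFromRequest ConvertedFromEAPMSCHAPV2
        AuthBy PEAPnoSAPIA
</Handler>

# Outer Handler, last because Radiator takes the first Handler that matches:
# terminates the TLS tunnel for both methods with one server certificate.
<Handler>
        <AuthBy FILE>
                Filename                  %D/users
                EAPType                   TTLS,PEAP
                EAPTLS_CAFile             %D/certificates/cacert.pem
                EAPTLS_CertificateFile    %D/certificates/radius-cert.pem
                EAPTLS_CertificateType    PEM
                EAPTLS_PrivateKeyFile     %D/certificates/radius-key.pem
                EAPTLS_PrivateKeyPassword change-me-four
                EAPTLS_MaxFragmentSize    1024
                AutoMPPEKeys
        </AuthBy>
</Handler>
```

Two things worth checking when adapting this: Handler order matters, so the unconditional outer Handler must stay after the TunnelledBy and ConvertedFrom Handlers or it will swallow the inner requests; and because the TTLS inner PAP password is protected only by the TLS tunnel, the supplicant side (wpa_supplicant here) has to validate the server certificate against the issuing CA and the expected subject, otherwise a rogue AP with any certificate can harvest credentials. IAS must also list the Radiator host as a RADIUS client with the matching secret, or the converted MS-CHAP-V2 requests will be silently dropped.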
