[RADIATOR] How to configure Radiator to Support both PEAP/MSCHAPv2 and TTLS/PAP?

Amândio Antunes Gomes Silva amandio at scom.uminho.pt
Mon Oct 13 06:19:08 CDT 2008 

Hi Hugh,

As you suggested, I removed all comments from config file, and configured the Radiator as you wrote in your message, but the results are still the same. The reason why I have so many comments is that I can quickly change from a config to another - I know that's easy to let some comments uncommented, and vice-versa, which can cause the problem, but I may say that I'm very used to this kind of operation and I don't think the problem resides here. Have you further analyzed the logs I sent in the original message? What conclusions have you reached?

Another issue with the Radiator version we are running now (4.3.1) is that in order to EAP authentication (TTLS/PAP) we had to put 'NoEAP' in the auth clauses, otherwise the authentication fails with the message 'EAP authentication is not permitted.'. Any special reason why this happens? 

Thank you in advance,

Amândio Silva (University of Minho, Braga, Portugal)

-----Mensagem original-----
De: Hugh Irvine [mailto:hugh at open.com.au] 
Enviada: quinta-feira, 9 de Outubro de 2008 03:54
Para: Amândio Antunes Gomes Silva
Cc: radiator at open.com.au
Assunto: Re: [RADIATOR] How to configure Radiator to Support both PEAP/MSCHAPv2 and TTLS/PAP?


Hello Amandio -

It looks to me like at least part of your problem is due to typos in  
your configuration file, as you have commented out lines that  
shouldn't be.

It is much easier to see what is going on without lots of commented  
lines:

.....

<AuthBy RADIUS>
         Host            192.168.62.100
         Secret          **********
         AuthPort        1812
         AcctPort        1813
         EAPType         PEAP,TTLS,TLS,MSCHAPV2,MSCHAP-V2,
         Description     PEAP no SAPIA
         Identifier      PEAPnoSAPIA
         Retries         5
         RetryTimeout    30
         AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=Ether_802,  
Tunnel-Private-Group-ID=247, Class=funcionarios
</AuthBy>

<Handler ConvertedFromEAPMSCHAPV2=1>

         AuthLog peaplog
         StripFromRequest ConvertedFromEAPMSCHAPV2

         AuthBy  PEAPnoSAPIA

</Handler>

<Handler TunnelledByPEAP=1>

         RewriteUsername s/^([^@]+).*/$1/

         <AuthBy FILE>
                 # Dont really need this
                 Filename %D/users

                 # This tells the PEAP client what types of inner EAP  
requests
                 # we will honour
                 EAPType MSCHAP-V2

                 # This flag tells EAPType MSCHAP-V2 to convert the  
inner EAP-MSCHAPV2 request into
                 # an ordinary Radius-MSCHAPV2 request and redespatch  
to to a Handler
                 # that matches ConvertedFromEAPMSCHAPV2=1 (see above)
                 EAP_PEAP_MSCHAP_Convert 1
         </AuthBy>

</Handler>


hope that helps

regards

Hugh


On 7 Oct 2008, at 22:28, Amândio Antunes Gomes Silva wrote:

> Hi all!
>
>
>
> I've been trying to configure Radiator to both authenticate clients  
> with TTLS/PAP (which works fine for several years) and PEAP/ 
> MSCHAPV2). The scenario we have here at University of Minho  
> (Portugal) is as follows:
>
>
>
> Server: Radiator 4.3.1 running on Linux (CentOS 5.2)
>
> TTLS Authentication (PAP) is done against an LDAP server (in fact,  
> it's an LDAP gateway to an ActiveDirectory).
>
> PEAP Authentication is configured to be proxied to an IAS server.
>
> All our AP's are configured to authenticate against this Radiator  
> server, but, for testing, I'm using an AP that authenticates  
> directly to an IAS server, which accesses directly the same Active  
> Directory that is used by the LDAP gateway.
>
> University of Minho is part of the eduroam project, which means  
> that it belongs to an hierarchy of RADIUS servers that is working  
> fine.
>
>
>
> The tests were made with a PC with Fedora Core 7, using  
> wpa_supplicant (this way I have absolute  control on which AP the  
> PC associates to).
>
>
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

More information about the radiator mailing list