[RADIATOR] How to configure Radiator to Support both PEAP/MSCHAPv2 and TTLS/PAP?
Hugh Irvine
hugh at open.com.au
Mon Oct 13 18:08:45 CDT 2008
Hello Amandio -
Could you please send me a copy of the full configuration file you
are testing, together with the corresponding trace 4 debug?
I couldn't tell from the debug you sent previously what was
happening, as it looked to me like the commented lines were confusing
the Radiator parser.
There was a change in Radiator 4.3.1 to allow finer grained control
of combinations of EAP/non-EAP AuthBy clauses.
Can you show me exactly what used to work and what now does not work?
regards
Hugh
On 13 Oct 2008, at 22:19, Amândio Antunes Gomes Silva wrote:
> Hi Hugh,
>
> As you suggested, I removed all comments from config file, and
> configured the Radiator as you wrote in your message, but the
> results are still the same. The reason why I have so many comments
> is that I can quickly change from a config to another - I know
> that's easy to let some comments uncommented, and vice-versa, which
> can cause the problem, but I may say that I'm very used to this
> kind of operation and I don't think the problem resides here. Have
> you further analyzed the logs I sent in the original message? What
> conclusions have you reached?
>
> Another issue with the Radiator version we are running now (4.3.1)
> is that in order to EAP authentication (TTLS/PAP) we had to put
> 'NoEAP' in the auth clauses, otherwise the authentication fails
> with the message 'EAP authentication is not permitted.'. Any
> special reason why this happens?
>
> Thank you in advance,
>
> Amândio Silva (University of Minho, Braga, Portugal)
>
> -----Mensagem original-----
> De: Hugh Irvine [mailto:hugh at open.com.au]
> Enviada: quinta-feira, 9 de Outubro de 2008 03:54
> Para: Amândio Antunes Gomes Silva
> Cc: radiator at open.com.au
> Assunto: Re: [RADIATOR] How to configure Radiator to Support both
> PEAP/MSCHAPv2 and TTLS/PAP?
>
>
> Hello Amandio -
>
> It looks to me like at least part of your problem is due to typos in
> your configuration file, as you have commented out lines that
> shouldn't be.
>
> It is much easier to see what is going on without lots of commented
> lines:
>
> .....
>
> <AuthBy RADIUS>
> Host 192.168.62.100
> Secret **********
> AuthPort 1812
> AcctPort 1813
> EAPType PEAP,TTLS,TLS,MSCHAPV2,MSCHAP-V2,
> Description PEAP no SAPIA
> Identifier PEAPnoSAPIA
> Retries 5
> RetryTimeout 30
> AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=Ether_802,
> Tunnel-Private-Group-ID=247, Class=funcionarios
> </AuthBy>
>
> <Handler ConvertedFromEAPMSCHAPV2=1>
>
> AuthLog peaplog
> StripFromRequest ConvertedFromEAPMSCHAPV2
>
> AuthBy PEAPnoSAPIA
>
> </Handler>
>
> <Handler TunnelledByPEAP=1>
>
> RewriteUsername s/^([^@]+).*/$1/
>
> <AuthBy FILE>
> # Dont really need this
> Filename %D/users
>
> # This tells the PEAP client what types of inner EAP
> requests
> # we will honour
> EAPType MSCHAP-V2
>
> # This flag tells EAPType MSCHAP-V2 to convert the
> inner EAP-MSCHAPV2 request into
> # an ordinary Radius-MSCHAPV2 request and redespatch
> to to a Handler
> # that matches ConvertedFromEAPMSCHAPV2=1 (see above)
> EAP_PEAP_MSCHAP_Convert 1
> </AuthBy>
>
> </Handler>
>
>
> hope that helps
>
> regards
>
> Hugh
>
>
> On 7 Oct 2008, at 22:28, Amândio Antunes Gomes Silva wrote:
>
>> Hi all!
>>
>>
>>
>> I've been trying to configure Radiator to both authenticate clients
>> with TTLS/PAP (which works fine for several years) and PEAP/
>> MSCHAPV2). The scenario we have here at University of Minho
>> (Portugal) is as follows:
>>
>>
>>
>> Server: Radiator 4.3.1 running on Linux (CentOS 5.2)
>>
>> TTLS Authentication (PAP) is done against an LDAP server (in fact,
>> it's an LDAP gateway to an ActiveDirectory).
>>
>> PEAP Authentication is configured to be proxied to an IAS server.
>>
>> All our AP's are configured to authenticate against this Radiator
>> server, but, for testing, I'm using an AP that authenticates
>> directly to an IAS server, which accesses directly the same Active
>> Directory that is used by the LDAP gateway.
>>
>> University of Minho is part of the eduroam project, which means
>> that it belongs to an hierarchy of RADIUS servers that is working
>> fine.
>>
>>
>>
>> The tests were made with a PC with Fedora Core 7, using
>> wpa_supplicant (this way I have absolute control on which AP the
>> PC associates to).
>>
>>
>>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
More information about the radiator
mailing list