[RADIATOR] Adding Class Attribute to access response

Richard Dunne richard.dunne at dit.ie
Wed Feb 18 11:51:27 CST 2009


Active dir/ radius

Hi all

I'm rebuilding my radius setup.
I have a new server and am trying to get EAP-PEAP working again.
I want to get to a point where I can use it to log in a user using WPA and
AES or TKIP,
using active dir via radius.

At the moment I can't even get the users file to work.
Below is my config and log file.
The main problem is:

Wed Feb 18 17:16:57 2009: DEBUG: AuthBy FILE result:
REJECT, EAP authentication is not permitted.
Wed Feb 18 17:16:57 2009: INFO: Access rejected for kk at dit.ie: EAP
authentication is not permitted.
Wed Feb 18 17:16:57 2009: DEBUG: Packet dump:
*** Sending to 147.252.2.112 port 2051 .....

I'm at this all day and just can't see it.

If anyone has this working, can you send on the files? I can't get my head
around inner and outer auth.

Thanks

Richard 

Config
Foreground
LogStdout
AuthPort 1645,1812,1813
DictionaryFile  /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
LogDir /var/log/radius
DbDir   /etc/radiator/
# Use a lower trace level in production systems:
Trace           5

#AuthPort 1812
#AcctPort 1813
#LogDir /var/log/radius
#DbDir /etc/radiator
#Trace           5
#DictionaryFile  /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
<Client DEFAULT>
        Secret  mysecret
        DupInterval 0
</Client>
<Client 147.252.2.112>
        Secret hello
        DupInterval 0
</Client>
<Client 192.168.1.1>
        Secret hello
        DupInterval 0
</Client>


<Handler Realm=dit.ie>
        <AuthBy FILE>
                Filename users
        </AuthBy>
</Handler>
<Handler Realm=dit.ie>

        <AuthBy FILE>
                Filename users
EAPType PEAP,TTLS,TLS,MSCHAP-V2,MD5,MD5-Challenge,PAP,GTC
#EAPType TTLS, PEAP, MSCHAP-V2
EAPTLS_CAFile %D/certificates/cacert.pem
EAPTLS_CertificateFile %D/certificates/server_cert.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/server_key.pem
        EAPTLS_MaxFragmentSize 1024
EAPAnonymous anonymous at default
AutoMPPEKeysIdentifier: 5
Authentic:  n}<144>H<138>E<211><158>s<12>E5k<0>VF
Attributes:
        User-Name = "kk at dit.ie"
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 0
        Called-Station-Id = "00-1E-E5-97-1A-00:rdunne"
        Calling-Station-Id = "00-1C-BF-7B-14-B2"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = <2><0><0><14><1>kk at dit.ie
        Message-Authenticator =
k<27><209>V<213><242>A<232><20><201><157><15><11><141><152><183>

Wed Feb 18 17:16:57 2009: DEBUG: Handling request with Handler
'Realm=dit.ie'
Wed Feb 18 17:16:57 2009: DEBUG:  Deleting session for kk at dit.ie,
192.168.1.1, 0
Wed Feb 18 17:16:57 2009: DEBUG: Handling with Radius::AuthFILE: 
Wed Feb 18 17:16:57 2009: DEBUG: Handling with EAP: code 2, 0, 14, 1
Wed Feb 18 17:16:57 2009: DEBUG: Response type 1
Wed Feb 18 17:16:57 2009: DEBUG: EAP result: 1, EAP authentication is not
permitted.
Wed Feb 18 17:16:57 2009: DEBUG: AuthBy FILE result: REJECT, EAP
authentication is not permitted.
Wed Feb 18 17:16:57 2009: INFO: Access rejected for kk at dit.ie: EAP
authentication is not permitted.
Wed Feb 18 17:16:57 2009: DEBUG: Packet dump:
*** Sending to 147.252.2.112 port 2051 ....

Packet length = 36
03 05 00 24 40 6a 11 4a 01 67 4e 0f df 29 ec b7
73 b5 da be 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 5
Authentic:  @j<17>J<1>gN<15><223>)<236><183>s<181><218><190>
Attributes:
        Reply-Message = "Request Denied"
AddToReply Service-Type = Framed-User,\
                        Framed-Protocol = PPP,\
                        Framed-IP-Netmask = 255.255.255.255,\
                        Framed-Routing = None,\
                        Framed-MTU = 1500,\
                        Framed-Compression = Van-Jacobson-TCP-IP
        </AuthBy>


LOG 



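Added example, not part of the original post and not Radiator code: a small Python decoder run over the Access-Reject hex dump from the log above. It shows that the reply carries only a Reply-Message attribute and no EAP-Message; the EAP sample reuses the header bytes shown in the log's EAP-Message with a constructed 9-byte identity, and all function names are assumptions of this example.

```python
import struct

# Access-Reject bytes exactly as dumped in the log in the post (36 bytes).
ACCESS_REJECT = bytes.fromhex(
    "03 05 00 24 40 6a 11 4a 01 67 4e 0f df 29 ec b7 "
    "73 b5 da be 12 10 52 65 71 75 65 73 74 20 44 65 "
    "6e 69 65 64")
# Constructed sample: EAP header <2><0><0><14><1> from the log, followed by a
# made-up 9-byte identity so that the length field (14) is consistent.
EAP_IDENTITY = bytes([2, 0, 0, 14, 1]) + b"ab@x.test"

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge"}
ATTRS = {1: "User-Name", 18: "Reply-Message", 79: "EAP-Message",
         80: "Message-Authenticator"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_radius(data):
    """Decode the RFC 2865 header and attribute TLVs, checking every length."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("Length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length overruns the packet")
        attrs.append((ATTRS.get(atype, str(atype)), data[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident,
            "length": length, "attrs": attrs}

def parse_eap(msg):
    """Decode the EAP header (RFC 3748): code, id, length, type if present."""
    if len(msg) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError("EAP length does not match the message")
    etype = msg[4] if code in (1, 2) and length > 4 else None
    return {"code": EAP_CODES.get(code, str(code)), "id": ident,
            "length": length, "type": etype, "data": msg[5:]}

if __name__ == "__main__":
    print(parse_radius(ACCESS_REJECT))
    print(parse_eap(EAP_IDENTITY))
```

The decoded EAP fields (code 2, id 0, length 14, type 1) line up with the "Handling with EAP: code 2, 0, 14, 1" line in the log.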