[RADIATOR] Adding Class Attribute to access response
Hugh Irvine
hugh at open.com.au
Wed Feb 18 15:44:47 CST 2009
Hello Richard -
Your problem is due to you having two <Handler Realm=dit.ie> clauses.
The first one is catching the requests.
There are a number of example working configuration files in the
Radiator 4.3.1 distribution in "goodies/eap_*.cfg".
See especially "goodies/eap_peap.cfg".
Also note the prerequisites listed in the comment block at the
beginning of the file, which must be installed first.
regards
Hugh
On 19 Feb 2009, at 04:51, Richard Dunne wrote:
> Active Directory / RADIUS
>
> Hi all
>
> I'm rebuilding my RADIUS setup.
> I have a new server and am trying to get EAP-PEAP working again.
> I want to get to a point where I can use it to log in a user using
> WPA and AES or TKIP, using Active Directory via RADIUS.
>
> At the moment I can't get the users file to even work.
> Below are my config and log file.
> The main problem is:
> Wed Feb 18 17:16:57 2009: DEBUG: AuthBy FILE result: REJECT, EAP authentication is not permitted.
> Wed Feb 18 17:16:57 2009: INFO: Access rejected for kk@dit.ie: EAP authentication is not permitted.
> Wed Feb 18 17:16:57 2009: DEBUG: Packet dump:
> *** Sending to 147.252.2.112 port 2051 .....
> I've been at this all day and just can't see it.
>
> If anyone has this working, can you send on the files? I can't get
> my head around inner and outer auth.
>
> Thanks
>
> Richard
>
> Config
> Foreground
> LogStdout
> AuthPort 1645,1812,1813
> DictionaryFile /etc/radiator/dictionary,/etc/radiator/
> dictionary.cisco
> LogDir /var/log/radius
> DbDir /etc/radiator/
> # Use a lower trace level in production systems:
> Trace 5
>
> #AuthPort 1812
> #AcctPort 1813
> #LogDir /var/log/radius
> #DbDir /etc/radiator
> #Trace 5
> #DictionaryFile /etc/radiator/dictionary,/etc/radiator/
> dictionary.cisco
> <Client DEFAULT>
> Secret mysecret
> DupInterval 0
> </Client>
> <Client 147.252.2.112>
> Secret hello
> DupInterval 0
> </Client>
> <Client 192.168.1.1>
> Secret hello
> DupInterval 0
> </Client>
>
>
> <Handler Realm=dit.ie>
> <AuthBy FILE>
> Filename users
> </AuthBy>
> </Handler>
> <Handler Realm=dit.ie>
>
> <AuthBy FILE>
> Filename users
> EAPType PEAP,TTLS,TLS,MSCHAP-V2,MD5,MD5-Challenge,PAP,GTC
> #EAPType TTLS, PEAP, MSCHAP-V2
> EAPTLS_CAFile %D/certificates/cacert.pem
> EAPTLS_CertificateFile %D/certificates/server_cert.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/server_key.pem
> EAPTLS_MaxFragmentSize 1024
> EAPAnonymous anonymous@default
> AutoMPPEKeys
> AddToReply Service-Type = Framed-User,\
> Framed-Protocol = PPP,\
> Framed-IP-Netmask = 255.255.255.255,\
> Framed-Routing = None,\
> Framed-MTU = 1500,\
> Framed-Compression = Van-Jacobson-TCP-IP
> </AuthBy>
> </Handler>
>
> LOG
>
> Identifier: 5
> Authentic: n}<144>H<138>E<211><158>s<12>E5k<0>VF
> Attributes:
> User-Name = "kk@dit.ie"
> NAS-IP-Address = 192.168.1.1
> NAS-Port = 0
> Called-Station-Id = "00-1E-E5-97-1A-00:rdunne"
> Calling-Station-Id = "00-1C-BF-7B-14-B2"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-IEEE-802-11
> Connect-Info = "CONNECT 11Mbps 802.11b"
> EAP-Message = <2><0><0><14><1>kk@dit.ie
> Message-Authenticator = k<27><209>V<213><242>A<232><20><201><157><15><11><141><152><183>
>
> Wed Feb 18 17:16:57 2009: DEBUG: Handling request with Handler 'Realm=dit.ie'
> Wed Feb 18 17:16:57 2009: DEBUG: Deleting session for kk@dit.ie, 192.168.1.1, 0
> Wed Feb 18 17:16:57 2009: DEBUG: Handling with Radius::AuthFILE:
> Wed Feb 18 17:16:57 2009: DEBUG: Handling with EAP: code 2, 0, 14, 1
> Wed Feb 18 17:16:57 2009: DEBUG: Response type 1
> Wed Feb 18 17:16:57 2009: DEBUG: EAP result: 1, EAP authentication is not permitted.
> Wed Feb 18 17:16:57 2009: DEBUG: AuthBy FILE result: REJECT, EAP authentication is not permitted.
> Wed Feb 18 17:16:57 2009: INFO: Access rejected for kk@dit.ie: EAP authentication is not permitted.
> Wed Feb 18 17:16:57 2009: DEBUG: Packet dump:
> *** Sending to 147.252.2.112 port 2051 ....
>
> Packet length = 36
> 03 05 00 24 40 6a 11 4a 01 67 4e 0f df 29 ec b7
> 73 b5 da be 12 10 52 65 71 75 65 73 74 20 44 65
> 6e 69 65 64
> Code: Access-Reject
> Identifier: 5
> Authentic: @j<17>J<1>gN<15><223>)<236><183>s<181><218><190>
> Attributes:
> Reply-Message = "Request Denied"
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
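An added example, not Radiator's own code and not part of the exchange above: a small Python lint that parses a Radiator-style config, applies first-match Handler selection as Hugh describes it, and reports a <Handler> clause that is shadowed by an earlier one with the same selector, plus an AuthBy with no EAPType in the handler that will actually answer. The two sample configs are constructed from the posted one; the parser, the function names and the simplified "Realm=" selector handling are assumptions of this example, not a description of Radiator beyond what the thread states.

```python
"""Find shadowed <Handler> clauses in a Radiator-style config.

Added example, not Radiator's own code.  Radiator gives a request to the
first <Handler> whose selector matches, so a second <Handler Realm=dit.ie>
is never consulted.  Handler selection here is simplified (assumption) to
'Realm=<realm>' and a bare <Handler>; real Radiator supports more forms.
"""
import re
from dataclasses import dataclass, field

OPEN_RE = re.compile(r'^<(\w+)(?:\s+(.*?))?>$')
CLOSE_RE = re.compile(r'^</(\w+)>$')


@dataclass
class Clause:
    name: str        # 'Handler', 'AuthBy', 'Client', ...
    arg: str         # 'Realm=dit.ie', 'FILE', 'DEFAULT', ...
    params: dict = field(default_factory=dict)
    children: list = field(default_factory=list)


def _logical_lines(text):
    """Yield non-empty lines, '#' comments dropped, '\\' continuations joined.
    (A literal '#' inside a value, e.g. a shared secret, would be cut here.)"""
    pending = ''
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.endswith('\\'):
            pending += line[:-1]
            continue
        line, pending = pending + line, ''
        if line:
            yield line
    if pending:
        yield pending


def parse(text):
    """Build a tree of Clause objects; raises ValueError on mismatched tags."""
    root = Clause('ROOT', '')
    stack = [root]
    for line in _logical_lines(text):
        m = CLOSE_RE.match(line)
        if m:
            if stack[-1].name != m.group(1):
                raise ValueError(f'</{m.group(1)}> closes <{stack[-1].name}>')
            stack.pop()
            continue
        m = OPEN_RE.match(line)
        if m:
            clause = Clause(m.group(1), (m.group(2) or '').strip())
            stack[-1].children.append(clause)
            stack.append(clause)
            continue
        parts = line.split(None, 1)           # "Key value..." or a bare "Key"
        stack[-1].params[parts[0]] = parts[1] if len(parts) > 1 else ''
    if len(stack) != 1:
        raise ValueError(f'unclosed <{stack[-1].name}>')
    return root


def select_handler(root, user_name):
    """First-match Handler selection (simplified to Realm=... and bare <Handler>)."""
    realm = user_name.rpartition('@')[2] if '@' in user_name else ''
    for clause in root.children:
        if clause.name == 'Handler' and clause.arg in ('', f'Realm={realm}'):
            return clause
    return None


def lint(root):
    """Return human-readable findings; an empty list means nothing to report."""
    findings, seen = [], set()
    for clause in root.children:
        if clause.name != 'Handler':
            continue
        if clause.arg in seen:
            findings.append(f'<Handler {clause.arg}> repeats an earlier selector; '
                            'Radiator takes the first match, so this clause is never reached')
            continue
        seen.add(clause.arg)
        for child in clause.children:
            # An AuthBy with no EAPType answers EAP with "EAP authentication
            # is not permitted", which is the reject seen in the log above.
            if child.name == 'AuthBy' and 'EAPType' not in child.params:
                findings.append(f'<Handler {clause.arg}>: <AuthBy {child.arg}> has no EAPType, '
                                'so EAP requests it receives are rejected')
    return findings


# Constructed from the posted config: two <Handler Realm=dit.ie> clauses.
BROKEN_CONFIG = """
<Handler Realm=dit.ie>
    <AuthBy FILE>
        Filename users
    </AuthBy>
</Handler>
<Handler Realm=dit.ie>
    <AuthBy FILE>
        Filename users
        EAPType PEAP,MSCHAP-V2
        EAPTLS_CAFile %D/certificates/cacert.pem
        EAPTLS_CertificateFile %D/certificates/server_cert.pem
        EAPTLS_PrivateKeyFile %D/certificates/server_key.pem
        AutoMPPEKeys
        AddToReply Service-Type = Framed-User,\\
            Framed-MTU = 1500
    </AuthBy>
</Handler>
"""
# Same config with the first (EAP-less) handler removed, so the EAP-capable one answers.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    '<Handler Realm=dit.ie>\n    <AuthBy FILE>\n        Filename users\n    </AuthBy>\n</Handler>\n', '', 1)

if __name__ == '__main__':
    for label, cfg in (('broken', BROKEN_CONFIG), ('fixed', FIXED_CONFIG)):
        print(label, lint(parse(cfg)) or 'ok')
```

Run it on a real radius.cfg by reading the file into parse(); the EAPType warning is only meaningful for handlers that are expected to see EAP, so treat it as a hint rather than an error for plain PAP or accounting handlers.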