[RADIATOR] MSCHAPv2 problem
Colin Byelong
c.byelong at ucl.ac.uk
Wed Feb 25 08:13:23 CST 2009
Hi,
We have been using Radiator as part of the Eduroam service. We currently support EAP-TTLS and proxy requests for other realms; this has been working for a number of years with only a few problems.
I have been asked if we could add EAP-PEAP support. I have configured Radiator on a Windows 2003 server to test this and thought I could use AuthBy LSA.
The problem is that if I use the username@realm format it fails, but if I use the username format it works. I understand that this is because of the way MSCHAP makes a hash, but I thought UsernameMatchesWithoutRealm would fix this.
Below is the simple config I have been using. I have tried to attach the logs for a successful and an unsuccessful login but the mail was too big.
Any help much appreciated.
Thanks
Colin
#
Foreground
LogStdout
LogDir .
DbDir .
#
#Logfiles
DictionaryFile %D/dictionary,%D/dictionary.cisco
#
#
#
#
#Use port 1812 for Authentication
AuthPort 1812,1645
#Use port 1813 for accounting
AcctPort 1813,1646
Trace 4
#
#
#
#
#
<Client localhost>
Secret mysecret
DupInterval 0
</Client>
#
<Client DEFAULT>
#
Secret Goeduroamyourself!
DupInterval 0
#
</Client>
#
<Handler TunnelledByPEAP=1>
#RewriteUsername s/^([^@]+).*/$1/
<AuthBy LSA>
UsernameMatchesWithoutRealm
#RewriteUsername s/^([^@]+).*/$1/
# Specifies which Windows Domain is ALWAYS to be used to authenticate
# users (even if they specify a different domain in their username).
# Empty string means the local machine only
# Special characters are supported. Can be an Active
# directory domain or a Windows NT domain controller
# domain name
# Empty string (the default) means the local machine
#Domain OPEN
# Specifies the Windows Domain to use if the user does not
# specify a domain in their username.
# Special characters are supported. Can be an Active
# directory domain or a Windows NT domain controller
# domain name
# Empty string (the default) means the local machine
#DefaultDomain OPEN
# This specifies the workstation to the LSA. It might be used to check
# whether the user is permitted to log in. If the user has any
# workstation logon restrictions, this is the name that it
# will be checked against. Defaults to '', which means that
# workstation restrictions will not be checked
#Workstation WLAN
# You can check whether each user is the member of a windows group
# with the Group parameter. If more than one Group is specified, then the
# user must be a member of at least one of them. Requires Win32::NetAdmin
# (which is installed by default with ActivePerl). If no Group
# parameters are specified, then Group checks will not be performed.
#Group Administrators
#Group Domain Users
# You can force which domain controller will be used to check group
# membership with the DomainController parameter. If no Group parameters
# are specified, DomainController will not be used. Defaults to
# empty string, meaning AuthBy LSA will try to find
# the controller to use based on the users domain. If
# that fails, then the default controller of the host where this
# instance of Radiator is running.
#DomainController zulu
# If you specify EAPType LEAP, you can also handle
# Cisco LEAP with any LSA native authentication
EAPType MSCHAP-V2
</AuthBy>
</Handler>
#
#
<Handler>
#RewriteUsername s/^([^@]+).*/$1/
<AuthBy FILE>
RewriteUsername s/^([^@]+).*/$1/
#UsernameMatchesWithoutRealm
Filename /dev/null
EAPType PEAP
EAPTLS_CAFile %D/certs/sureserverEDU.pem
EAPTLS_CertificateFile %D/certs/orps.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certs/server.key
EAPTLS_MaxFragmentSize 1500
AutoMPPEKeys
EAPAnonymous
#EAPTLS_PEAPBrokenV1Label
SSLeayTrace 4
</AuthBy>
</Handler>
--
-----------------------------------------------------------------------
Colin Byelong Email: C.Byelong at ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street Phone: 020 7679-2572
London WC1E 6BT
------------------------------------------------------------------------