[RADIATOR] MSCHAPv2 problem
Hugh Irvine
hugh at open.com.au
Wed Feb 25 16:08:24 CST 2009
Hello Colin -
I will need to see a trace 4 debug showing what is happening.
The trace showing just the outer requests and the inner request
processing shouldn't be too large - you can send them separately if
you need to.
regards
Hugh
On 26 Feb 2009, at 01:13, Colin Byelong wrote:
> Hi,
>
> We have been using Radiator as part of the Eduroam service. We
> currently support EAP-TTLS and proxy requests for other realms; this
> has been working for a number of years with only a few problems.
> I have been asked if we could add EAP-PEAP support. I have configured
> Radiator on a Windows 2003 server to test this and thought I could use
> AuthBy LSA.
> The problem is that if I use username@realm format it fails, but if I
> use username format it works. I understand that this is because of the
> way MSCHAP makes a hash, but I thought UsernameMatchesWithoutRealm would
> fix this.
>
> Below is the simple config I have been using. I have tried to attach
> the logs for a successful and an unsuccessful login but the mail was too
> big.
>
> Any help much appreciated
>
> Thanks
>
> Colin
>
> #
> Foreground
> LogStdout
> LogDir .
> DbDir .
> #
> #Logfiles
> DictionaryFile %D/dictionary,%D/dictionary.cisco
> #
> #
> #
> #
> #Use port 1812 for Authentication
> AuthPort 1812,1645
> #Use port 1813 for accounting
> AcctPort 1813,1646
> Trace 4
> #
> #
> #
> #
>
> #
> <Client localhost>
> Secret mysecret
> DupInterval 0
> </Client>
> #
> <Client DEFAULT>
> #
> Secret Goeduroamyourself!
> DupInterval 0
> #
> </Client>
>
> #
> <Handler TunnelledByPEAP=1>
> #RewriteUsername s/^([^@]+).*/$1/
> <AuthBy LSA>
> UsernameMatchesWithoutRealm
> #RewriteUsername s/^([^@]+).*/$1/
> # Specifies which Windows Domain is ALWAYS to be used to authenticate
> # users (even if they specify a different domain in their username).
> # Empty string means the local machine only
> # Special characters are supported. Can be an Active
> # directory domain or a Windows NT domain controller
> # domain name
> # Empty string (the default) means the local machine
> #Domain OPEN
>
> # Specifies the Windows Domain to use if the user does not
> # specify a domain in their username.
> # Special characters are supported. Can be an Active
> # directory domain or a Windows NT domain controller
> # domain name
> # Empty string (the default) means the local machine
> #DefaultDomain OPEN
>
> # This specifies the workstation to the LSA. It might be used to check
> # whether the user is permitted to log in. If the user has any
> # workstation logon restrictions, this is the name that it
> # will be checked against. Defaults to '', which means that
> # workstation restrictions will not be checked
> #Workstation WLAN
>
> # You can check whether each user is the member of a Windows group
> # with the Group parameter. If more than one Group is specified, then the
> # user must be a member of at least one of them. Requires Win32::NetAdmin
> # (which is installed by default with ActivePerl). If no Group
> # parameters are specified, then Group checks will not be performed.
> #Group Administrators
> #Group Domain Users
>
> # You can force which domain controller will be used to check group
> # membership with the DomainController parameter. If no Group parameters
> # are specified, DomainController will not be used. Defaults to
> # empty string, meaning AuthBy LSA will try to find
> # the controller to use based on the user's domain. If
> # that fails, then the default controller of the host where this
> # instance of Radiator is running.
> #DomainController zulu
>
> # If you specify EAPType LEAP, you can also handle
> # Cisco LEAP with any LSA native authentication
> EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
> #
> #
> <Handler>
> #RewriteUsername s/^([^@]+).*/$1/
> <AuthBy FILE>
> RewriteUsername s/^([^@]+).*/$1/
> #UsernameMatchesWithoutRealm
> Filename /dev/null
> EAPType PEAP
> EAPTLS_CAFile %D/certs/sureserverEDU.pem
> EAPTLS_CertificateFile %D/certs/orps.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certs/server.key
> EAPTLS_MaxFragmentSize 1500
> AutoMPPEKeys
> EAPAnonymous
> #EAPTLS_PEAPBrokenV1Label
> SSLeayTrace 4
> </AuthBy>
> </Handler>
>
> --
> -----------------------------------------------------------------------
>
>
> Colin Byelong Email: C.Byelong at ucl.ac.uk
> Senior Network Development Officer
> Network Group
> Information Systems Division
> University College London
> Gower Street Phone: 020 7679-2572
> London WC1E 6BT
> ------------------------------------------------------------------------
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
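The question above turns on "the way MSCHAP makes a hash": in MS-CHAPv2 (RFC 2759, section 8.2) the 8-octet Challenge fed into the NT-Response is the first 8 bytes of SHA1(PeerChallenge | AuthenticatorChallenge | UserName), so the user name string is an input to the proof the client sends. Whichever side hashes a different user name string (for example the server after a RewriteUsername rule has stripped the realm) computes a different Challenge and the NT-Response can never verify. The following Python is an added illustration, not code from the mail or from Radiator: it implements only the ChallengeHash step (the DES-based NT-Response that follows it is omitted), checks it against the public RFC 2759 section 9.2 test vector, and reproduces the config's `s/^([^@]+).*/$1/` rewrite rule. The assumption that the supplicant hashes the full "user@realm" string, and the user names and realm used, are constructed for the example.

```python
import hashlib
import re

# Constructed inputs: the public RFC 2759 section 9.2 test vector for the
# ChallengeHash step (not data taken from the mailing-list post).
RFC2759_USERNAME = "User"
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash.

    Challenge = first 8 octets of SHA1(PeerChallenge | AuthenticatorChallenge | UserName).
    The user name is hashed exactly as the client supplied it.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 octets each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("utf-8")).digest()
    return digest[:8]


def radiator_strip_realm(username: str) -> str:
    """Python equivalent of the config's RewriteUsername rule s/^([^@]+).*/$1/:
    keep everything before the first '@' and drop the rest."""
    return re.sub(r"^([^@]+).*", r"\1", username)


def server_can_verify(client_username: str, server_username: str,
                      peer_challenge: bytes, auth_challenge: bytes) -> bool:
    """True only if the server hashes the same user name string as the client.

    Assumption for this example: the supplicant hashes the full inner identity
    it sent (e.g. "user@realm"); the server hashes whatever name it holds after
    any rewriting. A mismatch here guarantees the NT-Response check fails.
    """
    client_challenge = challenge_hash(peer_challenge, auth_challenge, client_username)
    server_challenge = challenge_hash(peer_challenge, auth_challenge, server_username)
    return client_challenge == server_challenge


def demonstrate_realm_mismatch(peer_challenge: bytes = RFC2759_PEER_CHALLENGE,
                               auth_challenge: bytes = RFC2759_AUTH_CHALLENGE) -> dict:
    """Walk through the two cases from the post with a constructed realm."""
    sent_by_client = "User@example.edu"  # constructed inner identity
    after_rewrite = radiator_strip_realm(sent_by_client)  # what RewriteUsername leaves
    return {
        "client_name": sent_by_client,
        "rewritten_name": after_rewrite,
        # Server verifies with the rewritten name: challenges differ, auth fails.
        "verifies_after_rewrite": server_can_verify(sent_by_client, after_rewrite,
                                                     peer_challenge, auth_challenge),
        # Server keeps the client's full name for the hash (the intent of
        # UsernameMatchesWithoutRealm: match the account without the realm but
        # hash the name as sent): challenges agree.
        "verifies_with_full_name": server_can_verify(sent_by_client, sent_by_client,
                                                      peer_challenge, auth_challenge),
    }


if __name__ == "__main__":
    print("RFC 2759 Challenge:", challenge_hash(RFC2759_PEER_CHALLENGE,
                                                RFC2759_AUTH_CHALLENGE,
                                                RFC2759_USERNAME).hex())
    for key, value in demonstrate_realm_mismatch().items():
        print(f"{key}: {value}")
```

The practical reading for the config in the post: a RewriteUsername that strips the realm before the MSCHAP-V2 verification changes the hashed name, while a setting that only relaxes the account lookup (matching the account name without its realm) leaves the hashed name intact. A trace 4 debug, as Hugh asks for, shows which user name the inner Handler actually presented to AuthBy LSA.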