[RADIATOR] MSCHAPv2 problem
Colin Byelong
c.byelong at ucl.ac.uk
Thu Feb 26 08:15:09 CST 2009
Hi Hugh,
The successful trace is appended/attached
Thanks
Colin
>
> Hello Colin -
>
> I will need to see a trace 4 debug showing what is happening.
>
> The trace showing just the outer requests and the inner request
> processing shouldn't be too large - you can send them separately if
> you need to.
>
> regards
>
> Hugh
>
>
> On 26 Feb 2009, at 01:13, Colin Byelong wrote:
>
>> Hi,
>>
>> We have been using radiator as part of the Eduroam service, we currently
>> support EAP-TTLS and proxy requests for other realms this has been
>> working for a number of years with only a few problems.
>> I have been asked if we could add EAP-PEAP support, I have configured
>> Radiator on a windows 2003 server to test this and thought I could use
>> Authby LSA.
>> The problem is that if I use username at realm format it fails but if I use
>> username format it works I understand that this is because of the way
>> MSCHAP makes a hash but I thought usernameMatchesWithoutRealm would fix
>> this.
>>
>> Below is the simple config I have been using I have tried to attache
>> the logs for a success and unsuccessful logins but the mail was too big
>>
>> Any help much appreciated
>>
>> Thanks
>>
>> Colin
>>
>> #
>> Foreground
>> LogStdout
>> LogDir .
>> DbDir .
>> #
>> #Logfiles
>> DictionaryFile %D/dictionary,%D/dictionary.cisco
>> #
>> #
>> #
>> #
>> #Use port 1812 for Authentication
>> AuthPort 1812,1645
>> #Use port 1813 for accounting
>> AcctPort 1813,1646
>> Trace 4
>> #
>> #
>> #
>> #
>>
>>
>>
>>
>> #
>> <Client localhost>
>> Secret mysecret
>> DupInterval 0
>> </Client>
>> #
>> <Client DEFAULT>
>> #
>> Secret Goeduroamyourself!
>> DupInterval 0
>> #
>> </Client>
>>
>> #
>> <Handler TunnelledByPEAP=1>
>> #RewriteUsername s/^([^@]+).*/$1/
>> <AuthBy LSA>
>> UsernameMatchesWithoutRealm
>> #RewriteUsername s/^([^@]+).*/$1/
>> # Specifies which Windows Domain is ALWAYS to be used to
>> authenticate
>> # users (even if they specify a different domain in their
>> username).
>> # Empty string means the local machine only
>> # Special characters are supported. Can be an Active
>> # directory domain or a Windows NT domain controller
>> # domain name
>> # Empty string (the default) means the local machine
>> #Domain OPEN
>>
>> # Specifies the Windows Domain to use if the user does not
>> # specify a doain domain in their username.
>> # Special characters are supported. Can be an Active
>> # directory domain or a Windows NT domain controller
>> # domain name
>> # Empty string (the default) means the local machine
>> #DefaultDomain OPEN
>>
>> # This specifies the workstation to the LSA. It might be
>> used tocheck
>> # whether the the user is permitted to log in. If the
>> user has any
>> # workstation logon restrictions, this is the name that it
>> # will be checked against. Defaults to '', which means
>> that
>> # workstation restrictions will not be checked
>> #Workstation WLAN
>>
>> # You can check whether each user is the member of a
>> windows group
>> # with the Group parameter. If more than one Group is
>> specified,then the
>> # user must be a member of at least one of them. Requires
>> Win32::NetAdmin
>> # (which is installed by default with ActivePerl). If no
>> Group
>> # parameters are specified, then Group checks will not be
>> performed.
>> #Group Administrators
>> #Group Domain Users
>>
>> # You can force which domain controller will be used to
>> check group
>> # membership with the DomainController parameter. If no
>> Group parameters
>> # are specified, DomainController will not be used.
>> Defaults to
>> # empty string, meaning AuthBy LSQA will try to find
>> # the controller to use based on the users domain. IF
>> # that fails, then the default controller of the host
>> where this
>> # instance of Radiator is running.
>> #DomainController zulu
>>
>> # If you specify EAPType LEAP, you can also handle
>> # Cisco LEAP with any LSA native authentication
>> EAPType MSCHAP-V2
>> </AuthBy>
>> </Handler>
>> #
>> #
>> <Handler>
>> #RewriteUsername s/^([^@]+).*/$1/
>> <AuthBy FILE>
>> RewriteUsername s/^([^@]+).*/$1/
>> #]UsernameMatchesWithoutRealm
>> Filename /dev/null
>> EAPType PEAP
>> EAPTLS_CAFile %D/certs/sureserverEDU.pem
>> EAPTLS_CertificateFile %D/certs/orps.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile %D/certs/server.key
>> EAPTLS_MaxFragmentSize 1500
>> AutoMPPEKeys
>> EAPAnonymous
>> #EAPTLS_PEAPBrokenV1Label
>> SSLeayTrace 4
>> </AuthBy>
>> </Handler>
>>
>> --
>> -----------------------------------------------------------------------
>>
>>
>> Colin Byelong Email: C.Byelong at ucl.ac.uk
>> Senior Network Development Officer
>> Network Group
>> Information Systems Division
>> University College London
>> Gower Street Phone: 020 7679-2572
>> London WC1E 6BT
>> ------------------------------------------------------------------------
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
--
-----------------------------------------------------------------------
Colin Byelong Email: C.Byelong at ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street Phone: 020 7679-2572
London WC1E 6BT
------------------------------------------------------------------------
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: working.txt
URL: <http://www.open.com.au/pipermail/radiator/attachments/20090226/1e323e60/attachment-0001.txt>
More information about the radiator
mailing list