[RADIATOR] PEAP/EAP MSCHAPV2 with WPA configuration

Khurram Masood khurram.groups at gmail.com
Tue Jul 7 04:33:40 CDT 2009


Hello Hugh

I am having a problem configuring Radiator to secure my WiFi
network. Following are the necessary details:

Access point security protocol: WPA with AES
Client:       XP SP3 with PEAP/EAP MSCHAP-V2
Other Info:   Using DHCP for the clients, although the AP has a
static IP address.

Problem:      Unable to authenticate the user.


Config file:
# Example Radiator configuration file that allows you to
# authenticate from an SQL database.
# With Radiator you can interface with almost any database schema,
# and there are many more configurable parameters that allow you
# to control database fallback, select statements, column names
# and arrangements etc etc etc.
# See the reference manual for more details.
# This is a very simple example to get you started. It will
# work with the tables created by the goodies/*.sql scripts.
#
# You should consider this file to be a starting point only
# $Id: sql.cfg,v 1.4 2000/03/21 01:25:16 mikem Exp $

Foreground
LogStdout
LogDir          .
DbDir           .
Trace 4
AuthPort 1645
AcctPort 1646
# You will probably want to change this to suit your site.
<Client 10.100.0.2>
        Secret  abc
        DupInterval 4
</Client>

<Client DEFAULT>
        Secret  xyz
        DupInterval 4
</Client>

# You can put client details in a database table
# and get their details from there with something like this:

# This will authenticate users from SUBSCRIBERS
<Handler TunnelledByPEAP=1>
        <AuthBy FILE>
                Filename %D/users
                # This tells the PEAP client what types of inner EAP requests
                # we will honour
                EAPType PEAP,TTLS,TLS,MSCHAP-V2,MD5,MD5-Challenge
        </AuthBy>
</Handler>


<Realm WIFI>
        <AuthBy FILE>
                Filename /home/oracle/Radiator-3.12/wifi_users
                EAPType PEAP,TTLS,TLS,MSCHAP-V2,MD5,MD5-Challenge
                EAPTLS_CAFile /home/oracle/Radiator-3.12/certificates/demoCA/cacert.pem
                EAPTLS_CAPath
                EAPTLS_CertificateFile /home/oracle/Radiator-3.12/certificates/cert-srv.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /home/oracle/Radiator-3.12/certificates/cert-srv.pem
                EAPTLS_PrivateKeyPassword whatever
                AutoMPPEKeys
                EAPTLS_PEAPVersion 0
        </AuthBy>
</Realm>

<Realm DEFAULT>
        AuthByPolicy ContinueWhileAccept
        PasswordLogFileName %L/password_log
        MaxSessions 1
        <AuthBy SQL>
                # Adjust DBSource, DBUsername, DBAuth to suit your DB
                DBSource        dbi:Oracle:orcl
                DBUsername      abc
                DBAuth          xyz
                AuthSelect select password from subaccounts where ((active=1 or (active=0 and freeaccess=1)) and login=concat('%n','l') and nas=substr('%N',1,3) and locked=0) or (active=1 and login=concat('%n','d') and nas=substr('%N',1,3) and locked=0)
                # You may want to tailor these for your ACCOUNTING table
                # You can add your own columns to store whatever you like
                AccountingTable CALLS
                DateFormat %Y-%m-%d %H:%M:%S
                AcctSQLStatement insert into calls(calldate,username,acctsessionid,acctsessiontime,acctterminatecause,nasidentifier,framedaddress,callstationid) values(to_date('%Y-%m-%d %H:%M:%S','yyyy-mm-dd hh24:mi:ss'),'%{User-Name}','%{Acct-Session-Id}',%{Acct-Session-Time},'%{Acct-Terminate-Cause}','%N','%{Framed-IP-Address}','%{Calling-Station-Id}')
                # AcctSQLStatement insert into calls(calldate,username,acctstatustype,acctsessionid,acctsessiontime,nasidentifier,nasport) values(to_date('%Y-%m-%d %H:%M:%S','yyyy-mm-dd hh24:mi:ss'),'%{User-Name}','%{Acct-Status-Type}','%{Acct-Session-Id}',%{Acct-Session-Time},'%N',%{NAS-Port})
                AccountingStopsOnly

                # Idle-Timeout = 600 was removed from the reply list below on 4th Nov 2006,
                # disabled on instruction of MI by Faisl Qadri.
                # (No trailing backslash on the last attribute, so the comment is not
                # joined into the AddToReply continuation.)
                AddToReply Service-Type = Framed-User, \
                        Framed-Protocol = PPP, \
                        Framed-IP-Netmask = 255.255.255.0, \
                        Framed-Routing = None, \
                        Acct-Terminate-Cause = %{Reply:Acct-Terminate-Cause}, \
                        Framed-MTU = 1500, \
                        Framed-Compression = Van-Jacobson-TCP-IP
        </AuthBy>
</Realm>

<SessionDatabase SQL>
        DBSource        dbi:Oracle:orcl
        DBUsername      abc
        DBAuth          xyz

        AddQuery        update serverports set username='%n',acctstatustype='%{Acct-Status-Type}',framedaddress='%{Framed-IP-Address}',callstationid='%{Calling-Station-Id}',calldate=to_date('%Y-%m-%d %H:%M:%S','yyyy-mm-dd HH24:MI:SS') where port=%{NAS-Port} and substr(ipaddress,1,2)=substr('%N',1,2)

        DeleteQuery     update serverports set acctstatustype='Stop' where port=%{NAS-Port} and substr(ipaddress,1,2)=substr('%N',1,2)
        ClearNasQuery   update serverports set acctstatustype='Stop' where substr(ipaddress,1,2)=substr('%N',1,2)

</SessionDatabase>
-----------------------------------------------------------------------

Level 4 Debug trace:


*** Received from 192.168.22.99 port 1027 ....
Code:       Access-Request
Identifier: 0
Authentic:  t<222>l<137>U<156>Gj<17>}<7><170>\<152><7>k
Attributes:
        Message-Authenticator = <2><139>?<241><10><176><178>Q:`<160>";r,$
        Service-Type = Framed-User
        User-Name = "mfqadri at WIFI"
        Framed-MTU = 1488
        Called-Station-Id = "00-1E-58-A9-E7-3D:dlink"
        Calling-Station-Id = "00-18-F8-2E-5B-B3"
        NAS-Identifier = "D-Link Access Point"
        NAS-Port-Type = Wireless-IEEE-802-11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = <2><0><0><17><1>mfqadri at WIFI
        NAS-IP-Address = 192.168.22.99
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
Mon Jul  6 16:17:10 2009: DEBUG: Handling request with Handler 'Realm=WIFI'
Mon Jul  6 16:17:10 2009: DEBUG:  Deleting session for mfqadri at WIFI, 192.168.22.99, 1
Mon Jul  6 16:17:10 2009: DEBUG: do query is: 'update serverports set acctstatustype='Stop' where port=1 and substr(ipaddress,1,2)=substr('192.168.22.99',1,2)':
Mon Jul  6 16:17:10 2009: DEBUG: Handling with Radius::AuthFILE:
Mon Jul  6 16:17:10 2009: DEBUG: Handling with EAP: code 2, 0, 17
Mon Jul  6 16:17:10 2009: DEBUG: Response type 1
Mon Jul  6 16:17:10 2009: DEBUG: EAP result: 3, EAP PEAP Challenge
Mon Jul  6 16:17:10 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP
PEAP Challenge
Mon Jul  6 16:17:10 2009: DEBUG: Access challenged for mfqadri at WIFI:
EAP PEAP Challenge
Mon Jul  6 16:17:10 2009: DEBUG: Packet dump:
*** Sending to 192.168.22.99 port 1027 ....
Code:       Access-Challenge
Identifier: 0
Authentic:  t<222>l<137>U<156>Gj<17>}<7><170>\<152><7>k
Attributes:
        EAP-Message = <1><1><0><6><25>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Mon Jul  6 16:17:10 2009: DEBUG: Packet dump:
*** Received from 192.168.22.99 port 1027 ....
Code:       Access-Request
Identifier: 1
Authentic:  <24>$E<6><21><190>v<143>f<173>(FYC<0>@
Attributes:
        Message-Authenticator = <195><23><144>t<230><162><149><247><209><213>VZ<225>p"<150>
        Service-Type = Framed-User
        User-Name = "mfqadri at WIFI"
        Framed-MTU = 1488
        Called-Station-Id = "00-1E-58-A9-E7-3D:dlink"
        Calling-Station-Id = "00-18-F8-2E-5B-B3"
        NAS-Identifier = "D-Link Access Point"
        NAS-Port-Type = Wireless-IEEE-802-11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = <2><1><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>JQ<207><214>2<240><204><224><133>i<193><132><176><26><198><23>h<251>B<23><191><3>;W]<160><162><154><232><187>*<154><0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0>
        NAS-IP-Address = 192.168.22.99
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
Mon Jul  6 16:17:10 2009: DEBUG: Handling request with Handler 'Realm=WIFI'
Mon Jul  6 16:17:10 2009: DEBUG:  Deleting session for mfqadri at WIFI, 192.168.22.99, 1
Mon Jul  6 16:17:10 2009: DEBUG: do query is: 'update serverports set acctstatustype='Stop' where port=1 and substr(ipaddress,1,2)=substr('192.168.22.99',1,2)':
Mon Jul  6 16:17:10 2009: DEBUG: Handling with Radius::AuthFILE:
Mon Jul  6 16:17:10 2009: DEBUG: Handling with EAP: code 2, 1, 80
Mon Jul  6 16:17:10 2009: DEBUG: Response type 25
Mon Jul  6 16:17:10 2009: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
Mon Jul  6 16:17:10 2009: DEBUG: EAP result: 3, EAP PEAP Challenge
Mon Jul  6 16:17:10 2009: DEBUG: AuthBy FILE result: CHALLENGE, EAP
PEAP Challenge
Mon Jul  6 16:17:10 2009: DEBUG: Access challenged for mfqadri at WIFI:
EAP PEAP Challenge
Mon Jul  6 16:17:10 2009: DEBUG: Packet dump:
*** Sending to 192.168.22.99 port 1027 ....
Code:       Access-Challenge
Identifier: 1
Authentic:  <24>$E<6><21><190>v<143>f<173>(FYC<0>@
Attributes:
        EAP-Message =
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Mon Jul  6 16:17:13 2009: DEBUG: Packet dump:
*** Received from 192.168.22.99 port 1027 ....
Code:       UNDEF
Identifier: 63
Authentic:  <24>$E<6><21><190>v<143>f<173>(FYC<0>@
Attributes:
        EAP-Message =
        Message-Authenticator = <6>9<27><229><183><152>S<159><249><248><229>~1<253><136><135>
Mon Jul  6 16:17:13 2009: WARNING: Bad EAP Message-Authenticator
Mon Jul  6 16:17:13 2009: WARNING: Bad authenticator in request from 192.168.22.99 (192.168.22.99)
Mon Jul  6 16:17:14 2009: ERR: Attribute number 35 (vendor 311) is not defined in your dictionary
Mon Jul  6 16:17:14 2009: ERR: Attribute number 34 (vendor 311) is not defined in your dictionary
Mon Jul  6 16:17:14 2009: DEBUG: Packet dump:

Looking forward to your reply.

Regards

Khurram Masood
khurram.groups at gmail.com
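The "Bad EAP Message-Authenticator" warning in the trace above comes from the check a RADIUS server performs on every EAP-carrying request: the Message-Authenticator attribute (RFC 2869, required with EAP-Message by RFC 3579) is an HMAC-MD5 over the whole packet, keyed with the shared secret of the matching <Client> clause, computed with the attribute's own 16 bytes set to zero. The Python below is an added example, not code from the original post or from Radiator; it builds an Access-Request with a valid Message-Authenticator and verifies it, showing that a shared-secret mismatch or any modified byte produces exactly this failure. The packet contents, the user name and the secret are constructed, and the 16-byte Request Authenticator is a fixed value where a real NAS uses random bytes.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80  # RFC 2869: 16-byte HMAC-MD5 keyed with the shared secret


def encode_attrs(attrs):
    """Serialise (type, value) pairs into RADIUS TLV form: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(identifier, request_auth, attrs, secret):
    """Build an Access-Request carrying a correct Message-Authenticator.
    The HMAC covers the whole packet with the attribute value zeroed."""
    body = encode_attrs(attrs) + struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = header + request_auth + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # replace the zero placeholder with the real HMAC


def verify_message_authenticator(packet, secret, request_auth=None):
    """Return True if the packet's Message-Authenticator verifies under secret.
    For a response (Access-Challenge etc.) pass the matching request's Request
    Authenticator: the HMAC is keyed over that value, not the Response
    Authenticator that sits in the header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        return False
    pos = 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            claimed = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            if request_auth is not None:
                zeroed = zeroed[:4] + request_auth + zeroed[20:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(claimed, expected)
        pos += l
    return False  # RFC 3579: EAP-Message without Message-Authenticator is discarded


# Constructed sample modelled on the first request in the trace (all values made up)
SECRET = b"xyz"                  # the <Client DEFAULT> secret from the posted config
REQUEST_AUTH = bytes(range(16))  # fixed here; a real NAS sends 16 random bytes
SAMPLE = build_access_request(0, REQUEST_AUTH, [
    (USER_NAME, b"user@WIFI"),
    (EAP_MESSAGE, b"\x02\x00\x00\x0e\x01user@WIFI"),  # EAP Response/Identity
], SECRET)

if __name__ == "__main__":
    print("correct secret:", verify_message_authenticator(SAMPLE, SECRET))
    print("wrong secret  :", verify_message_authenticator(SAMPLE, b"abc"))
```

With the wrong secret or a single altered attribute byte the function returns False, which is the condition under which the server logs the warning and drops the request.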

