[RADIATOR] WG: Radiator evaluation software downloaded

Heikki Vatiainen hvn at open.com.au
Tue Apr 26 13:28:31 CDT 2011


On 04/26/2011 02:41 PM, El Abbadi, Ossama wrote:

Hello Ossama,

>> We try to configure and test radiator for our University WLAN
>> Environment. At the moment we have problem with the authentication
>> process via Active Directory. I think that is very standard but I
>> found no example configuration in your documentation.

Are you planning on using EAP-PEAP, EAP-TTLS or maybe some other
protocol? Looks like you have selected PEAP and MSCHAP-V2, so I presume
your preference is PEAP with EAP-MSCHAP-V2 as the inner authentication protocol.

In this case you need to have ntlm_auth working first. Please see
goodies/smb.conf.winbindd and Radiator list archives first. For example:
http://www.open.com.au/pipermail/radiator/2010-February/016091.html

In other words, you should be able to run ntlm_auth successfully from the
command line before continuing with Radiator configuration.


>> Our /etc/radius.conf

>> <Realm HS-RW.LOCAL>

Realm should be vwa.hs-rw.local if your usernames end with
@vwa.hs-rw.local like in "elabbadi.ossama at vwa.hs-rw.local".

Your Windows domain seems to be HS-RW.LOCAL. This should be specified
when setting up winbind and krb5.conf to get ntlm_auth working. You can
also put it as Domain and DefaultDomain in Radiator configuration.

Note: Radiator and WLAN authentication protocols use realm to specify
the part that comes after @ sign in the User-Name RADIUS attribute.
Windows authentication uses domain. These two can be the same, or they
can be mapped from one to the other when setting up NTLM authentication.

In the config below you also have:
<Realm Test KRB5>
<Realm Test FILE>
<Realm Test File>

These are probably not needed and are almost impossible to use, since
the username must be something like "user at Test KRB5" to match these.

In summary: you need to get ntlm_auth working first, and then you can
continue with Radiator configuration. The goodies/ directory in the
Radiator distribution has many examples of PEAP/EAP-MSCHAP-V2
configuration. See goodies/README for an index.

Best regards,
Heikki


>>         AcctLogFileName %L/hs-rw.detail
>>         AuthByPolicy ContinueWhileIgnore
>>
>>         <AuthBy NTLM>
>>                 CachePasswordExpiry 86400
>>                 DefaultDomain hs-rw.local
>>                 Domain hs-rw.local
>>                 DomainFormat %0
>>                 EAPAnonymous anonymous
>>                 EAPContextTimeout 1000
>>                 EAPFAST_PAC_Lifetime 7776000
>>                 EAPFAST_PAC_Reprovision 2592000
>>                 EAPTLS_CAFile /etc/radiator/certs/ca.pem
>>                 EAPTLS_CAPath /etc/radiator/certs/
>>                 EAPTLS_CertificateFile /etc/radiator/certs/server.pem
>>                 EAPTLS_CertificateType PEM
>>                 EAPTLS_MaxFragmentSize 2048
>>                 EAPTLS_PEAPVersion 1
>>                 EAPTLS_PrivateKeyFile /etc/radiator/certs/server.key
>>                 EAPTLS_SessionResumption 1
>>                 EAPTLS_SessionResumptionLimit 43200
>>                 EAPTLS_VerifyDepth 1
>>                 EAPType PEAP
>>                 EAPType MSCHAP-V2
>>                 NoDefault 1
>>                 NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>>                 PasswordPrompt password
>>                 SIPDigestRealm DefaultSipRealm
>>                 UsernameFormat %0
>>         </AuthBy>
>> </Realm>
>>
>>
>> <Realm Test KRB5>
>>         AuthByPolicy ContinueWhileIgnore
>>
>>         <AuthBy KRB5>
>>                 CachePasswordExpiry 86400
>>                 EAPAnonymous anonymous
>>                 EAPContextTimeout 1000
>>                 EAPFAST_PAC_Lifetime 7776000
>>                 EAPFAST_PAC_Reprovision 2592000
>>                 EAPTLS_MaxFragmentSize 2048
>>                 EAPTLS_PEAPVersion 1
>>                 EAPTLS_SessionResumption 1
>>                 EAPTLS_SessionResumptionLimit 43200
>>                 EAPTLS_VerifyDepth 1
>>                 KrbRealm HS-RW.LOCAL
>>                 KrbServer srv100rdc01.hs-rw.local
>>                 KrbService radius
>>                 NoDefault 1
>>                 PasswordPrompt password
>>                 SIPDigestRealm DefaultSipRealm
>>         </AuthBy>
>> </Realm>
>>
>> <Realm Test FILE>
>>         AuthByPolicy ContinueWhileIgnore
>>
>>         <AuthBy FILE>
>>                 CachePasswordExpiry 86400
>>                 EAPAnonymous anonymous
>>                 EAPContextTimeout 1000
>>                 EAPFAST_PAC_Lifetime 7776000
>>                 EAPFAST_PAC_Reprovision 2592000
>>                 EAPTLS_MaxFragmentSize 2048
>>                 EAPTLS_PEAPVersion 1
>>                 EAPTLS_SessionResumption 1
>>                 EAPTLS_SessionResumptionLimit 43200
>>                 EAPTLS_VerifyDepth 1
>>                 Filename %D/users
>>                 PasswordPrompt password
>>                 SIPDigestRealm DefaultSipRealm
>>         </AuthBy>
>> </Realm>
>>
>> <Realm File>
>>         AuthByPolicy ContinueWhileIgnore
>>
>>         <AuthBy FILE>
>>                 CachePasswordExpiry 86400
>>                 EAPAnonymous anonymous
>>                 EAPContextTimeout 1000
>>                 EAPFAST_PAC_Lifetime 7776000
>>                 EAPFAST_PAC_Reprovision 2592000
>>                 EAPTLS_MaxFragmentSize 2048
>>                 EAPTLS_PEAPVersion 1
>>                 EAPTLS_SessionResumption 1
>>                 EAPTLS_SessionResumptionLimit 43200
>>                 EAPTLS_VerifyDepth 1
>>                 Filename %D/users
>>                 PasswordPrompt password
>>                 SIPDigestRealm DefaultSipRealm
>>         </AuthBy>
>> </Realm>
>>
>> --------------
>>
>> Logfile:
>>
>> --------------
>>
>> Wed Apr 20 14:40:56 2011: DEBUG: Packet dump:
>> *** Received from 10.1.2.86 port 1645 ....
>>
>> Packet length = 186
>> Code:       Access-Request
>> Identifier: 239
>> Authentic:  N<190><255><199><232><239>0<159>c^<155><245><188>o<155>v
>> Attributes:
>>         User-Name = "elabbadi.ossama at vwa.hs-rw.local"
>>         Framed-MTU = 1400
>>         Called-Station-Id = "b4a4.e31f.abb0"
>>         Calling-Station-Id = "0024.d6ae.5c66"
>>         Service-Type = Login-User
>>         Message-Authenticator =
>> <31><10><141><16><234>c<199>X<2>@Ls?Sc<161>
>>         EAP-Message = <2><2><0>$<1>elabbadi.ossama at vwa.hs-rw.local
>>         NAS-Port-Type = Wireless-IEEE-802-11
>>         NAS-Port = 7187
>>         NAS-Port-Id = "7187"
>>         NAS-IP-Address = 10.1.2.86
>>         NAS-Identifier = "mh-ap17"
>>
>> Wed Apr 20 14:40:56 2011: WARNING: Could not find a handler for
>> elabbadi.ossama at vwa.hs-rw.local: request is ignored


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
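An added illustration of the realm-matching point made in the reply (not code from the thread or from Radiator): a small Python model of how the realm part of a RADIUS User-Name is matched against the <Realm> clauses, run against the realm names from the quoted radius.conf and against the suggested fix. The case-insensitive comparison and the DEFAULT fallback are modelling assumptions, not verified Radiator behaviour; the "@" stands for the " at " that the list archive substitutes.

```python
# Added example: toy model of Radiator <Realm> handler selection, built from the
# realm names in the quoted radius.conf. Not Radiator code; the case-insensitive
# compare and the DEFAULT fallback are modelling assumptions, not verified behaviour.
from typing import Dict, Optional, Tuple

# Realm clauses from the quoted config (realm name -> AuthBy type).
QUOTED_REALMS: Dict[str, str] = {
    "HS-RW.LOCAL": "NTLM",
    "Test KRB5": "KRB5",
    "Test FILE": "FILE",
    "File": "FILE",
}

# The same NTLM handler with the realm renamed as suggested in the reply.
FIXED_REALMS: Dict[str, str] = {"vwa.hs-rw.local": "NTLM"}


def split_user_name(user_name: str) -> Tuple[str, str]:
    """Split a RADIUS User-Name into (user, realm); realm is '' without an '@'."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm) if sep else (user_name, "")


def select_handler(user_name: str, realms: Dict[str, str]) -> Optional[str]:
    """Return the AuthBy type of the matching <Realm>, else that of a DEFAULT
    realm, else None (Radiator logs 'Could not find a handler ... request is ignored')."""
    _, realm = split_user_name(user_name)
    for name, authby in realms.items():
        if name.lower() == realm.lower():
            return authby
    return realms.get("DEFAULT")


def explain(user_name: str, realms: Dict[str, str]) -> str:
    """One-line diagnosis in the spirit of the WARNING in the quoted log."""
    handler = select_handler(user_name, realms)
    if handler is None:
        return f"Could not find a handler for {user_name}: request is ignored"
    return f"{user_name} -> AuthBy {handler}"


if __name__ == "__main__":
    # The User-Name from the quoted packet dump (archive shows '@' as ' at ').
    name = "elabbadi.ossama@vwa.hs-rw.local"
    print(explain(name, QUOTED_REALMS))   # realm vwa.hs-rw.local is not HS-RW.LOCAL
    print(explain(name, FIXED_REALMS))    # matches <Realm vwa.hs-rw.local>
    # 'Test KRB5' only matches a User-Name whose realm literally contains a space.
    print(explain("user@Test KRB5", QUOTED_REALMS))
```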

