[RADIATOR] PEAP problem: EAP result: 1, EAP authentication is not permitted

Christian Kratzer ck-lists at cksoft.de
Mon Feb 7 10:56:43 CST 2011


Hi,

On Mon, 7 Feb 2011, Raúl Tejeda Calero wrote:

> Hi everyone,
>
> I have another trouble with my radiator configuration.
>
> I'm trying to connect my winxp client with PeAP (without "validate server certificate"), I have entered one valid user (mikem-fred 4 example) and the log shows:
>
> Mon Feb  7 15:28:39 2011: DEBUG: Packet dump:
> *** Received from <ip>port 32768 ....
> Code:       Access-Request
> Identifier: 74
> Authentic:  <175><136><30><157>sd<241><177><223><155><160>$s<228>o<129>
> Attributes:
> 	User-Name = "mikem"
> 	Calling-Station-Id = "xx"
> 	Called-Station-Id = "xx:Prueba"
> 	NAS-Port = 13
> 	NAS-IP-Address = xxx.yyy.zzz.www
> 	NAS-Identifier = "WLC-1"
> 	Airespace-WLAN-Id = 4
> 	Service-Type = Framed-User
> 	Framed-MTU = 1300
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	Tunnel-Type = 0:VLAN
> 	Tunnel-Medium-Type = 0:802
> 	Tunnel-Private-Group-ID = 509
> 	EAP-Message = <2><2><0><10><1>mikem
> 	Message-Authenticator = l<218>k<160><31><206><177><4>E<208><234><171>f<195><137>"
>
> Mon Feb  7 15:28:39 2011: DEBUG: Handling request with Handler 'NAS-IP-Address=xxx.yyy.zzz.www', Identifier ''
> Mon Feb  7 15:28:39 2011: DEBUG: Rewrote user name to mikem
> Mon Feb  7 15:28:39 2011: DEBUG:  Deleting session for mikem, <ip>, 13
> Mon Feb  7 15:28:39 2011: DEBUG: Handling with Radius::AuthFILE:
> Mon Feb  7 15:28:39 2011: DEBUG: Handling with EAP: code 2, 2, 10, 1
> Mon Feb  7 15:28:39 2011: DEBUG: Response type 1
> Mon Feb  7 15:28:39 2011: DEBUG: EAP result: 1, EAP authentication is not permitted.
> Mon Feb  7 15:28:39 2011: DEBUG: AuthBy FILE result: REJECT, EAP authentication is not permitted.
> Mon Feb  7 15:28:39 2011: INFO: Access rejected for mikem: EAP authentication is not permitted.
> Mon Feb  7 15:28:39 2011: DEBUG: Packet dump:
> *** Sending to 10.223.0.4 port 32768 ....
> Code:       Access-Reject
> Identifier: 74
> Authentic:  <2>N<9>4<26><237><212>A<231><249><15>T$<129><152>[
> Attributes:
> 	Reply-Message = "Request Denied"


you need to have a dummy user anonymous in your users file for the first stage
of outer authentication for any tunnelled eap method to work.

The sample radiator users file has this:

 	# For testing various EAP protocols. The Password can never be matched
 	anonymous Encrypted-Password=nevermatch

I like to use a simple

 	anonymous

in a separate users-file used only for the outer authentication.

> My running config is something like this:
<snipp/>
> #<Handler TunnelledByPEAP=1>
> <Handler NAS-IP-Address="WLC-Address">
>
> 	RewriteUsername s/(.*)\\(.*)/$2/
>
>
> 	<AuthBy FILE>
>
> 		Filename %D/users
>
> 		EAPType MSCHAP-V2, PEAP
> #		EAPTLS_CAFile %D/certificados/ca.pem
> #		EAPTLS_CertificateFile %D/certificados/serv.pem
> #		EAPTLS_CertificateType PEM
> #		EAPTLS_PrivateKeyFile %D/certificados/serv.key
> #		EAPTLS_MaxFragmentSize 500
> 	</AuthBy>
> </Handler>
>
> Another problem (or the same, I don't know) is the following:



>
> If I use the handler "tunneledByPEAP=1", radiator says: Mon Feb  7 15:25:56 2011: WARNING: Could not find a handler for mikem: request is ignored

you cannot have just a single handler with tunneledByPEAP=1.  Either you
combine inner and outer auth into a single handler like you have now
or you split them up into two handlers like for example:


-- radius.cfg --
# inner auth with MS-CHAP-V2
<Handler NAS-IP-Address="WLC-Address",TunnelledByPEAP=1>
	<AuthBy FILE>
		RewriteUsername s/(.*)\\(.*)/$2/
		EAPType MSCHAP-V2
		Filename %D/users
	</AuthBy>
</Handler>

# outer auth with just PEAP
<Handler NAS-IP-Address="WLC-Address">
	<AuthBy FILE>
		EAPType PEAP
		Filename %D/users-eap
	</AuthBy>
</Handler>
-- radius.cfg --


-- users-eap --
anonymous

-- users-eap --


Also notice that I have put the RewriteUsername inside the AuthBy FILE with the MSCHAP-V2.

As all chap variants include the username in calculating the challenge,
any rewrites can break your chap.  I believe EAP-MSCHAP has special code
to leave the identity intact despite rewriting the username for the
lookup.  Not sure that it works under all conditions though.

You might want to leave out rewriting at least until you get the config
to work first.

> Thus, my access-request seems not tunneled by PeaP, perhaps I have configured PeAP in my WLAN and client.

the trace shows that your client is attempting eap.

Greetings
Christian


>
> Thanks for your help,
>
> Regards,
> Raúl Tejeda
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>

-- 
Christian Kratzer                      CK Software GmbH
Email:   ck at cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer
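The trace above only shows the outer EAP Identity exchange; the following is an added example (not part of this thread or of Radiator) that decodes the EAP-Message attribute out of a Radiator packet dump, so that the "code 2, 2, 10, 1" log line and the identity the supplicant presented for outer auth can be checked directly. The sample dump text is constructed from the lines quoted in the thread.

```python
import re
import struct

# EAP codes and types that appear in a PEAP/MSCHAP-V2 exchange (RFC 3748 values).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 25: "PEAP", 26: "MSCHAP-V2"}

# Radiator prints non-printable bytes in packet dumps as <decimal>.
_TOKEN = re.compile(r"<(\d+)>|(.)", re.S)


def radiator_dump_to_bytes(dump: str) -> bytes:
    """Turn Radiator's <n>-escaped attribute value back into raw bytes."""
    out = bytearray()
    for num, ch in _TOKEN.findall(dump):
        out.append(int(num) if num else ord(ch))
    return bytes(out)


def parse_eap_message(raw: bytes) -> dict:
    """Parse the EAP header (code, id, length) and, for Identity, the identity."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    info = {"code": code, "code_name": EAP_CODES.get(code, "?"),
            "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a type
        info["type"] = raw[4]
        info["type_name"] = EAP_TYPES.get(raw[4], "?")
        if raw[4] == 1:                          # Identity: payload is the NAI
            info["identity"] = raw[5:].decode("utf-8", "replace")
    return info


def eap_from_packet_dump(dump_text: str) -> dict:
    """Locate the EAP-Message attribute in a Radiator DEBUG packet dump."""
    m = re.search(r"EAP-Message = (.*)", dump_text)
    if not m:
        raise ValueError("no EAP-Message attribute in dump")
    return parse_eap_message(radiator_dump_to_bytes(m.group(1)))


# Constructed sample, copied from the Access-Request quoted in the thread.
SAMPLE_DUMP = """\tUser-Name = "mikem"
\tEAP-Message = <2><2><0><10><1>mikem
\tMessage-Authenticator = <0>"""

if __name__ == "__main__":
    print(eap_from_packet_dump(SAMPLE_DUMP))
```

The decoded values line up with Radiator's "Handling with EAP: code 2, 2, 10, 1" (code, id, length, type), i.e. an EAP Identity Response whose outer identity is "mikem" rather than "anonymous".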

