[RADIATOR] PEAP Unknow Problem

Christian Kratzer ck at cksoft.de
Wed Feb 16 10:36:26 CST 2011 

Hi,

On Wed, 16 Feb 2011, Raúl Tejeda Calero wrote:

> Hi,
>
> I´m still having problems with my PEAP-MSCHAP-V2 configuration.
>
> But the problem seems more complex this time and I don´t sure to understand the process.
>
> The log shows this:
>
> Schema:
> 1) EAPChallenge for mikem
> 2) Access challenged for anonymous: EAP PEAP Challenge
> 3) Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
> 4)  EAP PEAP inner authentication request for anonymous
> 5) Access challenged for anonymous: EAP MSCHAP-V2 Challenge
> 6)  Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
> 7) Radius::AuthFILE looks for match with mikem [anonymous]
>    Radius::AuthFILE ACCEPT: : mikem [anonymous]
>    EAP result: 1, EAP MSCHAP-V2 Authentication failure
>
> Thanks for the help.
> Raúl Tejeda
>
> ** Details: **
>
> Radius.cfg:
> ######################################################################################################
> ######################################################################################################
>
> # Basic radius configuration #
>
> # outer auth with just PEAP
> <Handler NAS-IP-Address="<WLC-IP>">
>         <AuthBy FILE>
>                 EAPType PEAP, MSCHAP-V2
>                 Filename %D/users-eap
>                EAPTLS_CAFile %D/certificados/CAxxx.pem
>                EAPTLS_CAPath %D/certificados
>                EAPTLS_CertificateFile %D/certificados/serverxxx.pem
>                EAPTLS_CertificateType PEM
>                EAPTLS_PrivateKeyFile %D/certificados/serverxxx.key
>                EAPTLS_MaxFragmentSize 500
>         </AuthBy>
> </Handler>
>
> # inner auth with MS-CHAP-V2
> <Handler NAS-IP-Address="<WLC-IP>",TunnelledByPEAP=1>
>         <AuthBy FILE>
>                 RewriteUsername s/(.*)\\(.*)/$2/
>                 EAPType MSCHAP-V2
>                 Filename %D/users
>                EAPTLS_CAFile %D/certificados/CAxxx.pem
>                EAPTLS_CertificateFile %D/certificados/serverxxx.pem
>                EAPTLS_CertificateType PEM
>                EAPTLS_PrivateKeyFile %D/certificados/serverxxx.key
>                EAPTLS_MaxFragmentSize 500
>         </AuthBy>
> </Handler>

you might want to do the following:

1. Swap the order of the two handlers so that the more specific TunneledByPEAP handler
    is checked first.  From looking at your logs it seems all requests go
    into your outer auth handler and thus into the wrong AuthBy FILE.

2. Drop the MSCHAP-V2 from your EAPType list in your outer auth handler.
    It is of no use there as there is no MSCHAP in the outer authentication.

3. Drop all the EAPTLS options from your inner auth as they are no use for MSCHAP.

4. Add identifiers to both handlers so you can more easily identify them in your logs.
    Something like  this for the outer handler

 	Identifier EAP-PEAP

    and this for the inner

 	Identifier EAP-MSCHAP-V2

This should get you a bit further. If it still does not work post the
new config and the appropriate log and we should see what is happening.

Greetings
Christian Kratzer
CK Software GmbH

-- 
Christian Kratzer                      CK Software GmbH
Email:   ck at cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer

More information about the radiator mailing list