[RADIATOR] PEAP Unknown Problem
Heikki Vatiainen
hvn at open.com.au
Wed Feb 16 15:34:53 CST 2011
On 02/16/2011 07:58 PM, Raúl Tejeda Calero wrote:
> It looks better, but it doesn't work. Now the challenge passes through to the MSCHAP-V2 Handler, but it shows the same error message:
Christian already took care of most issues; I'll try to continue.
You are currently using RewriteUsername. That may cause problems if
Radiator and the client calculate MSCHAPv2 challenges and responses
using different (original and rewritten) usernames.
However, it looks like you are using mikem as the username and it does
not get changed. Or is mikem exactly what you use with your client? You
may try commenting out RewriteUsername while you do testing.
About your clients file: if you really had this:
mikem user-password = xxxxx
you would get an error since user-name is not written as User-Password.
The error would be something like this: "Check item user-password
expression 'password' does not match '' in request" for a line like this
in the users file:
mikem user-password = "password"
> ++++++++++++
> Handling request with Handler 'NAS-IP-Address="<WLC-IP>",TunnelledByPEAP=1', Identifier 'EAP-MSCHAP-V2'
> Deleting session for anonymous, <WLC-IP>, 13
> Handling with Radius::AuthFILE:
> Handling with EAP: code 2, 12, 60, 26
> Response type 26
> Rewrote identity to mikem
> Reading users file /etc/radiator/users
> Radius::AuthFILE looks for match with mikem [anonymous]
> Radius::AuthFILE ACCEPT: : mikem [anonymous]
> EAP result: 1, EAP MSCHAP-V2 Authentication failure
> AuthBy FILE result: REJECT, EAP MSCHAP-V2 Authentication failure
> Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
> +++++++++++++
>
> Regards,
> Raúl Tejeda
>
> Radius.cfg:
> ######################################################################################################
> ######################################################################################################
>
> #basic configuration
> # inner auth with MS-CHAP-V2
> <Handler NAS-IP-Address="<IP-WLC>",TunnelledByPEAP=1>
> Identifier EAP-MSCHAP-V2
> <AuthBy FILE>
> RewriteUsername s/(.*)\\(.*)/$2/
> EAPType MSCHAP-V2
> Filename %D/users
> # EAPTLS_CAFile %D/certificados/CA.pem
> # EAPTLS_CertificateFile %D/certificados/serv.pem
> # EAPTLS_CertificateType PEM
> # EAPTLS_PrivateKeyFile %D/certificados/serv.key
> # EAPTLS_MaxFragmentSize 500
> </AuthBy>
> </Handler>
>
> # outer auth with just PEAP
> <Handler NAS-IP-Address="<IP-WLC>">
> Identifier EAP-PEAP
> <AuthBy FILE>
> EAPType PEAP
> Filename %D/users-eap
> EAPTLS_CAFile %D/certificados/CA.pem
> EAPTLS_CAPath %D/certificados
> EAPTLS_CertificateFile %D/certificados/Serv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificados/Serv.key
> EAPTLS_MaxFragmentSize 500
> </AuthBy>
> </Handler>
>
>
> Log Detail:
>
> ######################################################################################################
> ######################################################################################################
>
> Wed Feb 16 18:19:58 2011: NOTICE: SIGTERM received: stopping
> Wed Feb 16 18:19:58 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Wed Feb 16 18:19:58 2011: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Wed Feb 16 18:19:58 2011: DEBUG: Creating authentication port <RAD-IP>:1812
> Wed Feb 16 18:19:58 2011: DEBUG: Creating accounting port <RAD-IP>:1813
> Wed Feb 16 18:19:58 2011: NOTICE: Server started: Radiator 4.7 on <RAD-SERV>
> Wed Feb 16 18:20:17 2011: DEBUG: Packet dump:
> *** Received from <WLC-IP> port 32768 ....
> Code: Access-Request
> Identifier: 122
> Authentic: <231>\*<142>f<141>O<224><176><206>k<183>{<212>K<27>
> Attributes:
> User-Name = "mikem"
> Calling-Station-Id = "<PC-MAC>"
> Called-Station-Id = "<WLC-MAC>:Prueba"
> NAS-Port = 13
> NAS-IP-Address = <WLC-IP>
> NAS-Identifier = "<WLC-1>"
> Airespace-WLAN-Id = 4
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 509
> EAP-Message = <2><2><0><10><1>mikem
> Message-Authenticator = <187><240><2><212><255><230><223><191><202><178>t<19>PA;<0>
>
> Wed Feb 16 18:20:17 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC-IP>"', Identifier 'EAP-PEAP'
> Wed Feb 16 18:20:17 2011: DEBUG: Deleting session for mikem, <WLC-IP>, 13
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with Radius::AuthFILE:
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with EAP: code 2, 2, 10, 1
> Wed Feb 16 18:20:17 2011: DEBUG: Response type 1
> Wed Feb 16 18:20:17 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Feb 16 18:20:17 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Wed Feb 16 18:20:17 2011: DEBUG: Access challenged for mikem: EAP PEAP Challenge
> Wed Feb 16 18:20:17 2011: DEBUG: Packet dump:
> *** Sending to <WLC-IP> port 32768 ....
> Code: Access-Challenge
> Identifier: 122
> Authentic: <2>j<251>)<2>J<207>MD<183><139>^4<138>K-
> Attributes:
> EAP-Message = <1><3><0><6><25>!
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Feb 16 18:20:17 2011: DEBUG: Packet dump:
> *** Received from <WLC-IP> port 32768 ....
> Code: Access-Request
> Identifier: 123
> Authentic: <6><184><200><17>g<18>a<231>X<203><239><161><138><174>"<159>
> Attributes:
> User-Name = "mikem"
> Calling-Station-Id = "<PC-MAC>"
> Called-Station-Id = "<WLC-MAC>:Prueba"
> NAS-Port = 13
> NAS-IP-Address = <WLC-IP>
> NAS-Identifier = "<WLC-1>"
> Airespace-WLAN-Id = 4
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 509
> Message-Authenticator = <149>y<167><16><170>S6<252><134><223><140><178><246><228><205><143>
>
> Wed Feb 16 18:20:17 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC-IP>"', Identifier 'EAP-PEAP'
> Wed Feb 16 18:20:17 2011: DEBUG: Deleting session for mikem, <WLC-IP>, 13
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with Radius::AuthFILE:
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with EAP: code 2, 3, 87, 25
> Wed Feb 16 18:20:17 2011: DEBUG: Response type 25
> Wed Feb 16 18:20:17 2011: DEBUG: EAP TLS SSL_accept result: -1, 2, 8576
> Wed Feb 16 18:20:17 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Feb 16 18:20:17 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Wed Feb 16 18:20:17 2011: DEBUG: Access challenged for mikem: EAP PEAP Challenge
> Wed Feb 16 18:20:17 2011: DEBUG: Packet dump:
> *** Sending to <WLC-IP> port 32768 ....
> Code: Access-Challenge
> Identifier: 123
> Authentic: <27><147><240>De<225>Db<156><207>><24>;<191><141><132>
> Attributes:
> EAP-Message = <211><157><150><226>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>
>
> Wed Feb 16 18:20:17 2011: DEBUG: Packet dump:
> *** Received from <WLC-IP> port 32768 ....
> Code: Access-Request
> Identifier: 129
> Authentic: [<144>6<185> y<21><7><140><<217><155>@<128><13><213>
> Attributes:
> User-Name = "mikem"
> Calling-Station-Id = "<PC-MAC>"
> Called-Station-Id = "<WLC-MAC>:Prueba"
> NAS-Port = 13
> NAS-IP-Address = <WLC-IP>
> NAS-Identifier = "<WLC-1>"
> Airespace-WLAN-Id = 4
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 509
> Message-Authenticator = <240><196><24><154>[<132><229><30><7><197><144><212><7>4<131>/
>
> Wed Feb 16 18:20:17 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC-IP>"', Identifier 'EAP-PEAP'
> Wed Feb 16 18:20:17 2011: DEBUG: Deleting session for mikem, <WLC-IP>, 13
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with Radius::AuthFILE:
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with EAP: code 2, 9, 192, 25
> Wed Feb 16 18:20:17 2011: DEBUG: Response type 25
> Wed Feb 16 18:20:17 2011: DEBUG: EAP TLS SSL_accept result: 1, 0, 3
> Wed Feb 16 18:20:17 2011: DEBUG: EAP result: 3, EAP PEAP Challenge
> Wed Feb 16 18:20:17 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
> Wed Feb 16 18:20:17 2011: DEBUG: Access challenged for mikem: EAP PEAP Challenge
> Wed Feb 16 18:20:17 2011: DEBUG: Packet dump:
> *** Sending to <WLC-IP> port 32768 ....
> Code: Access-Challenge
> Identifier: 129
> Authentic: <149><227><231>?<192>9d<23>4<139>[B&<133>-<194>
> Attributes:
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
>
>
> Wed Feb 16 18:20:17 2011: DEBUG: Packet dump:
> *** Received from <WLC-IP> port 32768 ....
> Code: Access-Request
> Identifier: 131
> Authentic: <150>6<187>S<140><0>r<187><233><174><230><241><242>?<24>0
> Attributes:
> User-Name = "mikem"
> Calling-Station-Id = "<PC-MAC>"
> Called-Station-Id = "<WLC-MAC>:Prueba"
> NAS-Port = 13
> NAS-IP-Address = <WLC-IP>
> NAS-Identifier = "<WLC-1>"
> Airespace-WLAN-Id = 4
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 509
> EAP-Message = <2><11><0>!<25><0><23><3><1><0><22><160><216><196><168><187>.<205><227>o8<4><214>i<234><198>yw<143><194><136>]j
> Message-Authenticator = <183>[qp<3>J[<218>re<7>&<143><171><209><146>
>
> Wed Feb 16 18:20:17 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC-IP>"', Identifier 'EAP-PEAP'
> Wed Feb 16 18:20:17 2011: DEBUG: Deleting session for mikem, <WLC-IP>, 13
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with Radius::AuthFILE:
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with EAP: code 2, 11, 33, 25
> Wed Feb 16 18:20:17 2011: DEBUG: Response type 25
> Wed Feb 16 18:20:17 2011: DEBUG: EAP PEAP inner authentication request for anonymous
> Wed Feb 16 18:20:17 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: @<137><147>9<1><242><234>@<9>k<215>a<242><133><6>R
> Attributes:
> EAP-Message = <2><11><0><6><1>mikem
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = <WLC-IP>
> NAS-Identifier = "<WLC-1>"
> NAS-Port = 13
> Calling-Station-Id = "<PC-MAC>"
> User-Name = "anonymous"
>
> Wed Feb 16 18:20:17 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC-IP>",TunnelledByPEAP=1', Identifier 'EAP-MSCHAP-V2'
> Wed Feb 16 18:20:17 2011: DEBUG: Deleting session for anonymous, <WLC-IP>, 13
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with Radius::AuthFILE:
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with EAP: code 2, 11, 6, 1
> Wed Feb 16 18:20:17 2011: DEBUG: Response type 1
> Wed Feb 16 18:20:17 2011: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Wed Feb 16 18:20:17 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP MSCHAP-V2 Challenge
> Wed Feb 16 18:20:17 2011: DEBUG: Access challenged for anonymous: EAP MSCHAP-V2 Challenge
> Wed Feb 16 18:20:17 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Challenge
> Identifier: UNDEF
> Authentic: @<137><147>9<1><242><234>@<9>k<215>a<242><133><6>R
> Attributes:
> EAP-Message = <1><12><0>'<26><1><12><0>"<16>@<18>N<3><11>;<247><26><162>w0<3><167>3<223><203><RAD-SERV>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Feb 16 18:20:17 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Wed Feb 16 18:20:17 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Wed Feb 16 18:20:17 2011: DEBUG: Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
> Wed Feb 16 18:20:17 2011: DEBUG: Packet dump:
> *** Sending to <WLC-IP> port 32768 ....
> Code: Access-Challenge
> Identifier: 131
> Authentic: <230>9<243><16>0k<227>F<166><249><241><221><9><204><168>6
> Attributes:
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Feb 16 18:20:17 2011: DEBUG: Packet dump:
> *** Received from <WLC-IP> port 32768 ....
> Code: Access-Request
> Identifier: 132
> Authentic: <6><3><184>0E<218><249>^/1<191>u<214><253>d<216>
> Attributes:
> User-Name = "mikem"
> Calling-Station-Id = "<PC-MAC>"
> Called-Station-Id = "<WLC-MAC>:Prueba"
> NAS-Port = 13
> NAS-IP-Address = <WLC-IP>
> NAS-Identifier = "<WLC-1>"
> Airespace-WLAN-Id = 4
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 509
> Message-Authenticator = <254><179><143><235><1>{Gt<220>H<136><132>$<184>KZ
>
> Wed Feb 16 18:20:17 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC-IP>"', Identifier 'EAP-PEAP'
> Wed Feb 16 18:20:17 2011: DEBUG: Deleting session for mikem, <WLC-IP>, 13
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with Radius::AuthFILE:
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with EAP: code 2, 12, 87, 25
> Wed Feb 16 18:20:17 2011: DEBUG: Response type 25
> Wed Feb 16 18:20:17 2011: DEBUG: EAP PEAP inner authentication request for anonymous
> Wed Feb 16 18:20:17 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <221>b<24><150>N}n-<159><245><25> <216><216><199>H
> Attributes:
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = <WLC-IP>
> NAS-Identifier = "<WLC-1>"
> NAS-Port = 13
> Calling-Station-Id = "<PC-MAC>"
> User-Name = "anonymous"
>
> Wed Feb 16 18:20:17 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC-IP>",TunnelledByPEAP=1', Identifier 'EAP-MSCHAP-V2'
> Wed Feb 16 18:20:17 2011: DEBUG: Deleting session for anonymous, <WLC-IP>, 13
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with Radius::AuthFILE:
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with EAP: code 2, 12, 60, 26
> Wed Feb 16 18:20:17 2011: DEBUG: Response type 26
> Wed Feb 16 18:20:17 2011: DEBUG: Rewrote identity to mikem
> Wed Feb 16 18:20:17 2011: DEBUG: Reading users file /etc/radiator/users
> Wed Feb 16 18:20:17 2011: DEBUG: Radius::AuthFILE looks for match with mikem [anonymous]
> Wed Feb 16 18:20:17 2011: DEBUG: Radius::AuthFILE ACCEPT: : mikem [anonymous]
> Wed Feb 16 18:20:17 2011: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Wed Feb 16 18:20:17 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP-V2 Authentication failure
> Wed Feb 16 18:20:17 2011: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
> Wed Feb 16 18:20:17 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Reject
> Identifier: UNDEF
> Authentic: <221>b<24><150>N}n-<159><245><25> <216><216><199>H
> Attributes:
> EAP-Message = <4><12><0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
> Wed Feb 16 18:20:17 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Wed Feb 16 18:20:17 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Wed Feb 16 18:20:17 2011: DEBUG: Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
> Wed Feb 16 18:20:17 2011: DEBUG: Packet dump:
> *** Sending to <WLC-IP> port 32768 ....
> Code: Access-Challenge
> Identifier: 132
> Authentic: <129>[<213><243><188><140><211><137><151>n\<8><170><8><232>v
> Attributes:
> EAP-Message = <1><13><0>&<25><0><23><3><1><0><27><142><161>LC<17>Mf<13>z<223>s'f<169>m<243><31>p<3><176><238>%<228><1><13>E<214>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Feb 16 18:20:17 2011: DEBUG: Packet dump:
> *** Received from <WLC-IP> port 32768 ....
> Code: Access-Request
> Identifier: 133
> Authentic: <&,<153><12>#J<149><224><205>m<195><157>O]<255>
> Attributes:
> User-Name = "mikem"
> Calling-Station-Id = "<PC-MAC>"
> Called-Station-Id = "<WLC-MAC>:Prueba"
> NAS-Port = 13
> NAS-IP-Address = <WLC-IP>
> NAS-Identifier = "<WLC-1>"
> Airespace-WLAN-Id = 4
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 509
> EAP-Message = <2><13><0>&<25><0><23><3><1><0><27>$<146><203>O<132><10><166><202>5<12>=<173><31><155><17><213><27><205><235><242>m<156><2>sU9:
> Message-Authenticator = :<19>e<28><248><178><134><127><225><13><192><236>m<149><8><241>
>
> Wed Feb 16 18:20:17 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC-IP>"', Identifier 'EAP-PEAP'
> Wed Feb 16 18:20:17 2011: DEBUG: Deleting session for mikem, <WLC-IP>, 13
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with Radius::AuthFILE:
> Wed Feb 16 18:20:17 2011: DEBUG: Handling with EAP: code 2, 13, 38, 25
> Wed Feb 16 18:20:17 2011: DEBUG: Response type 25
> Wed Feb 16 18:20:17 2011: DEBUG: EAP result: 1, PEAP Authentication Failure
> Wed Feb 16 18:20:17 2011: DEBUG: AuthBy FILE result: REJECT, PEAP Authentication Failure
> Wed Feb 16 18:20:17 2011: INFO: Access rejected for mikem: PEAP Authentication Failure
> Wed Feb 16 18:20:17 2011: DEBUG: Packet dump:
> *** Sending to <WLC-IP> port 32768 ....
> Code: Access-Reject
> Identifier: 133
> Authentic: <139><15>:<199><235><158>(<143><131><134><189><152> 6L<217>
> Attributes:
> EAP-Message = <4><13><0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
>
> ######################################################################################################
> ######################################################################################################
>
> ________________________________________
> From: Christian Kratzer [ck at cksoft.de]
> Sent: Wednesday, 16 February 2011 16:36
> To: Raúl Tejeda Calero
> CC: radiator at open.com.au
> Subject: Re: [RADIATOR] PEAP Unknown Problem
>
> Hi,
>
> On Wed, 16 Feb 2011, Raúl Tejeda Calero wrote:
>
>> Hi,
>>
>> I'm still having problems with my PEAP-MSCHAP-V2 configuration.
>>
>> But the problem seems more complex this time and I'm not sure I understand the process.
>>
>> The log shows this:
>>
>> Schema:
>> 1) EAPChallenge for mikem
>> 2) Access challenged for anonymous: EAP PEAP Challenge
>> 3) Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
>> 4) EAP PEAP inner authentication request for anonymous
>> 5) Access challenged for anonymous: EAP MSCHAP-V2 Challenge
>> 6) Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
>> 7) Radius::AuthFILE looks for match with mikem [anonymous]
>> Radius::AuthFILE ACCEPT: : mikem [anonymous]
>> EAP result: 1, EAP MSCHAP-V2 Authentication failure
>>
>> Thanks for the help.
>> Raúl Tejeda
>>
>> ** Details: **
>>
>> Radius.cfg:
>> ######################################################################################################
>> ######################################################################################################
>>
>> # Basic radius configuration #
>>
>> # outer auth with just PEAP
>> <Handler NAS-IP-Address="<WLC-IP>">
>> <AuthBy FILE>
>> EAPType PEAP, MSCHAP-V2
>> Filename %D/users-eap
>> EAPTLS_CAFile %D/certificados/CAxxx.pem
>> EAPTLS_CAPath %D/certificados
>> EAPTLS_CertificateFile %D/certificados/serverxxx.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile %D/certificados/serverxxx.key
>> EAPTLS_MaxFragmentSize 500
>> </AuthBy>
>> </Handler>
>>
>> # inner auth with MS-CHAP-V2
>> <Handler NAS-IP-Address="<WLC-IP>",TunnelledByPEAP=1>
>> <AuthBy FILE>
>> RewriteUsername s/(.*)\\(.*)/$2/
>> EAPType MSCHAP-V2
>> Filename %D/users
>> EAPTLS_CAFile %D/certificados/CAxxx.pem
>> EAPTLS_CertificateFile %D/certificados/serverxxx.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile %D/certificados/serverxxx.key
>> EAPTLS_MaxFragmentSize 500
>> </AuthBy>
>> </Handler>
>
> you might want to do the following:
>
> 1. Swap the order of the two handlers so that the more specific TunnelledByPEAP handler
> is checked first. From looking at your logs it seems all requests go
> into your outer auth handler and thus into the wrong AuthBy FILE.
>
> 2. Drop the MSCHAP-V2 from your EAPType list in your outer auth handler.
> It is of no use there as there is no MSCHAP in the outer authentication.
>
> 3. Drop all the EAPTLS options from your inner auth as they are no use for MSCHAP.
>
> 4. Add identifiers to both handlers so you can more easily identify them in your logs.
> Something like this for the outer handler
>
> Identifier EAP-PEAP
>
> and this for the inner
>
> Identifier EAP-MSCHAP-V2
>
> This should get you a bit further. If it still does not work post the
> new config and the appropriate log and we should see what is happening.
>
> Greetings
> Christian Kratzer
> CK Software GmbH
>
> --
> Christian Kratzer CK Software GmbH
> Email: ck at cksoft.de Wildberger Weg 24/2
> Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
> Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
> Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
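Two points from this thread lend themselves to a small model: Christian's remark that Radiator dispatches a request to the first Handler whose check items all match (so a Handler that only checks NAS-IP-Address also catches the tunnelled request if it is listed first), and Heikki's caveat that RewriteUsername can make Radiator derive the MS-CHAP-V2 challenge from a different user name than the client used. The following Python is an added illustration, not Radiator code and not from anyone in the thread. It models handler selection as a first-match search over check items, and it implements the ChallengeHash step of RFC 2759 section 8.2, which is where the user name enters the MS-CHAP-V2 computation. The handler identifiers and the `<WLC-IP>` placeholder are taken from the thread; the challenge bytes and the `EXAMPLE\mikem` name are constructed for the example.

```python
"""Added example: first-match Handler selection and the RFC 2759 ChallengeHash.

Neither function is Radiator's own code; they model the behaviour the thread
discusses so the two failure modes can be checked on the command line.
"""
import hashlib
import re

# --- 1. first-match Handler selection ---------------------------------------

def select_handler(handlers, request):
    """Return the Identifier of the first handler whose check items all match.

    handlers: list of (identifier, {attribute: value}) in configuration order.
    request:  {attribute: value} for the (possibly tunnelled) request.
    A handler with fewer check items is less specific and matches more requests.
    """
    for identifier, checks in handlers:
        if all(request.get(attr) == value for attr, value in checks.items()):
            return identifier
    return None

# Constructed handler lists mirroring the two orderings in the thread.
OUTER_FIRST = [
    ("EAP-PEAP",      {"NAS-IP-Address": "<WLC-IP>"}),
    ("EAP-MSCHAP-V2", {"NAS-IP-Address": "<WLC-IP>", "TunnelledByPEAP": 1}),
]
INNER_FIRST = list(reversed(OUTER_FIRST))

# Constructed requests: the outer PEAP request and the inner tunnelled one.
OUTER_REQUEST = {"NAS-IP-Address": "<WLC-IP>", "User-Name": "mikem"}
INNER_REQUEST = {"NAS-IP-Address": "<WLC-IP>", "User-Name": "anonymous",
                 "TunnelledByPEAP": 1}

# --- 2. the MS-CHAP-V2 user name must be the same on both sides -------------

def rewrite_username(name):
    """Python equivalent of RewriteUsername s/(.*)\\(.*)/$2/ from the config:
    keep whatever follows the last backslash, i.e. strip a DOMAIN\\ prefix.
    Names without a backslash are returned unchanged."""
    return re.sub(r"(.*)\\(.*)", r"\2", name)

def challenge_hash(peer_challenge, authenticator_challenge, username):
    """RFC 2759 section 8.2 ChallengeHash(): the first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    digest = hashlib.sha1(peer_challenge + authenticator_challenge
                          + username.encode("utf-8")).digest()
    return digest[:8]

def challenges_agree(client_username, server_username,
                     peer_challenge, authenticator_challenge):
    """True only if client and server derive the same 8-octet challenge.
    If they differ, the NT-Response cannot verify, whatever the password is."""
    return (challenge_hash(peer_challenge, authenticator_challenge, client_username)
            == challenge_hash(peer_challenge, authenticator_challenge, server_username))

if __name__ == "__main__":
    print("outer first, tunnelled request ->", select_handler(OUTER_FIRST, INNER_REQUEST))
    print("inner first, tunnelled request ->", select_handler(INNER_FIRST, INNER_REQUEST))
    peer, auth = bytes(range(16)), bytes(range(16, 32))   # constructed challenges
    sent = "EXAMPLE\\mikem"                                # constructed client name
    print("rewritten name:", rewrite_username(sent))
    print("client hashed", repr(sent), "server hashed", repr(rewrite_username(sent)),
          "-> agree:", challenges_agree(sent, rewrite_username(sent), peer, auth))
    print("both sides 'mikem' -> agree:", challenges_agree("mikem", "mikem", peer, auth))
```

With the outer Handler listed first the tunnelled request is dispatched to EAP-PEAP, which is what Christian saw in the earlier log; swapping the order sends it to EAP-MSCHAP-V2. The second part shows the precondition behind Heikki's advice to test without RewriteUsername: the 8-octet challenge, and hence the NT-Response, is tied to the exact user name string, so the name Radiator hashes has to be the one the client hashed.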