[RADIATOR] EAP-PEAP-MSCAHCAPV and EAP-PEAP-TLS ( smartcard)
Vandenbroucke Luc
lvandenb at sckcen.be
Wed Jun 22 03:29:39 CDT 2011
I think the config below is fine now. ( And MSCAHCAPV means MSCHAP-V2... )
But I'm new to Radiator... So if anyone thinks I'm doing stupid things, please tell me before this goes into production.
The handler with EAPType=TLS is doing everything for the smartcards. I can even use a separate CA: the smartcard CA.
For Windows it handles automatic machine authentication (host/pcxxx.x.y) and user dom/username, with no realm,
and manual user input user@x.y with realm x.y (necessary for eduroam).
Does this work by accident, or is everything OK like this?
Specifying Realm= means Realm = NULL, I hope, and not Realm Default.
Regards
Luc Vandenbroucke
System Engineer
SCK-CEN
... config file
# Inner (tunnelled) MSCHAP-V2 authentication against the Windows domain via LSA.
<AuthBy LSA>
    Identifier LSASCK
    UsernameMatchesWithoutRealm
    DefaultDomain SCK.BE
    #Group Administrators
    EAPType MSCHAP-V2
    AddToReply Trapeze-VLAN-Name="guest"
</AuthBy>

# Outer PEAP/TTLS tunnel.
# Here I'm using a public CA and server certificate, for proxying through the eduroam network.
<AuthBy LSA>
    Identifier LSAPEAP
    EAPType PEAP,TTLS
    DefaultDomain SCK.BE
    EAPTLS_CAFile %D/certificates/Addtrust/AddTrustChain.pem
    EAPTLS_CertificateFile %D/certificates/radius.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certificates/radius.pvk
    EAPTLS_MaxFragmentSize 1000
    AutoMPPEKeys
    EAPTLS_PEAPVersion 0
    EAPTLS_PEAPBrokenV1Label
</AuthBy>

# Inner requests (inside the PEAP tunnel), with and without realm.
<Handler TunnelledByPEAP=1,Realm=sck.be>
    AuthBy LSASCK
</Handler>
# Empty realm when automatic login by Windows.
<Handler TunnelledByPEAP=1,Realm=>
    AuthBy LSASCK
</Handler>

# Outer PEAP requests, with and without realm.
<Handler EAPType=PEAP,Realm=>
    AuthBy LSAPEAP
</Handler>
<Handler EAPType=PEAP,Realm=sck.be>
    AuthBy LSAPEAP
</Handler>
....
# Windows smartcard authentication (EAP-TLS, no tunnel).
# I'm using an internal CA, and a server certificate from the same CA that provides the smartcards.
# This is only used internally, because no outside company will trust our CA, nor will they proxy our smartcard requests.
<Handler EAPType=TLS>
    Identifier HPEAPTLS
    <AuthBy FILE>
        Filename %D/users
        EAPType TLS
        # Client certificates are verified against the smartcard CA, not the public chain used for PEAP.
        EAPTLS_CAFile %D/certificates/sckCA/sckCA.pem
        EAPTLS_CertificateFile %D/certificates/pc2848.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/pc2848.pvk
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        EAPTLS_SessionResumption 0
        AddToReplyIfNotExist Trapeze-VLAN-Name="guest"
    </AuthBy>
</Handler>
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Vandenbroucke Luc
Sent: Tuesday 21 June 2011 13:51
To: 'radiator at open.com.au'
Subject: [RADIATOR] EAP-PEAP-MSCAHCAPV and EAP-PEAP-TLS ( smartcard)
Hi
I would like to make the config usable for both EAP-PEAP protocols on Windows 7:
smartcard certificate and MSCHAPv2.
Is it possible to use a different outer handler and different inner handlers?
I do have two configuration files successfully working, one for EAP-PEAP-TLS (using AuthBy FILE)
and the other EAP-PEAP-MSCHAP-V2 using AuthBy LSA.
I just don't succeed in putting them in one config (using the same realm).
Regards,
Luc Vandenbroucke
System Engineer
SCK*CEN Belgium
SCK-CEN Disclaimer: http://www.sckcen.be/en/Legal-aspects/E-mail-disclaimer
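The question in the thread is which <Handler> block a given User-Name ends up in, in particular whether "Realm=" really means "no realm". Below is an added example, written for this page and not part of the post or of Radiator itself: a small first-match simulator of the Handler selection in the posted config. It assumes what the post relies on: Handlers are tried in configuration order and the first one whose every attribute=value check matches wins; the realm is the text after the last "@" in User-Name and is empty when there is none; realm comparison is case-insensitive (an assumption, which is why the code lowercases it); and "Realm=" with an empty value matches only requests whose realm is empty. The per-request values EAPType and TunnelledByPEAP are supplied directly rather than derived from EAP messages, and the sample user names are constructed.

```python
"""First-match simulator for the <Handler ...> checks in the posted Radiator
config. Added example: not Radiator code, and the assumptions listed in the
comments below are the ones the thread relies on, not verified behaviour."""

from typing import Dict, List, Optional, Tuple

# Handler check lists copied from the posted config, in configuration order.
# Each entry: (attribute=value checks, AuthBy/Identifier it dispatches to).
HANDLERS: List[Tuple[Dict[str, str], str]] = [
    ({"TunnelledByPEAP": "1", "Realm": "sck.be"}, "LSASCK"),
    ({"TunnelledByPEAP": "1", "Realm": ""}, "LSASCK"),
    ({"EAPType": "PEAP", "Realm": ""}, "LSAPEAP"),
    ({"EAPType": "PEAP", "Realm": "sck.be"}, "LSAPEAP"),
    ({"EAPType": "TLS"}, "HPEAPTLS"),
]


def split_realm(user_name: str) -> Tuple[str, str]:
    """Return (user, realm).

    Assumption: the realm is whatever follows the last '@'; names without
    an '@' (host/pc..., DOMAIN\\user) therefore get the empty realm, which
    is what the post counts on for Windows machine and domain logins.
    The realm is lowercased on the assumption that matching is
    case-insensitive.
    """
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm.lower()
    return user_name, ""


def build_request(user_name: str, eap_type: str,
                  tunnelled: bool = False) -> Dict[str, str]:
    """Build the attribute view a Handler check would see for one request.

    eap_type is the EAP type of this request (outer: PEAP or TLS; inner
    PEAP leg: MSCHAP-V2). tunnelled=True marks an inner request, i.e. the
    one Radiator flags with TunnelledByPEAP=1.
    """
    _, realm = split_realm(user_name)
    request = {"User-Name": user_name, "EAPType": eap_type, "Realm": realm}
    if tunnelled:
        request["TunnelledByPEAP"] = "1"
    return request


def select_handler(request: Dict[str, str],
                   handlers: List[Tuple[Dict[str, str], str]] = HANDLERS
                   ) -> Optional[str]:
    """Return the target of the first Handler whose checks all match.

    A check against an attribute the request does not carry compares
    against '' (so 'Realm=' matches a realm-less request, and
    'TunnelledByPEAP=1' never matches an outer request). None means no
    Handler in the list matched.
    """
    for checks, target in handlers:
        if all(request.get(attr, "") == value for attr, value in checks.items()):
            return target
    return None


def demo() -> Dict[str, Optional[str]]:
    """Run the constructed sample identities from the thread through the table."""
    samples = [
        ("machine auth, inner", build_request("host/pc2848.sck.be", "MSCHAP-V2", True)),
        ("domain user, inner", build_request("SCK\\jdoe", "MSCHAP-V2", True)),
        ("manual user@realm, inner", build_request("jdoe@SCK.BE", "MSCHAP-V2", True)),
        ("machine auth, outer PEAP", build_request("host/pc2848.sck.be", "PEAP")),
        ("manual user@realm, outer PEAP", build_request("jdoe@sck.be", "PEAP")),
        ("smartcard, EAP-TLS", build_request("jdoe@sck.be", "TLS")),
        ("foreign eduroam realm, outer PEAP", build_request("visitor@other.example", "PEAP")),
    ]
    return {label: select_handler(req) for label, req in samples}


if __name__ == "__main__":
    for label, target in demo().items():
        print(f"{label:36s} -> {target}")
```

The last sample shows the limit of the Handlers quoted in the post: a foreign eduroam realm matches none of them, so whatever routes such requests onward must live in the parts of the config the post elides. Reordering HANDLERS and re-running demo() is a quick way to see that the order of the two TunnelledByPEAP Handlers relative to the EAPType=PEAP ones does not matter here only because the inner requests carry a different EAP type.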
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator