[RADIATOR] FW: FW: RADIATOR: EAP-FAST-MSCHAPv2

Heikki Vatiainen hvn at open.com.au
Mon Apr 16 13:22:03 CDT 2012


On 04/16/2012 06:02 PM, Sudhir Harwalkar wrote:
> Please check whether the modification in the config (eap_fast.cfg) file is correct or not, because it is still not authenticated; DBI drivers are already installed.

Try with the attached configuration file. The changes are:
- Enabled <Handler TunnelledByFAST=1> so that you can keep the users in
a file while keeping PACs in SQL
- Changed SQLite db file location to c:/Program Files/Radiator/pacdb.sqlite

You need to create c:/Program Files/Radiator/pacdb.sqlite with the
following command:
sqlite3.exe -init pac.sql c:/Program Files/Radiator/pacdb.sqlite

This will create an empty db file with the appropriate structure for
EAP-FAST.

When you test with the client the log will show how Radiator creates the
PAC and reads it from the db file. You can now stop radiusd without
losing PAC information.

Thanks!
Heikki


> Regards
> Sudhir H
> 
> -----Original Message-----
> From: Sudhir Harwalkar
> Sent: Monday, April 16, 2012 4:33 PM
> To: 'Heikki Vatiainen'
> Cc: radiator at open.com.au
> Subject: RE: [RADIATOR] FW: FW: RADIATOR: EAP-FAST-MSCHAPv2
> 
> As per your comment, I made changes for EAP-FAST MSCHAPv2. If I enable AuthBy SQL, it's giving me an error for User Filename: ERR: Unknown keyword 'Filename' in c:\Radiator\Radiator-Locked-4.9\goodies\eap_fast.cfg line 51
> 
> Please see the config file and sql.cfg file.
> 
> Regards
> Sudhir H
> 
> -----Original Message-----
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
> Sent: Monday, April 16, 2012 2:39 PM
> To: radiator at open.com.au
> Subject: Re: [RADIATOR] FW: FW: RADIATOR: EAP-FAST-MSCHAPv2
> 
> On 04/16/2012 11:12 AM, Sudhir Harwalkar wrote:
> 
>> 1. Please guide me how to keep PACs in memory, what are all the changes I need to make in config files.
> 
> You need to change the Handler for outer EAP-FAST authentication to use AuthBy SQL. See goodies/sql.cfg and look for CreateEAPFastPACQuery and GetEAPFastPACQuery.
> 
> For definition of the single table that is needed, see goodies/mysqlCreate.sql. The table is EAPFAST_PAC.
> 
> MySQL is not required, it is just used for an example. You could try SQLite for a simple file based DB. http://www.sqlite.org/download.html
> 
> You can keep all EAPTLS_* settings the same as they are now when setting up AuthBy SQL.
> 
>> 2. I tried to authenticate with EAP-TLS, as I was seeing the Access challenge message only and I haven't found any error in that case; please find the log and config files for this.
> 
> The log shows two different messages:
> 1. EAP Identity from your client
> 2. EAP-TLS start from Radiator
> 
> The client then resends the identity. Check the client settings. It seems not to accept EAP-TLS or is otherwise incorrectly configured. Note that at some point you need to configure the client to trust the CA certificate in certificates/demoCA/cacert.pem
> 
> Thanks!
> Heikki
> 
> 
>> Regards
>> Sudhir H
>>
>> -----Original Message-----
>> From: radiator-bounces at open.com.au
>> [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
>> Sent: Friday, April 13, 2012 6:00 PM
>> To: radiator at open.com.au
>> Subject: Re: [RADIATOR] FW: RADIATOR: EAP-FAST-MSCHAPv2
>>
>> On 04/12/2012 04:14 PM, Sudhir Harwalkar wrote:
>>
>>> 1. Whenever I flash the new code to the device it's generating a new PAC key, and at that time it's getting authenticated with the server.
>>>      If PACs are gone after a restart, but our device is generating the same and sending it to the server, so it should authenticate; why is that not happening here?
>>
>> If the server has lost its PACs, the client PACs are useless. It is the server that decides if the PAC is valid. If the server refuses the PAC the client sends, then a new PAC needs to be provisioned to the client. That is my take on how this should work.
>>
>>> 2. For EAP-TLS I took the CA Certificate from C:\Radiator\Radiator-Locked-4.9\certificates\demoCA\cacert.pem and for the Client I used C:\Radiator\Radiator-Locked-4.9\certificates\cert-clt.pem; are these the correct files that I am using?
>>
>> Yes. See goodies/eap_tls.cfg for an example of EAP-TLS configuration.
>>
>> Heikki
>>
>>
>>> Sudhir H
>>>
>>> -----Original Message-----
>>> From: Heikki Vatiainen [mailto:hvn at open.com.au]
>>> Sent: Thursday, April 12, 2012 2:52 PM
>>> To: Sudhir Harwalkar
>>> Subject: Re: FW: [RADIATOR] FW: RADIATOR: EAP-FAST-MSCHAPv2
>>>
>>> On 04/12/2012 09:25 AM, Sudhir Harwalkar wrote:
>>>
>>>> Thanks for helping me Heikki. When I flash the new code, then start the radius server, it's working fine; after that I restarted the radius server and powered on the device, then it's not authenticated.
>>>> Again I flashed the code and verified it's working fine.
>>>
>>> Ok. Good to hear it works.
>>>
>>>> Problem arises only if I restart the radius server.
>>>> This should not happen, right?
>>>
>>> By default Radiator keeps PACs in memory and they are gone after a restart. There is a possibility to keep them in SQL so that they survive across reboots.
>>>
>>> Heikki
>>>
>>>
>>>
>>>
>>> Larsen & Toubro Limited
>>>
>>> www.larsentoubro.com
>>>
>>> This Email may contain confidential or privileged information for the intended recipient (s) If you are not the intended recipient, please do not use or disseminate the information, notify the sender and delete it from your system.
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>> --
>> Heikki Vatiainen <hvn at open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> 
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
-------------- next part --------------
# eap_fast.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with 
# EAP FAST authentication
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: eap_fast.cfg,v 1.2 2010/02/05 01:34:55 mikem Exp $

Foreground
LogStdout
LogDir C:/Program Files/Radiator/
DbDir	C:/Program Files/Radiator/
# Use a lower trace level in production systems:
Trace 		4

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
#<Client DEFAULT>
AuthPort 1812
AcctPort 1813
<Client 192.168.32.78>

#Secret	mysecret
Secret	GSDEMO12
#DupInterval 0
</Client>

<Handler TunnelledByFAST=1>
	<AuthBy FILE>
		Filename %D/users

		# This tells the FAST client what types of inner EAP requests
		# we will honour
		EAPType MSCHAP-V2,Generic-Token
		# Required for all EAP-FAST
		AutoMPPEKeys
	</AuthBy>
</Handler>

<Handler>
	#<AuthBy FILE>
	<AuthBy SQL>

		#DBSource        dbi:SQLite:dbname=/path/to/pacdb.sqlite
		#DBSource        dbi:SQLite:a.db=c:/WINDOWS/system32/sqlite-dll-win32-x86-3071100
		DBSource        dbi:SQLite:dbname=c:/Program Files/Radiator/pacdb.sqlite
		
		# Filename is not a valid keyword inside AuthBy SQL (it is what
		# produced "Unknown keyword 'Filename'"). The users file is read
		# by the AuthBy FILE in the TunnelledByFAST Handler above; this
		# AuthBy only handles the outer EAP-FAST and the PACs in SQL.

		# EAPType sets the EAP type(s) that Radiator will honour.
		# We are happy to handle EAP-MSCHAPV2 and Generic-Token,
		# inside EAP-FAST
		EAPType FAST,MSCHAP-V2,Generic-Token
		#EAPType FAST,Generic-Token
				
		# Required for all EAP-FAST
		AutoMPPEKeys

		# EAP-FAST requires a Diffie-Hellman parameters
		# file to be precomputed and available
		# to the server. Odyssey Client will only accept the 2048 bit
		# RFC3526 MODP group
		#EAPTLS_DHFile %D/certificates/dh2048.pem
		EAPTLS_DHFile C:/Radiator/Radiator-Locked-4.9/certificates/dh2048.pem


		# You can control the maximum lifetime of PACS provisioned by 
		# Radiator, and also when a PAC must be reprovisioned.
		# PACs older than EAPFAST_PAC_Lifetime will not be used. PACS
		# with less than EAPFAST_PAC_Reprovision seconds left in their
		# lifetime will be reprovisioned
		# Times are in seconds. PACS are cached in memory, so
		# a restart of Radiator will cause all EAP-FAST PACS to be
		# reprovisioned on next authentication. Defaults to 90 days
		# and 30 days.
		#EAPFAST_PAC_Lifetime 7776000
		#EAPFAST_PAC_Reprovision 2592000

		# Some clients (notably Cisco SSC) fall back to certificate
		# based authentication under some circumstances, so you will
		# also need these TLS certificate details:
		#EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
		#EAPTLS_CertificateFile %D/certificates/cert-srv.pem
		#EAPTLS_CertificateType PEM
		#EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
		#EAPTLS_PrivateKeyPassword whatever

		EAPTLS_CAFile C:/Radiator/Radiator-Locked-4.9/certificates/demoCA/cacert.pem
		EAPTLS_CertificateFile C:/Radiator/Radiator-Locked-4.9/certificates/cert-srv.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile C:/Radiator/Radiator-Locked-4.9/certificates/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever

		CreateEAPFastPACQuery insert into EAPFAST_PAC (PAC_OPAQUE, PAC_LIFETIME, PAC_KEY) values ('%0', '%1', '%2')
		GetEAPFastPACQuery select PAC_LIFETIME, PAC_KEY from EAPFAST_PAC where PAC_OPAQUE='%0' and PAC_LIFETIME >= %1

	</AuthBy>
</Handler>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pac.sql
Type: text/x-sql
Size: 496 bytes
Desc: not available
Url : http://www.open.com.au/pipermail/radiator/attachments/20120416/d05bc361/attachment.bin 
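The PAC table and the two queries from the attached eap_fast.cfg, worked through against SQLite in Python. This is an added example, not part of the thread or of Radiator itself; the table DDL, the helper names and the reading of PAC_LIFETIME as an absolute Unix expiry time are assumptions, since pac.sql is not reproduced above.

```python
import sqlite3
import tempfile

# Minimal EAPFAST_PAC table. Column names come from the queries in eap_fast.cfg;
# the DDL is an assumption (the thread points at goodies/mysqlCreate.sql instead).
CREATE_TABLE = """CREATE TABLE IF NOT EXISTS EAPFAST_PAC (
    PAC_OPAQUE   TEXT PRIMARY KEY,
    PAC_LIFETIME INTEGER NOT NULL,
    PAC_KEY      TEXT NOT NULL)"""

# The two queries from eap_fast.cfg, with Radiator's %0/%1/%2 placeholders
# replaced by bound parameters so values are never spliced into the SQL text.
CREATE_PAC = ("INSERT INTO EAPFAST_PAC (PAC_OPAQUE, PAC_LIFETIME, PAC_KEY) "
              "VALUES (?, ?, ?)")
GET_PAC = ("SELECT PAC_LIFETIME, PAC_KEY FROM EAPFAST_PAC "
           "WHERE PAC_OPAQUE = ? AND PAC_LIFETIME >= ?")
DAY = 86400

def open_pac_db(path):
    """Open or create the PAC db, like 'sqlite3.exe -init pac.sql <file>'."""
    conn = sqlite3.connect(path)
    conn.execute(CREATE_TABLE)
    conn.commit()
    return conn

def store_pac(conn, pac_opaque, pac_key, expires_at):
    """CreateEAPFastPACQuery. PAC_LIFETIME is assumed to be an absolute Unix
    expiry time, which is what the '>= %1' test in the Get query implies."""
    conn.execute(CREATE_PAC, (pac_opaque, expires_at, pac_key))
    conn.commit()

def lookup_pac(conn, pac_opaque, now):
    """GetEAPFastPACQuery: (lifetime, key) for a live PAC, None if unknown or expired."""
    return conn.execute(GET_PAC, (pac_opaque, now)).fetchone()

def restart_survival_demo():
    """Provision a PAC, close the db (radiusd stops), reopen it (radiusd starts
    again) and check the PAC is still usable, but not once its lifetime has passed."""
    path = tempfile.mkdtemp() + "/pacdb.sqlite"
    now = 1334581323                      # constructed clock, about the thread's date
    opaque, key = "0a0b0c0d", "deadbeef"  # constructed placeholder PAC values
    conn = open_pac_db(path)
    store_pac(conn, opaque, key, now + 90 * DAY)  # Radiator's default 90 day lifetime
    conn.close()                                  # radiusd stops
    conn = open_pac_db(path)                      # radiusd starts again
    live = lookup_pac(conn, opaque, now)
    expired = lookup_pac(conn, opaque, now + 91 * DAY)
    conn.close()
    return live, expired
```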

