[RADIATOR] FW: ] RADIATOR: EAP-FAST-MSCHAPv2
Sudhir Harwalkar
Sudhir.Harwalkar at lnties.com
Wed Apr 18 00:28:59 CDT 2012
Observing same error after restarting the radius server and using the DB. So I think Radius server is remembering the PAC for this reason it's not getting authenticated.
Regards
Sudhir H
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Sudhir Harwalkar
Sent: Wednesday, April 18, 2012 10:38 AM
To: Heikki Vatiainen
Cc: radiator at open.com.au
Subject: [RADIATOR] ] RADIATOR: EAP-FAST-MSCHAPv2
Hi Heiki,
Still I am not clear about the working of EAP-FAST with MSCHAPv2.
In this case:
Whenever I flash the code to the device(client), its generating the new PAC with this radius server and the client are authenticated successfully.
If I restart the radius server means by pressing ctrl+c it stop the radius sever and again I run the same config file, at that time PAC key is same and authentication is failing.
As radius server is remembering the key so it's not authenticated is this true?, if not when I restart the server it should authenticate right because for radius server it's a new PAC key that's not happening here.
Note: My device(client) will generate new PAC whenever flash the code.
Regards
Sudhir H
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Heikki Vatiainen
Sent: Wednesday, April 18, 2012 3:08 AM
To: radiator at open.com.au
Subject: Re: [RADIATOR] RADIATOR: EAP-FAST-MSCHAPv2
On 04/17/2012 01:29 PM, Sudhir Harwalkar wrote:
>
> Because previously it was working fine without any modification from client side, does modification in EAP_43.pm is affecting for authentication?
> From the client log its failing after username and Pw. See the screen shot of the client log.
The change in EAP_43.pm does one thing. If Server-Unauthenticated provisioning is done, instead of requiring just one ciphersuite
(TLS_DH_anon_WITH_AES_128_CBC_SHA) the mode is entered when this ciphersuite is present with possible other suites. One such suite is TLS_EMPTY_RENEGOTIATION_INFO_SCSV from RFC 5746.
If you want to go back to EAP_43.pm, just take it from Radiator distribution and copy it over to any existing EAP_43.pm you have in your system.
The PAC provisioning is not affected and using SQL (SQLite in your case) for storing the PAC does not change how it is generated and provisioned.
You should experiment with your client and see its logs for why it does not work. The configuration I returned to you was working and tested fine here.
Thanks!
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Larsen & Toubro Limited
www.larsentoubro.com
This Email may contain confidential or privileged information for the intended recipient (s) If you are not the intended recipient, please do not use or disseminate the information, notify the sender and delete it from your system.
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Larsen & Toubro Limited
www.larsentoubro.com
This Email may contain confidential or privileged information for the intended recipient (s) If you are not the intended recipient, please do not use or disseminate the information, notify the sender and delete it from your system.
More information about the radiator
mailing list