[RADIATOR] EAP result: 1, EAP authentication is not permitted.

Garth Ladlow GLadlow at Austar.com.au
Thu Jun 21 02:08:15 CDT 2012


Have searched the mailing lists and the web to no avail and it's driving me nuts, trying to set up an 802.1x wired solution.

Hoping someone can point me in the right direction for the error: EAP result: 1, EAP authentication is not permitted.

Thu Jun 21 17:01:28 2012: DEBUG: Packet dump:
*** Received from 172.22.220.253 port 1645 ....
Code:       Access-Request
Identifier: 186
Authentic:  B<211>/<133>xd<174><195><252><243><168><201>?<17><9>_
Attributes:
        NAS-IP-Address = 172.22.220.253
        NAS-Port = 50009
        NAS-Port-Type = Ethernet
        User-Name = "ACD\gladl"
        Called-Station-Id = "00-17-0E-74-26-09"
        Calling-Station-Id = "00-21-70-9E-40-1F"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = <2><0><0><14><1>ACD\gladl
        Message-Authenticator = <201>%{<7><203><209>u<180><254>b<171><186><219><233><12><240>

Thu Jun 21 17:01:28 2012: DEBUG: Handling request with Handler 'User-Name=/ACD\\.+/ ', Identifier ''
Thu Jun 21 17:01:28 2012: DEBUG: Rewrote user name to gladl
Thu Jun 21 17:01:28 2012: DEBUG:  Deleting session for ACD\gladl, 172.22.220.253, 50009
Thu Jun 21 17:01:28 2012: DEBUG: Handling with Radius::AuthLDAP2: LDAP
Thu Jun 21 17:01:28 2012: DEBUG: Handling with EAP: code 2, 0, 14, 1
Thu Jun 21 17:01:28 2012: DEBUG: Response type 1
Thu Jun 21 17:01:28 2012: DEBUG: EAP result: 1, EAP authentication is not permitted.
Thu Jun 21 17:01:28 2012: DEBUG: AuthBy LDAP2 result: REJECT, EAP authentication is not permitted.
Thu Jun 21 17:01:28 2012: INFO: Access rejected for gladl: EAP authentication is not permitted.
Thu Jun 21 17:01:28 2012: DEBUG: Packet dump:
*** Sending to 172.22.220.253 port 1645 ....
Code:       Access-Reject
Identifier: 186
Authentic:  <166><254><10><133>'ZI<28>T;j<161><229><238>9<146>
Attributes:
        Reply-Message = "Request Denied"

...
...


<AuthBy FILE>

        Identifier Peap_outer_file

        # The username of the outer authentication
        #  must be in this file to get anywhere. In this example,
        # it requires an entry for 'anonymous' which is the standard username
        # in the outer requests, and it also requires an entry for the
        # actual user name who is trying to connect (ie the 'Login name' entered
        # in the Funk Odyssey 'Edit Profile Properties' page
        Filename %D/users

        # EAPType sets the EAP type(s) that Radiator will honour.
        # Options are: MD5-Challenge, One-Time-Password
        # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
        # Multiple types can be comma separated. With the default (most
        # preferred) type given first
        EAPType MD5-Challenge, PEAP

        # EAPTLS_CAFile is the name of a file of CA certificates
        # in PEM format. The file can contain several CA certificates
        # Radiator will first look in EAPTLS_CAFile then in
        # EAPTLS_CAPath, so there usually is no need to set both
        #EAPTLS_CAFile /etc/radius/certificates/DigiCertCA2.crt
        EAPTLS_CAFile  /etc/radius/certificates/AustarCA.cer

        # EAPTLS_CertificateFile is the name of a file containing
        # the servers certificate. EAPTLS_CertificateType
        # specifies the type of the file. Can be PEM or ASN1
        # defaults to ASN1
        EAPTLS_CertificateFile /etc/radius/certificates/certnew.cer
        EAPTLS_CertificateType PEM

        # EAPTLS_PrivateKeyFile is the name of the file containing
        # the servers private key. It is sometimes in the same file
        # as the server certificate (EAPTLS_CertificateFile)
        # If the private key is encrypted (usually the case)
        # then EAPTLS_PrivateKeyPassword is the key to decrypt it
        EAPTLS_PrivateKeyFile /etc/radius/certificates/lab-rat.dsa_austar_com_au.key
        #EAPTLS_PrivateKeyPassword whatever

        # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
        # size that will be replied by Radiator. It must be small
        # enough to fit in a single Radius request (ie less than 4096)
        # and still leave enough space for other attributes
        # Aironet APs seem to need a smaller MaxFragmentSize
        # (eg 1024) than the default of 2048. Others need even smaller sizes.
        EAPTLS_MaxFragmentSize 1000

        # Some clients, depending on their configuration, may require you to specify
        # MPPE send and receive keys. This _will_ be required if you select
        # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
        # client Network Properties dialog.
        # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
        # in the final Access-Accept
        AutoMPPEKeys


        # You can control which version of the draft PEAP protocol to honour
        # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
        # such as Funk Odyssey Client 2.22 or later.
        EAPTLS_PEAPVersion 0
</AuthBy>


<AuthBy LDAP2>

    Identifier            LDAP

    BaseDN DC=acd,DC=internal
    AuthDN xxx@xxxxxxx
    AuthPassword xxxxxx
    ServerChecksPassword
    NoDefault
    Timeout 9
    FailureBackoffTime 90
    Host xxxxxxx
    Version 3
    UsernameAttr sAMAccountName
    #AuthAttrDef extensionAttribute10, Tunnel-Private-Group-ID,reply
    AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=Ether_802, Tunnel-Private-Group-ID=220

</AuthBy>

<AuthBy LDAP2>

    Identifier            LDAP_machine

    BaseDN DC=acd,DC=internal
    AuthDN xxxx@xxxx
    AuthPassword xxxxxxxxxxxx
    ServerChecksPassword
    NoDefault
    Timeout 9
    FailureBackoffTime 90
    Host xxxxxxxxxxxx
    Version 3
    UsernameAttr sAMAccountName
    #AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=Ether_802, Tunnel-Private-Group-ID=222

</AuthBy>



############################################################

<AuthBy FILE>

        Identifier Peap_inner_file
        # Don't really need this
        # Filename %D/users

        # This tells the PEAP client what types of inner EAP requests
        # we will honour
        EAPType MSCHAP-V2

        # This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2 request into
        # an ordinary Radius-MSCHAPV2 request and redispatch it to a Handler
        # that matches ConvertedFromEAPMSCHAPV2=1 (see the Handlers section below)
        EAP_PEAP_MSCHAP_Convert 1
</AuthBy>


#############################################################
#############################################################
#
# Handlers
#
#############################################################
#############################################################

# This is where the inner EAP-MSCHAPV2 request appears, after being converted to
# a conventional Radius-MSCHAPV2 request. You can proxy or handle locally.
# Since it's an ordinary Radius request, it can be proxied to non-EAP capable Radius
# servers.
<Handler ConvertedFromEAPMSCHAPV2=1>
        AuthBy LDAP
</Handler>

<Handler TunnelledByPEAP=1>


        AddToRequest Handler-used="TunnelledByPEAP=1"
        AuthBy Peap_inner_file

</Handler>

<Handler User-Name=/host\/.+/ >
#dot1x auth on visitor switch
    RewriteUsername s/(.*)\/(.*)/$2/
    RewriteUsername s/.acd.internal//
    AuthBy            LDAP_machine
    RejectHasReason
    AcctLogFileName        %L/detail
</Handler>

<Handler User-Name=/ACD\\.+/ >
#dot1x auth on visitor switch
    RewriteUsername s/(.*)\\(.*)/$2/
    AuthBy            LDAP
    #RejectHasReason
    AcctLogFileName        %L/detail
</Handler>
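Added example and reading of the log above (editor's, not from the original post and not a Radiator goodies file). The reject comes from the AuthBy with Identifier LDAP: the log shows "Handling with Radius::AuthLDAP2: LDAP" followed immediately by "EAP result: 1, EAP authentication is not permitted". That AuthBy has no EAPType; the only EAPType and EAPTLS_* settings in the posted config sit in Peap_outer_file, which no Handler references. As far as I know Radiator rejects any request that carries an EAP-Message when the AuthBy handling it has no EAPType configured, which is exactly what the Access-Request from the switch (EAP-Message, code 2 Response, type 1 Identity) triggers here; check this against the EAPType entry in the reference manual for your version. The fragment below gives the ACD\ handler an outer AuthBy that does terminate PEAP. The Identifier LDAP_peap_outer is an assumption; every other value is copied from the post. MD5-Challenge is deliberately not offered: it derives no session keys and does not authenticate the server, so it has no place in a port-based deployment whose intent is PEAP.

```text
# Added example (not the poster's or Radiator's own config).
# Outer leg: the AuthBy that sees the Access-Request from the switch must
# have an EAPType, or every EAP-Message it receives is rejected with
# "EAP authentication is not permitted".
<AuthBy LDAP2>
    Identifier LDAP_peap_outer            # assumed name

    BaseDN DC=acd,DC=internal
    AuthDN xxx@xxxxxxx
    AuthPassword xxxxxx
    Host xxxxxxx
    Version 3
    UsernameAttr sAMAccountName
    NoDefault
    Timeout 9
    FailureBackoffTime 90

    # Honour only PEAP on the outer leg; no MD5-Challenge.
    EAPType PEAP

    # TLS material, as in the poster's Peap_outer_file block.
    # Keep the private key file readable by the radiusd user only.
    EAPTLS_CAFile /etc/radius/certificates/AustarCA.cer
    EAPTLS_CertificateFile /etc/radius/certificates/certnew.cer
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile /etc/radius/certificates/lab-rat.dsa_austar_com_au.key
    EAPTLS_MaxFragmentSize 1000
    EAPTLS_PEAPVersion 0
    AutoMPPEKeys

    # VLAN assignment goes in the final Access-Accept of the outer leg.
    AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=Ether_802, Tunnel-Private-Group-ID=220
</AuthBy>

# Outer handler for domain users; replaces the poster's "AuthBy LDAP" line.
<Handler User-Name=/ACD\\.+/ >
    RewriteUsername s/(.*)\\(.*)/$2/
    AuthBy LDAP_peap_outer
    # RejectHasReason copies the reject reason into Reply-Message, where the
    # switch (and possibly the supplicant) can read it. Leave it off in
    # production; read reasons from the radiusd log instead.
    #RejectHasReason
    AcctLogFileName %L/detail
</Handler>
```

Two caveats about the inner leg, which the fragment leaves as the poster had it. First, the TunnelledByPEAP=1 handler has no RewriteUsername, so if the supplicant sends ACD\gladl as the inner identity as well, the converted request reaches the LDAP AuthBy with the domain prefix still attached and the sAMAccountName lookup will not match; the same rewrite as the outer handler belongs there. Second, MSCHAP-V2 cannot be verified by an LDAP bind: the RADIUS server never receives the plaintext password, only a challenge response, and it needs the NT hash to check it, which ServerChecksPassword against AD cannot provide. Radiator's supported route for PEAP-MSCHAPv2 against Active Directory is AuthBy NTLM (ntlm_auth through Samba winbind) or AuthBy LSA on a Windows host, so expect the ConvertedFromEAPMSCHAPV2=1 handler to need one of those rather than the LDAP AuthBy once the outer leg is working.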