[RADIATOR] EAP result: 1, EAP authentication is not permitted.

Heikki Vatiainen hvn at open.com.au
Thu Jun 21 02:49:02 CDT 2012


On 06/21/2012 10:08 AM, Garth Ladlow wrote:

> Hoping someone can point me in the right direction for the error  EAP
> result: 1, EAP authentication is not permitted.

The request goes to an AuthBy that has no EAPType set. From the log:

Thu Jun 21 17:01:28 2012: DEBUG: Handling request with Handler
'User-Name=/ACD\\.+/ ', Identifier ''
...
Thu Jun 21 17:01:28 2012: DEBUG: Handling with Radius::AuthLDAP2: LDAP

From the config:

<Handler User-Name=/ACD\\.+/ >
  ...
  AuthBy            LDAP


<AuthBy LDAP2>
    Identifier            LDAP

There's no EAPType defined for this AuthBy.

I noticed you have AuthBy FILE with Identifier Peap_outer_file in the
config. Maybe the Handler above should use 'AuthBy Peap_outer_file' to
take care of EAP requests?

Heikki



> Thu Jun 21 17:01:28 2012: DEBUG: Packet dump:
> 
> *** Received from 172.22.220.253 port 1645 ....
> 
> Code:       Access-Request
> 
> Identifier: 186
> 
> Authentic:  B<211>/<133>xd<174><195><252><243><168><201>?<17><9>_
> 
> Attributes:
> 
>         NAS-IP-Address = 172.22.220.253
> 
>         NAS-Port = 50009
> 
>         NAS-Port-Type = Ethernet
> 
>         User-Name = "ACD\gladl"
> 
>         Called-Station-Id = "00-17-0E-74-26-09"
> 
>         Calling-Station-Id = "00-21-70-9E-40-1F"
> 
>         Service-Type = Framed-User
> 
>         Framed-MTU = 1500
> 
>         EAP-Message = <2><0><0><14><1>ACD\gladl
> 
>         Message-Authenticator =
> <201>%{<7><203><209>u<180><254>b<171><186><219><233><12><240>
> 
>  
> 
> Thu Jun 21 17:01:28 2012: DEBUG: Handling request with Handler
> 'User-Name=/ACD\\.+/ ', Identifier ''
> 
> Thu Jun 21 17:01:28 2012: DEBUG: Rewrote user name to gladl
> 
> Thu Jun 21 17:01:28 2012: DEBUG:  Deleting session for ACD\gladl,
> 172.22.220.253, 50009
> 
> Thu Jun 21 17:01:28 2012: DEBUG: Handling with Radius::AuthLDAP2: LDAP
> 
> Thu Jun 21 17:01:28 2012: DEBUG: Handling with EAP: code 2, 0, 14, 1
> 
> Thu Jun 21 17:01:28 2012: DEBUG: Response type 1
> 
> Thu Jun 21 17:01:28 2012: DEBUG: EAP result: 1, EAP authentication is
> not permitted.
> 
> Thu Jun 21 17:01:28 2012: DEBUG: AuthBy LDAP2 result: REJECT, EAP
> authentication is not permitted.
> 
> Thu Jun 21 17:01:28 2012: INFO: Access rejected for gladl: EAP
> authentication is not permitted.
> 
> Thu Jun 21 17:01:28 2012: DEBUG: Packet dump:
> 
> *** Sending to 172.22.220.253 port 1645 ....
> 
> Code:       Access-Reject
> 
> Identifier: 186
> 
> Authentic:  <166><254><10><133>'ZI<28>T;j<161><229><238>9<146>
> 
> Attributes:
> 
>         Reply-Message = "Request Denied"
> 
>  
> 
>> 
>> 
>  
> 
>  
> 
> <AuthBy FILE>
> 
>  
> 
>         Identifier Peap_outer_file
> 
>  
> 
>         # The username of the outer authentication
> 
>         #  must be in this file to get anywhere. In this example,
> 
>         # it requires an entry for 'anonymous' which is the standard
> username
> 
>         # in the outer requests, and it also requires an entry for the
> 
>         # actual user name who is trying to connect (ie the 'Login name'
> entered
> 
>         # in the Funk Odyssey 'Edit Profile Properties' page
> 
>         Filename %D/users
> 
>  
> 
>         # EAPType sets the EAP type(s) that Radiator will honour.
> 
>         # Options are: MD5-Challenge, One-Time-Password
> 
>         # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> 
>         # Multiple types can be comma separated. With the default (most
> 
>         # preferred) type given first
> 
>         EAPType MD5-Challenge, PEAP
> 
>  
> 
>         # EAPTLS_CAFile is the name of a file of CA certificates
> 
>         # in PEM format. The file can contain several CA certificates
> 
>         # Radiator will first look in EAPTLS_CAFile then in
> 
>         # EAPTLS_CAPath, so there usually is no need to set both
> 
>         #EAPTLS_CAFile /etc/radius/certificates/DigiCertCA2.crt
> 
>         EAPTLS_CAFile  /etc/radius/certificates/AustarCA.cer
> 
>  
> 
>         # EAPTLS_CertificateFile is the name of a file containing
> 
>         # the servers certificate. EAPTLS_CertificateType
> 
>         # specifies the type of the file. Can be PEM or ASN1
> 
>         # defaults to ASN1
> 
>         EAPTLS_CertificateFile /etc/radius/certificates/certnew.cer
> 
>         EAPTLS_CertificateType PEM
> 
>  
> 
>         # EAPTLS_PrivateKeyFile is the name of the file containing
> 
>         # the servers private key. It is sometimes in the same file
> 
>         # as the server certificate (EAPTLS_CertificateFile)
> 
>         # If the private key is encrypted (usually the case)
> 
>         # then EAPTLS_PrivateKeyPassword is the key to decrypt it
> 
>         EAPTLS_PrivateKeyFile
> /etc/radius/certificates/lab-rat.dsa_austar_com_au.key
> 
>         #EAPTLS_PrivateKeyPassword whatever
> 
>  
> 
>         # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> 
>         # size that will be replied by Radiator. It must be small
> 
>         # enough to fit in a single Radius request (ie less than 4096)
> 
>         # and still leave enough space for other attributes
> 
>         # Aironet APs seem to need a smaller MaxFragmentSize
> 
>         # (eg 1024) than the default of 2048. Others need even smaller
> sizes.
> 
>         EAPTLS_MaxFragmentSize 1000
> 
>  
> 
>         # Some clients, depending on their configuration, may require
> you to specify
> 
>         # MPPE send and receive keys. This _will_ be required if you select
> 
>         # 'Keys will be generated automatically for data privacy' in the
> Funk Odyssey
> 
>         # client Network Properties dialog.
> 
>         # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> 
>         # in the final Access-Accept
> 
>         AutoMPPEKeys
> 
>  
> 
>  
> 
>         # You can control which version of the draft PEAP protocol to honour
> 
>         # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for
> unusual clients,
> 
>         # such as Funk Odyssey Client 2.22 or later.
> 
>         EAPTLS_PEAPVersion 0
> 
> </AuthBy>
> 
>  
> 
>  
> 
> <AuthBy LDAP2>
> 
>  
> 
>     Identifier            LDAP
> 
>  
> 
>                 BaseDN DC=acd,DC=internal
> 
>                 AuthDN xxx at xxxxxxx
> 
>                 AuthPassword xxxxxx
> 
>                 ServerChecksPassword
> 
>                 NoDefault
> 
>                 Timeout 9
> 
>                 FailureBackoffTime 90
> 
>                 Host xxxxxxx
> 
>                 Version 3
> 
>                 UsernameAttr sAMAccountName
> 
>                 #AuthAttrDef extensionAttribute10,
> Tunnel-Private-Group-ID,reply
> 
>                 AddToReply Tunnel-Type=VLAN,
> Tunnel-Medium-Type=Ether_802, Tunnel-Private-Group-ID=220
> 
>  
> 
>  
> 
> </AuthBy>
> 
>  
> 
> <AuthBy LDAP2>
> 
>  
> 
>     Identifier            LDAP_machine
> 
>  
> 
>                 BaseDN DC=acd,DC=internal
> 
>                 AuthDN xxxx at xxxx
> 
>                 AuthPassword xxxxxxxxxxxx
> 
>                 ServerChecksPassword
> 
>                 NoDefault
> 
>                 Timeout 9
> 
>                FailureBackoffTime 90
> 
>                 Host xxxxxxxxxxxx
> 
>                 Version 3
> 
>                 UsernameAttr sAMAccountName
> 
>                 #AddToReply Tunnel-Type=VLAN,
> Tunnel-Medium-Type=Ether_802, Tunnel-Private-Group-ID=222
> 
>  
> 
>  
> 
> </AuthBy>
> 
>  
> 
>  
> 
>  
> 
> ############################################################
> 
>  
> 
> <AuthBy FILE>
> 
>  
> 
>         Identifier Peap_inner_file
> 
>         # Dont really need this
> 
>         # Filename %D/users
> 
>  
> 
>         # This tells the PEAP client what types of inner EAP requests
> 
>         # we will honour
> 
>         EAPType MSCHAP-V2
> 
>  
> 
>         # This flag tells EAPType MSCHAP-V2 to convert the inner
> EAP-MSCHAPV2 request into
> 
>         # an ordinary Radius-MSCHAPV2 request and redespatch to a Handler
> 
>         # that matches ConvertedFromEAPMSCHAPV2=1 (see above)
> 
>         EAP_PEAP_MSCHAP_Convert 1
> 
> </AuthBy>
> 
>  
> 
>  
> 
> #############################################################
> 
> #############################################################
> 
> #
> 
> # Handlers
> 
> #
> 
> #############################################################
> 
> #############################################################
> 
>  
> 
> # This is where the inner EAP-MSCHAPV2 request appears, after being
> converted to
> 
> # a conventional Radius-MSCHAPV2 request. You can proxy or handle locally.
> 
> # Since it's an ordinary Radius request, it can be proxied to non-EAP
> capable Radius
> 
> # servers.
> 
> <Handler ConvertedFromEAPMSCHAPV2=1>
> 
>         AuthBy LDAP
> 
> </Handler>
> 
>  
> 
> <Handler TunnelledByPEAP=1>
> 
>  
> 
>  
> 
>         AddToRequest Handler-used="TunnelledByPEAP=1"
> 
>         AuthBy Peap_inner_file
> 
>  
> 
> </Handler>
> 
>  
> 
> <Handler User-Name=/host\/.+/ >
> 
> #dot1x auth on visitor switch
> 
>     RewriteUsername s/(.*)\/(.*)/$2/
> 
>     RewriteUsername s/.acd.internal//
> 
>     AuthBy            LDAP_machine
> 
>     RejectHasReason
> 
>     AcctLogFileName        %L/detail
> 
> </Handler>
> 
>  
> 
> <Handler User-Name=/ACD\\.+/ >
> 
> #dot1x auth on visitor switch
> 
>     RewriteUsername s/(.*)\\(.*)/$2/
> 
>     AuthBy            LDAP
> 
>     #RejectHasReason
> 
>     AcctLogFileName        %L/detail
> 
> </Handler>
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
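
The mismatch diagnosed in this reply (a Handler routing to an AuthBy that has no EAPType) can be checked for before deployment. The following is an added example, not part of the original thread and not Radiator code: a small Python check over a constructed, trimmed copy of the poster's configuration. The function names are hypothetical, and the parser assumes AuthBy clauses are defined at top level and referenced from Handlers by Identifier, as in the posted config.

```python
import re

# Constructed sample: a trimmed copy of the poster's configuration
# (only the clauses and parameters that matter for EAP routing).
SAMPLE_CONFIG = r"""
<AuthBy FILE>
    Identifier Peap_outer_file
    EAPType MD5-Challenge, PEAP
</AuthBy>
<AuthBy LDAP2>
    Identifier LDAP
    ServerChecksPassword
</AuthBy>
<AuthBy FILE>
    Identifier Peap_inner_file
    EAPType MSCHAP-V2
</AuthBy>
<Handler ConvertedFromEAPMSCHAPV2=1>
    AuthBy LDAP
</Handler>
<Handler TunnelledByPEAP=1>
    AuthBy Peap_inner_file
</Handler>
<Handler User-Name=/ACD\\.+/ >
    AuthBy LDAP
</Handler>
"""

CLAUSE = re.compile(r"<(AuthBy|Handler)\b([^>]*)>(.*?)</\1>", re.S)

def _params(body):
    """Return {keyword: value} for the non-comment lines of a clause body."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            out[parts[0]] = parts[1] if len(parts) > 1 else ""
    return out

def handlers_without_eap(config):
    """List (handler condition, AuthBy identifier) pairs whose AuthBy has no EAPType."""
    clauses = [(kind, arg.strip(), _params(body)) for kind, arg, body in CLAUSE.findall(config)]
    eap_capable = {p.get("Identifier"): "EAPType" in p for kind, _, p in clauses if kind == "AuthBy"}
    return [(cond, p["AuthBy"]) for kind, cond, p in clauses
            if kind == "Handler" and "AuthBy" in p and not eap_capable.get(p["AuthBy"], False)]
```

On the sample, the check lists both the `ConvertedFromEAPMSCHAPV2=1` and the `User-Name=/ACD\\.+/` Handlers. The first is expected, since per the config's own comments it only receives requests already converted to ordinary Radius-MSCHAPV2; the second is the one that received the EAP-Message in the posted log.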

