[RADIATOR] PEAP from Radiator via Juniper switches

Sami Keski-Kasari samikk at open.com.au
Mon Jul 29 05:51:35 CDT 2013


Hello Garry,

Can you reply with a Trace 4 log file?

Best Regards,
  Sami


On 07/29/2013 04:27 AM, Garry Shtern wrote:
> Hi Alan,
>
> The config is pretty straightforward.  Here you go:
>
> # User check from user file
> <AuthBy FILE>
>         Identifier                      user-file-auth
>
>         # Location of the users file
>         Filename                        %D/users
>
>         # Supported EAP Types and session info
>         EAPType                         PEAP,TLS,MSCHAP-V2
>         EAPTLS_MaxFragmentSize          1024
>         EAPTLS_SessionResumptionLimit   60
>
>         # Certificate Info
>         EAPTLS_CAFile                   %D/certs/ca.pem
>         EAPTLS_CertificateType          PEM
>         EAPTLS_PrivateKeyFile           %D/certs/%h.pem
>         EAPTLS_CertificateChainFile     %D/certs/%h.pem
>
>         # This flag tells EAPType MSCHAP-V2 to convert the inner
>         # EAP-MSCHAPV2 request into an ordinary Radius-MSCHAPV2 request
>         # and redespatch it to a Handler that matches ConvertedFromEAPMSCHAPV2=1
>         EAP_PEAP_MSCHAP_Convert         1
>
>         # Deal with MPPE keys
>         AutoMPPEKeys
> </AuthBy>
>
> *From:*Alan Buxey [mailto:A.L.M.Buxey at lboro.ac.uk]
> *Sent:* Saturday, July 27, 2013 7:22 AM
> *To:* Garry Shtern; 'radiator at open.com.au'
> *Subject:* Re: [RADIATOR] PEAP from Radiator via Juniper switches
>
> config?
>
> alan
>
> -------- Original message --------
> From: Garry Shtern <Garry.Shtern at twosigma.com>
> Date: 26/07/2013 22:40 (GMT+00:00)
> To: "'radiator at open.com.au'" <radiator at open.com.au>
> Subject: [RADIATOR] PEAP from Radiator via Juniper switches
>
> All,
>
> I ran into an interesting issue.  I am trying to do PEAP/MSCHAPv2 via
> Juniper EX switch to Radiator.  I am seeing the Access-Request come in,
> and Radiator responds with Access-Challenge which is dropped by the EX.
> However, I have the same switch pointing to Microsoft NPS and
> everything works flawlessly.
>
> Looking over packet captures and debugs on the Radiator I noticed the
> following difference in responses:
>
> - NPS returns "Authenticator" and the following AVPs:
>   o Session-Timeout
>   o EAP-Message w/ EAP Request 1, Id 1, Type 25 (PEAP), Start Flag and
>     PEAP version 0
>   o State
>   o Message-Authenticator
>
> - Radiator returns "Authenticator" and none of the AVPs.
>
> I am suspecting that Juniper EX has an issue with this and that’s why
> it’s dropping the frames, while Cisco IOS switch is absolutely fine and
> forwards the traffic back to the client w/o much of a consideration.
>
> Is there any easy way to force Radiator to add the same attributes to
> the Challenge as NPS?
>
> Thanks.
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>


-- 
Sami Keski-Kasari <samikk at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
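Added example (not code from this thread, from Radiator or from NPS): a standard-library Python check that parses an Access-Challenge, reports which of the AVPs compared in the original message (Session-Timeout, EAP-Message, State, Message-Authenticator) it carries, and verifies the Response Authenticator (RFC 2865) and Message-Authenticator (RFC 3579) the way a NAS does before acting on the reply. The shared secret, Request Authenticator and packet contents are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_CHALLENGE = 11
ATTR_NAMES = {27: "Session-Timeout", 79: "EAP-Message", 24: "State", 80: "Message-Authenticator"}

def build_challenge(ident, request_auth, attrs, secret, msg_auth=True):
    """Build an Access-Challenge from (type, value) AVPs, optionally add Message-Authenticator, set Response Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if msg_auth:
        body += struct.pack("!BB", 80, 18) + bytes(16)  # zeroed while the HMAC is computed (RFC 3579)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(body))
    if msg_auth:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()  # RFC 2865 Response Authenticator
    return header + resp_auth + body

def parse_attrs(pkt):
    """Yield (type, value, offset) for every AVP following the 20-byte RADIUS header."""
    pos = 20
    while pos + 2 <= len(pkt):
        t, ln = pkt[pos], pkt[pos + 1]
        if ln < 2 or pos + ln > len(pkt):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield t, pkt[pos + 2:pos + ln], pos
        pos += ln

def check_challenge(pkt, request_auth, secret):
    """Return (present AVP names, Response Authenticator OK, Message-Authenticator OK or None if absent)."""
    code, _, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_CHALLENGE or length != len(pkt):
        raise ValueError("not a well-formed Access-Challenge")
    present, msg_auth_ok = set(), None
    for t, value, off in parse_attrs(pkt):
        present.add(ATTR_NAMES.get(t, "attr-%d" % t))
        if t == 80:  # HMAC-MD5 over the packet with this value zeroed and the Request Authenticator in place
            zeroed = pkt[:4] + request_auth + pkt[20:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            msg_auth_ok = hmac.compare_digest(value, expected)
    expected_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return present, hmac.compare_digest(pkt[4:20], expected_auth), msg_auth_ok

# Constructed sample values (not taken from the thread): secret, Request Authenticator, PEAP start
SECRET, REQ_AUTH = b"constructed-secret", bytes(range(16))
PEAP_START = bytes([1, 1, 0, 6, 25, 0x20])  # EAP Request, Id 1, Type 25 (PEAP), Start flag, version 0
NPS_LIKE = build_challenge(1, REQ_AUTH, [(27, struct.pack("!I", 60)), (79, PEAP_START), (24, b"constructed-state")], SECRET)
BARE = build_challenge(1, REQ_AUTH, [], SECRET, msg_auth=False)  # Authenticator-only reply, as described above
```

Running `check_challenge` on a captured reply (with the matching Request Authenticator from the Access-Request) shows immediately whether the challenge is missing the State and Message-Authenticator AVPs or fails an integrity check.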

