[RADIATOR] PEAP from Radiator via Juniper switches

Garry Shtern Garry.Shtern at twosigma.com
Mon Jul 29 08:26:50 CDT 2013


I figured out what happened.  I apply "AllowInReply" attributes to the clients depending on the type and I forgot to include "EAP-Message", "Message-Authenticator" and others.

Once I added those, everything started working correctly.

Thanks!
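To make the first post's question and the resolution above concrete: the check below is an added example (not Radiator's or the list's code; the shared secret and Request Authenticator are constructed values). It builds an Access-Challenge with the attributes the original post saw NPS send, builds one with every EAP attribute stripped, and reports which RFC 3579 attributes a reply lacks and whether its Message-Authenticator verifies against the shared secret.

```python
import hashlib
import hmac
ACCESS_CHALLENGE = 11  # RADIUS code; attribute numbers below are from RFC 2865 / RFC 3579
ATTR = {"State": 24, "Session-Timeout": 27, "EAP-Message": 79, "Message-Authenticator": 80}
REQUIRED_WITH_EAP = ("EAP-Message", "Message-Authenticator", "State")  # RFC 3579 for EAP replies
def build_challenge(ident, request_auth, secret, attrs):
    """Encode an Access-Challenge from (name, value) pairs, computing Message-Authenticator
    (HMAC-MD5 over the zeroed packet, RFC 3579 3.2) and the RFC 2865 Response Authenticator."""
    avps, ma_off = b"", None
    for name, value in attrs:
        if name == "Message-Authenticator":
            ma_off, value = len(avps) + 2, b"\x00" * 16
        avps += bytes([ATTR[name], 2 + len(value)]) + value
    header = bytes([ACCESS_CHALLENGE, ident]) + (20 + len(avps)).to_bytes(2, "big")
    if ma_off is not None:
        mac = hmac.new(secret, header + request_auth + avps, hashlib.md5).digest()
        avps = avps[:ma_off] + mac + avps[ma_off + 16:]
    return header + hashlib.md5(header + request_auth + avps + secret).digest() + avps

def parse_attrs(packet):
    """Return [(type, offset_of_value, value)] for the attribute area of a packet."""
    out, pos = [], 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 1 < len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((packet[pos], pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return out

def missing_eap_attrs(packet):
    """Names from REQUIRED_WITH_EAP absent from an Access-Challenge; [] if complete."""
    if packet[0] != ACCESS_CHALLENGE:
        return []
    present = {atype for atype, _, _ in parse_attrs(packet)}
    return [name for name in REQUIRED_WITH_EAP if ATTR[name] not in present]

def message_authenticator_ok(packet, request_auth, secret):
    """Recompute the HMAC-MD5 and compare in constant time; False if the attribute is absent."""
    for atype, off, value in parse_attrs(packet):
        if atype == ATTR["Message-Authenticator"] and len(value) == 16:
            zeroed = packet[:4] + request_auth + packet[20:off] + b"\x00" * 16 + packet[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False

# Constructed sample: an NPS-style reply (EAP Request, Id 1, PEAP Start, version 0) vs. one stripped bare
REQ_AUTH, SECRET = bytes(range(16)), b"constructed-secret"
NPS_STYLE = build_challenge(196, REQ_AUTH, SECRET, [("EAP-Message", bytes([1, 1, 0, 6, 25, 0x20])),
                                                    ("State", b"\x01\x02"), ("Message-Authenticator", b"")])
STRIPPED = build_challenge(196, REQ_AUTH, SECRET, [])
```

Run `missing_eap_attrs` over a captured reply to spot an AllowInReply filter that drops the EAP attributes; the stripped packet reports all three names missing.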

-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Garry Shtern
Sent: Monday, July 29, 2013 9:05 AM
To: 'Sami Keski-Kasari'; radiator at open.com.au
Subject: Re: [RADIATOR] PEAP from Radiator via Juniper switches

Sure, here you go...

Fri Jul 19 22:07:40 2013: DEBUG: Packet dump:
*** Received from 172.20.60.2 port 6850 ....
Code:       Access-Request
Identifier: 196
Authentic:  <205>dD<193>x<230><138><161>+?B<217>k<154><218>C
Attributes:
        User-Name = "SECURITYTEST$"
        NAS-Port = 121
        EAP-Message = <2><0><0><18><1>SECURITYTEST$
        Message-Authenticator = <246>X<208>3<137><196>#nP<230><186>^<138><25><226><227>
        Acct-Session-Id = "8O2.1x81a0139d000556a4"
        NAS-Port-Id = "ge-0/0/14.0"
        Calling-Station-Id = "78-2b-cb-9a-85-34"
        Called-Station-Id = "88-e0-f3-b0-80-00"
        NAS-IP-Address = 192.168.61.6
        NAS-Identifier = "udsw16-1603-1-re0"
        NAS-Port-Type = Ethernet

Fri Jul 19 22:07:40 2013: DEBUG: Handling request with Handler '', Identifier ''
Fri Jul 19 22:07:40 2013: DEBUG: Rewrote user name to SECURITYTEST$
Fri Jul 19 22:07:40 2013: DEBUG:  Deleting session for SECURITYTEST$, 192.168.61.6, 121
Fri Jul 19 22:07:40 2013: DEBUG: Handling with Radius::AuthFILE: user-file-auth
Fri Jul 19 22:07:40 2013: DEBUG: Handling with EAP: code 2, 0, 18, 1
Fri Jul 19 22:07:40 2013: DEBUG: Response type 1
Fri Jul 19 22:07:40 2013: DEBUG: EAP result: 3, EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: Access challenged for SECURITYTEST$: EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: Packet dump:
*** Sending to 172.20.60.2 port 6850 ....
Code:       Access-Challenge
Identifier: 196
Authentic:  7<11>p;<158><225><243><247><16><206>C<22><178>F<231><252>
Attributes:


-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Sami Keski-Kasari
Sent: Monday, July 29, 2013 6:52 AM
To: radiator at open.com.au
Subject: Re: [RADIATOR] PEAP from Radiator via Juniper switches

Hello Garry,

Can you reply with Trace 4 log file.

Best Regards,
  Sami


On 07/29/2013 04:27 AM, Garry Shtern wrote:
> Hi Alan,
>
> The config is pretty straightforward.  Here you go:
>
> # User check from user file
> <AuthBy FILE>
>          Identifier                      user-file-auth
>          # Location of the users file
>          Filename                        %D/users
>          # Supported EAP Types and session info
>          EAPType                         PEAP,TLS,MSCHAP-V2
>          EAPTLS_MaxFragmentSize          1024
>          EAPTLS_SessionResumptionLimit   60
>          # Certificate Info
>          EAPTLS_CAFile                   %D/certs/ca.pem
>          EAPTLS_CertificateType          PEM
>          EAPTLS_PrivateKeyFile           %D/certs/%h.pem
>          EAPTLS_CertificateChainFile     %D/certs/%h.pem
>          # This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2 request into
>          # an ordinary Radius-MSCHAPV2 request and redespatch to a Handler
>          # that matches ConvertedFromEAPMSCHAPV2=1
>          EAP_PEAP_MSCHAP_Convert         1
>          # Deal with MPPE keys
>          AutoMPPEKeys
> </AuthBy>
>
> From: Alan Buxey [mailto:A.L.M.Buxey at lboro.ac.uk]
> Sent: Saturday, July 27, 2013 7:22 AM
> To: Garry Shtern; 'radiator at open.com.au'
> Subject: Re: [RADIATOR] PEAP from Radiator via Juniper switches
>
> config?
>
> alan
>
>
>
>
> -------- Original message --------
> From: Garry Shtern <Garry.Shtern at twosigma.com 
> <mailto:Garry.Shtern at twosigma.com>>
> Date: 26/07/2013 22:40 (GMT+00:00)
> To: "'radiator at open.com.au'" <radiator at open.com.au 
> <mailto:radiator at open.com.au>>
> Subject: [RADIATOR] PEAP from Radiator via Juniper switches
>
> All,
>
> I ran into an interesting issue.  I am trying to do PEAP/MSCHAPv2 via 
> Juniper EX switch to Radiator.  I am seeing the Access-Request come 
> in, and Radiator responds with Access-Challenge which is dropped by the EX.
> However, I have the same switch pointing to Microsoft NPS and
> everything works flawlessly.
>
> Looking over packet captures and debugs on the Radiator I noticed the 
> following difference in responses:
>
> - NPS returns "Authenticator" and the following AVPs:
>   o Session-Timeout
>   o EAP-Message w/ EAP Request 1, Id 1, Type 25 (PEAP), Start Flag and PEAP version 0
>   o State
>   o Message-Authenticator
>
> - Radiator returns "Authenticator" and none of the AVPs.
>
> I am suspecting that the Juniper EX has an issue with this and that's why
> it's dropping the frames, while a Cisco IOS switch is absolutely fine
> and forwards the traffic back to the client w/o much of a consideration.
>
> Is there any easy way to force Radiator to add the same attributes to 
> the Challenge as NPS?
>
> Thanks.
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>


--
Sami Keski-Kasari <samikk at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.