[RADIATOR] PEAP from Radiator via Juniper switches
Garry Shtern
Garry.Shtern at twosigma.com
Mon Jul 29 08:26:50 CDT 2013
I figured out what happened. I apply "AllowInReply" attributes to the clients depending on the type and I forgot to include "EAP-Message", "Message-Authenticator" and others.
Once I added those, everything started working correctly.
Thanks!
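The fix above in config form, as an added example (not from the thread): a Radiator Client clause with the AllowInReply list that strips the EAP attributes, next to the corrected list. The client address is the NAS-IP-Address from the dump, the secret is a placeholder, and including the MS-MPPE keys (which AutoMPPEKeys adds to the final Access-Accept) is my assumption of what a PEAP reply needs beyond the attributes the thread names.

```text
# Added example, not from the thread. Address reused from the packet dump;
# secret is a placeholder.

# Before: the list only names what was wanted in an Access-Accept.
# AllowInReply is applied to every reply, so the Access-Challenge goes out
# without EAP-Message, Message-Authenticator and State, and the Juniper EX
# drops it (the empty "Attributes:" seen in the Access-Challenge dump).
<Client 192.168.61.6>
    Secret        CHANGE-ME-placeholder
    Identifier    juniper-ex
    AllowInReply  Session-Timeout,Reply-Message
</Client>

# After: keep the EAP framing attributes in every reply. EAP-Message,
# Message-Authenticator and State are what the NAS needs to continue the
# PEAP conversation; the MS-MPPE keys carry the session keys on success
# (assumed; not listed in the thread).
<Client 192.168.61.6>
    Secret        CHANGE-ME-placeholder
    Identifier    juniper-ex
    AllowInReply  EAP-Message,Message-Authenticator,State,Session-Timeout,Reply-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key
</Client>
```

A quick check after changing the list is to repeat the Trace 4 capture shown below and confirm the Access-Challenge dump now lists EAP-Message, Message-Authenticator and State under "Attributes:".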
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Garry Shtern
Sent: Monday, July 29, 2013 9:05 AM
To: 'Sami Keski-Kasari'; radiator at open.com.au
Subject: Re: [RADIATOR] PEAP from Radiator via Juniper switches
Sure, here you go...
Fri Jul 19 22:07:40 2013: DEBUG: Packet dump:
*** Received from 172.20.60.2 port 6850 ....
Code: Access-Request
Identifier: 196
Authentic: <205>dD<193>x<230><138><161>+?B<217>k<154><218>C
Attributes:
User-Name = "SECURITYTEST$"
NAS-Port = 121
EAP-Message = <2><0><0><18><1>SECURITYTEST$
Message-Authenticator = <246>X<208>3<137><196>#nP<230><186>^<138><25><226><227>
Acct-Session-Id = "8O2.1x81a0139d000556a4"
NAS-Port-Id = "ge-0/0/14.0"
Calling-Station-Id = "78-2b-cb-9a-85-34"
Called-Station-Id = "88-e0-f3-b0-80-00"
NAS-IP-Address = 192.168.61.6
NAS-Identifier = "udsw16-1603-1-re0"
NAS-Port-Type = Ethernet
Fri Jul 19 22:07:40 2013: DEBUG: Handling request with Handler '', Identifier ''
Fri Jul 19 22:07:40 2013: DEBUG: Rewrote user name to SECURITYTEST$
Fri Jul 19 22:07:40 2013: DEBUG: Deleting session for SECURITYTEST$, 192.168.61.6, 121
Fri Jul 19 22:07:40 2013: DEBUG: Handling with Radius::AuthFILE: user-file-auth
Fri Jul 19 22:07:40 2013: DEBUG: Handling with EAP: code 2, 0, 18, 1
Fri Jul 19 22:07:40 2013: DEBUG: Response type 1
Fri Jul 19 22:07:40 2013: DEBUG: EAP result: 3, EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: Access challenged for SECURITYTEST$: EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: Packet dump:
*** Sending to 172.20.60.2 port 6850 ....
Code: Access-Challenge
Identifier: 196
Authentic: 7<11>p;<158><225><243><247><16><206>C<22><178>F<231><252>
Attributes:
-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Sami Keski-Kasari
Sent: Monday, July 29, 2013 6:52 AM
To: radiator at open.com.au
Subject: Re: [RADIATOR] PEAP from Radiator via Juniper switches
Hello Garry,
Can you reply with a Trace 4 log file?
Best Regards,
Sami
On 07/29/2013 04:27 AM, Garry Shtern wrote:
> Hi Alan,
>
> The config is pretty straight forward. Here you go:
>
> # User check from user file
> <AuthBy FILE>
>     Identifier user-file-auth
>     # Location of the users file
>     Filename %D/users
>     # Supported EAP Types and session info
>     EAPType PEAP,TLS,MSCHAP-V2
>     EAPTLS_MaxFragmentSize 1024
>     EAPTLS_SessionResumptionLimit 60
>     # Certificate Info
>     EAPTLS_CAFile %D/certs/ca.pem
>     EAPTLS_CertificateType PEM
>     EAPTLS_PrivateKeyFile %D/certs/%h.pem
>     EAPTLS_CertificateChainFile %D/certs/%h.pem
>     # This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2 request into
>     # an ordinary Radius-MSCHAPV2 request and redespatch to a Handler
>     # that matches ConvertedFromEAPMSCHAPV2=1
>     EAP_PEAP_MSCHAP_Convert 1
>     # Deal with MPPE keys
>     AutoMPPEKeys
> </AuthBy>
>
> From: Alan Buxey [mailto:A.L.M.Buxey at lboro.ac.uk]
> Sent: Saturday, July 27, 2013 7:22 AM
> To: Garry Shtern; 'radiator at open.com.au'
> Subject: Re: [RADIATOR] PEAP from Radiator via Juniper switches
>
> config?
>
> alan
>
> -------- Original message --------
> From: Garry Shtern <Garry.Shtern at twosigma.com
> <mailto:Garry.Shtern at twosigma.com>>
> Date: 26/07/2013 22:40 (GMT+00:00)
> To: "'radiator at open.com.au'" <radiator at open.com.au
> <mailto:radiator at open.com.au>>
> Subject: [RADIATOR] PEAP from Radiator via Juniper switches
>
> All,
>
> I ran into an interesting issue. I am trying to do PEAP/MSCHAPv2 via
> Juniper EX switch to Radiator. I am seeing the Access-Request come
> in, and Radiator responds with Access-Challenge which is dropped by the EX.
> However, I have the same switch pointing to Microsoft NPS and
> everything works flawlessly.
>
> Looking over packet captures and debugs on the Radiator I noticed the
> following difference in responses:
>
> - NPS returns "Authenticator" and the following AVPs:
>   - Session-Timeout
>   - EAP-Message w/ EAP Request 1, Id 1, Type 25 (PEAP), Start Flag and
>     PEAP version 0
>   - State
>   - Message-Authenticator
>
> - Radiator returns "Authenticator" and none of the AVPs.
>
> I am suspecting that Juniper EX has an issue with this and that's why
> it's dropping the frames, while Cisco IOS switch is absolutely fine
> and forwards the traffic back to the client w/o much of a consideration.
>
> Is there any easy way to force Radiator to add the same attributes to
> the Challenge as NPS?
>
> Thanks.
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
--
Sami Keski-Kasari <samikk at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.