Hello Ken -


On thinking about this a bit more, you should be able to do what you need like this (note the AuthBy RADIUS must be last):

# define AuthBy clauses

<AuthBy PAM>
        Identifier CheckPAM
        .....
</AuthBy>

<AuthBy RADIUS>
        Identifier ForwardToIAS
        .....
</AuthBy>

.....

# define Realms or Handlers

<Handler ...>
        AuthByPolicy ContinueUntilAccept
        AuthBy CheckPAM
        AuthBy ForwardToIAS
        ....
</Handler>

Note that the AuthBy RADIUS clause operates asynchronously, so it must be last in any list of AuthBy clauses.

regards

Hugh


On Thursday, Mar 20, 2003, at 11:11 Australia/Melbourne, Kawakubo, Ken wrote:


All,

I would like Radiator to do the following.

When Radiator gets PEAP-EAP-CHAPv2 radius packets, Radiator proxies to IAS
on Windows 2003 server. When Radiator gets EAP-TTLS-PAP packets, Radiator
authenticates via AuthBy PAM using pam_smb. I have to do this setup because
we need to authenticate against NTLM. I can do NTLM authentication with
EAP-TTLS since I can use plaintext PAP, but I cannot do NTLM authentication
with PEAP-EAP-CHAPv2 since it uses encrypted passwords.


I got both Radius proxy with PEAP-EAP-CHAPv2 and AuthBy PAM with
EAP-TTLS-PAP working separately. But when I try to combine both packets together, I
am not getting it to work. Either one or the other fails authentication. I
have tried using AuthByPolicy and listing both AuthBy clauses but it does not
seem to work.


I am wondering if there is a way to check radius packets beforehand and send
them to the appropriate AuthBy clause. The first request packet uses code 1
instead of 25 (PEAP) or 21 (EAP-TTLS) and it seems to make it difficult to
differentiate.


I appreciate any help. Thank you.

Ken Kawakubo








=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.



NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
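
Added example (not part of the original thread, and not Radiator code): a small Python decoder for the EAP-Message attribute of a RADIUS Access-Request. It shows why the first packet of a session reports EAP type 1 (Identity) and the method type, 25 (PEAP) or 21 (EAP-TTLS), only appears in later packets or in a Nak. The function names and the sample packets are constructed for illustration.

```python
import struct

EAP_MESSAGE = 79                      # RADIUS attribute carrying EAP (RFC 3579)
EAP_RESPONSE = 2
EAP_TYPES = {1: "Identity", 3: "Nak", 21: "EAP-TTLS", 25: "PEAP"}

def eap_from_radius(packet: bytes) -> bytes:
    """Concatenate all EAP-Message attributes of one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    eap, pos = b"", 20                # attributes start after the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == EAP_MESSAGE:      # long EAP packets span several attributes
            eap += packet[pos + 2:pos + alen]
        pos += alen
    return eap

def describe(packet: bytes) -> str:
    """Name the EAP type in an Access-Request, or say why it is unknown."""
    eap = eap_from_radius(packet)
    if len(eap) < 5:
        return "no EAP type present"
    code, _ident, elen, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or elen > len(eap):
        return "not a well-formed EAP-Response"
    if etype == 3:                    # Nak lists the methods the client wants
        wanted = [EAP_TYPES.get(t, f"type {t}") for t in eap[5:elen]]
        return "Nak, client wants " + ", ".join(wanted)
    return EAP_TYPES.get(etype, f"type {etype}")

def radius_request(eap: bytes) -> bytes:
    """Build a constructed Access-Request holding one EAP-Message attribute."""
    attr = bytes([EAP_MESSAGE, len(eap) + 2]) + eap
    return struct.pack("!BBH", 1, 7, 20 + len(attr)) + bytes(16) + attr

def eap_response(etype: int, data: bytes) -> bytes:
    return struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(data), etype) + data

# Constructed samples: first packet of a session, then two later ones.
first = radius_request(eap_response(1, b"ken"))
later_peap = radius_request(eap_response(25, b"\x00"))
nak_ttls = radius_request(eap_response(3, bytes([21])))
print([describe(p) for p in (first, later_peap, nak_ttls)])
```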
