Re: [RADIATOR] PEAP and realm check

2014-08-19 Thread Roberto Pantoja
On 08/19/2014 11:50 AM, Klara Mall wrote:
> Hi,
>
> we have a problem concerning authentication with PEAP/MSCHAP-V2. We want to use
> different handlers per realm the user authenticates with. This is the
> configuration which does not work:
>
> -
> 
> Identifier ntlm-wifi2vlan
> Domain KIT
> NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> UsernameMatchesWithoutRealm
> EAPType MSCHAP-V2
> 
>
> 
> Identifier ldap-ad-kit-eap
> Include %D/server/KIT-DC-01
> BaseDN  dc=kit,dc=edu
> Timeout 5
> ServerChecksPassword
> UsernameAttr sAMAccountName
> PasswordAttr
>
> EAPType PEAP
> EAPTLS_CAFile %D/certificates/chain-kit-ca.pem
> EAPTLS_CertificateFile %D/certificates/server.pem
> EAPTLS_CertificateType PEM
> EAPTLS_MaxFragmentSize 1000
> EAPTLS_PrivateKeyFile %D/certificates/server.key
> EAPTLS_PEAPVersion 0
> EAPTLS_PEAPBrokenV1Label
> AutoMPPEKeys
> 
>
> # this does work
> # 
> # this does not work
> 
> Identifier SCC-WLAN-colubris-test
> AuthBy ntlm-wifi2vlan
> 
>
> 
> AuthBy ldap-ad-kit-eap
> 
>
> -
>
> In the comments you see that the problem is the check of the realm. I test 
> this with eapol_test:
> /usr/bin/eapol_test \
> -N 32:s:colubris-wifi2vlan -c conf.colubris -a xxx.xx.xx.xx -p 1812 
> -s "xxx"
>
> conf.colubris:
> network={
> ssid="wifi2vlantest"
> pairwise=CCMP TKIP
> group=CCMP TKIP WEP104 WEP40
> eap=PEAP
> eapol_flags=0
> key_mgmt=IEEE8021X
> identity="scc-netadmin-0001@colubris-test"
> password="x"
> ca_cert="/etc/ssl/certs/deutsche-telekom-root-ca-2.pem"
> phase2="auth=MSCHAPV2"
> anonymous_identity="qwerty@colubris-test"
> }
>
> I added some debug logging in the Radiator source. Then I could see
> that the realm is empty. So if I check for "Realm=" instead of the
> real realm, it works, too.
>
> If you need the Radiator log file (debug level), just tell me. Only two
> eapol_test attempts (one with the non-working and one with the working
> configuration) produce an 82K file.
>
> BTW: the same setup with EAP-TTLS/PAP is no problem. With TTLS I see that the
> checked realm is the one of the inner identity, which seems reasonable to me.
>
> I'm also wondering where the User-Name "anonymous" in the log comes from,
> as I don't use "anonymous" as the anonymous identity here.
>
> Can you help here? I need this because later I have to expand ntlm_auth with
> --require-membership-of= with a variable group name (though I had to patch
> radiator for this to work - there will be another email for this :) ).
>
> Thanks in advance
> Klara
>
You can do something similar to this:


AuthByPolicy ContinueUntilAcceptOrChallenge

# ActiveDirectory Group 1

Identifier Group1-PEAP
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=KIT/Group1
Domain KIT
DefaultDomain KIT
EAPType MSCHAP-V2
## Specific configuration for this group
  

# ActiveDirectory Group 2

Identifier Group2-PEAP
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=KIT/Group2
Domain KIT
DefaultDomain KIT
EAPType MSCHAP-V2
## Specific configuration for this group




AuthByPolicy ContinueUntilAcceptOrChallenge

Filename %D/users
EAPType PEAP
EAPTLS_CAFile %D/certificates/cacert.pem
EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
EAPTLS_CertificateType PEM 
EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
EAPTLS_PrivateKeyPassword scdm2k13
EAPTLS_MaxFragmentSize 1024
EAPTLS_PEAPVersion 0
EAPTLS_PEAPBrokenV1Label
AutoMPPEKeys



Greetings.

-- 


This message has been scanned for malware by Websense. www.websense.com
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)

2014-03-26 Thread Roberto Pantoja
Thank you, I will try tagging values for the reply...

On 03/26/2014 12:47 PM, Sami Keski-Kasari wrote:
> Hello Roberto,
>
> RFC 2868 defines that tunnel attributes include a Tag field before the
> value. Some NASes need it to be defined and some do not.
>
> Try for example with
>
> mikem2  User-Password=fred
> Service-Type = Framed-User,
> Tunnel-Private-Group-ID = 0:,
> Tunnel-Medium-Type = 0:802,
> Tunnel-Type = 0:VLAN
>
> or
> mikem2  User-Password=fred
> Service-Type = Framed-User,
> Tunnel-Private-Group-ID = 1:,
> Tunnel-Medium-Type = 1:802,
> Tunnel-Type = 1:VLAN
>
>
> Best Regards,
>  Sami
>
> On 03/26/2014 08:16 PM, Roberto Pantoja wrote:
>> Thank you for your prompt answer, but I have the same effect if I put
>> the VLAN name or the numeric ID. Do you have any other idea that could help me
>> resolve this problem?
>>
>> Best regards.
>>
>> On 03/26/2014 11:37 AM, Hartmaier Alexander wrote:
>>> On 2014-03-26 18:40, Roberto Pantoja wrote:
>>>> I have a problem trying to assign dynamic VLANs to users on a
>>>> WPA2-Enterprise configuration. Users authenticate successfully,
>>>> and if I don't send the RADIUS attribute "Tunnel-Private-Group-ID"
>>>> the wireless controller connects me to the default VLAN for the SSID,
>>>> but when I send "Tunnel-Private-Group-ID", the wireless controller
>>>> simply drops my connection. The wireless controller documentation
>>>> says the required attributes in the Access-Accept reply are
>>>> "Tunnel-Type=VLAN, Tunnel-Medium-Type=802,
>>>> Tunnel-Private-Group-ID=".  Everything works fine using
>>>> Ignition Server (Avaya's RADIUS server). But the product's
>>>> documentation says the WC8180 complies with RFC standards and mentions
>>>> being "compatible and validated" with FreeRADIUS and Microsoft IAS, so I
>>>> think my case is a configuration issue.
>>>>
>>>> Regards.
>>>>
>>>> Radiator Version: 4.12.1
>>>> Wireless Controller: AVAYA WC8180
>>>> Wireless Access Points: AVAYA AP8120
>>>>
>>>> Config file:
>>>> *** Config File ***
>>>> # radius.cfg
>>>>
>>>> Foreground
>>>> LogStdout
>>>> LogDir  /var/log/radius
>>>> LogFile %L/logfile.%Y.%m.%d
>>>> DbDir   /etc/radiator
>>>> # Use a lower trace level in production systems:
>>>> Trace   4
>>>> AuthPort 1812
>>>> AcctPort 1813
>>>>
>>>> 
>>>> Secret verysecret
>>>> PacketTrace
>>>> Identifier Avaya WC8180
>>>> 
>>>>
>>>> 
>>>> 
>>>> Filename %D/users
>>>> EAPType MSCHAP-V2
>>>> 
>>>> 
>>>>
>>>> 
>>>> 
>>>> Filename %D/users
>>>> EAPType PEAP
>>>> EAPTLS_CAFile %D/certificates/cacert.pem
>>>> #   EAPTLS_CAPath
>>>> EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
>>>> EAPTLS_CertificateType PEM
>>>> EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
>>>> EAPTLS_PrivateKeyPassword verysecret
>>>> #   EAPTLS_RandomFile %D/certificates/random
>>>> EAPTLS_MaxFragmentSize 1024
>>>> #   EAPTLS_DHFile %D/certificates/cert/dh
>>>> #EAPTLS_CRLCheck
>>>> #EAPTLS_CRLFile %D/certificates/crl.pem
>>>> #EAPTLS_CRLFile %D/certificates/revocations.pem
>>>> AutoMPPEKeys
>>>> #EAPTLS_SessionResumption 0
>>>> #EAPTLS_SessionResumptionLimit 10
>>>> EAPAnonymous anonymous@localhost
>>>> EAPTLS_PEAPVersion 0
>>>> EAPTTLS_NoAckRequired
>>>> 
>>>> 
>>>> *** EOF Config File ***
>>>>
>>>>
>>>> Users file:
>>>> mikem user without VLAN default VLAN - Quarantine - no IP address
>>>> mikem1 user with VLAN Empleados - IP address range 10.0.21.0/24
>>&

[RADIATOR] Fwd: Re: Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)

2014-03-26 Thread Roberto Pantoja

Thank you, I will try using the RADIUS proxy to find out exactly which
attributes the Ignition Server sends to the WLAN controller.

On 03/26/2014 12:02 PM, Klara Mall wrote:
> Hi,
>
> On 03/26/2014 06:40 PM, Roberto Pantoja wrote:
>> I have a problem trying to assign dynamic VLANs to users on a
>> WPA2-Enterprise configuration. Users authenticate successfully, and
>> if I don't send the RADIUS attribute "Tunnel-Private-Group-ID" the
>> wireless controller connects me to the default VLAN for the SSID, but
>> when I send "Tunnel-Private-Group-ID", the wireless controller simply
>> drops my connection. The wireless controller documentation says the
>> required attributes in the Access-Accept reply are "Tunnel-Type=VLAN,
>> Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=".
>> Everything works fine using Ignition Server (Avaya's RADIUS server). But
>> the product's documentation says the WC8180 complies with RFC standards and
>> mentions being "compatible and validated" with FreeRADIUS and Microsoft
>> IAS, so I think my case is a configuration issue.
> Are you sure that it's
> Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<name of VLAN>
> for your wireless controller?
>
> We have an HP ProCurve WLAN Controller and I have to send:
> Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID =
> 
>
> It's the same for our LANCOM Access Points which are autonomous (no
> controller).
>
> I found a document "Avaya WLAN 8100 Fundamentals" regarding AVAYA WC8180
> WLAN Controller. They say WC8180 is part of the WLAN 8100 solution.
> http://198.152.212.23/css/P8/documents/100161076 (PDF file)
>
> On page 87 they talk about authorization attributes:
> Tunnel-Private-Group-Id: Mobility VLAN Name
> Tunnel-Medium-Type: The value is 6 (IEEE 802)
> Tunnel-Type: The value is 13 (VLAN)
>
> So perhaps you have to send
>
> Tunnel-Type=13, Tunnel-Medium-Type=6, Tunnel-Private-Group-ID=
>
> Apart from that: is it possible to proxy the request of the controller
> through radiator to the Ignition Server i.e. to configure the radiator
> server as a client on the Ignition Server? Then you'd see all attributes
> that the Ignition Server is sending in the radiator debug log.
>
> Regards
> Klara
>


-- 
---
Roberto Carlos Pantoja Valdizón
Systems Analyst
ATI/GDEI/LaGeo
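The Tag octet Sami describes in his reply above, and the numeric values Klara quotes from the Avaya WLAN 8100 document (Tunnel-Type 13, Tunnel-Medium-Type 6), as an added Python example. This is not code from the Radiator list thread and not Radiator's own code: it encodes the three RFC 2868 attributes with and without a Tag octet, decodes them the way RFC 2868 tells a NAS to (which explains why some controllers tolerate an untagged value and others do not), and wraps them in an Access-Accept whose Response Authenticator (RFC 2865 section 3) can be verified, which is the check you would run against a proxied Ignition Server reply. The VLAN names, identifier, request authenticator and shared secret are constructed sample values.

```python
"""RFC 2868 tunnel attributes for dynamic VLAN assignment (added example).

Builds Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID with the
Tag octet RFC 2868 puts in front of the value, decodes them as a NAS is told
to, and wraps them in an Access-Accept with a verifiable Response
Authenticator. All sample values below are constructed.
"""
import hashlib
import hmac
import struct

# RFC 2868 attribute types and the values RFC 3580 uses for VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # "802"
ACCESS_ACCEPT = 2              # RFC 2865 packet code


def _check_tag(tag):
    # RFC 2868: tags 0x01..0x1F group attributes of one tunnel; 0x00 = unused.
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F, got %r" % tag)


def encode_tagged_integer(attr_type, tag, value):
    """Type | Length=6 | Tag | Value (3 octets)."""
    _check_tag(tag)
    if not 0 <= value < 1 << 24:
        raise ValueError("tagged integer must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Type | Length | Tag | String."""
    _check_tag(tag)
    data = text.encode("utf-8")
    if len(data) > 252:        # 255 max Length minus Type, Length and Tag
        raise ValueError("string too long for one RADIUS attribute")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_reply_attributes(vlan, tag=1):
    """The three attributes a NAS needs to place the session in `vlan`.

    `vlan` may be a numeric ID or a name; which one a given controller
    accepts is vendor-specific. tag=0 sends the 0x00 "unused" tag, tag=1
    the "1:" form.
    """
    return (encode_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def decode_attributes(blob):
    """Return [(type, tag, value), ...] for a RADIUS attribute list.

    RFC 2868 rule for Tunnel-Private-Group-ID: a first octet above 0x1F is
    not a Tag but the first byte of the String, so an untagged "ATI" still
    decodes. An untagged 4-octet integer 13 decodes too, because its first
    octet happens to be 0x00. A NAS stricter than this is why the Tag is
    worth sending explicitly.
    """
    out, pos = [], 0
    tunnel_types = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length at offset %d" % pos)
        body = blob[pos + 2:pos + length]
        if attr_type in tunnel_types and not body:
            raise ValueError("empty tunnel attribute at offset %d" % pos)
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if body[0] <= 0x1F:
                tag, value = body[0], body[1:].decode("utf-8", "replace")
            else:
                tag, value = 0, body.decode("utf-8", "replace")
        else:
            tag, value = None, bytes(body)
        out.append((attr_type, tag, value))
        pos += length
    return out


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Code | Identifier | Length | Response Authenticator | Attributes.

    Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(packet, request_authenticator, secret):
    """True iff the Response Authenticator matches the request and secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    attrs = vlan_reply_attributes("ATI", tag=1)   # constructed VLAN name
    print(attrs.hex())
    print(decode_attributes(attrs))
```

With tag=1 the bytes on the wire are 40 06 01 00 00 0d, 41 06 01 00 00 06, 51 06 01 41 54 49; with tag=0 the third octet of each is 00, which is exactly what an untagged 4-octet integer 13 looks like, so the "0:" and untagged forms are indistinguishable for the integer attributes and only differ for the group ID string. When inspecting a reply proxied through Radiator, compare the decoded tuples and run verify_access_accept() against the Request Authenticator of the matching Access-Request before trusting the attribute list.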







Re: [RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)

2014-03-26 Thread Roberto Pantoja
Thank you for your prompt answer, but I have the same effect if I put
the VLAN name or the numeric ID. Do you have any other idea that could help me
resolve this problem?

Best regards.

On 03/26/2014 11:37 AM, Hartmaier Alexander wrote:
> On 2014-03-26 18:40, Roberto Pantoja wrote:
>> I have a problem trying to assign dynamic VLANs to users on a
>> WPA2-Enterprise configuration. Users authenticate successfully,
>> and if I don't send the RADIUS attribute "Tunnel-Private-Group-ID"
>> the wireless controller connects me to the default VLAN for the SSID,
>> but when I send "Tunnel-Private-Group-ID", the wireless controller
>> simply drops my connection. The wireless controller documentation
>> says the required attributes in the Access-Accept reply are
>> "Tunnel-Type=VLAN, Tunnel-Medium-Type=802,
>> Tunnel-Private-Group-ID=".  Everything works fine using
>> Ignition Server (Avaya's RADIUS server). But the product's
>> documentation says the WC8180 complies with RFC standards and mentions
>> being "compatible and validated" with FreeRADIUS and Microsoft IAS, so I
>> think my case is a configuration issue.
>>
>> Regards.
>>
>> Radiator Version: 4.12.1
>> Wireless Controller: AVAYA WC8180
>> Wireless Access Points: AVAYA AP8120
>>
>> Config file:
>> *** Config File ***
>> # radius.cfg
>>
>> Foreground
>> LogStdout
>> LogDir  /var/log/radius
>> LogFile %L/logfile.%Y.%m.%d
>> DbDir   /etc/radiator
>> # Use a lower trace level in production systems:
>> Trace   4
>> AuthPort 1812
>> AcctPort 1813
>>
>> 
>> Secret verysecret
>> PacketTrace
>> Identifier Avaya WC8180
>> 
>>
>> 
>> 
>> Filename %D/users
>> EAPType MSCHAP-V2
>> 
>> 
>>
>> 
>> 
>> Filename %D/users
>> EAPType PEAP
>> EAPTLS_CAFile %D/certificates/cacert.pem
>> #   EAPTLS_CAPath
>> EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
>> EAPTLS_PrivateKeyPassword verysecret
>> #   EAPTLS_RandomFile %D/certificates/random
>> EAPTLS_MaxFragmentSize 1024
>> #   EAPTLS_DHFile %D/certificates/cert/dh
>> #EAPTLS_CRLCheck
>> #EAPTLS_CRLFile %D/certificates/crl.pem
>> #EAPTLS_CRLFile %D/certificates/revocations.pem
>> AutoMPPEKeys
>> #EAPTLS_SessionResumption 0
>> #EAPTLS_SessionResumptionLimit 10
>> EAPAnonymous anonymous@localhost
>> EAPTLS_PEAPVersion 0
>> EAPTTLS_NoAckRequired
>> 
>> 
>> *** EOF Config File ***
>>
>>
>> Users file:
>> mikem user without VLAN default VLAN - Quarantine - no IP address
>> mikem1 user with VLAN Empleados - IP address range 10.0.21.0/24
>> mikem2 user with VLAN ATI - IP address range 10.0.19.0/24
>> *** Users file ***
>> # users
>> # This is an example of how to set up simple user for
>> # AuthBy FILE.
>> # The example user mikem has a password of fred, and will
>> # receive reply attributes suitable for most NASs.
>> # You can do many more interesting things. See the Radiator reference
>> # manual for more details
>> #
>> # You can test this user with the command
>> #  perl radpwtst
>>
>> mikem   User-Password=fred
>> Service-Type = Framed-User,
>> Tunnel-Medium-Type = 802,
>> Tunnel-Type = VLAN
>>
>> mikem1  User-Password=fred
>> Service-Type = Framed-User,
>> Tunnel-Private-Group-ID = Empleados,
>> Tunnel-Medium-Type = 802,
>> Tunnel-Type = VLAN
>>
>> mikem2  User-Password=fred
>> Service-Type = Framed-User,
>> Tunnel-Private-Group-ID = ATI,
>> Tunnel-Medium-Type = 802,
>> Tunnel-Type = VLAN
>>
>> *** EOF users file ***
>
> We're doing that with Cisco WLCs without problems but in our case by
> sending the VLAN ID, not its name like for wired dot1x where Cisco IOS
> switches want the VLAN name:
>
> AddToReply Tunnel-Type=VLAN,\
>Tunnel-Medium-Type=802, \
>Tunnel-Private-G

[RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)

2014-03-26 Thread Roberto Pantoja
I have a problem trying to assign dynamic VLANs to users on a
WPA2-Enterprise configuration. Users authenticate successfully, and
if I don't send the RADIUS attribute "Tunnel-Private-Group-ID" the
wireless controller connects me to the default VLAN for the SSID, but
when I send "Tunnel-Private-Group-ID", the wireless controller simply
drops my connection. The wireless controller documentation says the
required attributes in the Access-Accept reply are "Tunnel-Type=VLAN,
Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=".
Everything works fine using Ignition Server (Avaya's RADIUS server). But
the product's documentation says the WC8180 complies with RFC standards and
mentions being "compatible and validated" with FreeRADIUS and Microsoft
IAS, so I think my case is a configuration issue.

Regards.

Radiator Version: 4.12.1
Wireless Controller: AVAYA WC8180
Wireless Access Points: AVAYA AP8120

Config file:
*** Config File ***
# radius.cfg

Foreground
LogStdout
LogDir  /var/log/radius
LogFile %L/logfile.%Y.%m.%d
DbDir   /etc/radiator
# Use a lower trace level in production systems:
Trace   4
AuthPort 1812
AcctPort 1813


Secret verysecret
PacketTrace
Identifier Avaya WC8180




Filename %D/users
EAPType MSCHAP-V2





Filename %D/users
EAPType PEAP
EAPTLS_CAFile %D/certificates/cacert.pem
#   EAPTLS_CAPath
EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
EAPTLS_PrivateKeyPassword verysecret
#   EAPTLS_RandomFile %D/certificates/random
EAPTLS_MaxFragmentSize 1024
#   EAPTLS_DHFile %D/certificates/cert/dh
#EAPTLS_CRLCheck
#EAPTLS_CRLFile %D/certificates/crl.pem
#EAPTLS_CRLFile %D/certificates/revocations.pem
AutoMPPEKeys
#EAPTLS_SessionResumption 0
#EAPTLS_SessionResumptionLimit 10
EAPAnonymous anonymous@localhost
EAPTLS_PEAPVersion 0
EAPTTLS_NoAckRequired


*** EOF Config File ***


Users file:
mikem user without VLAN default VLAN - Quarantine - no IP address
mikem1 user with VLAN Empleados - IP address range 10.0.21.0/24
mikem2 user with VLAN ATI - IP address range 10.0.19.0/24
*** Users file ***
# users
# This is an example of how to set up simple user for
# AuthBy FILE.
# The example user mikem has a password of fred, and will
# receive reply attributes suitable for most NASs.
# You can do many more interesting things. See the Radiator reference
# manual for more details
#
# You can test this user with the command
#  perl radpwtst

mikem   User-Password=fred
Service-Type = Framed-User,
Tunnel-Medium-Type = 802,
Tunnel-Type = VLAN

mikem1  User-Password=fred
Service-Type = Framed-User,
Tunnel-Private-Group-ID = Empleados,
Tunnel-Medium-Type = 802,
Tunnel-Type = VLAN

mikem2  User-Password=fred
Service-Type = Framed-User,
Tunnel-Private-Group-ID = ATI,
Tunnel-Medium-Type = 802,
Tunnel-Type = VLAN

*** EOF users file ***

-- 
---
Roberto Carlos Pantoja Valdizón
Systems Analyst
ATI/GDEI/LaGeo


