[RADIATOR] PEAP from Radiator via Juniper switches

2013-07-26 Thread Garry Shtern
All,

I ran into an interesting issue.  I am trying to do PEAP/MSCHAPv2 via Juniper 
EX switch to Radiator.  I am seeing the Access-Request come in, and Radiator 
responds with Access-Challenge which is dropped by the EX.  However, I have the 
same switch pointing to Microsoft NPS and everything works flawlessly.

Looking over packet captures and debugs on the Radiator I noticed the following 
difference in responses:

-  NPS returns "Authenticator" and the following AVPs:

   o   Session-Timeout

   o   EAP-Message w/ EAP Request 1, Id 1, Type 25 (PEAP), Start Flag and PEAP version 0

   o   State

   o   Message-Authenticator

-  Radiator returns "Authenticator" and none of the AVPs.

I am suspecting that Juniper EX has an issue with this and that's why it's 
dropping the frames, while Cisco IOS switch is absolutely fine and forwards the 
traffic back to the client w/o much of a consideration.

Is there any easy way to force Radiator to add the same attributes to the 
Challenge as NPS?

Thanks.


___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] PEAP from Radiator via Juniper switches

2013-07-27 Thread Alan Buxey
config?

alan


Re: [RADIATOR] PEAP from Radiator via Juniper switches

2013-07-28 Thread Garry Shtern
Hi Alan,

The config is pretty straightforward.  Here you go:


# User check from user file
<AuthBy FILE>
    Identifier  user-file-auth

    # Location of the users file
    Filename    %D/users

    # Supported EAP types and session info
    EAPType     PEAP,TLS,MSCHAP-V2
    EAPTLS_MaxFragmentSize  1024
    EAPTLS_SessionResumptionLimit   60

    # Certificate info
    EAPTLS_CAFile   %D/certs/ca.pem
    EAPTLS_CertificateType  PEM
    EAPTLS_PrivateKeyFile   %D/certs/%h.pem
    EAPTLS_CertificateChainFile %D/certs/%h.pem

    # This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2
    # request into an ordinary Radius-MSCHAPV2 request and redespatch it to
    # a Handler that matches ConvertedFromEAPMSCHAPV2=1
    EAP_PEAP_MSCHAP_Convert 1

    # Deal with MPPE keys
    AutoMPPEKeys
</AuthBy>

Re: [RADIATOR] PEAP from Radiator via Juniper switches

2013-07-29 Thread Sami Keski-Kasari
Hello Garry,

Can you reply with a Trace 4 log file?

Best Regards,
  Sami

-- 
Sami Keski-Kasari 


Re: [RADIATOR] PEAP from Radiator via Juniper switches

2013-07-29 Thread Garry Shtern
Sure, here you go...

Fri Jul 19 22:07:40 2013: DEBUG: Packet dump:
*** Received from 172.20.60.2 port 6850 
Code:   Access-Request
Identifier: 196
Authentic:  <205>dD<193>x<230><138><161>+?B<217>k<154><218>C
Attributes:
User-Name = "SECURITYTEST$"
NAS-Port = 121
EAP-Message = <2><0><0><18><1>SECURITYTEST$
Message-Authenticator = 
<246>X<208>3<137><196>#nP<230><186>^<138><25><226><227>
Acct-Session-Id = "8O2.1x81a0139d000556a4"
NAS-Port-Id = "ge-0/0/14.0"
Calling-Station-Id = "78-2b-cb-9a-85-34"
Called-Station-Id = "88-e0-f3-b0-80-00"
NAS-IP-Address = 192.168.61.6
NAS-Identifier = "udsw16-1603-1-re0"
NAS-Port-Type = Ethernet

Fri Jul 19 22:07:40 2013: DEBUG: Handling request with Handler '', Identifier ''
Fri Jul 19 22:07:40 2013: DEBUG: Rewrote user name to SECURITYTEST$
Fri Jul 19 22:07:40 2013: DEBUG:  Deleting session for SECURITYTEST$, 
192.168.61.6, 121
Fri Jul 19 22:07:40 2013: DEBUG: Handling with Radius::AuthFILE: user-file-auth
Fri Jul 19 22:07:40 2013: DEBUG: Handling with EAP: code 2, 0, 18, 1
Fri Jul 19 22:07:40 2013: DEBUG: Response type 1
Fri Jul 19 22:07:40 2013: DEBUG: EAP result: 3, EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
Challenge
Fri Jul 19 22:07:40 2013: DEBUG: Access challenged for SECURITYTEST$: EAP PEAP 
Challenge
Fri Jul 19 22:07:40 2013: DEBUG: Packet dump:
*** Sending to 172.20.60.2 port 6850 
Code:   Access-Challenge
Identifier: 196
Authentic:  7<11>p;<158><225><243><247><16><206>C<22><178>F<231><252>
Attributes:


Re: [RADIATOR] PEAP from Radiator via Juniper switches

2013-07-29 Thread Garry Shtern
I figured out what happened.  I apply "AllowInReply" attributes to the clients 
depending on the type and I forgot to include "EAP-Message", 
"Message-Authenticator" and others.

Once I added those, everything started working correctly.

Thanks!
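An added example (not from the thread, and not Radiator's own code) that encodes the check this thread turned on: it parses a Trace 4 "Packet dump" block like the one posted above, reports which of the attributes an EAP Access-Challenge needs are absent, and models the per-Client AllowInReply allow-list from the resolution so the stripped and corrected replies can be compared. The dump texts and binary attribute values are constructed to mirror the log; the comma-separated AllowInReply form is an assumption.

```python
"""Added example (not from the thread): check a Radiator Trace 4 'Packet dump'
for the attributes an EAP Access-Challenge needs, and model AllowInReply."""
import re

# RFC 3579: an Access-Challenge carrying EAP must include EAP-Message and
# Message-Authenticator; State lets the NAS tie the next request to this EAP run.
EAP_CHALLENGE_REQUIRED = {"EAP-Message", "Message-Authenticator", "State"}

# Allow-list that keeps PEAP working (comma-separated form is assumed; the
# thread's fix was adding the first three names to the Client clause's list).
FIXED_ALLOW_IN_REPLY = "EAP-Message,Message-Authenticator,State,Session-Timeout"

# Constructed dumps in the Trace 4 layout from the thread: the empty challenge
# Radiator sent, and an NPS-style one (EAP Request, Id 1, length 6, type 25
# PEAP, flags 0x20 = Start bit with version 0); binary values are made up.
BAD_DUMP = """\
Code:   Access-Challenge
Attributes:
"""
GOOD_DUMP = """\
Code:   Access-Challenge
Attributes:
\tSession-Timeout = 30
\tEAP-Message = <1><1><0><6><25><32>
\tState = <211>sS<0>z
\tMessage-Authenticator = <246>X<208>3
"""

def parse_trace4_dump(text):
    """Return (code, {attribute: value}) from one 'Packet dump:' block."""
    code = re.search(r"^Code:\s+(\S+)", text, re.M).group(1)
    attrs = {}
    for line in text.split("Attributes:", 1)[1].splitlines():
        m = re.match(r"^\s*([\w-]+)\s*=\s*(.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return code, attrs

def missing_for_eap(code, attrs):
    """Required attributes an EAP Access-Challenge lacks (empty set = fine)."""
    if code != "Access-Challenge":
        return set()
    return EAP_CHALLENGE_REQUIRED - set(attrs)

def apply_allow_in_reply(attrs, allow_in_reply):
    """Model Radiator's per-Client AllowInReply: only listed names survive."""
    allowed = {a.strip() for a in allow_in_reply.split(",")}
    return {k: v for k, v in attrs.items() if k in allowed}
```

Run `missing_for_eap(*parse_trace4_dump(dump))` over each Access-Challenge dump in a Trace 4 log; a non-empty result on a challenge is the symptom seen here, and applying a Client's AllowInReply list to a full reply shows which names the list must carry.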