Hi,
On Wed, 16 Feb 2011, Raúl Tejeda Calero wrote:
Hi,
I'm still having problems with my PEAP-MSCHAP-V2 configuration.
But the problem seems more complex this time and I'm not sure I understand the
process.
The log shows this:
Schema:
1) EAPChallenge for mikem
2) Access challenged for anonymous: EAP PEAP Challenge
3) Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
4) EAP PEAP inner authentication request for anonymous
5) Access challenged for anonymous: EAP MSCHAP-V2 Challenge
6) Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
7) Radius::AuthFILE looks for match with mikem [anonymous]
Radius::AuthFILE ACCEPT: : mikem [anonymous]
EAP result: 1, EAP MSCHAP-V2 Authentication failure
Thanks for the help.
Raúl Tejeda
** Details: **
Radius.cfg:
######################################################################################################
######################################################################################################
# Basic radius configuration #
# outer auth with just PEAP
<Handler NAS-IP-Address="<WLC-IP>">
<AuthBy FILE>
EAPType PEAP, MSCHAP-V2
Filename %D/users-eap
EAPTLS_CAFile %D/certificados/CAxxx.pem
EAPTLS_CAPath %D/certificados
EAPTLS_CertificateFile %D/certificados/serverxxx.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificados/serverxxx.key
EAPTLS_MaxFragmentSize 500
</AuthBy>
</Handler>
# inner auth with MS-CHAP-V2
<Handler NAS-IP-Address="<WLC-IP>",TunnelledByPEAP=1>
<AuthBy FILE>
RewriteUsername s/(.*)\\(.*)/$2/
EAPType MSCHAP-V2
Filename %D/users
EAPTLS_CAFile %D/certificados/CAxxx.pem
EAPTLS_CertificateFile %D/certificados/serverxxx.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificados/serverxxx.key
EAPTLS_MaxFragmentSize 500
</AuthBy>
</Handler>
You might want to do the following:
1. Swap the order of the two handlers so that the more specific TunnelledByPEAP
handler is checked first. From looking at your logs it seems all requests go
into your outer auth handler and thus into the wrong AuthBy FILE.
2. Drop the MSCHAP-V2 from your EAPType list in your outer auth handler.
It is of no use there as there is no MSCHAP in the outer authentication.
3. Drop all the EAPTLS options from your inner auth as they are of no use for
MSCHAP.
4. Add identifiers to both handlers so you can more easily identify them in
your logs.
Something like this for the outer handler
Identifier EAP-PEAP
and this for the inner
Identifier EAP-MSCHAP-V2
This should get you a bit further. If it still does not work post the
new config and the appropriate log and we should see what is happening.
Greetings
Christian Kratzer
CK Software GmbH
--
Christian Kratzer
CK Software GmbH
Wildberger Weg 24/2
D-71126 Gaeufelden
Email: c...@cksoft.de
Phone: +49 7032 893 997 - 0
Fax: +49 7032 893 997 - 9
Web: http://www.cksoft.de/
HRB 245288, Amtsgericht Stuttgart
Geschaeftsfuehrer: Christian Kratzer
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator