I figured out what happened. I apply "AllowInReply" attributes to the clients depending on the type and I forgot to include "EAP-Message", "Message-Authenticator" and others.

Once I added those, everything started working correctly. Thanks!

-----Original Message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Garry Shtern
Sent: Monday, July 29, 2013 9:05 AM
To: 'Sami Keski-Kasari'; radiator@open.com.au
Subject: Re: [RADIATOR] PEAP from Radiator via Juniper switches

Sure, here you go...

Fri Jul 19 22:07:40 2013: DEBUG: Packet dump:
*** Received from 172.20.60.2 port 6850 ....
Code:       Access-Request
Identifier: 196
Authentic:  <205>dD<193>x<230><138><161>+?B<217>k<154><218>C
Attributes:
	User-Name = "SECURITYTEST$"
	NAS-Port = 121
	EAP-Message = <2><0><0><18><1>SECURITYTEST$
	Message-Authenticator = <246>X<208>3<137><196>#nP<230><186>^<138><25><226><227>
	Acct-Session-Id = "8O2.1x81a0139d000556a4"
	NAS-Port-Id = "ge-0/0/14.0"
	Calling-Station-Id = "78-2b-cb-9a-85-34"
	Called-Station-Id = "88-e0-f3-b0-80-00"
	NAS-IP-Address = 192.168.61.6
	NAS-Identifier = "udsw16-1603-1-re0"
	NAS-Port-Type = Ethernet

Fri Jul 19 22:07:40 2013: DEBUG: Handling request with Handler '', Identifier ''
Fri Jul 19 22:07:40 2013: DEBUG: Rewrote user name to SECURITYTEST$
Fri Jul 19 22:07:40 2013: DEBUG: Deleting session for SECURITYTEST$, 192.168.61.6, 121
Fri Jul 19 22:07:40 2013: DEBUG: Handling with Radius::AuthFILE: user-file-auth
Fri Jul 19 22:07:40 2013: DEBUG: Handling with EAP: code 2, 0, 18, 1
Fri Jul 19 22:07:40 2013: DEBUG: Response type 1
Fri Jul 19 22:07:40 2013: DEBUG: EAP result: 3, EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: Access challenged for SECURITYTEST$: EAP PEAP Challenge
Fri Jul 19 22:07:40 2013: DEBUG: Packet dump:
*** Sending to 172.20.60.2 port 6850 ....
Code:       Access-Challenge
Identifier: 196
Authentic:  7<11>p;<158><225><243><247><16><206>C<22><178>F<231><252>
Attributes:

-----Original Message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Sami Keski-Kasari
Sent: Monday, July 29, 2013 6:52 AM
To: radiator@open.com.au
Subject: Re: [RADIATOR] PEAP from Radiator via Juniper switches

Hello Garry,

Can you reply with Trace 4 log file.

Best Regards,
Sami

On 07/29/2013 04:27 AM, Garry Shtern wrote:
> Hi Alan,
>
> The config is pretty straight forward. Here you go:
>
> # User check from user file
> <AuthBy FILE>
>     Identifier user-file-auth
>
>     # Location of the users file
>     Filename %D/users
>
>     # Supported EAP Types and session info
>     EAPType PEAP,TLS,MSCHAP-V2
>     EAPTLS_MaxFragmentSize 1024
>     EAPTLS_SessionResumptionLimit 60
>
>     # Certificate Info
>     EAPTLS_CAFile %D/certs/ca.pem
>     EAPTLS_CertificateType PEM
>     EAPTLS_PrivateKeyFile %D/certs/%h.pem
>     EAPTLS_CertificateChainFile %D/certs/%h.pem
>
>     # This flag tells EAPType MSCHAP-V2 to convert the inner EAP-MSCHAPV2 request into
>     # an ordinary Radius-MSCHAPV2 request and redespatch to a Handler
>     # that matches ConvertedFromEAPMSCHAPV2=1
>     EAP_PEAP_MSCHAP_Convert 1
>
>     # Deal with MPPE keys
>     AutoMPPEKeys
> </AuthBy>
>
> From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
> Sent: Saturday, July 27, 2013 7:22 AM
> To: Garry Shtern; 'radiator@open.com.au'
> Subject: Re: [RADIATOR] PEAP from Radiator via Juniper switches
>
> config?
>
> alan
>
> -------- Original message --------
> From: Garry Shtern <garry.sht...@twosigma.com>
> Date: 26/07/2013 22:40 (GMT+00:00)
> To: "'radiator@open.com.au'" <radiator@open.com.au>
> Subject: [RADIATOR] PEAP from Radiator via Juniper switches
>
> All,
>
> I ran into an interesting issue. I am trying to do PEAP/MSCHAPv2 via Juniper EX switch to Radiator. I am seeing the Access-Request come in, and Radiator responds with Access-Challenge which is dropped by the EX. However, I have the same switch pointing to Microsoft NPS and everything works flawlessly.
>
> Looking over packet captures and debugs on the Radiator I noticed the following difference in responses:
>
> - NPS returns "Authenticator" and following AVPs:
>   o Session-Timeout
>   o EAP-Message w/ EAP Request 1, Id 1, Type 25 (PEAP), Start Flag and PEAP version 0
>   o State
>   o Message-Authenticator
> - Radiator returns "Authenticator" and none of the AVPs.
>
> I am suspecting that Juniper EX has an issue with this and that's why it's dropping the frames, while Cisco IOS switch is absolutely fine and forwards the traffic back to the client w/o much of a consideration.
>
> Is there any easy way to force Radiator to add the same attributes to the Challenge as NPS?
>
> Thanks.
>
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

--
Sami Keski-Kasari <sam...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
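Garry's closing message pins the failure on a per-client AllowInReply list that stripped EAP-Message, Message-Authenticator and the other attributes from the Access-Challenge, leaving the switch with a reply it could not validate. As an added example that is not from the thread or from Radiator, this Python builds an EAP Access-Challenge as RFC 2865/2869/3579 describe, applies an AllowInReply-style attribute filter to it, and reports what a strict NAS would object to; the shared secret, Request Authenticator, State value and PEAP start message are constructed sample values.

```python
import hashlib, hmac, struct
# Access-Challenge packet code and RADIUS attribute type codes (RFC 2865/2869)
ACCESS_CHALLENGE, SESSION_TIMEOUT, STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 11, 27, 24, 79, 80
# An Access-Challenge carrying EAP must include EAP-Message, State and Message-Authenticator (RFC 3579)
REQUIRED_IN_EAP_CHALLENGE = {EAP_MESSAGE, STATE, MESSAGE_AUTHENTICATOR}

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_challenge(ident, request_auth, secret, attrs, with_ma):
    """Assemble an Access-Challenge with Response Authenticator (RFC 2865) and optional Message-Authenticator (RFC 2869)."""
    if with_ma:
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    header = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(encode_attrs(attrs)))
    if with_ma:
        # Message-Authenticator = HMAC-MD5(secret) over Code+ID+Length, the Request Authenticator of the
        # Access-Request being answered, and the attributes with the Message-Authenticator value zeroed
        ma = hmac.new(secret, header + request_auth + encode_attrs(attrs), hashlib.md5).digest()
        attrs[-1] = (MESSAGE_AUTHENTICATOR, ma)
    body = encode_attrs(attrs)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 section 3)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def check_eap_challenge(packet, request_auth, secret):
    """Return what a strict NAS could object to in an EAP Access-Challenge (empty list means acceptable)."""
    header, attrs = packet[:4], decode_attrs(packet[20:])
    present = {t for t, _ in attrs}
    problems = [f"missing attribute type {t}" for t in sorted(REQUIRED_IN_EAP_CHALLENGE - present)]
    if MESSAGE_AUTHENTICATOR in present:
        zeroed = encode_attrs([(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
        expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
        got = next(v for t, v in attrs if t == MESSAGE_AUTHENTICATOR)
        if not hmac.compare_digest(got, expected):
            problems.append("Message-Authenticator mismatch")
    return problems

def reply_after_filter(allowed):
    """Keep only the allowed attribute types, as an AllowInReply-style list does, then check the reply."""
    secret, request_auth = b"constructed-shared-secret", bytes(range(16))  # constructed sample values
    # Constructed PEAP start: EAP Request, Id 1, length 6, Type 25 (PEAP), flags 0x20 = Start, version 0
    attrs = [(SESSION_TIMEOUT, struct.pack("!I", 60)), (EAP_MESSAGE, bytes.fromhex("010100061920")), (STATE, b"\x00\x01")]
    kept = [(t, v) for t, v in attrs if t in allowed]
    packet = build_challenge(196, request_auth, secret, kept, with_ma=MESSAGE_AUTHENTICATOR in allowed)
    return check_eap_challenge(packet, request_auth, secret)
```

An allow-list that only names Session-Timeout produces a challenge missing State, EAP-Message and Message-Authenticator, which is exactly the empty Attributes section in the Trace 4 dump above; adding those three types to the list yields a reply the checker accepts.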