Re: [RADIATOR] Radiator
On 03/26/2012 02:54 PM, Sudhir Harwalkar wrote:

Hello Sudhir,

> Please find the modified EAP-PEAPv0 file, please check once whether whatever
> changes I made are correct or not, please see the error message attached with
> this peaperror.PNG.

Try defining your using slash '/' instead of backslash '\'. For example:

LogDir C:/Radiator/Radiator-Locked-4.9/goodies/

I also recommend defining LogDir and DbDir to point to where Radiator installed its configuration file. Typically this is:

C:/Program Files/Radiator/

The directory specified with DbDir should also have file called dictionary. If not, you need to specify DictionaryFile to point to that file.

Other changes:

You have specified files and directories with '%C:\...'. You do not need to use '%' sign here. Use for example:

Filename C:/Radiator/Radiator-Locked-4.9/users

instead of

Filename %C:\Radiator\Radiator-Locked-4.9/users

Here I also recommend setting AuthBy FILE Filename to C:/Program Files/Radiator/users if C:/Program Files/Radiator/ already contains e.g., dictionary file.

Related to this and your previous message. The simplest users file would have just this one line:

username User-Password=mypassword

This creates users file which knows about one user 'username' and where the user has password 'mypassword'.

Thanks!
Heikki

> Thanks
> Sudhir H
>
> -Original Message-
> From: Sudhir Harwalkar
> Sent: Monday, March 26, 2012 10:53 AM
> To: 'Heikki Vatiainen'
> Subject: RE: [RADIATOR] Radiator
>
> Hi Heikki,
>
> How to add device username and password in our config file. Is there any
> command for that.
>
> Thanks
> Sudhir H
>
> -Original Message-
> From: Sudhir Harwalkar
> Sent: Thursday, March 22, 2012 3:49 PM
> To: 'Heikki Vatiainen'
> Subject: RE: [RADIATOR] Radiator
>
> Thanks a lot Heikki, will try and let you know.
>
> Thanks
> Sudhir H
>
> -Original Message-
> From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On
> Behalf Of Heikki Vatiainen
> Sent: Thursday, March 22, 2012 3:23 PM
> To: radiator@open.com.au
> Subject: Re: [RADIATOR] Radiator
>
> On 03/22/2012 11:44 AM, Sudhir Harwalkar wrote:
>> I made all the changes you have mentioned, then I run the config file, in
>> the log file I got message as follows
>> Thu Mar 22 15:00:17 2012: DEBUG: Finished reading configuration file 'c:\Program Files\Radiator\radiusnew.cfg'
>> Thu Mar 22 15:00:17 2012: DEBUG: Reading dictionary file 'C:\Program Files\Radiator/dictionary'
>> Thu Mar 22 15:00:17 2012: DEBUG: Creating authentication port 0.0.0.0:1812
>> Thu Mar 22 15:00:17 2012: DEBUG: Creating accounting port 0.0.0.0:1813
>> Thu Mar 22 15:00:17 2012: NOTICE: Server started: Radiator 4.9 on EMMYS0938 (LOCKED) Is this authenticated with AP?
>
> Looks good. It is ready to receive messages from AP. There is no
> authentication done between RADIUS server and wireless AP. The shared secret
> and client IP just make sure they can communicate with each other when the
> WLAN users need to be authenticated by the AP.
>
>> As you mentioned I haven't got message like receives from AP.
>
> The next step is to configure AP so that it will authenticate WLAN users. How
> this is done depends on your AP.
>
> Thanks!
> Heikki
>
>
>> Regards
>> Sudhir H
>> -Original Message-
>> From: radiator-boun...@open.com.au
>> [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
>> Sent: Thursday, March 22, 2012 2:22 PM
>> To: radiator@open.com.au
>> Subject: Re: [RADIATOR] Radiator
>>
>> On 03/21/2012 03:58 PM, Sudhir Harwalkar wrote:
>>
>>> Thanks a lot for helping me out.
>>> I have one query :
>>> Steps that I followed for EAP-PEAPv0 Testing:
>>> 1. Copied eap_peap.cfg file to c:\program file
>>
>> Add a Client clause with your AP's address in the configuration. Also set
>> DbDir and LogDir as I just mentioned in my other message:
>>
>> LogDir c:/Program Files/Radiator
>> DbDir c:/Program Files/Radiator
>>
>>> 2. in the command line I typed the command "perl radiusd
>>> -bind_address 192. . . . -auth_port 1812 -log_file filename
>>> -config_file c:\program files\eap_peap.cfg When I run this command I
>>> am getting an error, the error details are shown in the screenshot
>>> named as eap_peap.PNG
>>
>> You do not need to set BindAddress. If set, it should be address belonging
>> to your computer, not to the AP. You usually do not need to set this at all.
>>
>>> - Is there anything that I need to make change?
>>
>> Please see above.
>>
>>> -How does we know that communication happening between AP and Radius Server?
>>
>> The log will messages Radiator receives from AP.
>>
>>> -Port address that I have given in AP is 1812 is that right?
>>
>> Please see above. About auth_port, it should match the setting in AP. By
>> default Radiator uses 1645 so you need to check both AP and Radiator use
>> same po
Re: [RADIATOR] CRL reload error
Hi Heikki,

On 2012-03-22 17:16, Heikki Vatiainen wrote:
> On 03/21/2012 12:11 PM, Alexander Hartmaier wrote:
>
>> Now that our dot1x and WLAN Radiator needs to check three different crls
>> I've looked into a better solution for refreshing them.
>> While reading Radius::TLS I've stumbled over the method reloadCrls which
>> claims to reload the crl if the timestamp changes. Has this ever worked?
> I asked about this, and this is the current situation: The code in
> Radiator works and is enabled (if so configured) by default. So the code
> for checking CRLs is there without modifications to Radiator sources.
>
> If the check really happens as expected depends on OpenSSL library.
> There is a patch for a 0.9.? version, but it doesn't work in 1.0. It
> could be that some distributions have applied the patch themselves, so
> the situation is not very clear. There are a couple of entries in
> OpenSSL request tracker, but it does not look like they have been processed.
>
> You could try to see if it works on your system.

I didn't find anything regarding autoloading of the crl in the openssl changelog so the patch must still be not mainline.
We're using Debian Squeeze (6) on the server with openssl from the testing tree to get openssl 1.0.0 which is now at version 1.0.0h.

Is OCSP an option instead of a crl? Can Radiator use OCSP?

>
>> In the contextInit method you've put a note # REVISIT: what if a CRL
>> changes while we are running?
> Hmm, that might be a little older comment, I'll check that too.
>
>> I'm trying to restart Radiator as rarely as possible to not terminate an
>> ongoing EAP communication but the crls all have different expiration
>> dates (two have a lifetime of a day, the third of a week which will
>> probably also changed to a day or less).
> That's very understandable.
>
> Heikki
>
>> Best regards, Alex

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
[RADIATOR] EAP Nak desires type 26
Hello all

I use a PEAP, MSCHAPV2 auth set up, going to an AD server. I will send on config file if needed, but hopefully it's a simple fix

I get the error EAP Nak desires type 26. From Google and everything else I don't get much. Can anyone send me on my way,

Regards

Richard Dunne
DIT.IE

This message has been scanned for content and viruses by the DIT Information Services E-Mail Scanning Service, and is believed to be clean. http://www.dit.ie
Re: [RADIATOR] EAP Nak desires type 26
I found this on a cisco book

VALUE EAP-Type MS-EAP-Authentication 26

Now the problem is I use ms-chap v2 and it works fine. So why am I seeing this message

Thanks for any ideas

Richard

From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Richard Dunne
Sent: 26 March 2012 10:55
To: radiator@open.com.au
Subject: [RADIATOR] EAP Nak desires type 26

Hello all

I use a PEAP, MSCHAPV2 auth set up, going to an AD server. I will send on config file if needed, but hopefully it's a simple fix

I get the error EAP Nak desires type 26. From Google and everything else I don't get much. Can anyone send me on my way,

Regards

Richard Dunne
DIT.IE
Re: [RADIATOR] EAP Nak desires type 26
Hi,

>I use a PEAP, MSCHAPV2 auth set up, going to an AD server. I will send on
>config file if needed, but hopefully it’s a simple fix

sending the obfuscated config might help..

type 26 is EAP MS-CHAP-V2 (a slightly different beast to plain MSCHAPv2) - your config needs to be configured to handle that type...

you can convert EAP-MSCHAPv2 into plain MSCHAPv2 (EAP_PEAP_MSCHAP_Convert)

alan
Re: [RADIATOR] EAP Nak desires type 26
On 03/26/2012 05:55 PM, Richard Dunne wrote:

> I use a PEAP, MSCHAPV2 auth set up, going to an AD server. I will send
> on config file if needed, but hopefully it’s a simple fix
> I get the error *EAP Nak desires type 26. *From Google and everything
> else I don’t get much. Can anyone send me on my way,

I agree with Alan. Sounds like there is a 'EAPType MSCHAP-V2' missing somewhere. Most likely from an inner PEAP AuthBy.

Heikki

--
Heikki Vatiainen

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] EAP Nak desires type 26
An EAP NAK is usually issued by the Client Side when the server initiates the connection with a method and the client is not configured for it.
In the NAK the client sends the EAP Method type it supports/is configured for.

From the Log snippet it seems that the client is setup for EAPMsChapv2 instead of PEAP Eap-MsChapv2

On Mon, Mar 26, 2012 at 3:33 PM, Richard Dunne wrote:

> I found this on a cisco book
>
> VALUE EAP-Type MS-EAP-Authentication 26
>
> Now the problem is I use ms-chap v2 and it works fine. So why am I seeing
> this message
>
> Thanks for any ideas
>
> Richard
>
> *From:* radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au]
> *On Behalf Of *Richard Dunne
> *Sent:* 26 March 2012 10:55
> *To:* radiator@open.com.au
> *Subject:* [RADIATOR] EAP Nak desires type 26
>
> Hello all
>
> I use a PEAP, MSCHAPV2 auth set up, going to an AD server. I will send on
> config file if needed, but hopefully it’s a simple fix
>
> I get the error *EAP Nak desires type 26. *From Google and everything
> else I don’t get much. Can anyone send me on my way,
>
> Regards
>
> Richard Dunne
>
> DIT.IE
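Added example, not part of any message in this thread and not Radiator code: a small RFC 3748 parser for the EAP Response/Nak discussed above, showing where "desires type 26" comes from in the packet and why negotiation fails when the server's allowed method list lacks 26. The sample packet bytes and the `server_types` lists are constructed for illustration, and `next_method` is a simplified model of the negotiation, not Radiator's implementation.

```python
import struct

# EAP method type numbers (RFC 3748 and the IANA EAP registry).
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2"}
EAP_RESPONSE, EAP_NAK = 2, 3

def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field does not match the packet")
    msg = {"code": code, "id": ident, "type": None, "data": b""}
    if code in (1, 2):  # only Request and Response carry a Type octet
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        msg["type"] = packet[4]
        msg["data"] = packet[5:length]  # bytes past Length are padding
    return msg

def nak_desired_types(packet: bytes) -> list:
    """Return the method types a Response/Nak asks for (0 means none)."""
    msg = parse_eap(packet)
    if msg["code"] != EAP_RESPONSE or msg["type"] != EAP_NAK:
        raise ValueError("not an EAP Response/Nak")
    return [t for t in msg["data"] if t != 0]

def next_method(nak_packet: bytes, server_types: list):
    """First desired type the server also allows, or None (auth fails)."""
    for t in nak_desired_types(nak_packet):
        if t in server_types:
            return t
    return None

def describe(nak_packet: bytes, server_types: list) -> str:
    wanted = nak_desired_types(nak_packet)
    names = ", ".join(f"{t} ({EAP_TYPES.get(t, 'unknown')})" for t in wanted)
    chosen = next_method(nak_packet, server_types)
    verdict = f"retry with type {chosen}" if chosen else "no common method, fail"
    return f"EAP Nak desires type {names}: {verdict}"

# Constructed sample: Response, id 7, length 6, type 3 (Nak), desired type 26.
SAMPLE_NAK = bytes([2, 7, 0, 6, 3, 26])

if __name__ == "__main__":
    print(describe(SAMPLE_NAK, [4]))      # inner method list lacks 26
    print(describe(SAMPLE_NAK, [4, 26]))  # 26 allowed inside the tunnel
```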
[RADIATOR] FW: Radiator
I modified the file according to your changes, that works fine.

There are some queries:

1. In the config file if I mentioned Auth PORT and ACCTPORT then it's taking as 1645 and 1646, and I tried with the command line means I gave authport and acctport it's taking properly.
2. I gave UserName and Password for both WLAN Device and Radius Server, but it's not able to associated with the AP and Radius server, how to verify that all three AP,WLAN Device and Radius Server are communicating with each other.

Thanks
Sudhir H

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
Sent: Monday, March 26, 2012 1:35 PM
To: radiator@open.com.au list
Subject: Re: [RADIATOR] Radiator

On 03/26/2012 02:54 PM, Sudhir Harwalkar wrote:

Hello Sudhir,

> Please find the modified EAP-PEAPv0 file, please check once whether whatever
> changes I made are correct or not, please see the error message attached with
> this peaperror.PNG.

Try defining your using slash '/' instead of backslash '\'. For example:

LogDir C:/Radiator/Radiator-Locked-4.9/goodies/

I also recommend defining LogDir and DbDir to point to where Radiator installed its configuration file. Typically this is:

C:/Program Files/Radiator/

The directory specified with DbDir should also have file called dictionary. If not, you need to specify DictionaryFile to point to that file.

Other changes:

You have specified files and directories with '%C:\...'. You do not need to use '%' sign here. Use for example:

Filename C:/Radiator/Radiator-Locked-4.9/users

instead of

Filename %C:\Radiator\Radiator-Locked-4.9/users

Here I also recommend setting AuthBy FILE Filename to C:/Program Files/Radiator/users if C:/Program Files/Radiator/ already contains e.g., dictionary file.

Related to this and your previous message. The simplest users file would have just this one line:

username User-Password=mypassword

This creates users file which knows about one user 'username' and where the user has password 'mypassword'.

Thanks!
Heikki

> Thanks
> Sudhir H
>
> -Original Message-
> From: Sudhir Harwalkar
> Sent: Monday, March 26, 2012 10:53 AM
> To: 'Heikki Vatiainen'
> Subject: RE: [RADIATOR] Radiator
>
> Hi Heikki,
>
> How to add device username and password in our config file. Is there any
> command for that.
>
> Thanks
> Sudhir H
>
> -Original Message-
> From: Sudhir Harwalkar
> Sent: Thursday, March 22, 2012 3:49 PM
> To: 'Heikki Vatiainen'
> Subject: RE: [RADIATOR] Radiator
>
> Thanks a lot Heikki, will try and let you know.
>
> Thanks
> Sudhir H
>
> -Original Message-
> From: radiator-boun...@open.com.au
> [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
> Sent: Thursday, March 22, 2012 3:23 PM
> To: radiator@open.com.au
> Subject: Re: [RADIATOR] Radiator
>
> On 03/22/2012 11:44 AM, Sudhir Harwalkar wrote:
>> I made all the changes you have mentioned, then I run the config file, in
>> the log file I got message as follows
>> Thu Mar 22 15:00:17 2012: DEBUG: Finished reading configuration file 'c:\Program Files\Radiator\radiusnew.cfg'
>> Thu Mar 22 15:00:17 2012: DEBUG: Reading dictionary file 'C:\Program Files\Radiator/dictionary'
>> Thu Mar 22 15:00:17 2012: DEBUG: Creating authentication port 0.0.0.0:1812
>> Thu Mar 22 15:00:17 2012: DEBUG: Creating accounting port 0.0.0.0:1813
>> Thu Mar 22 15:00:17 2012: NOTICE: Server started: Radiator 4.9 on EMMYS0938 (LOCKED) Is this authenticated with AP?
>
> Looks good. It is ready to receive messages from AP. There is no
> authentication done between RADIUS server and wireless AP. The shared secret
> and client IP just make sure they can communicate with each other when the
> WLAN users need to be authenticated by the AP.
>
>> As you mentioned I haven't got message like receives from AP.
>
> The next step is to configure AP so that it will authenticate WLAN users. How
> this is done depends on your AP.
>
> Thanks!
> Heikki
>
>
>> Regards
>> Sudhir H
>> -Original Message-
>> From: radiator-boun...@open.com.au
>> [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
>> Sent: Thursday, March 22, 2012 2:22 PM
>> To: radiator@open.com.au
>> Subject: Re: [RADIATOR] Radiator
>>
>> On 03/21/2012 03:58 PM, Sudhir Harwalkar wrote:
>>
>>> Thanks a lot for helping me out.
>>> I have one query :
>>> Steps that I followed for EAP-PEAPv0 Testing:
>>> 1. Copied eap_peap.cfg file to c:\program file
>>
>> Add a Client clause with your AP's address in the configuration. Also set
>> DbDir and LogDir as I just mentioned in my other message:
>>
>> LogDir c:/Program Files/Radiator
>> DbDir c:/Program Files/Radiator
>>
>>> 2. in the command line I typed the command "perl radiusd
>>> -bind_address 192. . . . -auth_port 1812 -log_file filename
>>> -config_file c:\program files\e