SBR and 802.1x Windows authentication

  • Failing to find another concise source of information for this fairly straightforward and common task, here are the steps that we used to set up 802.1x authentication to a Windows domain through Steel-Belted RADIUS using EAP-PEAP:

    1. Create, sign, and install a Server Authentication certificate (e.g. with a Windows CA: http://x.x.x.x/certsrv) on any local machine

    2. Open the Certificates MMC snap-in and export the new public key, private key, and key chain to a .pfx file

    3. Upload the .pfx file to SBR and specify the file location and password in certinfo.ini:

    4. Enable PEAP in peapauth.aut

    5. Enable EAP-PEAP authentication method in Admin GUI

    6. Enable Windows Domain Group authentication method in Admin GUI with ‘MS-CHAP-V2’ and ‘First Handle via Auto EAP’ checked

    7. Create a filter in filter.ini to pass switch-specific attributes outside the inner authentication method:
    Allow Tunnel-Type
    Allow Tunnel-Medium-Type
    Allow Tunnel-Private-Group-Id

    8. Set the response filter in peapauth.aut to apply the previously defined filter:
    Transfer_Inner_Attribs_To_Accept = inside-out

    The above steps allow Windows clients to perform 802.1x PEAP authentication through any properly configured NAS device (e.g. switch, access point). On the Windows 802.1x supplicant you may need to uncheck the ‘Validate Server Certificate’ checkbox if the server certificate is signed by an untrusted root CA. The server certificate is needed because SBR does not have any default server certificate that it can use to initiate PEAP authentication. Also, the filter needs to be applied; otherwise SBR will pass back the RADIUS attributes within the inner authentication protocol, where they are not visible to the NAS.

  • Hi,

    can anyone help me with how to configure SBR for server-based authentication for TTLS authentication?

    I'm using SBR v6.0, and when I insert the root CA certificate (which is in PFX format) from the Cisco ACS server, SBR removes TTLS authentication
    from the order of methods.

    But when I insert the client certificate (which is in PFX format) from the Cisco ACS server, SBR shows TTLS authentication
    in the order of methods.

    This issue blocks me from authenticating the server, and I have been facing it for more than a month. I need someone's help to fix this issue.

  • I have followed this guide but have still got problems trying to authenticate my machines. Does it matter what order the EAP-PEAP and domain-groups are in? I also use native users for authenticating ADSL users.

    Here is my log:-
    Authenticating user HOST/ICTLT01194.??.??.??.?? with authentication method Native User
    06/02/2010 10:38:04 Auto EAP protocol 0,26 selected as pre-processor of Windows Domain Group authentication method for user host/ICTLT01194.??.??.??.??
    06/02/2010 10:38:04 Authenticating user host/ICTLT01194.??.??.??.?? with automatic EAP helper method EAP-MS-CHAP-V2
    06/02/2010 10:38:04 EAP MS-CHAP-V2 sub-protocol processing started for username host/ICTLT01194.??.??.??.??
    06/02/2010 10:38:04 EAP MS-CHAP-V2 sub-protocol issuing challenge
    06/02/2010 10:38:04 Sent challenge response for user host/ICTLT01194.??.??.??.?? to client
    06/02/2010 10:38:04 -----------------------------------------------------------
    06/02/2010 10:38:04 Authentication Response
    06/02/2010 10:38:04 Packet : Code = 0xb ID = 0x80
    06/02/2010 10:38:04 Vector =
    06/02/2010 10:38:04 000: a99b8917 32530ae2 df947cdd 28366776 |…2S…|.(6gv|
    06/02/2010 10:38:04 State : String Value = SBR-CH 0|1
    06/02/2010 10:38:04 EAP-Message : Value =
    06/02/2010 10:38:04 000: 0101002d 1a010100 28104436 c5a888c4 |…-…(.D6…|
    06/02/2010 10:38:04 010: 9a457d84 281b0670 b8d85374 65656c2d |.E}.(…p…Steel-|
    06/02/2010 10:38:04 020: 42656c74 65642052 61646975 73       |Belted Radius   |
    06/02/2010 10:38:04 Session-Timeout : Integer Value = 120
    06/02/2010 10:38:04 -----------------------------------------------------------
    06/02/2010 10:38:04 -----------------------------------------------------------
    06/02/2010 10:38:04 Authentication Response
    06/02/2010 10:38:04 Sent to: ip= port=3600
    06/02/2010 10:38:04
    06/02/2010 10:38:04 Raw Packet :
    06/02/2010 10:38:04 000: 0b800068 a99b8917 32530ae2 df947cdd |…h…2S…|.|
    06/02/2010 10:38:04 010: 28366776 180d5342 522d4348 20307c31 |(6gv…SBR-CH 0|1|
    06/02/2010 10:38:04 020: 004f2f01 01002d1a 01010028 104436c5 |.O/…-…(.D6.|
    06/02/2010 10:38:04 030: a888c49a 457d8428 1b0670b8 d8537465 |…E}.(…p…Ste|
    06/02/2010 10:38:04 040: 656c2d42 656c7465 64205261 64697573 |el-Belted Radius|
    06/02/2010 10:38:04 050: 1b060000 00785012 d2f4bd46 dc673d72 |…xP…F.g=r|
    06/02/2010 10:38:04 060: 1b632cae 300506ea                   |.c,.0…        |
    06/02/2010 10:38:04
    06/02/2010 10:38:04 -----------------------------------------------------------
    06/02/2010 10:38:04 Packet containing 104 bytes successfully sent
    06/02/2010 10:38:04 F:\build\zMhtHo68zI\SBR\xradius\radauthd.c radAuthHandleRequest() 3777 Exiting

    Any suggestions would really help
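    As an added example (not part of either post above, nor SBR's own tooling), the following Python script decodes the raw Access-Challenge dumped in the log above and then builds the kind of Access-Accept the filter in the first post is meant to produce, so that the VLAN assignment sits in the outer packet where the switch reads it. Attribute numbers, EAP types and the Tunnel-* encoding are taken from RFC 2865, RFC 2868 and the IANA EAP registry; the Access-Accept, its request authenticator, shared secret and VLAN id 100 are constructed placeholders. Run on the logged bytes, the decoder shows the outer EAP-Message carrying EAP type 26 (EAP-MSCHAPv2) rather than type 25 (PEAP), i.e. the MS-CHAPv2 challenge is on the wire outside any TLS tunnel, which matches the "Auto EAP protocol 0,26" line and is worth comparing with what the supplicant has been configured to offer.

```python
"""Decode the SBR Access-Challenge dumped above and build the Tunnel-* VLAN attributes.

Added example, not from the original posts.  Everything it needs is inline: the raw
packet hex copied from the log, and one constructed Access-Accept for the filter case.
"""
import hashlib
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                11: "Access-Challenge"}
ATTR_NAMES = {24: "State", 27: "Session-Timeout", 64: "Tunnel-Type",
              65: "Tunnel-Medium-Type", 79: "EAP-Message",
              80: "Message-Authenticator", 81: "Tunnel-Private-Group-Id"}
EAP_TYPES = {25: "PEAP", 26: "EAP-MSCHAPv2"}
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6          # RFC 2868 / RFC 3580 values

# "Raw Packet" hex exactly as dumped in the log above (104 bytes).
LOG_PACKET = bytes.fromhex(
    "0b800068 a99b8917 32530ae2 df947cdd"
    "28366776 180d5342 522d4348 20307c31"
    "004f2f01 01002d1a 01010028 104436c5"
    "a888c49a 457d8428 1b0670b8 d8537465"
    "656c2d42 656c7465 64205261 64697573"
    "1b060000 00785012 d2f4bd46 dc673d72"
    "1b632cae 300506ea")


def parse_radius(pkt):
    """Split a RADIUS packet into header fields and an ordered list of (type, value).

    Length fields are checked against the bytes actually present, which is the first
    thing a NAS or server must do before trusting any attribute.
    """
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field %d != %d bytes present" % (length, len(pkt)))
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "code_name": RADIUS_CODES.get(code, "?"), "id": ident,
            "length": length, "authenticator": pkt[4:20], "attrs": attrs}


def parse_eap(msg):
    """Decode an EAP packet; for an EAP-MSCHAPv2 Challenge also decode its body."""
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError("EAP Length %d != %d bytes present" % (length, len(msg)))
    out = {"code": code, "id": ident, "length": length}
    if code in (1, 2) and length > 4:                   # Request/Response carry a Type
        out["type"], out["type_name"] = msg[4], EAP_TYPES.get(msg[4], "?")
    if out.get("type") == 26 and length > 9 and msg[5] == 1:   # OpCode 1 = Challenge
        ms_id, ms_len, vsize = struct.unpack("!BHB", msg[6:10])
        out.update(mschap_id=ms_id, ms_length=ms_len, challenge=msg[10:10 + vsize],
                   name=msg[10 + vsize:].decode("ascii"))
    return out


def decode_log_packet():
    """Parse the logged Access-Challenge and the EAP packet inside it.

    EAP-Message may be split over several attributes, so all of them are joined.
    """
    rad = parse_radius(LOG_PACKET)
    eap = parse_eap(b"".join(v for t, v in rad["attrs"] if t == 79))
    return rad, eap


def tunnel_attr(atype, tag, value):
    """Encode a tagged Tunnel-* attribute (RFC 2868): tag byte, then 3-byte int or text."""
    if atype in (64, 65):
        body = bytes([tag]) + struct.pack("!I", value)[1:]
    elif atype == 81:
        body = bytes([tag]) + value.encode("ascii")
    else:
        raise ValueError("not a Tunnel-* attribute")
    return bytes([atype, len(body) + 2]) + body


def decode_tunnel(atype, body):
    """Return (tag, value) the way a switch reads it; a leading byte > 0x1f is not a tag."""
    if atype in (64, 65):
        return body[0], int.from_bytes(body[1:4], "big")
    if atype == 81:
        if body[0] <= 0x1f:
            return body[0], body[1:].decode("ascii")
        return 0, body.decode("ascii")
    raise ValueError("not a Tunnel-* attribute")


def build_access_accept(ident, request_auth, secret, attrs):
    """Assemble an Access-Accept with the RFC 2865 Response Authenticator
    MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", 2, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def vlan_attrs_visible_to_nas(pkt):
    """The VLAN assignment a NAS can see: only Tunnel-* attributes in the outer packet."""
    return {ATTR_NAMES[t]: decode_tunnel(t, v)
            for t, v in parse_radius(pkt)["attrs"] if t in (64, 65, 81)}


# Constructed, not from the log: the Access-Accept the filter in the first post is meant
# to produce.  Request authenticator, shared secret and VLAN 100 are placeholders.
SAMPLE_ACCEPT = build_access_accept(0x80, bytes(16), b"example-secret", [
    tunnel_attr(64, 1, TUNNEL_TYPE_VLAN),
    tunnel_attr(65, 1, TUNNEL_MEDIUM_IEEE802),
    tunnel_attr(81, 1, "100"),
])

if __name__ == "__main__":
    rad, eap = decode_log_packet()
    print("%s id=%#x len=%d" % (rad["code_name"], rad["id"], rad["length"]))
    for t, v in rad["attrs"]:
        print("  %-24s %s" % (ATTR_NAMES.get(t, t), v))
    print("EAP type %d (%s) challenge=%s name=%r"
          % (eap["type"], eap["type_name"], eap["challenge"].hex(), eap["name"]))
    print("NAS sees:", vlan_attrs_visible_to_nas(SAMPLE_ACCEPT))
```

    The Message-Authenticator (attribute 80) in the captured packet is an HMAC-MD5 over the packet keyed with the RADIUS shared secret, so it cannot be verified here; the script only checks lengths. On the supplicant side, the safer counterpart to step 1 of the first post is to install the CA that signed the SBR certificate in the client's Trusted Root store and keep 'Validate server certificate' enabled: with validation off, the client will run the inner MS-CHAPv2 exchange with whatever RADIUS server terminates the tunnel, so a rogue access point can collect the challenge/response pair.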

  • Hi, I am using Steel-Belted Radius Enterprise Edition v5.3.
    It supports many attributes in the user blogs (checklist and return list attributes) but its guide doesn't provide a sufficient explanation. For example, I want to limit the session time of users, limit the bandwidth rate, etc.
    Any suggestions?

  • Hi, I'm currently using SBR Enterprise Edition, and I need to set up 802.1X authentication of domain users using EAP-TLS. I didn't find useful documents on the internet. Could you help me out with how to set up the certificates and configuration? I'm using SBR version 6.0.

    Thanks!