<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I hope someone can help me with the problem I’m having while trying to configure our new RADIUS environment.<o:p></o:p></p>
<p class="MsoNormal">I’ve attached my config file; it doesn’t contain any shared secret or password.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Additional info: <o:p></o:p></p>
<p class="MsoNormal"> Old servers: Windows 2008R2 – Radiator 4.14<o:p></o:p></p>
<p class="MsoNormal"> New servers: Windows 2016 – Radiator 4.19<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In our old configuration we have something like this:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre>
&lt;Handler Identifier=LUMCusers&gt;
    Identifier LUMCusers_AD
    &lt;AuthBy GROUP&gt;
        AuthByPolicy ContinueWhileReject
        # members of eduroam-wireless are placed in VLAN 420
        &lt;AuthBy LSA&gt;
            EAPType MSCHAP-V2
            DefaultDomain lumcnet
            UsernameMatchesWithoutRealm
            Group eduroam-wireless
            AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:420
        &lt;/AuthBy&gt;
        # members of lumc-wireless-1 are placed in VLAN 281
        &lt;AuthBy LSA&gt;
            EAPType MSCHAP-V2
            DefaultDomain lumcnet
            UsernameMatchesWithoutRealm
            Group lumc-wireless-1
            AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:281
        &lt;/AuthBy&gt;
    &lt;/AuthBy&gt;
&lt;/Handler&gt;
</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Which actually works fine: if a user doesn’t belong to the first group, the next AuthBy LSA header will be called and checked. So I figured I’d reuse this part of the config file to keep things working as they are right now.<o:p></o:p></p>
<p class="MsoNormal">The reason we use that AuthBy GROUP with multiple AuthBy LSA sections is to distribute users across different VLANs.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">However using this construction on the new servers for the inner authentication requests to validate the user credentials actually fails.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In the logfiles I see something like this:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre>
Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
Fri Sep 29 18:44:47 2017: DEBUG: Deleting session for testuser@lumc.nl, 10.250.88.245, 8
Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthHANDLER:
Fri Sep 29 18:44:47 2017: DEBUG: AuthBy HANDLER is redirecting to Handler 'Auth_ActiveDirectory2'
Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'Identifier=^(Handler_PEAP|Handler_TTLS)$', Identifier 'Auth_ActiveDirectory2'
Fri Sep 29 18:44:47 2017: DEBUG: Deleting session for testuser@lumc.nl, 10.250.88.245, 8
Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthGROUP:
Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
Fri Sep 29 18:44:47 2017: DEBUG: Response type 26
Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthLSA looks for match with testuser [testuser@lumc.nl]
Fri Sep 29 18:44:47 2017: DEBUG: Checking LSA Group membership for \\LUMC-DC01, eduroam-wireless, testuser
Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: testuser [testuser@lumc.nl]
Fri Sep 29 18:44:47 2017: DEBUG: EAP Failure, elapsed time 0.044654
Fri Sep 29 18:44:47 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user testuser
Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP V2 failed: no such user testuser
Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
Fri Sep 29 18:44:47 2017: DEBUG: Response type 26
Fri Sep 29 18:44:47 2017: INFO: EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Fri Sep 29 18:44:47 2017: DEBUG: EAP Failure, elapsed time 0.000006
Fri Sep 29 18:44:47 2017: DEBUG: EAP result: 1, EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Fri Sep 29 18:44:47 2017: DEBUG: AuthBy GROUP result: REJECT, EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Fri Sep 29 18:44:47 2017: DEBUG: AuthBy HANDLER result: REJECT, EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Fri Sep 29 18:44:47 2017: INFO: Access rejected for testuser@lumc.nl: EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Fri Sep 29 18:44:47 2017: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
</pre>
<p class="MsoNormal">I don’t understand why it stops processing other AuthBy headers and returns a result that the user doesn’t exist, since that’s not the case.<o:p></o:p></p>
<p class="MsoNormal">I’ve tried different AuthByPolicy settings, all with the same result: I’ve tried not defining it at all, and using ContinueWhileIgnore, ContinueWhileReject or ContinueUntilAcceptOrChallenge.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">So then I tried something else to see if that works, which apparently it does: if I remove all additional AuthBy sections, I get a successful authentication.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre>
&lt;Handler Identifier=^(Handler_PEAP|Handler_TTLS)$&gt;
    Identifier Auth_ActiveDirectory2
    &lt;AuthBy GROUP&gt;
        &lt;AuthBy LSA&gt;
            # eduroam override
            EAPType MSCHAP-V2
            DefaultDomain lumcnet
            UsernameMatchesWithoutRealm
            Group eduroam-wireless
            Group lumc-wireless-0
            AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:420
        &lt;/AuthBy&gt;
    &lt;/AuthBy&gt;
&lt;/Handler&gt;
</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This way I’d still be able to check whether users are part of a certain user group, but I cannot assign a different VLAN ID to specific user groups.<o:p></o:p></p>
<p class="MsoNormal">So not entirely desired, but at least I know that the validation part works.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The weird thing is that the whole AuthBy GROUP -> multiple AuthBy sections actually works for a different kind of request I process.<o:p></o:p></p>
<p class="MsoNormal">Our WLAN controllers usually forward their requests to another device (qmanage) which actually terminates the PEAP tunnel and then forwards the authentication request to me in order to validate it.<o:p></o:p></p>
<p class="MsoNormal">But I need this same configuration to work when the WLAN controllers are configured to forward their requests to my RADIUS servers when there’s maintenance on that other system.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’ve added some attachments: the old and new configurations, along with log files showing the different results.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hopefully this somewhat makes sense!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Kind regards,<o:p></o:p></p>
<p class="MsoNormal">Stephan Schwarz<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
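<p class="MsoNormal">The behaviour described in this post, as an added example that is not part of the original message and not Radiator's own code: a small Python model of an AuthBy GROUP walking its child AuthBy LSA clauses under an AuthByPolicy. It reproduces the contrast the post reports, a plain (already de-tunnelled) request that falls through to the second clause and gets its VLAN, versus an EAP/MSCHAP-V2 inner request where the first clause consumes the EAP response and the second one sees it "in unexpected state". The names Request, AuthByLSA, auth_by_group, run, PER_GROUP and SINGLE are hypothetical, the semantics of the three policy names are assumed, and the per-session EAP state handling is an assumption inferred from the debug log above, not Radiator internals.<o:p></o:p></p>

```python
"""Added example (not Radiator's code): a model of how an AuthBy GROUP walks its
child AuthBy clauses under an AuthByPolicy, and why a stateful EAP inner exchange
(MSCHAP-V2 inside PEAP) is not simply retried by the next clause once the first one
has consumed the EAP response. Policy names are the ones used in the post; their
semantics and the per-session EAP state handling are simplifying assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

ACCEPT, REJECT, IGNORE, CHALLENGE = "ACCEPT", "REJECT", "IGNORE", "CHALLENGE"

# Assumed meaning of the three policies named in the post: the predicate answers
# "does the group move on to the next clause after a clause returned this result?"
CONTINUE_IF: Dict[str, Callable[[str], bool]] = {
    "ContinueWhileIgnore": lambda r: r == IGNORE,
    "ContinueWhileReject": lambda r: r == REJECT,
    "ContinueUntilAcceptOrChallenge": lambda r: r not in (ACCEPT, CHALLENGE),
}


@dataclass
class Request:
    """One inner authentication request (constructed sample data)."""
    user_groups: FrozenSet[str]                    # AD groups the user belongs to
    eap: bool                                      # True: EAP/MSCHAP-V2 inner auth
    eap_state: str = "awaiting_mschapv2_response"  # assumed per-session EAP state


@dataclass
class AuthByLSA:
    """Model of one AuthBy LSA clause: the Group(s) it requires and the VLAN it adds."""
    groups: Tuple[str, ...]
    vlan: int

    def handle(self, req: Request) -> Tuple[str, str]:
        if req.eap:
            # Assumption drawn from the log: the EAP Response/MSCHAPv2 (type 26) is
            # only valid while the session is waiting for it, and whichever clause
            # sees it first consumes it, so a later clause finds the session in the
            # wrong state regardless of how its own group check would have gone.
            if req.eap_state != "awaiting_mschapv2_response":
                return REJECT, "EAP Response type 26 in unexpected state"
            req.eap_state = "done"
        if not (req.user_groups & set(self.groups)):
            return REJECT, "User is not a member of any Group"
        return ACCEPT, f"Tunnel-Private-Group-ID=1:{self.vlan}"


def auth_by_group(policy: str, clauses: List[AuthByLSA], req: Request):
    """Walk the clauses the way AuthBy GROUP does; return the final result,
    its reason and the per-clause trail (for comparison with the debug log)."""
    trail: List[Tuple[str, str]] = []
    result, reason = IGNORE, "no AuthBy clause ran"
    for clause in clauses:
        result, reason = clause.handle(req)
        trail.append((result, reason))
        if not CONTINUE_IF[policy](result):
            break
    return result, reason, trail


# The two layouts from the post: one clause per group (a VLAN per group, the old
# config) and a single clause listing both groups (the working fallback, one VLAN).
PER_GROUP = [AuthByLSA(("eduroam-wireless",), 420), AuthByLSA(("lumc-wireless-1",), 281)]
SINGLE = [AuthByLSA(("eduroam-wireless", "lumc-wireless-0"), 420)]


def run(policy: str, clauses: List[AuthByLSA], groups, eap: bool):
    """Build a request for a user in `groups` and push it through the group."""
    return auth_by_group(policy, clauses, Request(frozenset(groups), eap))


if __name__ == "__main__":
    # A lumc-wireless-1 member: the plain request reaches the second clause and
    # gets VLAN 281; the EAP version is rejected exactly the way the log shows.
    for eap in (False, True):
        result, reason, trail = run("ContinueWhileReject", PER_GROUP, {"lumc-wireless-1"}, eap)
        print(f"eap={eap}: {result} ({reason})")
        for step in trail:
            print("   ", step)
```

<p class="MsoNormal">The model is deliberately only about ordering: the policy decides whether a second clause runs at all, while the shared EAP state decides whether running it can ever succeed. Under that assumption, ContinueWhileReject is doing what it should in the log above, the second AuthBy LSA really is called, and the rejection comes from the consumed EAP response rather than from the group lookup, which is why the single-clause layout with both Group lines works and the per-group layout does not for tunnelled requests.<o:p></o:p></p>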
</div>
</body>
</html>