(RADIATOR) Authentication failure in leap when Username including domain-suffix

nagataki at nri-net.com
Sun Nov 9 20:17:28 CST 2003


Hi everyone,

I'm testing a wireless LAN connection using PEAP (MS-CHAP-V2) and LEAP.
But I have a problem with LEAP (everything looks OK with PEAP) and
I can't see what is incorrect.


(Prerequisite (summary))
1. Radiator server version is 3.7.1 with the newest(?) patches applied
   (downloaded on 21 Oct.)
2. Clients are using Funk Odyssey Client 2.22 and Windows XP Home Edition
3. Username includes "@domain-suffix"
   (When "@domain-suffix" is excluded from the username, the test passes)
4. User authentication uses DBFILE.
5. The config file is as below.
-------------------------------------------------------------------
#Foreground
#LogStdout
LogDir          /var/log
#DbDir          /etc/raddb
AuthPort        1812
AcctPort        1813
DictionaryFile  /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
# Use a lower trace level in production systems:
Trace           4
RewriteUsername s/^([^@]+).*/$1/

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client aaa.bbb.ccc.ddd>
        Secret  test
        DupInterval 0
        RewriteUsername s/^([^@]+).*/$1/
</Client>

# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.
<Handler TunnelledByPEAP=1>
        #<AuthBy FILE>
        <AuthBy DBFILE>
                Filename /etc/raddb/users
                RewriteUsername s/^([^@]+).*/$1/

                # This tells the PEAP client what types of inner EAP requests
                # we will honour
                EAPType PEAP,MSCHAP-V2
        </AuthBy>
</Handler>


# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and the inner authentication
# extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
# a specific handler, or else you can use EAPAnonymous to set a username and realm
# which can be used to select a Realm clause for the inner request.
# This allows you to select an inner authentication method based on Realm, and/or the
# fact that they were tunnelled. You can therefore act just as a PEAP server, or also
# act as the AAA/H home server, and authenticate PEAP requests locally or proxy
# them to another remote server based on the realm of the inner authentication request.
# In this basic example, both the inner and outer authentication are authenticated
# from a file by AuthBy FILE (AuthBy DBFILE in this configuration)
<Handler>
        #<AuthBy FILE>
        <AuthBy DBFILE>
                # The username of the outer authentication
                # must be in this file to get anywhere. In this example,
                # it requires an entry for 'anonymous' which is the standard username
                # in the outer requests, and it also requires an entry for the
                # actual user name who is trying to connect (ie the 'Login name' entered
                # in the Funk Odyssey 'Edit Profile Properties' page)
                Filename /etc/raddb/users
                RewriteUsername s/^([^@]+).*/$1/

                # EAPType sets the EAP type(s) that Radiator will honour.
                # Options are: MD5-Challenge, One-Time-Password
                # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
                # Multiple types can be comma separated. With the default (most
                # preferred) type given first
                EAPType PEAP,MSCHAP-V2,LEAP

                # EAPTLS_CAFile is the name of a file of CA certificates
                # in PEM format. The file can contain several CA certificates
                # Radiator will first look in EAPTLS_CAFile then in
                # EAPTLS_CAPath, so there usually is no need to set both
                EAPTLS_CAFile /home/test/ca/ca2.pem

                # EAPTLS_CAPath is the name of a directory containing CA
                # certificates in PEM format. The files each contain one
                # CA certificate. The files are looked up by the CA
                # subject name hash value
                EAPTLS_CAPath /home/test/ca

                # EAPTLS_CertificateFile is the name of a file containing
                # the servers certificate. EAPTLS_CertificateType
                # specifies the type of the file. Can be PEM or ASN1
                # defaults to ASN1
                EAPTLS_CertificateFile /home/test/ca/cert2.pem
                EAPTLS_CertificateType PEM

                # EAPTLS_PrivateKeyFile is the name of the file containing
                # the servers private key. It is sometimes in the same file
                # as the server certificate (EAPTLS_CertificateFile)
                # If the private key is encrypted (usually the case)
                # then EAPTLS_PrivateKeyPassword is the key to decrypt it
                EAPTLS_PrivateKeyFile /home/test/ca/key2.pem
                EAPTLS_PrivateKeyPassword test1234

                # EAPTLS_RandomFile is an optional file containing
                # randomness
#               EAPTLS_RandomFile %D/certificates/random

                # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
                # size that will be replied by Radiator. It must be small
                # enough to fit in a single Radius request (ie less than 4096)
                # and still leave enough space for other attributes
                # Aironet APs seem to need a smaller MaxFragmentSize
                # (eg 1024) than the default of 2048. Others need even smaller sizes.
                EAPTLS_MaxFragmentSize 1024

                # EAPTLS_DHFile if set specifies the DH group file. It
                # may be required if you need to use ephemeral DH keys.
#               EAPTLS_DHFile %D/certificates/cert/dh


                # If EAPTLS_CRLCheck is set and the client presents a certificate
                # then Radiator will look for a certificate revocation list (CRL)
                # for the certificate issuer
                # when authenticating each client. If a CRL file is not found, or
                # if the CRL says the certificate has been revoked, the authentication will
                # fail with an error:
                #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
                # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
                # Alternatively, CRLs may follow a file naming convention:
                #  the hash of the issuer subject name
                # and a suffix that depends on the serial number.
                # eg ab1331b2.r0, ab1331b2.r1 etc.
                # You can find out the hash of the issuer name in a CRL with
                #  openssl crl -in crl.pem -hash -noout
                # CRLs with this name convention
                # will be searched in EAPTLS_CAPath, else in the openssl
                # certificates directory typically /usr/local/openssl/certs/
                # CRLs are expected to be in PEM format.
                # CRL files can be generated with openssl like this:
                #  openssl ca -gencrl -revoke cert-clt.pem
                #  openssl ca -gencrl -out crl.pem
                # Use of these flags requires Net_SSLeay-1.21 or later
                #EAPTLS_CRLCheck
                #EAPTLS_CRLFile %D/certificates/crl.pem
                #EAPTLS_CRLFile %D/certificates/revocations.pem

                # Some clients, depending on their configuration, may require you to specify
                # MPPE send and receive keys. This _will_ be required if you select
                # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
                # client Network Properties dialog.
                # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
                # in the final Access-Accept
                AutoMPPEKeys

                # You can enable some warning messages from the Net::SSLeay
                # module by setting SSLeayTrace to an integer from 1 to 4
                # 1=ciphers, 2=trace, 3=dump data
                SSLeayTrace 4

                # You can configure the User-Name that will be used for the inner
                # authentication. Defaults to 'anonymous'. This can be useful
                # when proxying the inner authentication. If there is a realm, it can
                # be used to choose a local Realm to handle the inner authentication.
                # %0 is replaced with the EAP identity
                # EAPAnonymous anonymous@some.other.realm

                # You can enable or disable support for TTLS Session Resumption and
                # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
                # Default is enabled
                #EAPTLS_SessionResumption 0

                # You can limit how long after the initial session that a session can be resumed
                # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
                # (12 hours)
                #EAPTLS_SessionResumptionLimit 10

                # You can control which version of the draft PEAP protocol to honour
                # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
                # such as Funk Odyssey Client 2.22 or later.
                EAPTLS_PEAPVersion 0
        </AuthBy>
</Handler>
-------------------------------------------------------------------


(Results)
Details are below.
-------------------------------------------------------------------
Sat Nov  8 15:27:19 2003: DEBUG: Finished reading configuration file '/etc/eap_peap.cfg'
Sat Nov  8 15:27:19 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Sat Nov  8 15:27:19 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary.cisco'
Sat Nov  8 15:27:20 2003: DEBUG: Creating authentication port 0.0.0.0:1812
Sat Nov  8 15:27:20 2003: DEBUG: Creating accounting port 0.0.0.0:1813
Sat Nov  8 15:27:20 2003: NOTICE: Server started: Radiator 3.7.1 on test1.test.com
Sat Nov  8 15:29:32 2003: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 1457 ....
Code:       Access-Request
Identifier: 158
Authentic:  -<130>b9<143>i<175>M<223><16><179>r<2>l<223><30>
Attributes:
        User-Name = "nagataki at test.com"
        cisco-avpair = "ssid=TEST-SPOT"
        NAS-IP-Address = aaa.bbb.ccc.ddd
        Called-Station-Id = "000c30da9d03"
        Calling-Station-Id = "00022d559b41"
        NAS-Identifier = "Test-AP-1"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        Service-Type = Login
        EAP-Message = <2><20><0><27><1>nagataki at test.com
        Message-Authenticator = <248>6<152>4<171><26><244><210>c3%1z<151>S<152>

Sat Nov  8 15:29:32 2003: DEBUG: Rewrote user name to nagataki
Sat Nov  8 15:29:32 2003: DEBUG: Rewrote user name to nagataki
Sat Nov  8 15:29:32 2003: DEBUG: Handling request with Handler ''
Sat Nov  8 15:29:32 2003: DEBUG:  Deleting session for nagataki at test.com, aaa.bbb.ccc.ddd, 37
Sat Nov  8 15:29:32 2003: DEBUG: Handling with Radius::AuthDBFILE:
Sat Nov  8 15:29:32 2003: DEBUG: Handling with EAP: code 2, 20, 27
Sat Nov  8 15:29:32 2003: DEBUG: Response type 1
Sat Nov  8 15:29:33 2003: DEBUG: EAP result: 3, EAP PEAP Challenge
Sat Nov  8 15:29:33 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
Sat Nov  8 15:29:33 2003: DEBUG: Packet dump:
*** Sending to aaa.bbb.ccc.ddd port 1457 ....
Code:       Access-Challenge
Identifier: 158
Authentic:  -<130>b9<143>i<175>M<223><16><179>r<2>l<223><30>
Attributes:
        EAP-Message = <1><21><0><6><25>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Sat Nov  8 15:29:33 2003: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 1458 ....
Code:       Access-Request
Identifier: 159
Authentic:  r<216><178><194><202>|<15><129>bdj<165><236>G<139><173>
Attributes:
        User-Name = "nagataki at test.com"
        cisco-avpair = "ssid=TEST-SPOT"
        NAS-IP-Address = aaa.bbb.ccc.ddd
        Called-Station-Id = "000c30da9d03"
        Calling-Station-Id = "00022d559b41"
        NAS-Identifier = "Test-AP-1"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        Service-Type = Login
        EAP-Message = <2><21><0><6><3><17>
        Message-Authenticator = <221><216><210><166><187><199>Y<229>%<185>)<247><255><199><246><158>

Sat Nov  8 15:29:33 2003: DEBUG: Rewrote user name to nagataki
Sat Nov  8 15:29:33 2003: DEBUG: Rewrote user name to nagataki
Sat Nov  8 15:29:33 2003: DEBUG: Handling request with Handler ''
Sat Nov  8 15:29:33 2003: DEBUG:  Deleting session for nagataki at test.com, aaa.bbb.ccc.ddd, 37
Sat Nov  8 15:29:33 2003: DEBUG: Handling with Radius::AuthDBFILE:
Sat Nov  8 15:29:33 2003: DEBUG: Handling with EAP: code 2, 21, 6
Sat Nov  8 15:29:33 2003: DEBUG: Response type 3
Sat Nov  8 15:29:33 2003: INFO: EAP Nak desires type 17
Sat Nov  8 15:29:33 2003: DEBUG: EAP result: 3, EAP LEAP Challenge
Sat Nov  8 15:29:33 2003: DEBUG: Access challenged for nagataki: EAP LEAP Challenge
Sat Nov  8 15:29:33 2003: DEBUG: Packet dump:
*** Sending to aaa.bbb.ccc.ddd port 1458 ....
Code:       Access-Challenge
Identifier: 159
Authentic:  r<216><178><194><202>|<15><129>bdj<165><236>G<139><173>
Attributes:
        EAP-Message = <1><22><0>&<17><1><0><8><202>|<190><158><214><153>"<182>nagataki at test.com
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Sat Nov  8 15:29:45 2003: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 1459 ....
Code:       Access-Request
Identifier: 160
Authentic:  <6>(<20>/<242>]<189>/<180><153><157><156>5<192><131><11>
Attributes:
        User-Name = "nagataki at test.com"
        cisco-avpair = "ssid=TEST-SPOT"
        NAS-IP-Address = aaa.bbb.ccc.ddd
        Called-Station-Id = "000c30da9d03"
        Calling-Station-Id = "00022d559b41"
        NAS-Identifier = "Test-AP-1"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        Service-Type = Login
        EAP-Message = <2><22><0>6<17><1><0><24><169><153><196>f<169>%up<188>s<193><199><129>v<162><136><186><174><127><217><152>O<197><181>nagataki at test.com
        Message-Authenticator = y<4><235>xS at m<178><189>E<128>%<135>#<244><157>

Sat Nov  8 15:29:45 2003: DEBUG: Rewrote user name to nagataki
Sat Nov  8 15:29:45 2003: DEBUG: Rewrote user name to nagataki
Sat Nov  8 15:29:45 2003: DEBUG: Handling request with Handler ''
Sat Nov  8 15:29:45 2003: DEBUG:  Deleting session for nagataki at test.com, aaa.bbb.ccc.ddd, 37
Sat Nov  8 15:29:45 2003: DEBUG: Handling with Radius::AuthDBFILE:
Sat Nov  8 15:29:45 2003: DEBUG: Handling with EAP: code 2, 22, 54
Sat Nov  8 15:29:45 2003: DEBUG: Response type 17
Sat Nov  8 15:29:45 2003: DEBUG: Radius::AuthDBFILE looks for match with nagataki at test.com
Sat Nov  8 15:29:45 2003: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user nagataki at test.com
Sat Nov  8 15:29:45 2003: INFO: Access rejected for nagataki: EAP MSCHAP V2 failed: no such user nagataki at test.com
Sat Nov  8 15:29:45 2003: DEBUG: Packet dump:
*** Sending to aaa.bbb.ccc.ddd port 1459 ....
Code:       Access-Reject
Identifier: 160
Authentic:  <6>(<20>/<242>]<189>/<180><153><157><156>5<192><131><11>
Attributes:
        EAP-Message = <4><22><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "Request Denied"
-------------------------------------------------------------------

What causes the problem?

So I need your help resolving this problem.
Please give me any ideas.

Thank you in advance.

Best Regards.

Masa
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
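As an added illustration (my own Python, not Radiator's code and not part of the post), the script below models what the posted log shows: RewriteUsername strips the realm from the RADIUS User-Name ("Rewrote user name to nagataki"), but the identity carried inside the EAP-Message still ends in "@domain-suffix", and the AuthDBFILE lookup in the log is keyed on that full identity ("looks for match with nagataki at test.com"), so the bare entry in the users file is never matched. The EAP header and LEAP body layout are read off the packet dumps above; the users dictionary and the sample packets are constructed.

```python
"""Model of the outer/inner username mismatch seen in the posted Radiator log.

Added illustration, not Radiator code. It applies the posted RewriteUsername
expression to the RADIUS User-Name, extracts the identity carried inside the
EAP-Message, and checks each against a constructed stand-in for /etc/raddb/users.
"""
import re
import struct
from typing import Dict, Optional

# Python equivalent of the posted Perl rewrite: s/^([^@]+).*/$1/
REWRITE_RE = re.compile(r"^([^@]+).*")

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_LEAP = 17      # the type the client asked for in the log ("EAP Nak desires type 17")

# Constructed stand-in for the DBFILE users file: only the bare login name is present
USERS_FILE: Dict[str, str] = {"nagataki": "User-Password = secret"}


def rewrite_username(user_name: str) -> str:
    """Strip everything from the first '@' onward, as s/^([^@]+).*/$1/ does."""
    m = REWRITE_RE.match(user_name)
    return m.group(1) if m else user_name


def eap_identity(eap_message: bytes) -> Optional[str]:
    """Return the identity carried in an EAP-Response/Identity or EAP-Response/LEAP.

    Layout taken from the packet dumps in the post: EAP header is
    code(1) id(1) length(2) type(1); a LEAP body is version(1) unused(1)
    count(1) <count bytes of challenge/response> and then the user name.
    """
    if len(eap_message) < 5:
        raise ValueError("EAP header truncated")
    code, _ident, length = struct.unpack("!BBH", eap_message[:4])
    if length != len(eap_message):
        raise ValueError(f"EAP length field {length} != {len(eap_message)} bytes on the wire")
    if code != EAP_CODE_RESPONSE:
        return None
    eap_type = eap_message[4]
    body = eap_message[5:]
    if eap_type == EAP_TYPE_IDENTITY:
        return body.decode("utf-8", errors="replace")
    if eap_type == EAP_TYPE_LEAP:
        if len(body) < 3:
            raise ValueError("LEAP body truncated")
        count = body[2]
        if len(body) < 3 + count:
            raise ValueError(f"LEAP count {count} exceeds payload")
        return body[3 + count:].decode("utf-8", errors="replace")
    return None  # other EAP types (e.g. PEAP TLS records) carry no plain identity


def build_leap_response(ident: int, response: bytes, name: str) -> bytes:
    """Build an EAP-Response/LEAP shaped like the third dump (constructed bytes)."""
    body = bytes([1, 0, len(response)]) + response + name.encode("utf-8")
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, ident, 5 + len(body), EAP_TYPE_LEAP) + body


def build_identity_response(ident: int, name: str) -> bytes:
    """Build an EAP-Response/Identity shaped like the first dump (constructed bytes)."""
    body = name.encode("utf-8")
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, ident, 5 + len(body), EAP_TYPE_IDENTITY) + body


def diagnose(user_name: str, eap_message: bytes, users: Dict[str, str] = USERS_FILE) -> dict:
    """Compare the rewritten outer User-Name with the inner EAP identity and
    report which of the two would find an entry in the users file."""
    outer = rewrite_username(user_name)
    inner = eap_identity(eap_message)
    return {
        "outer_user_name": outer,
        "eap_identity": inner,
        "outer_found": outer in users,
        "eap_found": (inner in users) if inner is not None else None,
        "mismatch": inner is not None and inner != outer,
    }


if __name__ == "__main__":
    # Constructed request mirroring the failing LEAP exchange: full identity in both places
    leap = build_leap_response(22, bytes(24), "nagataki@test.com")
    print(diagnose("nagataki@test.com", leap))
```

Running it prints a result with `outer_found` true and `eap_found` false, which is the same split the log shows between "Rewrote user name to nagataki" and "no such user nagataki at test.com". The `diagnose` function can be pointed at any User-Name/EAP-Message pair taken from a packet dump to check whether the two names agree before looking at the users file.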

