(RADIATOR) Authentication failure in leap when Username including domain-suffix

Mike McCauley mikem at open.com.au
Sun Nov 9 22:42:16 CST 2003


Hello,

The problem here was that the LEAP identity being sent by the client was 
nagataki at test.com, and although you had a RewriteUsername to rewrite the 
Radius user name it had no effect on the LEAP identity.

We have now posted a patch so that RewriteUsername also affects the LEAP 
identity. That should fix your problem. The new version of EAP_17.pm has also 
been attached. Please let us know how you get on.

Cheers.


On Mon, 10 Nov 2003 01:17 pm, nagataki at nri-net.com wrote:
> Hi everyone,
>
> I'm testing a wireless LAN connection using PEAP (MS-CHAP-V2) and LEAP.
> But I have a problem in LEAP (everything looks OK in PEAP) and
> can't see what is incorrect.
>
>
> (Prerequisites (summary))
> 1. Radiator server version is 3.7.1 with the newest(?) patches applied
>   (downloaded on 21 Oct.)
> 2. Clients are using Funk Odyssey Client 2.22 and Windows XP Home-Edition
> 3. Username includes "@domain-suffix"
>   (When excluding "@domain-suffix" from Username, the test passes)
> 4. User-Authentication is using DBFile.
> 5. config_file is like below.
> -------------------------------------------------------------------
> #Foreground
> #LogStdout
> LogDir          /var/log
> #DbDir          /etc/raddb
> AuthPort        1812
> AcctPort        1813
> DictionaryFile  /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
> # Use a lower trace level in production systems:
> Trace           4
> RewriteUsername s/^([^@]+).*/$1/
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client aaa.bbb.ccc.ddd>
>         Secret  test
>         DupInterval 0
>         RewriteUsername s/^([^@]+).*/$1/
> </Client>
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> <Handler TunnelledByPEAP=1>
>         #<AuthBy FILE>
>         <AuthBy DBFILE>
>                 Filename /etc/raddb/users
>                 RewriteUsername s/^([^@]+).*/$1/
>
>                 # This tells the PEAP client what types of inner EAP
>                 # requests we will honour
>                 EAPType PEAP,MSCHAP-V2
>         </AuthBy>
> </Handler>
>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the
> # inner authentication extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to
> # select a specific handler, or else you can use EAPAnonymous to set a
> # username and realm which can be used to select a Realm clause for the
> # inner request.
> # This allows you to select an inner authentication method based on Realm,
> # and/or the fact that they were tunnelled. You can therefore act just as
> # a PEAP server, or also act as the AAA/H home server, and authenticate
> # PEAP requests locally or proxy them to another remote server based on
> # the realm of the inner authentication request.
> # In this basic example, both the inner and outer authentication are
> # authenticated from a file by AuthBy FILE
> <Handler>
>         #<AuthBy FILE>
>         <AuthBy DBFILE>
>                 # The username of the outer authentication
>                 # must be in this file to get anywhere. In this example,
>                 # it requires an entry for 'anonymous' which is the
>                 # standard username in the outer requests, and it also
>                 # requires an entry for the actual user name who is trying
>                 # to connect (ie the 'Login name' entered in the Funk
>                 # Odyssey 'Edit Profile Properties' page)
>                 Filename /etc/raddb/users
>                 RewriteUsername s/^([^@]+).*/$1/
>
>                 # EAPType sets the EAP type(s) that Radiator will honour.
>                 # Options are: MD5-Challenge, One-Time-Password
>                 # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>                 # Multiple types can be comma separated. With the default
>                 # (most preferred) type given first
>                 EAPType PEAP,MSCHAP-V2,LEAP
>
>                 # EAPTLS_CAFile is the name of a file of CA certificates
>                 # in PEM format. The file can contain several CA
>                 # certificates. Radiator will first look in EAPTLS_CAFile
>                 # then in EAPTLS_CAPath, so there usually is no need to
>                 # set both
>                 EAPTLS_CAFile /home/test/ca/ca2.pem
>
>                 # EAPTLS_CAPath is the name of a directory containing CA
>                 # certificates in PEM format. The files each contain one
>                 # CA certificate. The files are looked up by the CA
>                 # subject name hash value
>                 EAPTLS_CAPath /home/test/ca
>
>                 # EAPTLS_CertificateFile is the name of a file containing
>                 # the servers certificate. EAPTLS_CertificateType
>                 # specifies the type of the file. Can be PEM or ASN1
>                 # defaults to ASN1
>                 EAPTLS_CertificateFile /home/test/ca/cert2.pem
>                 EAPTLS_CertificateType PEM
>
>                 # EAPTLS_PrivateKeyFile is the name of the file containing
>                 # the servers private key. It is sometimes in the same file
>                 # as the server certificate (EAPTLS_CertificateFile)
>                 # If the private key is encrypted (usually the case)
>                 # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>                 EAPTLS_PrivateKeyFile /home/test/ca/key2.pem
>                 EAPTLS_PrivateKeyPassword test1234
>
>                 # EAPTLS_RandomFile is an optional file containing
>                 # randomness
> #               EAPTLS_RandomFile %D/certificates/random
>
>                 # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>                 # size that will be replied by Radiator. It must be small
>                 # enough to fit in a single Radius request (ie less than
>                 # 4096) and still leave enough space for other attributes.
>                 # Aironet APs seem to need a smaller MaxFragmentSize
>                 # (eg 1024) than the default of 2048. Others need even
>                 # smaller sizes.
>                 EAPTLS_MaxFragmentSize 1024
>
>                 # EAPTLS_DHFile if set specifies the DH group file. It
>                 # may be required if you need to use ephemeral DH keys.
> #               EAPTLS_DHFile %D/certificates/cert/dh
>
>
>                 # If EAPTLS_CRLCheck is set and the client presents a
>                 # certificate then Radiator will look for a certificate
>                 # revocation list (CRL) for the certificate issuer
>                 # when authenticating each client. If a CRL file is not
>                 # found, or if the CRL says the certificate has been
>                 # revoked, the authentication will fail with an error:
>                 #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>                 # One or more CRLs can be named with the EAPTLS_CRLFile
>                 # parameter.
>                 # Alternatively, CRLs may follow a file naming convention:
>                 #  the hash of the issuer subject name
>                 # and a suffix that depends on the serial number.
>                 # eg ab1331b2.r0, ab1331b2.r1 etc.
>                 # You can find out the hash of the issuer name in a CRL
>                 # with
>                 #  openssl crl -in crl.pem -hash -noout
>                 # CRLs with this name convention
>                 # will be searched in EAPTLS_CAPath, else in the openssl
>                 # certificates directory, typically
>                 # /usr/local/openssl/certs/
>                 # CRLs are expected to be in PEM format.
>                 # CRL files can be generated with openssl like this:
>                 #  openssl ca -gencrl -revoke cert-clt.pem
>                 #  openssl ca -gencrl -out crl.pem
>                 # Use of these flags requires Net_SSLeay-1.21 or later
>                 #EAPTLS_CRLCheck
>                 #EAPTLS_CRLFile %D/certificates/crl.pem
>                 #EAPTLS_CRLFile %D/certificates/revocations.pem
>
>                 # Some clients, depending on their configuration, may
>                 # require you to specify MPPE send and receive keys. This
>                 # _will_ be required if you select
>                 # 'Keys will be generated automatically for data privacy'
>                 # in the Funk Odyssey client Network Properties dialog.
>                 # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>                 # in the final Access-Accept
>                 AutoMPPEKeys
>
>                 # You can enable some warning messages from the Net::SSLeay
>                 # module by setting SSLeayTrace to an integer from 1 to 4
>                 # 1=ciphers, 2=trace, 3=dump data
>                 SSLeayTrace 4
>
>                 # You can configure the User-Name that will be used for the
>                 # inner authentication. Defaults to 'anonymous'. This can be
>                 # useful when proxying the inner authentication. If there is
>                 # a realm, it can be used to choose a local Realm to handle
>                 # the inner authentication.
>                 # %0 is replaced with the EAP identity
>                 # EAPAnonymous anonymous at some.other.realm
>
>                 # You can enable or disable support for TTLS Session
>                 # Resumption and PEAP Fast Reconnect with the
>                 # EAPTLS_SessionResumption flag. Default is enabled
>                 #EAPTLS_SessionResumption 0
>
>                 # You can limit how long after the initial session that a
>                 # session can be resumed with EAPTLS_SessionResumptionLimit
>                 # (time in seconds). Defaults to 43200 (12 hours)
>                 #EAPTLS_SessionResumptionLimit 10
>
>                 # You can control which version of the draft PEAP protocol
>                 # to honour with EAPTLS_PEAPVersion. Defaults to 1. Set it
>                 # to 0 for unusual clients, such as Funk Odyssey Client
>                 # 2.22 or later.
>                 EAPTLS_PEAPVersion 0
>         </AuthBy>
> </Handler>
> -------------------------------------------------------------------
>
>
> (Results)
> Details below.
> -------------------------------------------------------------------
> Sat Nov  8 15:27:19 2003: DEBUG: Finished reading configuration file '/etc/eap_peap.cfg'
> Sat Nov  8 15:27:19 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Sat Nov  8 15:27:19 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary.cisco'
> Sat Nov  8 15:27:20 2003: DEBUG: Creating authentication port 0.0.0.0:1812
> Sat Nov  8 15:27:20 2003: DEBUG: Creating accounting port 0.0.0.0:1813
> Sat Nov  8 15:27:20 2003: NOTICE: Server started: Radiator 3.7.1 on test1.test.com
> Sat Nov  8 15:29:32 2003: DEBUG: Packet dump:
> *** Received from aaa.bbb.ccc.ddd port 1457 ....
> Code:       Access-Request
> Identifier: 158
> Authentic:  -<130>b9<143>i<175>M<223><16><179>r<2>l<223><30>
> Attributes:
>         User-Name = "nagataki at test.com"
>         cisco-avpair = "ssid=TEST-SPOT"
>         NAS-IP-Address = aaa.bbb.ccc.ddd
>         Called-Station-Id = "000c30da9d03"
>         Calling-Station-Id = "00022d559b41"
>         NAS-Identifier = "Test-AP-1"
>         NAS-Port = 37
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login
>         EAP-Message = <2><20><0><27><1>nagataki at test.com
>         Message-Authenticator = <248>6<152>4<171><26><244><210>c3%1z<151>S<152>
>
> Sat Nov  8 15:29:32 2003: DEBUG: Rewrote user name to nagataki
> Sat Nov  8 15:29:32 2003: DEBUG: Rewrote user name to nagataki
> Sat Nov  8 15:29:32 2003: DEBUG: Handling request with Handler ''
> Sat Nov  8 15:29:32 2003: DEBUG:  Deleting session for nagataki at test.com, aaa.bbb.ccc.ddd, 37
> Sat Nov  8 15:29:32 2003: DEBUG: Handling with Radius::AuthDBFILE:
> Sat Nov  8 15:29:32 2003: DEBUG: Handling with EAP: code 2, 20, 27
> Sat Nov  8 15:29:32 2003: DEBUG: Response type 1
> Sat Nov  8 15:29:33 2003: DEBUG: EAP result: 3, EAP PEAP Challenge
> Sat Nov  8 15:29:33 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
> Sat Nov  8 15:29:33 2003: DEBUG: Packet dump:
> *** Sending to aaa.bbb.ccc.ddd port 1457 ....
> Code:       Access-Challenge
> Identifier: 158
> Authentic:  -<130>b9<143>i<175>M<223><16><179>r<2>l<223><30>
> Attributes:
>         EAP-Message = <1><21><0><6><25>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sat Nov  8 15:29:33 2003: DEBUG: Packet dump:
> *** Received from aaa.bbb.ccc.ddd port 1458 ....
> Code:       Access-Request
> Identifier: 159
> Authentic:  r<216><178><194><202>|<15><129>bdj<165><236>G<139><173>
> Attributes:
>         User-Name = "nagataki at test.com"
>         cisco-avpair = "ssid=TEST-SPOT"
>         NAS-IP-Address = aaa.bbb.ccc.ddd
>         Called-Station-Id = "000c30da9d03"
>         Calling-Station-Id = "00022d559b41"
>         NAS-Identifier = "Test-AP-1"
>         NAS-Port = 37
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login
>         EAP-Message = <2><21><0><6><3><17>
>         Message-Authenticator = <221><216><210><166><187><199>Y<229>%<185>)<247> <255><199><246><158>
>
> Sat Nov  8 15:29:33 2003: DEBUG: Rewrote user name to nagataki
> Sat Nov  8 15:29:33 2003: DEBUG: Rewrote user name to nagataki
> Sat Nov  8 15:29:33 2003: DEBUG: Handling request with Handler ''
> Sat Nov  8 15:29:33 2003: DEBUG:  Deleting session for nagataki at test.com, aaa.bbb.ccc.ddd, 37
> Sat Nov  8 15:29:33 2003: DEBUG: Handling with Radius::AuthDBFILE:
> Sat Nov  8 15:29:33 2003: DEBUG: Handling with EAP: code 2, 21, 6
> Sat Nov  8 15:29:33 2003: DEBUG: Response type 3
> Sat Nov  8 15:29:33 2003: INFO: EAP Nak desires type 17
> Sat Nov  8 15:29:33 2003: DEBUG: EAP result: 3, EAP LEAP Challenge
> Sat Nov  8 15:29:33 2003: DEBUG: Access challenged for nagataki: EAP LEAP Challenge
> Sat Nov  8 15:29:33 2003: DEBUG: Packet dump:
> *** Sending to aaa.bbb.ccc.ddd port 1458 ....
> Code:       Access-Challenge
> Identifier: 159
> Authentic:  r<216><178><194><202>|<15><129>bdj<165><236>G<139><173>
> Attributes:
>         EAP-Message = <1><22><0>&<17><1><0><8><202>|<190><158><214><153>"<182>nagataki at test.com
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Sat Nov  8 15:29:45 2003: DEBUG: Packet dump:
> *** Received from aaa.bbb.ccc.ddd port 1459 ....
> Code:       Access-Request
> Identifier: 160
> Authentic:  <6>(<20>/<242>]<189>/<180><153><157><156>5<192><131><11>
> Attributes:
>         User-Name = "nagataki at test.com"
>         cisco-avpair = "ssid=TEST-SPOT"
>         NAS-IP-Address = aaa.bbb.ccc.ddd
>         Called-Station-Id = "000c30da9d03"
>         Calling-Station-Id = "00022d559b41"
>         NAS-Identifier = "Test-AP-1"
>         NAS-Port = 37
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Service-Type = Login
>         EAP-Message = <2><22><0>6<17><1><0><24><169><153><196>f<169>%up<188>s<193><199><129>v<162><136><186><174><127><217><152>O<197><181>nagataki at test.com
>         Message-Authenticator = y<4><235>xS at m<178><189>E<128>%<135>#<244><157>
>
> Sat Nov  8 15:29:45 2003: DEBUG: Rewrote user name to nagataki
> Sat Nov  8 15:29:45 2003: DEBUG: Rewrote user name to nagataki
> Sat Nov  8 15:29:45 2003: DEBUG: Handling request with Handler ''
> Sat Nov  8 15:29:45 2003: DEBUG:  Deleting session for nagataki at test.com, aaa.bbb.ccc.ddd, 37
> Sat Nov  8 15:29:45 2003: DEBUG: Handling with Radius::AuthDBFILE:
> Sat Nov  8 15:29:45 2003: DEBUG: Handling with EAP: code 2, 22, 54
> Sat Nov  8 15:29:45 2003: DEBUG: Response type 17
> Sat Nov  8 15:29:45 2003: DEBUG: Radius::AuthDBFILE looks for match with nagataki at test.com
> Sat Nov  8 15:29:45 2003: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user nagataki at test.com
> Sat Nov  8 15:29:45 2003: INFO: Access rejected for nagataki: EAP MSCHAP V2 failed: no such user nagataki at test.com
> Sat Nov  8 15:29:45 2003: DEBUG: Packet dump:
> *** Sending to aaa.bbb.ccc.ddd port 1459 ....
> Code:       Access-Reject
> Identifier: 160
> Authentic:  <6>(<20>/<242>]<189>/<180><153><157><156>5<192><131><11>
> Attributes:
>         EAP-Message = <4><22><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"
> -------------------------------------------------------------------
>
> What causes the problem?
>
> So I need your help to resolve this problem.
> Please give me any ideas.
>
> Thank you in advance.
>
> Best Regards.
>
> Masa

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: EAP_17.pm
Type: text/x-perl
Size: 5051 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20031110/f19c1cf0/attachment.bin>
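As an added illustration (not code from this thread or from Radiator itself), the following Python model shows the mismatch the reply describes: the RewriteUsername rule from the quoted config is applied to the RADIUS User-Name, but the DBFILE lookup for the LEAP/MS-CHAP-V2 inner authentication is keyed on the EAP identity carried inside EAP-Message, which still contains the realm unless the rewrite is applied to it too. The EAP Identity packet layout, the users table and the sample identity are constructed assumptions (the archive renders "@" as " at ").

```python
import re

# RewriteUsername rule from the quoted config: keep everything before the first '@'
REWRITE_USERNAME = (re.compile(r"^([^@]+).*"), r"\1")

# Constructed stand-in for the DBFILE 'users' file: entries are stored without a realm
USERS = {"nagataki": "constructed-password"}

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def build_identity_response(ident: int, identity: str) -> bytes:
    """Encode an EAP Identity Response: code, id, 2-byte length, type, identity bytes."""
    data = identity.encode()
    length = 5 + len(data)
    return (bytes([EAP_RESPONSE, ident]) + length.to_bytes(2, "big")
            + bytes([EAP_TYPE_IDENTITY]) + data)


def parse_eap_identity(eap_message: bytes) -> str:
    """Decode an EAP Identity Response, checking the length field against the packet."""
    if len(eap_message) < 5:
        raise ValueError("EAP packet too short")
    code, eap_type = eap_message[0], eap_message[4]
    length = int.from_bytes(eap_message[2:4], "big")
    if length != len(eap_message):
        raise ValueError(f"EAP length {length} does not match packet size {len(eap_message)}")
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Identity Response")
    return eap_message[5:].decode()


def rewrite(name: str) -> str:
    pattern, repl = REWRITE_USERNAME
    return pattern.sub(repl, name)


def authenticate(user_name: str, eap_message: bytes, rewrite_eap_identity: bool):
    """Return (radius_name, eap_identity, user_found).

    rewrite_eap_identity=False models the behaviour in the quoted log: only the
    RADIUS User-Name is rewritten, so the lookup keyed on the EAP identity fails.
    rewrite_eap_identity=True models the patched behaviour described in the reply.
    """
    radius_name = rewrite(user_name)
    identity = parse_eap_identity(eap_message)
    if rewrite_eap_identity:
        identity = rewrite(identity)
    return radius_name, identity, identity in USERS


# Constructed request modelled on the first Access-Request in the quoted log
SAMPLE_USER_NAME = "nagataki@test.com"
SAMPLE_EAP = build_identity_response(20, SAMPLE_USER_NAME)

if __name__ == "__main__":
    for fixed in (False, True):
        print("RewriteUsername applied to EAP identity:", fixed,
              "->", authenticate(SAMPLE_USER_NAME, SAMPLE_EAP, fixed))
```

Run stand-alone it prints one line per mode; the unfixed mode reproduces the "no such user" outcome from the log, the fixed mode finds the entry.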

