(RADIATOR) Authentication failure in leap when Username including domain-suffix
nagataki at nri-net.com
Mon Nov 10 02:05:12 CST 2003
Hello,
Thank you for the quick response, Mike.
I downloaded the newest patches from www.open.com.au and applied them,
but LEAP authentication still does not work properly.
The environment is no different from before, except for applying the patches.
The result is written below. (What is the "Access-Accept" in the log?)
-------------------------------------------------------------------
Mon Nov 10 15:41:03 2003: DEBUG: Finished reading configuration file '/etc/eap_peap.cfg'
Mon Nov 10 15:41:03 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Mon Nov 10 15:41:04 2003: DEBUG: Reading dictionary file '/etc/radiator/dictionary.cisco'
Mon Nov 10 15:41:04 2003: DEBUG: Creating authentication port 0.0.0.0:1812
Mon Nov 10 15:41:04 2003: DEBUG: Creating accounting port 0.0.0.0:1813
Mon Nov 10 15:41:04 2003: NOTICE: Server started: Radiator 3.7.1 on test1.test.com
Mon Nov 10 15:43:41 2003: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 1516 ....
Code: Access-Request
Identifier: 204
Authentic: <157><10><174>9:m<129>tQ<183><174><3>v}M>
Attributes:
User-Name = "nagataki at test.com"
cisco-avpair = "ssid=TEST-SPOT"
NAS-IP-Address = aaa.bbb.ccc.ddd
Called-Station-Id = "000c30da9d03"
Calling-Station-Id = "00022d559b41"
NAS-Identifier = "TEST-AP-1"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login
EAP-Message = <2><13><0><27><1>nagataki at test.com
Message-Authenticator = <239><23><10><159><242><230><198><207><131>A1Z<163><136>P<238>
Mon Nov 10 15:43:41 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:41 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:41 2003: DEBUG: Handling request with Handler ''
Mon Nov 10 15:43:41 2003: DEBUG: Deleting session for nagataki at test.com, aaa.bbb.ccc.ddd, 37
Mon Nov 10 15:43:41 2003: DEBUG: Handling with Radius::AuthDBFILE:
Mon Nov 10 15:43:41 2003: DEBUG: Handling with EAP: code 2, 13, 27
Mon Nov 10 15:43:41 2003: DEBUG: Response type 1
Mon Nov 10 15:43:41 2003: DEBUG: EAP result: 3, EAP PEAP Challenge
Mon Nov 10 15:43:41 2003: DEBUG: Access challenged for nagataki: EAP PEAP Challenge
Mon Nov 10 15:43:41 2003: DEBUG: Packet dump:
*** Sending to aaa.bbb.ccc.ddd port 1516 ....
Code: Access-Challenge
Identifier: 204
Authentic: <157><10><174>9:m<129>tQ<183><174><3>v}M>
Attributes:
EAP-Message = <1><14><0><6><25>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Mon Nov 10 15:43:41 2003: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 1517 ....
Code: Access-Request
Identifier: 205
Authentic: <2>4<138><161>N2<214>R<242>}.6}an<134>
Attributes:
User-Name = "nagataki at test.com"
cisco-avpair = "ssid=TEST-SPOT"
NAS-IP-Address = aaa.bbb.ccc.ddd
Called-Station-Id = "000c30da9d03"
Calling-Station-Id = "00022d559b41"
NAS-Identifier = "TEST-AP-1"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login
EAP-Message = <2><14><0><6><3><17>
Message-Authenticator = <159><195><29>E<216><247>U<241><184>1*^hWxl
Mon Nov 10 15:43:41 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:41 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:41 2003: DEBUG: Handling request with Handler ''
Mon Nov 10 15:43:41 2003: DEBUG: Deleting session for nagataki at test.com, 202.48.98.47, 37
Mon Nov 10 15:43:41 2003: DEBUG: Handling with Radius::AuthDBFILE:
Mon Nov 10 15:43:41 2003: DEBUG: Handling with EAP: code 2, 14, 6
Mon Nov 10 15:43:41 2003: DEBUG: Response type 3
Mon Nov 10 15:43:41 2003: INFO: EAP Nak desires type 17
Mon Nov 10 15:43:41 2003: DEBUG: EAP result: 3, EAP LEAP Challenge
Mon Nov 10 15:43:41 2003: DEBUG: Access challenged for nagataki: EAP LEAP Challenge
Mon Nov 10 15:43:41 2003: DEBUG: Packet dump:
*** Sending to aaa.bbb.ccc.ddd port 1517 ....
Code: Access-Challenge
Identifier: 205
Authentic: <2>4<138><161>N2<214>R<242>}.6}an<134>
Attributes:
EAP-Message = <1><15><0>&<17><1><0><8><159><21><143><167><172>R<220>snagataki at test.com
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Mon Nov 10 15:43:55 2003: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 1518 ....
Code: Access-Request
Identifier: 206
Authentic: g8<23>r<175><251><24>x<20><29><176><248>05'<171>
Attributes:
User-Name = "nagataki at test.com"
cisco-avpair = "ssid=TEST-SPOT"
NAS-IP-Address = aaa.bbb.ccc.ddd
Called-Station-Id = "000c30da9d03"
Calling-Station-Id = "00022d559b41"
NAS-Identifier = "TEST-AP-1"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login
EAP-Message = <2><15><0>6<17><1><0><24><223>&<19>%<221> <219>*,x<194><206><8><247>gZ[0<213><253><136><25><237><225>nagataki at test.com
Message-Authenticator = jA<137><201><183>m<134>m<235><4>)<131><28><210>4e
Mon Nov 10 15:43:55 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:55 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:55 2003: DEBUG: Handling request with Handler ''
Mon Nov 10 15:43:55 2003: DEBUG: Deleting session for nagataki at test.com, 202.48.98.47, 37
Mon Nov 10 15:43:55 2003: DEBUG: Handling with Radius::AuthDBFILE:
Mon Nov 10 15:43:55 2003: DEBUG: Handling with EAP: code 2, 15, 54
Mon Nov 10 15:43:55 2003: DEBUG: Response type 17
Mon Nov 10 15:43:55 2003: DEBUG: Rewrote identity to nagataki
Mon Nov 10 15:43:55 2003: DEBUG: Radius::AuthDBFILE looks for match with nagataki
Mon Nov 10 15:43:55 2003: DEBUG: Radius::AuthDBFILE ACCEPT:
Mon Nov 10 15:43:55 2003: DEBUG: EAP result: 0,
Mon Nov 10 15:43:55 2003: DEBUG: Access accepted for nagataki
Mon Nov 10 15:43:55 2003: DEBUG: Packet dump:
*** Sending to aaa.bbb.ccc.ddd port 1518 ....
Code: Access-Accept
Identifier: 206
Authentic: g8<23>r<175><251><24>x<20><29><176><248>05'<171>
Attributes:
EAP-Message = <3><15><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Mon Nov 10 15:43:55 2003: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 1519 ....
Code: Access-Request
Identifier: 207
Authentic: <128><194><14><140>4m<238><240><253><143><16><197><178>./~
Attributes:
User-Name = "nagataki at test.com"
cisco-avpair = "ssid=TEST-SPOT"
NAS-IP-Address = aaa.bbb.ccc.ddd
Called-Station-Id = "000c30da9d03"
Calling-Station-Id = "00022d559b41"
NAS-Identifier = "TEST-AP-1"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login
EAP-Message = <1><15><0>&<17><1><0><8><245><195><130><245><2><172>><196>nagataki at test.com
Message-Authenticator = .<<239><220><24><139>d<201><207><158><22><144><155><236><183>!
Mon Nov 10 15:43:55 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:55 2003: DEBUG: Rewrote user name to nagataki
Mon Nov 10 15:43:55 2003: DEBUG: Handling request with Handler ''
Mon Nov 10 15:43:55 2003: DEBUG: Deleting session for nagataki at test.com, 202.48.98.47, 37
Mon Nov 10 15:43:55 2003: DEBUG: Handling with Radius::AuthDBFILE:
Mon Nov 10 15:43:55 2003: DEBUG: Handling with EAP: code 1, 15, 38
Mon Nov 10 15:43:55 2003: DEBUG: EAP Request 17
Mon Nov 10 15:43:55 2003: DEBUG: Radius::AuthDBFILE looks for match with nagataki at test.com
Mon Nov 10 15:43:55 2003: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user nagataki at test.com
Mon Nov 10 15:43:55 2003: INFO: Access rejected for nagataki: EAP MSCHAP V2 failed: no such user nagataki at test.com
Mon Nov 10 15:43:55 2003: DEBUG: Packet dump:
*** Sending to aaa.bbb.ccc.ddd port 1519 ....
Code: Access-Reject
Identifier: 207
Authentic: <128><194><14><140>4m<238><240><253><143><16><197><178>./~
Attributes:
EAP-Message = <4><15><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
-------------------------------------------------------------------
Please tell me what's wrong.
Thank you in advance.
> Hello,
>
> The problem here was that the LEAP identity being sent by the client was
> nagataki at test.com, and although you had a RewriteUsername to rewrite the
> Radius user name it had no effect on the LEAP identity.
>
> We have now posted a patch so that RewriteUsername also affects the LEAP
> identity. That should fix your problem. The new version of EAP_17.pm has also
> been attached. Please let us know how you get on.
>
> Cheers.
>
>
> On Mon, 10 Nov 2003 01:17 pm, nagataki at nri-net.com wrote:
> > Hi everyone,
> >
> > I'm testing a wireless LAN connection using PEAP (MS-CHAP-V2) and LEAP.
> > But I have a problem with LEAP (everything looks OK with PEAP) and
> > can't see what is incorrect.
> >
> >
> > (Prerequisites (summary))
> > 1. Radiator server version is 3.7.1 with the newest(?) patches applied
> > (downloaded on 21 Oct.)
> > 2. Clients are using Funk Odyssey Client 2.22 and Windows XP Home Edition
> > 3. The Username includes "@domain-suffix"
> > (When "@domain-suffix" is excluded from the Username, the test passes)
> > 4. User authentication uses DBFile.
> > 5. The config file is shown below.
> > -------------------------------------------------------------------
> > #Foreground
> > #LogStdout
> > LogDir /var/log
> > #DbDir /etc/raddb
> > AuthPort 1812
> > AcctPort 1813
> > DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.cisco
> > # Use a lower trace level in production systems:
> > Trace 4
> > RewriteUsername s/^([^@]+).*/$1/
> >
> > # You will probably want to add other Clients to suit your site,
> > # one for each NAS you want to work with
> > <Client aaa.bbb.ccc.ddd>
> >     Secret test
> >     DupInterval 0
> >     RewriteUsername s/^([^@]+).*/$1/
> > </Client>
> >
> > # This is where we authenticate a PEAP inner request, which will be an EAP
> > # request. The username of the inner request will be anonymous, although
> > # the identity of the EAP request will be the real username we are
> > # trying to authenticate.
> > <Handler TunnelledByPEAP=1>
> >     #<AuthBy FILE>
> >     <AuthBy DBFILE>
> >         Filename /etc/raddb/users
> >         RewriteUsername s/^([^@]+).*/$1/
> >
> >         # This tells the PEAP client what types of inner EAP requests
> >         # we will honour
> >         EAPType PEAP,MSCHAP-V2
> >     </AuthBy>
> > </Handler>
> >
> >
> > # The original PEAP request from a NAS will be sent to a matching
> > # Realm or Handler in the usual way, where it will be unpacked and the
> > # inner authentication extracted.
> > # The inner authentication request will be sent again to a matching
> > # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to
> > # select a specific handler, or else you can use EAPAnonymous to set a
> > # username and realm which can be used to select a Realm clause for the
> > # inner request.
> > # This allows you to select an inner authentication method based on Realm,
> > # and/or the fact that they were tunnelled. You can therefore act just as a
> > # PEAP server, or also act as the AAA/H home server, and authenticate PEAP
> > # requests locally or proxy them to another remote server based on the
> > # realm of the inner authentication request.
> > # In this basic example, both the inner and outer authentication are
> > # authenticated from a file by AuthBy FILE
> > <Handler>
> >     #<AuthBy FILE>
> >     <AuthBy DBFILE>
> >         # The username of the outer authentication
> >         # must be in this file to get anywhere. In this example,
> >         # it requires an entry for 'anonymous' which is the standard
> >         # username in the outer requests, and it also requires an entry
> >         # for the actual user name who is trying to connect (ie the
> >         # 'Login name' entered in the Funk Odyssey 'Edit Profile
> >         # Properties' page)
> >         Filename /etc/raddb/users
> >         RewriteUsername s/^([^@]+).*/$1/
> >
> >         # EAPType sets the EAP type(s) that Radiator will honour.
> >         # Options are: MD5-Challenge, One-Time-Password
> >         # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> >         # Multiple types can be comma separated. With the default
> >         # (most preferred) type given first
> >         EAPType PEAP,MSCHAP-V2,LEAP
> >
> >         # EAPTLS_CAFile is the name of a file of CA certificates
> >         # in PEM format. The file can contain several CA certificates
> >         # Radiator will first look in EAPTLS_CAFile then in
> >         # EAPTLS_CAPath, so there usually is no need to set both
> >         EAPTLS_CAFile /home/test/ca/ca2.pem
> >
> >         # EAPTLS_CAPath is the name of a directory containing CA
> >         # certificates in PEM format. The files each contain one
> >         # CA certificate. The files are looked up by the CA
> >         # subject name hash value
> >         EAPTLS_CAPath /home/test/ca
> >
> >         # EAPTLS_CertificateFile is the name of a file containing
> >         # the server's certificate. EAPTLS_CertificateType
> >         # specifies the type of the file. Can be PEM or ASN1
> >         # defaults to ASN1
> >         EAPTLS_CertificateFile /home/test/ca/cert2.pem
> >         EAPTLS_CertificateType PEM
> >
> >         # EAPTLS_PrivateKeyFile is the name of the file containing
> >         # the server's private key. It is sometimes in the same file
> >         # as the server certificate (EAPTLS_CertificateFile)
> >         # If the private key is encrypted (usually the case)
> >         # then EAPTLS_PrivateKeyPassword is the key to decrypt it
> >         EAPTLS_PrivateKeyFile /home/test/ca/key2.pem
> >         EAPTLS_PrivateKeyPassword test1234
> >
> >         # EAPTLS_RandomFile is an optional file containing
> >         # randomness
> >         # EAPTLS_RandomFile %D/certificates/random
> >
> >         # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> >         # size that will be replied by Radiator. It must be small
> >         # enough to fit in a single Radius request (ie less than 4096)
> >         # and still leave enough space for other attributes
> >         # Aironet APs seem to need a smaller MaxFragmentSize
> >         # (eg 1024) than the default of 2048. Others need even smaller sizes.
> >         EAPTLS_MaxFragmentSize 1024
> >
> >         # EAPTLS_DHFile if set specifies the DH group file. It
> >         # may be required if you need to use ephemeral DH keys.
> >         # EAPTLS_DHFile %D/certificates/cert/dh
> >
> >
> >         # If EAPTLS_CRLCheck is set and the client presents a certificate
> >         # then Radiator will look for a certificate revocation list (CRL)
> >         # for the certificate issuer
> >         # when authenticating each client. If a CRL file is not found, or
> >         # if the CRL says the certificate has been revoked, the
> >         # authentication will fail with an error:
> >         # SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> >         # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
> >         # Alternatively, CRLs may follow a file naming convention:
> >         # the hash of the issuer subject name
> >         # and a suffix that depends on the serial number.
> >         # eg ab1331b2.r0, ab1331b2.r1 etc.
> >         # You can find out the hash of the issuer name in a CRL with
> >         # openssl crl -in crl.pem -hash -noout
> >         # CRLs with this name convention
> >         # will be searched in EAPTLS_CAPath, else in the openssl
> >         # certificates directory typically /usr/local/openssl/certs/
> >         # CRLs are expected to be in PEM format.
> >         # A CRL file can be generated with openssl like this:
> >         # openssl ca -gencrl -revoke cert-clt.pem
> >         # openssl ca -gencrl -out crl.pem
> >         # Use of these flags requires Net_SSLeay-1.21 or later
> >         #EAPTLS_CRLCheck
> >         #EAPTLS_CRLFile %D/certificates/crl.pem
> >         #EAPTLS_CRLFile %D/certificates/revocations.pem
> >
> >         # Some clients, depending on their configuration, may require you
> >         # to specify MPPE send and receive keys. This _will_ be required
> >         # if you select 'Keys will be generated automatically for data
> >         # privacy' in the Funk Odyssey client Network Properties dialog.
> >         # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> >         # in the final Access-Accept
> >         AutoMPPEKeys
> >
> >         # You can enable some warning messages from the Net::SSLeay
> >         # module by setting SSLeayTrace to an integer from 1 to 4
> >         # 1=ciphers, 2=trace, 3=dump data
> >         SSLeayTrace 4
> >
> >         # You can configure the User-Name that will be used for the inner
> >         # authentication. Defaults to 'anonymous'. This can be useful
> >         # when proxying the inner authentication. If there is a realm, it
> >         # can be used to choose a local Realm to handle the inner
> >         # authentication.
> >         # %0 is replaced with the EAP identity
> >         # EAPAnonymous anonymous at some.other.realm
> >
> >         # You can enable or disable support for TTLS Session Resumption and
> >         # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
> >         # Default is enabled
> >         #EAPTLS_SessionResumption 0
> >
> >         # You can limit how long after the initial session that a session
> >         # can be resumed with EAPTLS_SessionResumptionLimit (time in
> >         # seconds). Defaults to 43200 (12 hours)
> >         #EAPTLS_SessionResumptionLimit 10
> >
> >         # You can control which version of the draft PEAP protocol to honour
> >         # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual
> >         # clients, such as Funk Odyssey Client 2.22 or later.
> >         EAPTLS_PEAPVersion 0
> >     </AuthBy>
> > </Handler>
> > -------------------------------------------------------------------
Best Regards.
Masa
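As an added illustration (not code from the thread or from Radiator), the following Python decodes the `<NNN>` byte notation that Radiator's packet dump uses for EAP-Message, pulls the identity out of the Identity and LEAP exchanges shown in the log, and applies the thread's RewriteUsername rule to it. The sample messages are constructed in the log's format with a shorter, un-obfuscated name, so their lengths differ from the log; the point it shows is why, before Mike's patch, the DBFILE lookup in the LEAP phase used the un-rewritten `nagataki@test.com` while the RADIUS User-Name had already become `nagataki`.

```python
import re

# Constructed samples in the format of Radiator's Trace 4 packet dump: non-printable
# bytes appear as <NNN> (decimal), printable bytes literally. Name shorter than in the log.
IDENTITY_RESPONSE = "<2><13><0><22><1>nagataki@test.com"    # 5 header/type + 17 = 22
NAK_RESPONSE = "<2><14><0><6><3><17>"                        # Nak wanting type 17 (LEAP)
LEAP_CHALLENGE = "<1><15><0>!<17><1><0><8><159><21><143><167><172>R<220>snagataki@test.com"  # '!' = 33
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 17: "LEAP", 25: "PEAP"}
# RewriteUsername s/^([^@]+).*/$1/ from the thread's config, as a Python regex
REWRITE = re.compile(r"^([^@]+).*")

def decode_dump(s: str) -> bytes:
    """Turn a packet-dump value into raw bytes; a bare '<' or '>' is a literal byte."""
    out, i = bytearray(), 0
    while i < len(s):
        m = re.match(r"<(\d{1,3})>", s[i:])
        if m:
            out.append(int(m.group(1)))
            i += m.end()
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)

def parse_eap(s: str) -> dict:
    """Parse the EAP header and, for Identity and LEAP packets, the identity carried."""
    b = decode_dump(s)
    code, length = b[0], (b[2] << 8) | b[3]
    info = {"code": EAP_CODES.get(code, code), "id": b[1], "length": length}
    if code in (1, 2) and length > 4:
        etype = b[4]
        info["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:                    # Identity: name follows the type byte
            info["identity"] = b[5:length].decode("latin-1")
        elif etype == 3:                  # Nak: list of desired types
            info["desired"] = [EAP_TYPES.get(t, t) for t in b[5:length]]
        elif etype == 17:                 # LEAP: version, reserved, count, data, name
            count = b[7]
            info["identity"] = b[8 + count:length].decode("latin-1")
    return info

def rewrite(name: str) -> str:
    """Strip '@domain-suffix' exactly as the RewriteUsername rule does."""
    return REWRITE.sub(r"\1", name)

def lookup_name(eap_message: str, rewrite_identity: bool) -> str:
    """Name the DBFILE lookup sees; before the patch only User-Name was rewritten."""
    identity = parse_eap(eap_message).get("identity", "")
    return rewrite(identity) if rewrite_identity else identity
```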
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.