(RADIATOR) EAP-MD5 is not stripping realm

Hugh Irvine hugh at open.com.au
Thu Aug 5 02:27:32 CDT 2004


Hello Jan -

Thanks for reporting this - there is a patch now available in the patches area to fix the problem.

Please let us know how you get on.

regards

Hugh


On 4 Aug 2004, at 22:23, Jan Tomasek wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
> I just found some bug in my Radiator configuration. For some reason it
> doesn't strip realm from user name. It searches in LDAP for
> "(uid=semik at cesnet.cz)" but only for EAP-MD5! EAP-TTLS and EAP-PEAP seem to be working.
>
> Radiator configuration is attached. Please can someone check it, what am I
> doing wrong? Please note that in the logs Radiator says "Access accepted..":
> that is just because I added uid=semik at cesnet.cz to my entry to be able
> to continue testing.
>
> Log from LDAP server:
>
> [04/Aug/2004:13:49:18 +0200] conn=1530468 op=1 msgId=4 - SRCH base="dc=cesnet,dc=cz" scope=2 filter="(uid=semik at cesnet.cz)" attrs="radiusPassword"
> [04/Aug/2004:13:49:18 +0200] conn=1530468 op=1 msgId=4 - RESULT err=0 tag=101 nentries=1 etime=0
>
>
> Radiator LOG file (I deleted "Wed Aug  4 13:49:18 2004: DEBUG/INFO:" to prevent line wrap):
>
> Handling request with Handler 'Realm=/^cesnet\.cz$|^radius1\.cesnet\.cz$/'
> Rewrote user name to semik
> Rewrote user name to semik
>  Deleting session for semik at cesnet.cz, 195.113.205.155, 425
> Handling with Radius::AuthLDAP2: CheckLDAP
> Handling with EAP: code 2, 3, 37
> Response type 4
> Connecting to localhost, port 389
> Attempting to bind to LDAP server localhost:389)
> LDAP got result for uid=semik,ou=People,dc=cesnet,dc=cz
> LDAP got radiusPassword: heslo
> Radius::AuthLDAP2 looks for match with semik at cesnet.cz
> Radius::AuthLDAP2 ACCEPT:
> EAP result: 0,
> DEBUG: Access accepted for semik
> Packet dump:
> *** Sending to 195.113.205.155 port 21645 ....
> Code:       Access-Accept
> Identifier: 254
> Authentic:  <29>#l<227>,<137><152>/<189><237><<8>~<192>Z<7>
> Attributes:
>         Tunnel-Type = 1:VLAN
>         Tunnel-Medium-Type = 1:Ether_802
>         Tunnel-Private-Group-ID = 1:100
>
>
> I will be very thankful for any help
> --
> --------------------------------------------------------------
> Jan Tomasek aka Semik           work: CESNET, z.s.p.o.
> http://www.tomasek.cz/                Zikova 4, 160 00 Praha 6
>                                       Czech Republic
> phone(work): +420 2 2435 5279         http://www.cesnet.cz/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBENU279++DGvj6tMRAjAHAJ46s/4Qx748TsxTs2MjaMxwFfQQCgCgpklq
> KBogv0QwOMAnoNJPorMXHtk=
> =UtdR
> -----END PGP SIGNATURE-----
> Foreground
> LogStdout
> Trace		4
> LogDir		/var/log/radiator
> DbDir		/home/semik/iproj/Radiator-Demo-3.9
>
> <AuthLog SYSLOG>
> 		Identifier authlogger
> 		Facility	local7
> 		LogSuccess	1
> 		LogFailure	1
> 		SuccessFormat	%U:%P:OK
> 		FailureFormat	%U:%P:FAIL
> </AuthLog>
> <Log SYSLOG>
> 		Facility	local7
> 		LogIdent	radiator
> 		Trace		4
> </Log>
>
> AuthPort	1645,1812
> AcctPort	1646,1813
>
> <Client localhost>
> 	Secret		mysecret
> 	DupInterval 	0
> </Client>
>
> <Client DEFAULT>
> 	Secret		xxx
> </Client>
>
> # -- Definition of local authentication ---------------------------------------
> <AuthBy LDAP2>
> 	Identifier CheckLDAP
>
> 	# Strip realm
> 	RewriteUsername		s/^(.*?)\@.*$/$1/
> 	# Convert user name to lowercase
> 	RewriteUsername		tr/A-Z/a-z/
>
> 	Host		localhost
>
> 	AuthDN		uid=rad1,ou=Special Users,dc=cesnet,dc=cz
> 	AuthPassword	xxx
>
> 	BaseDN		dc=cesnet,dc=cz
> 	UsernameAttr	uid
> 	PasswordAttr    radiusPassword
>
> 	EAPType		PEAP,TTLS,TLS,MSCHAP-V2,MD5,MD5-Challenge
>
> 	EAPTLS_CAFile	/etc/ssl/certs/trusted-CA-list.crt
> 	EAPTLS_CertificateFile	/etc/ssl/certs/radius_radius1.eduroam.cz.crt.pem
> 	EAPTLS_CertificateType	PEM
> 	EAPTLS_PrivateKeyFile	/etc/ssl/private/radius_radius1.eduroam.cz.key.pem
> 	#EAPTLS_PrivateKeyPassword whatever
>
> 	EAPTLS_MaxFragmentSize	1000
>
> 	EAPTLS_CRLCheck
> 	EAPTLS_CRLFile	/etc/ssl/ed99a497.r0
>
> 	EAPTLSRewriteCertificateCommonName s/Jan Tomasek/semik/
> 	EAPTLSRewriteCertificateCommonName s/Jan Ruzicka/janru/
> 	
> 	AutoMPPEKeys
>
> 	SSLeayTrace 0
>
> 	AllowInReply
> 	AddToReply	Tunnel-Type=1:VLAN,\
> 			Tunnel-Medium-Type=1:Ether_802,\
> 			Tunnel-Private-Group-ID=1:100
> </AuthBy>
>
> # -- Local realms -------------------------------------------------------------
> <Client saint.cesnet.cz>
>         Secret          xxx
> </Client>
>
> <Client radius1.eduroam.cz>
> 	Secret		xxx
> </Client>
>
> <Client ldap3.cesnet.cz> # radius2.eduroam.cz
> 	Secret		xxx
> </Client>
>
> <Handler Realm=/^cesnet\.cz$|^radius1\.cesnet\.cz$/>
> 	# Strip realm
> 	RewriteUsername		s/^(.*?)\@.*$/$1/
> 	# Convert user name to lowercase
> 	RewriteUsername		tr/A-Z/a-z/
>
> 	AuthBy	CheckLDAP
> 	AuthLog authlogger
> </Handler>
>
> <Handler TunnelledByTTLS=1>
> 	AuthBy	CheckLDAP
> 	AuthLog authlogger
> </Handler>
>
> <Handler TunnelledByPEAP=1>
> 	AuthBy	CheckLDAP
> 	AuthLog authlogger
> </Handler>
> # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> # -- Everything that is not ours is forwarded to the national RADIUS servers ------------------------
> <Handler>
>         <AuthBy RADIUS>
>                 <Host radius1.eduroam.cz>
>                         AuthPort        1812
>                         AcctPort        1813
>                         Secret          xxx
>                 </Host>
>                 <Host radius2.eduroam.cz>
>                         AuthPort        1812
>                         AcctPort        1813
>                         Secret          xxx
>                 </Host>
>         </AuthBy>
>
> 	AllowInReply
> 	AddToReply	Tunnel-Type=1:VLAN,\
> 			Tunnel-Medium-Type=1:Ether_802,\
> 			Tunnel-Private-Group-ID=1:100
> </Handler>
> # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
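The RewriteUsername rules in the quoted configuration (`s/^(.*?)\@.*$/$1/` followed by `tr/A-Z/a-z/`) and the LDAP-side check Jan used to spot the problem, as an added Python example that is not part of the original thread or of Radiator itself: it applies the same two rewrites to sample identities, builds the `(uid=...)` search filter from the rewritten name with RFC 4515 escaping of the value (escaping is a general good-practice assumption here, not something the thread says AuthBy LDAP2 does), and scans LDAP access-log lines in the format shown above for searches whose uid still carries a realm. The log lines in the block are constructed for the example and are not the original post's log.

```python
import re

# The two RewriteUsername rules from the quoted Radiator config, in Python:
#   Perl  s/^(.*?)\@.*$/$1/   -> keep everything before the first '@'
#   Perl  tr/A-Z/a-z/         -> ASCII-only lowercasing
REALM_STRIP = re.compile(r"^(.*?)@.*$")
ASCII_LOWER = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ",
                            "abcdefghijklmnopqrstuvwxyz")


def rewrite_username(name: str) -> str:
    """Apply the realm strip and the lowercase rule, in config order."""
    name = REALM_STRIP.sub(r"\1", name)
    return name.translate(ASCII_LOWER)


# RFC 4515 escaping for a value embedded in a search filter (assumption:
# this is what a careful LDAP client does; the thread does not say whether
# Radiator escapes the value). Backslash is listed first so that the
# escapes themselves are not re-escaped.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(user: str, attr: str = "uid") -> str:
    """Build the (uid=...) filter from an already rewritten user name."""
    return f"({attr}={escape_filter_value(user)})"


# Constructed sample lines modelled on the LDAP access log quoted in the
# post (one search still carrying the realm, one already stripped).
SAMPLE_LDAP_LOG = """\
[04/Aug/2004:13:49:18 +0200] conn=1530468 op=1 msgId=4 - SRCH base="dc=cesnet,dc=cz" scope=2 filter="(uid=semik@cesnet.cz)" attrs="radiusPassword"
[04/Aug/2004:13:49:18 +0200] conn=1530468 op=1 msgId=4 - RESULT err=0 tag=101 nentries=1 etime=0
[04/Aug/2004:13:52:07 +0200] conn=1530471 op=1 msgId=4 - SRCH base="dc=cesnet,dc=cz" scope=2 filter="(uid=janru)" attrs="radiusPassword"
"""

_SRCH_FILTER = re.compile(r'SRCH .*filter="\(uid=([^)"]*)\)"')


def find_unstripped_realms(log_text: str) -> list:
    """Return the uid values of SRCH operations whose filter still has a realm.

    After realm stripping works for every EAP type this should be empty."""
    hits = []
    for line in log_text.splitlines():
        m = _SRCH_FILTER.search(line)
        if m and "@" in m.group(1):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for ident in ("semik@cesnet.cz", "Semik@CESNET.CZ", "semik"):
        user = rewrite_username(ident)
        print(f"{ident!r:22} -> {user!r:10} filter {build_uid_filter(user)}")
    print("searches with realm still attached:",
          find_unstripped_realms(SAMPLE_LDAP_LOG))
```

Pointing `find_unstripped_realms` at the real access log is a quick way to confirm a fix from the LDAP side: once the realm is stripped before the lookup for EAP-MD5 as well, no SRCH line should carry an `@` in its uid value.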

