(RADIATOR) Windows LSA, LEAP, and RewriteUsername

Kawakubo, Ken kkawakub at fhcrc.org
Thu Sep 16 11:46:05 CDT 2004


All,

I am in the process of migrating Radiator 3.9 with the latest patches from
Linux to the Windows platform to take advantage of AuthBy LSA for PEAP,
EAP-TTLS, and LEAP wireless access.

I have managed to get PEAP and EAP-TTLS to work with LSA but am having
problems with LEAP.

I created a test radius.conf which is only concerned with LEAP LSA
authentication.

Here is the snippet.

<Handler>
	<AuthBy LSA>
		
		RewriteUsername s/^([^@]+).*/$1/
		
		Domain fhcrc

		DefaultDomain fhcrc
		
		DomainController wluc01

		EAPType LEAP

	</AuthBy>

	AcctLogFileName	%L/detail
	AuthLog	eap-authlog
</Handler>

I tested with MacOSX Internet Connect. When I enter a username without a
realm name, I get Access-Accept, but when I enter a username with a realm
name, I get Access-Reject.

Here are the differences in Trace 4 logs.

When I enter a username without a realm name:

Thu Sep 16 09:31:53 2004: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 21651 ....
Code:       Access-Request
Identifier: 76
Authentic:  <181><166>9<2>v<19><20><249><171><13>?:7<141><186><154>
Attributes:
	User-Name = "wireless1"
	Framed-MTU = 1400
	Called-Station-Id = "0011.21fd.20e0"
	Calling-Station-Id = "0030.6528.c3fa"
	Service-Type = Login-User
	Message-Authenticator = iED>@<170>H<0><138><9>b<8>T<136><6><179>
	EAP-Message =
<1><2><0><25><17><1><0><8><2>x<186><196>4W<195>twireless1
	NAS-Port-Type = Wireless-IEEE-802-11
	NAS-Port = 319
	NAS-IP-Address = aaa.bbb.ccc.ddd
	NAS-Identifier = "test1g-ap                 "

Thu Sep 16 09:31:53 2004: DEBUG: Handling request with Handler ''
Thu Sep 16 09:31:53 2004: DEBUG:  Deleting session for wireless1,
aaa.bbb.ccc.ddd, 319
Thu Sep 16 09:31:53 2004: DEBUG: Handling with Radius::AuthLSA: 
Thu Sep 16 09:31:53 2004: DEBUG: Handling with EAP: code 1, 2, 25
Thu Sep 16 09:31:53 2004: DEBUG: EAP Request 17
Thu Sep 16 09:31:53 2004: DEBUG: Rewrote identity to wireless1
Thu Sep 16 09:31:53 2004: DEBUG: Radius::AuthLSA looks for match with
wireless1
Thu Sep 16 09:31:53 2004: DEBUG: Radius::AuthLSA ACCEPT: 
Thu Sep 16 09:31:53 2004: DEBUG: EAP result: 0, EAP LEAP Accept
Thu Sep 16 09:31:53 2004: DEBUG: Access accepted for wireless1
Thu Sep 16 09:31:53 2004: DEBUG: Packet dump:
*** Sending to 140.107.74.146 port 21651 ....
Code:       Access-Accept
Identifier: 76
Authentic:  <181><166>9<2>v<19><20><249><171><13>?:7<141><186><154>
Attributes:
	EAP-Message =
<2><2><0>)<17><1><0><24><159><186><226>2<7>l<17><215><192>F)<217><231><23><1
54><136><144><158><218><145><216>k[<185>wireless1
	Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
	cisco-avpair =
"leap:session-key=<181>ga<8><185>,a<166>;H2<182><152>"<150><206>k<28><10>"nG
<10><11><5>^<12><127>K7<168><13><127>~


When I enter a username with a realm name:

Thu Sep 16 09:32:25 2004: DEBUG: Packet dump:
*** Received from aaa.bbb.ccc.ddd port 21651 ....
Code:       Access-Request
Identifier: 80
Authentic:  Q<"<130>xx<154><132><231><248>\<21><217>a<150><250>
Attributes:
	User-Name = "wireless1 at fhcrc.org"
	Framed-MTU = 1400
	Called-Station-Id = "0011.21fd.20e0"
	Calling-Station-Id = "0030.6528.c3fa"
	Service-Type = Login-User
	Message-Authenticator =
hvEQ<241><200>`<176><130><27><201><217><20><178><245><165>
	EAP-Message =
<2><2><0>3<17><1><0><24><186><242><144><131><174><188>7,l;<150><206>!G<3><20
><133>W<147>ln<214>])wireless1 at fhcrc.org
	NAS-Port-Type = Wireless-IEEE-802-11
	NAS-Port = 320
	NAS-IP-Address = aaa.bbb.ccc.ddd
	NAS-Identifier = "test1g-ap                 "

Thu Sep 16 09:32:25 2004: DEBUG: Handling request with Handler ''
Thu Sep 16 09:32:25 2004: DEBUG:  Deleting session for wireless1 at fhcrc.org,
aaa.bbb.ccc.ddd, 320
Thu Sep 16 09:32:25 2004: DEBUG: Handling with Radius::AuthLSA: 
Thu Sep 16 09:32:25 2004: DEBUG: Handling with EAP: code 2, 2, 51
Thu Sep 16 09:32:25 2004: DEBUG: Response type 17
Thu Sep 16 09:32:25 2004: DEBUG: Rewrote identity to wireless1
Thu Sep 16 09:32:25 2004: DEBUG: Radius::AuthLSA looks for match with
wireless1
Thu Sep 16 09:32:25 2004: DEBUG: Radius::AuthLSA ACCEPT: 
Thu Sep 16 09:32:25 2004: WARNING: Could not LogonUserNetworkMSCHAP: Logon
failure: unknown user name or bad password.


Thu Sep 16 09:32:25 2004: DEBUG: EAP result: 1, Bad LEAP Password
Thu Sep 16 09:32:25 2004: INFO: Access rejected for wireless1 at fhcrc.org: Bad
LEAP Password
Thu Sep 16 09:32:25 2004: DEBUG: Packet dump:
*** Sending to 140.107.74.146 port 21651 ....
Code:       Access-Reject
Identifier: 80
Authentic:  Q<"<130>xx<154><132><231><248>\<21><217>a<150><250>
Attributes:
	EAP-Message = <4><2><0><4>
	Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
	Reply-Message = "Request Denied"

Please note that RewriteUsername appears to be removing the realm name in
either case. I made sure that I used the same password in both cases. I read
in the mailing list archive that a patch was issued previously for LEAP to
accept RewriteUsername, but the patch does not seem to be working. I am using
EAP_17.pm dated 12/23/2003 3:40pm.

Ken Kawakubo
FHCRC IT
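To make the comparison between the two traces above mechanical, here is an added Python script (not part of the post and not Radiator code) that groups a Trace 4 log into one record per Access-Request, applies the same RewriteUsername regex from the radius.conf to the User-Name, and reports at which step each request stopped. The embedded sample is a constructed, condensed copy of the two traces above with the list archive's " at " restored to "@"; the stage names are my own labels.

```python
import re
# Constructed, condensed copy of the two Trace 4 exchanges quoted in the post
# (the list archive printed '@' as ' at '; the '@' is restored here).
SAMPLE_TRACE = """\
Code:       Access-Request
\tUser-Name = "wireless1"
DEBUG: Rewrote identity to wireless1
DEBUG: Radius::AuthLSA ACCEPT:
DEBUG: Access accepted for wireless1
Code:       Access-Request
\tUser-Name = "wireless1@fhcrc.org"
DEBUG: Rewrote identity to wireless1
DEBUG: Radius::AuthLSA ACCEPT:
WARNING: Could not LogonUserNetworkMSCHAP: Logon failure: unknown user name or bad password.
INFO: Access rejected for wireless1@fhcrc.org: Bad LEAP Password
"""
# One regex per field; group 1 is the stored value (any match is enough for the two flags).
FIELDS = [("user", r'User-Name = "([^"]*)"'), ("rewritten", r'Rewrote identity to (\S+)'),
          ("lsa_accept", r'(Radius::AuthLSA ACCEPT)'), ("mschap_failed", r'(Could not LogonUserNetworkMSCHAP)'),
          ("result", r'Access (accepted|rejected) for')]

def parse_trace(text):
    """Group a Trace 4 log into one dict per Access-Request."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Code:") and line.endswith("Access-Request"):
            records.append({})
        elif records:
            for key, pat in FIELDS:
                if m := re.search(pat, line):
                    records[-1][key] = m.group(1)
    return records

def diagnose(records):
    """Per request: (user, name after RewriteUsername, stage where it stopped)."""
    out = []
    for r in records:
        # Mirror of the RewriteUsername rule in the radius.conf above: keep what precedes '@'.
        stripped = re.sub(r'^([^@]+).*', r'\1', r["user"])
        if r.get("rewritten") != stripped:
            stage = "rewrite-mismatch"   # RewriteUsername did not apply as configured
        elif r.get("result") == "accepted":
            stage = "ok"
        elif r.get("lsa_accept") and r.get("mschap_failed"):
            stage = "mschap-logon"       # lookup matched the stripped name, LEAP logon failed
        else:
            stage = "lsa-lookup"
        out.append((r["user"], stripped, stage))
    return out
```

Run over the sample, both requests show the identity rewritten to "wireless1" and the LSA lookup accepting it; only the realm-bearing request then stops at the LogonUserNetworkMSCHAP step, which is the comparison the post makes.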

--
Archive at http://www.open.com.au/archives/radiator/