(RADIATOR) Windows LSA, LEAP, and RewriteUsername

Mike McCauley mikem at open.com.au
Thu Sep 16 16:47:03 CDT 2004


Hello Ken,

there was a recent problem with the 3.9 patch set: the EAP_17.pm that should 
have been included was inadvertently left out.

You should confirm that you have the very latest patch set, including 
EAP_17.pm of exactly 5760 bytes.

Cheers.

On Friday 17 September 2004 02:46, Kawakubo, Ken wrote:
> All,
>
> I am in the process of migrating Radiator 3.9 with the latest patches from
> Linux to Windows platform to take advantage of Authby LSA for PEAP,
> EAP-TTLS, and LEAP wireless access.
>
> I have managed to get PEAP and EAP-TTLS to work with LSA but having
> problems with LEAP.
>
> I created a test radius.conf which is only concerned with LEAP LSA
> authentication.
>
> Here is the snippet.
>
> <Handler>
> 	<AuthBy LSA>
> 		RewriteUsername s/^([^@]+).*/$1/
> 		Domain fhcrc
> 		DefaultDomain fhcrc
> 		DomainController wluc01
> 		EAPType LEAP
> 	</AuthBy>
>
> 	AcctLogFileName	%L/detail
> 	AuthLog	eap-authlog
> </Handler>
>
> I tested with MacOSX Internet Connect. When I enter a username without
> realm name, I get Access-Accept, but when I enter a username with a realm
> name, I get Access-Reject.
>
> Here are the differences in Trace 4 logs.
>
> When I enter a username without realm name:
>
> Thu Sep 16 09:31:53 2004: DEBUG: Packet dump:
> *** Received from aaa.bbb.ccc.ddd port 21651 ....
> Code:       Access-Request
> Identifier: 76
> Authentic:  <181><166>9<2>v<19><20><249><171><13>?:7<141><186><154>
> Attributes:
> 	User-Name = "wireless1"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0011.21fd.20e0"
> 	Calling-Station-Id = "0030.6528.c3fa"
> 	Service-Type = Login-User
> 	Message-Authenticator = iED>@<170>H<0><138><9>b<8>T<136><6><179>
> 	EAP-Message =
> <1><2><0><25><17><1><0><8><2>x<186><196>4W<195>twireless1
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 319
> 	NAS-IP-Address = aaa.bbb.ccc.ddd
> 	NAS-Identifier = "test1g-ap                 "
>
> Thu Sep 16 09:31:53 2004: DEBUG: Handling request with Handler ''
> Thu Sep 16 09:31:53 2004: DEBUG:  Deleting session for wireless1,
> aaa.bbb.ccc.ddd, 319
> Thu Sep 16 09:31:53 2004: DEBUG: Handling with Radius::AuthLSA:
> Thu Sep 16 09:31:53 2004: DEBUG: Handling with EAP: code 1, 2, 25
> Thu Sep 16 09:31:53 2004: DEBUG: EAP Request 17
> Thu Sep 16 09:31:53 2004: DEBUG: Rewrote identity to wireless1
> Thu Sep 16 09:31:53 2004: DEBUG: Radius::AuthLSA looks for match with
> wireless1
> Thu Sep 16 09:31:53 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Thu Sep 16 09:31:53 2004: DEBUG: EAP result: 0, EAP LEAP Accept
> Thu Sep 16 09:31:53 2004: DEBUG: Access accepted for wireless1
> Thu Sep 16 09:31:53 2004: DEBUG: Packet dump:
> *** Sending to 140.107.74.146 port 21651 ....
> Code:       Access-Accept
> Identifier: 76
> Authentic:  <181><166>9<2>v<19><20><249><171><13>?:7<141><186><154>
> Attributes:
> 	EAP-Message =
> <2><2><0>)<17><1><0><24><159><186><226>2<7>l<17><215><192>F)<217><231><23><154><136><144><158><218><145><216>k[<185>wireless1
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	cisco-avpair =
> "leap:session-key=<181>ga<8><185>,a<166>;H2<182><152>"<150><206>k<28><10>"nG <10><11><5>^<12><127>K7<168><13><127>~
>
>
> when I enter a username with realm name:
>
> Thu Sep 16 09:32:25 2004: DEBUG: Packet dump:
> *** Received from aaa.bbb.ccc.ddd port 21651 ....
> Code:       Access-Request
> Identifier: 80
> Authentic:  Q<"<130>xx<154><132><231><248>\<21><217>a<150><250>
> Attributes:
> 	User-Name = "wireless1@fhcrc.org"
> 	Framed-MTU = 1400
> 	Called-Station-Id = "0011.21fd.20e0"
> 	Calling-Station-Id = "0030.6528.c3fa"
> 	Service-Type = Login-User
> 	Message-Authenticator =
> hvEQ<241><200>`<176><130><27><201><217><20><178><245><165>
> 	EAP-Message =
> <2><2><0>3<17><1><0><24><186><242><144><131><174><188>7,l;<150><206>!G<3><20><133>W<147>ln<214>])wireless1@fhcrc.org
>
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	NAS-Port = 320
> 	NAS-IP-Address = aaa.bbb.ccc.ddd
> 	NAS-Identifier = "test1g-ap                 "
>
> Thu Sep 16 09:32:25 2004: DEBUG: Handling request with Handler ''
> Thu Sep 16 09:32:25 2004: DEBUG:  Deleting session for wireless1@fhcrc.org,
> aaa.bbb.ccc.ddd, 320
> Thu Sep 16 09:32:25 2004: DEBUG: Handling with Radius::AuthLSA:
> Thu Sep 16 09:32:25 2004: DEBUG: Handling with EAP: code 2, 2, 51
> Thu Sep 16 09:32:25 2004: DEBUG: Response type 17
> Thu Sep 16 09:32:25 2004: DEBUG: Rewrote identity to wireless1
> Thu Sep 16 09:32:25 2004: DEBUG: Radius::AuthLSA looks for match with
> wireless1
> Thu Sep 16 09:32:25 2004: DEBUG: Radius::AuthLSA ACCEPT:
> Thu Sep 16 09:32:25 2004: WARNING: Could not LogonUserNetworkMSCHAP: Logon
> failure: unknown user name or bad password.
> Thu Sep 16 09:32:25 2004: DEBUG: EAP result: 1, Bad LEAP Password
> Thu Sep 16 09:32:25 2004: INFO: Access rejected for wireless1@fhcrc.org:
> Bad LEAP Password
> Thu Sep 16 09:32:25 2004: DEBUG: Packet dump:
> *** Sending to 140.107.74.146 port 21651 ....
> Code:       Access-Reject
> Identifier: 80
> Authentic:  Q<"<130>xx<154><132><231><248>\<21><217>a<150><250>
> Attributes:
> 	EAP-Message = <4><2><0><4>
> 	Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	Reply-Message = "Request Denied"
>
> Please note that RewriteUsername appears to be removing realm name in
> either case. I made sure that I used the same password in both cases. I
> read in the mailing archive that a patch was issued for LEAP to accept
> RewriteUsername previously, but the patch does not seem to be working. I am
> using EAP_17.pm dated 12/23/2003 3:40pm.
>
> Ken Kawakubo
> FHCRC IT
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
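Added example (not Radiator code and not from either poster): a small Python script that parses Trace 4 lines of the shape Ken posted and correlates, per Access-Request identifier, the User-Name the NAS sent, the identity after RewriteUsername, the name AuthBy LSA looked up, any LogonUserNetworkMSCHAP warning, and the reply code. It also re-applies the configured rewrite rule (the Perl `s/^([^@]+).*/$1/` translated to Python) to the logged User-Name and checks that the log's "Rewrote identity to" line agrees with it. The sample log is constructed to mirror the two attempts in the thread; addresses and identifiers in it are illustrative.

```python
"""Correlate Radiator Trace 4 output for EAP attempts (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RewriteUsername from the thread's config, s/^([^@]+).*/$1/, as a Python regex.
REWRITE_RE = re.compile(r'^([^@]+).*')


def rewrite_username(name: str) -> str:
    """Keep everything before the first '@'; names without '@' are unchanged."""
    return REWRITE_RE.sub(r'\1', name)


@dataclass
class Attempt:
    identifier: int
    user_name: str = ''
    rewritten: Optional[str] = None
    lsa_lookup: Optional[str] = None
    lsa_warning: Optional[str] = None
    eap_result: Optional[str] = None
    reply_code: Optional[str] = None


RX_IDENT = re.compile(r'^Identifier:\s+(\d+)')
RX_CODE = re.compile(r'^Code:\s+(\S+)')
RX_USER = re.compile(r'^\s*User-Name = "([^"]*)"')
RX_REWRITE = re.compile(r'Rewrote identity to (\S+)')
RX_LOOKUP = re.compile(r'Radius::AuthLSA looks for match with (\S+)')
RX_WARN = re.compile(r'WARNING: Could not LogonUserNetworkMSCHAP: (.*)')
RX_EAPRES = re.compile(r'EAP result: \d+, (.*)')


def parse_trace(text: str) -> List[Attempt]:
    """Group debug lines under the Access-Request they belong to, by RADIUS identifier."""
    attempts: Dict[int, Attempt] = {}
    order: List[int] = []
    current: Optional[Attempt] = None
    direction: Optional[str] = None   # 'recv' or 'send' while inside a packet dump
    send_code: Optional[str] = None
    for line in text.splitlines():
        if line.startswith('*** Received from'):
            direction, current = 'recv', None
            continue
        if line.startswith('*** Sending to'):
            direction, send_code = 'send', None
            continue
        m = RX_CODE.match(line)
        if m:
            if direction == 'send':
                send_code = m.group(1)      # Code: precedes Identifier: in the dump
            continue
        m = RX_IDENT.match(line)
        if m:
            ident = int(m.group(1))
            if direction == 'recv':
                current = attempts.setdefault(ident, Attempt(ident))
                if ident not in order:
                    order.append(ident)
            elif direction == 'send' and ident in attempts:
                attempts[ident].reply_code = send_code
                direction = None
            continue
        if current is None:
            continue
        m = RX_USER.match(line)
        if m and direction == 'recv':
            current.user_name = m.group(1)
        elif (m := RX_REWRITE.search(line)):
            current.rewritten = m.group(1)
        elif (m := RX_LOOKUP.search(line)):
            current.lsa_lookup = m.group(1)
        elif (m := RX_WARN.search(line)):
            current.lsa_warning = m.group(1).strip()
        elif (m := RX_EAPRES.search(line)):
            current.eap_result = m.group(1).strip()
    return [attempts[i] for i in order]


def review(attempts: List[Attempt]) -> List[str]:
    """Findings: rewrite/log mismatches, LSA failures, and same-lookup/different-outcome pairs."""
    findings: List[str] = []
    for a in attempts:
        expected = rewrite_username(a.user_name)
        if a.rewritten is not None and a.rewritten != expected:
            findings.append(f"id {a.identifier}: log rewrite {a.rewritten!r} != rule result {expected!r}")
        if a.lsa_lookup and a.rewritten and a.lsa_lookup != a.rewritten:
            findings.append(f"id {a.identifier}: LSA looked up {a.lsa_lookup!r}, not {a.rewritten!r}")
        if a.lsa_warning:
            findings.append(f"id {a.identifier}: LSA logon failed for {a.lsa_lookup!r}: {a.lsa_warning}")
    by_lookup: Dict[Optional[str], List[Attempt]] = {}
    for a in attempts:
        by_lookup.setdefault(a.lsa_lookup, []).append(a)
    for name, group in by_lookup.items():
        codes = sorted({a.reply_code for a in group if a.reply_code})
        if name and len(codes) > 1:
            findings.append(f"same LSA lookup name {name!r} gave {codes}: the rewrite was applied "
                            f"identically, so the difference arises after it, in the LEAP/LSA logon step")
    return findings


# Constructed sample modelled on the two attempts in the thread (not the real log).
SAMPLE_LOG = """\
Thu Sep 16 09:31:53 2004: DEBUG: Packet dump:
*** Received from 10.0.0.1 port 21651 ....
Code:       Access-Request
Identifier: 76
Attributes:
    User-Name = "wireless1"
    NAS-Port = 319
Thu Sep 16 09:31:53 2004: DEBUG: Rewrote identity to wireless1
Thu Sep 16 09:31:53 2004: DEBUG: Radius::AuthLSA looks for match with wireless1
Thu Sep 16 09:31:53 2004: DEBUG: EAP result: 0, EAP LEAP Accept
Thu Sep 16 09:31:53 2004: DEBUG: Packet dump:
*** Sending to 10.0.0.1 port 21651 ....
Code:       Access-Accept
Identifier: 76
Thu Sep 16 09:32:25 2004: DEBUG: Packet dump:
*** Received from 10.0.0.1 port 21651 ....
Code:       Access-Request
Identifier: 80
Attributes:
    User-Name = "wireless1@fhcrc.org"
    NAS-Port = 320
Thu Sep 16 09:32:25 2004: DEBUG: Rewrote identity to wireless1
Thu Sep 16 09:32:25 2004: DEBUG: Radius::AuthLSA looks for match with wireless1
Thu Sep 16 09:32:25 2004: WARNING: Could not LogonUserNetworkMSCHAP: Logon failure: unknown user name or bad password.
Thu Sep 16 09:32:25 2004: DEBUG: EAP result: 1, Bad LEAP Password
Thu Sep 16 09:32:25 2004: DEBUG: Packet dump:
*** Sending to 10.0.0.1 port 21651 ....
Code:       Access-Reject
Identifier: 80
"""

if __name__ == '__main__':
    for finding in review(parse_trace(SAMPLE_LOG)):
        print(finding)
```

Run against a real Trace 4 file with `review(parse_trace(open(path).read()))`; the identifier-based grouping assumes the server logs one request's debug lines contiguously between its Received and Sending dumps, which is how the trace above reads.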
