(RADIATOR) AuthByPolicy ContinueUntilAccept problems

Robin Breathe rbreathe at brookes.ac.uk
Fri May 26 09:36:48 CDT 2006


Hi,

We've run into problems with AuthByPolicy logic...
We call the AUTHENTICATE AuthBy from a TunnelledByPEAP handler; the
'Outer-Realm' attribute of the reply is set by a :

<AuthBy NTLM>
    Identifier NTLM-CIS
    EAPType MSCHAP-V2
    UsernameMatchesWithoutRealm 1
    Domain cis.brookes.ac.uk
    NtlmAuthProg /openpkg/bin/ntlm_auth --helper-protocol=ntlm-server-1
</AuthBy>
<AuthBy NTLM>
    Identifier NTLM-ACS
    EAPType MSCHAP-V2
    UsernameMatchesWithoutRealm 1
    Domain acs.brookes.ac.uk
    NtlmAuthProg /openpkg/bin/ntlm_auth --helper-protocol=ntlm-server-1
</AuthBy>
<AuthBy GROUP>
    Identifier AUTH-CIS
    AuthByPolicy ContinueWhileAccept
    <AuthBy INTERNAL>
        Identifier REALM-CIS
        # Accept if realm is cis.brookes.ac.uk, otherwise reject.
        AuthHook sub { \
          my $rc = ($_[1]->get_attr('Outer-Realm') eq \
          'cis.brookes.ac.uk' ? $main::ACCEPT : $main::REJECT); \
          &main::log($main::LOG_DEBUG,"=== REALM-CIS: rc = $rc"); \
          return $rc; }
    </AuthBy>
    AuthBy NTLM-CIS
</AuthBy>
<AuthBy GROUP>
    Identifier AUTH-DEFAULT
    AuthBy NTLM-ACS
</AuthBy>
<AuthBy GROUP>
    Identifier AUTHENTICATE
    AuthByPolicy ContinueUntilAccept
    AuthBy AUTH-CIS
    AuthBy AUTH-DEFAULT
</AuthBy>
<Handler TunnelledByPEAP=1>
    AuthBy AUTHENTICATE
    RejectHasReason
    PreAuthHook  file:"%D/outerUserRealm"
    PostAuthHook file:"%D/innerUserRealm"
</Handler>
<Handler TunnelledByTTLS=1>
    AuthBy AUTHENTICATE
    RejectHasReason
    PreAuthHook  file:"%D/outerUserRealm"
    PostAuthHook file:"%D/innerUserRealm"
</Handler>
<Handler>
    AuthByPolicy ContinueWhileAccept
    AuthBy TUNNEL
    AuthBy AUTHORIZE
    StripFromReply Inner-User,Inner-Realm,Outer-User,Outer-Realm
</Handler>

...so what we're trying to do is select the appropriate <AuthBy NTLM>
based upon the 'Outer-Realm' attribute.

When the 'Outer-Realm' != 'cis.brookes.ac.uk', this works perfectly:
REALM-CIS stops NTLM-CIS getting called, and NTLM-ACS correctly
authenticates the user. All of PEAP/EAP-MSCHAPv2, TTLS/MSCHAPv2 and
TTLS/EAP-MSCHAPv2 work as we expect.

Now, when 'Outer-Realm' == 'cis.brookes.ac.uk', REALM-CIS matches and
NTLM-CIS authenticates and Accepts. However, when the inner
authentication is EAP MSCHAP-V2, NTLM-ACS still gets called despite the
'AuthByPolicy ContinueUntilAccept' in 'AuthBy AUTHENTICATE' and so the
end result is a Reject.

Here's what it looks like in the failure case:

DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
DEBUG: SDB Deleting session for anonymous at cis.brookes.ac.uk,
161.73.23.11, 1160
DEBUG: do query is: 'delete from RADONLINE where
NASIDENTIFIER='161.73.23.11' and NASPORT=01160':
DEBUG: outerUserRealm hook
DEBUG: === Outer: anonymous @ cis.brookes.ac.uk
DEBUG: Handling with Radius::AuthGROUP: AUTHENTICATE
DEBUG: Handling with Radius::AuthGROUP: AUTH-CIS
DEBUG: Handling with AuthINTERNAL: REALM-CIS
DEBUG: === REALM-CIS: rc = 0
DEBUG: Handling with Radius::AuthNTLM: NTLM-CIS
DEBUG: Handling with EAP: code 2, 0, 11
DEBUG: Response type 1
DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
DEBUG: Handling with Radius::AuthGROUP: AUTH-DEFAULT
DEBUG: Handling with Radius::AuthNTLM: NTLM-ACS
DEBUG: Handling with EAP: code 2, 0, 11
DEBUG: Response type 1
DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
DEBUG: AuthBy GROUP result: CHALLENGE, EAP MSCHAP-V2 Challenge
DEBUG: innerUserRealm hook
DEBUG: === EAP Identity = backup
DEBUG: === Identity = backup
DEBUG: === Inner-User = backup, Inner-Realm =
DEBUG: Access challenged for anonymous at cis.brookes.ac.uk: EAP MSCHAP-V2
Challenge
DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Challenge
Identifier: UNDEF
Authentic:  <219><204><138><252><181>^<170><176>^<220>wx<193><145><242><166>
Attributes:
        Outer-User = anonymous
        Outer-Realm = cis.brookes.ac.uk
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        EAP-Message =
<1><1><0>"<26><1><1><0><29><16><213><8><217>7<191><16>dC6<177><210>8<22>yQ<9>csradius
        Inner-User = backup
        Inner-Realm =

...snip...

DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
DEBUG: SDB Deleting session for anonymous at cis.brookes.ac.uk,
161.73.23.11, 1160
DEBUG: do query is: 'delete from RADONLINE where
NASIDENTIFIER='161.73.23.11' and NASPORT=01160':
DEBUG: outerUserRealm hook
DEBUG: === Outer: anonymous @ cis.brookes.ac.uk
DEBUG: Handling with Radius::AuthGROUP: AUTHENTICATE
DEBUG: Handling with Radius::AuthGROUP: AUTH-CIS
DEBUG: Handling with AuthINTERNAL: REALM-CIS
DEBUG: === REALM-CIS: rc = 0
DEBUG: Handling with Radius::AuthNTLM: NTLM-CIS
DEBUG: Handling with EAP: code 2, 1, 65
DEBUG: Response type 26
DEBUG: Radius::AuthNTLM looks for match with backup
[anonymous at cis.brookes.ac.uk]
DEBUG: Radius::AuthNTLM ACCEPT: : backup [anonymous at cis.brookes.ac.uk]
DEBUG: Passing attribute Request-User-Session-Key: Yes
DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
DEBUG: Passing attribute LANMAN-Challenge: 5226c263271537bf
DEBUG: Passing attribute NT-Response: (private)
DEBUG: Passing attribute NT-Domain:: Y2lzLmJyb29rZXMuYWMudWs=
DEBUG: Passing attribute Username:: YmFja3Vw
DEBUG: Received attribute: Authenticated: Yes
DEBUG: Received attribute: LANMAN-Session-Key: (private)
DEBUG: Received attribute: User-Session-Key: (private)
DEBUG: Received attribute: .
DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
DEBUG: Handling with Radius::AuthGROUP: AUTH-DEFAULT
DEBUG: Handling with Radius::AuthNTLM: NTLM-ACS
DEBUG: Handling with EAP: code 2, 1, 65
DEBUG: Response type 26
DEBUG: Radius::AuthNTLM looks for match with backup
[anonymous at cis.brookes.ac.uk]
DEBUG: Radius::AuthNTLM ACCEPT: : backup [anonymous at cis.brookes.ac.uk]
DEBUG: Passing attribute Request-User-Session-Key: Yes
DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
DEBUG: Passing attribute LANMAN-Challenge: 6d0d45840889c768
DEBUG: Passing attribute NT-Response: (private)
DEBUG: Passing attribute NT-Domain:: YWNzLmJyb29rZXMuYWMudWs=
DEBUG: Passing attribute Username:: YmFja3Vw
DEBUG: Received attribute: .
DEBUG: Received attribute: Authenticated: No
DEBUG: Received attribute: Authentication-Error: Wrong Password
DEBUG: Received attribute: .
WARNING: NTLM Could not authenticate user: Wrong Password
DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
DEBUG: AuthBy GROUP result: REJECT, EAP MSCHAP-V2 Authentication failure
DEBUG: innerUserRealm hook
DEBUG: === EAP Identity = backup
DEBUG: === Identity = backup
DEBUG: === Inner-User = backup, Inner-Realm =
INFO: Access rejected for anonymous at cis.brookes.ac.uk: EAP MSCHAP-V2
Authentication failure
DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Reject
Identifier: UNDEF
Authentic:  D`B<153>p<238><165>Z<209><146>7i<26><176>'<248>
Attributes:
        Outer-User = anonymous
        Outer-Realm = cis.brookes.ac.uk
        EAP-Message = <4><1><0><4>
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Inner-User = backup
        Inner-Realm =
        Reply-Message = "EAP MSCHAP-V2 Authentication failure"



Apologies for the overly long message, but I'm totally failing to see
where the logic is breaking down. What's special about the inner-EAP case?

Any more information happily provided if required.

Regards,
Robin
-- 
Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
rbreathe at brookes.ac.uk       Tel: +44 1865 483685  Fax: +44 1865 483073
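An added illustration, not part of Robin's post and not Radiator's own code: a small Python model of how the nested AuthBy GROUP clauses in the config above walk their AuthBy lists under each AuthByPolicy, fed with the result codes the debug log shows (REALM-CIS "rc = 0" is ACCEPT, "EAP result: 3" is CHALLENGE, "EAP result: 1" is REJECT). The constant values are Radiator's documented ones; the policy walk itself, including REJECT_IMMEDIATE always ending a group, is a simplified assumption rather than Radiator's implementation.

```python
# Added illustration, not from the post and not Radiator's own code: a model of
# how nested <AuthBy GROUP> clauses walk their AuthBy lists under AuthByPolicy.
# Result codes follow Radiator's documented $main::ACCEPT etc.; the walk itself
# is an assumption that simplifies the documented policy semantics.
from dataclasses import dataclass

ACCEPT, REJECT, IGNORE, CHALLENGE, REJECT_IMMEDIATE = 0, 1, 2, 3, 4
NAMES = ["ACCEPT", "REJECT", "IGNORE", "CHALLENGE", "REJECT_IMMEDIATE"]

# AuthByPolicy -> keep walking the list while this holds for the last result
POLICIES = {
    "ContinueWhileIgnore": lambda rc: rc == IGNORE,   # Radiator's default
    "ContinueUntilIgnore": lambda rc: rc != IGNORE,
    "ContinueWhileAccept": lambda rc: rc == ACCEPT,
    "ContinueUntilAccept": lambda rc: rc != ACCEPT,
    "ContinueWhileReject": lambda rc: rc == REJECT,
    "ContinueUntilReject": lambda rc: rc != REJECT,
    "ContinueAlways":      lambda rc: True,
}

@dataclass
class Group:
    name: str
    policy: str
    members: list  # (name, result_code) leaves or nested Group objects

def run_group(group, trace):
    """Walk the group's members in config order; return the last result code."""
    rc = IGNORE
    for member in group.members:
        if isinstance(member, Group):
            rc = run_group(member, trace)
        else:
            name, rc = member
            trace.append(name)          # record which leaf AuthBys were called
        # Assumption: REJECT_IMMEDIATE always ends the walk, whatever the policy.
        if rc == REJECT_IMMEDIATE or not POLICIES[group.policy](rc):
            break
    return rc

def authenticate(outer_realm, ntlm_cis_rc, ntlm_acs_rc):
    """Mirror the post's AUTHENTICATE / AUTH-CIS / AUTH-DEFAULT layout."""
    # REALM-CIS is the post's AuthHook: ACCEPT for the CIS realm, else REJECT.
    realm_cis_rc = ACCEPT if outer_realm == "cis.brookes.ac.uk" else REJECT
    auth_cis = Group("AUTH-CIS", "ContinueWhileAccept",
                     [("REALM-CIS", realm_cis_rc), ("NTLM-CIS", ntlm_cis_rc)])
    auth_default = Group("AUTH-DEFAULT", "ContinueWhileIgnore",
                         [("NTLM-ACS", ntlm_acs_rc)])
    top = Group("AUTHENTICATE", "ContinueUntilAccept", [auth_cis, auth_default])
    trace = []
    return NAMES[run_group(top, trace)], trace
```

Feeding the log's EAP case, authenticate("cis.brookes.ac.uk", CHALLENGE, REJECT), reproduces the walk in the second excerpt: AUTH-CIS ends with a CHALLENGE rather than an ACCEPT, so ContinueUntilAccept moves on to AUTH-DEFAULT and NTLM-ACS.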
