(RADIATOR) AuthByPolicy ContinueUntilAccept problems

Hugh Irvine hugh at open.com.au
Fri May 26 23:49:01 CDT 2006


Hello Robin -

Why not do the Realm check in the Handlers?


<Handler Realm = cis.brookes.ac.uk, TunnelledByPEAP=1>
     ....
</Handler>

<Handler Realm = cis.brookes.ac.uk, TunnelledByTTLS=1>
     ....
</Handler>

<Handler>
     AuthByPolicy ContinueWhileAccept
     AuthBy TUNNEL
     AuthBy AUTHORIZE
     StripFromReply Inner-User,Inner-Realm,Outer-User,Outer-Realm
</Handler>


I'm afraid I don't understand what exactly you are wanting to do, so
it makes it a bit hard to make sensible suggestions.

regards

Hugh


On 27 May 2006, at 00:36, Robin Breathe wrote:

> Hi,
>
> We're running into problems with AuthByPolicy logic...
> We call the AUTHENTICATE AuthBy from a TunnelledByPEAP handler; the
> 'Outer-Realm' attribute of the reply is set by a :
>
> <AuthBy NTLM>
>     Identifier NTLM-CIS
>     EAPType MSCHAP-V2
>     UsernameMatchesWithoutRealm 1
>     Domain cis.brookes.ac.uk
>     NtlmAuthProg /openpkg/bin/ntlm_auth --helper-protocol=ntlm-server-1
> </AuthBy>
> <AuthBy NTLM>
>     Identifier NTLM-ACS
>     EAPType MSCHAP-V2
>     UsernameMatchesWithoutRealm 1
>     Domain acs.brookes.ac.uk
>     NtlmAuthProg /openpkg/bin/ntlm_auth --helper-protocol=ntlm-server-1
> </AuthBy>
> <AuthBy GROUP>
>     Identifier AUTH-CIS
>     AuthByPolicy ContinueWhileAccept
>     <AuthBy INTERNAL>
>         Identifier REALM-CIS
>         # Accept if realm is cis.brookes.ac.uk, otherwise reject.
>         AuthHook sub { \
>           my $rc = ($_[1]->get_attr('Outer-Realm') eq \
>           'cis.brookes.ac.uk' ? $main::ACCEPT : $main::REJECT); \
>           &main::log($main::LOG_DEBUG,"=== REALM-CIS: rc = $rc"); \
>           return $rc; }
>     </AuthBy>
>     AuthBy NTLM-CIS
> </AuthBy>
> <AuthBy GROUP>
>     Identifier AUTH-DEFAULT
>     AuthBy NTLM-ACS
> </AuthBy>
> <AuthBy GROUP>
>     Identifier AUTHENTICATE
>     AuthByPolicy ContinueUntilAccept
>     AuthBy AUTH-CIS
>     AuthBy AUTH-DEFAULT
> </AuthBy>
> <Handler TunnelledByPEAP=1>
>     AuthBy AUTHENTICATE
>     RejectHasReason
>     PreAuthHook  file:"%D/outerUserRealm"
>     PostAuthHook file:"%D/innerUserRealm"
> </Handler>
> <Handler TunnelledByTTLS=1>
>     AuthBy AUTHENTICATE
>     RejectHasReason
>     PreAuthHook  file:"%D/outerUserRealm"
>     PostAuthHook file:"%D/innerUserRealm"
> </Handler>
> <Handler>
>     AuthByPolicy ContinueWhileAccept
>     AuthBy TUNNEL
>     AuthBy AUTHORIZE
>     StripFromReply Inner-User,Inner-Realm,Outer-User,Outer-Realm
> </Handler>
>
> ...so what we're trying to do is select the appropriate <AuthBy NTLM>
> based upon the 'Outer-Realm' attribute.
>
> When the 'Outer-Realm' != 'cis.brookes.ac.uk', this works perfectly: the
> REALM-CIS stops NTLM-CIS getting called, and NTLM-ACS correctly
> authenticates the user. All of PEAP/EAP-MSCHAPv2, TTLS/MSCHAPv2 and
> TTLS/EAP-MSCHAPv2 work as we expect.
>
> Now, when 'Outer-Realm' == 'cis.brookes.ac.uk', REALM-CIS matches and
> NTLM-CIS authenticates and Accepts. However, when the inner
> authentication is EAP MSCHAP-V2, NTLM-ACS still gets called despite the
> 'AuthByPolicy ContinueUntilAccept' in 'AuthBy AUTHENTICATE' and so the
> end result is a Reject.
>
> Here's what it looks like in the failure case:
>
> DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
> DEBUG: SDB Deleting session for anonymous at cis.brookes.ac.uk,
> 161.73.23.11, 1160
> DEBUG: do query is: 'delete from RADONLINE where
> NASIDENTIFIER='161.73.23.11' and NASPORT=01160':
> DEBUG: outerUserRealm hook
> DEBUG: === Outer: anonymous @ cis.brookes.ac.uk
> DEBUG: Handling with Radius::AuthGROUP: AUTHENTICATE
> DEBUG: Handling with Radius::AuthGROUP: AUTH-CIS
> DEBUG: Handling with AuthINTERNAL: REALM-CIS
> DEBUG: === REALM-CIS: rc = 0
> DEBUG: Handling with Radius::AuthNTLM: NTLM-CIS
> DEBUG: Handling with EAP: code 2, 0, 11
> DEBUG: Response type 1
> DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> DEBUG: Handling with Radius::AuthGROUP: AUTH-DEFAULT
> DEBUG: Handling with Radius::AuthNTLM: NTLM-ACS
> DEBUG: Handling with EAP: code 2, 0, 11
> DEBUG: Response type 1
> DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> DEBUG: AuthBy GROUP result: CHALLENGE, EAP MSCHAP-V2 Challenge
> DEBUG: innerUserRealm hook
> DEBUG: === EAP Identity = backup
> DEBUG: === Identity = backup
> DEBUG: === Inner-User = backup, Inner-Realm =
> DEBUG: Access challenged for anonymous at cis.brookes.ac.uk: EAP MSCHAP-V2 Challenge
> DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:   
> <219><204><138><252><181>^<170><176>^<220>wx<193><145><242><166>
> Attributes:
>         Outer-User = anonymous
>         Outer-Realm = cis.brookes.ac.uk
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         EAP-Message =
> <1><1><0>"<26><1><1><0><29><16><213><8><217>7<191><16>dC6<177><210>8<22>yQ<9>csradius
>         Inner-User = backup
>         Inner-Realm =
>
> ...snip...
>
> DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
> DEBUG: SDB Deleting session for anonymous at cis.brookes.ac.uk,
> 161.73.23.11, 1160
> DEBUG: do query is: 'delete from RADONLINE where
> NASIDENTIFIER='161.73.23.11' and NASPORT=01160':
> DEBUG: outerUserRealm hook
> DEBUG: === Outer: anonymous @ cis.brookes.ac.uk
> DEBUG: Handling with Radius::AuthGROUP: AUTHENTICATE
> DEBUG: Handling with Radius::AuthGROUP: AUTH-CIS
> DEBUG: Handling with AuthINTERNAL: REALM-CIS
> DEBUG: === REALM-CIS: rc = 0
> DEBUG: Handling with Radius::AuthNTLM: NTLM-CIS
> DEBUG: Handling with EAP: code 2, 1, 65
> DEBUG: Response type 26
> DEBUG: Radius::AuthNTLM looks for match with backup
> [anonymous at cis.brookes.ac.uk]
> DEBUG: Radius::AuthNTLM ACCEPT: : backup [anonymous at cis.brookes.ac.uk]
> DEBUG: Passing attribute Request-User-Session-Key: Yes
> DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> DEBUG: Passing attribute LANMAN-Challenge: 5226c263271537bf
> DEBUG: Passing attribute NT-Response: (private)
> DEBUG: Passing attribute NT-Domain:: Y2lzLmJyb29rZXMuYWMudWs=
> DEBUG: Passing attribute Username:: YmFja3Vw
> DEBUG: Received attribute: Authenticated: Yes
> DEBUG: Received attribute: LANMAN-Session-Key: (private)
> DEBUG: Received attribute: User-Session-Key: (private)
> DEBUG: Received attribute: .
> DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
> DEBUG: Handling with Radius::AuthGROUP: AUTH-DEFAULT
> DEBUG: Handling with Radius::AuthNTLM: NTLM-ACS
> DEBUG: Handling with EAP: code 2, 1, 65
> DEBUG: Response type 26
> DEBUG: Radius::AuthNTLM looks for match with backup
> [anonymous at cis.brookes.ac.uk]
> DEBUG: Radius::AuthNTLM ACCEPT: : backup [anonymous at cis.brookes.ac.uk]
> DEBUG: Passing attribute Request-User-Session-Key: Yes
> DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> DEBUG: Passing attribute LANMAN-Challenge: 6d0d45840889c768
> DEBUG: Passing attribute NT-Response: (private)
> DEBUG: Passing attribute NT-Domain:: YWNzLmJyb29rZXMuYWMudWs=
> DEBUG: Passing attribute Username:: YmFja3Vw
> DEBUG: Received attribute: .
> DEBUG: Received attribute: Authenticated: No
> DEBUG: Received attribute: Authentication-Error: Wrong Password
> DEBUG: Received attribute: .
> WARNING: NTLM Could not authenticate user: Wrong Password
> DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> DEBUG: AuthBy GROUP result: REJECT, EAP MSCHAP-V2 Authentication failure
> DEBUG: innerUserRealm hook
> DEBUG: === EAP Identity = backup
> DEBUG: === Identity = backup
> DEBUG: === Inner-User = backup, Inner-Realm =
> INFO: Access rejected for anonymous at cis.brookes.ac.uk: EAP MSCHAP-V2
> Authentication failure
> DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Reject
> Identifier: UNDEF
> Authentic:  D`B<153>p<238><165>Z<209><146>7i<26><176>'<248>
> Attributes:
>         Outer-User = anonymous
>         Outer-Realm = cis.brookes.ac.uk
>         EAP-Message = <4><1><0><4>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Inner-User = backup
>         Inner-Realm =
>         Reply-Message = "EAP MSCHAP-V2 Authentication failure"
>
>
>
> Apologies for the overly long message, but I'm totally failing to see
> where the logic is breaking down. What's special about the inner-EAP case?
>
> Any more information happily provided if required.
>
> Regards,
> Robin
> -- 
> Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
> rbreathe at brookes.ac.uk       Tel: +44 1865 483685  Fax: +44 1865 483073
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
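Robin's trace shows the first group's "EAP result: 3" (a CHALLENGE) followed straight away by "Handling with Radius::AuthGROUP: AUTH-DEFAULT": an EAP method needs several round trips, and every one of them comes back as a CHALLENGE rather than an ACCEPT, so a ContinueUntilAccept policy never stops at the first group. The model below is an added editor's example, not Radiator code and not from either poster. It assumes the AuthByPolicy semantics stated in its docstring, treats CHALLENGE as neither ACCEPT nor REJECT, and uses constructed accounts and passwords in place of ntlm_auth. It replays the posted AUTHENTICATE group and Hugh's per-realm Handler layout across the three inner EAP-MSCHAPv2 rounds so the difference is visible in the per-round results.

```python
"""Toy model of Radiator-style AuthByPolicy evaluation.

Added illustration (editor's example, not Radiator code). Assumed
semantics, as the reference manual describes them: an <AuthBy GROUP>
runs its children in order, its AuthByPolicy decides after each child's
result whether to go on, and the group's result is the result of the
last child consulted. CHALLENGE is neither ACCEPT nor REJECT, which is
the whole story behind the trace above. The accounts are constructed.
"""
from enum import Enum


class Rc(Enum):
    ACCEPT = 0
    REJECT = 1
    IGNORE = 2
    CHALLENGE = 3  # "EAP result: 3" in the trace


def _go_on(policy, rc):
    """Assumed meaning of the AuthByPolicy values used in the thread."""
    if policy == "ContinueWhileAccept":
        return rc is Rc.ACCEPT
    if policy == "ContinueUntilAccept":
        return rc is not Rc.ACCEPT
    if policy == "ContinueWhileIgnore":   # Radiator's documented default
        return rc is Rc.IGNORE
    raise ValueError(f"unknown AuthByPolicy {policy!r}")


def run_group(policy, authbys, req, trace):
    """Evaluate an AuthBy GROUP; authbys is a list of (name, callable)."""
    rc = Rc.IGNORE  # result of an empty group (assumption)
    for name, fn in authbys:
        rc = fn(req, trace)
        trace.append(f"{name}: {rc.name}")
        if not _go_on(policy, rc):
            break
    return rc


# Constructed accounts: the same username exists in both domains with
# different passwords, which is what "Wrong Password" from the second
# domain in the trace looks like.
ACCOUNTS = {
    "cis.brookes.ac.uk": {"backup": "cis-secret"},
    "acs.brookes.ac.uk": {"backup": "acs-secret"},
}


def realm_hook(realm):
    """Model of the REALM-CIS AuthHook: ACCEPT iff Outer-Realm matches."""
    def hook(req, trace):
        return Rc.ACCEPT if req.get("Outer-Realm") == realm else Rc.REJECT
    return hook


def ntlm(domain):
    """Model of <AuthBy NTLM> running EAP-MSCHAPv2 inside the tunnel.

    Every round that still needs a packet from the peer is a CHALLENGE:
    the identity round (send the MSCHAPv2 challenge) and a correct
    response (send Success-Request). Only the peer's acknowledgement
    of success yields ACCEPT; a bad response is a REJECT.
    """
    def auth(req, trace):
        stage = req["eap"]
        if stage == "identity":
            return Rc.CHALLENGE
        if stage == "ack":
            return Rc.ACCEPT
        if ACCOUNTS[domain].get(req["Inner-User"]) != req["password"]:
            trace.append(f"  ntlm_auth for {domain}: Wrong Password")
            return Rc.REJECT
        return Rc.CHALLENGE
    return auth


def as_posted(req, trace):
    """Robin's AUTHENTICATE group: the realm test lives inside AUTH-CIS."""
    auth_cis = lambda r, t: run_group("ContinueWhileAccept", [
        ("REALM-CIS", realm_hook("cis.brookes.ac.uk")),
        ("NTLM-CIS", ntlm("cis.brookes.ac.uk"))], r, t)
    auth_default = lambda r, t: run_group("ContinueWhileIgnore", [
        ("NTLM-ACS", ntlm("acs.brookes.ac.uk"))], r, t)
    return run_group("ContinueUntilAccept", [
        ("AUTH-CIS", auth_cis), ("AUTH-DEFAULT", auth_default)], req, trace)


def per_realm_handler(req, trace):
    """Hugh's suggestion: pick the chain by realm at Handler level, so
    only one EAP authenticator ever sees the conversation."""
    if req.get("Outer-Realm") == "cis.brookes.ac.uk":
        chain = [("NTLM-CIS", ntlm("cis.brookes.ac.uk"))]
    else:
        chain = [("NTLM-ACS", ntlm("acs.brookes.ac.uk"))]
    return run_group("ContinueWhileIgnore", chain, req, trace)


def exchange(handler, realm, user, password):
    """Drive the three inner EAP-MSCHAPv2 rounds through a handler and
    return (per-round results, trace). Stops at the first REJECT."""
    trace, results = [], []
    for stage in ("identity", "response", "ack"):
        req = {"Outer-Realm": realm, "Inner-User": user,
               "eap": stage, "password": password}
        rc = handler(req, trace)
        results.append(rc)
        if rc is Rc.REJECT:
            break
    return results, trace


if __name__ == "__main__":
    for handler in (as_posted, per_realm_handler):
        results, trace = exchange(handler, "cis.brookes.ac.uk", "backup", "cis-secret")
        print(handler.__name__, [r.name for r in results])
        print("\n".join("  " + line for line in trace))
```

Run as is, the posted layout ends in REJECT on the second round for a valid cis.brookes.ac.uk user, because the first group's CHALLENGE lets AUTH-DEFAULT run the same MSCHAPv2 response against the other domain; the per-realm layout completes all three rounds with ACCEPT. Users in the default realm succeed under both layouts, which matches what Robin observed.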

