(RADIATOR) AuthByPolicy ContinueUntilAccept problems
Hugh Irvine
hugh at open.com.au
Fri May 26 23:49:01 CDT 2006
Hello Robin -
Why not do the Realm check in the Handlers?
<Handler Realm = cis.brookes.ac.uk, TunnelledByPEAP=1>
....
</Handler>
<Handler Realm = cis.brookes.ac.uk, TunnelledByTTLS=1>
....
</Handler>
<Handler>
AuthByPolicy ContinueWhileAccept
AuthBy TUNNEL
AuthBy AUTHORIZE
StripFromReply Inner-User,Inner-Realm,Outer-User,Outer-Realm
</Handler>
I'm afraid I don't understand what exactly you are wanting to do so
it makes it a bit hard to make sensible suggestions.
regards
Hugh
On 27 May 2006, at 00:36, Robin Breathe wrote:
> Hi,
>
> We're running into problems with AuthByPolicy logic...
> We call the AUTHENTICATE AuthBy from a TunnelledByPEAP handler; the
> 'Outer-Realm' attribute of the reply is set by a:
>
> <AuthBy NTLM>
> Identifier NTLM-CIS
> EAPType MSCHAP-V2
> UsernameMatchesWithoutRealm 1
> Domain cis.brookes.ac.uk
> NtlmAuthProg /openpkg/bin/ntlm_auth --helper-protocol=ntlm-server-1
> </AuthBy>
> <AuthBy NTLM>
> Identifier NTLM-ACS
> EAPType MSCHAP-V2
> UsernameMatchesWithoutRealm 1
> Domain acs.brookes.ac.uk
> NtlmAuthProg /openpkg/bin/ntlm_auth --helper-protocol=ntlm-server-1
> </AuthBy>
> <AuthBy GROUP>
> Identifier AUTH-CIS
> AuthByPolicy ContinueWhileAccept
> <AuthBy INTERNAL>
> Identifier REALM-CIS
> # Accept if realm is cis.brookes.ac.uk, otherwise reject.
> AuthHook sub { \
> my $rc = ($_[1]->get_attr('Outer-Realm') eq \
> 'cis.brookes.ac.uk' ? $main::ACCEPT : $main::REJECT); \
> &main::log($main::LOG_DEBUG,"=== REALM-CIS: rc = $rc"); \
> return $rc; }
> </AuthBy>
> AuthBy NTLM-CIS
> </AuthBy>
> <AuthBy GROUP>
> Identifier AUTH-DEFAULT
> AuthBy NTLM-ACS
> </AuthBy>
> <AuthBy GROUP>
> Identifier AUTHENTICATE
> AuthByPolicy ContinueUntilAccept
> AuthBy AUTH-CIS
> AuthBy AUTH-DEFAULT
> </AuthBy>
> <Handler TunnelledByPEAP=1>
> AuthBy AUTHENTICATE
> RejectHasReason
> PreAuthHook file:"%D/outerUserRealm"
> PostAuthHook file:"%D/innerUserRealm"
> </Handler>
> <Handler TunnelledByTTLS=1>
> AuthBy AUTHENTICATE
> RejectHasReason
> PreAuthHook file:"%D/outerUserRealm"
> PostAuthHook file:"%D/innerUserRealm"
> </Handler>
> <Handler>
> AuthByPolicy ContinueWhileAccept
> AuthBy TUNNEL
> AuthBy AUTHORIZE
> StripFromReply Inner-User,Inner-Realm,Outer-User,Outer-Realm
> </Handler>
>
> ...so what we're trying to do is select the appropriate <AuthBy NTLM>
> based upon the 'Outer-Realm' attribute.
>
> When the 'Outer-Realm' != 'cis.brookes.ac.uk', this works perfectly:
> REALM-CIS stops NTLM-CIS getting called, and NTLM-ACS correctly
> authenticates the user. All of PEAP/EAP-MSCHAPv2, TTLS/MSCHAPv2 and
> TTLS/EAP-MSCHAPv2 work as we expect.
>
> Now, when 'Outer-Realm' == 'cis.brookes.ac.uk', REALM-CIS matches and
> NTLM-CIS authenticates and Accepts. However, when the inner
> authentication is EAP MSCHAP-V2, NTLM-ACS still gets called despite the
> 'AuthByPolicy ContinueUntilAccept' in 'AuthBy AUTHENTICATE' and so the
> end result is a Reject.
>
> Here's what it looks like in the failure case:
>
> DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
> DEBUG: SDB Deleting session for anonymous at cis.brookes.ac.uk,
> 161.73.23.11, 1160
> DEBUG: do query is: 'delete from RADONLINE where
> NASIDENTIFIER='161.73.23.11' and NASPORT=01160':
> DEBUG: outerUserRealm hook
> DEBUG: === Outer: anonymous @ cis.brookes.ac.uk
> DEBUG: Handling with Radius::AuthGROUP: AUTHENTICATE
> DEBUG: Handling with Radius::AuthGROUP: AUTH-CIS
> DEBUG: Handling with AuthINTERNAL: REALM-CIS
> DEBUG: === REALM-CIS: rc = 0
> DEBUG: Handling with Radius::AuthNTLM: NTLM-CIS
> DEBUG: Handling with EAP: code 2, 0, 11
> DEBUG: Response type 1
> DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> DEBUG: Handling with Radius::AuthGROUP: AUTH-DEFAULT
> DEBUG: Handling with Radius::AuthNTLM: NTLM-ACS
> DEBUG: Handling with EAP: code 2, 0, 11
> DEBUG: Response type 1
> DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> DEBUG: AuthBy GROUP result: CHALLENGE, EAP MSCHAP-V2 Challenge
> DEBUG: innerUserRealm hook
> DEBUG: === EAP Identity = backup
> DEBUG: === Identity = backup
> DEBUG: === Inner-User = backup, Inner-Realm =
> DEBUG: Access challenged for anonymous at cis.brookes.ac.uk: EAP MSCHAP-V2 Challenge
> DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Challenge
> Identifier: UNDEF
> Authentic:
> <219><204><138><252><181>^<170><176>^<220>wx<193><145><242><166>
> Attributes:
> Outer-User = anonymous
> Outer-Realm = cis.brookes.ac.uk
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> EAP-Message =
> <1><1><0>"<26><1><1><0><29><16><213><8><217>7<191><16>dC6<177><210>8<2
> 2>yQ<9>csradius
> Inner-User = backup
> Inner-Realm =
>
> ...snip...
>
> DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
> DEBUG: SDB Deleting session for anonymous at cis.brookes.ac.uk,
> 161.73.23.11, 1160
> DEBUG: do query is: 'delete from RADONLINE where
> NASIDENTIFIER='161.73.23.11' and NASPORT=01160':
> DEBUG: outerUserRealm hook
> DEBUG: === Outer: anonymous @ cis.brookes.ac.uk
> DEBUG: Handling with Radius::AuthGROUP: AUTHENTICATE
> DEBUG: Handling with Radius::AuthGROUP: AUTH-CIS
> DEBUG: Handling with AuthINTERNAL: REALM-CIS
> DEBUG: === REALM-CIS: rc = 0
> DEBUG: Handling with Radius::AuthNTLM: NTLM-CIS
> DEBUG: Handling with EAP: code 2, 1, 65
> DEBUG: Response type 26
> DEBUG: Radius::AuthNTLM looks for match with backup [anonymous at cis.brookes.ac.uk]
> DEBUG: Radius::AuthNTLM ACCEPT: : backup [anonymous at cis.brookes.ac.uk]
> DEBUG: Passing attribute Request-User-Session-Key: Yes
> DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> DEBUG: Passing attribute LANMAN-Challenge: 5226c263271537bf
> DEBUG: Passing attribute NT-Response: (private)
> DEBUG: Passing attribute NT-Domain:: Y2lzLmJyb29rZXMuYWMudWs=
> DEBUG: Passing attribute Username:: YmFja3Vw
> DEBUG: Received attribute: Authenticated: Yes
> DEBUG: Received attribute: LANMAN-Session-Key: (private)
> DEBUG: Received attribute: User-Session-Key: (private)
> DEBUG: Received attribute: .
> DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
> DEBUG: Handling with Radius::AuthGROUP: AUTH-DEFAULT
> DEBUG: Handling with Radius::AuthNTLM: NTLM-ACS
> DEBUG: Handling with EAP: code 2, 1, 65
> DEBUG: Response type 26
> DEBUG: Radius::AuthNTLM looks for match with backup [anonymous at cis.brookes.ac.uk]
> DEBUG: Radius::AuthNTLM ACCEPT: : backup [anonymous at cis.brookes.ac.uk]
> DEBUG: Passing attribute Request-User-Session-Key: Yes
> DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> DEBUG: Passing attribute LANMAN-Challenge: 6d0d45840889c768
> DEBUG: Passing attribute NT-Response: (private)
> DEBUG: Passing attribute NT-Domain:: YWNzLmJyb29rZXMuYWMudWs=
> DEBUG: Passing attribute Username:: YmFja3Vw
> DEBUG: Received attribute: .
> DEBUG: Received attribute: Authenticated: No
> DEBUG: Received attribute: Authentication-Error: Wrong Password
> DEBUG: Received attribute: .
> WARNING: NTLM Could not authenticate user: Wrong Password
> DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> DEBUG: AuthBy GROUP result: REJECT, EAP MSCHAP-V2 Authentication failure
> DEBUG: innerUserRealm hook
> DEBUG: === EAP Identity = backup
> DEBUG: === Identity = backup
> DEBUG: === Inner-User = backup, Inner-Realm =
> INFO: Access rejected for anonymous at cis.brookes.ac.uk: EAP MSCHAP-V2 Authentication failure
> DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Reject
> Identifier: UNDEF
> Authentic: D`B<153>p<238><165>Z<209><146>7i<26><176>'<248>
> Attributes:
> Outer-User = anonymous
> Outer-Realm = cis.brookes.ac.uk
> EAP-Message = <4><1><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Inner-User = backup
> Inner-Realm =
> Reply-Message = "EAP MSCHAP-V2 Authentication failure"
>
>
>
> Apologies for the overly long message, but I'm totally failing to see
> where the logic is breaking down. What's special about the inner-EAP case?
>
> Any more information happily provided if required.
>
> Regards,
> Robin
> --
> Robin Breathe, Computer Services, Oxford Brookes University, Oxford, UK
> rbreathe at brookes.ac.uk Tel: +44 1865 483685 Fax: +44 1865 483073
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
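As an added illustration (the editor's own model, not Radiator's code and not part of this thread), here is a small Perl simulation of how an AuthBy GROUP walks its AuthBys under each AuthByPolicy. It assumes Radiator's result codes ACCEPT=0, REJECT=1, IGNORE=2, CHALLENGE=3 (the trace's "REALM-CIS: rc = 0" is ACCEPT and "EAP result: 3" is CHALLENGE), and that a group returns the result of the last AuthBy it called. Fed the quoted AUTHENTICATE tree, it reproduces the trace: for plain MSCHAPv2 NTLM-CIS returns ACCEPT and ContinueUntilAccept stops, but for EAP MSCHAP-V2 the round is a CHALLENGE, which ContinueUntilAccept does not stop on, so AUTH-DEFAULT and NTLM-ACS are still called.

```perl
# Editor's model of AuthBy GROUP / AuthByPolicy; not Radiator's own code.
use strict;
use warnings;
# Result codes follow Radiator's $main::ACCEPT, $main::REJECT, etc.
use constant { ACCEPT => 0, REJECT => 1, IGNORE => 2, CHALLENGE => 3 };
my @name = qw(ACCEPT REJECT IGNORE CHALLENGE);

# Should the group keep calling AuthBys after one returned $rc?
my %continue = (
    ContinueWhileIgnore => sub { $_[0] == IGNORE },   # Radiator's default
    ContinueUntilIgnore => sub { $_[0] != IGNORE },
    ContinueWhileAccept => sub { $_[0] == ACCEPT },
    ContinueUntilAccept => sub { $_[0] != ACCEPT },
    ContinueWhileReject => sub { $_[0] == REJECT },
    ContinueUntilReject => sub { $_[0] != REJECT },
    ContinueAlways      => sub { 1 },
);

# A group is { id, policy, authbys => [...] }; a leaf AuthBy is { id, result }.
# Assumed: like AuthBy GROUP, the result is that of the last AuthBy called.
sub run_group {
    my ($group, $log) = @_;
    my $rc = IGNORE;
    for my $ab (@{ $group->{authbys} }) {
        $rc = $ab->{authbys} ? run_group($ab, $log) : $ab->{result};
        push @$log, "$ab->{id} -> $name[$rc]";
        last unless $continue{ $group->{policy} }->($rc);
    }
    return $rc;
}

# The AUTHENTICATE tree from the quoted config, Outer-Realm matching CIS.
# $ntlm_cis is what NTLM-CIS answers for the round being processed.
sub authenticate {
    my ($ntlm_cis, $log) = @_;
    return run_group({ id => 'AUTHENTICATE', policy => 'ContinueUntilAccept',
        authbys => [
          { id => 'AUTH-CIS', policy => 'ContinueWhileAccept', authbys => [
              { id => 'REALM-CIS', result => ACCEPT },    # realm hook matched
              { id => 'NTLM-CIS',  result => $ntlm_cis } ] },
          { id => 'AUTH-DEFAULT', policy => 'ContinueWhileIgnore', authbys => [
              { id => 'NTLM-ACS',  result => REJECT } ] }, # "Wrong Password"
        ] }, $log);
}

# Plain MSCHAPv2: NTLM-CIS accepts outright, NTLM-ACS is never called.
# EAP MSCHAP-V2: every round, even the Success, is a CHALLENGE (result 3).
for my $case ([ 'plain MSCHAPv2' => ACCEPT ], [ 'EAP MSCHAP-V2' => CHALLENGE ]) {
    my @log;
    my $rc = authenticate($case->[1], \@log);
    print "$case->[0]: ", join(', ', @log), " => $name[$rc]\n";
}
```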