(RADIATOR) PEAP with LDAP problem
R.H.Hoek
r.h.hoek at utwente.nl
Wed Nov 1 06:47:50 CST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hugh,
Thanks a lot!
That's exactly what I was looking for.
Hugh Irvine wrote:
>
> Hello Roel -
>
> As it is not the AuthBy FILE that is doing the MSCHAP-V2, you should
> use NoEAP instead of EAPType MSCHAP-V2, and you should add EAPType
> MSCHAP-V2 to your AuthBy LDAP2 clause:
>
>
> # the inner authentication for PEAP
> <Handler Realm=utwente.nl,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
> AuthByPolicy ContinueUntilAccept
> <AuthBy FILE>
> # Strip off the realm
> RewriteUsername s/^([^@]+).*/$1/
> # Strip off leading whitespace and the like
> RewriteUsername s/^\s*//
> # Strip off trailing whitespace and the like
> RewriteUsername s/\s*$//
>
> Filename %D/users-wlanpeap
>
> # This tells the PEAP client what types of inner EAP
> # requests we will honour
> NoEAP
> </AuthBy>
> </Handler>
>
> <AuthBy LDAP2>
> Identifier productieoid-peap
> Version 2
> # Production OID
> Host *****.utwente.nl
> AuthDN cn=****
> AuthPassword *****
> BaseDN o="university of twente",c=nl
> RcryptKey *****
>
> # Strip off the realm
> RewriteUsername s/^([^@]+).*/$1/
> # Strip off leading whitespace and the like
> RewriteUsername s/^\s*//
> # Strip off trailing whitespace and the like
> RewriteUsername s/\s*$//
> UsernameAttr uid
> PasswordAttr chappassword
> AuthAttrDef orclisenabled, OIDactive, request
> EAPType MSCHAP-V2
> </AuthBy>
>
>
> There may also be a problem with your RewriteUsername(s) as you cannot
> usually change the username string with MSCHAP-V2.
>
> regards
>
> Hugh
>
>
>
> On 31 Oct 2006, at 01:56, R.H.Hoek wrote:
>
> Dear Hugh/Mike and others,
>
> We are running a wireless LAN with TTLS authentication. It runs
> fine with Radiator.
>
> We also want to add PEAP authentication. But I can't manage to get
> it running in combination with LDAP and the use of a 'users-file'. In
> our LDAP server we store cleartext passwords with rcrypt.
>
> Something goes wrong in the MSCHAPv2 challenge: "no such user"
>
> When I authenticate with an account stored in a users-file (hoekroel)
> everything runs well.
> What's wrong with my config?
>
> This is the error log:
>
> Mon Oct 30 14:07:43 2006: DEBUG: Handling request with Handler
> 'Realm=utwente.nl,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1'
> Mon Oct 30 14:07:43 2006: DEBUG: Handling with Radius::AuthFILE:
> Mon Oct 30 14:07:43 2006: DEBUG: Handling with EAP: code 2, 11, 74
> Mon Oct 30 14:07:43 2006: DEBUG: Response type 26
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Reading users file
> /etc/radiator//users-wlanpeap
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE looks for match
> with m7642037 [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE REJECT: No such
> user: m7642037 [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE looks for match
> with DEFAULT [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: Handling with Radius::AuthLDAP2:
> productieoid-peap
> Mon Oct 30 14:07:43 2006: DEBUG: Handling with EAP: code 2, 11, 74
> Mon Oct 30 14:07:43 2006: DEBUG: Response type 26
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: INFO: Connecting to
> oralx065.civ.utwente.nl:389
> Mon Oct 30 14:07:43 2006: INFO: Attempting to bind to LDAP server
> oralx065.civ.utwente.nl:389
> Mon Oct 30 14:07:43 2006: DEBUG: LDAP got result for uid=m7642037,
> ou=Employees, cn=Users, o=university of twente,c=nl
> Mon Oct 30 14:07:43 2006: DEBUG: LDAP got chappassword:
> {rcrypt}K+qOU/D4aEHTAcGBrzsMhUtH
> Mon Oct 30 14:07:43 2006: DEBUG: LDAP got orclisenabled: ENABLED
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthLDAP2 looks for match
> with m7642037 [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthLDAP2 ACCEPT: :
> m7642037 [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: EAP result: 3, EAP MSCHAP V2
> Challenge: Success
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE CHALLENGE: EAP
> MSCHAP V2 Challenge: Success: DEFAULT [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: EAP result: 1, EAP MSCHAP V2
> failed: no such user m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: AuthBy FILE result: REJECT, EAP
> MSCHAP V2 failed: no such user m7642037
> Mon Oct 30 14:07:43 2006: INFO: Access rejected for
> anonymous at utwente.nl: EAP MSCHAP V2 failed: no such user m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Reject
>
> This is part of the config:
>
> # the outer authentication
> <Handler Realm=utwente.nl,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByTTLS=0>
> <AuthBy FILE>
> EAPType TTLS, PEAP
> EAPTLS_CAFile /****/CAs/CAs.pem
> EAPTLS_CAPath /****/CAs
> EAPTLS_CertificateFile /****/certificate.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /****/privatekey.pem
> EAPTLS_PrivateKeyPassword *****
> EAPTLS_MaxFragmentSize 1024
> EAPTLS_SessionResumption 1
> EAPTLS_SessionResumptionLimit 900
> AutoMPPEKeys
> SSLeayTrace 4
> EAPAnonymous anonymous at utwente.nl
> </AuthBy>
> </Handler>
>
> # the inner authentication for PEAP
> <Handler Realm=utwente.nl,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
> AuthByPolicy ContinueUntilAccept
> <AuthBy FILE>
> # Strip off the realm
> RewriteUsername s/^([^@]+).*/$1/
> # Strip off leading whitespace and the like
> RewriteUsername s/^\s*//
> # Strip off trailing whitespace and the like
> RewriteUsername s/\s*$//
>
> Filename %D/users-wlanpeap
>
> # This tells the PEAP client what types of inner EAP
> # requests we will honour
> EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
>
> <AuthBy LDAP2>
> Identifier productieoid-peap
> Version 2
> # Production OID
> Host *****.utwente.nl
> AuthDN cn=****
> AuthPassword *****
> BaseDN o="university of twente",c=nl
> RcryptKey *****
>
> # Strip off the realm
> RewriteUsername s/^([^@]+).*/$1/
> # Strip off leading whitespace and the like
> RewriteUsername s/^\s*//
> # Strip off trailing whitespace and the like
> RewriteUsername s/\s*$//
> UsernameAttr uid
> PasswordAttr chappassword
> AuthAttrDef orclisenabled, OIDactive, request
> </AuthBy>
>
> users-wlanpeap file:
>
> DEFAULT Auth-Type = productieoid-peap,
> OIDactive=ENABLED
> Tunnel-Type = 1:VLAN,
> Tunnel-Medium-Type = 1:Ether_802,
> Tunnel-Private-Group-ID = 1:125,
> Session-Timeout = "1200"
>
> hoekroel User-Password = xxxx
> Tunnel-Type = 1:VLAN,
> Tunnel-Medium-Type = 1:Ether_802,
> Tunnel-Private-Group-ID = 1:125,
> Session-Timeout = "1200"
>
>
> --
>
> Regards,
>
> Roel H.Hoek, Network Management
> Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
> Universiteit Twente, Postbus 217, 7500 AE Enschede
> room SP 422, phone: 053 - 489 4598, fax: 053 - 489 2383
> e-mail: r.h.hoek at utwente.nl http://www.utwente.nl/itbe
> IM-Jabber: rhhoek at gmail.com
>
>>
- --
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
> NB:
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> --Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
- --
Regards,
Roel H.Hoek, Network Management
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
room SP 422, phone: 053 - 489 4598, fax: 053 - 489 2383
e-mail: r.h.hoek at utwente.nl http://www.utwente.nl/itbe
IM-Jabber: rhhoek at gmail.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFSJd2JwlRSGnYBcYRAnXBAKCF0t++/LKg9H461+ta8BkYRq6IhQCfYWrM
bog93W0/6bwzP0jVYOHXV2o=
=NXQa
-----END PGP SIGNATURE-----
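Hugh's remark that you "cannot usually change the username string with MSCHAP-V2" follows from the protocol itself: RFC 2759 (section 8.2) feeds the user name into the 8-byte Challenge that both peer and server DES-encrypt to produce and verify the NT-Response, so the server must hash exactly the name the client hashed. The following is an added Python example, not code from this thread or from Radiator: it implements only the RFC 2759 ChallengeHash step (SHA-1, standard library), a Python mirror of the quoted RewriteUsername rules, and a comparison that models the name-dependent part of verification. It goes slightly beyond the thread by also showing the one rewrite the RFC does tolerate, dropping a prepended `DOMAIN\` prefix. The challenge bytes and the identity `user@utwente.nl` are constructed sample values.

```python
# Added example (not from the thread, not Radiator code): why a username
# rewrite can break MS-CHAP-V2. RFC 2759 section 8.2 hashes the user name
# into the 8-byte Challenge both sides use, so a server that authenticates
# under a different name string than the client used cannot verify the
# NT-Response even when the password is correct.
import hashlib
import re


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].

    The RFC states that a prepended Windows domain ("DOMAIN\\user") is excluded
    from the hash; everything else in the name, including an "@realm" suffix,
    is hashed as sent. The name is encoded as UTF-8 here (assumption: RFC 2759
    treats it as the octets the peer sent).
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAP-V2 peer and authenticator challenges are 16 octets each")
    bare_name = username.rsplit("\\", 1)[-1]  # drop "DOMAIN\" prefix per the RFC
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(authenticator_challenge)
    sha.update(bare_name.encode("utf-8"))
    return sha.digest()[:8]


def rewrite_username(username: str) -> str:
    """Python mirror of the quoted Radiator rules: s/^([^@]+).*/$1/, then strip
    leading whitespace (s/^\\s*//) and trailing whitespace (s/\\s*$//)."""
    stripped = re.sub(r"^([^@]+).*", r"\1", username)
    stripped = re.sub(r"^\s*", "", stripped)
    return re.sub(r"\s*$", "", stripped)


def challenges_agree(peer_challenge: bytes, authenticator_challenge: bytes,
                     client_name: str, server_name: str) -> bool:
    """Models the only name-dependent step of NT-Response verification: if the
    two sides derive different 8-byte Challenges, the DES output the client
    produced can never equal the one the server computes."""
    return challenge_hash(peer_challenge, authenticator_challenge, client_name) == \
        challenge_hash(peer_challenge, authenticator_challenge, server_name)


def demo() -> dict:
    """Run four constructed identities through the rewrite and report, per
    client-sent name, whether the server-side Challenge still matches."""
    peer = bytes(range(16))        # constructed 16-octet PeerChallenge
    auth = bytes(range(16, 32))    # constructed 16-octet AuthenticatorChallenge
    cases = {
        "user@utwente.nl": rewrite_username("user@utwente.nl"),  # realm stripped: mismatch
        "  user  ": rewrite_username("  user  "),                 # whitespace stripped: mismatch
        "UT\\user": "user",                                       # domain prefix: RFC ignores it
        "user": rewrite_username("user"),                         # nothing rewritten: match
    }
    return {client: challenges_agree(peer, auth, client, server)
            for client, server in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"client sent {name!r}: server Challenge {'matches' if ok else 'DIFFERS'}")
```

The practical consequence for the configuration in this thread is that the three RewriteUsername lines are safe only when the inner identity the client actually sends already has no realm and no surrounding whitespace; if it does, the rewritten name must be used solely for the LDAP lookup while the MS-CHAP-V2 computation keeps the original string. RFC 2759 section 9.2 publishes a ChallengeHash test vector that can be used to check `challenge_hash` against the standard.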