(RADIATOR) PEAP with LDAP problem

Hugh Irvine hugh at open.com.au
Mon Oct 30 18:47:29 CST 2006


Hello Roel -

As it is not the AuthBy FILE that is doing the MSCHAP-V2, you should
use NoEAP instead of EAPType MSCHAP-V2, and you should add EAPType
MSCHAP-V2 to your AuthBy LDAP2 clause:


# the inner authentication for PEAP
<Handler Realm=utwente.nl,Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
         AuthByPolicy ContinueUntilAccept
         <AuthBy FILE>
                 # Strip off the realm
                 RewriteUsername s/^([^@]+).*/$1/
                 # Strip off leading whitespace and such
                 RewriteUsername s/^\s*//
                 # Strip off trailing whitespace and such
                 RewriteUsername s/\s*$//

                 Filename %D/users-wlanpeap

                 # This tells the PEAP client what types of inner EAP
                 # requests we will honour
                 NoEAP
         </AuthBy>
</Handler>

<AuthBy LDAP2>
    Identifier productieoid-peap
    Version 2
    # Production OID
    Host *****.utwente.nl
    AuthDN cn=****
    AuthPassword *****
    BaseDN o="university of twente",c=nl
    RcryptKey *****

    # Strip off the realm
    RewriteUsername s/^([^@]+).*/$1/
    # Strip off leading whitespace and such
    RewriteUsername s/^\s*//
    # Strip off trailing whitespace and such
    RewriteUsername s/\s*$//
    UsernameAttr uid
    PasswordAttr chappassword
    AuthAttrDef orclisenabled, OIDactive, request
    EAPType MSCHAP-V2
</AuthBy>


There may also be a problem with your RewriteUsername(s) as you
cannot usually change the username string with MSCHAP-V2.

regards

Hugh



On 31 Oct 2006, at 01:56, R.H.Hoek wrote:

> Dear Hugh/Mike and others,
>
> We are running a wireless LAN with TTLS authentication. It runs
> fine with Radiator.
>
> We also want to add PEAP authentication. But I can't manage to get
> it running in combination with LDAP and the use of a 'users-file'. In
> our LDAP server we store cleartext passwords with rcrypt.
>
> Something goes wrong in the mschapv2 challenge: "no such user"
>
> When I authenticate with an account stored in a users-file (hoekroel)
> all runs well.
> What's wrong with my config?
>
> This is the error log:
>
> Mon Oct 30 14:07:43 2006: DEBUG: Handling request with Handler
> 'Realm=utwente.nl,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1'
> Mon Oct 30 14:07:43 2006: DEBUG: Handling with Radius::AuthFILE:
> Mon Oct 30 14:07:43 2006: DEBUG: Handling with EAP: code 2, 11, 74
> Mon Oct 30 14:07:43 2006: DEBUG: Response type 26
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Reading users file
> /etc/radiator//users-wlanpeap
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE looks for match
> with m7642037 [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE REJECT: No such
> user: m7642037 [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE looks for match
> with DEFAULT [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: Handling with Radius::AuthLDAP2:
> productieoid-peap
> Mon Oct 30 14:07:43 2006: DEBUG: Handling with EAP: code 2, 11, 74
> Mon Oct 30 14:07:43 2006: DEBUG: Response type 26
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: INFO: Connecting to
> oralx065.civ.utwente.nl:389
> Mon Oct 30 14:07:43 2006: INFO: Attempting to bind to LDAP server
> oralx065.civ.utwente.nl:389
> Mon Oct 30 14:07:43 2006: DEBUG: LDAP got result for uid=m7642037,
> ou=Employees, cn=Users, o=university of twente,c=nl
> Mon Oct 30 14:07:43 2006: DEBUG: LDAP got chappassword:
> {rcrypt}K+qOU/D4aEHTAcGBrzsMhUtH
> Mon Oct 30 14:07:43 2006: DEBUG: LDAP got orclisenabled: ENABLED
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthLDAP2 looks for match
> with m7642037 [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthLDAP2 ACCEPT: :
> m7642037 [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: EAP result: 3, EAP MSCHAP V2
> Challenge: Success
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE CHALLENGE: EAP
> MSCHAP V2 Challenge: Success: DEFAULT [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: EAP result: 1, EAP MSCHAP V2
> failed: no such user m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: AuthBy FILE result: REJECT, EAP
> MSCHAP V2 failed: no such user m7642037
> Mon Oct 30 14:07:43 2006: INFO: Access rejected for
> anonymous at utwente.nl: EAP MSCHAP V2 failed: no such user m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Reject
>
> This is a part of the config:
>
> # the outer authentication
> <Handler Realm=utwente.nl,Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByTTLS=0>
>   <AuthBy FILE>
>      EAPType TTLS, PEAP
>      EAPTLS_CAFile /****/CAs/CAs.pem
>      EAPTLS_CAPath /****/CAs
>      EAPTLS_CertificateFile /****/certificate.pem
>      EAPTLS_CertificateType PEM
>      EAPTLS_PrivateKeyFile /****/privatekey.pem
>      EAPTLS_PrivateKeyPassword *****
>      EAPTLS_MaxFragmentSize 1024
>      EAPTLS_SessionResumption 1
>      EAPTLS_SessionResumptionLimit 900
>      AutoMPPEKeys
>      SSLeayTrace 4
>      EAPAnonymous anonymous at utwente.nl
>    </AuthBy>
> </Handler>
>
> # the inner authentication for PEAP
> <Handler Realm=utwente.nl,Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>         AuthByPolicy ContinueUntilAccept
>         <AuthBy FILE>
>                 # Strip off the realm
>                 RewriteUsername s/^([^@]+).*/$1/
>                 # Strip off leading whitespace and such
>                 RewriteUsername s/^\s*//
>                 # Strip off trailing whitespace and such
>                 RewriteUsername s/\s*$//
>
>                 Filename %D/users-wlanpeap
>
>                 # This tells the PEAP client what types of inner EAP
>                 # requests we will honour
>                 EAPType MSCHAP-V2
>         </AuthBy>
> </Handler>
>
> <AuthBy LDAP2>
>    Identifier productieoid-peap
>    Version 2
>    # Production OID
>    Host *****.utwente.nl
>    AuthDN cn=****
>    AuthPassword *****
>    BaseDN o="university of twente",c=nl
>    RcryptKey *****
>
>    # Strip off the realm
>    RewriteUsername s/^([^@]+).*/$1/
>    # Strip off leading whitespace and such
>    RewriteUsername s/^\s*//
>    # Strip off trailing whitespace and such
>    RewriteUsername s/\s*$//
>    UsernameAttr uid
>    PasswordAttr chappassword
>    AuthAttrDef orclisenabled, OIDactive, request
> </AuthBy>
>
> users-wlanpeap file:
>
> DEFAULT  Auth-Type = productieoid-peap,
>         OIDactive=ENABLED
>         Tunnel-Type = 1:VLAN,
>         Tunnel-Medium-Type = 1:Ether_802,
>         Tunnel-Private-Group-ID = 1:125,
>         Session-Timeout = "1200"
>
> hoekroel  User-Password = xxxx
>         Tunnel-Type = 1:VLAN,
>         Tunnel-Medium-Type = 1:Ether_802,
>         Tunnel-Private-Group-ID = 1:125,
>         Session-Timeout = "1200"
>
>
> --
>
> Regards,
>
> Roel H. Hoek, Network Management
> Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
> Universiteit Twente,  Postbus 217,  7500 AE  Enschede
> room SP 422, telephone: 053 - 489 4598,  fax: 053 - 489 2383
> e-mail: r.h.hoek at utwente.nl http://www.utwente.nl/itbe
> IM-Jabber: rhhoek at gmail.com
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
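Hugh's caveat that the username string cannot usually be changed with MSCHAP-V2 follows from how MS-CHAPv2 binds its challenge to the user-name. The example below is added here and is not code from the thread or from Radiator: it applies the config's three RewriteUsername rules and then shows that the RFC 2759 ChallengeHash computed from the rewritten name differs from the one the client used, so the server can no longer reproduce the client's NT-Response. The two challenges and the inner identity are constructed sample values.

```python
import hashlib
import re

# Constructed sample values (not from the original thread): two 16-byte
# MS-CHAPv2 challenges and the inner identity a PEAP client might send.
PEER_CHALLENGE = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
AUTH_CHALLENGE = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")
CLIENT_IDENTITY = " m7642037@utwente.nl"

# The three RewriteUsername rules from the config, expressed in Python.
REWRITE_RULES = [
    (r"^([^@]+).*", r"\1"),   # s/^([^@]+).*/$1/   strip the realm
    (r"^\s*", ""),            # s/^\s*//           strip leading whitespace
    (r"\s*$", ""),            # s/\s*$//           strip trailing whitespace
]

def rewrite_username(username: str) -> str:
    """Apply the RewriteUsername chain in order, as the AuthBy clause would."""
    for pattern, replacement in REWRITE_RULES:
        username = re.sub(pattern, replacement, username, count=1)
    return username

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: the 8-byte challenge that
    both sides DES-encrypt is SHA1(PeerChallenge | AuthChallenge | UserName)[:8],
    so it is bound to the exact user-name string the client used."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]

def server_can_verify(client_username: str, server_username: str) -> bool:
    """The server reproduces the client's NT-Response only if it feeds the same
    user-name into ChallengeHash; a different name yields a different challenge
    and verification fails even when the password in LDAP is correct."""
    expected = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, client_username)
    recomputed = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, server_username)
    return expected == recomputed

if __name__ == "__main__":
    rewritten = rewrite_username(CLIENT_IDENTITY)
    print("rewritten:", rewritten)
    print("verify with original name:", server_can_verify(CLIENT_IDENTITY, CLIENT_IDENTITY))
    print("verify with rewritten name:", server_can_verify(CLIENT_IDENTITY, rewritten))
```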

