(RADIATOR) PEAP with LDAP problem
Hugh Irvine
hugh at open.com.au
Mon Oct 30 18:47:29 CST 2006
Hello Roel -
As it is not the AuthBy FILE that is doing the MSCHAP-V2, you should
use NoEAP instead of EAPType MSCHAP-V2, and you should add EAPType
MSCHAP-V2 to your AuthBy LDAP2 clause:
# the innerauthentication for PEAP
<Handler Realm=utwente.nl,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
AuthByPolicy ContinueUntilAccept
<AuthBy FILE>
# Strip off the realm
RewriteUsername s/^([^@]+).*/$1/
# Strip off leading whitespace and the like
RewriteUsername s/^\s*//
# Strip off trailing whitespace and the like
RewriteUsername s/\s*$//
Filename %D/users-wlanpeap
# This tells the PEAP client what types of inner EAP
# requests we will honour
NoEAP
</AuthBy>
</Handler>
<AuthBy LDAP2>
Identifier productieoid-peap
Version 2
# Production OID
Host *****.utwente.nl
AuthDN cn=****
AuthPassword *****
BaseDN o="university of twente",c=nl
RcryptKey *****
# Strip off the realm
RewriteUsername s/^([^@]+).*/$1/
# Strip off leading whitespace and the like
RewriteUsername s/^\s*//
# Strip off trailing whitespace and the like
RewriteUsername s/\s*$//
UsernameAttr uid
PasswordAttr chappassword
AuthAttrDef orclisenabled, OIDactive, request
EAPType MSCHAP-V2
</AuthBy>
There may also be a problem with your RewriteUsername(s) as you
cannot usually change the username string with MSCHAP-V2.
regards
Hugh
On 31 Oct 2006, at 01:56, R.H.Hoek wrote:
>
> Dear Hugh/Mike and others,
>
> We are running a wireless LAN with TTLS authentication. It runs
> fine with Radiator.
>
> We also want to add PEAP authentication. But I can't manage to get
> it running in combination with LDAP and the use of a 'users-file'. In
> our LDAP server we store cleartext passwords with rcrypt.
>
> Something goes wrong in the MSCHAPv2 challenge: "no such user"
>
> When I authenticate with an account stored in a users-file (hoekroel)
> all runs well.
> What's wrong with my config?
>
> This is the error log:
>
> Mon Oct 30 14:07:43 2006: DEBUG: Handling request with Handler
> 'Realm=utwente.nl,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1'
> Mon Oct 30 14:07:43 2006: DEBUG: Handling with Radius::AuthFILE:
> Mon Oct 30 14:07:43 2006: DEBUG: Handling with EAP: code 2, 11, 74
> Mon Oct 30 14:07:43 2006: DEBUG: Response type 26
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Reading users file
> /etc/radiator//users-wlanpeap
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE looks for match
> with m7642037 [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE REJECT: No such
> user: m7642037 [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE looks for match
> with DEFAULT [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: Handling with Radius::AuthLDAP2:
> productieoid-peap
> Mon Oct 30 14:07:43 2006: DEBUG: Handling with EAP: code 2, 11, 74
> Mon Oct 30 14:07:43 2006: DEBUG: Response type 26
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Rewrote identity to m7642037
> Mon Oct 30 14:07:43 2006: INFO: Connecting to
> oralx065.civ.utwente.nl:389
> Mon Oct 30 14:07:43 2006: INFO: Attempting to bind to LDAP server
> oralx065.civ.utwente.nl:389
> Mon Oct 30 14:07:43 2006: DEBUG: LDAP got result for uid=m7642037,
> ou=Employees, cn=Users, o=university of twente,c=nl
> Mon Oct 30 14:07:43 2006: DEBUG: LDAP got chappassword:
> {rcrypt}K+qOU/D4aEHTAcGBrzsMhUtH
> Mon Oct 30 14:07:43 2006: DEBUG: LDAP got orclisenabled: ENABLED
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthLDAP2 looks for match
> with m7642037 [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthLDAP2 ACCEPT: :
> m7642037 [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: EAP result: 3, EAP MSCHAP V2
> Challenge: Success
> Mon Oct 30 14:07:43 2006: DEBUG: Radius::AuthFILE CHALLENGE: EAP
> MSCHAP V2 Challenge: Success: DEFAULT [anonymous at utwente.nl]
> Mon Oct 30 14:07:43 2006: DEBUG: EAP result: 1, EAP MSCHAP V2
> failed: no such user m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: AuthBy FILE result: REJECT, EAP
> MSCHAP V2 failed: no such user m7642037
> Mon Oct 30 14:07:43 2006: INFO: Access rejected for
> anonymous at utwente.nl: EAP MSCHAP V2 failed: no such user m7642037
> Mon Oct 30 14:07:43 2006: DEBUG: Returned PEAP tunnelled packet dump:
> Code: Access-Reject
>
> This is a part of the config:
>
> # the outer authentication
> <Handler Realm=utwente.nl,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByTTLS=0>
> <AuthBy FILE>
> EAPType TTLS, PEAP
> EAPTLS_CAFile /****/CAs/CAs.pem
> EAPTLS_CAPath /****/CAs
> EAPTLS_CertificateFile /****/certificate.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /****/privatekey.pem
> EAPTLS_PrivateKeyPassword *****
> EAPTLS_MaxFragmentSize 1024
> EAPTLS_SessionResumption 1
> EAPTLS_SessionResumptionLimit 900
> AutoMPPEKeys
> SSLeayTrace 4
> EAPAnonymous anonymous at utwente.nl
> </AuthBy>
> </Handler>
>
> # the innerauthentication for PEAP
> <Handler Realm=utwente.nl,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
> AuthByPolicy ContinueUntilAccept
> <AuthBy FILE>
> # Strip off the realm
> RewriteUsername s/^([^@]+).*/$1/
> # Strip off leading whitespace and the like
> RewriteUsername s/^\s*//
> # Strip off trailing whitespace and the like
> RewriteUsername s/\s*$//
>
> Filename %D/users-wlanpeap
>
> # This tells the PEAP client what types of inner EAP
> # requests we will honour
> EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
>
> <AuthBy LDAP2>
> Identifier productieoid-peap
> Version 2
> # Production OID
> Host *****.utwente.nl
> AuthDN cn=****
> AuthPassword *****
> BaseDN o="university of twente",c=nl
> RcryptKey *****
>
> # Strip off the realm
> RewriteUsername s/^([^@]+).*/$1/
> # Strip off leading whitespace and the like
> RewriteUsername s/^\s*//
> # Strip off trailing whitespace and the like
> RewriteUsername s/\s*$//
> UsernameAttr uid
> PasswordAttr chappassword
> AuthAttrDef orclisenabled, OIDactive, request
> </AuthBy>
>
> users-wlanpeap file:
>
> DEFAULT Auth-Type = productieoid-peap,
> OIDactive=ENABLED
> Tunnel-Type = 1:VLAN,
> Tunnel-Medium-Type = 1:Ether_802,
> Tunnel-Private-Group-ID = 1:125,
> Session-Timeout = "1200"
>
> hoekroel User-Password = xxxx
> Tunnel-Type = 1:VLAN,
> Tunnel-Medium-Type = 1:Ether_802,
> Tunnel-Private-Group-ID = 1:125,
> Session-Timeout = "1200"
>
>
> - --
>
> Regards,
>
> Roel H.Hoek, Network Management
> Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
> Universiteit Twente, Postbus 217, 7500 AE Enschede
> room SP 422, phone: 053 - 489 4598, fax: 053 - 489 2383
> e-mail: r.h.hoek at utwente.nl http://www.utwente.nl/itbe
> IM-Jabber: rhhoek at gmail.com
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
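The caveat in Hugh's reply about RewriteUsername and MSCHAP-V2 is a property of the protocol itself: ChallengeHash() in RFC 2759 folds the user name into the 8-octet challenge that the NT-Response is computed over, so a server that verifies under a rewritten name derives a different challenge than the client did and the response can never match. The Python below is an added example, not code from this thread or from Radiator; the identity, the challenge bytes and the DOMAIN\ variant are constructed, and it goes one step beyond the thread by also showing the one rewrite the RFC itself tolerates (dropping a prepended DOMAIN\).

```python
import hashlib
import os


def mschapv2_username(name: str) -> bytes:
    # RFC 2759 section 8.2: a prepended "DOMAIN\" is excluded from the hash
    # input, but a trailing "@realm" is ordinary user-name text and stays in.
    return name.rsplit("\\", 1)[-1].encode("utf-8")


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, name: str) -> bytes:
    # ChallengeHash() from RFC 2759 section 8.2: the first 8 octets of
    # SHA-1(PeerChallenge || AuthenticatorChallenge || UserName). This is the
    # DES challenge the NT-Response is built from, so any change to UserName
    # changes the response the server expects.
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(mschapv2_username(name))
    return h.digest()[:8]


def rewrite_breaks_mschapv2(peer_challenge: bytes, auth_challenge: bytes,
                            client_name: str, server_name: str) -> bool:
    # True when the server verifies under a different name than the client
    # hashed: the derived challenges differ, so NT-Response cannot verify even
    # with the correct password (the thread's "no such user"-style dead end).
    return (challenge_hash(peer_challenge, auth_challenge, client_name)
            != challenge_hash(peer_challenge, auth_challenge, server_name))


def rfc2759_vector_ok() -> bool:
    # Known-answer test from RFC 2759 section 9.2 (UserName "User").
    peer = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    auth = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    return challenge_hash(peer, auth, "User").hex().upper() == "D02E4386BCE91226"


def demo() -> dict:
    # Constructed challenges, random as both sides would generate them.
    peer, auth = os.urandom(16), os.urandom(16)
    # Constructed identity in the style of the thread: the supplicant sends
    # user@realm and the server strips the realm with s/^([^@]+).*/$1/.
    return {
        "strip_realm": rewrite_breaks_mschapv2(peer, auth, "m7642037@utwente.nl", "m7642037"),
        "strip_domain": rewrite_breaks_mschapv2(peer, auth, "UTWENTE\\m7642037", "m7642037"),
    }


if __name__ == "__main__":
    print(rfc2759_vector_ok(), demo())  # True {'strip_realm': True, 'strip_domain': False}
```

The practical consequence is the one Hugh states: keep the user name the client hashed (strip the realm, if at all, only for the LDAP lookup, not before MSCHAP-V2 verification), or configure the supplicant to send the bare name.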