(RADIATOR) LDAP to AD and PEAP problems
Michael Harlow
Michael.Harlow at utas.edu.au
Wed Jun 20 22:04:24 CDT 2007
Hi,
I have had a fully functioning Radiator setup, using TTLS/PAP (SecureW2) to
a Sun LDAP server, with crypt passwords for some years now.
We now have a full AD system with all users loaded, running alongside our
older Sun LDAP system. I'd now like to try and use the integrated MS-Windows
PEAP client, and also other PEAP devices like PDAs etc.
I'd like to use LDAP to get Radiator (on Unix) to authenticate users against
the AD. So I've set up a test network, a TunneledByPEAP handler, and binding
details for AD.
I can get as far as searching for a user in the AD, getting back a list of
attributes, but none are a password.
There is no attempt to bind as the user to check the password. It makes no
difference if I have the ServerChecksPassword option or not.
I am snooping with wireshark, and I see the bind request from radiator to
the ldap server, the successful bind result, then the search, the search
results, then the connection is dropped (ACK,FIN etc).
Can anyone work out what is going wrong? Can I do PEAP-MSCHAPv2 against AD
via LDAP? I don't want to use the samba method, or install onto Windows yet.
I'd like to be able to extract other things (groups, reply-items) via the
LDAP later.
Regards, Michael
################################
<Handler Called-Station-Id=/:UANA-ITR-Testing$/>
    PreProcessingHook file:"/etc/radiator/utas_eap_anon_hook.pl"
    PostAuthHook file:"/etc/radiator/utas_eap_anon_hook.pl"
    <AuthBy LDAP2>
        Debug 255
        SSLeayTrace 4
        NoDefault
        EAPType PEAP
        Host XXXXXXXXX    <-- I don't think this gets called, a typo makes no difference
        AuthDN cn=XXXXX, ou=accounts, dc=XXXXXX
        AuthPassword XXXXXXXX
        BaseDN ou=people, dc=XXXXXXXXX
        Scope sub
        UsernameAttr cn
        PasswordAttr userPassword
        ServerChecksPassword
        # NoBindBeforeOp
        Version 3
        # Location and startup information for EAP/TTLS certificates
        EAPTLS_CAFile /etc/radiator/cacert.pem
        EAPTLS_CertificateFile /etc/radiator/radius.crt
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/radius.key
        EAPTLS_PrivateKeyPassword XXXXXXXXXXXXXXXX
        EAPTLS_MaxFragmentSize 1200
        #EAPTLS_SessionResumption no
        EAPTLS_NoCheckId
        EAPTLS_PEAPVersion 1
        EAPTLS_PEAPBrokenV1Label
        AutoMPPEKeys
    </AuthBy>
</Handler>
<Handler TunnelledByPEAP=1>
    # RewriteUsername s/(.*)\\(.*)/$2/
    PreProcessingHook file:"/etc/radiator/utas_eap_anon_hook.pl"
    PostAuthHook file:"/etc/radiator/utas_eap_anon_hook.pl"
    <AuthBy LDAP2>
        Debug 255
        SSLeayTrace 4
        NoDefault
        # This tells the PEAP client what types of inner EAP requests
        # we will honour
        EAPType MSCHAP-V2
        Host XXXXXXXXXXXX
        AuthDN cn=XXXXX,ou=Accounts,dc=XXXXXXXXXX
        AuthPassword XXXXXXXXX
        BaseDN ou=people, dc=XXXXXXXXXX
        Scope sub
        UsernameAttr cn
        PasswordAttr userPassword
        ServerChecksPassword
        # NoBindBeforeOp
        Version 3
    </AuthBy>
</Handler>
###############################################################################################
Debug output, there are about 6 RADIUS packets before this one, setting up
the PEAP tunnel, handshaking, mutual trust etc (I think).
Code: Access-Request
Identifier: 192
Authentic: <174><10><245><211>I03<159>q<255>|<12><204><219><249>S
Attributes:
User-Name = "roamingouter" <-- My outer ID
Calling-Station-Id = "00-19-D2-D6-6A-72" <-- My laptop MAC
Called-Station-Id = "00-1A-30-30-72-C0:UANA-ITR-Testing" <-- AP MAC via WiSM, and SSID
NAS-Port = 29 <-- Always seems to be 29 !
NAS-IP-Address = 172.31.3.3 <-- WiSM IP
NAS-Identifier = "WismB2"
Airespace-WLAN-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 2005
EAP-Message = <2><6><0>P<25><1><23><3><1><0>
<163>k<146>[;?t<171><146><166><162>7C^d<171>?3<29>Hdq<252><178>?<<167><176>C
P<209><175><23><3><1><0>
<152><207>%&Nv<248><243>?<136><205><174>D<150>9(<252><8><206><10><228><251><
0>C<7><171>$W<172>h<26>O
Message-Authenticator =
5f<133><198><254><19>V<8>]<160><212><197>F2<160><26>
Thu Jun 21 12:07:33 2007: DEBUG: Handling request with Handler
'Called-Station-Id=/:UANA-ITR-Testing$/'
Thu Jun 21 12:07:33 2007: DEBUG: Deleting session for roamingouter,
172.31.3.3, 29
Thu Jun 21 12:07:33 2007: DEBUG: do query is: 'delete from RADONLINE where
NASIDENTIFIER='172.31.3.3' and NASPORT=029':
Thu Jun 21 12:07:33 2007: DEBUG: Handling with Radius::AuthLDAP2:
Thu Jun 21 12:07:33 2007: DEBUG: Handling with EAP: code 2, 6, 80
Thu Jun 21 12:07:33 2007: DEBUG: Response type 25
Thu Jun 21 12:07:33 2007: DEBUG: EAP PEAP inner authentication request for
anonymous
Thu Jun 21 12:07:33 2007: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: ;<4>9Z<28><25><25>J'<236><211><241>E<29><<235>
Attributes:
EAP-Message = <2><0><0><9><1>mike
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "anonymous"
NAS-IP-Address = 172.31.3.3
NAS-Identifier = "WismB2"
NAS-Port = 29
Calling-Station-Id = "00-19-D2-D6-6A-72"
Thu Jun 21 12:07:33 2007: DEBUG: Handling request with Handler
'TunnelledByPEAP=1'
Thu Jun 21 12:07:33 2007: DEBUG: Deleting session for anonymous,
172.31.3.3, 29
Thu Jun 21 12:07:33 2007: DEBUG: do query is: 'delete from RADONLINE where
NASIDENTIFIER='172.31.3.3' and NASPORT=029':
Thu Jun 21 12:07:33 2007: DEBUG: Handling with Radius::AuthLDAP2:
Thu Jun 21 12:07:33 2007: DEBUG: Handling with EAP: code 2, 0, 9
Thu Jun 21 12:07:33 2007: DEBUG: Response type 1
Thu Jun 21 12:07:33 2007: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Thu Jun 21 12:07:33 2007: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP
MSCHAP-V2 Challenge
Thu Jun 21 12:07:33 2007: DEBUG: Access challenged for anonymous: EAP
MSCHAP-V2 Challenge
Thu Jun 21 12:07:33 2007: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Challenge
Identifier: UNDEF
Authentic: ;<4>9Z<28><25><25>J'<236><211><241>E<29><<235>
Attributes:
EAP-Message =
<1><1><0>0<26><1><1><0>+<16><238><161><147>/N<182>R<255><192><134>Z<170>A<19
0><204><16>hadmar.its.utas.edu.au
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Jun 21 12:07:33 2007: DEBUG: EAP result: 3, EAP PEAP inner
authentication redespatched to a Handler
Thu Jun 21 12:07:33 2007: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP
inner authentication redespatched to a Handler
Thu Jun 21 12:07:33 2007: DEBUG: Access challenged for roamingouter: EAP
PEAP inner authentication redespatched to a Handler
Thu Jun 21 12:07:33 2007: DEBUG: Packet dump:
*** Sending to 172.31.3.3 port 32770 ....
Packet length = 131
[SNIP]
Code: Access-Challenge
Identifier: 192
Authentic: <174><10><245><211>I03<159>q<255>|<12><204><219><249>S
Attributes:
EAP-Message =
<1><7><0>[<25><1><23><3><1><0>P<5>xJ<195><8><177><9><31><196><253>g<132><14>
<144>;j/i<4><4><27>'<176><213>m<14><132>l<220>6<208><231><212>_q<129>&Ei<137
>G<252><1><137><26>n<133><139><227><217><29><207><140>9?~~<207>O<5><137><161
>1<254>"Y<25><158>!<179><140>q<174><201><139><228>4<156>]m
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Jun 21 12:07:33 2007: DEBUG: Packet dump:
*** Received from 172.31.3.3 port 32770 ....
Packet length = 321
[SNIP]
Code: Access-Request
Identifier: 193
Authentic: <135>R/<195><12><144><23>OVQ'<148><19><229>}V
Attributes:
User-Name = "roamingouter"
Calling-Station-Id = "00-19-D2-D6-6A-72"
Called-Station-Id = "00-1A-30-30-72-C0:UANA-ITR-Testing"
NAS-Port = 29
NAS-IP-Address = 172.31.3.3
NAS-Identifier = "WismB2"
Airespace-WLAN-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 2005
EAP-Message = <2><7><0><144><25><1><23><3><1><0>
<176>J^<237>e<224><224>&W<20><187><184><248>v<201><254><188>6<191>!<197><226
><194><171><251><28>C<174><181><192><157>*<23><3><1><0>`<231><22>X<18><147><
206><185><0>x<9> _ at 6<221>,
<213><196>+*N<Uf<130><2>HT<201><183><25><6><205><153><16>t}z<164><243>$<227>
?<150>Lo<182><212><200><1><252>2<223><163>k<206><224><180><183>c<188><152><1
95>tp_<158><229><235><8><254><231><196>K.z<174>!<252>&<7>C<219><11><169><16>
,<26>T<173>;`<167><243>b
Message-Authenticator =
<137><225><197><197><161><219><190><252><187><247><233><236><12><138><4><246
>
Thu Jun 21 12:07:33 2007: DEBUG: Handling request with Handler
'Called-Station-Id=/:UANA-ITR-Testing$/'
Thu Jun 21 12:07:33 2007: DEBUG: Deleting session for roamingouter,
172.31.3.3, 29
Thu Jun 21 12:07:33 2007: DEBUG: do query is: 'delete from RADONLINE where
NASIDENTIFIER='172.31.3.3' and NASPORT=029':
Thu Jun 21 12:07:33 2007: DEBUG: Handling with Radius::AuthLDAP2:
Thu Jun 21 12:07:33 2007: DEBUG: Handling with EAP: code 2, 7, 144
Thu Jun 21 12:07:33 2007: DEBUG: Response type 25
Thu Jun 21 12:07:33 2007: DEBUG: EAP PEAP inner authentication request for
anonymous
Thu Jun 21 12:07:33 2007: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: I<20><249>C<161><219><198>ii4<137><255>uWr<233>
Attributes:
EAP-Message =
<2><1><0>?<26><2><1><0>:1<197><251><180><233>K<151><12>t',d<26><196>Z<240><1
74><0><0><0><0><0><0><0><0><199>z<153><14>\<192><209><0><197><197><242><233>
<199>L<134><0><213><234><189><219>)<135>+<21><0>mike
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "anonymous"
NAS-IP-Address = 172.31.3.3
NAS-Identifier = "WismB2"
NAS-Port = 29
Calling-Station-Id = "00-19-D2-D6-6A-72"
Thu Jun 21 12:07:33 2007: DEBUG: Handling request with Handler
'TunnelledByPEAP=1'
Thu Jun 21 12:07:33 2007: DEBUG: Deleting session for anonymous,
172.31.3.3, 29
Thu Jun 21 12:07:33 2007: DEBUG: do query is: 'delete from RADONLINE where
NASIDENTIFIER='172.31.3.3' and NASPORT=029':
Thu Jun 21 12:07:33 2007: DEBUG: Handling with Radius::AuthLDAP2:
Thu Jun 21 12:07:33 2007: DEBUG: Handling with EAP: code 2, 1, 63
Thu Jun 21 12:07:33 2007: DEBUG: Response type 26
Thu Jun 21 12:07:33 2007: INFO: Connecting to XXX:389
Thu Jun 21 12:07:33 2007: INFO: Attempting to bind to LDAP server XXX:389
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got result for
CN=mike,OU=Staff,OU=People,DC=xxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got objectClass: top person
organizationalPerson user
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got cn: mike
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got sn: Harlow
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got description: staff_group
xxxxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got givenName: Michael
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got initials: xx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got distinguishedName:
CN=mike,OU=Staff,OU=People,DC=xxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got instanceType: 4
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got whenCreated: xxxxxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got whenChanged: xxxxxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got displayName: Michael Harlow
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got uSNCreated: xxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got memberOf: CN=xxxxx CN=yyyy CN=zzzz
CN=wwwwwww
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got uSNChanged: xxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got name: mike
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got objectGUID: xxxxxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got userAccountControl: xxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got badPwdCount: 0
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got codePage: 0
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got countryCode: 0
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got badPasswordTime: xxxxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got lastLogoff: 0
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got lastLogon: xxxxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got pwdLastSet: xxxxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got primaryGroupID: xxxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got objectSid: xxxxxxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got accountExpires: xxxxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got logonCount: 1
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got sAMAccountName: mike
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got sAMAccountType: xxxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got userPrincipalName: mike at xxxxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=xxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got dSCorePropagationData: xxxxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got lastLogonTimestamp: xxxxxxxxxxxx
Thu Jun 21 12:07:33 2007: DEBUG: Radius::AuthLDAP2 looks for match with mike
[anonymous]
Thu Jun 21 12:07:33 2007: DEBUG: Radius::AuthLDAP2 ACCEPT: : mike
[anonymous]
Thu Jun 21 12:07:33 2007: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication
failure
Thu Jun 21 12:07:33 2007: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2
Authentication failure
Thu Jun 21 12:07:33 2007: INFO: Access rejected for anonymous: EAP MSCHAP-V2
Authentication failure
Thu Jun 21 12:07:33 2007: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
Identifier: UNDEF
Authentic: I<20><249>C<161><219><198>ii4<137><255>uWr<233>
Attributes:
EAP-Message = <4><1><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
Thu Jun 21 12:07:33 2007: DEBUG: EAP result: 3, EAP PEAP inner
authentication redespatched to a Handler
Thu Jun 21 12:07:33 2007: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP PEAP
inner authentication redespatched to a Handler
Thu Jun 21 12:07:33 2007: DEBUG: Access challenged for roamingouter: EAP
PEAP inner authentication redespatched to a Handler
Thu Jun 21 12:07:33 2007: DEBUG: Packet dump:
*** Sending to 172.31.3.3 port 32770 ....
Packet length = 83
[SNIP]
Code: Access-Challenge
Identifier: 193
Authentic: <135>R/<195><12><144><23>OVQ'<148><19><229>}V
Attributes:
EAP-Message = <1><8><0>+<25><1><23><3><1><0>
<27>k<132><16>}+<144>Ch<245>A<183><220><208><227><18><162><185>x<144><219><1
95><202><148><171><176>`<166>h<159><255>:
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Jun 21 12:07:33 2007: DEBUG: Packet dump:
*** Received from 172.31.3.3 port 32770 ....
Packet length = 257
[SNIP]
Code: Access-Request
Identifier: 194
Authentic: <145><157><185>u/<214>.B<197><166><228><<30><212><216>.
Attributes:
User-Name = "roamingouter"
Calling-Station-Id = "00-19-D2-D6-6A-72"
Called-Station-Id = "00-1A-30-30-72-C0:UANA-ITR-Testing"
NAS-Port = 29
NAS-IP-Address = 172.31.3.3
NAS-Identifier = "WismB2"
Airespace-WLAN-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 2005
EAP-Message = <2><8><0>P<25><1><23><3><1><0>
i<217><233><19>]<193>@<25><145><161><162>x<160>:<27><194>\<137>s<171><189><1
46><186><7>K<183><155>'<183><225><152><200><23><3><1><0>
P8fv<24>MNLvF<15><215>^<199><14><226><147><227><196><17>;"<218>&L<134>R<5><1
98><20><156><244>
Message-Authenticator =
%<177>`<174><237>r:$>)<18><183><31><165><175><233>
Thu Jun 21 12:07:33 2007: DEBUG: Handling request with Handler
'Called-Station-Id=/:UANA-ITR-Testing$/'
Thu Jun 21 12:07:33 2007: DEBUG: Deleting session for roamingouter,
172.31.3.3, 29
Thu Jun 21 12:07:33 2007: DEBUG: do query is: 'delete from RADONLINE where
NASIDENTIFIER='172.31.3.3' and NASPORT=029':
Thu Jun 21 12:07:33 2007: DEBUG: Handling with Radius::AuthLDAP2:
Thu Jun 21 12:07:33 2007: DEBUG: Handling with EAP: code 2, 8, 80
Thu Jun 21 12:07:33 2007: DEBUG: Response type 25
Thu Jun 21 12:07:33 2007: DEBUG: EAP result: 1, PEAP Authentication Failure
Thu Jun 21 12:07:33 2007: DEBUG: AuthBy LDAP2 result: REJECT, PEAP
Authentication Failure
Thu Jun 21 12:07:33 2007: INFO: Access rejected for roamingouter: PEAP
Authentication Failure
Thu Jun 21 12:07:33 2007: DEBUG: Packet dump:
*** Sending to 172.31.3.3 port 32770 ....
Packet length = 60
[SNIP]
Code: Access-Reject
Identifier: 194
Authentic: <145><157><185>u/<214>.B<197><166><228><<30><212><216>.
Attributes:
EAP-Message = <4><8><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
--------------------------------------------
Michael Harlow Private Bag 69
Network Engineer Hobart Tasmania 7001
IT Resources Ph 03 6226 1812
University of Tasmania Mob 0438 26 1812
Michael.Harlow at utas.edu.au Fx 03 6226 7171
--------------------------------------------
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
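An added diagnostic, not Radiator code and not from the post: a Python script that reads Radiator debug lines of the kind shown in the trace above, extracts the EAP method type codes and the attributes the LDAP search returned, and reports why a challenge/response inner method such as MS-CHAPv2 cannot be verified against a directory that hands back no password attribute. The sample log is constructed from the trace (abbreviated, values made up), the type-code names come from the IANA EAP registry, and the reading of ServerChecksPassword as a bind-as-the-user check is an assumption marked in the comments.

```python
"""Diagnose a Radiator AuthBy LDAP2 debug trace for an inner EAP method that
the directory backend cannot verify.  Added example; not part of Radiator."""
import re
from dataclasses import dataclass, field

# EAP method type codes from the IANA EAP registry (subset).
EAP_TYPE_NAMES = {1: "Identity", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2"}

# Challenge/response methods: the client never sends the password itself, only a
# response derived from the NT hash, so the server must hold the NT hash or the
# cleartext password to check it.  A bind with the user's credentials cannot
# stand in for that, because there is no cleartext password to bind with.
CHALLENGE_RESPONSE_METHODS = {"MSCHAP-V2"}

ADS_UF_ACCOUNTDISABLE = 0x0002  # userAccountControl "account disabled" flag

RESPONSE_TYPE_RE = re.compile(r"DEBUG: Response type (\d+)")
LDAP_ATTR_RE = re.compile(r"DEBUG: LDAP got (\w+): (.*)")
BIND_RE = re.compile(r"INFO: Attempting to bind to LDAP server (\S+)")
EAP_FAIL_RE = re.compile(r"DEBUG: EAP result: 1, (.*)")

# Constructed sample, abbreviated from the trace in the post; values are made up.
SAMPLE_LOG = """\
Thu Jun 21 12:07:33 2007: DEBUG: Handling with EAP: code 2, 1, 63
Thu Jun 21 12:07:33 2007: DEBUG: Response type 26
Thu Jun 21 12:07:33 2007: INFO: Attempting to bind to LDAP server dc.example.test:389
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got result for CN=mike,OU=Staff,OU=People,DC=example,DC=test
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got objectClass: top person organizationalPerson user
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got cn: mike
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got sAMAccountName: mike
Thu Jun 21 12:07:33 2007: DEBUG: LDAP got userAccountControl: 512
Thu Jun 21 12:07:33 2007: DEBUG: Radius::AuthLDAP2 ACCEPT: : mike [anonymous]
Thu Jun 21 12:07:33 2007: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
"""


@dataclass
class Trace:
    eap_methods: list = field(default_factory=list)   # method names in order seen
    ldap_attrs: dict = field(default_factory=dict)    # attribute -> value from the search
    bind_targets: list = field(default_factory=list)  # LDAP servers Radiator bound to
    eap_failures: list = field(default_factory=list)  # reasons from "EAP result: 1, ..."


def parse_trace(text):
    """Extract EAP methods, LDAP search results, binds and failures from debug lines."""
    trace = Trace()
    for line in text.splitlines():
        m = RESPONSE_TYPE_RE.search(line)
        if m:
            code = int(m.group(1))
            trace.eap_methods.append(EAP_TYPE_NAMES.get(code, f"type-{code}"))
            continue
        m = LDAP_ATTR_RE.search(line)
        if m:
            trace.ldap_attrs[m.group(1)] = m.group(2).strip()
            continue
        m = BIND_RE.search(line)
        if m:
            trace.bind_targets.append(m.group(1))
            continue
        m = EAP_FAIL_RE.search(line)
        if m:
            trace.eap_failures.append(m.group(1).strip())
    return trace


def diagnose(trace, password_attr="userPassword", server_checks_password=False):
    """Return human-readable findings explaining why the trace could not succeed."""
    findings = []
    cr_methods = sorted(set(trace.eap_methods) & CHALLENGE_RESPONSE_METHODS)
    if cr_methods and password_attr not in trace.ldap_attrs:
        findings.append(
            f"{'/'.join(cr_methods)} needs the cleartext password or its NT hash on the "
            f"server, but the search returned no '{password_attr}' attribute "
            "(Active Directory does not expose password hashes over LDAP)."
        )
    if cr_methods and server_checks_password:
        # Assumption: ServerChecksPassword makes Radiator bind as the user with the
        # cleartext password, which only PAP-style inner methods can provide.
        findings.append(
            "ServerChecksPassword relies on a bind with the user's cleartext password; "
            f"a {'/'.join(cr_methods)} challenge/response cannot be used for a bind."
        )
    uac = trace.ldap_attrs.get("userAccountControl", "")
    if uac.isdigit() and int(uac) & ADS_UF_ACCOUNTDISABLE:
        findings.append("The account is disabled (userAccountControl ACCOUNTDISABLE bit).")
    return findings


if __name__ == "__main__":
    t = parse_trace(SAMPLE_LOG)
    print("EAP methods seen:", t.eap_methods)
    for finding in diagnose(t, server_checks_password=True):
        print("-", finding)
```

Run against a full trace (`python3 diag.py < radiator.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the script reports two findings for the situation in the post: the inner method is type 26 (MS-CHAPv2), and the directory search returned every attribute except a password, so neither a stored hash nor a bind-as-user check is available to verify the response. The `userAccountControl` check is an extra that catches the next most common reason an otherwise well-formed AD lookup is rejected.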