[RADIATOR] Problem rewriting inner username with PEAP-MSCHAPV2

Michael Harlow Michael.Harlow at utas.edu.au
Mon Dec 22 19:19:53 CST 2008


Hi,

I'm trying to work out how to re-write the inner username for a TTLS or PEAP request.

It is possible that the request is coming in with "user at company.com" inside the request, as well as on the outer wrapper. Usually the word anonymous is on the outer, but I need user at company.com on the outer, as I'm part of a RADIUS federation. 

It seems to be working for TunnelledByTTLS/PAP, but not for TunnelledByTTLS/MSCHAP-V2 and TunnelledByPEAP/MSCHAP-V2. Am I missing something?

I rewrite the user name with this snippet (in an include file)

---------------------------
# Convert to all lowercase            tr/A-Z/a-z/
# Convert xxxx at uni.edu.au to xxxx     s/(.*)@(.*)/$1/
# Convert domain\xxxx to xxxx         s/(.*)\\(.*)/$2/
# Convert domain/xxxx to xxxx         s/(.*)\/(.*)/$2/

RewriteFunction sub { my($a) = shift; \
    $a =~ s/[\000]//g; \
    $a =~ tr/A-Z/a-z/; \
    $a =~ s/(.*)@(.*)/$1/; \
    $a =~ s/(.*)\\(.*)/$2/; \
    $a =~ s/(.*)\/(.*)/$2/; \
    $a; }
---------------------------

This handler is hit first:

<Handler Client-Identifier=DMZ-RADIUS-Proxy,User-Name=/utas.edu.au$/>
    RejectHasReason
    Include "%D/configs/ReWriteUserFn.cfg"
    <AuthBy FILE>
        NoDefault
        EAPType PEAP, MSCHAP-V2, TTLS
        EAPTLS_PEAPVersion 0
        Include "%D/configs/TTLS-Cert.cfg"
        AutoMPPEKeys
    </AuthBy FILE>
</Handler>

---------------------------

And either of these is then hit to handle the Inner Request

<Handler TunnelledByTTLS=1,Client-Identifier=DMZ-RADIUS-Proxy>
        Include "%D/configs/ReWriteUserFn.cfg"
        RejectHasReason
        <AuthBy LSA>
                EAPType MSCHAP-V2, PEAP
        </AuthBy>
        PostAuthHook file:"%D/scripts/eduroam_eap_anon_hook_external.pl"
</Handler>

<Handler TunnelledByPEAP=1,Client-Identifier=DMZ-RADIUS-Proxy>
        Include "%D/configs/ReWriteUserFn.cfg"
        RejectHasReason
        <AuthBy LSA>
                EAPType MSCHAP-V2, PEAP
        </AuthBy>
        PostAuthHook file:"%D/scripts/eduroam_eap_anon_hook_external.pl"
</Handler>

#################################################
The Log for TTLS WITH PAP  (WORKS!)
#################################################

(inner username is mike at utas.edu.au, outer username is outer at utas.edu.au)

Code:       Access-Request
Identifier: 20
Authentic:  c.<201>F<145><26><253>C<175>M^fy<17><252>:
Attributes:
	User-Name = "outer at utas.edu.au"
	Calling-Station-Id = "00-40-96-A6-36-96"
	Called-Station-Id = "00-1E-13-85-AE-60:eduroam"
	NAS-Port = 29
	NAS-IP-Address = 172.31.3.2
	NAS-Identifier = "WismB1"
	Airespace-WLAN-Id = 1
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-IEEE-802-11
	Tunnel-Type = 0:VLAN
	Tunnel-Medium-Type = 0:802
	EAP-Message = <2><6><0>O<21><128><0><0><0>E<23><3><1><0>@Sw$vO<247>V<156><14>r:<203><255>t<153>#<224><172>Y<243>z<204>J<252><211>9<215>$ <16><240><249>PD<252><26>/<0><17>(<239><209><203>b<242><161><164><137><171><193>Q<17><152><133><167><152>x<13>M]B\<213><151>
	Message-Authenticator = z<198><216><149><142>1M<241><138><209><212><27>\<200>D<137>

Tue Dec 23 11:50:48 2008: DEBUG: Handling request with Handler 'Client-Identifier=DMZ-RADIUS-Proxy,User-Name=/utas.edu.au$/'
Tue Dec 23 11:50:48 2008: DEBUG: RewriteFunction rewrote user name to outer
Tue Dec 23 11:50:48 2008: DEBUG: Handling with Radius::AuthFILE: 
Tue Dec 23 11:50:48 2008: DEBUG: Handling with EAP: code 2, 6, 79, 21
Tue Dec 23 11:50:48 2008: DEBUG: Response type 21
Tue Dec 23 11:50:48 2008: DEBUG: EAP TTLS data, 3, 6, 5
Tue Dec 23 11:50:48 2008: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       UNDEF
Identifier: UNDEF
Authentic:  UNDEF
Attributes:
	User-Name = "mike at utas.edu.au"
	User-Password = (my plain text password)

Tue Dec 23 11:50:48 2008: DEBUG: EAP TTLS inner authentication request for mike at utas.edu.au
Tue Dec 23 11:50:48 2008: DEBUG: Handling request with Handler 'TunnelledByTTLS=1,Client-Identifier=DMZ-RADIUS-Proxy'
Tue Dec 23 11:50:48 2008: DEBUG: RewriteFunction rewrote user name to mike
Tue Dec 23 11:50:48 2008: DEBUG: Handling with Radius::AuthLSA: 
Tue Dec 23 11:50:48 2008: DEBUG: Radius::AuthLSA looks for match with mike [mike at utas.edu.au]
Tue Dec 23 11:50:48 2008: DEBUG: Radius::AuthLSA ACCEPT: : mike [mike at utas.edu.au]
Tue Dec 23 11:50:48 2008: DEBUG: AuthBy LSA result: ACCEPT, 
Tue Dec 23 11:50:48 2008: DEBUG: eduroam external EAP Anon: 'mike', '172.31.3.2', '00-40-96-A6-36-96', '00-1E-13-85-AE-60:eduroam'
Tue Dec 23 11:50:48 2008: DEBUG: Access accepted for mike
Tue Dec 23 11:50:48 2008: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code:       Access-Accept
Identifier: UNDEF

#################################################
This Log is for TTLS with MSCHAP-V2 (FAILS)
#################################################

Code:       Access-Request
Identifier: 27
Authentic:  <22><148><186><185><19><251><7><208><228>g=<167><145>;<223><22>
Attributes:
	User-Name = "outer at utas.edu.au"
	Calling-Station-Id = "00-40-96-A6-36-96"
	Called-Station-Id = "00-1E-13-85-AE-60:eduroam"
	NAS-Port = 29
	NAS-IP-Address = 172.31.3.2
	NAS-Identifier = "WismB1"
	Airespace-WLAN-Id = 1
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-IEEE-802-11
	Tunnel-Type = 0:VLAN
	Tunnel-Medium-Type = 0:802
	EAP-Message = <2><7><0><151><21><128><0><0><0><141><23><3><1><0><136>V<195><203>2d<228>/<194><25><212>I <200><193><27>h*@<134><151>`S<235>|<204><181><2>P<206>fD<237><222><253>\<180><226><184>s<9><202><254>%<207><187>V<<169>><248><144><13>i<200>>L<134><211><151>ca <251><209><227>.<253>GAi<222><192><<31>L<171><237><189><199>}*RG<182>2<250><240><232><188> <18>_T0<252>y<229><172><219><129>x<8>u<12>7I<162>y<250><213><135><9><21><206>@<222>i34<<207>u<232>I<129><2><142>B<254>\<156><162><!Z<11>
	Message-Authenticator = <241>@<181><171><245>C<174>#|g<236><216><254><168><174>g

Tue Dec 23 11:54:51 2008: DEBUG: Handling request with Handler 'Client-Identifier=DMZ-RADIUS-Proxy,User-Name=/utas.edu.au$/'
Tue Dec 23 11:54:51 2008: DEBUG: RewriteFunction rewrote user name to outer
Tue Dec 23 11:54:51 2008: DEBUG: Handling with Radius::AuthFILE: 
Tue Dec 23 11:54:51 2008: DEBUG: Handling with EAP: code 2, 7, 151, 21
Tue Dec 23 11:54:51 2008: DEBUG: Response type 21
Tue Dec 23 11:54:51 2008: DEBUG: EAP TTLS data, 3, 7, 6
Tue Dec 23 11:54:51 2008: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       UNDEF
Identifier: UNDEF
Authentic:  UNDEF
Attributes:
	EAP-Message = <2><1><0>K<26><2><1><0>F1<9><172>a<21><133><134>PG<230><140><152><192>|@<193>2<0><0><0><0><0><0><0><0><222>IN<246><172><127>Vur<18><8><7>rP<132><192><177><196><128>\<27><221>~<220><0>mike at utas.edu.au
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Tue Dec 23 11:54:51 2008: DEBUG: EAP TTLS inner authentication request for anonymous
Tue Dec 23 11:54:51 2008: DEBUG: Handling request with Handler 'TunnelledByTTLS=1,Client-Identifier=DMZ-RADIUS-Proxy'
Tue Dec 23 11:54:51 2008: DEBUG: RewriteFunction rewrote user name to anonymous
Tue Dec 23 11:54:51 2008: DEBUG: Handling with Radius::AuthLSA: 
Tue Dec 23 11:54:51 2008: DEBUG: Handling with EAP: code 2, 1, 75, 26
Tue Dec 23 11:54:51 2008: DEBUG: Response type 26
Tue Dec 23 11:54:51 2008: DEBUG: Radius::AuthLSA looks for match with mike at utas.edu.au [anonymous]
Tue Dec 23 11:54:51 2008: DEBUG: Radius::AuthLSA ACCEPT: : mike at utas.edu.au [anonymous]
Tue Dec 23 11:54:52 2008: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.

Tue Dec 23 11:54:52 2008: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Tue Dec 23 11:54:52 2008: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 Authentication failure
Tue Dec 23 11:54:52 2008: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Tue Dec 23 11:54:52 2008: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code:       Access-Reject
Identifier: UNDEF

---------------
Error 3221225581 (LogonUserNetworkMSCHAP (V2): 3221225581) is "3221225581 C000006D User logon has incorrect user name"

#################################################
This Log is for PEAP with MSCHAP-V2 (FAILS)
#################################################
(inner username is mike at utas.edu.au, outer username is the same because this is standard for WindowsXP-SP2 wireless networking)

Code:       Access-Request
Identifier: 34
Authentic:  <158><146>/<210>9<196><162>l<0>p7<195><243><14>@<27>
Attributes:
	User-Name = "mike at utas.edu.au"
	Calling-Station-Id = "00-40-96-A6-36-96"
	Called-Station-Id = "00-1E-13-85-AE-60:eduroam"
	NAS-Port = 29
	NAS-IP-Address = 172.31.3.2
	NAS-Identifier = "WismB1"
	Airespace-WLAN-Id = 1
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-IEEE-802-11
	Tunnel-Type = 0:VLAN
	Tunnel-Medium-Type = 0:802
	EAP-Message = <2><7><0>b<25><0><23><3><1><0>W<206><208>go<174>x;<141><193><5>1<211>~<224>=<246>{<151>{<127><19>x<221>L<214>_<207>R<5>E6<16><159><220>t<238><167><27><144>0i<208><242> <149><204>E<162><206><242><148>R<155><172><28><179><14>*<202>!<128><220><162><225><184><18><182><1><198><153><172><252>+<183>/0n<201><153>Qt<195><235><142><161><234>a
	Message-Authenticator = <2><149>c<250><224><208><157><170><146><15><199><13>nnTi

Tue Dec 23 12:10:58 2008: DEBUG: Handling request with Handler 'Client-Identifier=DMZ-RADIUS-Proxy,User-Name=/utas.edu.au$/'
Tue Dec 23 12:10:58 2008: DEBUG: RewriteFunction rewrote user name to mike
Tue Dec 23 12:10:58 2008: DEBUG: Handling with Radius::AuthFILE: 
Tue Dec 23 12:10:58 2008: DEBUG: Handling with EAP: code 2, 7, 98, 25
Tue Dec 23 12:10:58 2008: DEBUG: Response type 25
Tue Dec 23 12:10:58 2008: DEBUG: EAP PEAP inner authentication request for anonymous
Tue Dec 23 12:10:58 2008: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <222>dW<162><201>_<155><23><11><137><211><179>5<163><233><178>
Attributes:
	EAP-Message = <2><7><0>G<26><2><7><0>F1G<213><218>u$<135><235>'<229>U<163>sO<22>1<0><0><0><0><0><0><0><0><0>j(E<6>WG<20><185><173><250><255><174><131><195>X<252>Z<234><178><136><17><30><232><21><0>mike at utas.edu.au
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
	User-Name = "anonymous"
	NAS-IP-Address = 172.31.3.2
	NAS-Identifier = "WismB1"
	NAS-Port = 29
	Calling-Station-Id = "00-40-96-A6-36-96"

Tue Dec 23 12:10:58 2008: DEBUG: Handling request with Handler 'TunnelledByPEAP=1,Client-Identifier=DMZ-RADIUS-Proxy'
Tue Dec 23 12:10:58 2008: DEBUG: RewriteFunction rewrote user name to anonymous
Tue Dec 23 12:10:58 2008: DEBUG: Handling with Radius::AuthLSA: 
Tue Dec 23 12:10:58 2008: DEBUG: Handling with EAP: code 2, 7, 71, 26
Tue Dec 23 12:10:58 2008: DEBUG: Response type 26
Tue Dec 23 12:10:58 2008: DEBUG: Radius::AuthLSA looks for match with mike at utas.edu.au [anonymous]
Tue Dec 23 12:10:58 2008: DEBUG: Radius::AuthLSA ACCEPT: : mike at utas.edu.au [anonymous]
Tue Dec 23 12:10:58 2008: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.

Tue Dec 23 12:10:58 2008: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Tue Dec 23 12:10:58 2008: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 Authentication failure
Tue Dec 23 12:10:58 2008: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Tue Dec 23 12:10:58 2008: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Reject

------------------------

I think the bit in the "[xxx]" is not important, it is the word before it that is sent to AD for authentication. 

Again, I repeat, if I use the "short" name, PEAP, MSCHAP-V2 etc all work perfectly, so it is not a problem there. It is a problem with re-writing the long username with MSCHAP-V2.


Thanks, Michael



-----------------------------------------------------------------
Yesterday is history, tomorrow is a mystery, but today is a gift.
That is why it is called the present. [Oogway - Kungfu Panda]
-----------------------------------------------------------------
Michael Harlow                     Private Bag 69
Network Engineer                   Hobart Tasmania 7001
IT Resources                       Ph  03 6226 1812
University of Tasmania             Mob 0438 26 1812
Michael.Harlow at utas.edu.au         Fx  03 6226 7171
-----------------------------------------------------------------
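Added illustration, not part of the original post: a Python reconstruction of where the two identities in the MSCHAP-V2 logs above live. The tunnelled request carries User-Name "anonymous", which the RewriteFunction rewrites, while the EAP-MSCHAPv2 Response inside EAP-Message carries its own Name field (the bytes ending in mike at utas.edu.au, with EAP length 'K' = 75, MS-Length 'F' = 70 and Value-Size '1' = 49, exactly as in the TTLS dump). The Perl rewrite is ported to Python, the packet layout follows the EAP-MSCHAPv2 specification, and the sample packet is constructed with a zeroed response value.

```python
import re
import struct

# Python port of the post's Perl RewriteFunction: drop NULs, lowercase,
# strip an @realm suffix, strip a domain\ or domain/ prefix.
def rewrite_user_name(name: str) -> str:
    name = name.replace("\x00", "")
    name = name.lower()
    name = re.sub(r"(.*)@(.*)", r"\1", name)
    name = re.sub(r"(.*)\\(.*)", r"\2", name)
    name = re.sub(r"(.*)/(.*)", r"\2", name)
    return name

EAP_CODE_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OPCODE_RESPONSE = 2
# 16-byte peer challenge + 8 reserved + 24-byte NT response + 1 flags byte
MSCHAPV2_VALUE_SIZE = 49

def build_mschapv2_response(eap_id: int, name: str, response: bytes = b"\x00" * 49) -> bytes:
    """Constructed sample EAP-MSCHAPv2 Response packet (Name follows the 49-byte value)."""
    name_b = name.encode()
    ms_len = 4 + 1 + MSCHAPV2_VALUE_SIZE + len(name_b)       # OpCode, ID, MS-Length, Value-Size, value, Name
    body = struct.pack("!BBHB", MSCHAPV2_OPCODE_RESPONSE, eap_id, ms_len, MSCHAPV2_VALUE_SIZE)
    body += response + name_b
    eap_len = 5 + len(body)                                  # Code, Identifier, Length, Type
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, eap_len, EAP_TYPE_MSCHAPV2) + body

def mschapv2_name(eap_message: bytes) -> str:
    """Return the Name field of an EAP-MSCHAPv2 Response: the identity the backend logon sees."""
    code, _, eap_len, eap_type = struct.unpack("!BBHB", eap_message[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2 or eap_len > len(eap_message):
        raise ValueError("not a well-formed EAP-MSCHAPv2 response")
    opcode, _, _, value_size = struct.unpack("!BBHB", eap_message[5:10])
    if opcode != MSCHAPV2_OPCODE_RESPONSE or value_size != MSCHAPV2_VALUE_SIZE:
        raise ValueError("not an MS-CHAP-V2 Response packet")
    return eap_message[10 + value_size:eap_len].decode()

def inner_identities(request: dict) -> tuple:
    """What each stage sees for a tunnelled MSCHAP-V2 request: the rewritten User-Name
    versus the Name inside the EAP-MSCHAPv2 Response, which the User-Name rewrite never reaches."""
    return rewrite_user_name(request["User-Name"]), mschapv2_name(request["EAP-Message"])

if __name__ == "__main__":
    # Constructed stand-in for the tunnelled request in the TTLS/MSCHAP-V2 dump above.
    sample = {"User-Name": "anonymous",
              "EAP-Message": build_mschapv2_response(1, "Mike@utas.edu.au")}
    print(inner_identities(sample))  # ('anonymous', 'Mike@utas.edu.au')
```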