[RADIATOR] Upgrade to 4.2 problem
Colin Byelong
c.byelong@ucl.ac.uk
Wed Jul 9 03:16:34 CDT 2008
Hi,
We have had a working Radiator for some time now; it authenticates our
eduroam service for staff here at UCL and for visitors.
The staff either use PAP or EAP-TTLS; visitors get proxied to their home
institutions.
At the moment we are running 3.16; when I try to upgrade to 4.2 the
visitor part stops working.
Here's the config and the error messages:
#
#Logfile for local users
<AuthLog FILE>
Identifier LOCALUSERS
Filename %L/localusers.%Y-%m-%d.log
SuccessFormat :%l:%o %T from %u at %N:OK
FailureFormat :%l:%o %T from %u at %N:FAIL
LogSuccess 1
LogFailure 1
</AuthLog>
#
#Logfile for local pap
<AuthLog FILE>
Identifier UCL_PAP
Filename %L/UCLPAP.%Y-%m-%d.log
SuccessFormat :%l:%o %T from %u at %N:OK
FailureFormat :%l:%o %T from %u at %N:FAIL
LogSuccess 1
LogFailure 1
</AuthLog>
#
#
<Client roaming0.ja.net>
Secret <Removed>
StatusServerShowClientDetails
Identifier NRPS
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
NoIgnoreDuplicates Accounting-Request
</Client>
#
#
#
#
<Client roaming1.ja.net>
Secret <Removed>
StatusServerShowClientDetails
Identifier NRPS
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
NoIgnoreDuplicates Accounting-Request
</Client>
#
#
<Client roaming2.ja.net>
Secret <Removed>
StatusServerShowClientDetails
Identifier NRPS
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
NoIgnoreDuplicates Accounting-Request
</Client>
#
<Client localhost>
Secret <Removed>
DupInterval 0
</Client>
#
#
#
#
#
#
#
<Client DEFAULT>
Secret <Removed>
DupInterval 2
StatusServerShowClientDetails
</Client>
#
#Handlers with authentication
<Handler TunnelledByTTLS=1>
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername tr/A-Z/a-z/
AcctLogFileName %L/ucl-detail.%m%y
<AuthBy LDAP2>
# Identifier UCL
Host uclusers-dc1.uclusers.ucl.ac.uk
# Microsoft AD also listens on port 3268, and
# requests received on that port are reported to be
# more compliant with standard LDAP, so you may want to use:
# Port 3268
AuthDN cn=locindnet,ou=System Users,dc=uclusers,dc=ucl,dc=ac,dc=uk
# AuthPassword yourADadminpasswordhere
AuthPassword <Removed>
BaseDN ou=departments,dc=uclusers,dc=ucl,dc=ac,dc=uk
ServerChecksPassword
EAPType MSCHAP-V2,TTLS,PAP,PEAP
UsernameAttr sAMAccountName
# EncryptedPasswordAttr sn
#
# AuthAttrDef logonHours,MS-Login-Hours,check
</AuthBy>
#
#
#
AuthLog LOCALUSERS
</Handler>
#
#
#
#
#EAPOUTER
<Handler Realm=ucl.ac.uk, EAP-Message = /.+/>
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername tr/A-Z/a-z/
AcctLogFileName %L/ucl-detail.eapout.%m%y
<AuthBy FILE>
Filename %D/users
EAPType TTLS,pap,PEAP,MSCHAP-V2
EAPTLS_CAFile %D/cacert.pem
EAPTLS_CertificateFile %D/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/rsa.key
EAPTLS_MaxFragmentSize 1500
AutoMPPEKeys
EAPAnonymous anonymous
</AuthBy>
</Handler>
#
#
#Non EAP
<Handler Realm=ucl.ac.uk>
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername tr/A-Z/a-z/
AcctLogFileName %L/ucl-detailplain.%m%y
<AuthBy LDAP2>
# Identifier UCL
Host uclusers-dc1.uclusers.ucl.ac.uk
# Microsoft AD also listens on port 3268, and
# requests received on that port are reported to be
# more compliant with standard LDAP, so you may want to use:
# Port 3268
AuthDN cn=locindnet,ou=System Users,dc=uclusers,dc=ucl,dc=ac,dc=uk
# AuthPassword yourADadminpasswordhere
AuthPassword <Removed>
BaseDN ou=departments,dc=uclusers,dc=ucl,dc=ac,dc=uk
ServerChecksPassword
UsernameAttr sAMAccountName
# EncryptedPasswordAttr sn
#
# AuthAttrDef logonHours,MS-Login-Hours,check
</AuthBy>
AcctLogFileName %L/detail
AuthLog UCL_PAP
</Handler>
#
#
#
#Send Everything else to the NRPS
#
#
#Handler for users with no realm
<Handler Realm = "">
<AuthBy INTERNAL>
DefaultResult REJECT
</AuthBy>
AuthLog AUTH-DENY-NOREALM
</Handler>
#
#
<Handler>
<AuthBy GROUP>
AuthByPolicy ContinueUntilReject
<AuthBy RADIUS>
Host roaming0.ja.net
Secret sS7n2T5f7UbsNK4
AuthPort 1812
AcctPort 1813
RetryTimeout 8
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
</AuthBy>
#Second NRPS
<AuthBy RADIUS>
Host roaming1.ja.net
Secret 2GFRv4y77KNa021
AuthPort 1812
AcctPort 1813
Retries 3
RetryTimeout 8
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
</AuthBy>
#Third NRPS
<AuthBy RADIUS>
Host roaming2.ja.net
Secret jc5pnRc254uj88w
AuthPort 1812
AcctPort 1813
Retries 3
RetryTimeout 8
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
</AuthBy>
</AuthBy>
AuthLog NRPSSTATS
</Handler>
#
#
With this config we have been able to authenticate UCL users and proxy
visitors.
When I upgrade to 4.2 I can authenticate UCL users but not visitors.
Wed Jul 9 08:01:39 2008: DEBUG: Packet dump:
*** Received from 10.101.1.11 port 1645 ....
Code: Access-Request
Identifier: 151
Authentic: <198>#E<247>o<163>c<174><198>~<224>_#k<224>S
Attributes:
User-Name = "ucl.ac.uk@eduroam.ac.uk"
Framed-MTU = 1400
Called-Station-Id = "0000.0c07.ac00"
Calling-Station-Id = "000c.859a.21d6"
Service-Type = Login-User
Message-Authenticator = <161><234><1><198><129>W<20>+<167><30><243><249><246><31><157><184>
EAP-Message = <2><2><0><28><1>ucl.ac.uk@eduroam.ac.uk
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 3083104
NAS-IP-Address = 10.101.1.11
Wed Jul 9 08:01:39 2008: DEBUG: Handling request with Handler ''
Wed Jul 9 08:01:39 2008: DEBUG: Deleting session for ucl.ac.uk@eduroam.ac.uk, 10.101.1.11, 3083104
Wed Jul 9 08:01:39 2008: DEBUG: Handling with Radius::AuthGROUP:
Wed Jul 9 08:01:39 2008: DEBUG: Handling with EAP: code 2, 2, 28, 1
Wed Jul 9 08:01:39 2008: DEBUG: Response type 1
Wed Jul 9 08:01:39 2008: DEBUG: EAP result: 1, EAP authentication is not permitted.
Wed Jul 9 08:01:39 2008: DEBUG: AuthBy GROUP result: REJECT, EAP authentication is not permitted.
Wed Jul 9 08:01:39 2008: INFO: Access rejected for ucl.ac.uk@eduroam.ac.uk: EAP authentication is not permitted.
Wed Jul 9 08:01:39 2008: DEBUG: Packet dump:
*** Sending to 10.101.1.11 port 1645 ....
Code: Access-Reject
Identifier: 151
Authentic: <198>#E<247>o<163>c<174><198>~<224>_#k<224>S
Attributes:
Reply-Message = "Request Denied"
The same config worked in 3.16; has something changed?
I tried adding EAPType settings:
<Handler>
<AuthBy GROUP>
AuthByPolicy ContinueUntilReject
EAPType TLS,TTLS,pap,PEAP,MSCHAPV2
<AuthBy RADIUS>
Host roaming0.ja.net
Secret sS7n2T5f7UbsNK4
AuthPort 1812
AcctPort 1813
EAPType TLS,TTLS,pap,PEAP,MSCHAPV2
RetryTimeout 8
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
</AuthBy>
#Second NRPS
<AuthBy RADIUS>
Host roaming1.ja.net
Secret 2GFRv4y77KNa021
AuthPort 1812
AcctPort 1813
EAPType TLS,TTLS,pap,PEAP,MSCHAPV2
RetryTimeout 8
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
</AuthBy>
#Third NRPS
<AuthBy RADIUS>
Host roaming2.ja.net
Secret jc5pnRc254uj88w
AuthPort 1812
AcctPort 1813
EAPType TLS, TTLS,pap,PEAP,MSCHAPV2
RetryTimeout 8
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
</AuthBy>
</AuthBy>
AuthLog NRPSSTATS
</Handler>
But I now get these errors:
Wed Jul 9 08:08:35 2008: DEBUG: Packet dump:
*** Received from 10.101.1.11 port 1645 ....
Code: Access-Request
Identifier: 161
Authentic: i<2><187><242><7><183><218>y<129>S=<19><236>q<172><210>
Attributes:
User-Name = "ucl.ac.uk@eduroam.ac.uk"
Framed-MTU = 1400
Called-Station-Id = "0000.0c07.ac00"
Calling-Station-Id = "000c.859a.21d6"
Service-Type = Login-User
Message-Authenticator = <20>K<204><168>)<151><142>*MEFf}<170><177><211>
EAP-Message = <2><2><0><28><1>ucl.ac.uk@eduroam.ac.uk
NAS-Port-Type = Wireless-IEEE-802-11
NAS-Port = 3083124
NAS-IP-Address = 10.101.1.11
Wed Jul 9 08:08:35 2008: DEBUG: Handling request with Handler ''
Wed Jul 9 08:08:35 2008: DEBUG: Deleting session for ucl.ac.uk@eduroam.ac.uk, 10.101.1.11, 3083124
Wed Jul 9 08:08:35 2008: DEBUG: Handling with Radius::AuthGROUP:
Wed Jul 9 08:08:35 2008: DEBUG: Handling with EAP: code 2, 2, 28, 1
Wed Jul 9 08:08:35 2008: DEBUG: Response type 1
Wed Jul 9 08:08:35 2008: ERR: TLS could not load_verify_locations , :
Wed Jul 9 08:08:35 2008: DEBUG: EAP result: 1, EAP TLS Could not initialise context
Wed Jul 9 08:08:35 2008: DEBUG: AuthBy GROUP result: REJECT, EAP TLS Could not initialise context
Wed Jul 9 08:08:35 2008: INFO: Access rejected for ucl.ac.uk@eduroam.ac.uk: EAP TLS Could not initialise context
Wed Jul 9 08:08:35 2008: DEBUG: Packet dump:
*** Sending to 10.101.1.11 port 1645 ....
Code: Access-Reject
Identifier: 161
Authentic: i<2><187><242><7><183><218>y<129>S=<19><236>q<172><210>
Attributes:
Reply-Message = "Request Denied"
Any help much appreciated.
Thanks
Colin
-----------------------------------------------------------------------
Colin Byelong Email: C.Byelong@ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street Phone: 020 7679-2572
London WC1E 6BT
------------------------------------------------------------------------
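As an added example (not part of Colin's post and not Radiator code), a small Python triage script that pulls the request Identifier, User-Name realm, selected Handler and rejection reason out of debug output in the shape of the dumps above and counts rejections per handler and realm, so it is obvious whether it is the catch-all proxy Handler that is rejecting the visitor realms. The log lines inside it are constructed to match those dumps, and the realm split (everything after the last '@') is an assumption about Radiator's default behaviour.

```python
import re
from collections import Counter

# Constructed lines in the shape of the Radiator debug output quoted above (not a real capture).
SAMPLE_LOG = """\
Identifier: 151
User-Name = "ucl.ac.uk@eduroam.ac.uk"
Wed Jul 9 08:01:39 2008: DEBUG: Handling request with Handler ''
Wed Jul 9 08:01:39 2008: INFO: Access rejected for ucl.ac.uk@eduroam.ac.uk: EAP authentication is not permitted.
Identifier: 161
User-Name = "ucl.ac.uk@eduroam.ac.uk"
Wed Jul 9 08:08:35 2008: DEBUG: Handling request with Handler ''
Wed Jul 9 08:08:35 2008: INFO: Access rejected for ucl.ac.uk@eduroam.ac.uk: EAP TLS Could not initialise context
Identifier: 162
User-Name = "alice@ucl.ac.uk"
Wed Jul 9 08:09:02 2008: DEBUG: Handling request with Handler 'Realm=ucl.ac.uk, EAP-Message = /.+/'
Wed Jul 9 08:09:02 2008: INFO: Access accepted for alice@ucl.ac.uk
"""

RE_ID = re.compile(r"^Identifier: (\d+)")
RE_USER = re.compile(r'^User-Name = "([^"]*)"')
RE_HANDLER = re.compile(r"Handling request with Handler '([^']*)'")
RE_REJECT = re.compile(r"INFO: Access rejected for (\S+): (.*)$")
RE_ACCEPT = re.compile(r"INFO: Access accepted for (\S+)")

def realm_of(username):
    """Realm as assumed here: the part after the last '@', or '' when there is none."""
    return username.rsplit("@", 1)[1] if "@" in username else ""

def parse_log(text):
    """Return one dict per authentication outcome: id, user, realm, handler, result, reason."""
    events, cur = [], {}
    for line in map(str.strip, text.splitlines()):   # real dumps indent attributes with tabs
        if m := RE_ID.match(line):                    # a new packet dump starts a new record
            cur = {"id": int(m.group(1))}
        elif m := RE_USER.match(line):
            cur.update(user=m.group(1), realm=realm_of(m.group(1)))
        elif m := RE_HANDLER.search(line):
            cur["handler"] = m.group(1)               # '' is the catch-all <Handler> that proxies
        elif m := RE_REJECT.search(line):
            events.append({**cur, "result": "REJECT", "reason": m.group(2).rstrip(".")})
        elif m := RE_ACCEPT.search(line):
            events.append({**cur, "result": "ACCEPT", "reason": ""})
    return events

def reject_summary(events):
    """Count rejections by (handler, realm, reason) so a misbehaving proxy handler stands out."""
    return Counter((e.get("handler", "?"), e.get("realm", "?"), e["reason"])
                   for e in events if e["result"] == "REJECT")
```

Run it over a full debug log and any realm that only ever appears under Handler '' with an EAP reason points at the proxy group rather than at the local LDAP handlers.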