[RADIATOR] Upgrade to 4.2 problem
Hugh Irvine
hugh at open.com.au
Thu Jul 10 00:32:52 CDT 2008
Hello Colin -
Could you please try adding "NoEAP" to your AuthBy GROUP?
......
<Handler>
    <AuthBy GROUP>
        NoEAP
        AuthByPolicy ContinueUntilReject
        <AuthBy RADIUS>
            Host roaming0.ja.net
            Secret sS7n2T5f7UbsNK4
            AuthPort 1812
            AcctPort 1813
            RetryTimeout 8
            StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id, cisco-avpair
        </AuthBy>
        #Second NRPS
        <AuthBy RADIUS>
            Host roaming1.ja.net
            Secret 2GFRv4y77KNa021
            AuthPort 1812
            AcctPort 1813
            Retries 3
            RetryTimeout 8
            StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id, cisco-avpair
        </AuthBy>
        #Third NRPS
        <AuthBy RADIUS>
            Host roaming2.ja.net
            Secret jc5pnRc254uj88w
            AuthPort 1812
            AcctPort 1813
            Retries 3
            RetryTimeout 8
            StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id, cisco-avpair
        </AuthBy>
    </AuthBy>
    AuthLog NRPSSTATS
</Handler>
I would also suggest using a single AuthBy RADIUS clause with
multiple <Host ...> entries, rather than multiple AuthBy RADIUS
clauses as you currently do.
See section 5.30 in the Radiator 4.2 reference manual ("doc/ref.pdf").
regards
Hugh
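An added example for this archive page, not code from Hugh, Colin or the Radiator distribution: a small Python checker that encodes the two rejects in the trace below and the shape of the suggested fix. It parses Radiator-style nested clauses and reports an AuthBy GROUP that wraps proxying AuthBy RADIUS clauses without NoEAP (in the trace the GROUP handled the EAP-Message itself and rejected with "EAP authentication is not permitted"), sibling AuthBy RADIUS clauses that could be one clause with <Host> entries, and an EAPType naming TLS/TTLS/PEAP with no EAPTLS_CertificateFile (the "TLS could not load_verify_locations" error from the second attempt). The two sample configs in the block are constructed for the example: the hostnames are the NRPS names from the thread, the secrets are placeholders, and the FIXED sample assumes, as the Radiator reference manual describes for AuthBy RADIUS, that a <Host> clause takes AuthPort, AcctPort, Retries and RetryTimeout defaults from its enclosing AuthBy RADIUS.

```python
"""Added example (not code from the thread or from Radiator): lint a Radiator
config fragment for the proxy-handler shape discussed in this reply.  It reports
GROUP-NOEAP, GROUP-HOSTS and EAP-CERT findings, matching the two rejects in the
trace and the one-AuthBy-RADIUS-with-<Host>-entries suggestion.  The sample
configs at the bottom are constructed for this example; secrets are placeholders.
"""
import re

OPEN, CLOSE = re.compile(r"^<(\w+)\s*([^>]*)>$"), re.compile(r"^</(\w+)>$")
TLS_EAP = {"TLS", "TTLS", "PEAP"}   # EAP types that need a server certificate

class Clause:
    def __init__(self, name, arg="", parent=None):
        self.name, self.arg, self.parent = name, arg, parent
        self.params, self.children = {}, []   # flags such as NoEAP map to ""

def parse(text):
    """Build the clause tree; raise ValueError on a mismatched or unclosed clause."""
    root = cur = Clause("ROOT")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN.match(line):
            cur.children.append(Clause(m.group(1), m.group(2).strip(), cur))
            cur = cur.children[-1]
        elif m := CLOSE.match(line):
            if m.group(1) != cur.name:
                raise ValueError(f"</{m.group(1)}> closes <{cur.name}>")
            cur = cur.parent
        else:
            key, *rest = line.split(None, 1)
            cur.params[key] = rest[0].strip() if rest else ""
    if cur is not root:
        raise ValueError(f"unclosed <{cur.name}>")
    return root

def walk(node):
    yield node
    for child in node.children:
        yield from walk(child)

def lint(text):
    """Return finding strings for a config fragment; an empty list means clean."""
    findings = []
    for n in walk(parse(text)):
        if n.name != "AuthBy":
            continue
        if n.arg.upper() == "GROUP":
            proxies = [c for c in n.children if c.name == "AuthBy" and c.arg.upper() == "RADIUS"]
            if proxies and "NoEAP" not in n.params:
                findings.append("GROUP-NOEAP: AuthBy GROUP proxies via AuthBy RADIUS but lacks NoEAP")
            if len(proxies) > 1:
                hosts = ", ".join(p.params.get("Host", "?") for p in proxies)
                findings.append(f"GROUP-HOSTS: merge {len(proxies)} AuthBy RADIUS into <Host> entries for {hosts}")
        eap = {t.strip().upper() for t in n.params.get("EAPType", "").split(",")} & TLS_EAP
        if eap and "EAPTLS_CertificateFile" not in n.params:
            findings.append(f"EAP-CERT: AuthBy {n.arg} sets EAPType {sorted(eap)} without EAPTLS_CertificateFile")
    return findings

# Constructed: the failing 4.2 handler, with the EAPType tried in the second attempt.
BROKEN = """
<Handler>
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilReject
        <AuthBy RADIUS>
            Host roaming0.ja.net
            Secret EXAMPLE-SECRET-0
            EAPType TLS,TTLS,pap,PEAP,MSCHAPV2
        </AuthBy>
        <AuthBy RADIUS>
            Host roaming1.ja.net
            Secret EXAMPLE-SECRET-1
        </AuthBy>
    </AuthBy>
</Handler>
"""

# Constructed: NoEAP on the GROUP, one AuthBy RADIUS, one <Host> per NRPS.
FIXED = """
<Handler>
    <AuthBy GROUP>
        NoEAP
        <AuthBy RADIUS>
            AuthPort 1812
            AcctPort 1813
            Retries 3
            RetryTimeout 8
            StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
            <Host roaming0.ja.net>
                Secret EXAMPLE-SECRET-0
            </Host>
            <Host roaming1.ja.net>
                Secret EXAMPLE-SECRET-1
            </Host>
        </AuthBy>
    </AuthBy>
    AuthLog NRPSSTATS
</Handler>
"""

if __name__ == "__main__":
    print(lint(BROKEN), lint(FIXED))
```

Run it as a script and it prints three findings for BROKEN and an empty list for FIXED. The checker looks only at clause shape and parameter names; it does not validate directives against the reference manual, so treat a finding as a pointer to the section Hugh cites rather than a verdict.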
On 9 Jul 2008, at 18:16, Colin Byelong wrote:
> Hi,
>
> We have had a working Radiator for some time now; it authenticates
> our eduroam service for staff here at UCL and for visitors.
> The staff use either PAP or EAP-TTLS; visitors get proxied to their
> home institutions.
>
> At the moment we are running 3.16; when I try to upgrade to 4.2
> the visitor part stops working.
> Here's the config and error messages:
>
> #
> #Logfile for local users
> <AuthLog FILE>
> Identifier LOCALUSERS
> Filename %L/localusers.%Y-%m-%d.log
> SuccessFormat :%l:%o %T from %u at %N:OK
> FailureFormat :%l:%o %T from %u at %N:FAIL
> LogSuccess 1
> LogFailure 1
> </AuthLog>
> #
> #Logfile for local pap
> <AuthLog FILE>
> Identifier UCL_PAP
> Filename %L/UCLPAP.%Y-%m-%d.log
> SuccessFormat :%l:%o %T from %u at %N:OK
> FailureFormat :%l:%o %T from %u at %N:FAIL
> LogSuccess 1
> LogFailure 1
> </AuthLog>
> #
> #
>
> <Client roaming0.ja.net>
> Secret <Removed>
> StatusServerShowClientDetails
> Identifier NRPS
> StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id, cisco-avpair
> NoIgnoreDuplicates Accounting-Request
> </Client>
> #
> #
> #
> #
> <Client roaming1.ja.net>
> Secret <Removed>
> StatusServerShowClientDetails
> Identifier NRPS
> StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id, cisco-avpair
> NoIgnoreDuplicates Accounting-Request
> </Client>
> #
> #
> <Client roaming2.ja.net>
> Secret <Removed>
> StatusServerShowClientDetails
> Identifier NRPS
> StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id, cisco-avpair
> NoIgnoreDuplicates Accounting-Request
> </Client>
>
> #
> <Client localhost>
> Secret <Removed>
> DupInterval 0
> </Client>
> #
>
> #
> #
> #
> #
> #
> #
> <Client DEFAULT>
> Secret <Removed>
> DupInterval 2
> StatusServerShowClientDetails
> </Client>
> #
> #Handlers with authentication
> <Handler TunnelledByTTLS=1>
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
> AcctLogFileName %L/ucl-detail.%m%y
> <AuthBy LDAP2>
> # Identifier UCL
> Host uclusers-dc1.uclusers.ucl.ac.uk
>
> # Microsoft AD also listens on port 3268, and
> # requests received on that port are reported to be
> # more compliant with standard LDAP, so you may want to use:
> # Port 3268
>
> AuthDN cn=locindnet,ou=System Users,dc=uclusers,dc=ucl,dc=ac,dc=uk
> # AuthPassword yourADadminpasswordhere
> AuthPassword <Removed>
> BaseDN ou=departments,dc=uclusers,dc=ucl,dc=ac,dc=uk
> ServerChecksPassword
> EAPType MSCHAP-V2,TTLS,PAP,PEAP
> UsernameAttr sAMAccountName
> # EncryptedPasswordAttr sn
> #
> # AuthAttrDef logonHours,MS-Login-Hours,check
>
>
> </AuthBy>
> #
> #
> #
> AuthLog LOCALUSERS
> </Handler>
> #
> #
>
> #
> #
> #EAPOUTER
> <Handler Realm=ucl.ac.uk, EAP-Message = /.+/>
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
> AcctLogFileName %L/ucl-detail.eapout.%m%y
> <AuthBy FILE>
> Filename %D/users
> EAPType TTLS,pap,PEAP,MSCHAP-V2
> EAPTLS_CAFile %D/cacert.pem
> EAPTLS_CertificateFile %D/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/rsa.key
> EAPTLS_MaxFragmentSize 1500
> AutoMPPEKeys
> EAPAnonymous anonymous
> </AuthBy>
> </Handler>
> #
> #
> #Non EAP
> <Handler Realm=ucl.ac.uk>
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
> AcctLogFileName %L/ucl-detailplain.%m%y
> <AuthBy LDAP2>
> # Identifier UCL
> Host uclusers-dc1.uclusers.ucl.ac.uk
>
> # Microsoft AD also listens on port 3268, and
> # requests received on that port are reported to be
> # more compliant with standard LDAP, so you may want to use:
> # Port 3268
>
> AuthDN cn=locindnet,ou=System Users,dc=uclusers,dc=ucl,dc=ac,dc=uk
> # AuthPassword yourADadminpasswordhere
> AuthPassword <Removed>
> BaseDN ou=departments,dc=uclusers,dc=ucl,dc=ac,dc=uk
> ServerChecksPassword
> UsernameAttr sAMAccountName
> # EncryptedPasswordAttr sn
> #
> # AuthAttrDef logonHours,MS-Login-Hours,check
>
>
> </AuthBy>
> AcctLogFileName %L/detail
> AuthLog UCL_PAP
> </Handler>
> #
> #
> #
> #Send Everything else to the NRPS
> #
> #
> #Handler for users with no realm
> <Handler Realm = "">
> <AuthBy INTERNAL>
> DefaultResult REJECT
> </AuthBy>
> AuthLog AUTH-DENY-NOREALM
> </Handler>
> #
> #
> <Handler>
> <AuthBy GROUP>
> AuthByPolicy ContinueUntilReject
> <AuthBy RADIUS>
> Host roaming0.ja.net
> Secret sS7n2T5f7UbsNK4
> AuthPort 1812
> AcctPort 1813
> RetryTimeout 8
> StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id, cisco-avpair
> </AuthBy>
> #Second NRPS
> <AuthBy RADIUS>
> Host roaming1.ja.net
> Secret 2GFRv4y77KNa021
> AuthPort 1812
> AcctPort 1813
> Retries 3
> RetryTimeout 8
> StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id, cisco-avpair
> </AuthBy>
> #Third NRPS
> <AuthBy RADIUS>
> Host roaming2.ja.net
> Secret jc5pnRc254uj88w
> AuthPort 1812
> AcctPort 1813
> Retries 3
> RetryTimeout 8
> StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id, cisco-avpair
> </AuthBy>
> </AuthBy>
> AuthLog NRPSSTATS
> </Handler>
> #
> #
>
> With this config we have been able to authenticate UCL users and
> proxy visitors.
>
> When I upgrade to 4.2 I can authenticate UCL users but not visitors.
>
> Wed Jul 9 08:01:39 2008: DEBUG: Packet dump:
> *** Received from 10.101.1.11 port 1645 ....
> Code: Access-Request
> Identifier: 151
> Authentic: <198>#E<247>o<163>c<174><198>~<224>_#k<224>S
> Attributes:
> User-Name = "ucl.ac.uk@eduroam.ac.uk"
> Framed-MTU = 1400
> Called-Station-Id = "0000.0c07.ac00"
> Calling-Station-Id = "000c.859a.21d6"
> Service-Type = Login-User
> Message-Authenticator = <161><234><1><198><129>W<20>+<167><30><243><249><246><31><157><184>
> EAP-Message = <2><2><0><28><1>ucl.ac.uk@eduroam.ac.uk
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 3083104
> NAS-IP-Address = 10.101.1.11
>
> Wed Jul 9 08:01:39 2008: DEBUG: Handling request with Handler ''
> Wed Jul 9 08:01:39 2008: DEBUG: Deleting session for ucl.ac.uk@eduroam.ac.uk, 10.101.1.11, 3083104
> Wed Jul 9 08:01:39 2008: DEBUG: Handling with Radius::AuthGROUP:
> Wed Jul 9 08:01:39 2008: DEBUG: Handling with EAP: code 2, 2, 28, 1
> Wed Jul 9 08:01:39 2008: DEBUG: Response type 1
> Wed Jul 9 08:01:39 2008: DEBUG: EAP result: 1, EAP authentication is not permitted.
> Wed Jul 9 08:01:39 2008: DEBUG: AuthBy GROUP result: REJECT, EAP authentication is not permitted.
> Wed Jul 9 08:01:39 2008: INFO: Access rejected for ucl.ac.uk@eduroam.ac.uk: EAP authentication is not permitted.
> Wed Jul 9 08:01:39 2008: DEBUG: Packet dump:
> *** Sending to 10.101.1.11 port 1645 ....
> Code: Access-Reject
> Identifier: 151
> Authentic: <198>#E<247>o<163>c<174><198>~<224>_#k<224>S
> Attributes:
> Reply-Message = "Request Denied"
>
> The same config worked in 3.16; has something changed?
>
> I tried adding EAPTypes:
>
> <Handler>
> <AuthBy GROUP>
> AuthByPolicy ContinueUntilReject
> EAPType TLS,TTLS,pap,PEAP,MSCHAPV2
> <AuthBy RADIUS>
> Host roaming0.ja.net
> Secret sS7n2T5f7UbsNK4
> AuthPort 1812
> AcctPort 1813
> EAPType TLS,TTLS,pap,PEAP,MSCHAPV2
> RetryTimeout 8
> StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id, cisco-avpair
> </AuthBy>
> #Second NRPS
> <AuthBy RADIUS>
> Host roaming1.ja.net
> Secret 2GFRv4y77KNa021
> AuthPort 1812
> AcctPort 1813
> EAPType TLS,TTLS,pap,PEAP,MSCHAPV2
> RetryTimeout 8
> StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id, cisco-avpair
> </AuthBy>
> #Third NRPS
> <AuthBy RADIUS>
> Host roaming2.ja.net
> Secret jc5pnRc254uj88w
> AuthPort 1812
> AcctPort 1813
> EAPType TLS, TTLS,pap,PEAP,MSCHAPV2
> RetryTimeout 8
> StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id, cisco-avpair
> </AuthBy>
> </AuthBy>
> AuthLog NRPSSTATS
> </Handler>
>
>
> But I now get these errors:
>
> Wed Jul 9 08:08:35 2008: DEBUG: Packet dump:
> *** Received from 10.101.1.11 port 1645 ....
> Code: Access-Request
> Identifier: 161
> Authentic: i<2><187><242><7><183><218>y<129>S=<19><236>q<172><210>
> Attributes:
> User-Name = "ucl.ac.uk@eduroam.ac.uk"
> Framed-MTU = 1400
> Called-Station-Id = "0000.0c07.ac00"
> Calling-Station-Id = "000c.859a.21d6"
> Service-Type = Login-User
> Message-Authenticator = <20>K<204><168>)<151><142>*MEFf}<170><177><211>
> EAP-Message = <2><2><0><28><1>ucl.ac.uk@eduroam.ac.uk
> NAS-Port-Type = Wireless-IEEE-802-11
> NAS-Port = 3083124
> NAS-IP-Address = 10.101.1.11
>
> Wed Jul 9 08:08:35 2008: DEBUG: Handling request with Handler ''
> Wed Jul 9 08:08:35 2008: DEBUG: Deleting session for ucl.ac.uk@eduroam.ac.uk, 10.101.1.11, 3083124
> Wed Jul 9 08:08:35 2008: DEBUG: Handling with Radius::AuthGROUP:
> Wed Jul 9 08:08:35 2008: DEBUG: Handling with EAP: code 2, 2, 28, 1
> Wed Jul 9 08:08:35 2008: DEBUG: Response type 1
> Wed Jul 9 08:08:35 2008: ERR: TLS could not load_verify_locations , :
> Wed Jul 9 08:08:35 2008: DEBUG: EAP result: 1, EAP TLS Could not initialise context
> Wed Jul 9 08:08:35 2008: DEBUG: AuthBy GROUP result: REJECT, EAP TLS Could not initialise context
> Wed Jul 9 08:08:35 2008: INFO: Access rejected for ucl.ac.uk@eduroam.ac.uk: EAP TLS Could not initialise context
> Wed Jul 9 08:08:35 2008: DEBUG: Packet dump:
> *** Sending to 10.101.1.11 port 1645 ....
> Code: Access-Reject
> Identifier: 161
> Authentic: i<2><187><242><7><183><218>y<129>S=<19><236>q<172><210>
> Attributes:
> Reply-Message = "Request Denied"
>
>
> Any help much appreciated.
>
> Thanks
>
> Colin
>
> -----------------------------------------------------------------------
>
>
> Colin Byelong Email: C.Byelong at ucl.ac.uk
> Senior Network Development Officer
> Network Group
> Information Systems Division
> University College London
> Gower Street Phone: 020 7679-2572
> London WC1E 6BT
> ------------------------------------------------------------------------
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.