[RADIATOR] (RADIATOR) AuthBy LSA Error when using groups
Hugh Irvine
hugh at open.com.au
Thu Jun 26 20:12:02 CDT 2008
Hello Kristof -
Thanks for your mail.
The debug you sent shows an error in the AuthBy FILE clause in the
default Handler:
......
Thu Jun 26 09:54:26 2008: DEBUG: Packet dump:
*** Received from 10.223.143.54 port 32769 ....
Code: Access-Request
Identifier: 105
Authentic:
<173><181><173>qD<186><243>1<151><13><200>s<248><209><165><171>
Attributes:
User-Name = "XPP243"
Calling-Station-Id = "00-13-E8-58-43-A9"
Called-Station-Id = "00-19-07-8C-8E-C0:tcm-work"
NAS-Port = 1
NAS-IP-Address = 10.223.143.54
NAS-Identifier = "wlan1"
Airespace-WLAN-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 10
EAP-Message = <2><7><0><144><25><0><23><3><1><0> <151><21>~<176>,|
Zy<231><180><163>=7<14>A<130>L<219><188><178>]<160><23><166><235>1
[<189>Mtq<155><23><3><1><0>`k
{<215><200><163><25><247><235>S<189>o<13><164>S%0<2>]<188><216>}
<160><227>E<0><192><197><201>!W<214><224><<28><151>N<238>v
$g0<205><225>U<143>R<253>Vl<160>t^K<15>u<26>&<148>f<4>.<143><230><244>)<
9><225>2jt<27><160><182><195><31>/<190><242>9gJ
s^<23><193><178>7<3><170><189><29><4>=R<217>
Message-Authenticator =
<15><212><183><131><14>v<238><254><215><15><<227>&g<170><162>
Thu Jun 26 09:54:26 2008: DEBUG: Handling request with Handler ''
Thu Jun 26 09:54:26 2008: DEBUG: Deleting session for XPP243, 10.223.143.54, 1
Thu Jun 26 09:54:26 2008: DEBUG: Handling with Radius::AuthFILE:
Thu Jun 26 09:54:26 2008: DEBUG: Handling with EAP: code 2, 7, 144, 25
Thu Jun 26 09:54:26 2008: DEBUG: Response type 25
Thu Jun 26 09:54:26 2008: ERR: EAP PEAP TLS read failed: 2480: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Thu Jun 26 09:54:26 2008: DEBUG: EAP result: 1, EAP PEAP TLS read failed
Thu Jun 26 09:54:26 2008: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS read failed
Thu Jun 26 09:54:26 2008: INFO: Access rejected for XPP243: EAP PEAP TLS read failed
Thu Jun 26 09:54:26 2008: DEBUG: Packet dump:
*** Sending to 10.223.143.54 port 32769 ....
Code: Access-Reject
Identifier: 105
Authentic:
<173><181><173>qD<186><243>1<151><13><200>s<248><209><165><171>
Attributes:
Reply-Message = "Request Denied"
This doesn't have anything to do with a Group specification in the
AuthBy LSA clause.
Can you please send a more complete debug showing both success
without Groups and failure with Groups?
regards
Hugh
On 26 Jun 2008, at 19:58, <kristof.vandenouweland at thomsonreuters.com> wrote:
> Hi All,
>
> We've successfully set up a configuration for Radiator using
> PEAP/MSCHAPV2 and then LSA
>
> Now the strange thing is, from the moment we add the Group property to
> the LSA authentication to check whether the user is in a group and so
> may connect, the response given back seems to be wrong and causes a TLS
> READ error (see log) which results in a REJECTED message
>
> I've tried non-existing groups to see whether he can detect them, which
> then adds the following lines:
>
> Thu Jun 26 09:45:47 2008: DEBUG: Radius::AuthLSA looks for match with TLR\u0093289 [TLR\u0093289]
> Thu Jun 26 09:45:52 2008: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: TLR\u0093289 [TLR\u0093289]
> Thu Jun 26 09:45:52 2008: DEBUG: AuthBy LSA result: REJECT, AuthBy LSA User is not a member of any Group
> Thu Jun 26 09:45:52 2008: INFO: Access rejected for TLR\u0093289: AuthBy LSA User is not a member of any Group
>
> and then results in a REJECTED, which is of course normal. (Just to
> point out that he can detect groups)
>
> Rejection message encountered:
>
> Thu Jun 26 09:45:52 2008: DEBUG: EAP TLS SSL_accept result: -1, 1, 8465
> Thu Jun 26 09:45:53 2008: ERR: EAP TLS error: -1, 1, 8465, 2832: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
>
> Thu Jun 26 09:45:53 2008: DEBUG: EAP result: 1, EAP PEAP TLS error
> Thu Jun 26 09:45:53 2008: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS error
> Thu Jun 26 09:45:53 2008: INFO: Access rejected for XPP243: EAP PEAP TLS error
>
>
> If we remove the groups, everything is back to normal and functions
> fine.
>
>
> Did someone encounter this problem and found a solution?
>
> Much appreciated
>
> See config below and log in attachment
>
> Kind regards,
> With kind regards,
>
> Kristof Van Den Ouweland
> -----------------------------------------------------------------------------------------------
>
> DbDir %D
> Trace 4
> LogStdout
> AuthPort 1812
> AcctPort 1813
> LogFile c:\Radiator\logs\%Y-%m-logfile.log
> PidFile %D/radiusd.pid
> DictionaryFile c:\Radiator\dictionary
>
> <Client 10.223.143.54>
>         Secret somehting
>         DupInterval 0
> </Client>
>
> <Client LOCALHOST>
>         Secret somethingelse
>         DupInterval 0
>         Identifier LOCALHOST
> </Client>
>
> <AuthLog FILE>
>         Identifier logger1
>         Filename c:\Radiator\authenticationlogs\%Y-%m-authlog.log
>         LogSuccess 1
>         LogFailure 1
> </AuthLog>
>
> <Handler Client-Identifier=LOCALHOST>
>         # Connection to LDAP Thomson TLR AD
>         <AuthBy LSA>
>                 #EAPType MSCHAP-v2
>
>                 # Only users in these groups are allowed to have access to the WLAN
>                 #Group CME-grpDomainAdmins
>                 #Group CME-grpWLANAccess
>         </AuthBy>
> </Handler>
>
> <Handler ConvertedFromEAPMSCHAPV2=1>
>         <AuthBy RADIUS>
>                 Host localhost
>                 Secret somethingelse
>                 AuthPort 1812
>                 AcctPort 1813
>                 StripFromRequest ConvertedFromEAPMSCHAPV2
>         </AuthBy>
> </Handler>
>
> <Handler TunnelledByPEAP=1>
>         <AuthBy FILE>
>                 EAPType MSCHAP-V2
>                 EAP_PEAP_MSCHAP_Convert 1
>         </AuthBy>
> </Handler>
>
> <Handler>
>         <AuthBy FILE>
>                 Filename c:/Radiator/users
>                 EAPType PEAP, TTLS
>                 EAPTLS_CAFile c:/Radiator/certificates/demoCA/cacert.pem
>                 EAPTLS_CertificateFile c:/Radiator/certificates/signed-newcert.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile c:/Radiator/certificates/newkey.pem
>                 EAPTLS_PrivateKeyPassword somethingdifferent
>                 EAPTLS_MaxFragmentSize 2048
>                 EAPAnonymous anonymous
>                 EAPTLS_PEAPVersion 0
>                 RejectEmptyPassword
>                 EAPTLS_PEAPBrokenV1Label
>         </AuthBy>
>
>         AuthLog logger1
> </Handler>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
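As an added illustration of the point made in the reply above (this is not code from the thread or from Radiator itself): a small Python script that scans Trace 4 log lines and attributes each "Access rejected" to the AuthBy clause whose REJECT immediately preceded it, so an outer PEAP/TLS failure reported by the AuthBy FILE handler is not mistaken for an AuthBy LSA group rejection. The log lines are constructed in the same format as the thread's; the user names TLR\alice and XPP244 and the timestamps are made up.

```python
import re

# Constructed sample in Radiator Trace 4 format (modelled on the thread's log lines;
# user names and timestamps are made up): one inner LSA group rejection, one outer
# PEAP/TLS failure reported by the AuthBy FILE handler, and one accept.
SAMPLE_LOG = """\
Thu Jun 26 09:45:52 2008: DEBUG: AuthBy LSA result: REJECT, AuthBy LSA User is not a member of any Group
Thu Jun 26 09:45:52 2008: INFO: Access rejected for TLR\\alice: AuthBy LSA User is not a member of any Group
Thu Jun 26 09:54:26 2008: ERR: EAP PEAP TLS read failed: 2480: 1 - error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Thu Jun 26 09:54:26 2008: DEBUG: AuthBy FILE result: REJECT, EAP PEAP TLS read failed
Thu Jun 26 09:54:26 2008: INFO: Access rejected for XPP243: EAP PEAP TLS read failed
Thu Jun 26 09:55:01 2008: DEBUG: AuthBy LSA result: ACCEPT
Thu Jun 26 09:55:01 2008: INFO: Access accepted for XPP244
"""

# "<timestamp>: <LEVEL>: <message>" as Radiator writes it at Trace 4
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d+ [\d:]+ \d{4}): (?P<level>\w+): (?P<msg>.*)$")
RESULT_RE = re.compile(r"^AuthBy (?P<authby>\w+) result: (?P<verdict>\w+)(?:, (?P<reason>.*))?$")
REJECT_RE = re.compile(r"^Access rejected for (?P<user>\S+): (?P<reason>.*)$")

def classify(reason):
    """Which layer produced the reject: the outer PEAP/TLS tunnel or the inner LSA group check."""
    if "TLS" in reason:
        return "outer-tls"
    if "not a member of any Group" in reason:
        return "inner-group"
    return "other"

def analyze(log_text):
    """Map each rejected user to (AuthBy clause, layer, reason), attributing the
    rejection to the most recent 'AuthBy <X> result: REJECT' line before it."""
    last_reject = None
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # packet dumps and wrapped continuation lines carry no verdict
        msg = m.group("msg")
        r = RESULT_RE.match(msg)
        if r:
            last_reject = (r.group("authby"), r.group("reason") or "") if r.group("verdict") == "REJECT" else None
            continue
        j = REJECT_RE.match(msg)
        if j:
            authby = last_reject[0] if last_reject else "unknown"
            findings[j.group("user")] = (authby, classify(j.group("reason")), j.group("reason"))
            last_reject = None
    return findings
```

Running `analyze(SAMPLE_LOG)` attributes XPP243's rejection to AuthBy FILE (outer-tls) and TLR\alice's to AuthBy LSA (inner-group), which is the distinction the reply draws.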