(RADIATOR) Lost AddToReply Reply-Message value
Jhonny Freire de Oliveira
joliveira at nic.ul.pt
Wed Mar 5 10:22:27 CST 2008
Hi,
Consider the following configuration. I'm using the latest version and patches available on your site on the 22nd of February of 2008.
#####################################################################
...
<Handler TunnelledByTTLS=1>
    <AuthBy NTLM>
        UsernameFormat %U
        DomainFormat %R
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>
<Handler Realm = /domain\.net\.tst$/i>
    <AuthBy LDAP2>
        Host ip1 ip2
        Port 389
        AuthDN CN=Radiator Service,OU=eU,OU=Services,DC=net,DC=tst
        AuthPassword XXXXXXX
        BaseDN OU=Teste,OU=Other,DC=domain,DC=net,DC=tst
        ServerChecksPassword
        UsernameAttr userPrincipalName
        AuthAttrDef logonHours,MS-Login-Hours,check
        AuthAttrDef department,department,request
        AddToReply Reply-Message=Group_TEST:%{department}
        EAPType PEAP,TTLS
        EAPTLS_CAFile /etc/radiator/certs/demoCA/ca.crt
        EAPTLS_CertificateFile /etc/radiator/certs/server.crt
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/certs/server.key
        EAPTLS_PrivateKeyPassword XXXXXXXXXXX
        EAPTLS_MaxFragmentSize 1000
        EAPAnonymous %0
        AutoMPPEKeys
        SSLeayTrace 4
        EAPTLS_PEAPVersion 0
    </AuthBy>
    AcctLogFileName %L/%R-%m-%Y.detail
</Handler>
...
#####################################################################
When I run the following I get the correct result:
--------------------------------------------------------------------------------------------------------------
# radpwtst -trace 4 -s localhost -secret teste -auth_port 1812 -acct_port 1813 -noacct -user test1@domain.net.tst -password XXXXXXXXXXX
Fri Feb 22 17:00:37 2008: DEBUG: Reading dictionary file './dictionary'
sending Access-Request...
Fri Feb 22 17:00:37 2008: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1812 ....
Code: Access-Request
Identifier: 187
Authentic: <253><175><252><155><245><209>dn<154><2><196><135>b<230>t<204>
Attributes:
User-Name = "test1@domain.net.tst"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password = <3><2>R<214><242><26> %x<134>(<244><192><206><149>J
Fri Feb 22 17:00:37 2008: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1812 ....
Code: Access-Accept
Identifier: 187
Authentic: <216>B)r6w<234> j"<1><19><235><182>*<30>
Attributes:
Reply-Message = "Group_TEST:yes"
OK
--------------------------------------------------------------------------------------------------------------
If I try to authenticate the same user with another client using TTLS, the department attribute is empty.
.....................................................................................................................................................................
...
Fri Feb 22 17:34:38 2008: DEBUG: EAP result: 0, EAP TTLS inner authentication redespatched to a Handler
Fri Feb 22 17:34:38 2008: DEBUG: AuthBy LDAP2 result: ACCEPT, EAP TTLS inner authentication redespatched to a Handler
Fri Feb 22 17:34:38 2008: DEBUG: Access accepted for test1@domain.net.tst
Fri Feb 22 17:34:38 2008: DEBUG: Packet dump:
*** Sending to 194.117.1.196 port 33183 ....
Code: Access-Accept
Identifier: 7
Authentic: u<236><206>.<209>\5v<250><250><172><253><9>m<184><135>
Attributes:
Reply-Message = "Group_TEST:"
MS-MPPE-Send-Key = <207><6><185>5<192><1><243><180><128><4><232>8<230><6><141><<214><154><146>o<195><10><184>TK<234><244>e<143><235><7><186><232><226>d<156>[<150>Bo<153><217><139><8><165><230>v%<1>9
...
.....................................................................................................................................................................
Why is this happening? How can I fix this?
Regards,
____________________________________________________________________
Jhonny Freire Oliveira Núcleo de Informática e Comunicações da UL
joliveira at nic.ul.pt Reitoria da UL, Alameda da Universidade
Tel: +351 210170194 Campo Grande - 1649-004 Lisboa, Portugal