(RADIATOR) Lost AddToReply Reply-Message value
Hugh Irvine
hugh at open.com.au
Wed Mar 5 16:03:10 CST 2008
Hello Jhonny -
This has to do with the different processing of EAP requests and
"normal" requests.
In the case below, a normal request is processed by the AuthBy LDAP2
clause with a query sent to the LDAP server and the AuthAttrDef's
evaluated.
In the EAP case, the AuthBy LDAP2 clause is only a placeholder which
is only used for the establishment of the EAP tunnel - the LDAP
server is not queried. When the EAP "inner" request is received it is
passed to the <Handler TunnelledByTTLS=1> clause and it is processed
by the AuthBy NTLM clause.
See my other mail for additional comments.
regards
Hugh
On 6 Mar 2008, at 03:22, Jhonny Freire de Oliveira wrote:
> Hi,
>
> Consider the following configuration. I’m using the latest version
> and patches available on your site on the 22nd of February of 2008.
>
> #####################################################################
> …
>
> <Handler TunnelledByTTLS=1>
> <AuthBy NTLM>
> UsernameFormat %U
> DomainFormat %R
> EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
>
> <Handler Realm = /domain\.net\.tst$/i>
> <AuthBy LDAP2>
> Host ip1 ip2
> Port 389
> AuthDN CN=Radiator Service,OU=eU,OU=Services,DC=net,DC=tst
> AuthPassword XXXXXXX
> BaseDN OU=Teste,OU=Other,DC=domain,DC=net,DC=tst
>
> ServerChecksPassword
> UsernameAttr userPrincipalName
> AuthAttrDef logonHours,MS-Login-Hours,check
> AuthAttrDef department,department,request
> AddToReply Reply-Message=Group_TEST:%{department}
>
> EAPType PEAP,TTLS
> EAPTLS_CAFile /etc/radiator/certs/demoCA/ca.crt
> EAPTLS_CertificateFile /etc/radiator/certs/server.crt
> EAPTLS_CertificateType PEM
>
> EAPTLS_PrivateKeyFile /etc/radiator/certs/server.key
> EAPTLS_PrivateKeyPassword XXXXXXXXXXX
>
> EAPTLS_MaxFragmentSize 1000
> EAPAnonymous %0
>
> AutoMPPEKeys
> SSLeayTrace 4
> EAPTLS_PEAPVersion 0
> </AuthBy>
>
> AcctLogFileName %L/%R-%m-%Y.detail
> </Handler>
>
> …
> #####################################################################
>
> When I run the following I get the correct result:
>
> --------------------------------------------------------------------------------------------------------------------------
> # radpwtst -trace 4 -s localhost -secret teste -auth_port 1812 -acct_port 1813 -noacct -user test1 at domain.net.tst -password XXXXXXXXXXX
> Fri Feb 22 17:00:37 2008: DEBUG: Reading dictionary file './dictionary'
> sending Access-Request...
> Fri Feb 22 17:00:37 2008: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1812 ....
> Code: Access-Request
> Identifier: 187
> Authentic: <253><175><252><155><245><209>dn<154><2><196><135>b<230>t<204>
> Attributes:
> User-Name = " test1 at domain.net.tst "
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = <3><2>R<214><242><26> %x<134>(<244><192><206><149>J
>
> Fri Feb 22 17:00:37 2008: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1812 ....
> Code: Access-Accept
> Identifier: 187
> Authentic: <216>B)r6w<234> j"<1><19><235><182>*<30>
> Attributes:
> Reply-Message = "Group_TEST:yes"
>
> OK
> --------------------------------------------------------------------------------------------------------------------------
>
> If I try to authenticate the same user with another client using
> TTLS, the department attribute comes back empty.
>
> ………………………………………………………………………………………………………………………………………………...
> …
> Fri Feb 22 17:34:38 2008: DEBUG: EAP result: 0, EAP TTLS inner authentication redespatched to a Handler
> Fri Feb 22 17:34:38 2008: DEBUG: AuthBy LDAP2 result: ACCEPT, EAP TTLS inner authentication redespatched to a Handler
> Fri Feb 22 17:34:38 2008: DEBUG: Access accepted for test1 at domain.net.tst
> Fri Feb 22 17:34:38 2008: DEBUG: Packet dump:
> *** Sending to 194.117.1.196 port 33183 ....
> Code: Access-Accept
> Identifier: 7
> Authentic: u<236><206>.<209>\5v<250><250><172><253><9>m<184><135>
> Attributes:
> Reply-Message = "Group_TEST:"
> MS-MPPE-Send-Key =
> <207><6><185>5<192><1><243><180><128><4><232>8<230><6><141><<214><154>
> <146>o<195><10><184>TK<234><244>e<143><235><7><186><232><226>d<156>
> [<150>Bo<153><217><139><8><165><230>v%<1>9
> …
> ………………………………………………………………………………………………………………………………………………...
>
> Why is this happening? How can I fix this?
>
> Regards,
> ____________________________________________________________________
> Jhonny Freire Oliveira
> Núcleo de Informática e Comunicações da UL
> Reitoria da UL, Alameda da Universidade
> Campo Grande – 1649-004 Lisboa, Portugal
> joliveira at nic.ul.pt
> Tel: +351 210170194
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
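An added configuration sketch illustrating Hugh's explanation; it is not from the thread above, from his other mail, or from Radiator's documentation. Because the outer AuthBy LDAP2 only sets up the TTLS/PEAP tunnel, the attribute lookup that feeds Reply-Message has to live in the Handler that authenticates the inner request. The inner Handler below chains the existing AuthBy NTLM with a second AuthBy LDAP2 that only fetches the attribute; `AuthByPolicy ContinueWhileAccept` and `NoCheckPassword` are assumed to behave as in the Radiator reference manual, this chaining is untested, and hosts, DNs and passwords are placeholders copied from the quoted config.

```text
# Inner (tunnelled) request: this is the clause that really authenticates,
# so the LDAP lookup and the reply attribute must be here, not in the outer
# AuthBy LDAP2 that only builds the tunnel.
<Handler TunnelledByTTLS=1>
	# Keep calling the next AuthBy while the previous one accepted
	AuthByPolicy ContinueWhileAccept

	# Step 1: password check against the domain (unchanged from the post)
	<AuthBy NTLM>
		UsernameFormat %U
		DomainFormat %R
		EAPType MSCHAP-V2
	</AuthBy>

	# Step 2: attribute lookup only; NTLM has already verified the password
	<AuthBy LDAP2>
		Host ip1 ip2
		Port 389
		AuthDN CN=Radiator Service,OU=eU,OU=Services,DC=net,DC=tst
		AuthPassword XXXXXXX
		BaseDN OU=Teste,OU=Other,DC=domain,DC=net,DC=tst
		UsernameAttr userPrincipalName
		# Do not re-check the password, just read the entry
		NoCheckPassword
		AuthAttrDef department,department,request
		AddToReply Reply-Message=Group_TEST:%{department}
	</AuthBy>
</Handler>

# Outer request: for EAP this clause is only the tunnel endpoint and the
# LDAP server is not queried, so AuthAttrDef/AddToReply here only take
# effect for plain (non-EAP) requests such as the radpwtst test.
<Handler Realm=/domain\.net\.tst$/i>
	<AuthBy LDAP2>
		Host ip1 ip2
		Port 389
		AuthDN CN=Radiator Service,OU=eU,OU=Services,DC=net,DC=tst
		AuthPassword XXXXXXX
		BaseDN OU=Teste,OU=Other,DC=domain,DC=net,DC=tst
		ServerChecksPassword
		UsernameAttr userPrincipalName
		AuthAttrDef department,department,request
		AddToReply Reply-Message=Group_TEST:%{department}
		EAPType PEAP,TTLS
		EAPTLS_CAFile /etc/radiator/certs/demoCA/ca.crt
		EAPTLS_CertificateFile /etc/radiator/certs/server.crt
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile /etc/radiator/certs/server.key
		EAPTLS_PrivateKeyPassword XXXXXXXXXXX
		EAPAnonymous %0
		AutoMPPEKeys
	</AuthBy>
</Handler>
```

A trace 4 run of the TTLS client should then show the inner Handler calling both AuthBy clauses before the Access-Accept carrying the filled-in Reply-Message is sent.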