[RADIATOR] PEAP-MSCHAPv2 + LDAP problem

Hugh Irvine hugh at open.com.au
Mon Oct 6 19:20:00 CDT 2008


Hello William -

Thanks for the additional information.

The debug below appears to show both an AuthBy FILE and an AuthBy LDAP2 clause in your inner Handler?

Can you please send me a copy of the configuration file you are using?

thanks and regards

Hugh


Mon Oct  6 12:04:48 2008: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
Mon Oct  6 12:04:48 2008: DEBUG:  Deleting session for anonymous, 165.82.1.101, 1
Mon Oct  6 12:04:48 2008: DEBUG: Handling with Radius::AuthFILE:
Mon Oct  6 12:04:48 2008: DEBUG: Handling with EAP: code 2, 1, 64, 26
Mon Oct  6 12:04:48 2008: DEBUG: Response type 26
Mon Oct  6 12:04:48 2008: DEBUG: Reading users file /etc/radiator/users
Mon Oct  6 12:04:48 2008: DEBUG: Radius::AuthFILE looks for match with fuser [anonymous]
Mon Oct  6 12:04:48 2008: DEBUG: Radius::AuthFILE REJECT: No such user: fuser [anonymous]
Mon Oct  6 12:04:48 2008: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user fuser
Mon Oct  6 12:04:48 2008: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 failed: no such user fuser
Mon Oct  6 12:04:48 2008: DEBUG: Handling with Radius::AuthLDAP2:
Mon Oct  6 12:04:48 2008: DEBUG: Handling with EAP: code 2, 1, 64, 26
Mon Oct  6 12:04:48 2008: DEBUG: Response type 26
Mon Oct  6 12:04:48 2008: INFO: Connecting to wwwdev.haverford.edu:389
Mon Oct  6 12:04:48 2008: INFO: Attempting to bind to LDAP server wwwdev.haverford.edu:389
Mon Oct  6 12:04:48 2008: DEBUG: LDAP got result for uid=fuser,ou=people,dc=test,dc=haverford,dc=edu
Mon Oct  6 12:04:48 2008: DEBUG: LDAP got ntPassword: {nthash}6DB1E3552E2ED738ED10FA3ED91C3768
Mon Oct  6 12:04:48 2008: DEBUG: Radius::AuthLDAP2 looks for match with fuser [anonymous]
Mon Oct  6 12:04:48 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fuser [anonymous]
Mon Oct  6 12:04:48 2008: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Mon Oct  6 12:04:48 2008: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
Mon Oct  6 12:04:48 2008: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Mon Oct  6 12:04:48 2008: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Reject
Identifier: UNDEF
Authentic:  <176>#<174><138><1><223>jw<171><203><173><218>P7<185><176>
Attributes:
	EAP-Message = <4><1><0><4>
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
	Reply-Message = "Request Denied"

On 7 Oct 2008, at 03:39, William Ulrich wrote:

> Hello again,
>
> Thanks for your time in looking at this.
>
>> Can you please tell me what version of Radiator you are using?
>> The latest version is Radiator 4.3.1 (plus patches).
>
> We're on the latest/greatest with patches. It was installed fresh just
> last week.
>
>> I would also like to see a more complete trace 4 debug showing the
>> complete packet exchange sequence for both cases.
>
> I've inserted the full trace 4 debug of both cases at the end of this
> message. I was reluctant to put the whole thing inline, as it is quite
> long, but I figure the MLM will strip zipped attachments. Please let me
> know if there's a better option.
>
> FWIW, the configuration is unchanged from my original post.
>
> Again, thanks for checking this out. Short of plowing into the source,
> I'm not sure what else to do.
>
> Cheers,
>
> Bill Ulrich
>
>
>> On 3 Oct 2008, at 23:42, William Ulrich wrote:
>>
>>> Hello all,
>>>
>>> I'm currently attempting to use a combination of Radiator and Sun's LDAP
>>> to provide authentication for our wireless network. The wireless
>>> controller uses PEAP/MSCHAPv2. If anyone has a suggestion on getting
>>> this to work, I'd be most grateful.
>>>
>>> I've successfully authenticated the ubiquitous 'mikem' user using a
>>> stripped down user file (/etc/radiator/users) containing only this entry:
>>>
>>>     mikem     User-Password = {nthash}DCB8E94AC7D0AADC8A81D9C895ACE5F4
>>>         Service-Type=Framed-User
>>>
>>> and the following radius.cfg file, shamelessly cribbed from a mailing
>>> list posting back in May:
>>>
>>>     <Handler TunnelledByPEAP=1>
>>>         <AuthBy FILE>
>>>             Filename    /etc/radiator/users
>>>             EAPType     MSCHAP-V2
>>>         </AuthBy>
>>>     </Handler>
>>>     <Handler>
>>>         <AuthBy FILE>
>>>             EAPType PEAP
>>>             EAPTLS_CAFile         .../CA_cert_file.crt
>>>             EAPTLS_CertificateFile     .../server.crt
>>>             EAPTLS_PrivateKeyFile     .../server.key
>>>             EAPTLS_CertificateType     PEM
>>>             EAPTLS_MaxFragmentSize     1000
>>>             AutoMPPEKeys
>>>         </AuthBy>
>>>     </Handler>
>>>
>>> This works. Now if I swap the TunnelledByPEAP handler's <AuthBy FILE>
>>> section with an analogous <AuthBy LDAP2>:
>>>
>>>     <AuthBy LDAP2>
>>>         Host                *******************
>>>         Port                389
>>>         AuthDN              cn=*************
>>>         AuthPassword        ***********
>>>         BaseDN              ou=people,dc=test,***********
>>>         UsernameAttr        uid
>>>         PasswordAttr        ntPassword
>>>         EAPType MSCHAP-V2
>>>         EAPTLS_CAFile         .../CA_cert_file.crt
>>>         EAPTLS_CertificateFile     .../server.crt
>>>         EAPTLS_PrivateKeyFile     .../server.key
>>>         EAPTLS_CertificateType     PEM
>>>         EAPTLS_MaxFragmentSize     1000
>>>         AutoMPPEKeys
>>>     </AuthBy>
>>>
>>> Authentication fails, with the following log entry (apologies for the
>>> awkward wrapping):
>>>
>>> Thu Oct  2 15:32:28 2008: INFO: Connecting to ***********:389
>>> Thu Oct  2 15:32:28 2008: INFO: Attempting to bind to LDAP server *************:389
>>> Thu Oct  2 15:32:28 2008: DEBUG: LDAP got result for uid=fuser,ou=people,*************
>>> Thu Oct  2 15:32:28 2008: DEBUG: LDAP got ntPassword: {nthash}6DB1E3552E2ED738ED10FA3ED91C3768
>>> Thu Oct  2 15:32:28 2008: DEBUG: Radius::AuthLDAP2 looks for match with fuser [anonymous]
>>> Thu Oct  2 15:32:28 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fuser [anonymous]
>>> Thu Oct  2 15:32:28 2008: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
>>> Thu Oct  2 15:32:28 2008: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
>>> Thu Oct  2 15:32:28 2008: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
>>> Thu Oct  2 15:32:28 2008: DEBUG: Returned PEAP tunnelled packet dump:
>>>
>>> From what I can see in the log, it gets the right attribute (ntPassword)
>>> in the right form ({nthash}... a la the users file) and I've verified
>>> that the nthash is correct for the test user account.
>>>
>>> So - what's going wrong? I'm a little stymied, so if anyone has an idea,
>>> I'd love to hear it.
>>>
>>> Thanks in Advance,
>>>
>>> Bill Ulrich
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



