[RADIATOR] PEAP-MSCHAPv2 + LDAP problem

Bill Ulrich bulrich at haverford.edu
Tue Oct 7 06:35:44 CDT 2008


Hello,

Sorry for the confusion. I got tired of shifting the symlinks between
the FILE and LDAP2 AuthBy clauses, and found that I got the same results
if I concatenated them with a ContinueWhileReject policy. There are no
username overlaps, so it seemed OK for testing. FWIW the original
problem was seen with separate config files.

Here's the full Inner and Outer Handler clauses:

> <Handler TunnelledByPEAP=1>
>         AuthByPolicy ContinueWhileReject
>         <AuthBy FILE>
>                 Filename    /etc/radiator/users
>                 EAPType         MSCHAP-V2
>         </AuthBy>
>         <AuthBy LDAP2>
>                 Host            **********
>                 Port            389
>                 AuthDN          cn=**********
>                 AuthPassword    *********
>                 BaseDN          ou=people,dc=test,*******
>                 UsernameAttr    uid
>                 PasswordAttr    ntPassword
>                 EAPType MSCHAP-V2
>                 EAPTLS_CAFile .../ips-ipscabundle.crt
>                 EAPTLS_CertificateFile .../server.crt
>                 EAPTLS_PrivateKeyFile .../server.key
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>         </AuthBy>
> </Handler>
> <Handler>
>         <AuthBy FILE>
>                 EAPType PEAP
>                 EAPTLS_CAFile .../ips-ipscabundle.crt
>                 EAPTLS_CertificateFile .../server.crt
>                 EAPTLS_PrivateKeyFile .../server.key
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>         </AuthBy>
> </Handler>

Thanks again for your time - wading through the debug output can't be
entertaining.

Cheers,

Bill

Hugh Irvine wrote:
> 
> Hello William -
> 
> Thanks for the additional information.
> 
> The debug below appears to show both an AuthBy FILE and an AuthBy LDAP2
> clause in your inner Handler?
> 
> Can you please send me a copy of the configuration file you are using?
> 
> thanks and regards
> 
> Hugh
> 
> 
> Mon Oct  6 12:04:48 2008: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Mon Oct  6 12:04:48 2008: DEBUG:  Deleting session for anonymous,
> 165.82.1.101, 1
> Mon Oct  6 12:04:48 2008: DEBUG: Handling with Radius::AuthFILE:
> Mon Oct  6 12:04:48 2008: DEBUG: Handling with EAP: code 2, 1, 64, 26
> Mon Oct  6 12:04:48 2008: DEBUG: Response type 26
> Mon Oct  6 12:04:48 2008: DEBUG: Reading users file /etc/radiator/users
> Mon Oct  6 12:04:48 2008: DEBUG: Radius::AuthFILE looks for match with
> fuser [anonymous]
> Mon Oct  6 12:04:48 2008: DEBUG: Radius::AuthFILE REJECT: No such user:
> fuser [anonymous]
> Mon Oct  6 12:04:48 2008: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no
> such user fuser
> Mon Oct  6 12:04:48 2008: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP
> V2 failed: no such user fuser
> Mon Oct  6 12:04:48 2008: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Oct  6 12:04:48 2008: DEBUG: Handling with EAP: code 2, 1, 64, 26
> Mon Oct  6 12:04:48 2008: DEBUG: Response type 26
> Mon Oct  6 12:04:48 2008: INFO: Connecting to wwwdev.haverford.edu:389
> Mon Oct  6 12:04:48 2008: INFO: Attempting to bind to LDAP server
> wwwdev.haverford.edu:389
> Mon Oct  6 12:04:48 2008: DEBUG: LDAP got result for
> uid=fuser,ou=people,dc=test,dc=haverford,dc=edu
> Mon Oct  6 12:04:48 2008: DEBUG: LDAP got ntPassword:
> {nthash}6DB1E3552E2ED738ED10FA3ED91C3768
> Mon Oct  6 12:04:48 2008: DEBUG: Radius::AuthLDAP2 looks for match with
> fuser [anonymous]
> Mon Oct  6 12:04:48 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fuser
> [anonymous]
> Mon Oct  6 12:04:48 2008: DEBUG: EAP result: 1, EAP MSCHAP-V2
> Authentication failure
> Mon Oct  6 12:04:48 2008: DEBUG: AuthBy LDAP2 result: REJECT, EAP
> MSCHAP-V2 Authentication failure
> Mon Oct  6 12:04:48 2008: INFO: Access rejected for anonymous: EAP
> MSCHAP-V2 Authentication failure
> Mon Oct  6 12:04:48 2008: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Reject
> Identifier: UNDEF
> Authentic:  <176>#<174><138><1><223>jw<171><203><173><218>P7<185><176>
> Attributes:
>     EAP-Message = <4><1><0><4>
>     Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>     Reply-Message = "Request Denied"
> 
> On 7 Oct 2008, at 03:39, William Ulrich wrote:
> 
>> Hello again,
>>
>> Thanks for your time in looking at this.
>>
>>> Can you please tell me what version of Radiator you are using?
>>> The latest version is Radiator 4.3.1 (plus patches).
>>
>> We're on the latest/greatest with patches. It was installed fresh just
>> last week.
>>
>>> I would also like to see a more complete trace 4 debug showing the
>>> complete packet exchange sequence for both cases.
>>
>> I've inserted the full trace 4 debug of both cases at the end of this
>> message. I was reluctant to put the whole thing inline, as it is quite
>> long, but I figure the MLM will strip zipped attachments. Please let me
>> know if there's a better option.
>>
>> FWIW, the configuration is unchanged from my original post.
>>
>> Again, thanks for checking this out. Short of plowing into the source,
>> I'm not sure what else to do.
>>
>> Cheers,
>>
>> Bill Ulrich
>>
>>
>>> On 3 Oct 2008, at 23:42, William Ulrich wrote:
>>>
>>>> Hello all,
>>>>
>>>> I'm currently attempting to use a combination of Radiator and Sun's
>>>> LDAP
>>>> to provide authentication for our wireless network. The wireless
>>>> controller uses PEAP/MSCHAPv2. If anyone has a suggestion on getting
>>>> this to work, I'd be most grateful.
>>>>
>>>> I've successfully authenticated the ubiquitous 'mikem' user using a
>>>> stripped down user file (/etc/radiator/users) containing only this
>>>> entry:
>>>>
>>>>     mikem     User-Password = {nthash}DCB8E94AC7D0AADC8A81D9C895ACE5F4
>>>>         Service-Type=Framed-User
>>>>
>>>>  and the following radius.cfg file, shamelessly cribbed from a mailing
>>>> list posting back in May:
>>>>
>>>>     <Handler TunnelledByPEAP=1>
>>>>         <AuthBy FILE>
>>>>             Filename    /etc/radiator/users
>>>>             EAPType     MSCHAP-V2
>>>>         </AuthBy>
>>>>     </Handler>
>>>>     <Handler>
>>>>         <AuthBy FILE>
>>>>             EAPType PEAP
>>>>             EAPTLS_CAFile         .../CA_cert_file.crt
>>>>             EAPTLS_CertificateFile     .../server.crt
>>>>             EAPTLS_PrivateKeyFile     .../server.key
>>>>             EAPTLS_CertificateType     PEM
>>>>             EAPTLS_MaxFragmentSize     1000
>>>>             AutoMPPEKeys
>>>>         </AuthBy>
>>>>     </Handler>
>>>>
>>>> This works. Now if I swap the TunnelledByPEAP handler's <AuthBy FILE>
>>>> section with an analogous <AuthBy LDAP2>:
>>>>
>>>>     <AuthBy LDAP2>
>>>>         Host                *******************
>>>>         Port                389
>>>>         AuthDN              cn=*************
>>>>         AuthPassword        ***********
>>>>         BaseDN              ou=people,dc=test,***********
>>>>         UsernameAttr        uid
>>>>         PasswordAttr        ntPassword
>>>>         EAPType MSCHAP-V2
>>>>         EAPTLS_CAFile         .../CA_cert_file.crt
>>>>         EAPTLS_CertificateFile     .../server.crt
>>>>         EAPTLS_PrivateKeyFile     .../server.key
>>>>         EAPTLS_CertificateType     PEM
>>>>         EAPTLS_MaxFragmentSize     1000
>>>>         AutoMPPEKeys
>>>>     </AuthBy>
>>>>
>>>> Authentication fails, with the following log entry (apologies for the
>>>> awkward wrapping):
>>>>
>>>> Thu Oct  2 15:32:28 2008: INFO: Connecting to ***********:389
>>>> Thu Oct  2 15:32:28 2008: INFO: Attempting to bind to LDAP server
>>>> *************:389
>>>> Thu Oct  2 15:32:28 2008: DEBUG: LDAP got result for
>>>> uid=fuser,ou=people,*************
>>>> Thu Oct  2 15:32:28 2008: DEBUG: LDAP got ntPassword:
>>>> {nthash}6DB1E3552E2ED738ED10FA3ED91C3768
>>>> Thu Oct  2 15:32:28 2008: DEBUG: Radius::AuthLDAP2 looks for match with
>>>> fuser [anonymous]
>>>> Thu Oct  2 15:32:28 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fuser
>>>> [anonymous]
>>>> Thu Oct  2 15:32:28 2008: DEBUG: EAP result: 1, EAP MSCHAP-V2
>>>> Authentication failure
>>>> Thu Oct  2 15:32:28 2008: DEBUG: AuthBy LDAP2 result: REJECT, EAP
>>>> MSCHAP-V2 Authentication failure
>>>> Thu Oct  2 15:32:28 2008: INFO: Access rejected for anonymous: EAP
>>>> MSCHAP-V2 Authentication failure
>>>> Thu Oct  2 15:32:28 2008: DEBUG: Returned PEAP tunnelled packet dump:
>>>>
>>>> From what I can see in the log, it gets the right attribute
>>>> (ntPassword)
>>>> in the right form ({nthash}... a la the users file) and I've verified
>>>> that the nthash is correct for the test user account.
>>>>
>>>> So - what's going wrong? I'm a little stymied, so if anyone has an
>>>> idea,
>>>> I'd love to hear it.
>>>>
>>>> Thanks in Advance,
>>>>
>>>> Bill Ulrich
>>>>
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>
> 
> 
> 
> NB:
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
> 


-- 
E pur si muove!


