[RADIATOR] PEAP-MSCHAPv2 + LDAP problem
Hugh Irvine
hugh at open.com.au
Wed Oct 8 21:58:51 CDT 2008
Hello Bill -
Could you try this and let me know how you go?
<Handler TunnelledByPEAP=1>
    <AuthBy GROUP>
        EAPType MSCHAP-V2
        AuthByPolicy ContinueWhileReject
        <AuthBy FILE>
            Filename /etc/radiator/users
        </AuthBy>
        <AuthBy LDAP2>
            Host **********
            Port 389
            AuthDN cn=**********
            AuthPassword *********
            BaseDN ou=people,dc=test,*******
            UsernameAttr uid
            PasswordAttr ntPassword
        </AuthBy>
    </AuthBy>
</Handler>

<Handler>
    <AuthBy FILE>
        EAPType PEAP
        EAPTLS_CAFile .../ips-ipscabundle.crt
        EAPTLS_CertificateFile .../server.crt
        EAPTLS_PrivateKeyFile .../server.key
        EAPTLS_CertificateType PEM
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
    </AuthBy>
</Handler>
regards
Hugh
On 7 Oct 2008, at 22:35, Bill Ulrich wrote:
> Hello,
>
> Sorry for the confusion. I got tired of shifting the symlinks between
> the FILE and LDAP2 AuthBy clauses, and found that I got the same results
> if I concatenated them with a ContinueWhileReject policy. There are no
> username overlaps, so it seemed OK for testing. FWIW the original
> problem was seen with separate config files.
>
> Here's the full Inner and Outer Handler clauses:
>
>> <Handler TunnelledByPEAP=1>
>>     AuthByPolicy ContinueWhileReject
>>     <AuthBy FILE>
>>         Filename /etc/radiator/users
>>         EAPType MSCHAP-V2
>>     </AuthBy>
>>     <AuthBy LDAP2>
>>         Host **********
>>         Port 389
>>         AuthDN cn=**********
>>         AuthPassword *********
>>         BaseDN ou=people,dc=test,*******
>>         UsernameAttr uid
>>         PasswordAttr ntPassword
>>         EAPType MSCHAP-V2
>>         EAPTLS_CAFile .../ips-ipscabundle.crt
>>         EAPTLS_CertificateFile .../server.crt
>>         EAPTLS_PrivateKeyFile .../server.key
>>         EAPTLS_CertificateType PEM
>>         EAPTLS_MaxFragmentSize 1000
>>         AutoMPPEKeys
>>     </AuthBy>
>> </Handler>
>>
>> <Handler>
>>     <AuthBy FILE>
>>         EAPType PEAP
>>         EAPTLS_CAFile .../ips-ipscabundle.crt
>>         EAPTLS_CertificateFile .../server.crt
>>         EAPTLS_PrivateKeyFile .../server.key
>>         EAPTLS_CertificateType PEM
>>         EAPTLS_MaxFragmentSize 1000
>>         AutoMPPEKeys
>>     </AuthBy>
>> </Handler>
>
> Thanks again for your time - wading through the debug output can't be
> entertaining.
>
> Cheers,
>
> Bill
>
> Hugh Irvine wrote:
>>
>> Hello William -
>>
>> Thanks for the additional information.
>>
>> The debug below appears to show both an AuthBy FILE and an AuthBy LDAP2
>> clause in your inner Handler?
>>
>> Can you please send me a copy of the configuration file you are using?
>>
>> thanks and regards
>>
>> Hugh
>>
>>
>> Mon Oct 6 12:04:48 2008: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
>> Mon Oct 6 12:04:48 2008: DEBUG: Deleting session for anonymous, 165.82.1.101, 1
>> Mon Oct 6 12:04:48 2008: DEBUG: Handling with Radius::AuthFILE:
>> Mon Oct 6 12:04:48 2008: DEBUG: Handling with EAP: code 2, 1, 64, 26
>> Mon Oct 6 12:04:48 2008: DEBUG: Response type 26
>> Mon Oct 6 12:04:48 2008: DEBUG: Reading users file /etc/radiator/users
>> Mon Oct 6 12:04:48 2008: DEBUG: Radius::AuthFILE looks for match with fuser [anonymous]
>> Mon Oct 6 12:04:48 2008: DEBUG: Radius::AuthFILE REJECT: No such user: fuser [anonymous]
>> Mon Oct 6 12:04:48 2008: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user fuser
>> Mon Oct 6 12:04:48 2008: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 failed: no such user fuser
>> Mon Oct 6 12:04:48 2008: DEBUG: Handling with Radius::AuthLDAP2:
>> Mon Oct 6 12:04:48 2008: DEBUG: Handling with EAP: code 2, 1, 64, 26
>> Mon Oct 6 12:04:48 2008: DEBUG: Response type 26
>> Mon Oct 6 12:04:48 2008: INFO: Connecting to wwwdev.haverford.edu:389
>> Mon Oct 6 12:04:48 2008: INFO: Attempting to bind to LDAP server wwwdev.haverford.edu:389
>> Mon Oct 6 12:04:48 2008: DEBUG: LDAP got result for uid=fuser,ou=people,dc=test,dc=haverford,dc=edu
>> Mon Oct 6 12:04:48 2008: DEBUG: LDAP got ntPassword: {nthash}6DB1E3552E2ED738ED10FA3ED91C3768
>> Mon Oct 6 12:04:48 2008: DEBUG: Radius::AuthLDAP2 looks for match with fuser [anonymous]
>> Mon Oct 6 12:04:48 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fuser [anonymous]
>> Mon Oct 6 12:04:48 2008: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
>> Mon Oct 6 12:04:48 2008: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
>> Mon Oct 6 12:04:48 2008: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
>> Mon Oct 6 12:04:48 2008: DEBUG: Returned PEAP tunnelled packet dump:
>> Code: Access-Reject
>> Identifier: UNDEF
>> Authentic: <176>#<174><138><1><223>jw<171><203><173><218>P7<185><176>
>> Attributes:
>>     EAP-Message = <4><1><0><4>
>>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>     Reply-Message = "Request Denied"
>>
>> On 7 Oct 2008, at 03:39, William Ulrich wrote:
>>
>>> Hello again,
>>>
>>> Thanks for your time in looking at this.
>>>
>>>> Can you please tell me what version of Radiator you are using?
>>>> The latest version is Radiator 4.3.1 (plus patches).
>>>
>>> We're on the latest/greatest with patches. It was installed fresh just
>>> last week.
>>>
>>>> I would also like to see a more complete trace 4 debug showing the
>>>> complete packet exchange sequence for both cases.
>>>
>>> I've inserted the full trace 4 debug of both cases at the end of this
>>> message. I was reluctant to put the whole thing inline, as it is quite
>>> long, but I figure the MLM will strip zipped attachments. Please let me
>>> know if there's a better option.
>>>
>>> FWIW, the configuration is unchanged from my original post.
>>>
>>> Again, thanks for checking this out. Short of plowing into the source,
>>> I'm not sure what else to do.
>>>
>>> Cheers,
>>>
>>> Bill Ulrich
>>>
>>>
>>>> On 3 Oct 2008, at 23:42, William Ulrich wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> I'm currently attempting to use a combination of Radiator and Sun's
>>>>> LDAP to provide authentication for our wireless network. The wireless
>>>>> controller uses PEAP/MSCHAPv2. If anyone has a suggestion on getting
>>>>> this to work, I'd be most grateful.
>>>>>
>>>>> I've successfully authenticated the ubiquitous 'mikem' user using a
>>>>> stripped down user file (/etc/radiator/users) containing only this
>>>>> entry:
>>>>>
>>>>>     mikem   User-Password = {nthash}DCB8E94AC7D0AADC8A81D9C895ACE5F4
>>>>>             Service-Type=Framed-User
>>>>>
>>>>> and the following radius.cfg file, shamelessly cribbed from a mailing
>>>>> list posting back in May:
>>>>>
>>>>> <Handler TunnelledByPEAP=1>
>>>>>     <AuthBy FILE>
>>>>>         Filename /etc/radiator/users
>>>>>         EAPType MSCHAP-V2
>>>>>     </AuthBy>
>>>>> </Handler>
>>>>>
>>>>> <Handler>
>>>>>     <AuthBy FILE>
>>>>>         EAPType PEAP
>>>>>         EAPTLS_CAFile .../CA_cert_file.crt
>>>>>         EAPTLS_CertificateFile .../server.crt
>>>>>         EAPTLS_PrivateKeyFile .../server.key
>>>>>         EAPTLS_CertificateType PEM
>>>>>         EAPTLS_MaxFragmentSize 1000
>>>>>         AutoMPPEKeys
>>>>>     </AuthBy>
>>>>> </Handler>
>>>>>
>>>>> This works. Now if I swap the TunnelledByPEAP handler's <AuthBy FILE>
>>>>> section with an analogous <AuthBy LDAP2>:
>>>>>
>>>>> <AuthBy LDAP2>
>>>>>     Host *******************
>>>>>     Port 389
>>>>>     AuthDN cn=*************
>>>>>     AuthPassword ***********
>>>>>     BaseDN ou=people,dc=test,***********
>>>>>     UsernameAttr uid
>>>>>     PasswordAttr ntPassword
>>>>>     EAPType MSCHAP-V2
>>>>>     EAPTLS_CAFile .../CA_cert_file.crt
>>>>>     EAPTLS_CertificateFile .../server.crt
>>>>>     EAPTLS_PrivateKeyFile .../server.key
>>>>>     EAPTLS_CertificateType PEM
>>>>>     EAPTLS_MaxFragmentSize 1000
>>>>>     AutoMPPEKeys
>>>>> </AuthBy>
>>>>>
>>>>> Authentication fails, with the following log entry (apologies for the
>>>>> awkward wrapping):
>>>>>
>>>>> Thu Oct 2 15:32:28 2008: INFO: Connecting to ***********:389
>>>>> Thu Oct 2 15:32:28 2008: INFO: Attempting to bind to LDAP server *************:389
>>>>> Thu Oct 2 15:32:28 2008: DEBUG: LDAP got result for uid=fuser,ou=people,*************
>>>>> Thu Oct 2 15:32:28 2008: DEBUG: LDAP got ntPassword: {nthash}6DB1E3552E2ED738ED10FA3ED91C3768
>>>>> Thu Oct 2 15:32:28 2008: DEBUG: Radius::AuthLDAP2 looks for match with fuser [anonymous]
>>>>> Thu Oct 2 15:32:28 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fuser [anonymous]
>>>>> Thu Oct 2 15:32:28 2008: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
>>>>> Thu Oct 2 15:32:28 2008: DEBUG: AuthBy LDAP2 result: REJECT, EAP MSCHAP-V2 Authentication failure
>>>>> Thu Oct 2 15:32:28 2008: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
>>>>> Thu Oct 2 15:32:28 2008: DEBUG: Returned PEAP tunnelled packet dump:
>>>>>
>>>>> From what I can see in the log, it gets the right attribute (ntPassword)
>>>>> in the right form ({nthash}... a la the users file) and I've verified
>>>>> that the nthash is correct for the test user account.
>>>>>
>>>>> So - what's going wrong? I'm a little stymied, so if anyone has an idea,
>>>>> I'd love to hear it.
>>>>>
>>>>> Thanks in Advance,
>>>>>
>>>>> Bill Ulrich
>>>>>
>>>>> _______________________________________________
>>>>> radiator mailing list
>>>>> radiator at open.com.au
>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive
>> (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>
>
> --
> E pur si muove!
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.