[RADIATOR] PEAP-MSCHAPv2 + LDAP problem [RESOLVED]
William Ulrich
bulrich at haverford.edu
Fri Oct 10 10:59:24 CDT 2008
Shifting the EAPType directive didn't work, BUT...
What _did_ work was replacing the samba.schema LDIF I was using. I
originally used a Samba 2 ldif with ntPassword holding the NTHash. In
the course of tweaking the setup, I changed to a Samba 3 ldif schema
with sambaNTPassword holding the NTHash.
This works on Sun's LDAP and OpenLDAP. No idea why, but I'm not arguing.
Thanks for everyone's patience.
Cheers,
Bill
Hugh Irvine wrote:
>
> Hello Bill -
>
> Could you try this and let me know how you go?
>
>
>
> <Handler TunnelledByPEAP=1>
> <AuthBy GROUP>
>
> EAPType MSCHAP-V2
>
> AuthByPolicy ContinueWhileReject
>
> <AuthBy FILE>
> Filename /etc/radiator/users
> </AuthBy>
>
> <AuthBy LDAP2>
> Host **********
> Port 389
> AuthDN cn=**********
> AuthPassword *********
> BaseDN ou=people,dc=test,*******
> UsernameAttr uid
> PasswordAttr ntPassword
> </AuthBy>
>
> </AuthBy>
> </Handler>
>
> <Handler>
> <AuthBy FILE>
> EAPType PEAP
> EAPTLS_CAFile .../ips-ipscabundle.crt
> EAPTLS_CertificateFile .../server.crt
> EAPTLS_PrivateKeyFile .../server.key
> EAPTLS_CertificateType PEM
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> </AuthBy>
> </Handler>
>
>
> regards
>
> Hugh
>
>
> On 7 Oct 2008, at 22:35, Bill Ulrich wrote:
>
>> Hello,
>>
>> Sorry for the confusion. I got tired of shifting the symlinks between
>> the FILE and LDAP2 AuthBy clauses, and found that I got the same results
>> if I concatenated them with a ContinueWhileReject policy. There are no
>> username overlaps, so it seemed OK for testing. FWIW the original
>> problem was seen with separate config files.
>>
>> Here's the full Inner and Outer Handler clauses:
>>
>>> <Handler TunnelledByPEAP=1>
>>> AuthByPolicy ContinueWhileReject
>>> <AuthBy FILE>
>>> Filename /etc/radiator/users
>>> EAPType MSCHAP-V2
>>> </AuthBy>
>>> <AuthBy LDAP2>
>>> Host **********
>>> Port 389
>>> AuthDN cn=**********
>>> AuthPassword *********
>>> BaseDN ou=people,dc=test,*******
>>> UsernameAttr uid
>>> PasswordAttr ntPassword
>>> EAPType MSCHAP-V2
>>> EAPTLS_CAFile .../ips-ipscabundle.crt
>>> EAPTLS_CertificateFile .../server.crt
>>> EAPTLS_PrivateKeyFile .../server.key
>>> EAPTLS_CertificateType PEM
>>> EAPTLS_MaxFragmentSize 1000
>>> AutoMPPEKeys
>>> </AuthBy>
>>> </Handler>
>>> <Handler>
>>> <AuthBy FILE>
>>> EAPType PEAP
>>> EAPTLS_CAFile .../ips-ipscabundle.crt
>>> EAPTLS_CertificateFile .../server.crt
>>> EAPTLS_PrivateKeyFile .../server.key
>>> EAPTLS_CertificateType PEM
>>> EAPTLS_MaxFragmentSize 1000
>>> AutoMPPEKeys
>>> </AuthBy>
>>> </Handler>
>>
>> Thanks again for your time - wading through the debug output can't be
>> entertaining.
>>
>> Cheers,
>>
>> Bill
>>
>> Hugh Irvine wrote:
>>>
>>> Hello William -
>>>
>>> Thanks for the additional information.
>>>
>>> The debug below appears to show both an AuthBy FILE and an AuthBy LDAP2
>>> clause in your inner Handler?
>>>
>>> Can you please send me a copy of the configuration file you are using?
>>>
>>> thanks and regards
>>>
>>> Hugh
>>>
>>>
>>> Mon Oct 6 12:04:48 2008: DEBUG: Handling request with Handler
>>> 'TunnelledByPEAP=1'
>>> Mon Oct 6 12:04:48 2008: DEBUG: Deleting session for anonymous,
>>> 165.82.1.101, 1
>>> Mon Oct 6 12:04:48 2008: DEBUG: Handling with Radius::AuthFILE:
>>> Mon Oct 6 12:04:48 2008: DEBUG: Handling with EAP: code 2, 1, 64, 26
>>> Mon Oct 6 12:04:48 2008: DEBUG: Response type 26
>>> Mon Oct 6 12:04:48 2008: DEBUG: Reading users file /etc/radiator/users
>>> Mon Oct 6 12:04:48 2008: DEBUG: Radius::AuthFILE looks for match with
>>> fuser [anonymous]
>>> Mon Oct 6 12:04:48 2008: DEBUG: Radius::AuthFILE REJECT: No such user:
>>> fuser [anonymous]
>>> Mon Oct 6 12:04:48 2008: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no
>>> such user fuser
>>> Mon Oct 6 12:04:48 2008: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP
>>> V2 failed: no such user fuser
>>> Mon Oct 6 12:04:48 2008: DEBUG: Handling with Radius::AuthLDAP2:
>>> Mon Oct 6 12:04:48 2008: DEBUG: Handling with EAP: code 2, 1, 64, 26
>>> Mon Oct 6 12:04:48 2008: DEBUG: Response type 26
>>> Mon Oct 6 12:04:48 2008: INFO: Connecting to wwwdev.haverford.edu:389
>>> Mon Oct 6 12:04:48 2008: INFO: Attempting to bind to LDAP server
>>> wwwdev.haverford.edu:389
>>> Mon Oct 6 12:04:48 2008: DEBUG: LDAP got result for
>>> uid=fuser,ou=people,dc=test,dc=haverford,dc=edu
>>> Mon Oct 6 12:04:48 2008: DEBUG: LDAP got ntPassword:
>>> {nthash}6DB1E3552E2ED738ED10FA3ED91C3768
>>> Mon Oct 6 12:04:48 2008: DEBUG: Radius::AuthLDAP2 looks for match with
>>> fuser [anonymous]
>>> Mon Oct 6 12:04:48 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fuser
>>> [anonymous]
>>> Mon Oct 6 12:04:48 2008: DEBUG: EAP result: 1, EAP MSCHAP-V2
>>> Authentication failure
>>> Mon Oct 6 12:04:48 2008: DEBUG: AuthBy LDAP2 result: REJECT, EAP
>>> MSCHAP-V2 Authentication failure
>>> Mon Oct 6 12:04:48 2008: INFO: Access rejected for anonymous: EAP
>>> MSCHAP-V2 Authentication failure
>>> Mon Oct 6 12:04:48 2008: DEBUG: Returned PEAP tunnelled packet dump:
>>> Code: Access-Reject
>>> Identifier: UNDEF
>>> Authentic: <176>#<174><138><1><223>jw<171><203><173><218>P7<185><176>
>>> Attributes:
>>> EAP-Message = <4><1><0><4>
>>> Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>> Reply-Message = "Request Denied"
>>>
>>> On 7 Oct 2008, at 03:39, William Ulrich wrote:
>>>
>>>> Hello again,
>>>>
>>>> Thanks for your time in looking at this.
>>>>
>>>>> Can you please tell me what version of Radiator you are using?
>>>>> The latest version is Radiator 4.3.1 (plus patches).
>>>>
>>>> We're on the latest/greatest with patches. It was installed fresh just
>>>> last week.
>>>>
>>>>> I would also like to see a more complete trace 4 debug showing the
>>>>> complete packet exchange sequence for both cases.
>>>>
>>>> I've inserted the full trace 4 debug of both cases at the end of this
>>>> message. I was reluctant to put the whole thing inline, as it is quite
>>>> long, but I figure the MLM will strip zipped attachments. Please let me
>>>> know if there's a better option.
>>>>
>>>> FWIW, the configuration is unchanged from my original post.
>>>>
>>>> Again, thanks for checking this out. Short of plowing into the source,
>>>> I'm not sure what else to do.
>>>>
>>>> Cheers,
>>>>
>>>> Bill Ulrich
>>>>
>>>>
>>>>> On 3 Oct 2008, at 23:42, William Ulrich wrote:
>>>>>
>>>>>> Hello all,
>>>>>>
>>>>>> I'm currently attempting to use a combination of Radiator and Sun's LDAP
>>>>>> to provide authentication for our wireless network. The wireless
>>>>>> controller uses PEAP/MSCHAPv2. If anyone has a suggestion on getting
>>>>>> this to work, I'd be most grateful.
>>>>>>
>>>>>> I've successfully authenticated the ubiquitous 'mikem' user using a
>>>>>> stripped down user file (/etc/radiator/users) containing only this
>>>>>> entry:
>>>>>>
>>>>>> mikem User-Password = {nthash}DCB8E94AC7D0AADC8A81D9C895ACE5F4
>>>>>> Service-Type=Framed-User
>>>>>>
>>>>>> and the following radius.cfg file, shamelessly cribbed from a mailing
>>>>>> list posting back in May:
>>>>>>
>>>>>> <Handler TunnelledByPEAP=1>
>>>>>> <AuthBy FILE>
>>>>>> Filename /etc/radiator/users
>>>>>> EAPType MSCHAP-V2
>>>>>> </AuthBy>
>>>>>> </Handler>
>>>>>> <Handler>
>>>>>> <AuthBy FILE>
>>>>>> EAPType PEAP
>>>>>> EAPTLS_CAFile .../CA_cert_file.crt
>>>>>> EAPTLS_CertificateFile .../server.crt
>>>>>> EAPTLS_PrivateKeyFile .../server.key
>>>>>> EAPTLS_CertificateType PEM
>>>>>> EAPTLS_MaxFragmentSize 1000
>>>>>> AutoMPPEKeys
>>>>>> </AuthBy>
>>>>>> </Handler>
>>>>>>
>>>>>> This works. Now if I swap the TunnelledByPEAP handler's <AuthBy FILE>
>>>>>> section with an analogous <AuthBy LDAP2>:
>>>>>>
>>>>>> <AuthBy LDAP2>
>>>>>> Host *******************
>>>>>> Port 389
>>>>>> AuthDN cn=*************
>>>>>> AuthPassword ***********
>>>>>> BaseDN ou=people,dc=test,***********
>>>>>> UsernameAttr uid
>>>>>> PasswordAttr ntPassword
>>>>>> EAPType MSCHAP-V2
>>>>>> EAPTLS_CAFile .../CA_cert_file.crt
>>>>>> EAPTLS_CertificateFile .../server.crt
>>>>>> EAPTLS_PrivateKeyFile .../server.key
>>>>>> EAPTLS_CertificateType PEM
>>>>>> EAPTLS_MaxFragmentSize 1000
>>>>>> AutoMPPEKeys
>>>>>> </AuthBy>
>>>>>>
>>>>>> Authentication fails, with the following log entry (apologies for the
>>>>>> awkward wrapping):
>>>>>>
>>>>>> Thu Oct 2 15:32:28 2008: INFO: Connecting to ***********:389
>>>>>> Thu Oct 2 15:32:28 2008: INFO: Attempting to bind to LDAP server
>>>>>> *************:389
>>>>>> Thu Oct 2 15:32:28 2008: DEBUG: LDAP got result for
>>>>>> uid=fuser,ou=people,*************
>>>>>> Thu Oct 2 15:32:28 2008: DEBUG: LDAP got ntPassword:
>>>>>> {nthash}6DB1E3552E2ED738ED10FA3ED91C3768
>>>>>> Thu Oct 2 15:32:28 2008: DEBUG: Radius::AuthLDAP2 looks for match
>>>>>> with
>>>>>> fuser [anonymous]
>>>>>> Thu Oct 2 15:32:28 2008: DEBUG: Radius::AuthLDAP2 ACCEPT: : fuser
>>>>>> [anonymous]
>>>>>> Thu Oct 2 15:32:28 2008: DEBUG: EAP result: 1, EAP MSCHAP-V2
>>>>>> Authentication failure
>>>>>> Thu Oct 2 15:32:28 2008: DEBUG: AuthBy LDAP2 result: REJECT, EAP
>>>>>> MSCHAP-V2 Authentication failure
>>>>>> Thu Oct 2 15:32:28 2008: INFO: Access rejected for anonymous: EAP
>>>>>> MSCHAP-V2 Authentication failure
>>>>>> Thu Oct 2 15:32:28 2008: DEBUG: Returned PEAP tunnelled packet dump:
>>>>>>
>>>>>> From what I can see in the log, it gets the right attribute (ntPassword)
>>>>>> in the right form ({nthash}... a la the users file) and I've verified
>>>>>> that the nthash is correct for the test user account.
>>>>>>
>>>>>> So - what's going wrong? I'm a little stymied, so if anyone has an idea,
>>>>>> I'd love to hear it.
>>>>>>
>>>>>> Thanks in Advance,
>>>>>>
>>>>>> Bill Ulrich
>>>>>>
>>>>>> _______________________________________________
>>>>>> radiator mailing list
>>>>>> radiator at open.com.au
>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>
>>>
>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive
>>> (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>> Have you checked the RadiusExpert wiki:
>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>
>>
>>
>> --
>> E pur si muove!
>
>
>