[RADIATOR] A second handler just to add attributes gets PEAP tunneled requests rejected
Jhonny Freire de Oliveira
joliveira at reitoria.ul.pt
Wed Sep 2 06:56:05 CDT 2009
Hi,
I'm trying to add VLAN definitions with a second AuthBy clause on a "per user basis". This seems to work with TTLS (I'm not sure); unfortunately, it doesn't for PEAP tunneled requests. I think I already came across someone with the same problem, but now I'm unable to find it. How can I fix this behavior?
Wed Sep 2 11:35:51 2009: DEBUG: EAP result: 1, Not authenticated by this AuthBy
Wed Sep 2 11:35:51 2009: DEBUG: AuthBy LDAP2 result: REJECT, Not authenticated by this AuthBy
Wed Sep 2 11:35:51 2009: DEBUG: vlan-override-based-on-UL-realm-postauth VLAN ID PostAuthHook called
Wed Sep 2 11:35:51 2009: INFO: Access rejected for testew3 at nic.ul.pt: Not authenticated by this AuthBy
Wed Sep 2 11:35:51 2009: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
Later in the configuration I'm also trying to change the VLAN on a domain basis (if the LDAP attribute was not filled). I'm posting the hook here to share it with the community. Any suggestions are welcome.
Configuration:
(...)
# Generic Auth
<AuthBy NTLM>
    Identifier Auth4Tunneled
    UsernameFormat %U
    DomainFormat %R
    EAPType MSCHAP-V2
</AuthBy>

# To add VLAN attributes
<AuthBy LDAP2>
    Identifier LDAP_VLan_attr
    Host 192.168.1.2 192.168.1.3
    Port 3268
    AuthDN OU=eU,OU=Services,DC=ul,DC=pt
    AuthPassword XXXXXXXXXXXXXXX
    BaseDN DC=ul,DC=pt
    ServerChecksPassword
    UsernameAttr userPrincipalName
    NoCheckPassword
    AuthAttrDef extensionAttribute14,rad_vlan_attr,request
    StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
    AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=%{rad_vlan_attr}
    NoDefault
</AuthBy>

<Handler TunnelledByPEAP=1, Realm=nic.ul.pt, Client-Identifier=wism>
    AuthByPolicy ContinueWhileAccept
    AuthBy Auth4Tunneled
    # Adding VLAN config
    AuthBy LDAP_VLan_attr
    PostAuthHook file:"%D/hooks/vlan-override-based-on-UL-realm-postauth"
</Handler>
(...)
Logs:
(...)
Wed Sep 2 11:35:51 2009: DEBUG: Handling request with Handler 'TunnelledByPEAP=1, Realm=nic.ul.pt, Client-Identifier=wism'
Wed Sep 2 11:35:51 2009: DEBUG: SessionDB Deleting session for testew3 at nic.ul.pt, 10.99.4.221, 29
Wed Sep 2 11:35:51 2009: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='10.99.4.221' and NASPORT=029':
Wed Sep 2 11:35:51 2009: DEBUG: Handling with Radius::AuthNTLM: Auth4Tunneled
Wed Sep 2 11:35:51 2009: DEBUG: Handling with EAP: code 2, 11, 2, 26
Wed Sep 2 11:35:51 2009: DEBUG: Response type 26
Wed Sep 2 11:35:51 2009: DEBUG: EAP result: 0,
Wed Sep 2 11:35:51 2009: DEBUG: AuthBy NTLM result: ACCEPT,
Wed Sep 2 11:35:51 2009: DEBUG: Handling with Radius::AuthLDAP2: LDAP_VLan_attr
Wed Sep 2 11:35:51 2009: DEBUG: Handling with EAP: code 2, 11, 2, 26
Wed Sep 2 11:35:51 2009: DEBUG: Response type 26
Wed Sep 2 11:35:51 2009: DEBUG: EAP result: 1, Not authenticated by this AuthBy
Wed Sep 2 11:35:51 2009: DEBUG: AuthBy LDAP2 result: REJECT, Not authenticated by this AuthBy
Wed Sep 2 11:35:51 2009: DEBUG: vlan-override-based-on-UL-realm-postauth VLAN ID PostAuthHook called
Wed Sep 2 11:35:51 2009: INFO: Access rejected for testew3 at nic.ul.pt: Not authenticated by this AuthBy
Wed Sep 2 11:35:51 2009: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
Identifier: UNDEF
Authentic: X)<23><169>^<250><223><190><214><153><143>"s<199>>!
Attributes:
EAP-Message = <3><11><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
(...)
The VLAN override hook:
# -*- mode: Perl -*-
# vlan-override-based-on-UL-realm-postauth
#
# PostAuthHook to change or add VLAN attributes
# on a domain basis if needed
#
# Author: Jhonny Oliveira (joliveira at reitoria.ul.pt)
# Nucleo de Informatica e Comunicacoes
# Universidade de Lisboa
#
use strict;
use warnings;

sub
{
    my $p = ${$_[0]};        # the request packet
    my $rp = ${$_[1]};       # the reply packet being built
    my $result = ${$_[2]};   # the result so far ($main::ACCEPT, $main::REJECT, ...)
    my $ASCIIvlan;
    my $identifier;

    # Realm -> VLAN ID map. Keys must match the lowercased realm exactly,
    # so no trailing spaces (the "default" key is looked up below)
    my %realmVlan;
    $realmVlan{"somedomain1.ul.pt"} = 40;
    $realmVlan{"somedomain2.ul.pt"} = 41;
    $realmVlan{"somedomain3.ul.pt"} = 42;
    $realmVlan{"somedomain4.ul.pt"} = 43;
    $realmVlan{"default"} = 100;

    &main::log($main::LOG_DEBUG, "vlan-override-based-on-UL-realm-postauth VLAN ID PostAuthHook called");
    $identifier = $p->{Client}->{Identifier};
    # Only act on accepted requests from the "wism" client (string compare with eq, not ==)
    if (($result == $main::ACCEPT) && ($identifier eq "wism"))
    {
        &main::log($main::LOG_DEBUG, "vlan-override: Getting VLAN ID");
        $ASCIIvlan = $rp->get_attr('Tunnel-Private-Group-ID');

        # The username is the EAP identity or the User-Name
        my $username = $p->{EAPIdentity};
        $username = $p->getUserName() unless defined $username;
        &main::log($main::LOG_DEBUG, "vlan-override: Got username <$username>");
        my $realm;
        ($username, $realm) = split(/\@/, lc $username);
        $realm = '' unless defined $realm;   # no '@' in the username: fall through to default
        &main::log($main::LOG_DEBUG, "vlan-override: Got realm <$realm>");
        my $newVlan = $realmVlan{$realm};
        $newVlan = $realmVlan{"default"} unless defined $newVlan;

        if (!defined $ASCIIvlan)
        {
            # No VLAN attributes in the reply yet: add them
            &main::log($main::LOG_DEBUG, "vlan-override: Adding vlan attributes for vlan <$newVlan>");
            $rp->add_attr('Tunnel-Type', 'VLAN');
            $rp->add_attr('Tunnel-Medium-Type', 802);
            $rp->add_attr('Tunnel-Private-Group-ID', $newVlan);
        }
        elsif ($ASCIIvlan eq '' or $ASCIIvlan =~ /^(\d+):(\s*)($realmVlan{"default"})$/)
        {
            # Either the LDAP attribute was not set (empty value) or the user
            # landed on the default VLAN: replace the attribute
            &main::log($main::LOG_DEBUG, "vlan-override: Replacing vlan tag <$ASCIIvlan> with <$newVlan>");
            $rp->change_attr('Tunnel-Private-Group-ID', $newVlan);
        }
    }
    return;
}
Regards,
____________________________________________________________________
Jhonny Freire Oliveira
joliveira at reitoria.ul.pt
Tel: +351 210170194
Núcleo de Informática e Comunicações da UL
Reitoria da UL, Alameda da Universidade
Campo Grande - 1649-004 Lisboa, Portugal
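As an added example, not from the original post or from Radiator itself: a small Python log triage that groups the AuthBy results Radiator logs per request and flags the pattern seen above, where the first AuthBy's ACCEPT is turned into the final REJECT by a later AuthBy answering "Not authenticated by this AuthBy". The sample lines are copied from the debug log in the post; the regexes and function names are this example's own assumptions.

```python
import re

# Constructed sample: the relevant debug lines copied from the log excerpt in the post
SAMPLE_LOG = """\
Wed Sep 2 11:35:51 2009: DEBUG: Handling request with Handler 'TunnelledByPEAP=1, Realm=nic.ul.pt, Client-Identifier=wism'
Wed Sep 2 11:35:51 2009: DEBUG: Handling with Radius::AuthNTLM: Auth4Tunneled
Wed Sep 2 11:35:51 2009: DEBUG: AuthBy NTLM result: ACCEPT,
Wed Sep 2 11:35:51 2009: DEBUG: Handling with Radius::AuthLDAP2: LDAP_VLan_attr
Wed Sep 2 11:35:51 2009: DEBUG: EAP result: 1, Not authenticated by this AuthBy
Wed Sep 2 11:35:51 2009: DEBUG: AuthBy LDAP2 result: REJECT, Not authenticated by this AuthBy
Wed Sep 2 11:35:51 2009: INFO: Access rejected for testew3 at nic.ul.pt: Not authenticated by this AuthBy
"""
# Line formats assumed from the log above (not an official Radiator log grammar)
HANDLER_RE = re.compile(r"Handling request with Handler '(?P<handler>[^']*)'")
AUTHBY_RE = re.compile(r"Handling with Radius::\w+: (?P<ident>\S+)")
RESULT_RE = re.compile(r"AuthBy \w+ result: (?P<result>[A-Z]+),\s*(?P<reason>.*)$")
FINAL_RE = re.compile(r"Access (?P<final>accepted|rejected) for ")
NOT_HANDLED = "Not authenticated by this AuthBy"

def parse_requests(text):
    """Group each 'Handling request' block into handler, AuthBy chain and final verdict."""
    requests, current, pending = [], None, None
    for line in text.splitlines():
        if m := HANDLER_RE.search(line):
            current = {"handler": m.group("handler"), "chain": [], "final": None}
            requests.append(current)
        elif current is None:
            continue
        elif m := AUTHBY_RE.search(line):
            pending = m.group("ident")           # identifier of the AuthBy now running
        elif m := RESULT_RE.search(line):
            current["chain"].append((pending, m.group("result"), m.group("reason").strip()))
        elif m := FINAL_RE.search(line):
            current["final"] = m.group("final")
    return requests

def overriding_authby(req):
    """Identifier of a later AuthBy that turned an earlier ACCEPT into REJECT, else None."""
    accepted = False
    for ident, result, reason in req["chain"]:
        if result == "ACCEPT":
            accepted = True
        elif accepted and result == "REJECT" and NOT_HANDLED in reason:
            return ident
    return None

def report(text):
    # One line per request whose ACCEPT was overridden; empty when every chain is clean
    return [f"{r['handler']}: ACCEPT overridden by AuthBy {overriding_authby(r)} ({r['final']})"
            for r in parse_requests(text) if overriding_authby(r)]
```

Run `report()` over a Radiator debug log (Trace 4) to list the handlers whose AuthBy chain shows this pattern.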