[RADIATOR] A second handler just to add attributes gets PEAP tunneled requests rejected

Hugh Irvine hugh at open.com.au
Wed Sep 2 17:16:38 CDT 2009


Hello Jhonny -

You need to add "NoEAP" to your second AuthBy.

And you should be using the most recent Radiator 4.4 (plus patches).

regards

Hugh


On 2 Sep 2009, at 21:56, Jhonny Freire de Oliveira wrote:

> Hi,
>
> I’m trying to add VLAN definitions with a second AuthBy clause on a
> “per user basis”. This seems to work with TTLS (I’m not sure);
> unfortunately, it doesn’t for PEAP tunneled requests. I think I
> already came across someone with the same problem, but now I’m
> unable to find it. How can I fix this behavior?
>
> Wed Sep  2 11:35:51 2009: DEBUG: EAP result: 1, Not authenticated by this AuthBy
> Wed Sep  2 11:35:51 2009: DEBUG: AuthBy LDAP2 result: REJECT, Not authenticated by this AuthBy
> Wed Sep  2 11:35:51 2009: DEBUG: vlan-override-based-on-UL-realm-postauth VLAN ID PostAuthHook called
> Wed Sep  2 11:35:51 2009: INFO: Access rejected for testew3 at nic.ul.pt: Not authenticated by this AuthBy
> Wed Sep  2 11:35:51 2009: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Reject
>
> Later in the configuration I’m also trying to change the VLAN on a
> domain basis (if the LDAP attribute was not filled). I’m posting the
> hook here to share it with the community. Any suggestions are welcome.
>
>
> Configuration:
>
> (…)
> # Generic Auth
> <AuthBy NTLM>
>         Identifier Auth4Tunneled
>         UsernameFormat %U
>         DomainFormat %R
>         EAPType MSCHAP-V2
> </AuthBy>
>
> # To add vlan attributes
> <AuthBy LDAP2>
>         Identifier      LDAP_VLan_attr
>         Host            192.168.1.2 192.168.1.3
>         Port            3268
>         AuthDN          OU=eU,OU=Services,DC=ul,DC=pt
>         AuthPassword    XXXXXXXXXXXXXXX
>         BaseDN          DC=ul,DC=pt
>
>         ServerChecksPassword
>         UsernameAttr userPrincipalName
>         NoCheckPassword
>         AuthAttrDef extensionAttribute14,rad_vlan_attr,request
>
>         StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Filter-Id, cisco-avpair
>         AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=%{rad_vlan_attr}
>
>         NoDefault
> </AuthBy>
>
> <Handler  TunnelledByPEAP=1, Realm=nic.ul.pt, Client-Identifier=wism>
>         AuthByPolicy ContinueWhileAccept
>
>         AuthBy Auth4Tunneled
>         # Adding VLan config
>         AuthBy LDAP_VLan_attr
>
>         PostAuthHook file:"%D/hooks/vlan-override-based-on-UL-realm-postauth"
> </Handler>
> (…)
>
> Logs:
>
> (…)
> Wed Sep  2 11:35:51 2009: DEBUG: Handling request with Handler 'TunnelledByPEAP=1, Realm=nic.ul.pt, Client-Identifier=wism'
> Wed Sep  2 11:35:51 2009: DEBUG: SessionDB Deleting session for testew3 at nic.ul.pt, 10.99.4.221, 29
> Wed Sep  2 11:35:51 2009: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='10.99.4.221' and NASPORT=029':
> Wed Sep  2 11:35:51 2009: DEBUG: Handling with Radius::AuthNTLM: Auth4Tunneled
> Wed Sep  2 11:35:51 2009: DEBUG: Handling with EAP: code 2, 11, 2, 26
> Wed Sep  2 11:35:51 2009: DEBUG: Response type 26
> Wed Sep  2 11:35:51 2009: DEBUG: EAP result: 0,
> Wed Sep  2 11:35:51 2009: DEBUG: AuthBy NTLM result: ACCEPT,
> Wed Sep  2 11:35:51 2009: DEBUG: Handling with Radius::AuthLDAP2: LDAP_VLan_attr
> Wed Sep  2 11:35:51 2009: DEBUG: Handling with EAP: code 2, 11, 2, 26
> Wed Sep  2 11:35:51 2009: DEBUG: Response type 26
> Wed Sep  2 11:35:51 2009: DEBUG: EAP result: 1, Not authenticated by this AuthBy
> Wed Sep  2 11:35:51 2009: DEBUG: AuthBy LDAP2 result: REJECT, Not authenticated by this AuthBy
> Wed Sep  2 11:35:51 2009: DEBUG: vlan-override-based-on-UL-realm-postauth VLAN ID PostAuthHook called
> Wed Sep  2 11:35:51 2009: INFO: Access rejected for testew3 at nic.ul.pt: Not authenticated by this AuthBy
> Wed Sep  2 11:35:51 2009: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Reject
> Identifier: UNDEF
> Authentic:  X)<23><169>^<250><223><190><214><153><143>"s<199>>!
> Attributes:
>         EAP-Message = <3><11><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"
> (…)
>
> The Vlan override hook:
>
> # -*- mode: Perl -*-
> # vlan-override-based-on-UL-realm-postauth
> #
> #  PostAuthHook to change or add VLAN attributes
> # on a domain basis if needed
> #
> # Author: Jhonny Oliveira (joliveira at reitoria.ul.pt)
> # Nucleo de Informatica e Comunicacoes
> # Universidade de Lisboa
> #
>
> use strict;
> use warnings;
>
> sub
> {
>     my $p = ${$_[0]};
>     my $rp = ${$_[1]};
>     my $result = ${$_[2]};
>
>     my $ASCIIvlan;
>     my $binaryvlan;
>
>     my $identifier;
>     my $tag;
>
>     my %realmVlan;
>
>     # Keys must not carry trailing spaces, or the lookups below
>     # (including the "default" one) never match
>     $realmVlan{"somedomain1.ul.pt"}=40;
>     $realmVlan{"somedomain2.ul.pt"}=41;
>     $realmVlan{"somedomain3.ul.pt"}=42;
>     $realmVlan{"somedomain4.ul.pt"}=43;
>     $realmVlan{"default"}=100;
>
>     &main::log($main::LOG_DEBUG, "vlan-override-based-on-UL-realm-postauth VLAN ID PostAuthHook called");
>
>     $identifier = $p->{Client}->{Identifier};
>     # String comparison: '==' would compare both sides numerically
>     if (($result == $main::ACCEPT) && defined $identifier && ($identifier eq "wism"))
>     {
>         &main::log($main::LOG_DEBUG, "vlan-override: Getting VLAN ID");
>         $ASCIIvlan = $rp->get_attr('Tunnel-Private-Group-ID');
>
>         # The username is the EAP identity or the User-Name
>         my $username = $p->{EAPIdentity};
>         $username = $p->getUserName() unless defined $username;
>         &main::log($main::LOG_DEBUG, "vlan-override: Got username <$username>");
>
>         my $realm;
>         ($username, $realm) = split(/\@/, lc $username);
>         $realm = '' unless defined $realm;   # username without a realm
>         &main::log($main::LOG_DEBUG, "vlan-override: Got realm <$realm>");
>
>         my $newVlan = $realmVlan{$realm};
>         $newVlan = $realmVlan{"default"} unless defined $newVlan;
>
>         if (!defined $ASCIIvlan)
>         {
>             # Add attribute
>             &main::log($main::LOG_DEBUG, "vlan-override: Adding vlan attributes for vlan <$newVlan>");
>             $rp->add_attr('Tunnel-Type','VLAN');
>             $rp->add_attr('Tunnel-Medium-Type',802);
>             $rp->add_attr('Tunnel-Private-Group-ID', $newVlan);
>         }
>         # 'eq' tests for an empty value; an empty regex would not
>         elsif ( $ASCIIvlan =~ /^(\d+):(\s*)($realmVlan{"default"})$/ or $ASCIIvlan eq '')
>         {
>             # Either it is on the default VLAN or the LDAP attribute was not set
>             # Replace attribute
>             &main::log($main::LOG_DEBUG, "vlan-override: Replacing vlan tag <$ASCIIvlan> with <$newVlan>");
>             $rp->change_attr('Tunnel-Private-Group-ID', $newVlan);
>         }
>     }
>     return;
> }
>
> Cumprimentos,
> ____________________________________________________________________
> Jhonny Freire Oliveira    Núcleo de Informática e Comunicações da UL
> joliveira at reitoria.ul.pt  Reitoria da UL,  Alameda  da  Universidade
> Tel: +351 210170194       Campo Grande – 1649-004 Lisboa,   Portugal



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
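
An added example, not part of the original thread and not Radiator code: a small Python check that reads a trace 4 debug log in the format quoted above and reports any AuthBy that processed the EAP message again and rejected it after an earlier AuthBy in the same Handler pass had already accepted it, which is the situation the NoEAP advice addresses. The regular expressions assume the log wording shown in this thread, and the function names are hypothetical.

```python
import re

# Lines taken from the trace quoted above, with the mail-wrapped lines rejoined.
SAMPLE_TRACE = """\
Wed Sep  2 11:35:51 2009: DEBUG: Handling request with Handler 'TunnelledByPEAP=1, Realm=nic.ul.pt, Client-Identifier=wism'
Wed Sep  2 11:35:51 2009: DEBUG: Handling with Radius::AuthNTLM: Auth4Tunneled
Wed Sep  2 11:35:51 2009: DEBUG: Handling with EAP: code 2, 11, 2, 26
Wed Sep  2 11:35:51 2009: DEBUG: AuthBy NTLM result: ACCEPT,
Wed Sep  2 11:35:51 2009: DEBUG: Handling with Radius::AuthLDAP2: LDAP_VLan_attr
Wed Sep  2 11:35:51 2009: DEBUG: Handling with EAP: code 2, 11, 2, 26
Wed Sep  2 11:35:51 2009: DEBUG: AuthBy LDAP2 result: REJECT, Not authenticated by this AuthBy
"""

HANDLER = re.compile(r"Handling request with Handler '(.*)'")
AUTHBY = re.compile(r"Handling with Radius::(\w+):\s*(\S*)")
EAP = re.compile(r"Handling with EAP:")
RESULT = re.compile(r"AuthBy \w+ result: (\w+)")

def parse_requests(trace):
    """Group trace lines into (handler, [AuthBy step, ...]) pairs, one per Handler pass."""
    requests = []
    for line in trace.splitlines():
        if m := HANDLER.search(line):
            requests.append((m.group(1), []))
        elif m := AUTHBY.search(line):
            if not requests:  # trace starts in the middle of a request
                requests.append(("(unknown handler)", []))
            # Use the Identifier if the AuthBy has one, else the module name
            requests[-1][1].append({"id": m.group(2) or m.group(1), "eap": False, "result": None})
        elif requests and requests[-1][1]:
            step = requests[-1][1][-1]
            if EAP.search(line):
                step["eap"] = True  # this AuthBy tried to process the EAP message itself
            elif (m := RESULT.search(line)) and step["result"] is None:
                step["result"] = m.group(1)
    return requests

def authbys_needing_noeap(trace):
    """Return (handler, AuthBy id) for AuthBys that re-ran EAP and rejected after an EAP ACCEPT."""
    findings = []
    for handler, steps in parse_requests(trace):
        eap_accepted = False
        for step in steps:
            if eap_accepted and step["eap"] and step["result"] == "REJECT":
                findings.append((handler, step["id"]))
            eap_accepted = eap_accepted or (step["eap"] and step["result"] == "ACCEPT")
    return findings

print(authbys_needing_noeap(SAMPLE_TRACE))
```
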



