[RADIATOR] AuthBy-File cannot match user

Roel Hoek r.h.hoek at utwente.nl
Mon Aug 1 06:44:21 CDT 2011



Hi Heikki,

EAPAnonymous is set back to %u and EAPType is set to MSCHAP-V2.
Now, indeed, the user-name/identity is found in the users file, and is found in the LDAP server, but it now fails on EAP MSCHAP-V2 (no such user???).
This has, I think, something to do with MSCHAPv2 needing the whole username, including the realm, for the challenge and response. This works
with 'NoEAP', but not with EAPType MSCHAP-V2.


Code:       Access-Request
Identifier: UNDEF
Authentic:  <239>d<146>I.<193>%#<14><13><189><176><200>.<182>Y
Attributes:
        EAP-Message = <2><1><0>Q<26><2><1><0>L1<162>VxN6pv<15>|<129><140>Y<241>`<200><166><0><0><0><0><0><0><0><0>
<16><2>I<201>wr7<205><216><230>n<172><8>\<229>0{<219><160>@9<176>"<0>d3126217 at utwente.test2
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        NAS-IP-Address = 172.31.178.10
        NAS-Identifier = "wlc-1"
        NAS-Port = 13
        Calling-Station-Id = "00271026a434"
        User-Name = "jupiter at utwente.test2"

Mon Aug  1 12:15:31 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
Mon Aug  1 12:15:31 2011: DEBUG: Handling with Radius::AuthFILE:
Mon Aug  1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
Mon Aug  1 12:15:31 2011: DEBUG: Response type 26
Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
Mon Aug  1 12:15:31 2011: DEBUG: Reading users file /etc/radiator//users-wlan-peap
Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthFILE looks for match with d3126217 [jupiter at utwente.test2]
Mon Aug  1 12:15:31 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
Mon Aug  1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
Mon Aug  1 12:15:31 2011: DEBUG: Response type 26
Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
Mon Aug  1 12:15:31 2011: INFO: Connecting to oid.utwente.nl:389
Mon Aug  1 12:15:31 2011: INFO: Attempting to bind to LDAP server oid.utwente.nl:389
Mon Aug  1 12:15:31 2011: DEBUG: LDAP got result for uid=d3126217, ou=Employees, cn=Users, o=university of twente,c=nl
Mon Aug  1 12:15:31 2011: DEBUG: LDAP got chappassword: {rcrypt}bla bla bla
Mon Aug  1 12:15:31 2011: DEBUG: LDAP got orclisenabled: ENABLED
Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [jupiter at utwente.test2]
Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [jupiter at utwente.test2]
Mon Aug  1 12:15:31 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP V2 Challenge: Success: d3126217 [jupiter at utwente.test2]
Mon Aug  1 12:15:31 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user d3126217
Mon Aug  1 12:15:31 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 failed: no such user d3126217
Mon Aug  1 12:15:31 2011: INFO: Access rejected for jupiter at utwente.test2: EAP MSCHAP V2 failed: no such user d3126217
Mon Aug  1 12:15:32 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Reject


On 2011-07-30 08:19, Heikki Vatiainen wrote:
> On 07/29/2011 04:12 PM, Roel Hoek wrote:
> 
>> Thanks for your comment, although it did not work.
>> I changed EAPAnonymous to %0. But now Username is "" and no handler can be found.
> 
> Unfortunately that's true. Taking another look at the configuration, the
> reason for this is the NoEAP option. Since EAP is not run for the inner
> authentication, the EAP identity will not be available.
> 
> Going back to your original configuration, would replacing "NoEAP" with
> "EAPType MSCHAP-V2" work? EAP MSCHAP-V2 will work fine with AuthBy FILE.
> 
> Thanks!
> Heikki
> 
> 
>> Fri Jul 29 13:32:06 2011: DEBUG: Handling request with Handler 'Realm=/utwente.test|utwente.test2/,
>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/', Identifier 'WLAN-OUTER-TEST'
>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with Radius::AuthFILE:
>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with EAP: code 2, 9, 112, 25
>> Fri Jul 29 13:32:06 2011: DEBUG: Response type 25
>> Fri Jul 29 13:32:06 2011: DEBUG: EAP PEAP inner authentication request for
>> Fri Jul 29 13:32:06 2011: DEBUG: PEAP Tunnelled request Packet dump:
>> Code:       Access-Request
>> Identifier: UNDEF
>> Authentic:  <177>6<209>Wz<163><198><243><230>M<179><134><155><15><207><163>
>> Attributes:
>>         EAP-Message = <2><0><0><27><1>d3126217 at utwente.test2
>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>         NAS-IP-Address = 172.31.178.10
>>         NAS-Identifier = "wlc-1"
>>         NAS-Port = 13
>>         Calling-Station-Id = "00271026a434"
>>         User-Name = ""
>> Fri Jul 29 13:32:06 2011: DEBUG: EAP result: 1, No Handler for PEAP inner authentication
>> Fri Jul 29 13:32:06 2011: DEBUG: AuthBy FILE result: REJECT, No Handler for PEAP inner authentication
>> Fri Jul 29 13:32:06 2011: INFO: Access rejected for jupiter at utwente.test2: No Handler for PEAP inner authentication
>> Fri Jul 29 13:32:06 2011: DEBUG: Packet dump:
>> *** Sending to 172.31.178.10 port 32770 ....
>> Code:       Access-Reject
>>
>> -------------------------------------------------------------------
>> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>                 AuthByPolicy ContinueWhileReject
>>                 AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>>                         <AuthBy FILE>
>>                                 RewriteUsername s/^([^@]+).*/$1/
>>                                 RewriteUsername s/^\s*//
>>                                 RewriteUsername s/\s*$//
>>                                 Filename %D/users-wlan-peap
>>                                 NoEAP
>>                        </AuthBy>
>>         AuthLog authlogging-wlan-peap
>>         Identifier PEAP-inner-utwente-test2
>>         Description WLAN
>>         AuthLog authlogging-tent
>> </Handler>
>>
>> <Handler Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
>>         <AuthBy FILE>
>>                 EAPType TTLS,PEAP
>>                 EAPTLS_CAFile
>>                 EAPTLS_CertificateFile
>>                 EAPTLS_CertificateType PEM
>>                 EAPTLS_PrivateKeyFile
>>                 EAPTLS_PrivateKeyPassword
>>                 EAPTLS_MaxFragmentSize 1024
>>                 EAPTLS_SessionResumption 0
>>                 AutoMPPEKeys
>>                 EAPTLS_PEAPBrokenV1Label
>>                 EAPTTLS_NoAckRequired
>>                 # %U (and %u (with realm)) are the inner-auth username for PEAP
>>                 #EAPAnonymous %u
>>                 EAPAnonymous %0
>>         </AuthBy>
>>         AuthLog authlogging-wlan
>>         Identifier WLAN-OUTER-TEST
>>         Description WLAN
>>         AuthLog authlogging-tent
>> </Handler>
>>
>>> On 07/26/2011 06:14 PM, Roel Hoek wrote:
>>
>>> Hello Roel,
>>
>>>> We experience a problem with a handler for authenticating wireless-lan users. AuthBy-File for a PEAP-mschapV2 cannot match a user if
>>>> the outer and inner identity are not equal (normal situation).
>>>> It looks like the userfile is searched by the outer-identity, although the inner-identity is used for authentication via LDAP.
>>
>>> Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section
>>> "5.19.24 EAPAnonymous" for more info about EAPAnonymous.
>>
>>> Your inner Handler has AuthBy FILE clause with NoEAP. Radiator will then
>>> use User-Name attribute instead of EAP Identity to do the authentication.
>>
>>> With EAPAnonymous you can set the inner request User-Name the same as
>>> the EAP Identity is.
>>
>>> Please let us know if this works for you.
>>
>>> Thanks!
>>> Heikki
>>
>>
> 


-- 

Met vriendelijke groeten,

Roel Hoek
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
Telephone +31 53 489 4598, Fax +31 53 489 2383
R.H.Hoek at utwente.nl; http://www.utwente.nl/icts
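Added example, not from this thread or from Radiator: a Python rendering of the three RewriteUsername rules quoted in the inner <AuthBy FILE> clause, run over constructed debug lines modelled on the log above (with "@" restored where the list archive printed " at "), to show why the file lookup searched for d3126217 while the request's User-Name was jupiter, and to flag any lookup where the inner and outer identities name different users.

```python
import re

# Perl substitutions from the quoted <AuthBy FILE>, as (pattern, replacement) pairs.
REWRITE_RULES = [
    (r"^([^@]+).*", r"\1"),  # s/^([^@]+).*/$1/  keep the part before '@'
    (r"^\s*", ""),           # s/^\s*//          strip leading whitespace
    (r"\s*$", ""),           # s/\s*$//          strip trailing whitespace
]

# Matches Radiator's "Radius::<AuthBy> looks for match with <inner> [<outer>]" line.
LOOKUP_RE = re.compile(
    r"Radius::(?P<authby>\w+) looks for match with (?P<inner>\S+) \[(?P<outer>[^\]]*)\]"
)

def rewrite_username(name):
    """Apply the RewriteUsername rules in order, one substitution each."""
    for pattern, repl in REWRITE_RULES:
        name = re.sub(pattern, repl, name, count=1)
    return name

def audit_lookups(log_lines):
    """Return (authby, inner, outer, mismatch) per lookup line.

    inner is the identity the AuthBy searched for, outer the request's
    User-Name; mismatch is True when they differ after realm stripping."""
    results = []
    for line in log_lines:
        m = LOOKUP_RE.search(line)
        if not m:
            continue
        inner = rewrite_username(m["inner"])
        outer = rewrite_username(m["outer"])
        results.append((m["authby"], inner, outer, inner != outer))
    return results

# Constructed sample lines modelled on the thread's debug output.
SAMPLE_LOG = [
    "Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217",
    "Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthFILE looks for match with d3126217 [jupiter@utwente.test2]",
    "Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [jupiter@utwente.test2]",
    "Mon Aug  1 12:20:02 2011: DEBUG: Radius::AuthFILE looks for match with d3126217 [d3126217@utwente.test2]",
]

if __name__ == "__main__":
    for authby, inner, outer, mismatch in audit_lookups(SAMPLE_LOG):
        print(f"{authby:9} inner={inner} outer={outer} {'MISMATCH' if mismatch else 'ok'}")
```

The first two sample lines reproduce the thread's situation: the users file is searched for the EAP identity d3126217 while the outer User-Name is jupiter, which is why a NoEAP lookup keyed on User-Name found nothing.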

