[RADIATOR] AuthBy-File cannot match user

Heikki Vatiainen hvn at open.com.au
Mon Aug 1 15:42:20 CDT 2011


On 08/01/2011 02:44 PM, Roel Hoek wrote:

Hello Roel,

> EAPAnonymous is set back to %u and EAPType is set to MSCHAP-V2
> Now, indeed, the user-name/identity is found in the users-file, and is found in the LDAP-server, but now failed on EAP MSCHAP V2 (no
> such user???)

Hmm, I was able to recreate this with two simple AuthBy FILEs too.
However, I did not dig deeper to see why it fails.

> This has, I think, something to do with mschapv2 needing the whole username, including the realm, for the challenge and response. This works
> with 'NoEAP', but not with EAPType MSCHAP-V2.

Can you restructure your configuration a little? The restructuring would
put two AuthBys into the PEAP inner Handler. The first does EAP and the
LDAP check, while the second gets the attributes from the file after a
successful LDAP check.

Something like this should do it:

# WLAN (utwente.test2) inner authentication (PEAP)
#
<Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
   AuthByPolicy ContinueWhileAccept
   <AuthBy LDAP2>
       Identifier productieoid-peap
       EAPType MSCHAP-V2
       # Rest of the config
   </AuthBy>
   <AuthBy FILE>
       Identifier add-vlan-attributes
       Filename %D/users-wlan-peap
       NoCheckPassword
       NoEAP
   </AuthBy>

   # Rest of the Handler
</Handler>

The file users-wlan-peap would be the same as currently but without the
Auth-Type check items:

d3126217
         Tunnel-Type = 1:VLAN,
         Tunnel-Medium-Type = 1:Ether_802,
         Tunnel-Private-Group-ID = 1:131,
         Login-LAT-Group = "qnet"

# Rest of users-wlan-peap

This should still collect the user-specific VLAN attributes but
otherwise do the authentication the same way for all users.

Please let us know how this works.

Thanks!
Heikki


> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <239>d<146>I.<193>%#<14><13><189><176><200>.<182>Y
> Attributes:
>         EAP-Message = <2><1><0>Q<26><2><1><0>L1<162>VxN6pv<15>|<129><140>Y<241>`<200><166><0><0><0><0><0><0><0><0>
> <16><2>I<201>wr7<205><216><230>n<172><8>\<229>0{<219><160>@9<176>"<0>d3126217@utwente.test2
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = 172.31.178.10
>         NAS-Identifier = "wlc-1"
>         NAS-Port = 13
>         Calling-Station-Id = "00271026a434"
>         User-Name = "jupiter@utwente.test2"
> 
> Mon Aug  1 12:15:31 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
> Mon Aug  1 12:15:31 2011: DEBUG: Handling with Radius::AuthFILE:
> Mon Aug  1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
> Mon Aug  1 12:15:31 2011: DEBUG: Response type 26
> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
> Mon Aug  1 12:15:31 2011: DEBUG: Reading users file /etc/radiator//users-wlan-peap
> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthFILE looks for match with d3126217 [jupiter@utwente.test2]
> Mon Aug  1 12:15:31 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
> Mon Aug  1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
> Mon Aug  1 12:15:31 2011: DEBUG: Response type 26
> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
> Mon Aug  1 12:15:31 2011: INFO: Connecting to oid.utwente.nl:389
> Mon Aug  1 12:15:31 2011: INFO: Attempting to bind to LDAP server oid.utwente.nl:389
> Mon Aug  1 12:15:31 2011: DEBUG: LDAP got result for uid=d3126217, ou=Employees, cn=Users, o=university of twente,c=nl
> Mon Aug  1 12:15:31 2011: DEBUG: LDAP got chappassword: {rcrypt}bla bla bla
> Mon Aug  1 12:15:31 2011: DEBUG: LDAP got orclisenabled: ENABLED
> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [jupiter@utwente.test2]
> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [jupiter@utwente.test2]
> Mon Aug  1 12:15:31 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP V2 Challenge: Success: d3126217 [jupiter@utwente.test2]
> Mon Aug  1 12:15:31 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user d3126217
> Mon Aug  1 12:15:31 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 failed: no such user d3126217
> Mon Aug  1 12:15:31 2011: INFO: Access rejected for jupiter@utwente.test2: EAP MSCHAP V2 failed: no such user d3126217
> Mon Aug  1 12:15:32 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Reject
> 
> 
> On 2011-07-30 08:19, Heikki Vatiainen wrote:
>> On 07/29/2011 04:12 PM, Roel Hoek wrote:
> 
>>> Thanks for your comment. Although it did not work.
>>> I changed EAPAnonymous to %0. But now Username is "" and no handler can be found.
> 
>> Unfortunately that's true. Taking another look at the configuration, the
>> reason for this is the NoEAP option. Since EAP is not run for the inner
>> authentication, the EAP identity will not be available.
> 
>> Going back to your original configuration, would replacing "NoEAP" with
>> "EAPType MSCHAP-V2" work? EAP MSCHAP-V2 will work fine with AuthBy FILE.
> 
>> Thanks!
>> Heikki
> 
> 
>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling request with Handler 'Realm=/utwente.test|utwente.test2/,
>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/', Identifier 'WLAN-OUTER-TEST'
>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with Radius::AuthFILE:
>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with EAP: code 2, 9, 112, 25
>>> Fri Jul 29 13:32:06 2011: DEBUG: Response type 25
>>> Fri Jul 29 13:32:06 2011: DEBUG: EAP PEAP inner authentication request for
>>> Fri Jul 29 13:32:06 2011: DEBUG: PEAP Tunnelled request Packet dump:
>>> Code:       Access-Request
>>> Identifier: UNDEF
>>> Authentic:  <177>6<209>Wz<163><198><243><230>M<179><134><155><15><207><163>
>>> Attributes:
>>>         EAP-Message = <2><0><0><27><1>d3126217@utwente.test2
>>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>         NAS-IP-Address = 172.31.178.10
>>>         NAS-Identifier = "wlc-1"
>>>         NAS-Port = 13
>>>         Calling-Station-Id = "00271026a434"
>>>         User-Name = ""
>>> Fri Jul 29 13:32:06 2011: DEBUG: EAP result: 1, No Handler for PEAP inner authentication
>>> Fri Jul 29 13:32:06 2011: DEBUG: AuthBy FILE result: REJECT, No Handler for PEAP inner authentication
>>> Fri Jul 29 13:32:06 2011: INFO: Access rejected for jupiter@utwente.test2: No Handler for PEAP inner authentication
>>> Fri Jul 29 13:32:06 2011: DEBUG: Packet dump:
>>> *** Sending to 172.31.178.10 port 32770 ....
>>> Code:       Access-Reject
>>>
>>> -------------------------------------------------------------------
>>> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>>         AuthByPolicy ContinueWhileReject
>>>         AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>>>         <AuthBy FILE>
>>>                 RewriteUsername s/^([^@]+).*/$1/
>>>                 RewriteUsername s/^\s*//
>>>                 RewriteUsername s/\s*$//
>>>                 Filename %D/users-wlan-peap
>>>                 NoEAP
>>>         </AuthBy>
>>>         AuthLog authlogging-wlan-peap
>>>         Identifier PEAP-inner-utwente-test2
>>>         Description WLAN
>>>         AuthLog authlogging-tent
>>> </Handler>
>>>
>>> <Handler Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
>>>         <AuthBy FILE>
>>>                 EAPType TTLS,PEAP
>>>                 EAPTLS_CAFile
>>>                 EAPTLS_CertificateFile
>>>                 EAPTLS_CertificateType PEM
>>>                 EAPTLS_PrivateKeyFile
>>>                 EAPTLS_PrivateKeyPassword
>>>                 EAPTLS_MaxFragmentSize 1024
>>>                 EAPTLS_SessionResumption 0
>>>                 AutoMPPEKeys
>>>                 EAPTLS_PEAPBrokenV1Label
>>>                 EAPTTLS_NoAckRequired
>>>                 # %U (and %u (with realm)) are the inner-auth username for PEAP
>>>                 #EAPAnonymous %u
>>>                 EAPAnonymous %0
>>>         </AuthBy>
>>>         AuthLog authlogging-wlan
>>>         Identifier WLAN-OUTER-TEST
>>>         Description WLAN
>>>         AuthLog authlogging-tent
>>> </Handler>
>>>
>>>> On 07/26/2011 06:14 PM, Roel Hoek wrote:
>>>
>>>> Hello Roel,
>>>
>>>>> We experience a problem with a handler for authenticating wireless-lan users. AuthBy-File for a PEAP-mschapV2 cannot match a user if
>>>>> the outer and inner identity are not equal (normal situation).
>>>>> It looks like the userfile is searched by the outer-identity, although the inner-identity is used for authentication via LDAP.
>>>
>>>> Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section
>>>> "5.19.24 EAPAnonymous" for more info about EAPAnonymous.
>>>
>>>> Your inner Handler has AuthBy FILE clause with NoEAP. Radiator will then
>>>> use User-Name attribute instead of EAP Identity to do the authentication.
>>>
>>>> With EAPAnonymous you can set the inner request User-Name the same as
>>>> the EAP Identity is.
>>>
>>>> Please let us know if this works for you.
>>>
>>>> Thanks!
>>>> Heikki
>>>
>>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> 

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
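The mechanism the whole thread turns on, as an added example that is not part of the original messages and not Radiator code: a small Python model of the PEAP inner Handler, using the RewriteUsername rules and the users-wlan-peap entry quoted above, a constructed directory in place of oid.utwente.nl, and the EAP MSCHAP-V2 exchange reduced to a password comparison on the EAP Identity. It shows why the first configuration searched the users file for the outer name (with NoEAP, AuthBy FILE matches on the inner request's User-Name, which EAPAnonymous %u fills with the outer identity and %0 leaves empty, so no Realm Handler matches), and why the two-AuthBy layout under ContinueWhileAccept only attaches the VLAN attributes once the inner identity has authenticated. The model assumes that after the EAP AuthBy has accepted, the following AuthBy sees the authenticated EAP identity as User-Name, as the "Rewrote identity to d3126217" log lines suggest; that is an assumption about Radiator, not something the thread states. Passwords and the directory contents are constructed.

```python
"""Model of the PEAP inner Handler discussed in the thread (added example, not
Radiator code). It reproduces three behaviours the thread turns on:
  - NoEAP: AuthBy FILE matches on the inner request's User-Name, which
    EAPAnonymous fills (%u = outer name, %0 = empty); without NoEAP the EAP
    Identity is matched, after the Handler's RewriteUsername rules;
  - AuthByPolicy ContinueWhileReject versus ContinueWhileAccept;
  - assumption of this model: after an EAP AuthBy accepts, the next AuthBy
    sees the authenticated EAP identity as User-Name.
"""
import re

# Constructed users-wlan-peap with the shape shown in the thread (no check items).
USERS_WLAN_PEAP = """\
d3126217
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:131,
        Login-LAT-Group = "qnet"
"""
LDAP_USERS = {"d3126217": "correct horse"}  # constructed stand-in for the directory
REWRITES = [r"s/^([^@]+).*/$1/", r"s/^\s*//", r"s/\s*$//"]  # RewriteUsername lines


def parse_users_file(text):
    """Users file: a name at column 0, then indented comma-separated reply items."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            current = line.split()[0]
            users[current] = {}
        else:
            for item in line.strip().rstrip(",").split(","):
                key, _, value = item.partition("=")
                users[current][key.strip()] = value.strip().strip('"')
    return users


def rewrite_username(name, rules):
    """Apply Perl-style s/pattern/replacement/ rules the way RewriteUsername does."""
    for rule in rules:
        _, pattern, repl, _ = rule.split("/")
        name = re.sub(pattern, re.sub(r"\$(\d+)", r"\\\1", repl), name)
    return name


def lookup_name(request, no_eap):
    """NoEAP matches on User-Name; otherwise the EAP Identity is used."""
    raw = request["User-Name"] if no_eap else request["EAP-Identity"]
    return rewrite_username(raw, REWRITES)


def authby_file(request, users, no_eap, no_check_password):
    """Returns (result, reply attributes, reason, authenticated identity)."""
    name = lookup_name(request, no_eap)
    if name not in users:
        return "REJECT", {}, "no such user %s" % name, None
    if not no_check_password:  # the file holds no password, so a check must fail
        return "REJECT", {}, "no password for %s" % name, None
    return "ACCEPT", dict(users[name]), "", name


def authby_ldap_mschapv2(request, directory):
    """EAP MSCHAP-V2 against LDAP, reduced to a password comparison on the EAP
    Identity; the real method is a challenge/response, but the identity it
    binds the result to is the inner one either way."""
    name = lookup_name(request, no_eap=False)
    if directory.get(name) != request["Password"]:
        return "REJECT", {}, "EAP MSCHAP V2 failed: %s" % name, None
    return "ACCEPT", {}, "", name


def handler(request, authbys, policy):
    """Run the AuthBys under AuthByPolicy, accumulating reply attributes.
    Realm selection on User-Name is modelled because EAPAnonymous %0 broke it."""
    if "@" not in request["User-Name"]:
        return "REJECT", {}, "No Handler for PEAP inner authentication"
    request = dict(request)
    result, reply, reason = "REJECT", {}, "no AuthBy ran"
    continue_on = {"ContinueWhileAccept": "ACCEPT", "ContinueWhileReject": "REJECT"}[policy]
    for authby in authbys:
        result, attrs, reason, identity = authby(request)
        reply.update(attrs)
        if identity:  # model assumption, see the docstring at the top
            request["User-Name"] = identity
        if result != continue_on:
            break
    return result, (reply if result == "ACCEPT" else {}), reason


def original_config(request):
    """The thread's first inner Handler: one AuthBy FILE with NoEAP."""
    users = parse_users_file(USERS_WLAN_PEAP)
    return handler(request, [lambda r: authby_file(r, users, True, False)],
                   "ContinueWhileReject")


def restructured_config(request):
    """Heikki's layout: EAP MSCHAP-V2 via LDAP first, then AuthBy FILE with
    NoCheckPassword and NoEAP that only attaches the VLAN attributes."""
    users = parse_users_file(USERS_WLAN_PEAP)
    return handler(request, [lambda r: authby_ldap_mschapv2(r, LDAP_USERS),
                             lambda r: authby_file(r, users, True, True)],
                   "ContinueWhileAccept")


# Inner request as in the thread's dump: outer name jupiter@..., inner d3126217@...
INNER_REQUEST = {"User-Name": "jupiter@utwente.test2",
                 "EAP-Identity": "d3126217@utwente.test2", "Password": "correct horse"}

if __name__ == "__main__":
    print(original_config(INNER_REQUEST))                             # REJECT, no such user jupiter
    print(original_config(dict(INNER_REQUEST, **{"User-Name": ""})))  # No Handler
    print(restructured_config(INNER_REQUEST))                         # ACCEPT with VLAN 131
    print(restructured_config(dict(INNER_REQUEST, Password="wrong"))) # REJECT, no attributes
```

The point worth checking in any such setup: the outer identity is chosen by the supplicant and is never authenticated, so attributes that carry authorization (Tunnel-Private-Group-ID and the rest of the VLAN set) must be keyed on the inner identity that the EAP method actually verified, as the second layout does, and never on the outer User-Name. The model also shows that under ContinueWhileAccept a failed LDAP check stops the chain, so a reject carries no VLAN attributes at all.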