[RADIATOR] AuthBy-File cannot match user
Roel Hoek
r.h.hoek at utwente.nl
Tue Aug 2 05:39:47 CDT 2011
Hello Heikki,
I changed the config as proposed. The <AuthBy LDAP2> is handled with success, but the second handler, <AuthBy FILE> fails again.
(AuthFILE REJECT: No such user: jupiter at utwente.test2 [jupiter at utwente.test2])
EAPAnonymous in the EAP-outer handler is %u. With %0 the Username is "" and no handler can be found.
Tue Aug 2 11:41:05 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
Tue Aug 2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
Tue Aug 2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
Tue Aug 2 11:41:05 2011: DEBUG: Response type 26
Tue Aug 2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
Tue Aug 2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
Tue Aug 2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
Tue Aug 2 11:41:05 2011: INFO: Connecting to oid.utwente.nl:389
Tue Aug 2 11:41:05 2011: INFO: Attempting to bind to LDAP server oid.utwente.nl:389
Tue Aug 2 11:41:05 2011: DEBUG: LDAP got result for uid=d3126217,<...>
Tue Aug 2 11:41:05 2011: DEBUG: LDAP got chappassword: {rcrypt}blablabla
Tue Aug 2 11:41:05 2011: DEBUG: LDAP got orclisenabled: ENABLED
Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [jupiter at utwente.test2]
Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [jupiter at utwente.test2]
Tue Aug 2 11:41:05 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Tue Aug 2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Tue Aug 2 11:41:05 2011: DEBUG: Access challenged for jupiter at utwente.test2: EAP MSCHAP V2 Challenge: Success
Tue Aug 2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Challenge
.
.
.
Code: Access-Request
Identifier: UNDEF
Authentic: N<162><150>qf<254><242>:<4>'<14>n<245><251><191><147>
Attributes:
EAP-Message = <2><2><0><6><26><3>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = 172.31.178.10
NAS-Identifier = "wlc-1"
NAS-Port = 13
Calling-Station-Id = "00271026a434"
User-Name = "jupiter at utwente.test2"
Tue Aug 2 11:41:05 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
Tue Aug 2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
Tue Aug 2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 2, 6, 26
Tue Aug 2 11:41:05 2011: DEBUG: Response type 26
Tue Aug 2 11:41:05 2011: DEBUG: EAP result: 0,
Tue Aug 2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: ACCEPT,
Tue Aug 2 11:41:05 2011: DEBUG: Handling with Radius::AuthFILE: add-vlan-attributes
Tue Aug 2 11:41:05 2011: DEBUG: Reading users file /etc/radiator//users-wlan-peap_v3
Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with jupiter at utwente.test2 [jupiter at utwente.test2]
Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE REJECT: No such user: jupiter at utwente.test2 [jupiter at utwente.test2]
Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with DEFAULT [jupiter at utwente.test2]
Tue Aug 2 11:41:05 2011: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [jupiter at utwente.test2]
Tue Aug 2 11:41:05 2011: DEBUG: AuthBy FILE result: ACCEPT,
Tue Aug 2 11:41:05 2011: DEBUG: Access accepted for jupiter at utwente.test2
Tue Aug 2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Accept
-----------------------------------------------------------------------------------------------------------------
# WLAN (utwente.test2) inner authentication (PEAP)
#
<Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
    AuthByPolicy ContinueWhileAccept
    AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
    <AuthBy LDAP2>
        Identifier productieoid-peap
        EAPType MSCHAP-V2
        # Rest of the config
        Version 2
        Host <.>
        BindAddress <.>
        FailureBackoffTime 10
        AuthDN <.>
        AuthPassword <.>
        BaseDN <.>
        RcryptKey <.>
        RewriteUsername s/^([^@]+).*/$1/
        RewriteUsername s/^\s*//
        RewriteUsername s/\s*$//
        UsernameAttr <.>
        PasswordAttr <.>
        AuthAttrDef orclisenabled, OIDactive, request
    </AuthBy>
    <AuthBy FILE>
        Identifier add-vlan-attributes
        Filename %D/users-wlan-peap_v3
        NoCheckPassword
        NoEAP
    </AuthBy>
    AuthLog authlogging-wlan-peap
    Identifier PEAP-inner-utwente-test2
    Description WLAN
    AuthLog authlogging-tent
</Handler>
-----------------------------------------------------------------------------------------------------------------
users-wlan-peap_v3:
DEFAULT
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:125
d3126217
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:131,
        Login-LAT-Group = "qnet"
.
.
.
On 2011-08-01 22:42, Heikki Vatiainen wrote:
> On 08/01/2011 02:44 PM, Roel Hoek wrote:
>
> Hello Roel,
>
>> EAPAnonymous is set back to %u and EAPType is set to MSCHAP-V2
>> Now, indeed, the user-name/identity is found in the users-file, and is found in the LDAP-server, but now failed on EAP MSCHAP V2 (no
>> such user???)
>
> Hmm, I was able to recreate this with two simple AuthBy FILEs too.
> However, I did not dig deeper to see why it fails.
>
>> This has, I think, something to do with mschapv2 needing the whole username including the realm for the challenge and response. This works
>> with 'NoEAP', but not with EAPType MSCHAP-V2.
>
> Can you restructure your configuration a little? The restructure would
> put two AuthBys into the PEAP inner Handler. The first does EAP and is
> the LDAP check, while the second gets the attributes from the file after
> a successful LDAP check.
>
> Something like this should do it:
>
> # WLAN (utwente.test2) inner authentication (PEAP)
> #
> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>     AuthByPolicy ContinueWhileAccept
>     <AuthBy LDAP2>
>         Identifier productieoid-peap
>         EAPType MSCHAP-V2
>         # Rest of the config
>     </AuthBy>
>     <AuthBy FILE>
>         Identifier add-vlan-attributes
>         Filename %D/users-wlan-peap
>         NoCheckPassword
>         NoEAP
>     </AuthBy>
>
>     # Rest of the Handler
> </Handler>
>
> The file users-wlan-peap would be the same as currently but without the
> Auth-Type check items:
>
> d3126217
>         Tunnel-Type = 1:VLAN,
>         Tunnel-Medium-Type = 1:Ether_802,
>         Tunnel-Private-Group-ID = 1:131,
>         Login-LAT-Group = "qnet"
>
> # Rest of users-wlan-peap
>
> This should still collect the user-specific VLAN attributes but
> otherwise do the authentication the same for all users.
>
> Please let us know how this works.
>
> Thanks!
> Heikki
>
>
>> Code: Access-Request
>> Identifier: UNDEF
>> Authentic: <239>d<146>I.<193>%#<14><13><189><176><200>.<182>Y
>> Attributes:
>> EAP-Message = <2><1><0>Q<26><2><1><0>L1<162>VxN6pv<15>|<129><140>Y<241>`<200><166><0><0><0><0><0><0><0><0>
>> <16><2>I<201>wr7<205><216><230>n<172><8>\<229>0{<219><160>@9<176>"<0>d3126217 at utwente.test2
>> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> NAS-IP-Address = 172.31.178.10
>> NAS-Identifier = "wlc-1"
>> NAS-Port = 13
>> Calling-Station-Id = "00271026a434"
>> User-Name = "jupiter at utwente.test2"
>>
>> Mon Aug 1 12:15:31 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with Radius::AuthFILE:
>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>> Mon Aug 1 12:15:31 2011: DEBUG: Response type 26
>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>> Mon Aug 1 12:15:31 2011: DEBUG: Reading users file /etc/radiator//users-wlan-peap
>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthFILE looks for match with d3126217 [jupiter at utwente.test2]
>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
>> Mon Aug 1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>> Mon Aug 1 12:15:31 2011: DEBUG: Response type 26
>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>> Mon Aug 1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>> Mon Aug 1 12:15:31 2011: INFO: Connecting to oid.utwente.nl:389
>> Mon Aug 1 12:15:31 2011: INFO: Attempting to bind to LDAP server oid.utwente.nl:389
>> Mon Aug 1 12:15:31 2011: DEBUG: LDAP got result for uid=d3126217, ou=Employees, cn=Users, o=university of twente,c=nl
>> Mon Aug 1 12:15:31 2011: DEBUG: LDAP got chappassword: {rcrypt}bla bla bla
>> Mon Aug 1 12:15:31 2011: DEBUG: LDAP got orclisenabled: ENABLED
>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [jupiter at utwente.test2]
>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [jupiter at utwente.test2]
>> Mon Aug 1 12:15:31 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
>> Mon Aug 1 12:15:31 2011: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP V2 Challenge: Success: d3126217 [jupiter at utwente.test2]
>> Mon Aug 1 12:15:31 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user d3126217
>> Mon Aug 1 12:15:31 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 failed: no such user d3126217
>> Mon Aug 1 12:15:31 2011: INFO: Access rejected for jupiter at utwente.test2: EAP MSCHAP V2 failed: no such user d3126217
>> Mon Aug 1 12:15:32 2011: DEBUG: Returned PEAP tunnelled packet dump:
>> Code: Access-Reject
>>
>>
>> On 2011-07-30 08:19, Heikki Vatiainen wrote:
>>> On 07/29/2011 04:12 PM, Roel Hoek wrote:
>>
>>>> Thanks for your comment, although it did not work.
>>>> I changed EAPAnonymous to %0. But now the Username is "" and no handler can be found.
>>
>>> Unfortunately that's true. Taking another look at the configuration, the
>>> reason for this is the NoEAP option. Since EAP is not run for the inner
>>> authentication, the EAP identity will not be available.
>>
>>> Going back to your original configuration, would replacing "NoEAP" with
>>> "EAPType MSCHAP-V2" work? EAP MSCHAP-V2 will work fine with AuthBy FILE.
>>
>>> Thanks!
>>> Heikki
>>
>>
>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling request with Handler 'Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/', Identifier 'WLAN-OUTER-TEST'
>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with Radius::AuthFILE:
>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with EAP: code 2, 9, 112, 25
>>>> Fri Jul 29 13:32:06 2011: DEBUG: Response type 25
>>>> Fri Jul 29 13:32:06 2011: DEBUG: EAP PEAP inner authentication request for
>>>> Fri Jul 29 13:32:06 2011: DEBUG: PEAP Tunnelled request Packet dump:
>>>> Code: Access-Request
>>>> Identifier: UNDEF
>>>> Authentic: <177>6<209>Wz<163><198><243><230>M<179><134><155><15><207><163>
>>>> Attributes:
>>>> EAP-Message = <2><0><0><27><1>d3126217 at utwente.test2
>>>> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>> NAS-IP-Address = 172.31.178.10
>>>> NAS-Identifier = "wlc-1"
>>>> NAS-Port = 13
>>>> Calling-Station-Id = "00271026a434"
>>>> User-Name = ""
>>>> Fri Jul 29 13:32:06 2011: DEBUG: EAP result: 1, No Handler for PEAP inner authentication
>>>> Fri Jul 29 13:32:06 2011: DEBUG: AuthBy FILE result: REJECT, No Handler for PEAP inner authentication
>>>> Fri Jul 29 13:32:06 2011: INFO: Access rejected for jupiter at utwente.test2: No Handler for PEAP inner authentication
>>>> Fri Jul 29 13:32:06 2011: DEBUG: Packet dump:
>>>> *** Sending to 172.31.178.10 port 32770 ....
>>>> Code: Access-Reject
>>>>
>>>> -------------------------------------------------------------------
>>>> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>>>     AuthByPolicy ContinueWhileReject
>>>>     AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>>>>     <AuthBy FILE>
>>>>         RewriteUsername s/^([^@]+).*/$1/
>>>>         RewriteUsername s/^\s*//
>>>>         RewriteUsername s/\s*$//
>>>>         Filename %D/users-wlan-peap
>>>>         NoEAP
>>>>     </AuthBy>
>>>>     AuthLog authlogging-wlan-peap
>>>>     Identifier PEAP-inner-utwente-test2
>>>>     Description WLAN
>>>>     AuthLog authlogging-tent
>>>> </Handler>
>>>>
>>>> <Handler Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
>>>>     <AuthBy FILE>
>>>>         EAPType TTLS,PEAP
>>>>         EAPTLS_CAFile
>>>>         EAPTLS_CertificateFile
>>>>         EAPTLS_CertificateType PEM
>>>>         EAPTLS_PrivateKeyFile
>>>>         EAPTLS_PrivateKeyPassword
>>>>         EAPTLS_MaxFragmentSize 1024
>>>>         EAPTLS_SessionResumption 0
>>>>         AutoMPPEKeys
>>>>         EAPTLS_PEAPBrokenV1Label
>>>>         EAPTTLS_NoAckRequired
>>>>         # %U (and %u (with realm)) are the inner-auth username for PEAP
>>>>         #EAPAnonymous %u
>>>>         EAPAnonymous %0
>>>>     </AuthBy>
>>>>     AuthLog authlogging-wlan
>>>>     Identifier WLAN-OUTER-TEST
>>>>     Description WLAN
>>>>     AuthLog authlogging-tent
>>>> </Handler>
>>>>
>>>>> On 07/26/2011 06:14 PM, Roel Hoek wrote:
>>>>
>>>>> Hello Roel,
>>>>
>>>>>> We experience a problem with a handler for authenticating wireless-lan users. AuthBy-File for a PEAP-mschapV2 cannot match a user if
>>>>>> the outer and inner identity are not equal (normal situation).
>>>>>> It looks like the userfile is searched by the outer-identity, although the inner-identity is used for authentication via LDAP.
>>>>
>>>>> Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section
>>>>> "5.19.24 EAPAnonymous" for more info about EAPAnonymous.
>>>>
>>>>> Your inner Handler has AuthBy FILE clause with NoEAP. Radiator will then
>>>>> use User-Name attribute instead of EAP Identity to do the authentication.
>>>>
>>>>> With EAPAnonymous you can set the inner request User-Name the same as
>>>>> the EAP Identity is.
>>>>
>>>>> Please let us know if this works for you.
>>>>
>>>>> Thanks!
>>>>> Heikki
>>>>
>>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>
--
Kind regards,
Roel Hoek
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
Telephone +31 53 489 4598, Fax +31 53 489 2383
R.H.Hoek at utwente.nl; http://www.utwente.nl/icts
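As an added illustration (not code from the thread or from Radiator itself), here is a small Python model of the two users-file lookups the logs above show: the AuthBy FILE clause in the final configuration carries no RewriteUsername rules, so it searches with the unrewritten User-Name (the outer identity) and falls through to DEFAULT, while the same search after the LDAP2 clause's rewrite rules finds the per-user entry. The users file content and the two identities are constructed to mirror the posted ones; that giving the AuthBy FILE clause the same RewriteUsername lines would make it behave like the LDAP2 lookup is an assumption about Radiator, not something the thread confirms.

```python
import re

# Constructed users file in Radiator users-file format (mirrors the posted
# users-wlan-peap_v3, but is not the real file): a non-indented username line
# followed by indented reply attributes, continuation lines ending in a comma.
USERS_FILE = """\
DEFAULT
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:125
d3126217
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:131,
        Login-LAT-Group = "qnet"
"""

# The three RewriteUsername rules of the posted AuthBy LDAP2 clause, written
# as (pattern, replacement) pairs instead of Perl s/// expressions.
REWRITE_RULES = [
    (r"^([^@]+).*", r"\1"),  # keep only the part before the first '@' (drop the realm)
    (r"^\s*", ""),           # strip leading whitespace
    (r"\s*$", ""),           # strip trailing whitespace
]

def rewrite_username(name, rules):
    """Apply RewriteUsername-style rules in order, one substitution each."""
    for pattern, repl in rules:
        name = re.sub(pattern, repl, name, count=1)
    return name

def parse_users_file(text):
    """Return [(username, {attribute: value}), ...] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():  # indented: reply attribute of the current entry
            if not entries:
                raise ValueError("attribute line before any username line")
            attr, _, value = line.strip().rstrip(",").partition("=")
            entries[-1][1][attr.strip()] = value.strip()
        else:                  # non-indented: a new username entry
            entries.append((line.split()[0], {}))
    return entries

def lookup(user_name, rules=()):
    """Model AuthBy FILE: exact match on the (rewritten) name first, then DEFAULT."""
    wanted = rewrite_username(user_name, rules)
    entries = dict(parse_users_file(USERS_FILE))
    if wanted in entries:
        return wanted, entries[wanted]
    return ("DEFAULT", entries["DEFAULT"]) if "DEFAULT" in entries else (None, {})
```

`lookup("jupiter@utwente.test2")` reproduces the posted REJECT-then-DEFAULT path, whereas `lookup("d3126217@utwente.test2", REWRITE_RULES)` returns the per-user VLAN 131 entry.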