[RADIATOR] AuthBy-File cannot match user

Roel Hoek r.h.hoek at utwente.nl
Wed Aug 3 10:22:37 CDT 2011



Hello Heikki,

I changed the Handler Realm match as specified and changed EAPAnonymous to %0. Now the right handler handles the request and the
username/identity is found by AuthBy FILE. (after stripping off the realm). So it works now!
I also added an extra Handler to handle PEAP when no identity is known yet.

Thanks for your help!

<Handler Realm=/^$/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
                <AuthBy FILE>
                        Identifier PEAP-inner-without-realm
                        EAPType MSCHAP-V2
                        NoCheckPassword
                </AuthBy>
</Handler>
<Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
                AuthByPolicy ContinueWhileAccept
                RewriteUsername s/^([^@]+).*/$1/
                RewriteUsername s/^\s*//
                RewriteUsername s/\s*$//

                <AuthBy LDAP2>
                        Identifier PEAP-inner-productieoid-peap
                        EAPType MSCHAP-V2
                        # Rest of the config
                </AuthBy>
                <AuthBy FILE>
                        Identifier add-vlan-attributes
                        Filename %D/users-wlan-peap_v3
                        NoCheckPassword
                        NoEAP
                </AuthBy>
</Handler>

--------------------------------------------------------------------------------------------------------------

Code:       Access-Request
Identifier: UNDEF
Authentic:  <232><174><210><229>+M<192> <152>L<148><31>.o!T
Attributes:
        EAP-Message = <2><0><0><27><1>d3126217 at utwente.test2
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        NAS-IP-Address = 172.31.178.10
        NAS-Identifier = "wlc-1"
        NAS-Port = 13
        Calling-Station-Id = "00271026a434"
        User-Name = ""

Wed Aug  3 17:15:24 2011: DEBUG: Handling request with Handler 'Realm=/^$/,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier ''
Wed Aug  3 17:15:24 2011: DEBUG: Handling with Radius::AuthFILE: PEAP-inner-without-realm
Wed Aug  3 17:15:24 2011: DEBUG: Handling with EAP: code 2, 0, 27, 1
Wed Aug  3 17:15:24 2011: DEBUG: Response type 1
Wed Aug  3 17:15:24 2011: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Wed Aug  3 17:15:24 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP MSCHAP-V2 Challenge
Wed Aug  3 17:15:24 2011: DEBUG: Access challenged for : EAP MSCHAP-V2 Challenge
Wed Aug  3 17:15:24 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Challenge
.
.
.
Code:       Access-Request
Identifier: UNDEF
Authentic:  <150><207><169><232>HP-<233><201><25><185><247>E<129><207>"
Attributes:
        EAP-Message =
<2><1><0>Q<26><2><1><0>L1qwo<236><185><7><241>b at p<169><10><221><136>r<186><0><0><0><0><0><0><0><0><248><150>m<239><163><133>L!<219>G'<199><240>Vt<131><21><251><193>S<245><18><224><155><0>d3126217 at utwente.test2
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        NAS-IP-Address = 172.31.178.10
        NAS-Identifier = "wlc-1"
        NAS-Port = 13
        Calling-Station-Id = "00271026a434"
        User-Name = "d3126217 at utwente.test2"

Wed Aug  3 17:15:24 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
Wed Aug  3 17:15:24 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
Wed Aug  3 17:15:24 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
Wed Aug  3 17:15:24 2011: DEBUG: Response type 26
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
Wed Aug  3 17:15:24 2011: INFO: Connecting to oid.utwente.nl:389
Wed Aug  3 17:15:24 2011: INFO: Attempting to bind to LDAP server <.>
Wed Aug  3 17:15:24 2011: DEBUG: LDAP got result for uid=d3126217, <.>
Wed Aug  3 17:15:24 2011: DEBUG: LDAP got chappassword: <.>
Wed Aug  3 17:15:24 2011: DEBUG: LDAP got orclisenabled: ENABLED
Wed Aug  3 17:15:24 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [d3126217 at utwente.test2]
Wed Aug  3 17:15:24 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [d3126217 at utwente.test2]
Wed Aug  3 17:15:24 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Wed Aug  3 17:15:24 2011: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Wed Aug  3 17:15:24 2011: DEBUG: Access challenged for d3126217: EAP MSCHAP V2 Challenge: Success
Wed Aug  3 17:15:24 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Challenge
.
.
.
Code:       Access-Request
Identifier: UNDEF
Authentic:  <30>B<132><240>:<19>6<159><187><31>Zo\T<175>*
Attributes:
        EAP-Message = <2><2><0><6><26><3>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        NAS-IP-Address = 172.31.178.10
        NAS-Identifier = "wlc-1"
        NAS-Port = 13
        Calling-Station-Id = "00271026a434"
        User-Name = "d3126217 at utwente.test2"

Wed Aug  3 17:15:24 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
Wed Aug  3 17:15:24 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
Wed Aug  3 17:15:24 2011: DEBUG: Handling with EAP: code 2, 2, 6, 26
Wed Aug  3 17:15:24 2011: DEBUG: Response type 26
Wed Aug  3 17:15:24 2011: DEBUG: EAP result: 0,
Wed Aug  3 17:15:24 2011: DEBUG: AuthBy LDAP2 result: ACCEPT,
Wed Aug  3 17:15:24 2011: DEBUG: Handling with Radius::AuthFILE: add-vlan-attributes
Wed Aug  3 17:15:24 2011: DEBUG: Reading users file /etc/radiator//users-wlan-peap_v3
Wed Aug  3 17:15:24 2011: DEBUG: Radius::AuthFILE looks for match with d3126217 [d3126217 at utwente.test2]
Wed Aug  3 17:15:24 2011: DEBUG: Radius::AuthFILE ACCEPT: : d3126217 [d3126217 at utwente.test2]
Wed Aug  3 17:15:24 2011: DEBUG: AuthBy FILE result: ACCEPT,
Wed Aug  3 17:15:24 2011: DEBUG: Access accepted for d3126217
Wed Aug  3 17:15:24 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <30>B<132><240>:<19>6<159><187><31>Zo\T<175>*
Attributes:
        EAP-Message = <3><2><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Tunnel-Type = 1:VLAN
        Tunnel-Medium-Type = 1:Ether_802
        Tunnel-Private-Group-ID = 1:131
        Login-LAT-Group = "qnet"



Regards,

Roel Hoek
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
Telephone +31 53 489 4598, Fax +31 53 489 2383
R.H.Hoek at utwente.nl; http://www.utwente.nl/icts
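The inner-Handler selection, the RewriteUsername chain and the users-file DEFAULT fallback discussed in this thread, simulated as an added example (this is not Radiator's code nor the poster's configuration). It assumes the two inner Handlers shown above with Realm regexes /^$/ and /^utwente\.test2$/, and models EAPAnonymous %u as "inner User-Name = outer User-Name" and %0 as "inner User-Name = EAP identity", which is how the thread describes them. The "%u" case shows why the earlier configuration silently landed the user in the DEFAULT VLAN instead of rejecting.

```python
import re

# Constructed users file in Radiator's users-file layout, as posted in the thread.
# DEFAULT is the catch-all entry AuthBy FILE falls back to when no user line matches.
USERS_FILE = """\
DEFAULT
         Tunnel-Type = 1:VLAN,
         Tunnel-Medium-Type = 1:Ether_802,
         Tunnel-Private-Group-ID = 1:125

d3126217
         Tunnel-Type = 1:VLAN,
         Tunnel-Medium-Type = 1:Ether_802,
         Tunnel-Private-Group-ID = 1:131,
         Login-LAT-Group = "qnet"
"""

# The three RewriteUsername rules from the inner Handler, as (pattern, replacement).
REWRITES = [(r"^([^@]+).*", r"\1"), (r"^\s*", ""), (r"\s*$", "")]

# Inner Handlers from the thread: empty realm for the identity exchange, then the
# real realm once the EAP identity is known (Realm regexes are assumptions).
HANDLERS = [(r"^$", "PEAP-inner-without-realm"),
            (r"^utwente\.test2$", "PEAP-inner-utwente-test2")]


def parse_users_file(text):
    """Parse the minimal users-file layout above into {user: {attr: value}}."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line starts a new entry
            current = line.strip()
            users[current] = {}
            continue
        for item in line.strip().rstrip(",").split(","):
            name, _, value = item.partition("=")
            users[current][name.strip()] = value.strip().strip('"')
    return users


def rewrite_username(name):
    """Apply the RewriteUsername chain: drop '@realm', then trim whitespace."""
    for pattern, repl in REWRITES:
        name = re.sub(pattern, repl, name, count=1)
    return name


def select_handler(username, handlers):
    """First Handler whose Realm regex matches the text after '@'; None means
    the 'No Handler for PEAP inner authentication' reject seen in the thread."""
    realm = username.partition("@")[2]
    for realm_re, identifier in handlers:
        if re.search(realm_re, realm):
            return identifier
    return None


def inner_lookup(users, outer_user_name, eap_identity, eap_anonymous):
    """Simulate the inner AuthBy FILE lookup. EAPAnonymous %u copies the outer
    User-Name into the inner request; %0 copies the EAP identity instead."""
    inner_user_name = eap_identity if eap_anonymous == "%0" else outer_user_name
    key = rewrite_username(inner_user_name)
    if key in users:
        return key, users[key]
    return "DEFAULT", users.get("DEFAULT")   # silent fallback: wrong VLAN, no error


if __name__ == "__main__":
    users = parse_users_file(USERS_FILE)
    outer, inner = "jupiter@utwente.test2", "d3126217@utwente.test2"
    print(select_handler("", HANDLERS))             # identity exchange, empty realm
    print(inner_lookup(users, outer, inner, "%u"))  # outer identity: DEFAULT, VLAN 125
    print(inner_lookup(users, outer, inner, "%0"))  # EAP identity: d3126217, VLAN 131
```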


On 2011-08-02 21:55, Heikki Vatiainen wrote:
> On 08/02/2011 01:39 PM, Roel Hoek wrote:
> 
> Hello Roel,
> 
>> I changed the config as proposed. The <AuthBy LDAP2> is handled with success, but the second handler, <AuthBy FILE> fails again.
>> (AuthFILE REJECT: No such user: jupiter at utwente.test2 [jupiter at utwente.test2])
>> EAPAnonymous in the EAP-outer handler is %u. With %0 the Username is "" and no handler can be found.
> 
> Can you do the following:
> o EAPAnonymous %0
> o Change the PEAP inner Handler to this:
> 
> <Handler Realm=/^(|utwente.test2)$/,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
> 
> The change is to allow both empty realm and utwente.test2.
> 
> Since the first EAP request establishes the identity, the first inner
> request will be empty. After that, when the identity is known, the realm
> can be looked up from the identity.
> 
> If you do not want to allow empty realm, you can add an inner Handler
> that allows empty realm and has a (possibly dummy) AuthBy that is
> willing to do EAP. That will match the identity exchange and your
> current handler can then take care of the actual authentication.
> 
> Please let us know if this works.
> 
> Thanks!
> 
>> Tue Aug  2 11:41:05 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
>> Tue Aug  2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
>> Tue Aug  2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>> Tue Aug  2 11:41:05 2011: DEBUG: Response type 26
>> Tue Aug  2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
>> Tue Aug  2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
>> Tue Aug  2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
>> Tue Aug  2 11:41:05 2011: INFO: Connecting to oid.utwente.nl:389
>> Tue Aug  2 11:41:05 2011: INFO: Attempting to bind to LDAP server oid.utwente.nl:389
>> Tue Aug  2 11:41:05 2011: DEBUG: LDAP got result for uid=d3126217,<...>
>> Tue Aug  2 11:41:05 2011: DEBUG: LDAP got chappassword: {rcrypt}blablabla
>> Tue Aug  2 11:41:05 2011: DEBUG: LDAP got orclisenabled: ENABLED
>> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [jupiter at utwente.test2]
>> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [jupiter at utwente.test2]
>> Tue Aug  2 11:41:05 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
>> Tue Aug  2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
>> Tue Aug  2 11:41:05 2011: DEBUG: Access challenged for jupiter at utwente.test2: EAP MSCHAP V2 Challenge: Success
>> Tue Aug  2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
>> Code:       Access-Challenge
>> .
>> .
>> .
>> Code:       Access-Request
>> Identifier: UNDEF
>> Authentic:  N<162><150>qf<254><242>:<4>'<14>n<245><251><191><147>
>> Attributes:
>>         EAP-Message = <2><2><0><6><26><3>
>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>         NAS-IP-Address = 172.31.178.10
>>         NAS-Identifier = "wlc-1"
>>         NAS-Port = 13
>>         Calling-Station-Id = "00271026a434"
>>         User-Name = "jupiter at utwente.test2"
>>
>> Tue Aug  2 11:41:05 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
>> Tue Aug  2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
>> Tue Aug  2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 2, 6, 26
>> Tue Aug  2 11:41:05 2011: DEBUG: Response type 26
>> Tue Aug  2 11:41:05 2011: DEBUG: EAP result: 0,
>> Tue Aug  2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: ACCEPT,
>> Tue Aug  2 11:41:05 2011: DEBUG: Handling with Radius::AuthFILE: add-vlan-attributes
>> Tue Aug  2 11:41:05 2011: DEBUG: Reading users file /etc/radiator//users-wlan-peap_v3
>> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with jupiter at utwente.test2 [jupiter at utwente.test2]
>> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE REJECT: No such user: jupiter at utwente.test2 [jupiter at utwente.test2]
>> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with DEFAULT [jupiter at utwente.test2]
>> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [jupiter at utwente.test2]
>> Tue Aug  2 11:41:05 2011: DEBUG: AuthBy FILE result: ACCEPT,
>> Tue Aug  2 11:41:05 2011: DEBUG: Access accepted for jupiter at utwente.test2
>> Tue Aug  2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
>> Code:       Access-Accept
>>
>>
>> -----------------------------------------------------------------------------------------------------------------
>> # WLAN (utwente.test2) inner authentication (PEAP)
>> #
>> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>                 AuthByPolicy ContinueWhileAccept
>>                 AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>>                 <AuthBy LDAP2>
>>                         Identifier productieoid-peap
>>                         EAPType MSCHAP-V2
>>                         # Rest of the config
>>                         Version 2
>>                         Host <.>
>>                         BindAddress <.>
>>                         FailureBackoffTime 10
>>                         AuthDN <.>
>>                         AuthPassword <.>
>>                         BaseDN <.>
>>                         RcryptKey <.>
>>                         RewriteUsername s/^([^@]+).*/$1/
>>                         RewriteUsername s/^\s*//
>>                         RewriteUsername s/\s*$//
>>                         UsernameAttr <.>
>>                         PasswordAttr <.>
>>                         AuthAttrDef orclisenabled, OIDactive, request
>>                 </AuthBy>
>>
>>                 <AuthBy FILE>
>>                         Identifier add-vlan-attributes
>>                         Filename %D/users-wlan-peap_v3
>>                         NoCheckPassword
>>                         NoEAP
>>                 </AuthBy>
>>         AuthLog authlogging-wlan-peap
>>         Identifier PEAP-inner-utwente-test2
>>         Description WLAN
>>         AuthLog authlogging-tent
>>
>> </Handler>
>> -----------------------------------------------------------------------------------------------------------------
>> users-wlan-peap_v3:
>>
>> DEFAULT
>>          Tunnel-Type = 1:VLAN,
>>          Tunnel-Medium-Type = 1:Ether_802,
>>          Tunnel-Private-Group-ID = 1:125
>>
>> d3126217
>>          Tunnel-Type = 1:VLAN,
>>          Tunnel-Medium-Type = 1:Ether_802,
>>          Tunnel-Private-Group-ID = 1:131,
>>          Login-LAT-Group = "qnet"
>>
>> .
>> .
>> .
>>
>>
>> On 2011-08-01 22:42, Heikki Vatiainen wrote:
>>> On 08/01/2011 02:44 PM, Roel Hoek wrote:
>>
>>> Hello Roel,
>>
>>>> EAPAnonymous is set back to %u and EAPType is set to MSCHAP-V2
>>>> Now, indeed, the user-name/identity is found in the users-file, and is found in the LDAP-server, but now failed on EAP MSCHAP V2 (no
>>>> such user???)
>>
>>> Hmm, I was able to recreate this with two simple AuthBy FILEs too.
>>> However, I did not dig deeper to see why it fails.
>>
>>>> This has, I think, something to do that mschapv2 needs for challenge and response the whole username including the realm. This works
>>>> with 'NoEAP', but not with EAPType MSCHAP-V2.
>>
>>> Can you restructure your configuration a little. The restructure would
>>> put two AuthBys into the PEAP inner Handler. The first does EAP and is
>>> the LDAP check while the second gets the attributes from the file after
>>> successful LDAP check.
>>
>>> Something like this should do it:
>>
>>> # WLAN (utwente.test2) inner authentication (PEAP)
>>> #
>>> <Handler Realm=utwente.test2,
>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>>    AuthByPolicy ContinueWhileAccept
>>>    <AuthBy LDAP2>
>>>        Identifier productieoid-peap
>>>        EAPType MSCHAP-V2
>>>        # Rest of the config
>>>    </AuthBy>
>>>    <AuthBy FILE>
>>>        Identifier add-vlan-attributes
>>>        Filename %D/users-wlan-peap
>>>        NoCheckPassword
>>>        NoEAP
>>>    </AuthBy>
>>
>>>    # Rest of the Handler
>>> </Handler>
>>
>>> The file users-wlan-peap would be the same as currently but without the
>>> Auth-Type check items:
>>
>>> d3126217
>>>          Tunnel-Type = 1:VLAN,
>>>          Tunnel-Medium-Type = 1:Ether_802,
>>>          Tunnel-Private-Group-ID = 1:131,
>>>          Login-LAT-Group = "qnet"
>>
>>> # Rest of users-wlan-peap
>>
>>> This should still collect the user specific VLAN attributes but
>>> otherwise do the authentication the same for all users.
>>
>>> Please let us know how this works.
>>
>>> Thanks!
>>> Heikki
>>
>>
>>>> Code:       Access-Request
>>>> Identifier: UNDEF
>>>> Authentic:  <239>d<146>I.<193>%#<14><13><189><176><200>.<182>Y
>>>> Attributes:
>>>>         EAP-Message = <2><1><0>Q<26><2><1><0>L1<162>VxN6pv<15>|<129><140>Y<241>`<200><166><0><0><0><0><0><0><0><0>
>>>> <16><2>I<201>wr7<205><216><230>n<172><8>\<229>0{<219><160>@9<176>"<0>d3126217 at utwente.test2
>>>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>         NAS-IP-Address = 172.31.178.10
>>>>         NAS-Identifier = "wlc-1"
>>>>         NAS-Port = 13
>>>>         Calling-Station-Id = "00271026a434"
>>>>         User-Name = "jupiter at utwente.test2"
>>>>
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
>>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Handling with Radius::AuthFILE:
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Response type 26
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Reading users file /etc/radiator//users-wlan-peap
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthFILE looks for match with d3126217 [jupiter at utwente.test2]
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Response type 26
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>> Mon Aug  1 12:15:31 2011: INFO: Connecting to oid.utwente.nl:389
>>>> Mon Aug  1 12:15:31 2011: INFO: Attempting to bind to LDAP server oid.utwente.nl:389
>>>> Mon Aug  1 12:15:31 2011: DEBUG: LDAP got result for uid=d3126217, ou=Employees, cn=Users, o=university of twente,c=nl
>>>> Mon Aug  1 12:15:31 2011: DEBUG: LDAP got chappassword: {rcrypt}bla bla bla
>>>> Mon Aug  1 12:15:31 2011: DEBUG: LDAP got orclisenabled: ENABLED
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [jupiter at utwente.test2]
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [jupiter at utwente.test2]
>>>> Mon Aug  1 12:15:31 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
>>>> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP V2 Challenge: Success: d3126217 [jupiter at utwente.test2]
>>>> Mon Aug  1 12:15:31 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user d3126217
>>>> Mon Aug  1 12:15:31 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 failed: no such user d3126217
>>>> Mon Aug  1 12:15:31 2011: INFO: Access rejected for jupiter at utwente.test2: EAP MSCHAP V2 failed: no such user d3126217
>>>> Mon Aug  1 12:15:32 2011: DEBUG: Returned PEAP tunnelled packet dump:
>>>> Code:       Access-Reject
>>>>
>>>>
>>>> On 2011-07-30 08:19, Heikki Vatiainen wrote:
>>>>> On 07/29/2011 04:12 PM, Roel Hoek wrote:
>>>>
>>>>>> Thanks for your comment. Although it did not work.
>>>>>> I changed EAPAnonymous to %0. But now Username is "" and no handler can be found.
>>>>
>>>>> Unfortunately that's true. Taking another look at the configuration, the
>>>>> reason for this is the NoEAP option. Since EAP is not run for the inner
>>>>> authentication, the EAP identity will not be available.
>>>>
>>>>> Going back to your original configuration, would replacing "NoEAP" with
>>>>> "EAPType MSCHAP-V2" work? EAP MSCHAP-V2 will work fine with AuthBy FILE.
>>>>
>>>>> Thanks!
>>>>> Heikki
>>>>
>>>>
>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling request with Handler 'Realm=/utwente.test|utwente.test2/,
>>>>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/', Identifier 'WLAN-OUTER-TEST'
>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with Radius::AuthFILE:
>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with EAP: code 2, 9, 112, 25
>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Response type 25
>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: EAP PEAP inner authentication request for
>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: PEAP Tunnelled request Packet dump:
>>>>>> Code:       Access-Request
>>>>>> Identifier: UNDEF
>>>>>> Authentic:  <177>6<209>Wz<163><198><243><230>M<179><134><155><15><207><163>
>>>>>> Attributes:
>>>>>>         EAP-Message = <2><0><0><27><1>d3126217 at utwente.test2
>>>>>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>>>         NAS-IP-Address = 172.31.178.10
>>>>>>         NAS-Identifier = "wlc-1"
>>>>>>         NAS-Port = 13
>>>>>>         Calling-Station-Id = "00271026a434"
>>>>>>         User-Name = ""
>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: EAP result: 1, No Handler for PEAP inner authentication
>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: AuthBy FILE result: REJECT, No Handler for PEAP inner authentication
>>>>>> Fri Jul 29 13:32:06 2011: INFO: Access rejected for jupiter at utwente.test2: No Handler for PEAP inner authentication
>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Packet dump:
>>>>>> *** Sending to 172.31.178.10 port 32770 ....
>>>>>> Code:       Access-Reject
>>>>>>
>>>>>> -------------------------------------------------------------------
>>>>>> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>>>>>                 AuthByPolicy ContinueWhileReject
>>>>>>                 AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>>>>>>                         <AuthBy FILE>
>>>>>>                                 RewriteUsername s/^([^@]+).*/$1/
>>>>>>                                 RewriteUsername s/^\s*//
>>>>>>                                 RewriteUsername s/\s*$//
>>>>>>                                 Filename %D/users-wlan-peap
>>>>>>                                 NoEAP
>>>>>>                        </AuthBy>
>>>>>>         AuthLog authlogging-wlan-peap
>>>>>>         Identifier PEAP-inner-utwente-test2
>>>>>>         Description WLAN
>>>>>>         AuthLog authlogging-tent
>>>>>> </Handler>
>>>>>>
>>>>>> <Handler Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
>>>>>>         <AuthBy FILE>
>>>>>>                 EAPType TTLS,PEAP
>>>>>>                 EAPTLS_CAFile
>>>>>>                 EAPTLS_CertificateFile
>>>>>>                 EAPTLS_CertificateType PEM
>>>>>>                 EAPTLS_PrivateKeyFile
>>>>>>                 EAPTLS_PrivateKeyPassword
>>>>>>                 EAPTLS_MaxFragmentSize 1024
>>>>>>                 EAPTLS_SessionResumption 0
>>>>>>                 AutoMPPEKeys
>>>>>>                 EAPTLS_PEAPBrokenV1Label
>>>>>>                 EAPTTLS_NoAckRequired
>>>>>>                 # %U (and %u (with realm)) are the inner-auth username for PEAP
>>>>>>                 #EAPAnonymous %u
>>>>>>                 EAPAnonymous %0
>>>>>>         </AuthBy>
>>>>>>         AuthLog authlogging-wlan
>>>>>>         Identifier WLAN-OUTER-TEST
>>>>>>         Description WLAN
>>>>>>         AuthLog authlogging-tent
>>>>>> </Handler>
>>>>>>
>>>>>>> On 07/26/2011 06:14 PM, Roel Hoek wrote:
>>>>>>
>>>>>>> Hello Roel,
>>>>>>
>>>>>>>> We experience a problem with a handler for authenticating wireless-lan users. AuthBy-File for a PEAP-mschapV2 cannot match a user if
>>>>>>>> the outer and inner identity are not equal (normal situation).
>>>>>>>> It looks like the userfile is searched by the outer-identity, although the inner-identity is used for authentication via LDAP.
>>>>>>
>>>>>>> Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section
>>>>>>> "5.19.24 EAPAnonymous" for more info about EAPAnonymous.
>>>>>>
>>>>>>> Your inner Handler has AuthBy FILE clause with NoEAP. Radiator will then
>>>>>>> use User-Name attribute instead of EAP Identity to do the authentication.
>>>>>>
>>>>>>> With EAPAnonymous you can set the inner request User-Name the same as
>>>>>>> the EAP Identity is.
>>>>>>
>>>>>>> Please let us know if this works for you.
>>>>>>
>>>>>>> Thanks!
>>>>>>> Heikki
>>>>>>
>>>>>>
>>>>
>>>>
>>>>
>>
>>
>>
> 



