[RADIATOR] AuthBy-File cannot match user

Heikki Vatiainen hvn at open.com.au
Fri Aug 5 02:03:36 CDT 2011


On 08/03/2011 06:22 PM, Roel Hoek wrote:

Hello Roel,

> I changed the Handler Realm match as specified and changed EAPAnonymous to %0. Now the right handler handles the request and the
> username/identity is found by AuthBy FILE. (after stripping off the realm). So it works now!
> I also added an extra Handler to handle PEAP when no identity is known yet.

Good to hear it works.

About the extra handler: if someone leaves out the @realm part and uses
just the username for the inner identity, then the whole authentication
is done using the extra Handler. I did not try the code but I'd say this
is what would happen.

The default Filename is %D/users, so you may want to check if the extra
Handler does what you expect with realmless identities.

Thanks!

> Thanks for your help!
> 
> <Handler Realm=/^$/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>                 <AuthBy FILE>
>                         Identifier PEAP-inner-without-realm
>                         EAPType MSCHAP-V2
>                         NoCheckPassword
>                 </AuthBy>
> </Handler>
> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>                 AuthByPolicy ContinueWhileAccept
>                 RewriteUsername s/^([^@]+).*/$1/
>                 RewriteUsername s/^\s*//
>                 RewriteUsername s/\s*$//
> 
>                 <AuthBy LDAP2>
>                         Identifier PEAP-inner-productieoid-peap
>                         EAPType MSCHAP-V2
>                         # Rest of the config
>                 </AuthBy>
>                 <AuthBy FILE>
>                         Identifier add-vlan-attributes
>                         Filename %D/users-wlan-peap_v3
>                         NoCheckPassword
>                         NoEAP
>                 </AuthBy>
> </Handler>
> 
> --------------------------------------------------------------------------------------------------------------
> 
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <232><174><210><229>+M<192> <152>L<148><31>.o!T
> Attributes:
>         EAP-Message = <2><0><0><27><1>d3126217 at utwente.test2
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = 172.31.178.10
>         NAS-Identifier = "wlc-1"
>         NAS-Port = 13
>         Calling-Station-Id = "00271026a434"
>         User-Name = ""
> 
> Wed Aug  3 17:15:24 2011: DEBUG: Handling request with Handler 'Realm=/^$/,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier ''
> Wed Aug  3 17:15:24 2011: DEBUG: Handling with Radius::AuthFILE: PEAP-inner-without-realm
> Wed Aug  3 17:15:24 2011: DEBUG: Handling with EAP: code 2, 0, 27, 1
> Wed Aug  3 17:15:24 2011: DEBUG: Response type 1
> Wed Aug  3 17:15:24 2011: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Wed Aug  3 17:15:24 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP MSCHAP-V2 Challenge
> Wed Aug  3 17:15:24 2011: DEBUG: Access challenged for : EAP MSCHAP-V2 Challenge
> Wed Aug  3 17:15:24 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> .
> .
> .
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <150><207><169><232>HP-<233><201><25><185><247>E<129><207>"
> Attributes:
>         EAP-Message =
> <2><1><0>Q<26><2><1><0>L1qwo<236><185><7><241>b at p<169><10><221><136>r<186><0><0><0><0><0><0><0><0><248><150>m<239><163><133>L!<219>G'<199><240>Vt<131><21><251><193>S<245><18><224><155><0>d3126217 at utwente.test2
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = 172.31.178.10
>         NAS-Identifier = "wlc-1"
>         NAS-Port = 13
>         Calling-Station-Id = "00271026a434"
>         User-Name = "d3126217 at utwente.test2"
> 
> Wed Aug  3 17:15:24 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug  3 17:15:24 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
> Wed Aug  3 17:15:24 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
> Wed Aug  3 17:15:24 2011: DEBUG: Response type 26
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
> Wed Aug  3 17:15:24 2011: INFO: Connecting to oid.utwente.nl:389
> Wed Aug  3 17:15:24 2011: INFO: Attempting to bind to LDAP server <.>
> Wed Aug  3 17:15:24 2011: DEBUG: LDAP got result for uid=d3126217, <.>
> Wed Aug  3 17:15:24 2011: DEBUG: LDAP got chappassword: <.>
> Wed Aug  3 17:15:24 2011: DEBUG: LDAP got orclisenabled: ENABLED
> Wed Aug  3 17:15:24 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [d3126217 at utwente.test2]
> Wed Aug  3 17:15:24 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [d3126217 at utwente.test2]
> Wed Aug  3 17:15:24 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
> Wed Aug  3 17:15:24 2011: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
> Wed Aug  3 17:15:24 2011: DEBUG: Access challenged for d3126217: EAP MSCHAP V2 Challenge: Success
> Wed Aug  3 17:15:24 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> .
> .
> .
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <30>B<132><240>:<19>6<159><187><31>Zo\T<175>*
> Attributes:
>         EAP-Message = <2><2><0><6><26><3>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = 172.31.178.10
>         NAS-Identifier = "wlc-1"
>         NAS-Port = 13
>         Calling-Station-Id = "00271026a434"
>         User-Name = "d3126217 at utwente.test2"
> 
> Wed Aug  3 17:15:24 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug  3 17:15:24 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
> Wed Aug  3 17:15:24 2011: DEBUG: Handling with EAP: code 2, 2, 6, 26
> Wed Aug  3 17:15:24 2011: DEBUG: Response type 26
> Wed Aug  3 17:15:24 2011: DEBUG: EAP result: 0,
> Wed Aug  3 17:15:24 2011: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Wed Aug  3 17:15:24 2011: DEBUG: Handling with Radius::AuthFILE: add-vlan-attributes
> Wed Aug  3 17:15:24 2011: DEBUG: Reading users file /etc/radiator//users-wlan-peap_v3
> Wed Aug  3 17:15:24 2011: DEBUG: Radius::AuthFILE looks for match with d3126217 [d3126217 at utwente.test2]
> Wed Aug  3 17:15:24 2011: DEBUG: Radius::AuthFILE ACCEPT: : d3126217 [d3126217 at utwente.test2]
> Wed Aug  3 17:15:24 2011: DEBUG: AuthBy FILE result: ACCEPT,
> Wed Aug  3 17:15:24 2011: DEBUG: Access accepted for d3126217
> Wed Aug  3 17:15:24 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <30>B<132><240>:<19>6<159><187><31>Zo\T<175>*
> Attributes:
>         EAP-Message = <3><2><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Tunnel-Type = 1:VLAN
>         Tunnel-Medium-Type = 1:Ether_802
>         Tunnel-Private-Group-ID = 1:131
>         Login-LAT-Group = "qnet"
> 
> 
> 
> Regards,
> 
> Roel Hoek
> ICT Service Centre
> University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
> Telephone +31 53 489 4598, Fax +31 53 489 2383
> R.H.Hoek at utwente.nl; http://www.utwente.nl/icts
> 
> 
> On 2011-08-02 21:55, Heikki Vatiainen wrote:
>> On 08/02/2011 01:39 PM, Roel Hoek wrote:
> 
>> Hello Roel,
> 
>>> I changed the config as proposed. The <AuthBy LDAP2> is handled with success, but the second handler, <AuthBy FILE> fails again.
>>> (AuthFILE REJECT: No such user: jupiter at utwente.test2 [jupiter at utwente.test2])
>>> EAPAnonymous in the EAP-outer handler is %u. With %0 the Username is "" and no handler can be found.
> 
>> Can you do the following:
>> o EAPAnonymous %0
>> o Change the PEAP inner Handler to this:
> 
>> <Handler Realm=/^(|utwente.test2)$/,
>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
> 
>> The change is to allow both the empty realm and utwente.test2.
> 
>> Since the first EAP request establishes the identity, the first inner
>> request will be empty. After that, when the identity is known, the realm
>> can be looked up from the identity.
> 
>> If you do not want to allow empty realm, you can add an inner Handler
>> that allows empty realm and has a (possibly dummy) AuthBy that is
>> willing to do EAP. That will match the identity exchange and your
>> current handler can then take care of the actual authentication.
> 
>> Please let us know if this works.
> 
>> Thanks!
> 
>>> Tue Aug  2 11:41:05 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
>>> Tue Aug  2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
>>> Tue Aug  2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>>> Tue Aug  2 11:41:05 2011: DEBUG: Response type 26
>>> Tue Aug  2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
>>> Tue Aug  2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
>>> Tue Aug  2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
>>> Tue Aug  2 11:41:05 2011: INFO: Connecting to oid.utwente.nl:389
>>> Tue Aug  2 11:41:05 2011: INFO: Attempting to bind to LDAP server oid.utwente.nl:389
>>> Tue Aug  2 11:41:05 2011: DEBUG: LDAP got result for uid=d3126217,<...>
>>> Tue Aug  2 11:41:05 2011: DEBUG: LDAP got chappassword: {rcrypt}blablabla
>>> Tue Aug  2 11:41:05 2011: DEBUG: LDAP got orclisenabled: ENABLED
>>> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [jupiter at utwente.test2]
>>> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [jupiter at utwente.test2]
>>> Tue Aug  2 11:41:05 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
>>> Tue Aug  2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
>>> Tue Aug  2 11:41:05 2011: DEBUG: Access challenged for jupiter at utwente.test2: EAP MSCHAP V2 Challenge: Success
>>> Tue Aug  2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
>>> Code:       Access-Challenge
>>> .
>>> .
>>> .
>>> Code:       Access-Request
>>> Identifier: UNDEF
>>> Authentic:  N<162><150>qf<254><242>:<4>'<14>n<245><251><191><147>
>>> Attributes:
>>>         EAP-Message = <2><2><0><6><26><3>
>>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>         NAS-IP-Address = 172.31.178.10
>>>         NAS-Identifier = "wlc-1"
>>>         NAS-Port = 13
>>>         Calling-Station-Id = "00271026a434"
>>>         User-Name = "jupiter at utwente.test2"
>>>
>>> Tue Aug  2 11:41:05 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
>>> Tue Aug  2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
>>> Tue Aug  2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 2, 6, 26
>>> Tue Aug  2 11:41:05 2011: DEBUG: Response type 26
>>> Tue Aug  2 11:41:05 2011: DEBUG: EAP result: 0,
>>> Tue Aug  2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: ACCEPT,
>>> Tue Aug  2 11:41:05 2011: DEBUG: Handling with Radius::AuthFILE: add-vlan-attributes
>>> Tue Aug  2 11:41:05 2011: DEBUG: Reading users file /etc/radiator//users-wlan-peap_v3
>>> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with jupiter at utwente.test2 [jupiter at utwente.test2]
>>> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE REJECT: No such user: jupiter at utwente.test2 [jupiter at utwente.test2]
>>> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with DEFAULT [jupiter at utwente.test2]
>>> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [jupiter at utwente.test2]
>>> Tue Aug  2 11:41:05 2011: DEBUG: AuthBy FILE result: ACCEPT,
>>> Tue Aug  2 11:41:05 2011: DEBUG: Access accepted for jupiter at utwente.test2
>>> Tue Aug  2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
>>> Code:       Access-Accept
>>>
>>>
>>> -----------------------------------------------------------------------------------------------------------------
>>> # WLAN (utwente.test2) inner authentication (PEAP)
>>> #
>>> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>>                 AuthByPolicy ContinueWhileAccept
>>>                 AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>>>                 <AuthBy LDAP2>
>>>                         Identifier productieoid-peap
>>>                         EAPType MSCHAP-V2
>>>                         # Rest of the config
>>>                         Version 2
>>>                         Host <.>
>>>                         BindAddress <.>
>>>                         FailureBackoffTime 10
>>>                         AuthDN <.>
>>>                         AuthPassword <.>
>>>                         BaseDN <.>
>>>                         RcryptKey <.>
>>>                         RewriteUsername s/^([^@]+).*/$1/
>>>                         RewriteUsername s/^\s*//
>>>                         RewriteUsername s/\s*$//
>>>                         UsernameAttr <.>
>>>                         PasswordAttr <.>
>>>                         AuthAttrDef orclisenabled, OIDactive, request
>>>                 </AuthBy>
>>>
>>>                 <AuthBy FILE>
>>>                         Identifier add-vlan-attributes
>>>                         Filename %D/users-wlan-peap_v3
>>>                         NoCheckPassword
>>>                         NoEAP
>>>                 </AuthBy>
>>>         AuthLog authlogging-wlan-peap
>>>         Identifier PEAP-inner-utwente-test2
>>>         Description WLAN
>>>         AuthLog authlogging-tent
>>>
>>> </Handler>
>>> -----------------------------------------------------------------------------------------------------------------
>>> users-wlan-peap_v3:
>>>
>>> DEFAULT
>>>          Tunnel-Type = 1:VLAN,
>>>          Tunnel-Medium-Type = 1:Ether_802,
>>>          Tunnel-Private-Group-ID = 1:125
>>>
>>> d3126217
>>>          Tunnel-Type = 1:VLAN,
>>>          Tunnel-Medium-Type = 1:Ether_802,
>>>          Tunnel-Private-Group-ID = 1:131,
>>>          Login-LAT-Group = "qnet"
>>>
>>> .
>>> .
>>> .
>>>
>>>
>>> On 2011-08-01 22:42, Heikki Vatiainen wrote:
>>>> On 08/01/2011 02:44 PM, Roel Hoek wrote:
>>>
>>>> Hello Roel,
>>>
>>>>> EAPAnonymous is set back to %u and EAPType is set to MSCHAP-V2
>>>>> Now, indeed, the user-name/identity is found in the users-file, and is found in the LDAP-server, but now failed on EAP MSCHAP V2 (no
>>>>> such user???)
>>>
>>>> Hmm, I was able to recreate this with two simple AuthBy FILEs too.
>>>> However, I did not dig deeper to see why it fails.
>>>
>>>>> This has, I think, something to do with the fact that mschapv2 needs the whole username including the realm for challenge and response. This works
>>>>> with 'NoEAP', but not with EAPType MSCHAP-V2.
>>>
>>>> Can you restructure your configuration a little? The restructure would
>>>> put two AuthBys into the PEAP inner Handler. The first does EAP and is
>>>> the LDAP check while the second gets the attributes from the file after
>>>> successful LDAP check.
>>>
>>>> Something like this should do it:
>>>
>>>> # WLAN (utwente.test2) inner authentication (PEAP)
>>>> #
>>>> <Handler Realm=utwente.test2,
>>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>>>    AuthByPolicy ContinueWhileAccept
>>>>    <AuthBy LDAP2>
>>>>        Identifier productieoid-peap
>>>>        EAPType MSCHAP-V2
>>>>        # Rest of the config
>>>>    </AuthBy>
>>>>    <AuthBy FILE>
>>>>        Identifier add-vlan-attributes
>>>>        Filename %D/users-wlan-peap
>>>>        NoCheckPassword
>>>>        NoEAP
>>>>    </AuthBy>
>>>
>>>>    # Rest of the Handler
>>>> </Handler>
>>>
>>>> The file users-wlan-peap would be the same as currently but without the
>>>> Auth-Type check items:
>>>
>>>> d3126217
>>>>          Tunnel-Type = 1:VLAN,
>>>>          Tunnel-Medium-Type = 1:Ether_802,
>>>>          Tunnel-Private-Group-ID = 1:131,
>>>>          Login-LAT-Group = "qnet"
>>>
>>>> # Rest of users-wlan-peap
>>>
>>>> This should still collect the user-specific VLAN attributes but
>>>> otherwise do the authentication the same for all users.
>>>
>>>> Please let us know how this works.
>>>
>>>> Thanks!
>>>> Heikki
>>>
>>>
>>>>> Code:       Access-Request
>>>>> Identifier: UNDEF
>>>>> Authentic:  <239>d<146>I.<193>%#<14><13><189><176><200>.<182>Y
>>>>> Attributes:
>>>>>         EAP-Message = <2><1><0>Q<26><2><1><0>L1<162>VxN6pv<15>|<129><140>Y<241>`<200><166><0><0><0><0><0><0><0><0>
>>>>> <16><2>I<201>wr7<205><216><230>n<172><8>\<229>0{<219><160>@9<176>"<0>d3126217 at utwente.test2
>>>>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>>         NAS-IP-Address = 172.31.178.10
>>>>>         NAS-Identifier = "wlc-1"
>>>>>         NAS-Port = 13
>>>>>         Calling-Station-Id = "00271026a434"
>>>>>         User-Name = "jupiter at utwente.test2"
>>>>>
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
>>>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Handling with Radius::AuthFILE:
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Response type 26
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Reading users file /etc/radiator//users-wlan-peap
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthFILE looks for match with d3126217 [jupiter at utwente.test2]
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Response type 26
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
>>>>> Mon Aug  1 12:15:31 2011: INFO: Connecting to oid.utwente.nl:389
>>>>> Mon Aug  1 12:15:31 2011: INFO: Attempting to bind to LDAP server oid.utwente.nl:389
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: LDAP got result for uid=d3126217, ou=Employees, cn=Users, o=university of twente,c=nl
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: LDAP got chappassword: {rcrypt}bla bla bla
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: LDAP got orclisenabled: ENABLED
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [jupiter at utwente.test2]
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [jupiter at utwente.test2]
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP V2 Challenge: Success: d3126217 [jupiter at utwente.test2]
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user d3126217
>>>>> Mon Aug  1 12:15:31 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 failed: no such user d3126217
>>>>> Mon Aug  1 12:15:31 2011: INFO: Access rejected for jupiter at utwente.test2: EAP MSCHAP V2 failed: no such user d3126217
>>>>> Mon Aug  1 12:15:32 2011: DEBUG: Returned PEAP tunnelled packet dump:
>>>>> Code:       Access-Reject
>>>>>
>>>>>
>>>>> On 2011-07-30 08:19, Heikki Vatiainen wrote:
>>>>>> On 07/29/2011 04:12 PM, Roel Hoek wrote:
>>>>>
>>>>>>> Thanks for your comment. Although it did not work.
>>>>>>> I changed EAPAnonymous to %0. But now Username is "" and no handler can be found.
>>>>>
>>>>>> Unfortunately that's true. Taking another look at the configuration, the
>>>>>> reason for this is the NoEAP option. Since EAP is not run for the inner
>>>>>> authentication, the EAP identity will not be available.
>>>>>
>>>>>> Going back to your original configuration, would replacing "NoEAP" with
>>>>>> "EAPType MSCHAP-V2" work? EAP MSCHAP-V2 will work fine with AuthBy FILE.
>>>>>
>>>>>> Thanks!
>>>>>> Heikki
>>>>>
>>>>>
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling request with Handler 'Realm=/utwente.test|utwente.test2/,
>>>>>>> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/', Identifier 'WLAN-OUTER-TEST'
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with Radius::AuthFILE:
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with EAP: code 2, 9, 112, 25
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Response type 25
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: EAP PEAP inner authentication request for
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: PEAP Tunnelled request Packet dump:
>>>>>>> Code:       Access-Request
>>>>>>> Identifier: UNDEF
>>>>>>> Authentic:  <177>6<209>Wz<163><198><243><230>M<179><134><155><15><207><163>
>>>>>>> Attributes:
>>>>>>>         EAP-Message = <2><0><0><27><1>d3126217 at utwente.test2
>>>>>>>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>>>>>         NAS-IP-Address = 172.31.178.10
>>>>>>>         NAS-Identifier = "wlc-1"
>>>>>>>         NAS-Port = 13
>>>>>>>         Calling-Station-Id = "00271026a434"
>>>>>>>         User-Name = ""
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: EAP result: 1, No Handler for PEAP inner authentication
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: AuthBy FILE result: REJECT, No Handler for PEAP inner authentication
>>>>>>> Fri Jul 29 13:32:06 2011: INFO: Access rejected for jupiter at utwente.test2: No Handler for PEAP inner authentication
>>>>>>> Fri Jul 29 13:32:06 2011: DEBUG: Packet dump:
>>>>>>> *** Sending to 172.31.178.10 port 32770 ....
>>>>>>> Code:       Access-Reject
>>>>>>>
>>>>>>> -------------------------------------------------------------------
>>>>>>> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>>>>>>>                 AuthByPolicy ContinueWhileReject
>>>>>>>                 AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>>>>>>>                         <AuthBy FILE>
>>>>>>>                                 RewriteUsername s/^([^@]+).*/$1/
>>>>>>>                                 RewriteUsername s/^\s*//
>>>>>>>                                 RewriteUsername s/\s*$//
>>>>>>>                                 Filename %D/users-wlan-peap
>>>>>>>                                 NoEAP
>>>>>>>                        </AuthBy>
>>>>>>>         AuthLog authlogging-wlan-peap
>>>>>>>         Identifier PEAP-inner-utwente-test2
>>>>>>>         Description WLAN
>>>>>>>         AuthLog authlogging-tent
>>>>>>> </Handler>
>>>>>>>
>>>>>>> <Handler Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
>>>>>>>         <AuthBy FILE>
>>>>>>>                 EAPType TTLS,PEAP
>>>>>>>                 EAPTLS_CAFile
>>>>>>>                 EAPTLS_CertificateFile
>>>>>>>                 EAPTLS_CertificateType PEM
>>>>>>>                 EAPTLS_PrivateKeyFile
>>>>>>>                 EAPTLS_PrivateKeyPassword
>>>>>>>                 EAPTLS_MaxFragmentSize 1024
>>>>>>>                 EAPTLS_SessionResumption 0
>>>>>>>                 AutoMPPEKeys
>>>>>>>                 EAPTLS_PEAPBrokenV1Label
>>>>>>>                 EAPTTLS_NoAckRequired
>>>>>>>                 # %U (and %u (with realm)) are the inner-auth username for PEAP
>>>>>>>                 #EAPAnonymous %u
>>>>>>>                 EAPAnonymous %0
>>>>>>>         </AuthBy>
>>>>>>>         AuthLog authlogging-wlan
>>>>>>>         Identifier WLAN-OUTER-TEST
>>>>>>>         Description WLAN
>>>>>>>         AuthLog authlogging-tent
>>>>>>> </Handler>
>>>>>>>
>>>>>>>> On 07/26/2011 06:14 PM, Roel Hoek wrote:
>>>>>>>
>>>>>>>> Hello Roel,
>>>>>>>
>>>>>>>>> We experience a problem with a handler for authenticating wireless-lan users. AuthBy-File for a PEAP-mschapV2 cannot match a user if
>>>>>>>>> the outer and inner identity are not equal (normal situation).
>>>>>>>>> It looks like the userfile is searched by the outer-identity, although the inner-identity is used for authentication via LDAP.
>>>>>>>
>>>>>>>> Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section
>>>>>>>> "5.19.24 EAPAnonymous" for more info about EAPAnonymous.
>>>>>>>
>>>>>>>> Your inner Handler has AuthBy FILE clause with NoEAP. Radiator will then
>>>>>>>> use User-Name attribute instead of EAP Identity to do the authentication.
>>>>>>>
>>>>>>>> With EAPAnonymous you can set the inner request User-Name the same as
>>>>>>>> the EAP Identity is.
>>>>>>>
>>>>>>>> Please let us know if this works for you.
>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> Heikki
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>>
>>>
>>>
>>>
> 
> 
> 

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
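As an added illustration, not code from the thread or from Radiator itself, the Python model below replays what the logs above show: which inner Handler a request lands in based on the realm of its User-Name (the empty first identity request, and also a realmless inner identity, which is the case Heikki cautions about), the RewriteUsername rules, and the users-file lookup that falls back to DEFAULT when the name is not found. The users file is a constructed copy of the users-wlan-peap_v3 quoted in the thread; the function names and the modelling of the literal Realm=utwente.test2 as an anchored regex are assumptions.

```python
import re

# Constructed copy of the users-wlan-peap_v3 file quoted in the thread
# (Radiator users-file format: an unindented name line followed by indented
# reply items; this model treats every indented line as a reply item).
USERS_FILE = """\
DEFAULT
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:125

d3126217
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:131,
        Login-LAT-Group = "qnet"
"""

# The three RewriteUsername rules from the thread as (pattern, replacement);
# Perl's $1 is spelled \1 in Python.
REWRITE_RULES = [
    (r"^([^@]+).*", r"\1"),  # keep only the part before @realm
    (r"^\s*", ""),           # strip leading whitespace
    (r"\s*$", ""),           # strip trailing whitespace
]

# Inner PEAP Handlers from the final config, in configuration order.
# The literal Realm=utwente.test2 is modelled as an anchored regex (assumption).
INNER_HANDLERS = [
    (r"^$", "PEAP-inner-without-realm"),
    (r"^utwente\.test2$", "PEAP-inner-utwente-test2"),
]


def rewrite_username(name):
    """Apply the RewriteUsername rules in order, one substitution each."""
    for pattern, repl in REWRITE_RULES:
        name = re.sub(pattern, repl, name, count=1)
    return name


def select_handler(user_name):
    """Pick the first inner Handler whose Realm matches the part after '@'."""
    realm = user_name.partition("@")[2]   # "" when there is no @realm at all
    for pattern, identifier in INNER_HANDLERS:
        if re.search(pattern, realm):
            return identifier
    return None


def parse_users_file(text):
    """Parse the users-file text into {name: {attribute: value}}."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a new entry
            current = line.strip()
            users[current] = {}
            continue
        attr, _, value = line.strip().rstrip(",").partition("=")
        users[current][attr.strip()] = value.strip().strip('"')
    return users


def authby_file_lookup(users, user_name):
    """Mimic AuthBy FILE: exact name first, then the DEFAULT entry, as in the logs."""
    if user_name in users:
        return user_name, users[user_name]
    if "DEFAULT" in users:
        return "DEFAULT", users["DEFAULT"]
    return None, {}


def inner_user_name(eap_anonymous, outer_user_name, eap_identity):
    """Inner User-Name as set by EAPAnonymous: %u copies the outer User-Name,
    %0 uses the EAP identity (the two settings compared in the thread)."""
    return outer_user_name if eap_anonymous == "%u" else eap_identity


if __name__ == "__main__":
    users = parse_users_file(USERS_FILE)
    for setting in ("%u", "%0"):
        name = inner_user_name(setting, "jupiter@utwente.test2", "d3126217@utwente.test2")
        matched, attrs = authby_file_lookup(users, rewrite_username(name))
        print(setting, "->", matched, attrs.get("Tunnel-Private-Group-ID"))
```

Running it shows the thread's two outcomes side by side: with %u the outer name never matches and the DEFAULT entry hands out VLAN 125, with %0 the rewritten EAP identity matches d3126217 and gets VLAN 131 plus the Login-LAT-Group reply item.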

