[RADIATOR] PEAP Anonymous Hook
Raúl Tejeda Calero
raul.tejeda at satec.es
Tue Feb 22 08:57:24 CST 2011
Hello,
I finally fixed the problem, as Mikem show in the eap_anon_hook, my client send an "[anonymous] <user>" when i try to handle PEAP.
I want to use the eap_anon_hook, but i don´t understand how it works.
¿Where´s the location of the hook? ¿it works with Active Directory?
Thanks in advance!
Raúl Tejeda
________________________________________
De: radiator-bounces at open.com.au [radiator-bounces at open.com.au] En nombre de Raúl Tejeda Calero [raul.tejeda at satec.es]
Enviado el: martes, 22 de febrero de 2011 11:45
Para: Heikki Vatiainen
CC: radiator at open.com.au
Asunto: Re: [RADIATOR] PEAP Unknow Problem
Hello, i´m here again.
> It looks better, but don´t work. Now, the challenge pass-through to the MSCHAP-V2 Handler, but it shows the same error message:
>Christian already took care of most issues, I'll try to continue.
>You are currently using RewriteUsername. That may cause problems if
>Radiator and the client calculate MSCHAPv2 challenges and responses
>using different (original and rewritten) usernames.
>However, it looks like you are using mikem as the username and it does
>not get changed. Or is mikem exactly what you use with your client? You
>may try commenting out RewriteUsername while you do testing.
I have tried it. Using rewrite username with $1 (mikem), $2 (anonymous) and without "rewriteusername". And the result was the same.
>About your clients file. If you really had this:
>mikem user-password = xxxxx
>you would get an error since user-name is not written as User-Password.
>The error would be something like this: "Check item user-password
>expression 'password' does not match '' in request" for a line like this
>in the users file:
>mikem user-password = "password"
Sorry, it was a writing-mistake. My user file is correct and works with AAA.
Any troubleshooting idea?
Regards and thanks in advance,
Raúl Tejeda
New Radius.cfg:
> ######################################################################################################
> ######################################################################################################
>
> #basic configuration
> # inner auth with MS-CHAP-V2
> <Handler NAS-IP-Address="<IP-WLC>",TunnelledByPEAP=1>
> Identifier EAP-MSCHAP-V2
> <AuthBy FILE>
> EAPType MSCHAP-V2
> Filename %D/users
> </AuthBy>
> </Handler>
>
> # outer auth with just PEAP
> <Handler NAS-IP-Address="<IP-WLC>">
> Identifier EAP-PEAP
> <AuthBy FILE>
> EAPType PEAP
> Filename %D/users-eap
> EAPTLS_CAFile %D/certificados/CA.pem
> EAPTLS_CAPath %D/certificados
> EAPTLS_CertificateFile %D/certificados/Serv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificados/Serv.key
> EAPTLS_MaxFragmentSize 1000
> </AuthBy>
> </Handler>
>
New logfile:
###################################################################################################### ######################################################################################################
Tue Feb 22 12:23:03 2011: NOTICE: SIGTERM received: stopping
Tue Feb 22 12:23:04 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
Tue Feb 22 12:23:04 2011: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
Tue Feb 22 12:23:04 2011: DEBUG: Creating authentication port <RAD IP>:1812
Tue Feb 22 12:23:04 2011: DEBUG: Creating accounting port <RAD IP>:1813
Tue Feb 22 12:23:04 2011: NOTICE: Server started: Radiator 4.7 on <hostname>
#############################################################################################
# SOME Access Request - Access Challenge - PEAP -> MSCHAP-V2 ################################
#############################################################################################
Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
*** Received from <WLC IP> port 32768 ....
Code: Access-Request
Identifier: 216
Authentic: <140>x<254>U/o<215><214>E<160><14><205><2><183><224><144>
Attributes:
User-Name = "mikem"
Calling-Station-Id = "<MAC AP>"
Called-Station-Id = "<MAC WLC>:Prueba"
NAS-Port = 13
NAS-IP-Address = <WLC IP>
NAS-Identifier = "<WLC 1>"
Airespace-WLAN-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 509
EAP-Message = <2><12><0>W<25><0><23><3><1><0>L<1>{<230><144><241><7>|@<227>X<193>?<17><222>Z<183><20><11>}m<160><236><181>OX<132><148>-<226><201><25>G<27><18><25><216>s<222>`_<203><154><14><227>[[<<166><180>q<135><162><154><211>wF<21><217><157>M<17><157><136><131>=<209><142><10><161><188><216><157><153>jo<201>
Message-Authenticator = L<19>b<233><240><218><211>k<155><135><167>aww<23><226>
Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC IP>"', Identifier 'EAP-PEAP'
Tue Feb 22 12:23:19 2011: DEBUG: Deleting session for mikem, <WLC IP>, 13
Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 12, 87, 25
Tue Feb 22 12:23:19 2011: DEBUG: Response type 25
Tue Feb 22 12:23:19 2011: DEBUG: EAP PEAP inner authentication request for anonymous
Tue Feb 22 12:23:19 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <26>Y<152><144><228><185>S'3w<207><248><200><4><170>^
Attributes:
EAP-Message = <2><12><0><<26><2><12><0>;1<177><183>Jv<24>KJ<169>I<169><31><140><251>,.<214><0><0><0><0><0><0><0><0>I<175>d<206><166><160>Gn-<233>Q<12>{<5><186><12><178><166><217><189><232><28><176>h<0>mikem
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = <WLC IP>
NAS-Identifier = "<WLC 1>"
NAS-Port = 13
Calling-Station-Id = "<MAC AP>"
User-Name = "anonymous"
Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC IP>",TunnelledByPEAP=1', Identifier 'EAP-MSCHAP-V2'
Tue Feb 22 12:23:19 2011: DEBUG: Deleting session for anonymous, <WLC IP>, 13
Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 12, 60, 26
Tue Feb 22 12:23:19 2011: DEBUG: Response type 26
Tue Feb 22 12:23:19 2011: DEBUG: Reading users file /etc/radiator/users
Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE looks for match with mikem [anonymous]
Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE ACCEPT: : mikem [anonymous]
Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP-V2 Authentication failure
Tue Feb 22 12:23:19 2011: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Tue Feb 22 12:23:19 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
Identifier: UNDEF
Authentic: <26>Y<152><144><228><185>S'3w<207><248><200><4><170>^
Attributes:
EAP-Message = <4><12><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
Tue Feb 22 12:23:19 2011: DEBUG: Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
*** Sending to <WLC IP> port 32768 ....
Code: Access-Challenge
Identifier: 216
Authentic: <20><212><236><140>G<192>iVF<225><234><248><165><239><128><171>
Attributes:
EAP-Message = <1><13><0>&<25><0><23><3><1><0><27>w<235><158><132><202><146><217><246><174><196><159><127><135><233><217>r<211><153><190><150>Hq<178>B<164><3><7>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
*** Received from <WLC IP> port 32768 ....
Code: Access-Request
Identifier: 217
Authentic: R<139><173><202><152><143>oz<172>R<195><214>z+<235>1
Attributes:
User-Name = "mikem"
Calling-Station-Id = "<MAC AP>"
Called-Station-Id = "<MAC WLC>:Prueba"
NAS-Port = 13
NAS-IP-Address = <WLC IP>
NAS-Identifier = "<WLC 1>"
Airespace-WLAN-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 509
EAP-Message = <2><13><0>&<25><0><23><3><1><0><27>z<1><138><217><25>S<183><234>'<1><162><214><176>x V<147>=<194>7<218><164><239>L<245>GO
Message-Authenticator = S<23><243>80<10><196>M<204><173><253><181><245><<227>U
Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC IP>"', Identifier 'EAP-PEAP'
Tue Feb 22 12:23:19 2011: DEBUG: Deleting session for mikem, <WLC IP>, 13
Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 13, 38, 25
Tue Feb 22 12:23:19 2011: DEBUG: Response type 25
Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 1, PEAP Authentication Failure
Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: REJECT, PEAP Authentication Failure
Tue Feb 22 12:23:19 2011: INFO: Access rejected for mikem: PEAP Authentication Failure
Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
*** Sending to <WLC IP> port 32768 ....
Code: Access-Reject
Identifier: 217
Authentic: $<9>N<172><128><12>v<252><235><204><183><194><31><142>Qi
Attributes:
EAP-Message = <4><13><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator
More information about the radiator
mailing list