[RADIATOR] PEAP Anonymous Hook

Heikki Vatiainen hvn at open.com.au
Wed Feb 23 01:56:26 CST 2011


On 02/22/2011 04:57 PM, Raúl Tejeda Calero wrote:

> I finally fixed the problem: as Mikem showed in the eap_anon_hook, my client sends "[anonymous] <user>" when I try to handle PEAP.

Sorry, did not fully understand the above, but about the log message:
Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE looks for match with mikem [anonymous]

Here "mikem" is the actual username that is used for looking up user
information. "[anonymous]" is the original username from the request.

In other words, "mikem" is what should be in the AuthBy FILE file.

> I want to use the eap_anon_hook, but I don't understand how it works.

That is used to match authentication messages to their related
accounting messages. With PEAP, for example, the WLAN AP or controller
sees only the outer identity, such as @example.com. The real identity,
for example hvn at example.com, is part of MSCHAPv2 and is known only by
the client and the RADIUS server.

This hook modifies the accounting requests the WLAN AP or controller
sends and changes User-Name @example.com to hvn at example.com.

So it does not help with your authentication problem.

> Where is the hook located? Does it work with Active Directory?

The hook is in the goodies/ directory. You can use it with any AuthBy.

> Thanks in advance!
> 
> Raúl Tejeda
> ________________________________________
> From: radiator-bounces at open.com.au [radiator-bounces at open.com.au] On behalf of Raúl Tejeda Calero [raul.tejeda at satec.es]
> Sent: Tuesday, 22 February 2011 11:45
> To: Heikki Vatiainen
> CC: radiator at open.com.au
> Subject: Re: [RADIATOR] PEAP Unknown Problem
> 
> Hello, I'm here again.
> 
>> It looks better, but doesn't work. Now the challenge passes through to the MSCHAP-V2 Handler, but it shows the same error message:
> 
>> Christian already took care of most issues, I'll try to continue.
> 
>> You are currently using RewriteUsername. That may cause problems if
>> Radiator and the client calculate MSCHAPv2 challenges and responses
>> using different (original and rewritten) usernames.
> 
>> However, it looks like you are using mikem as the username and it does
>> not get changed. Or is mikem exactly what you use with your client? You
>> may try commenting out RewriteUsername while you do testing.
> 
> I have tried it, using RewriteUsername with $1 (mikem), $2 (anonymous), and without RewriteUsername. The result was the same.
> 
>> About your clients file. If you really had this:
>> mikem user-password = xxxxx
>> you would get an error since user-name is not written as User-Password.
>> The error would be something like this: "Check item user-password
>> expression 'password' does not match '' in request" for a line like this
>> in the users file:
>> mikem user-password = "password"
> 
> Sorry, it was a writing mistake. My user file is correct and works with AAA.
> 
> Any troubleshooting idea?
> 
>  Regards and thanks in advance,
>  Raúl Tejeda
> 
> New Radius.cfg:
>> ######################################################################################################
>>
>> # basic configuration
>> # inner auth with MS-CHAP-V2
>> <Handler NAS-IP-Address="<IP-WLC>",TunnelledByPEAP=1>
>>         Identifier EAP-MSCHAP-V2
>>         <AuthBy FILE>
>>                 EAPType MSCHAP-V2
>>                 Filename %D/users
>>         </AuthBy>
>> </Handler>
>>
>> # outer auth with just PEAP
>> <Handler NAS-IP-Address="<IP-WLC>">
>>         Identifier EAP-PEAP
>>         <AuthBy FILE>
>>                 EAPType PEAP
>>                 Filename %D/users-eap
>>                 EAPTLS_CAFile %D/certificados/CA.pem
>>                 EAPTLS_CAPath %D/certificados
>>                 EAPTLS_CertificateFile %D/certificados/Serv.pem
>>                 EAPTLS_CertificateType PEM
>>                 EAPTLS_PrivateKeyFile %D/certificados/Serv.key
>>                 EAPTLS_MaxFragmentSize 1000
>>         </AuthBy>
>> </Handler>
>>
> 
> 
> New logfile:
> ######################################################################################################
> Tue Feb 22 12:23:03 2011: NOTICE: SIGTERM received: stopping
> Tue Feb 22 12:23:04 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Tue Feb 22 12:23:04 2011: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Tue Feb 22 12:23:04 2011: DEBUG: Creating authentication port <RAD IP>:1812
> Tue Feb 22 12:23:04 2011: DEBUG: Creating accounting port <RAD IP>:1813
> Tue Feb 22 12:23:04 2011: NOTICE: Server started: Radiator 4.7 on <hostname>
> 
> #############################################################################################
> # SOME Access Request - Access Challenge - PEAP -> MSCHAP-V2 ################################
> #############################################################################################
> 
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Received from <WLC IP> port 32768 ....
> Code:       Access-Request
> Identifier: 216
> Authentic:  <140>x<254>U/o<215><214>E<160><14><205><2><183><224><144>
> Attributes:
>         User-Name = "mikem"
>         Calling-Station-Id = "<MAC AP>"
>         Called-Station-Id = "<MAC WLC>:Prueba"
>         NAS-Port = 13
>         NAS-IP-Address = <WLC IP>
>         NAS-Identifier = "<WLC 1>"
>         Airespace-WLAN-Id = 4
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Tunnel-Type = 0:VLAN
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 509
>         EAP-Message = <2><12><0>W<25><0><23><3><1><0>L<1>{<230><144><241><7>|@<227>X<193>?<17><222>Z<183><20><11>}m<160><236><181>OX<132><148>-<226><201><25>G<27><18><25><216>s<222>`_<203><154><14><227>[[<<166><180>q<135><162><154><211>wF<21><217><157>M<17><157><136><131>=<209><142><10><161><188><216><157><153>jo<201>
>         Message-Authenticator = L<19>b<233><240><218><211>k<155><135><167>aww<23><226>
> 
> Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC IP>"', Identifier 'EAP-PEAP'
> Tue Feb 22 12:23:19 2011: DEBUG:  Deleting session for mikem, <WLC IP>, 13
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 12, 87, 25
> Tue Feb 22 12:23:19 2011: DEBUG: Response type 25
> Tue Feb 22 12:23:19 2011: DEBUG: EAP PEAP inner authentication request for anonymous
> Tue Feb 22 12:23:19 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <26>Y<152><144><228><185>S'3w<207><248><200><4><170>^
> Attributes:
>         EAP-Message = <2><12><0><<26><2><12><0>;1<177><183>Jv<24>KJ<169>I<169><31><140><251>,.<214><0><0><0><0><0><0><0><0>I<175>d<206><166><160>Gn-<233>Q<12>{<5><186><12><178><166><217><189><232><28><176>h<0>mikem
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = <WLC IP>
>         NAS-Identifier = "<WLC 1>"
>         NAS-Port = 13
>         Calling-Station-Id = "<MAC AP>"
>         User-Name = "anonymous"
> 
> Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC IP>",TunnelledByPEAP=1', Identifier 'EAP-MSCHAP-V2'
> Tue Feb 22 12:23:19 2011: DEBUG:  Deleting session for anonymous, <WLC IP>, 13
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 12, 60, 26
> Tue Feb 22 12:23:19 2011: DEBUG: Response type 26
> Tue Feb 22 12:23:19 2011: DEBUG: Reading users file /etc/radiator/users
> Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE looks for match with mikem [anonymous]
> Tue Feb 22 12:23:19 2011: DEBUG: Radius::AuthFILE ACCEPT: : mikem [anonymous]
> Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP-V2 Authentication failure
> Tue Feb 22 12:23:19 2011: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
> Tue Feb 22 12:23:19 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Reject
> Identifier: UNDEF
> Authentic:  <26>Y<152><144><228><185>S'3w<207><248><200><4><170>^
> Attributes:
>         EAP-Message = <4><12><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"
> 
> Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 22 12:23:19 2011: DEBUG: Access challenged for mikem: EAP PEAP inner authentication redispatched to a Handler
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Sending to <WLC IP> port 32768 ....
> Code:       Access-Challenge
> Identifier: 216
> Authentic:  <20><212><236><140>G<192>iVF<225><234><248><165><239><128><171>
> Attributes:
>         EAP-Message = <1><13><0>&<25><0><23><3><1><0><27>w<235><158><132><202><146><217><246><174><196><159><127><135><233><217>r<211><153><190><150>Hq<178>B<164><3><7>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Received from <WLC IP> port 32768 ....
> Code:       Access-Request
> Identifier: 217
> Authentic:  R<139><173><202><152><143>oz<172>R<195><214>z+<235>1
> Attributes:
>         User-Name = "mikem"
>         Calling-Station-Id = "<MAC AP>"
>         Called-Station-Id = "<MAC WLC>:Prueba"
>         NAS-Port = 13
>         NAS-IP-Address = <WLC IP>
>         NAS-Identifier = "<WLC 1>"
>         Airespace-WLAN-Id = 4
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Tunnel-Type = 0:VLAN
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 509
>         EAP-Message = <2><13><0>&<25><0><23><3><1><0><27>z<1><138><217><25>S<183><234>'<1><162><214><176>x V<147>=<194>7<218><164><239>L<245>GO
>         Message-Authenticator = S<23><243>80<10><196>M<204><173><253><181><245><<227>U
> 
> Tue Feb 22 12:23:19 2011: DEBUG: Handling request with Handler 'NAS-IP-Address="<WLC IP>"', Identifier 'EAP-PEAP'
> Tue Feb 22 12:23:19 2011: DEBUG:  Deleting session for mikem, <WLC IP>, 13
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Feb 22 12:23:19 2011: DEBUG: Handling with EAP: code 2, 13, 38, 25
> Tue Feb 22 12:23:19 2011: DEBUG: Response type 25
> Tue Feb 22 12:23:19 2011: DEBUG: EAP result: 1, PEAP Authentication Failure
> Tue Feb 22 12:23:19 2011: DEBUG: AuthBy FILE result: REJECT, PEAP Authentication Failure
> Tue Feb 22 12:23:19 2011: INFO: Access rejected for mikem: PEAP Authentication Failure
> Tue Feb 22 12:23:19 2011: DEBUG: Packet dump:
> *** Sending to <WLC IP> port 32768 ....
> Code:       Access-Reject
> Identifier: 217
> Authentic:  $<9>N<172><128><12>v<252><235><204><183><194><31><142>Qi
> Attributes:
>         EAP-Message = <4><13><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
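An added illustration of the two points made above (how to read the "mikem [anonymous]" lookup line, and what an anonymous-identity accounting hook has to do). This is my own model in Python, not Radiator's goodies/eap_anon_hook.pl and not its hook API; packets are plain dicts and the session key attributes are an assumption about what a WLAN controller repeats in both authentication and accounting traffic.

```python
# Model of the PEAP anonymous-identity accounting fix described above.
# Constructed example, not Radiator's goodies/eap_anon_hook.pl nor its API:
# packets are plain dicts, and the session key (NAS-IP-Address, NAS-Port,
# Calling-Station-Id) is an assumption about what the controller repeats.
import re
from typing import Dict, Optional, Tuple

Packet = Dict[str, str]
SessionKey = Tuple[str, str, str]

LOOKUP_RE = re.compile(r"AuthFILE looks for match with (\S+) \[(.*)\]$")


def parse_lookup_line(line: str) -> Optional[Tuple[str, str]]:
    """Split 'looks for match with mikem [anonymous]' into
    (username used for the lookup, original User-Name from the request)."""
    m = LOOKUP_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def session_key(pkt: Packet) -> SessionKey:
    return (pkt["NAS-IP-Address"], str(pkt["NAS-Port"]), pkt["Calling-Station-Id"])


class AnonIdentityMap:
    """Remembers the inner (MSCHAPv2) identity per session so that accounting
    requests carrying only the outer identity can be rewritten."""

    def __init__(self) -> None:
        self._inner: Dict[SessionKey, str] = {}

    def record_inner_identity(self, outer_pkt: Packet, inner_user: str) -> None:
        # Call this when the tunnelled inner authentication has been accepted.
        self._inner[session_key(outer_pkt)] = inner_user

    def rewrite_accounting(self, acct_pkt: Packet) -> Packet:
        """Return a copy of the Accounting-Request with User-Name replaced by
        the inner identity; sessions never seen in auth pass through untouched."""
        out = dict(acct_pkt)
        key = session_key(acct_pkt)
        inner = self._inner.get(key)
        if inner is not None:
            out["User-Name"] = inner
            if acct_pkt.get("Acct-Status-Type") == "Stop":
                del self._inner[key]  # session over, forget the mapping
        return out
```

Accounting from a NAS port that never completed an authentication is left alone, so a missing mapping shows up in the accounting data as the bare outer identity rather than as a wrong user.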
