[RADIATOR] AuthBy-File cannot match user
Roel Hoek
r.h.hoek@utwente.nl
Tue Jul 26 10:14:50 CDT 2011
Hi,
We are experiencing a problem with a handler for authenticating wireless LAN users: AuthBy FILE for PEAP-MSCHAPv2 cannot match a user if
the outer and inner identity are not equal (the normal situation).
It looks like the user file is searched by the outer identity, although the inner identity is used for authentication via LDAP.
For certain users we want a different reply item (Tunnel-Private-Group-ID = 1:131). Default users get "Tunnel-Private-Group-ID = 1:125".
Is this a bug or a configuration error?
-------------------------------------------------------------------------------------
part of the log:
Tue Jul 26 16:36:46 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: 1<229>E<203><131>N'<132><236><210><232>)$<237>O<189>
Attributes:
EAP-Message = <2><1><0>Q<26><2><1><0>L1:0<228><135><228><157>!<158>(-oL<26><178><213><199><0><0><0><0><0><0><0><0>>_<251>woZ;<156>-<13>r<204><W<179>DZ<173>,~<240>L<188><139><0>d3126217@utwente.test2
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = 172.31.178.10
NAS-Identifier = "wlc-1"
NAS-Port = 13
Calling-Station-Id = "00271026a434"
User-Name = "jupiter@utwente.test2"
Tue Jul 26 16:36:46 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthGROUP:
Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthFILE:
Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE looks for match with jupiter@utwente.test2 [jupiter@utwente.test2]
Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE REJECT: No such user: jupiter@utwente.test2 [jupiter@utwente.test2]
Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE looks for match with DEFAULT [jupiter@utwente.test2]
Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
Tue Jul 26 16:36:46 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
Tue Jul 26 16:36:46 2011: DEBUG: Response type 26
Tue Jul 26 16:36:46 2011: DEBUG: Rewrote identity to d3126217
Tue Jul 26 16:36:46 2011: DEBUG: Rewrote identity to d3126217
Tue Jul 26 16:36:46 2011: DEBUG: Rewrote identity to d3126217
Tue Jul 26 16:36:46 2011: INFO: Connecting to oid.utwente.nl:389
Tue Jul 26 16:36:46 2011: INFO: Attempting to bind to LDAP server oid.utwente.nl:389
Tue Jul 26 16:36:46 2011: DEBUG: LDAP got result for uid=d3126217, ou=Employees, bla bla bla
Tue Jul 26 16:36:46 2011: DEBUG: LDAP got chappassword: {rcrypt}<------>
Tue Jul 26 16:36:46 2011: DEBUG: LDAP got orclisenabled: ENABLED
Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [jupiter@utwente.test2]
Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [jupiter@utwente.test2]
Tue Jul 26 16:36:46 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP V2 Challenge: Success: DEFAULT [jupiter@utwente.test2]
Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthGROUP: result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Tue Jul 26 16:36:46 2011: DEBUG: AuthBy GROUP result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Tue Jul 26 16:36:46 2011: DEBUG: Access challenged for jupiter@utwente.test2: EAP MSCHAP V2 Challenge: Success
Tue Jul 26 16:36:46 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Challenge
Identifier: UNDEF
Authentic: 1<229>E<203><131>N'<132><236><210><232>)$<237>O<189>
Attributes:
EAP-Message = <1><2><0>=<26><3><1><0>8S=9B980A90DF101E2389BFC05B92F3DE116CBEEF18 M=success
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tunnel-Type = 1:VLAN
Tunnel-Medium-Type = 1:Ether_802
Tunnel-Private-Group-ID = 1:125
Tue Jul 26 16:36:46 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
Tue Jul 26 16:36:46 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
Tue Jul 26 16:36:46 2011: DEBUG: Access challenged for jupiter@utwente.test2: EAP PEAP inner authentication redispatched to a Handler
Tue Jul 26 16:36:46 2011: DEBUG: Packet dump:
*** Sending to 172.31.178.10 port 32770 ....
Code: Access-Challenge
Identifier: 217
Authentic: <246>d:7<188><212>BEYlXK<20><156><19>*
Attributes:
EAP-Message = <1><10><0>k<25><1><23><3><1><0>`<18><183><136><170><169><204><141>dst<231><150>w<150><165>6<!!<171>c?<173>L<200><135>?#<219>"f<142><165>G'h<192>q<168>(<246><249><247><140>6<152>X<215><22><23><227><197><1>d<31><193>`+<245>a<142><10><224><6>a<21><233>[&,<133>G<232><A<195><188><165>z<23><208><169>@<17><225><226>Q.<185><142>|,<6>f<14><229>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tue Jul 26 16:36:46 2011: DEBUG: Packet dump:
*** Received from 172.31.178.10 port 32770 ....
Code: Access-Request
Identifier: 218
Authentic: <231><3>)mlW<168><158>X<18>A<29><141>1<226><210>
Attributes:
User-Name = "jupiter@utwente.test2"
Calling-Station-Id = "00271026a434"
Called-Station-Id = "001874d28d00:eduroam"
NAS-Port = 13
NAS-IP-Address = 172.31.178.10
NAS-Identifier = "wlc-1"
Airespace-WLAN-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 131
EAP-Message = <2><10><0>`<25><1><23><3><1><0>~<235>4<196><203><245><217>q<228>Jw<175><207><200>,<200><223><<2>i:<149>]<169>G<24><253><154>+K<29>C<23><3><1><0>0<207>{<235>i<253>a7<214>\<13><250><189><190><217>\<228><130>U><4>$<29><131><163><230>L<149><230><136><235>*<242><237>q<241><217><181>a<169><254><0>\B<14><215><155>R<8>
Message-Authenticator = <214><202><221>j<3><11>~<177><153>z<217><183>D<149><211><135>
--
Tue Jul 26 16:36:46 2011: DEBUG: Response type 25
Tue Jul 26 16:36:46 2011: DEBUG: EAP PEAP inner authentication request for jupiter@utwente.test2
Tue Jul 26 16:36:46 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <252><197>V?<232><180>fF<18>n<<176><151><212><141>n
Attributes:
EAP-Message = <2><2><0><6><26><3>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = 172.31.178.10
NAS-Identifier = "wlc-1"
NAS-Port = 13
Calling-Station-Id = "00271026a434"
User-Name = "jupiter@utwente.test2"
Tue Jul 26 16:36:46 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthGROUP:
Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthFILE:
Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE looks for match with jupiter@utwente.test2 [jupiter@utwente.test2]
Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE REJECT: No such user: jupiter@utwente.test2 [jupiter@utwente.test2]
Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE looks for match with DEFAULT [jupiter@utwente.test2]
Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
Tue Jul 26 16:36:46 2011: DEBUG: Handling with EAP: code 2, 2, 6, 26
Tue Jul 26 16:36:46 2011: DEBUG: Response type 26
Tue Jul 26 16:36:46 2011: DEBUG: EAP result: 0,
Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [jupiter@utwente.test2]
Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthGROUP: result: ACCEPT,
Tue Jul 26 16:36:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
Tue Jul 26 16:36:46 2011: DEBUG: Access accepted for jupiter@utwente.test2
Tue Jul 26 16:36:46 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Accept
Identifier: UNDEF
Authentic: <252><197>V?<232><180>fF<18>n<<176><151><212><141>n
Attributes:
EAP-Message = <3><2><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Tunnel-Type = 1:VLAN
Tunnel-Medium-Type = 1:Ether_802
Tunnel-Private-Group-ID = 1:125
Tue Jul 26 16:36:46 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
Tue Jul 26 16:36:46 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
Tue Jul 26 16:36:46 2011: DEBUG: Access challenged for jupiter@utwente.test2: EAP PEAP inner authentication redispatched to a Handler
Tue Jul 26 16:36:46 2011: DEBUG: Packet dump:
*** Sending to 172.31.178.10 port 32770 ....
-------------------------------------------------------------------------------------
part of radiator.cfg:
# WLAN (utwente.test2) inner authentication (PEAP)
#
<Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
    AuthByPolicy ContinueWhileReject
    # Hook to set the Class attribute when the user is not anonymous
    # (temp disabled):PreAuthHook file:"%D/hooks/anonymous.pl"
    AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileReject
        <AuthBy FILE>
            AuthenticateAttribute User-Name
            RewriteUsername s/^([^@]+).*/$1/
            RewriteUsername s/^\s*//
            RewriteUsername s/\s*$//
            Filename %D/users-wlan-peap
            # This tells the PEAP client what types of inner EAP requests
            # we will honour
            NoEAP
        </AuthBy>
    </AuthBy>
</Handler>
# WLAN outer authentication
#
<Handler Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
    <AuthBy FILE>
        EAPType TTLS,PEAP
        EAPTLS_CAFile /etc/radiator/pki/CAs/chain.pem
        EAPTLS_CertificateFile /etc/radiator/pki/server/cert.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/pki/server/key.pem
        EAPTLS_PrivateKeyPassword <---------->
        EAPTLS_MaxFragmentSize 1024
        EAPTLS_SessionResumption 0
        AutoMPPEKeys
        EAPTLS_PEAPBrokenV1Label
        EAPTTLS_NoAckRequired
        # %U (and %u (with realm)) are the inner-auth username for PEAP
        EAPAnonymous %u
    </AuthBy>
    # send the authorisation logging to:
    AuthLog authlogging-wlan
    Identifier WLAN-OUTER-TEST
    Description WLAN
    AuthLog authlogging-tent
</Handler>
-------------------------------------------------------------------------------------
part of users-wlan-peap:
DEFAULT Auth-Type = productieoid-peap
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:125

d3126217 Auth-Type = productieoid-peap
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:131,
        Login-LAT-Group = "qnet"
--
Kind regards,
Roel Hoek
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
Telephone +31 53 489 4598, Fax +31 53 489 2383
R.H.Hoek@utwente.nl; http://www.utwente.nl/icts
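The following is an added illustration of the question in the post above; it is example code written for this page, not code from the poster or from Radiator. It emulates the lookup the log shows: a simplified parser for the users-file excerpt (assumed: values contain no embedded commas, reply items are on indented lines), the three RewriteUsername rules applied with Python's re.sub in place of Perl's s///, and an AuthBy FILE-style match that falls back to DEFAULT. The point it makes explicit is why keying on the inner identity matters: the outer User-Name is supplied by the client and is never authenticated (only the inner identity is checked against LDAP), so reply items selected by the outer name, such as the VLAN in Tunnel-Private-Group-ID, would be client-selectable. The sample users file below is constructed from the excerpt in the post.

```python
import re

# Constructed sample in the Radiator users-file format, modelled on the
# users-wlan-peap excerpt in the post (not the poster's real file).
USERS_FILE = """\
DEFAULT Auth-Type = productieoid-peap
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:125

d3126217 Auth-Type = productieoid-peap
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:131,
        Login-LAT-Group = "qnet"
"""

# The three RewriteUsername rules from the inner handler, as Python re
# patterns (Python's re.sub stands in for Perl's s///).
REWRITES = [
    (r"^([^@]+).*", r"\1"),   # drop "@realm"
    (r"^\s*", ""),            # trim leading whitespace
    (r"\s*$", ""),            # trim trailing whitespace
]


def parse_items(text):
    """Parse 'Attr = value, Attr2 = "v2"' into a dict.

    Simplified (assumption): a value may not itself contain a comma.
    """
    items = {}
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        items[key.strip()] = value.strip().strip('"')
    return items


def parse_users_file(text):
    """Return an ordered list of entries: {name, check, reply}.

    A line starting in column 0 opens an entry (username followed by
    check items); indented lines carry that entry's reply items.
    """
    entries = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":
            name, _, check = line.partition(" ")
            current = {"name": name, "check": parse_items(check), "reply": {}}
            entries.append(current)
        else:
            if current is None:
                raise ValueError("reply item before any user entry")
            current["reply"].update(parse_items(line))
    return entries


def rewrite_username(name):
    """Apply the RewriteUsername rules in order."""
    for pattern, repl in REWRITES:
        name = re.sub(pattern, repl, name)
    return name


def lookup(entries, username):
    """Emulate AuthBy FILE: exact name first, then the DEFAULT entry."""
    key = rewrite_username(username)
    for wanted in (key, "DEFAULT"):
        for entry in entries:
            if entry["name"] == wanted:
                return entry
    return None


def vlan_for(entries, outer_identity, inner_identity, key_on_inner):
    """Tunnel-Private-Group-ID the file would return for one session.

    key_on_inner=False reproduces what the log shows (the outer User-Name
    is looked up); key_on_inner=True looks up the identity that was
    actually authenticated against LDAP.
    """
    ident = inner_identity if key_on_inner else outer_identity
    entry = lookup(entries, ident)
    return entry["reply"].get("Tunnel-Private-Group-ID") if entry else None


if __name__ == "__main__":
    users = parse_users_file(USERS_FILE)
    outer, inner = "jupiter@utwente.test2", "d3126217@utwente.test2"
    print("keyed on outer:", vlan_for(users, outer, inner, False))  # 1:125
    print("keyed on inner:", vlan_for(users, outer, inner, True))   # 1:131
    # The outer identity is chosen by the client and never authenticated:
    print("spoofed outer:", vlan_for(users, "d3126217@x", "jupiter@x", False))  # 1:131
```

Run as a script it prints the three cases: the post's situation (outer jupiter, inner d3126217) yields the DEFAULT VLAN 125 when the file is keyed on the outer name and 131 when keyed on the inner name, and a client that simply sets its outer identity to d3126217 while authenticating as someone else would get VLAN 131 under outer-name keying. Whether Radiator applies the RewriteUsername rules to the outer or the inner User-Name in this configuration is exactly the question the post raises; the emulation only shows what each choice implies.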