[RADIATOR] AuthBy-File cannot match user

Heikki Vatiainen hvn at open.com.au
Wed Jul 27 16:26:46 CDT 2011


On 07/26/2011 06:14 PM, Roel Hoek wrote:

Hello Roel,

> We experience a problem with a handler for authenticating wireless LAN users. AuthBy FILE for PEAP-MSCHAPv2 cannot match a user if
> the outer and inner identity are not equal (the normal situation).
> It looks like the user file is searched by the outer identity, although the inner identity is used for authentication via LDAP.

Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section
"5.19.24 EAPAnonymous" for more info about EAPAnonymous.

Your inner Handler has an AuthBy FILE clause with NoEAP. Radiator will then
use the User-Name attribute instead of the EAP Identity to do the authentication.

With EAPAnonymous you can set the inner request's User-Name to the same
value as the EAP Identity.

Please let us know if this works for you.

Thanks!
Heikki


> For certain users we want a different reply item (Tunnel-Private-Group-ID = 1:131). Default users get "Tunnel-Private-Group-ID = 1:125".
> 
> 
> Is this a bug or a configuration error?
> 
> 
> 
> -------------------------------------------------------------------------------------
> part of logging:
> 
> Tue Jul 26 16:36:46 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  1<229>E<203><131>N'<132><236><210><232>)$<237>O<189>
> Attributes:
>         EAP-Message =
> <2><1><0>Q<26><2><1><0>L1:0<228><135><228><157>!<158>(-oL<26><178><213><199><0><0><0><0><0><0><0><0>>_<251>woZ;<156>-<13>r<204><W<179>DZ<173>,~<240>L<188><139><0>d3126217 at utwente.test2
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = 172.31.178.10
>         NAS-Identifier = "wlc-1"
>         NAS-Port = 13
>         Calling-Station-Id = "00271026a434"
>         User-Name = "jupiter at utwente.test2"
> 
> Tue Jul 26 16:36:46 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthGROUP:
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE looks for match with jupiter at utwente.test2 [jupiter at utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE REJECT: No such user: jupiter at utwente.test2 [jupiter at utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE looks for match with DEFAULT [jupiter at utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
> Tue Jul 26 16:36:46 2011: DEBUG: Response type 26
> Tue Jul 26 16:36:46 2011: DEBUG: Rewrote identity to d3126217
> Tue Jul 26 16:36:46 2011: DEBUG: Rewrote identity to d3126217
> Tue Jul 26 16:36:46 2011: DEBUG: Rewrote identity to d3126217
> Tue Jul 26 16:36:46 2011: INFO: Connecting to oid.utwente.nl:389
> Tue Jul 26 16:36:46 2011: INFO: Attempting to bind to LDAP server oid.utwente.nl:389
> Tue Jul 26 16:36:46 2011: DEBUG: LDAP got result for uid=d3126217, ou=Employees, bla bla bla
> Tue Jul 26 16:36:46 2011: DEBUG: LDAP got chappassword: {rcrypt}<------>
> Tue Jul 26 16:36:46 2011: DEBUG: LDAP got orclisenabled: ENABLED
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthLDAP2 looks for match with d3126217 [jupiter at utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 [jupiter at utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP V2 Challenge: Success: DEFAULT [jupiter at utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthGROUP:  result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
> Tue Jul 26 16:36:46 2011: DEBUG: AuthBy GROUP result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
> Tue Jul 26 16:36:46 2011: DEBUG: Access challenged for jupiter at utwente.test2: EAP MSCHAP V2 Challenge: Success
> Tue Jul 26 16:36:46 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Challenge
> Identifier: UNDEF
> Authentic:  1<229>E<203><131>N'<132><236><210><232>)$<237>O<189>
> Attributes:
>         EAP-Message = <1><2><0>=<26><3><1><0>8S=9B980A90DF101E2389BFC05B92F3DE116CBEEF18 M=success
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Tunnel-Type = 1:VLAN
>         Tunnel-Medium-Type = 1:Ether_802
>         Tunnel-Private-Group-ID = 1:125
> 
> Tue Jul 26 16:36:46 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: Access challenged for jupiter at utwente.test2: EAP PEAP inner authentication redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: Packet dump:
> *** Sending to 172.31.178.10 port 32770 ....
> Code:       Access-Challenge
> Identifier: 217
> Authentic:  <246>d:7<188><212>BEYlXK<20><156><19>*
> Attributes:
>         EAP-Message =
> <1><10><0>k<25><1><23><3><1><0>`<18><183><136><170><169><204><141>dst<231><150>w<150><165>6<!!<171>c?<173>L<200><135>?#<219>"f<142><165>G'h<192>q<168>(<246><249><247><140>6<152>X<215><22><23><227><197><1>d<31><193>`+<245>a<142><10><224><6>a<21><233>[&,<133>G<232><A<195><188><165>z<23><208><169>@<17><225><226>Q.<185><142>|,<6>f<14><229>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 
> Tue Jul 26 16:36:46 2011: DEBUG: Packet dump:
> *** Received from 172.31.178.10 port 32770 ....
> Code:       Access-Request
> Identifier: 218
> Authentic:  <231><3>)mlW<168><158>X<18>A<29><141>1<226><210>
> Attributes:
>         User-Name = "jupiter at utwente.test2"
>         Calling-Station-Id = "00271026a434"
>         Called-Station-Id = "001874d28d00:eduroam"
>         NAS-Port = 13
>         NAS-IP-Address = 172.31.178.10
>         NAS-Identifier = "wlc-1"
>         Airespace-WLAN-Id = 2
>         Service-Type = Framed-User
>         Framed-MTU = 1300
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Tunnel-Type = 0:VLAN
>         Tunnel-Medium-Type = 0:802
>         Tunnel-Private-Group-ID = 131
>         EAP-Message = <2><10><0>`<25><1><23><3><1><0>
> ~<235>4<196><203><245><217>q<228>Jw<175><207><200>,<200><223><<2>i:<149>]<169>G<24><253><154>+K<29>C<23><3><1><0>0<207>{<235>i<253>a7<214>\<13><250><189><190><217>\<228><130>U><4>$<29><131><163><230>L<149><230><136><235>*<242><237>q<241><217><181>a<169><254><0>\B<14><215><155>R<8>
>         Message-Authenticator = <214><202><221>j<3><11>~<177><153>z<217><183>D<149><211><135>
> 
> --
> Tue Jul 26 16:36:46 2011: DEBUG: Response type 25
> Tue Jul 26 16:36:46 2011: DEBUG: EAP PEAP inner authentication request for jupiter at utwente.test2
> Tue Jul 26 16:36:46 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <252><197>V?<232><180>fF<18>n<<176><151><212><141>n
> Attributes:
>         EAP-Message = <2><2><0><6><26><3>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = 172.31.178.10
>         NAS-Identifier = "wlc-1"
>         NAS-Port = 13
>         Calling-Station-Id = "00271026a434"
>         User-Name = "jupiter at utwente.test2"
> 
> Tue Jul 26 16:36:46 2011: DEBUG: Handling request with Handler 'Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 'PEAP-inner-utwente-test2'
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthGROUP:
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE looks for match with jupiter at utwente.test2 [jupiter at utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE REJECT: No such user: jupiter at utwente.test2 [jupiter at utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE looks for match with DEFAULT [jupiter at utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthLDAP2: productieoid-peap
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with EAP: code 2, 2, 6, 26
> Tue Jul 26 16:36:46 2011: DEBUG: Response type 26
> Tue Jul 26 16:36:46 2011: DEBUG: EAP result: 0,
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [jupiter at utwente.test2]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthGROUP:  result: ACCEPT,
> Tue Jul 26 16:36:46 2011: DEBUG: AuthBy GROUP result: ACCEPT,
> Tue Jul 26 16:36:46 2011: DEBUG: Access accepted for jupiter at utwente.test2
> Tue Jul 26 16:36:46 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <252><197>V?<232><180>fF<18>n<<176><151><212><141>n
> Attributes:
>         EAP-Message = <3><2><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Tunnel-Type = 1:VLAN
>         Tunnel-Medium-Type = 1:Ether_802
>         Tunnel-Private-Group-ID = 1:125
> 
> Tue Jul 26 16:36:46 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: Access challenged for jupiter at utwente.test2: EAP PEAP inner authentication redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: Packet dump:
> *** Sending to 172.31.178.10 port 32770 ....
> 
> -------------------------------------------------------------------------------------
> part of radiator.cfg:
> 
> # WLAN (utwente.test2) inner authentication (PEAP)
> #
> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
> 
>                 AuthByPolicy ContinueWhileReject
> 
>                 # Hook to set the Class attribute when not anonymous
>                 # (temporarily disabled): PreAuthHook file:"%D/hooks/anonymous.pl"
>                 AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>                 <AuthBy GROUP>
>                         AuthByPolicy ContinueWhileReject
> 
>                         <AuthBy FILE>
>                                 AuthenticateAttribute User-Name
>                                 RewriteUsername s/^([^@]+).*/$1/
>                                 RewriteUsername s/^\s*//
>                                 RewriteUsername s/\s*$//
>                                 Filename %D/users-wlan-peap
> 
>                                 # This tells the PEAP client what types of inner EAP requests
>                                 # we will honour
>                                 NoEAP
> 
>                         </AuthBy>
>                 </AuthBy>
> </Handler>
> 
> # WLAN outer authentication
> #
> <Handler Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
>         <AuthBy FILE>
>                 EAPType TTLS,PEAP
>                 EAPTLS_CAFile /etc/radiator/pki/CAs/chain.pem
>                 EAPTLS_CertificateFile /etc/radiator/pki/server/cert.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile /etc/radiator/pki/server/key.pem
>                 EAPTLS_PrivateKeyPassword <---------->
>                 EAPTLS_MaxFragmentSize 1024
>                 EAPTLS_SessionResumption 0
>                 AutoMPPEKeys
>                 EAPTLS_PEAPBrokenV1Label
>                 EAPTTLS_NoAckRequired
>                 # %U (and %u (with realm)) are the inner-auth username for PEAP
>                 EAPAnonymous %u
>         </AuthBy>
> 
>         # send the authorisation logging to:
>         AuthLog authlogging-wlan
>         Identifier WLAN-OUTER-TEST
>         Description WLAN
>         AuthLog authlogging-tent
> </Handler>
> -------------------------------------------------------------------------------------
> part of users-wlan-peap:
> 
> DEFAULT Auth-Type = productieoid-peap
>         Tunnel-Type = 1:VLAN,
>         Tunnel-Medium-Type = 1:Ether_802,
>         Tunnel-Private-Group-ID = 1:125
> 
> d3126217 Auth-Type = productieoid-peap
>          Tunnel-Type = 1:VLAN,
>          Tunnel-Medium-Type = 1:Ether_802,
>          Tunnel-Private-Group-ID = 1:131,
>          Login-LAT-Group = "qnet"
> 
-- 
Heikki Vatiainen <hvn at open.com.au>
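A small model of the lookup discussed above, added here as an illustration (not Radiator's code and not from the thread): it parses the quoted users-wlan-peap entries, applies the inner AuthBy FILE's RewriteUsername rules, and shows which entry matches when the inner User-Name is copied from the outer identity (EAPAnonymous %u) versus taken from the tunnelled EAP Identity (%0). The %u/%0 behaviour is modelled as the thread describes it, and the sample identities use a literal '@' where the archive shows ' at '; both are assumptions.

```python
import re

# Constructed copy of the users-wlan-peap entries quoted in the thread.
USERS_FILE = """\
DEFAULT Auth-Type = productieoid-peap
        Tunnel-Type = 1:VLAN,
        Tunnel-Medium-Type = 1:Ether_802,
        Tunnel-Private-Group-ID = 1:125

d3126217 Auth-Type = productieoid-peap
         Tunnel-Type = 1:VLAN,
         Tunnel-Medium-Type = 1:Ether_802,
         Tunnel-Private-Group-ID = 1:131,
         Login-LAT-Group = "qnet"
"""

# The three RewriteUsername rules of the inner AuthBy FILE, as (pattern, replacement).
REWRITES = [(r"^([^@]+).*", r"\1"), (r"^\s*", ""), (r"\s*$", "")]

def parse_users_file(text):
    """Return {name: {reply-item: value}}. The first line of an entry carries the
    name and check items; indented continuation lines carry the reply items."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.split()[0]
            users[current] = {}
        else:
            for item in line.strip().rstrip(",").split(","):
                key, value = item.split("=", 1)
                users[current][key.strip()] = value.strip().strip('"')
    return users

def rewrite(username):
    """Apply the RewriteUsername rules in order: strip realm, trim whitespace."""
    for pattern, replacement in REWRITES:
        username = re.sub(pattern, replacement, username)
    return username

def lookup(users, outer_identity, eap_identity, eap_anonymous):
    """AuthBy FILE with NoEAP matches on User-Name, then falls back to DEFAULT.
    Assumption from the thread: %u copies the outer User-Name into the inner
    request, %0 uses the tunnelled EAP Identity instead."""
    user_name = outer_identity if eap_anonymous == "%u" else eap_identity
    entry = rewrite(user_name)
    if entry not in users:
        entry = "DEFAULT"
    return entry, users[entry]["Tunnel-Private-Group-ID"]
```

With %u the lookup key is "jupiter" and only DEFAULT (VLAN 125) matches; with %0 it is "d3126217" and the per-user entry (VLAN 131) is returned.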