[RADIATOR] AuthBy-File cannot match user

Roel Hoek r.h.hoek at utwente.nl
Fri Jul 29 08:12:08 CDT 2011


Hi Heikki,

Thanks for your comment. Although it did not work.
I changed EAPAnonymous to %0. But now User-Name is "" and no handler can be found.


Fri Jul 29 13:32:06 2011: DEBUG: Handling request with Handler 'Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/', Identifier 'WLAN-OUTER-TEST'
Fri Jul 29 13:32:06 2011: DEBUG: Handling with Radius::AuthFILE:
Fri Jul 29 13:32:06 2011: DEBUG: Handling with EAP: code 2, 9, 112, 25
Fri Jul 29 13:32:06 2011: DEBUG: Response type 25
Fri Jul 29 13:32:06 2011: DEBUG: EAP PEAP inner authentication request for
Fri Jul 29 13:32:06 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <177>6<209>Wz<163><198><243><230>M<179><134><155><15><207><163>
Attributes:
        EAP-Message = <2><0><0><27><1>d3126217 at utwente.test2
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        NAS-IP-Address = 172.31.178.10
        NAS-Identifier = "wlc-1"
        NAS-Port = 13
        Calling-Station-Id = "00271026a434"
        User-Name = ""
Fri Jul 29 13:32:06 2011: DEBUG: EAP result: 1, No Handler for PEAP inner authentication
Fri Jul 29 13:32:06 2011: DEBUG: AuthBy FILE result: REJECT, No Handler for PEAP inner authentication
Fri Jul 29 13:32:06 2011: INFO: Access rejected for jupiter at utwente.test2: No Handler for PEAP inner authentication
Fri Jul 29 13:32:06 2011: DEBUG: Packet dump:
*** Sending to 172.31.178.10 port 32770 ....
Code:       Access-Reject

-------------------------------------------------------------------
<Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
        AuthByPolicy ContinueWhileReject
        AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
        <AuthBy FILE>
                RewriteUsername s/^([^@]+).*/$1/
                RewriteUsername s/^\s*//
                RewriteUsername s/\s*$//
                Filename %D/users-wlan-peap
                NoEAP
        </AuthBy>
        AuthLog authlogging-wlan-peap
        Identifier PEAP-inner-utwente-test2
        Description WLAN
        AuthLog authlogging-tent
</Handler>

<Handler Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
        <AuthBy FILE>
                EAPType TTLS,PEAP
                EAPTLS_CAFile
                EAPTLS_CertificateFile
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile
                EAPTLS_PrivateKeyPassword
                EAPTLS_MaxFragmentSize 1024
                EAPTLS_SessionResumption 0
                AutoMPPEKeys
                EAPTLS_PEAPBrokenV1Label
                EAPTTLS_NoAckRequired
                # %U (and %u (with realm)) are the inner-auth username for PEAP
                #EAPAnonymous %u
                EAPAnonymous %0
        </AuthBy>
        AuthLog authlogging-wlan
        Identifier WLAN-OUTER-TEST
        Description WLAN
        AuthLog authlogging-tent
</Handler>

> On 07/26/2011 06:14 PM, Roel Hoek wrote:
> 
> Hello Roel,
> 
>> We experience a problem with a handler for authenticating wireless-lan users. AuthBy-File for a PEAP-mschapV2 cannot match a user if
>> the outer and inner identity are not equal (normal situation).
>> It looks like the userfile is searched by the outer-identity, although the inner-identity is used for authentication via LDAP.
> 
> Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section
> "5.19.24 EAPAnonymous" for more info about EAPAnonymous.
> 
> Your inner Handler has AuthBy FILE clause with NoEAP. Radiator will then
> use User-Name attribute instead of EAP Identity to do the authentication.
> 
> With EAPAnonymous you can set the inner request User-Name the same as
> the EAP Identity is.
> 
> Please let us know if this works for you.
> 
> Thanks!
> Heikki
> 

-- 

Regards,

Roel Hoek
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
Telephone +31 53 489 4598, Fax +31 53 489 2383
R.H.Hoek at utwente.nl; http://www.utwente.nl/icts
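The handler-selection failure shown in the log above can be reproduced offline with a small Python model. This is an added example, not Radiator code and not part of the original message: it parses the packet-dump attributes, decodes the EAP Identity from the EAP-Message bytes, applies the three RewriteUsername rules from the inner Handler, and selects a Handler with a simplified model of Radiator's matching (the Realm criterion is tested against the part of User-Name after '@', and the first Handler in config order whose criteria all match wins). The sample dump and the handler table are constructed from the message; the client identifier WLANATUT-ID and the '@' in the identity (the list archive prints it as "at") are assumptions.

```python
import re

# Constructed sample, modelled on the PEAP tunnelled-request dump in the
# message above. The archive prints "@" as " at "; the "@" here is assumed.
TUNNELLED_DUMP = """\
Code:       Access-Request
Attributes:
        EAP-Message = <2><0><0><27><1>d3126217@utwente.test2
        NAS-Identifier = "wlc-1"
        Calling-Station-Id = "00271026a434"
        User-Name = ""
"""

# The two Handler clauses from the message, reduced to their selection
# criteria. Config order matters: the first Handler whose criteria all
# match is used (simplified model of Radiator's behaviour, not its code).
HANDLERS = [
    {"identifier": "PEAP-inner-utwente-test2", "realm": "utwente.test2",
     "client": "/^WLANATUT-ID$|^LOCALHOST-ID$/", "tunnelled": True},
    {"identifier": "WLAN-OUTER-TEST", "realm": "/utwente.test|utwente.test2/",
     "client": "/^WLANATUT-ID$|^LOCALHOST-ID$/", "tunnelled": None},
]

# RewriteUsername rules of the inner AuthBy FILE, in the order configured.
REWRITE_RULES = [r"s/^([^@]+).*/$1/", r"s/^\s*//", r"s/\s*$//"]


def parse_attributes(dump):
    """Return the 'Name = value' attribute lines of a packet dump as a dict."""
    attrs = {}
    for line in dump.splitlines():
        m = re.match(r'^\s+([\w-]+) = (.*)$', line)
        if m:
            name, value = m.groups()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]          # strip the quoting of string attributes
            attrs[name] = value
    return attrs


def eap_identity(eap_message):
    """Decode the <byte> dump notation and return the EAP Identity payload,
    or None if the message is not an EAP Response (code 2) / Identity (type 1)."""
    data = bytearray()
    for tok in re.finditer(r'<(\d+)>|(.)', eap_message):
        if tok.group(1):
            data.append(int(tok.group(1)))
        else:
            data.extend(tok.group(2).encode("latin-1", "replace"))
    if len(data) < 5:
        return None
    code, length, eap_type = data[0], (data[2] << 8) | data[3], data[4]
    if code != 2 or eap_type != 1 or length > len(data):
        return None
    return data[5:length].decode("ascii", "replace")


def matches(spec, value):
    """A Handler criterion written as /.../ is a regex; anything else is literal."""
    if spec.startswith("/") and spec.endswith("/"):
        return re.search(spec[1:-1], value) is not None
    return spec == value


def select_handler(user_name, client_identifier, tunnelled_by_peap):
    """Pick the first Handler whose Realm, Client-Identifier and
    TunnelledByPEAP criteria all match; None means 'No Handler'."""
    realm = user_name.partition("@")[2]      # "" when User-Name has no realm
    for h in HANDLERS:
        if h["tunnelled"] is not None and h["tunnelled"] != tunnelled_by_peap:
            continue
        if matches(h["realm"], realm) and matches(h["client"], client_identifier):
            return h["identifier"]
    return None


def rewrite_username(name, rules=REWRITE_RULES):
    """Apply Perl-style s/pat/repl/ rules in order ($N becomes \\N for re.sub).
    Patterns containing a literal '/' are not supported by this toy parser."""
    for rule in rules:
        _, pat, repl, _ = rule.split("/")
        name = re.sub(pat, re.sub(r"\$(\d+)", r"\\\1", repl), name)
    return name


def diagnose(dump, client_identifier="WLANATUT-ID"):
    """Reproduce the failure: the tunnelled request carries an EAP Identity but
    an empty User-Name, so no inner Handler matches. Returns
    (identity, handler_for_user_name, handler_if_identity_were_user_name, file_key)."""
    attrs = parse_attributes(dump)
    identity = eap_identity(attrs.get("EAP-Message", "")) or ""
    as_is = select_handler(attrs.get("User-Name", ""), client_identifier, True)
    with_identity = select_handler(identity, client_identifier, True)
    return identity, as_is, with_identity, rewrite_username(identity)


if __name__ == "__main__":
    identity, as_is, with_identity, key = diagnose(TUNNELLED_DUMP)
    print(f"EAP Identity        : {identity!r}")
    print(f"Handler for User-Name '' : {as_is}")
    print(f"Handler if User-Name = identity : {with_identity}")
    print(f"users-file lookup key after RewriteUsername : {key!r}")
```

Running it shows the two halves of the problem side by side: with User-Name "" the realm is empty and no Handler matches, exactly as the "No Handler for PEAP inner authentication" line reports, whereas the identity carried in EAP-Message would match the inner Handler and, after the RewriteUsername rules, be looked up in the users file as the bare login name.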

