[RADIATOR] AuthBy-File cannot match user

Heikki Vatiainen hvn at open.com.au
Sat Jul 30 01:19:19 CDT 2011


On 07/29/2011 04:12 PM, Roel Hoek wrote:

> Thanks for your comment. Although it did not work.
> I changed EAPAnonymous to %0. But now Username is "" and no handler can be found.

Unfortunately that's true. Taking another look at the configuration, the
reason for this is the NoEAP option. Since EAP is not run for the inner
authentication, the EAP identity will not be available.

Going back to your original configuration, would replacing "NoEAP" with
"EAPType MSCHAP-V2" work? EAP MSCHAP-V2 will work fine with AuthBy FILE.

Thanks!
Heikki


> Fri Jul 29 13:32:06 2011: DEBUG: Handling request with Handler 'Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/', Identifier 'WLAN-OUTER-TEST'
> Fri Jul 29 13:32:06 2011: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 29 13:32:06 2011: DEBUG: Handling with EAP: code 2, 9, 112, 25
> Fri Jul 29 13:32:06 2011: DEBUG: Response type 25
> Fri Jul 29 13:32:06 2011: DEBUG: EAP PEAP inner authentication request for
> Fri Jul 29 13:32:06 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  <177>6<209>Wz<163><198><243><230>M<179><134><155><15><207><163>
> Attributes:
>         EAP-Message = <2><0><0><27><1>d3126217 at utwente.test2
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         NAS-IP-Address = 172.31.178.10
>         NAS-Identifier = "wlc-1"
>         NAS-Port = 13
>         Calling-Station-Id = "00271026a434"
>         User-Name = ""
> Fri Jul 29 13:32:06 2011: DEBUG: EAP result: 1, No Handler for PEAP inner authentication
> Fri Jul 29 13:32:06 2011: DEBUG: AuthBy FILE result: REJECT, No Handler for PEAP inner authentication
> Fri Jul 29 13:32:06 2011: INFO: Access rejected for jupiter at utwente.test2: No Handler for PEAP inner authentication
> Fri Jul 29 13:32:06 2011: DEBUG: Packet dump:
> *** Sending to 172.31.178.10 port 32770 ....
> Code:       Access-Reject
> 
> -------------------------------------------------------------------
> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>                 AuthByPolicy ContinueWhileReject
>                 AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
>                         <AuthBy FILE>
>                                 RewriteUsername s/^([^@]+).*/$1/
>                                 RewriteUsername s/^\s*//
>                                 RewriteUsername s/\s*$//
>                                 Filename %D/users-wlan-peap
>                                 NoEAP
>                        </AuthBy>
>         AuthLog authlogging-wlan-peap
>         Identifier PEAP-inner-utwente-test2
>         Description WLAN
>         AuthLog authlogging-tent
> </Handler>
> 
> <Handler Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
>         <AuthBy FILE>
>                 EAPType TTLS,PEAP
>                 EAPTLS_CAFile
>                 EAPTLS_CertificateFile
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile
>                 EAPTLS_PrivateKeyPassword
>                 EAPTLS_MaxFragmentSize 1024
>                 EAPTLS_SessionResumption 0
>                 AutoMPPEKeys
>                 EAPTLS_PEAPBrokenV1Label
>                 EAPTTLS_NoAckRequired
>                 # %U (and %u (with realm)) are the inner-auth username for PEAP
>                 #EAPAnonymous %u
>                 EAPAnonymous %0
>         </AuthBy>
>         AuthLog authlogging-wlan
>         Identifier WLAN-OUTER-TEST
>         Description WLAN
>         AuthLog authlogging-tent
> </Handler>
> 
>> On 07/26/2011 06:14 PM, Roel Hoek wrote:
> 
>> Hello Roel,
> 
>>> We experience a problem with a handler for authenticating wireless-lan users. AuthBy-File for a PEAP-mschapV2 cannot match a user if
>>> the outer and inner identity are not equal (normal situation).
>>> It looks like the userfile is searched by the outer-identity, although the inner-identity is used for authentication via LDAP.
> 
>> Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section
>> "5.19.24 EAPAnonymous" for more info about EAPAnonymous.
> 
>> Your inner Handler has AuthBy FILE clause with NoEAP. Radiator will then
>> use User-Name attribute instead of EAP Identity to do the authentication.
> 
>> With EAPAnonymous you can set the inner request User-Name the same as
>> the EAP Identity is.
> 
>> Please let us know if this works for you.
> 
>> Thanks!
>> Heikki
> 
> 
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
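The tunnelled EAP-Message in the packet dump above, worked through as an added example that is not part of the original thread: it parses the EAP Identity Response (code 2, id 0, length 27, type 1) to recover the inner identity, applies the three RewriteUsername rules from the inner <AuthBy FILE> clause, and shows why NoEAP together with EAPAnonymous %0 leaves AuthBy FILE with an empty name to look up while an EAP inner method would see the EAP identity. It assumes the archive's "d3126217 at utwente.test2" is the list software's rendering of an "@"; parse_eap_identity, rewrite_username and inner_lookup_name are my own names, not Radiator's.

```python
import re
import struct
from typing import Optional

# Constructed sample: the tunnelled EAP-Message from the packet dump in this
# thread, <2><0><0><27><1>d3126217 at utwente.test2, with "@" restored.
EAP_MESSAGE = b"\x02\x00\x00\x1b\x01" + b"d3126217@utwente.test2"

EAP_RESPONSE = 2       # EAP code for a Response
EAP_TYPE_IDENTITY = 1  # EAP type for Identity


def parse_eap_identity(msg: bytes) -> Optional[str]:
    """Return the identity carried in an EAP Identity Response, else None."""
    if len(msg) < 5:
        return None
    code, _ident, length, eap_type = struct.unpack("!BBHB", msg[:5])
    # The length field must describe the whole message; reject truncated
    # or padded input rather than guessing where the identity ends.
    if length != len(msg) or code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    return msg[5:length].decode("utf-8", errors="replace")


# The RewriteUsername rules from the inner <AuthBy FILE>, applied in order.
REWRITES = [
    (re.compile(r"^([^@]+).*"), r"\1"),  # s/^([^@]+).*/$1/  drop the realm
    (re.compile(r"^\s*"), ""),          # s/^\s*//          trim leading blanks
    (re.compile(r"\s*$"), ""),          # s/\s*$//          trim trailing blanks
]


def rewrite_username(name: str) -> str:
    """Apply each RewriteUsername substitution once, in configuration order."""
    for pattern, repl in REWRITES:
        name = pattern.sub(repl, name, count=1)
    return name


def inner_lookup_name(user_name_attr: str, eap_message: bytes, no_eap: bool) -> str:
    """Name the inner AuthBy FILE would look up in its users file.

    With NoEAP, Radiator takes the inner User-Name attribute (which
    EAPAnonymous %0 left empty in the dump); with an EAP inner method such
    as EAP MSCHAP-V2 it takes the EAP identity from the EAP-Message.
    """
    source = user_name_attr if no_eap else (parse_eap_identity(eap_message) or "")
    return rewrite_username(source)
```

With the outer identity in the dump being jupiter@utwente.test2 and the inner one d3126217@utwente.test2, only the second path yields a name the users file can match.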

