[RADIATOR] PEAP/MSCHAPv2 auth fails with username@realm
Christopher Bongaarts
cab at umn.edu
Thu Nov 1 16:38:26 CDT 2012
I'm trying to debug a problem with PEAP/MSCHAPv2 authentication against
LDAP as part of spinning up eduroam. I've included the relevant
Handlers from the configuration below, and the inner authentication part
of the (sanitized) log from an attempt to authenticate. Despite the
password being correct, the authentication fails.
This configuration works for MSCHAPv2 without PEAP (i.e. using the
TunneledByPEAP Handler as the actual handler instead of the PEAP outer
handler) if I have the RewriteUsername uncommented.
I've tried to stick to the eduroam recipes for Radiator as much as
possible, but I'm having trouble getting the MSCHAP auth to use the
"username@realm" syntax while having LDAP search on just the username
portion to find the user.
Any ideas? TIA...
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
----radiator config excerpt----
<Handler Client-Identifier=WIRELESS, TunnelledByPEAP=1, Realm=/^(.*\.)?umn\.edu$/i>
    # umn.edu - that's us! authenticate locally.
    # MUST PRECEDE outer tunnel handler in the conf file!
    Identifier WIRELESS-IN
    <AuthBy GROUP>
        # Strip the realm from all requests
        # so LDAP will match against the bare username
        #RewriteUsername s/^([^@]+).*/$1/
        # let eap handling fall thru to next levels
        NoEAP
        <AuthBy LDAP2>
            Host ldapserver-1.tc.umn.edu
            include %D/ldap-common.cfg
            AuthAttrDef umnValidUntil, ValidTo, check
            AuthAttrDef umnValidAfter, ValidFrom, check
        </AuthBy>
        # second directory server, same settings (the GROUP consults them in order)
        <AuthBy LDAP2>
            Host ldapserver-2.tc.umn.edu
            include %D/ldap-common.cfg
            AuthAttrDef umnValidUntil, ValidTo, check
            AuthAttrDef umnValidAfter, ValidFrom, check
        </AuthBy>
    </AuthBy>
    AuthLog myauthlog
</Handler>
<Handler Client-Identifier=WIRELESS, Realm=/^(.*\.)?umn\.edu$/i>
    # umn inbound, outer tunnel handler
    Identifier WIRELESS-IN-TUNNEL
    <AuthBy FILE>
        # file containing word "anonymous" less quotes on its own line
        Filename %D/dot1x_anon
        EAPType PEAP
        EAPAnonymous %0
        EAPTLS_CAFile %D/eaptls-cas.crt
        EAPTLS_CertificateChainFile %D/eaptls.crt
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/eaptls.key
        EAPTLS_PEAPBrokenV1Label 1
        EAPTLS_MaxFragmentSize 1024
        AutoMPPEKeys
    </AuthBy>
    AuthLog myauthlog
    AcctLogFileName %L/%Y/wireless_tunnel_detail.%y%m%d
</Handler>
-----file: dot1x_anon-----
anonymous
-----file: ldap-common.cfg-----
AuthDN cn=Radius Manager, ou=Application Services, o=University of Minnesota, c=US
AuthPassword (insert pw here)
BaseDN o=University of Minnesota, c=US
UsernameAttr uid
EncryptedPasswordAttr umnNTPasswordHash
Version 3
# include all attributes needed for authz later
AuthAttrDef umnXythosStatus, X-Xythos-Status, request
AuthAttrDef umnADMemberOf, X-AD-Member, request
# EAP Type settings
EAPType MSCHAP-V2
UsernameMatchesWithoutRealm
# don't bother looking up DEFAULT user if auth fails
NoDefault
# persist connections as long as possible
HoldServerConnection
-----log message for attempted auth----
Thu Nov 1 16:25:22 2012: DEBUG: Packet dump:
*** Received from 192.168.XX.XX port 20000 ....
Code: Access-Request
Identifier: 134
Authentic: <163><211>\<191><27><216><0><162><189><200>4d/Co<219>
Attributes:
NAS-Port-Id = "AP419/2"
Calling-Station-Id = "60-67-20-XX-XX-XX"
Called-Station-Id = "00-0B-0E-XX-XX-XX:Eduroam"
Service-Type = Framed-User
User-Name = "cab@umn.edu"
NAS-Port = 46701
EAP-Message =
<2><8><0>k<25><0><23><3><1><0>`{<163>y<177><239><241><15><179>y<239><30>G<207><230><149><141><144><246>"<208><239><255><175><12><169><154>#U<242>^r<249>)(%<252><214>V<150><174><196><168><191><170>_<20>,<177>,z<215><229>{<153>?<187>B.
<191><208><167><142>l<N<221><173>i-><247><133>&<189><12>$<<14><173><211>)n<201><204><21>O#<233>m<201><166><154><0>5<130>
NAS-Port-Type = Wireless-IEEE-802-11
NAS-IP-Address = 192.168.XX.XX
NAS-Identifier = "Trapeze"
Message-Authenticator =
r<18><165>lI<170><144><173>.<205><239><231><209><11>7<232>
Thu Nov 1 16:25:22 2012: DEBUG: Handling request with Handler 'Client-Identifier=WIRELESS, Realm=/^(.*\.)?umn\.edu$/i'
Thu Nov 1 16:25:22 2012: DEBUG: Deleting session for cab@umn.edu, 192.168.241.21, 46701
Thu Nov 1 16:25:22 2012: DEBUG: Handling with Radius::AuthFILE:
Thu Nov 1 16:25:22 2012: DEBUG: Handling with EAP: code 2, 8, 107, 25
Thu Nov 1 16:25:22 2012: DEBUG: Response type 25
Thu Nov 1 16:25:22 2012: DEBUG: EAP PEAP inner authentication request for cab@umn.edu
Thu Nov 1 16:25:22 2012: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: ;<231>$D<236> <242><186>D<182><254>=K<219><128>r
Attributes:
EAP-Message =
<2><8><0>B<26><2><8><0>A1<175><9><147><134>NvH<140><191><253>]<194>D<7><229><235><0><0><0><0><0><0><0><0><201><192><223>+<192>$<185>4<20><175><155>H<135>Q<158>O<246><170>~w5Jk<28><0>cab@umn.edu
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "cab@umn.edu"
NAS-IP-Address = 192.168.241.21
NAS-Identifier = "Trapeze"
NAS-Port = 46701
Calling-Station-Id = "60-67-20-XX-XX-XX"
Thu Nov 1 16:25:22 2012: DEBUG: Handling request with Handler 'Client-Identifier=WIRELESS, TunnelledByPEAP=1, Realm=/^(.*\.)?umn\.edu$/i'
Thu Nov 1 16:25:22 2012: DEBUG: Deleting session for cab@umn.edu, 192.168.241.21, 46701
Thu Nov 1 16:25:22 2012: DEBUG: Handling with Radius::AuthGROUP:
Thu Nov 1 16:25:22 2012: DEBUG: Handling with Radius::AuthLDAP2:
Thu Nov 1 16:25:22 2012: DEBUG: Handling with EAP: code 2, 8, 66, 26
Thu Nov 1 16:25:22 2012: DEBUG: Response type 26
Thu Nov 1 16:25:22 2012: INFO: Connecting to ldapserver-1.tc.umn.edu:389
Thu Nov 1 16:25:22 2012: INFO: Attempting to bind to LDAP server lde-a.tc.umn.edu:389
Thu Nov 1 16:25:22 2012: DEBUG: LDAP got result for cn=Christopher A Bongaarts-2,ou=People,o=University of Minnesota,c=US
Thu Nov 1 16:25:22 2012: DEBUG: LDAP got umnNTPasswordHash: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Thu Nov 1 16:25:22 2012: DEBUG: LDAP got umnXythosStatus: A
Thu Nov 1 16:25:22 2012: DEBUG: Radius::AuthLDAP2 looks for match with cab [cab@umn.edu]
Thu Nov 1 16:25:22 2012: DEBUG: Radius::AuthLDAP2 ACCEPT: : cab [cab@umn.edu]
Thu Nov 1 16:25:22 2012: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Thu Nov 1 16:25:22 2012: DEBUG: AuthBy GROUP result: REJECT, EAP MSCHAP-V2 Authentication failure
Thu Nov 1 16:25:22 2012: INFO: Access rejected for cab@umn.edu: EAP MSCHAP-V2 Authentication failure
Thu Nov 1 16:25:22 2012: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
Identifier: UNDEF
Authentic: ;<231>$D<236> <242><186>D<182><254>=K<219><128>r
Attributes:
EAP-Message = <4><8><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
Thu Nov 1 16:25:22 2012: DEBUG: EAP result: 3, EAP PEAP inner authentication redespatched to a Handler
Thu Nov 1 16:25:22 2012: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP inner authentication redespatched to a Handler
Thu Nov 1 16:25:22 2012: DEBUG: Access challenged for cab@umn.edu: EAP PEAP inner authentication redespatched to a Handler
Thu Nov 1 16:25:22 2012: DEBUG: Packet dump:
*** Sending to 192.168.XX.XX port 20000 ....
Code: Access-Challenge
Identifier: 134
Authentic: <163><211>\<191><27><216><0><162><189><200>4d/Co<219>
Attributes:
EAP-Message = <1><9><0>+<25><0><23><3><1><0>
:<153><245><156><209><27>\v<166>_<212><252>B<182><225>J<221><20><178>}K<148><247>t<183>3WDE<11>F<218>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Thu Nov 1 16:25:22 2012: DEBUG: Packet dump:
*** Received from 192.168.XX.XX port 20000 ....
Code: Access-Request
Identifier: 135
Authentic: <231>tVW<234><201>F<219>4[<175><149><163><10><228><6>
Attributes:
NAS-Port-Id = "AP419/2"
Calling-Station-Id = "60-67-20-XX-XX-XX"
Called-Station-Id = "00-0B-0E-XX-XX-XX:Eduroam"
Service-Type = Framed-User
User-Name = "cab@umn.edu"
NAS-Port = 46701
EAP-Message = <2><9><0>+<25><0><23><3><1><0>
<177>7<189>:/<2>c:<244><137><177><190><241><21><140>,<216><188><127>1W><217><127>bN<181><149><215><20><23>u
NAS-Port-Type = Wireless-IEEE-802-11
NAS-IP-Address = 192.168.XX.XX
NAS-Identifier = "Trapeze"
Message-Authenticator = A?<170><182><216>e<212>s_y<151>i|9<19>~
Thu Nov 1 16:25:22 2012: DEBUG: Handling request with Handler 'Client-Identifier=WIRELESS, Realm=/^(.*\.)?umn\.edu$/i'
Thu Nov 1 16:25:22 2012: DEBUG: Deleting session for cab@umn.edu, 192.168.241.21, 46701
Thu Nov 1 16:25:22 2012: DEBUG: Handling with Radius::AuthFILE:
Thu Nov 1 16:25:22 2012: DEBUG: Handling with EAP: code 2, 9, 43, 25
Thu Nov 1 16:25:22 2012: DEBUG: Response type 25
Thu Nov 1 16:25:22 2012: DEBUG: EAP result: 1, PEAP Authentication Failure
Thu Nov 1 16:25:22 2012: DEBUG: AuthBy FILE result: REJECT, PEAP Authentication Failure
Thu Nov 1 16:25:22 2012: INFO: Access rejected for cab@umn.edu: PEAP Authentication Failure
Thu Nov 1 16:25:22 2012: DEBUG: Packet dump:
*** Sending to 192.168.XX.XX port 20000 ....
Code: Access-Reject
Identifier: 135
Authentic: <231>tVW<234><201>F<219>4[<175><149><163><10><228><6>
Attributes:
EAP-Message = <4><9><0><4>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
-----end of log-----
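Editor's note on the exchange above, with an added example that is not part of the original post and is not Radiator code. The inner log shows two different spellings of the user in play: the directory search is done with the bare "cab" ("looks for match with cab [cab@umn.edu]"), while the tunnelled MS-CHAPv2 Response carries the Name field "cab@umn.edu" and the NT-Response is bound to a challenge derived from that name. RFC 2759 section 8.2 defines ChallengeHash as the first 8 octets of SHA1(PeerChallenge || AuthenticatorChallenge || UserName), where UserName is the name as presented by the peer with only a prepended NT domain ("DOMAIN\user") removed; an "@realm" suffix stays in the hash input, so a name rewritten before this step yields a different challenge from the one the supplicant used. The Python below parses an EAP-MSCHAPv2 Response with the same layout as the tunnelled EAP-Message in the dump, derives the lookup name and the challenge, and checks the length fields. The packet bytes, challenges and NT-Response are constructed for the example (only the layout mirrors the log), the names are illustrative, and the final DES step that turns the challenge and a stored NT hash into the 24-octet NT-Response needs MD4/DES, which the standard library lacks, so it is deliberately not included.

```python
"""Added example: parse an inner EAP-MSCHAPv2 Response and derive the two
names a RADIUS server works with, the bare lookup name for the directory
and the peer-presented name that RFC 2759 feeds into ChallengeHash."""
import hashlib
import struct
from dataclasses import dataclass

EAP_RESPONSE = 2         # EAP Code for a Response
EAP_TYPE_MSCHAPV2 = 26   # EAP Type for MS-CHAPv2
MSCHAPV2_RESPONSE = 2    # MS-CHAPv2 OpCode for a Response
VALUE_SIZE = 49          # 16 Peer-Challenge + 8 Reserved + 24 NT-Response + 1 Flags
HEADER_LEN = 10          # EAP hdr (4) + Type (1) + OpCode/ID/MS-Length (4) + Value-Size (1)


@dataclass
class MsChapV2Response:
    eap_id: int
    ms_id: int
    peer_challenge: bytes
    nt_response: bytes
    flags: int
    name: str            # the Name field exactly as the peer sent it


def build_eap_mschapv2_response(eap_id: int, peer_challenge: bytes,
                                nt_response: bytes, name: str) -> bytes:
    """Constructed sample packet with the layout of the inner EAP-Message in
    the log. Lengths follow the RFC: MS-Length is EAP Length minus 5."""
    value = peer_challenge + bytes(8) + nt_response + bytes([0])
    if len(value) != VALUE_SIZE:
        raise ValueError("peer_challenge must be 16 octets and nt_response 24")
    name_b = name.encode("ascii")
    eap_len = HEADER_LEN + VALUE_SIZE + len(name_b)
    return (struct.pack("!BBH", EAP_RESPONSE, eap_id, eap_len)
            + bytes([EAP_TYPE_MSCHAPV2])
            + struct.pack("!BBH", MSCHAPV2_RESPONSE, eap_id, eap_len - 5)
            + bytes([VALUE_SIZE]) + value + name_b)


def parse_eap_mschapv2_response(msg: bytes) -> MsChapV2Response:
    """Strict parser: every length field is validated before it is trusted."""
    if len(msg) < HEADER_LEN + VALUE_SIZE:
        raise ValueError("packet shorter than a minimal MS-CHAPv2 Response")
    code, eap_id, eap_len = struct.unpack("!BBH", msg[:4])
    if code != EAP_RESPONSE or eap_len != len(msg):
        raise ValueError("bad EAP Code or Length")
    if msg[4] != EAP_TYPE_MSCHAPV2:
        raise ValueError("not EAP-MSCHAPv2")
    opcode, ms_id, ms_len = struct.unpack("!BBH", msg[5:9])
    if opcode != MSCHAPV2_RESPONSE or ms_len != eap_len - 5:
        raise ValueError("bad OpCode or MS-Length")
    if msg[9] != VALUE_SIZE:
        raise ValueError("Value-Size must be 49")
    value = msg[HEADER_LEN:HEADER_LEN + VALUE_SIZE]
    if value[16:24] != bytes(8):
        raise ValueError("Reserved octets must be zero")
    name = msg[HEADER_LEN + VALUE_SIZE:].decode("ascii")
    return MsChapV2Response(eap_id, ms_id, value[:16], value[24:48], value[48], name)


def is_well_formed(msg: bytes) -> bool:
    try:
        parse_eap_mschapv2_response(msg)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: str) -> bytes:
    """RFC 2759 8.2 ChallengeHash: first 8 octets of SHA1(PeerChallenge ||
    AuthenticatorChallenge || UserName). Only a prepended NT domain
    ("UMN\\cab") is dropped; a realm suffix ("cab@umn.edu") stays in the input,
    so stripping it before this step produces a different challenge."""
    name = user_name.split("\\", 1)[-1]
    digest = hashlib.sha1(peer_challenge + authenticator_challenge
                          + name.encode("ascii")).digest()
    return digest[:8]


def lookup_name(user_name: str) -> str:
    """Bare username for the directory search, the 'cab' in the log line
    'looks for match with cab [cab@umn.edu]' (illustrative, not Radiator's code)."""
    return user_name.split("\\", 1)[-1].split("@", 1)[0]


def server_side_inputs(msg: bytes, authenticator_challenge: bytes) -> dict:
    """Everything the server needs before the DES step: whom to look up, and
    the 8-octet challenge that, with the stored NT hash, must reproduce nt_response."""
    r = parse_eap_mschapv2_response(msg)
    return {"lookup_name": lookup_name(r.name), "hash_name": r.name,
            "challenge": challenge_hash(r.peer_challenge, authenticator_challenge, r.name),
            "nt_response": r.nt_response}


if __name__ == "__main__":
    # Constructed values; only the packet layout mirrors the log, not the bytes.
    peer, auth, ntr = bytes(range(16)), bytes(range(16, 32)), bytes(range(100, 124))
    got = server_side_inputs(build_eap_mschapv2_response(8, peer, ntr, "cab@umn.edu"), auth)
    print("lookup:", got["lookup_name"], " hash name:", got["hash_name"])
    print("challenge (realm kept)    :", got["challenge"].hex())
    print("challenge (realm stripped):", challenge_hash(peer, auth, "cab").hex())
```

Running it prints two different 8-octet challenges for "cab@umn.edu" and "cab" under the same peer and authenticator challenges, which is the whole reason a realm rewrite and an NT-Response check cannot both see the same name. The MS-Length check is the RFC's strict form; if a supplicant fills that field differently, relax the check on purpose rather than by dropping validation.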