[RADIATOR] Proxy'ing Client-Identifier to "slave" RADIUS processes

Johnson, Neil M neil-johnson at uiowa.edu
Thu Feb 7 15:59:54 CST 2013


Having issues with this:

My goal was to select an inner handler based on the Client Identifier (now
passed in as OSC-Client-Identifier), Called-Station-Id, and the
User-Name's Realm.

From my config:
# Handler PEAP requests for "uiowa.edu" realm
<Handler OSC-Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i,
TunnelledByPEAP=1, Realm=/(uiowa\.edu$)/i  >
  AuthByPolicy ContinueUntilAcceptOrChallenge
  AuthBy authUIOWA
  AuthBy authUIOWA_Quarantine
  AuthBy authEduroam_test_users

  AuthLog authlogger
</Handler>

I tried adding the PreHandlerHook code to copy the "OSC-Client-Identifier"
attribute to the inner tunnel as you suggested, but I also needed to copy
the "Called-Station-Id" attribute as well.

Now I've run into an issue that the first inner request had the
"User-Name" attribute set to "", which makes it fail the Realm check. It
appears in subsequent inner tunnel requests.

Trace output below:

Thu Feb  7 15:28:32 2013 320803: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 59428 ....
Code:       Access-Request
Identifier: 113
Authentic:  s<221><191>8<160>PG<137>2<8><7>V<128>[W<18>
Attributes:
	User-Name = "wlantest02 at uiowa.edu"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-IEEE-802-11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	Called-Station-Id = "eduroam"
	EAP-Message = <2><6><0>`<25><0><23><3><1><0>
Wg^<133>e<128><163><185>t<171><238>V#1&<219><221><185>q_M<225><238>'<23>O_]
<208>-<222><251><23><3><1><0>0<168>oY<246>-<187><148>w;<243>4-%<141>i<201><
245><22><221>Y;<133><148><183>.<176><21><240>g<242><203><180><164>5<243><19
0><157>2<176><180><188><138><133>F<131>.PN
	Message-Authenticator =
<222><133><236><252><249><150><9>y<6><223>'\<183><2>i<228>
	OSC-Client-Identifier = "fromUIOWA"

Thu Feb  7 15:28:32 2013 322779: DEBUG: Handling request with Handler
'OSC-Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i,
Realm=/(uiowa\.edu$)/i ', Identifier ''
Thu Feb  7 15:28:32 2013 323727: DEBUG: PreProcessing Hook: called.
Thu Feb  7 15:28:32 2013 324738: DEBUG:  Deleting session for
wlantest02 at uiowa.edu, 127.0.0.1,
Thu Feb  7 15:28:32 2013 325580: DEBUG: Handling with Radius::AuthLSA:
Thu Feb  7 15:28:32 2013 326562: DEBUG: Handling with EAP: code 2, 6, 96,
25
Thu Feb  7 15:28:32 2013 327395: DEBUG: Response type 25
Thu Feb  7 15:28:32 2013 329030: DEBUG: EAP PEAP inner authentication
request for 
Thu Feb  7 15:28:32 2013 330409: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  O<227>x%<<238><130><166><133><203><143>5<195>-<135><166>
Attributes:
	EAP-Message = <2><6><0><21><1>wlantest02 at uiowa.edu
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	User-Name = "" <-- Null User Name
	OSC-Client-Identifier = "fromUIOWA"

Thu Feb  7 15:28:32 2013 332695: DEBUG: Handling request with Handler
'TunnelledByPEAP=1', Identifier ''
Thu Feb  7 15:28:32 2013 333811: DEBUG:  Deleting session for , 127.0.0.1,
Thu Feb  7 15:28:32 2013 335132: DEBUG: Handling with Radius::AuthLSA:
authUIOWA
Thu Feb  7 15:28:32 2013 336242: DEBUG: Handling with EAP: code 2, 6, 21, 1
Thu Feb  7 15:28:32 2013 337089: DEBUG: Response type 1
Thu Feb  7 15:28:32 2013 344248: DEBUG: EAP result: 3, EAP MSCHAP-V2
Challenge
Thu Feb  7 15:28:32 2013 345188: DEBUG: AuthBy LSA result: CHALLENGE, EAP
MSCHAP-V2 Challenge
Thu Feb  7 15:28:32 2013 346450: DEBUG: Access challenged for : EAP
MSCHAP-V2 Challenge



-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-johnson at uiowa.edu
On 1/28/13 2:11 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:

>On 01/28/2013 09:36 PM, Johnson, Neil M wrote:
>
>> It appears that when the Outer handler re-dispatches the request for
>> processing by the PEAP and TLS inner Handlers that the
>> OSC-Client-Identifier attribute is not also sent.
>
>That's true. Only some attributes are copied automatically. For the rest
>you can do something like this in the outer Handler's AuthBy:
>
>PreHandlerHook sub { \
>  my $tp = ${$_[0]}; \
>  $tp->add_attr('OSC-Client-Identifier', \
>$tp->{outerRequest}->get_attr('OSC-Client-Identifier')); \
>  }
>
>This should copy OSC-Client-Identifier from outer request into tunneled
>request.
>
>You should also see it in Trace 4 output which does not show it now, as
>you had noticed.
>
>Thanks,
>Heikki
>
>
>-- 
>Heikki Vatiainen <hvn at open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.
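An expanded version of the hook from the quoted reply, added here as an illustration and not taken from the thread or from Radiator's own distribution: it copies both OSC-Client-Identifier and Called-Station-Id (the second attribute the reporter found he also needed) from the outer request into the tunnelled request, skips any attribute the outer request does not carry so add_attr is never called with an undefined value, and logs the tunnelled User-Name so the trace shows which inner round trip is the one arriving with an empty identity. It assumes the calling convention visible in the quoted hook ($_[0] is a reference to the tunnelled request, which holds the outer request in $tp->{outerRequest}), Radiator's &main::log debug call, and the inline backslash-continued layout of the quoted hook; the attribute list is the example's own choice.

```perl
# Added example, not from the thread. Goes in the outer Handler's AuthBy
# (the EAP AuthBy that unpacks the PEAP/TTLS tunnel), as the quoted reply
# describes. Copies each listed attribute from the outer request into the
# tunnelled request, only when the outer request has it and the tunnelled
# request does not already carry it, then logs the tunnelled User-Name.
PreHandlerHook sub { \
  my $tp = ${$_[0]}; \
  my $outer = $tp->{outerRequest}; \
  return unless defined $outer; \
  foreach my $name ('OSC-Client-Identifier', 'Called-Station-Id') { \
    my $value = $outer->get_attr($name); \
    next unless defined $value; \
    next if defined $tp->get_attr($name); \
    $tp->add_attr($name, $value); \
    &main::log($main::LOG_DEBUG, \
      "PreHandlerHook: copied $name = '$value' into tunnelled request"); \
  } \
  my $inner_user = $tp->get_attr('User-Name'); \
  &main::log($main::LOG_DEBUG, 'PreHandlerHook: tunnelled User-Name is ' \
    . (defined $inner_user ? "'$inner_user'" : 'absent')); \
}
```

The copied attributes make the tunnelled request satisfy the OSC-Client-Identifier and Called-Station-Id check items of the inner Handler; they do not change the Realm check, which still depends on the tunnelled User-Name. The extra debug line (visible at Trace 4) records that value per inner request, so the empty identity on the first inner round trip and the populated one on later round trips, as seen in the trace above, can be told apart without reading the packet dumps.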