[RADIATOR] Proxy'ing Client-Identifier to "slave" RADIUS processes

Heikki Vatiainen hvn at open.com.au
Thu Feb 7 17:08:19 CST 2013


On 02/07/2013 11:59 PM, Johnson, Neil M wrote:

> My goal was to select an inner handler based on the Client Identifier (now
> passed in as OSC-Client-Identifier), Called-Station-Id, and the
> User-Name's Realm.

The problem is this: the tunnelled inner request in the log is the first
EAP message in this EAP authentication session carrying the EPA Identity
method.

Since the identity is not known yet, but it will be once the request has
been processed, EAPAnonymous or anything else can not set the correct
User-Name for the tunnelled request. Once this request has been
processed, then e.g., EAPAnonymous %0 works.

Below is one construct that I thought about once: the purpose of the
first Handler is to do the actual authentication. However, the first
message carrying the Identity will not match the Handler's checklist, so
the request will hit the second Handler. This will establish the
identity and return Challenge. The subsequent requests from the client
will then match the first Handler.

If something would actually try to authenticate using the second
Handler, this would always fail.

<Handler TunnelledByPEAP=1, Realm=example.com>
        Identifier inner-main-handler
        <AuthBy FILE>
                Identifier inner-main-authby
                Filename %D/users
                UsernameMatchesWithoutRealm
                NoDefault
                EAPType MSCHAP-V2
        </AuthBy>
</Handler>

<Handler TunnelledByPEAP=1>
        Identifier inner-identity-bootstrap-handler
        <AuthBy FILE>
                Identifier inner-identity-bootstrap-authby
                Filename /dev/null
                NoDefault
                EAPType MSCHAP-V2
        </AuthBy>
</Handler>

Thanks,
Heikki

> From my config:
> # Handler PEAP requests for "uiowa.edu" realm
> <Handler OSC-Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i,
> TunnelledByPEAP=1, Realm=/(uiowa\.edu$)/i  >	
>   AuthByPolicy ContinueUntilAcceptOrChallenge	
>   AuthBy authUIOWA
>   AuthBy authUIOWA_Quarantine
>   AuthBy authEduroam_test_users
> 	
>   AuthLog authlogger
> </Handler>
> 
> I tried adding the PreHandlerHook code to copy the "OSC-Client-Identifier"
> attribute to the inner tunnel as you suggested, but I also needed to copy
> the "Called-Station-Id" attribute as well.
> 
> Now I've run into an issue that the first inner request had the
> "User-Name" attribute set to "", which makes it fail the Realm check. It
> appears in subsequent inner tunnel request.
> 
> Trace output below:
> 
> Thu Feb  7 15:28:32 2013 320803: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 59428 ....
> Code:       Access-Request
> Identifier: 113
> Authentic:  s<221><191>8<160>PG<137>2<8><7>V<128>[W<18>
> Attributes:
> 	User-Name = "wlantest02 at uiowa.edu"
> 	NAS-IP-Address = 127.0.0.1
> 	Calling-Station-Id = "02-00-00-00-00-01"
> 	Framed-MTU = 1400
> 	NAS-Port-Type = Wireless-IEEE-802-11
> 	Connect-Info = "CONNECT 11Mbps 802.11b"
> 	Called-Station-Id = "eduroam"
> 	EAP-Message = <2><6><0>`<25><0><23><3><1><0>
> Wg^<133>e<128><163><185>t<171><238>V#1&<219><221><185>q_M<225><238>'<23>O_]
> <208>-<222><251><23><3><1><0>0<168>oY<246>-<187><148>w;<243>4-%<141>i<201><
> 245><22><221>Y;<133><148><183>.<176><21><240>g<242><203><180><164>5<243><19
> 0><157>2<176><180><188><138><133>F<131>.PN
> 	Message-Authenticator =
> <222><133><236><252><249><150><9>y<6><223>'\<183><2>i<228>
> 	OSC-Client-Identifier = "fromUIOWA"
> 
> Thu Feb  7 15:28:32 2013 322779: DEBUG: Handling request with Handler
> 'OSC-Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i,
> Realm=/(uiowa\.edu$)/i ', Identifier ''
> Thu Feb  7 15:28:32 2013 323727: DEBUG: PreProcessing Hook: called.
> Thu Feb  7 15:28:32 2013 324738: DEBUG:  Deleting session for
> wlantest02 at uiowa.edu, 127.0.0.1,
> Thu Feb  7 15:28:32 2013 325580: DEBUG: Handling with Radius::AuthLSA:
> Thu Feb  7 15:28:32 2013 326562: DEBUG: Handling with EAP: code 2, 6, 96,
> 25
> Thu Feb  7 15:28:32 2013 327395: DEBUG: Response type 25
> Thu Feb  7 15:28:32 2013 329030: DEBUG: EAP PEAP inner authentication
> request for 
> Thu Feb  7 15:28:32 2013 330409: DEBUG: PEAP Tunnelled request Packet dump:
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  O<227>x%<<238><130><166><133><203><143>5<195>-<135><166>
> Attributes:
> 	EAP-Message = <2><6><0><21><1>wlantest02 at uiowa.edu
> 	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> 	NAS-IP-Address = 127.0.0.1
> 	Calling-Station-Id = "02-00-00-00-00-01"
> 	User-Name = "" <-- Null User Name
> 	OSC-Client-Identifier = "fromUIOWA"
> 
> Thu Feb  7 15:28:32 2013 332695: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1', Identifier ''
> Thu Feb  7 15:28:32 2013 333811: DEBUG:  Deleting session for , 127.0.0.1,
> Thu Feb  7 15:28:32 2013 335132: DEBUG: Handling with Radius::AuthLSA:
> authUIOWA
> Thu Feb  7 15:28:32 2013 336242: DEBUG: Handling with EAP: code 2, 6, 21, 1
> Thu Feb  7 15:28:32 2013 337089: DEBUG: Response type 1
> Thu Feb  7 15:28:32 2013 344248: DEBUG: EAP result: 3, EAP MSCHAP-V2
> Challenge
> Thu Feb  7 15:28:32 2013 345188: DEBUG: AuthBy LSA result: CHALLENGE, EAP
> MSCHAP-V2 Challenge
> Thu Feb  7 15:28:32 2013 346450: DEBUG: Access challenged for : EAP
> MSCHAP-V2 Challenge
> 
> 
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


More information about the radiator mailing list