[RADIATOR] Proxy'ing Client-Identifier to "slave" RADIUS processes

Johnson, Neil M neil-johnson at uiowa.edu
Mon Jan 28 13:53:35 CST 2013


Heikki,


Error Message in Trace 4 Debug:

Mon Jan 28 12:55:02 2013 938128: DEBUG: Handling request with Handler 'OSC-Client-Identifier=fromUIOWA, Called-Station-Id=/eduroam$/i, Realm=/(uiowa\.edu$)/i ', Identifier ''
Mon Jan 28 12:55:02 2013 939117: DEBUG: PreProcessing Hook: called.
Mon Jan 28 12:55:02 2013 940237: DEBUG:  Deleting session for wlantest02 at uiowa.edu, 127.0.0.1,
Mon Jan 28 12:55:02 2013 941097: DEBUG: Handling with Radius::AuthLSA:
Mon Jan 28 12:55:02 2013 942287: DEBUG: Handling with EAP: code 2, 6, 96, 25
Mon Jan 28 12:55:02 2013 943113: DEBUG: Response type 25
Mon Jan 28 12:55:02 2013 944861: DEBUG: EAP PEAP inner authentication request for 
Mon Jan 28 12:55:02 2013 946176: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <209><152><247>m<197><187><210>K0f<22><146><134><204><2>{
Attributes:
	EAP-Message = <2><6><0><21><1>wlantest02 at uiowa.edu
	Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	User-Name = ""

Mon Jan 28 12:55:02 2013 948535: DEBUG: EAP result: 1, No Handler for PEAP inner authentication
Mon Jan 28 12:55:02 2013 949427: DEBUG: AuthBy LSA result: REJECT, No Handler for PEAP inner authentication
Mon Jan 28 12:55:02 2013 950295: INFO: Access rejected for wlantest02 at uiowa.edu: No Handler for PEAP inner authentication
Mon Jan 28 12:55:02 2013 951305: DEBUG: PostProcessing Hook: called.
Mon Jan 28 12:55:02 2013 952703: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 51903 ....
Code:       Access-Reject
Identifier: 10
Authentic:  <240><146><195>;<236><146>?<168><11><218>K<7>a<203>ck
Attributes:
	Reply-Message = "Request Denied"

Note I tried adding:
AddToRequest OSC-Client-Identifier=%{Client:Identifier}

to the Outer Handler section, but it didn't work.

Thanks.
-Neil



-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-johnson at uiowa.edu

On 1/28/13 1:36 PM, "Johnson, Neil M" <neil-johnson at uiowa.edu> wrote:

>Heikki,
>
>I'm having trouble with PEAP and TTLS authentication and using the
>OSC-Client-Identifier attribute.
>
>I'm trying to use multiple <Handler> Requests with both the
>OSC-Client-Identifier and TunneledByPEAP=1/TunneledByTTLS=1 selectors.
>
>It appears that when the Outer handler re-dispatches the request for
>processing by the PEAP and TLS inner Handlers, the
>OSC-Client-Identifier attribute is not also sent.
>
>Unless I have a "default" PEAP and TTLS Handler configured I get an "AuthBy
>LSA result: REJECT, No Handler for PEAP inner Authentication" error.
>
>Thanks.
>-Neil
>
>-- 
>Neil Johnson
>Network Engineer
>The University of Iowa
>Phone: 319 384-0938
>Fax: 319 335-2951
>Mobile: 319 540-2081
>E-Mail: neil-johnson at uiowa.edu
>
>On 1/28/13 12:13 PM, "Heikki Vatiainen" <hvn at open.com.au> wrote:
>
>>On 01/28/2013 07:42 PM, Johnson, Neil M wrote:
>>
>>> Is there a way to pass the "Client-Identifier" to another RADIATOR
>>> process? Perhaps as a RADIUS Attribute?
>>
>>There were already a number of good ideas, so I'll just suggest one
>>attribute you could use. OSC-Client-Identifier has been in the
>>dictionary for years, so that might be the easiest to use. No dictionary
>>modifications needed provided you use version 4.0 or later.
>>
>>Something like this should do it:
>>
>> AddToRequest OSC-Client-Identifier=%{Client:Identifier}
>>
>>Thanks,
>>Heikki
>>
>>-- 
>>Heikki Vatiainen <hvn at open.com.au>
>>
>>Radiator: the most portable, flexible and configurable RADIUS server
>>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>>NetWare etc.
>>_______________________________________________
>>radiator mailing list
>>radiator at open.com.au
>>http://www.open.com.au/mailman/listinfo/radiator
>
>_______________________________________________
>radiator mailing list
>radiator at open.com.au
>http://www.open.com.au/mailman/listinfo/radiator
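
The rejection in the trace at the top of this thread can be reproduced with a small model of first-match Handler selection. This is an added example, not code from the thread or from Radiator: the matching rules are a simplified assumption, the handler names and the outer request values are constructed, and the inner request carries only the attributes shown in the PEAP tunnelled packet dump.

```python
import re

# Simplified model of first-match Handler selection, written for illustration;
# it is an assumption about the matching rules, not Radiator's implementation.

def selector_matches(expected, actual):
    """Exact match, or a regex search when the selector is written /re/ or /re/i."""
    if actual is None:  # the attribute is absent from the request
        return False
    m = re.fullmatch(r"/(.*)/(i?)", expected)
    if m:
        return re.search(m.group(1), actual, re.I if m.group(2) else 0) is not None
    return expected == actual

def pick_handler(handlers, request):
    """Return the name of the first handler whose selectors all match, else None."""
    for name, selectors in handlers:
        if all(selector_matches(v, request.get(k)) for k, v in selectors.items()):
            return name
    return None

# Outer selectors are taken from the trace; handler names are hypothetical.
HANDLERS = [
    ("inner-peap-uiowa", {"TunneledByPEAP": "1",
                          "OSC-Client-Identifier": "fromUIOWA"}),
    ("outer-uiowa", {"OSC-Client-Identifier": "fromUIOWA",
                     "Called-Station-Id": "/eduroam$/i",
                     "Realm": r"/(uiowa\.edu$)/i"}),
]
DEFAULT_PEAP = ("default-peap", {"TunneledByPEAP": "1"})

# Constructed outer request (values chosen to satisfy the outer selectors).
OUTER = {"OSC-Client-Identifier": "fromUIOWA",
         "Called-Station-Id": "02-00-00-00-00-02:eduroam",
         "Realm": "uiowa.edu"}
# Inner request: the attributes shown in the PEAP tunnelled packet dump, plus
# the tunnel flag. OSC-Client-Identifier is not among them.
INNER = {"TunneledByPEAP": "1", "NAS-IP-Address": "127.0.0.1",
         "Calling-Station-Id": "02-00-00-00-00-01", "User-Name": ""}

if __name__ == "__main__":
    print("outer           ->", pick_handler(HANDLERS, OUTER))
    print("inner           ->", pick_handler(HANDLERS, INNER))
    print("inner + default ->", pick_handler(HANDLERS + [DEFAULT_PEAP], INNER))
    print("inner + id      ->", pick_handler(
        HANDLERS, {**INNER, "OSC-Client-Identifier": "fromUIOWA"}))
```

The inner request matches nothing until either a selector-free PEAP handler exists or the identifier is present on the inner request, which is the behaviour reported in the thread.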