[RADIATOR] PEAP and realm check

Klara Mall klara.mall at kit.edu
Tue Aug 19 12:50:39 CDT 2014


Hi,

we have a problem concerning authentication with PEAP/MSCHAP-V2. We want to use
different handlers per realm the user authenticates with. This is the
configuration which does not work:

-------------------------------------------------------------------------------------
<AuthBy NTLM>
        Identifier ntlm-wifi2vlan
        Domain KIT
        NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
        UsernameMatchesWithoutRealm
        EAPType MSCHAP-V2
</AuthBy>

<AuthBy LDAP2>
        Identifier ldap-ad-kit-eap
        Include %D/server/KIT-DC-01
        BaseDN          dc=kit,dc=edu
        Timeout 5
        ServerChecksPassword
        UsernameAttr sAMAccountName
        PasswordAttr

        EAPType PEAP
        EAPTLS_CAFile %D/certificates/chain-kit-ca.pem
        EAPTLS_CertificateFile %D/certificates/server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_MaxFragmentSize 1000
        EAPTLS_PrivateKeyFile %D/certificates/server.key
        EAPTLS_PEAPVersion 0
        EAPTLS_PEAPBrokenV1Label
        AutoMPPEKeys
</AuthBy>

# this does work
# <Handler TunnelledByPEAP=1>
# this does not work
<Handler TunnelledByPEAP=1, Realm=colubris-test>
        Identifier SCC-WLAN-colubris-test
        AuthBy ntlm-wifi2vlan
</Handler>

<Handler NAS-Identifier=colubris-wifi2vlan>
        AuthBy ldap-ad-kit-eap
</Handler>

-------------------------------------------------------------------------------------

In the comments you see that the problem is the check of the realm. I test this with eapol_test:
/usr/bin/eapol_test \
        -N 32:s:colubris-wifi2vlan -c conf.colubris -a xxx.xx.xx.xx -p 1812 -s "xxxxxxxxxxxxxxx"

conf.colubris:
network={
ssid="wifi2vlantest"
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
eap=PEAP
eapol_flags=0
key_mgmt=IEEE8021X
identity="scc-netadmin-0001@colubris-test"
password="xxxxxxxxxxxxxxxxx"
ca_cert="/etc/ssl/certs/deutsche-telekom-root-ca-2.pem"
phase2="auth=MSCHAPV2"
anonymous_identity="qwerty@colubris-test"
}

I added some debug logging in the radiator source. Then I could see
that the realm is empty. So if I check for "Realm=" instead for the
real realm it works, too.

If you need the radiator log file (debug level) just tell. Only two
eapol_test attempts (one with the non-working and one with the working
configuration) produce a 82K file. 

BTW: The same setup with EAP-TTLS/PAP is no problem. With TTLS I see that the
checked realm is the one of the inner identity, which seems reasonable to me.

I'm also wondering where User-Name anonymous in the log comes from
as I don't use "anonymous" as anonymous identity here. 

Can you help here? I need this because later I have to expand ntlm_auth with
--require-membership-of= with a variable group name (though I had to patch
radiator for this to work - there will be another email for this :) ).

Thanks in advance
Klara

-- 
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Klara Mall
Netze und Telekommunikation (NET)
Hermann-von-Helmholtz-Platz 1
76344 Eggenstein-Leopoldshafen
Telefon: +49 721 608-28630
Telefon: +49 721 608-48946
E-Mail: klara.mall at kit.edu
Web: http://www.scc.kit.edu

KIT - Universität des Landes Baden-Württemberg und
nationales Forschungszentrum in der Helmholtz-Gemeinschaft
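Added example (not part of Klara's message and not Radiator code): a small Python model of the realm handling the message is about. It splits an NAI into user and realm on the last "@" (RFC 7542 style), picks a backend from a handler table that mirrors the intent of the posted Handlers (one for tunnelled requests keyed on the realm, one for outer requests keyed on NAS-Identifier), takes the realm from the inner identity for tunnelled requests, and adds the check a practitioner usually wants next to it: that the outer (anonymous) realm agrees with the inner realm. The handler table, the Request type and the function names are assumptions for illustration; Radiator's own matching logic is not reproduced.

```python
"""Realm extraction and per-realm dispatch for tunnelled EAP identities.

Added example, not Radiator code. Handler names below echo the posted
configuration; the table layout and matching rules are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


def split_nai(identity: str) -> Tuple[str, str]:
    """Split a Network Access Identifier into (user, realm).

    RFC 7542: the realm is everything after the LAST '@', so 'a@b@c'
    yields user 'a@b' and realm 'c'. An identity with no '@' has an
    empty realm, which is exactly the case in which a Handler that
    checks Realm=<something> can never match.
    """
    if "@" not in identity:
        return identity, ""
    user, _, realm = identity.rpartition("@")
    return user, realm.lower()


@dataclass(frozen=True)
class Request:
    """Minimal view of one RADIUS/EAP request (assumed shape)."""
    user_name: str                          # outer User-Name / EAP-Identity
    inner_identity: Optional[str] = None    # identity inside the TLS tunnel
    nas_identifier: str = ""

    @property
    def tunnelled(self) -> bool:
        return self.inner_identity is not None


# Hypothetical handler table mirroring the intent of the posted config:
# a realm of None or a nas of None means "any".
HANDLERS = [
    {"tunnelled": True, "realm": "colubris-test", "nas": None,
     "name": "SCC-WLAN-colubris-test"},
    {"tunnelled": False, "realm": None, "nas": "colubris-wifi2vlan",
     "name": "ldap-ad-kit-eap"},
]


def select_handler(req: Request) -> Optional[str]:
    """Return the name of the first handler whose checks all match.

    For a tunnelled request the realm is taken from the inner identity,
    which is the behaviour the message expects (and observes with TTLS).
    """
    identity = req.inner_identity if req.tunnelled else req.user_name
    _, realm = split_nai(identity)
    for h in HANDLERS:
        if h["tunnelled"] != req.tunnelled:
            continue
        if h["realm"] is not None and h["realm"] != realm:
            continue
        if h["nas"] is not None and h["nas"] != req.nas_identifier:
            continue
        return h["name"]
    return None


def realms_consistent(req: Request) -> bool:
    """Policy check: the anonymous outer realm must equal the inner realm.

    Otherwise the outer identity routes the request to one realm while the
    credential is checked against another; an untunnelled request passes.
    """
    if not req.tunnelled:
        return True
    _, outer = split_nai(req.user_name)
    _, inner = split_nai(req.inner_identity)
    return outer == inner


if __name__ == "__main__":
    # Constructed sample matching the identities in the eapol_test config.
    outer = Request("qwerty@colubris-test", nas_identifier="colubris-wifi2vlan")
    inner = Request("qwerty@colubris-test", "scc-netadmin-0001@colubris-test",
                    nas_identifier="colubris-wifi2vlan")
    print(select_handler(outer), select_handler(inner), realms_consistent(inner))
```

The empty-realm case is the one to watch: with an inner identity of just "scc-netadmin-0001", select_handler() returns None because no tunnelled handler accepts an empty realm, and realms_consistent() is False because the outer identity still carries "colubris-test".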

