[RADIATOR] PEAP and realm check

Klara Mall klara.mall at kit.edu
Tue Aug 19 12:50:39 CDT 2014


We have a problem concerning authentication with PEAP/MSCHAP-V2. We want to use
different handlers per realm the user authenticates with. This is the
configuration which does not work:

<AuthBy NTLM>
        Identifier ntlm-wifi2vlan
        Domain KIT
        NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
        EAPType MSCHAP-V2
</AuthBy>

<AuthBy LDAP2>
        Identifier ldap-ad-kit-eap
        Include %D/server/KIT-DC-01
        BaseDN          dc=kit,dc=edu
        Timeout 5
        UsernameAttr sAMAccountName

        EAPType PEAP
        EAPTLS_CAFile %D/certificates/chain-kit-ca.pem
        EAPTLS_CertificateFile %D/certificates/server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_MaxFragmentSize 1000
        EAPTLS_PrivateKeyFile %D/certificates/server.key
        EAPTLS_PEAPVersion 0
</AuthBy>

# this does work
# <Handler TunnelledByPEAP=1>
# this does not work
<Handler TunnelledByPEAP=1, Realm=colubris-test>
        Identifier SCC-WLAN-colubris-test
        AuthBy ntlm-wifi2vlan
</Handler>

<Handler NAS-Identifier=colubris-wifi2vlan>
        AuthBy ldap-ad-kit-eap
</Handler>


In the comments you can see that the problem is the check of the realm. I test this with eapol_test:
/usr/bin/eapol_test \
        -N 32:s:colubris-wifi2vlan -c conf.colubris -a xxx.xx.xx.xx -p 1812 -s "xxxxxxxxxxxxxxx"

pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
identity="scc-netadmin-0001 at colubris-test"
anonymous_identity="qwerty at colubris-test"

I added some debug logging to the Radiator source. Then I could see
that the realm is empty. So if I check for "Realm=" instead of the
real realm, it works, too.

If you need the Radiator log file (debug level), just tell me. Only two
eapol_test attempts (one with the non-working and one with the working
configuration) produce an 82K file.

BTW: The same setup with EAP-TTLS/PAP is no problem. With TTLS I see that the
checked realm is the one of the inner identity, which seems reasonable to me.

I'm also wondering where the User-Name "anonymous" in the log comes from,
as I don't use "anonymous" as the anonymous identity here.

Can you help here? I need this because later I have to expand ntlm_auth with
--require-membership-of= with a variable group name (though I had to patch
Radiator for this to work; there will be another email about this :) ).

Thanks in advance

Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Klara Mall
Netze und Telekommunikation (NET)
Hermann-von-Helmholtz-Platz 1
76344 Eggenstein-Leopoldshafen
Telefon: +49 721 608-28630
Telefon: +49 721 608-48946
E-Mail: klara.mall at kit.edu
Web: http://www.scc.kit.edu

KIT - Universität des Landes Baden-Württemberg und
nationales Forschungszentrum in der Helmholtz-Gemeinschaft
