[RADIATOR] PEAP and realm check

Roberto Pantoja rpantoja at lageo.com.sv
Tue Aug 19 15:39:02 CDT 2014


On 08/19/2014 11:50 AM, Klara Mall wrote:
> Hi,
>
> we have a problem concerning authentication with PEAP/MSCHAP-V2. We want to use
> different handlers per realm the user authenticates with. This is the
> configuration which does not work:
>
> -------------------------------------------------------------------------------------
> <AuthBy NTLM>
>         Identifier ntlm-wifi2vlan
>         Domain KIT
>         NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>         UsernameMatchesWithoutRealm
>         EAPType MSCHAP-V2
> </AuthBy>
>
> <AuthBy LDAP2>
>         Identifier ldap-ad-kit-eap
>         Include %D/server/KIT-DC-01
>         BaseDN          dc=kit,dc=edu
>         Timeout 5
>         ServerChecksPassword
>         UsernameAttr sAMAccountName
>         PasswordAttr
>
>         EAPType PEAP
>         EAPTLS_CAFile %D/certificates/chain-kit-ca.pem
>         EAPTLS_CertificateFile %D/certificates/server.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_MaxFragmentSize 1000
>         EAPTLS_PrivateKeyFile %D/certificates/server.key
>         EAPTLS_PEAPVersion 0
>         EAPTLS_PEAPBrokenV1Label
>         AutoMPPEKeys
> </AuthBy>
>
> # this does work
> # <Handler TunnelledByPEAP=1>
> # this does not work
> <Handler TunnelledByPEAP=1, Realm=colubris-test>
>         Identifier SCC-WLAN-colubris-test
>         AuthBy ntlm-wifi2vlan
> </Handler>
>
> <Handler NAS-Identifier=colubris-wifi2vlan>
>         AuthBy ldap-ad-kit-eap
> </Handler>
>
> -------------------------------------------------------------------------------------
>
> In the comments you see that the problem is the check of the realm. I test this with eapol_test:
> /usr/bin/eapol_test \
>         -N 32:s:colubris-wifi2vlan -c conf.colubris -a xxx.xx.xx.xx -p 1812 -s "xxxxxxxxxxxxxxx"
>
> conf.colubris:
> network={
> ssid="wifi2vlantest"
> pairwise=CCMP TKIP
> group=CCMP TKIP WEP104 WEP40
> eap=PEAP
> eapol_flags=0
> key_mgmt=IEEE8021X
> identity="scc-netadmin-0001@colubris-test"
> password="xxxxxxxxxxxxxxxxx"
> ca_cert="/etc/ssl/certs/deutsche-telekom-root-ca-2.pem"
> phase2="auth=MSCHAPV2"
> anonymous_identity="qwerty@colubris-test"
> }
>
> I added some debug logging in the radiator source. Then I could see
> that the realm is empty. So if I check for "Realm=" instead of the
> real realm it works, too.
>
> If you need the radiator log file (debug level) just tell me. Only two
> eapol_test attempts (one with the non-working and one with the working
> configuration) produce an 82K file.
>
> BTW: The same setup with EAP-TTLS/PAP is no problem. With TTLS I see that the
> checked realm is the one of the inner identity, which seems reasonable to me.
>
> I'm also wondering where User-Name anonymous in the log comes from
> as I don't use "anonymous" as anonymous identity here. 
>
> Can you help here? I need this because later I have to expand ntlm_auth with
> --require-membership-of= with a variable group name (though I had to patch
> radiator for this to work - there will be another email for this :) ).
>
> Thanks in advance
> Klara
>
You can do something similar to this:

<Handler TunnelledByPEAP=1>
        AuthByPolicy ContinueUntilAcceptOrChallenge

        # ActiveDirectory Group 1
        <AuthBy NTLM>
                Identifier Group1-PEAP
                NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=KIT/Group1
                Domain KIT
                DefaultDomain KIT
                EAPType MSCHAP-V2
                ## Specific configuration for this group
        </AuthBy>  

        # ActiveDirectory Group 2
        <AuthBy NTLM>
                Identifier Group2-PEAP
                NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=KIT/Group2
                Domain KIT
                DefaultDomain KIT
                EAPType MSCHAP-V2
                ## Specific configuration for this group
        </AuthBy>
</Handler>

<Handler>
        AuthByPolicy ContinueUntilAcceptOrChallenge
        <AuthBy FILE>
                Filename %D/users
                EAPType PEAP
                EAPTLS_CAFile %D/certificates/cacert.pem
                EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
                EAPTLS_CertificateType PEM 
                EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
                EAPTLS_PrivateKeyPassword scdm2k13
                EAPTLS_MaxFragmentSize 1024
                EAPTLS_PEAPVersion 0
                EAPTLS_PEAPBrokenV1Label
                AutoMPPEKeys
        </AuthBy>
</Handler>

Greetings.

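As an added illustration for this thread (not Radiator's own code, and not posted by either correspondent), here is a small Python model of how a <Handler a=b, c=d> clause is selected: every listed attribute must match, and Realm is taken from the part of User-Name after the last "@", empty when there is none. Run against requests modelled on the thread, it reproduces the behaviour Klara describes: an inner PEAP request whose User-Name carries no realm fails a Realm=colubris-test check but passes Realm=. The handler name outer-wifi2vlan, the sample requests, the exact-match semantics and the assumption that the inner request does not carry the outer NAS-Identifier are simplifications of this model; real Radiator matches in Perl with richer rules.

```python
"""Toy model of Radiator <Handler> selection by request attributes.

Written for this thread as an illustration; it is NOT Radiator's code.
It keeps only what the thread discusses: attribute matching in handler
order, with Realm derived from User-Name.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def split_realm(user_name: str) -> tuple[str, str]:
    """Split 'user@realm' at the last '@'. Realm is '' when no '@' is present."""
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, ""
    return user, realm


@dataclass
class Handler:
    """One <Handler a=b, c=d> clause: every listed attribute must match."""
    identifier: str
    match: dict[str, str] = field(default_factory=dict)


def request_attributes(user_name: str, nas_identifier: str = "",
                       tunnelled_by_peap: bool = False) -> dict[str, str]:
    """Attributes a request offers for matching; Realm comes from User-Name."""
    attrs = {"User-Name": user_name, "Realm": split_realm(user_name)[1]}
    if nas_identifier:
        attrs["NAS-Identifier"] = nas_identifier
    if tunnelled_by_peap:
        attrs["TunnelledByPEAP"] = "1"
    return attrs


def select_handler(handlers: list[Handler], attrs: dict[str, str]) -> str | None:
    """Identifier of the first handler whose every condition holds, else None.

    An attribute absent from the request compares as '' (so Realm= matches a
    request with no realm) and an empty match dict (a bare <Handler>) matches
    every request.
    """
    for handler in handlers:
        if all(attrs.get(name, "") == value for name, value in handler.match.items()):
            return handler.identifier
    return None


def realm_consistent(outer_identity: str, inner_identity: str) -> bool:
    """Defensive check: an inner identity that carries a realm should carry the
    same realm as the outer (anonymous) identity, or routing becomes unpredictable."""
    outer_realm = split_realm(outer_identity)[1]
    inner_realm = split_realm(inner_identity)[1]
    return inner_realm == "" or inner_realm == outer_realm


# Handler lists modelled on the thread. "outer-wifi2vlan" is an assumed name
# for the outer handler, which the thread leaves unnamed.
HANDLERS_REALM_CHECK = [
    Handler("SCC-WLAN-colubris-test", {"TunnelledByPEAP": "1", "Realm": "colubris-test"}),
    Handler("outer-wifi2vlan", {"NAS-Identifier": "colubris-wifi2vlan"}),
]
HANDLERS_EMPTY_REALM = [
    Handler("SCC-WLAN-colubris-test", {"TunnelledByPEAP": "1", "Realm": ""}),
    Handler("outer-wifi2vlan", {"NAS-Identifier": "colubris-wifi2vlan"}),
]

# Constructed requests. The inner one has no realm in User-Name, which is what
# the thread reports for the PEAP inner request. Whether Radiator copies outer
# attributes such as NAS-Identifier into the inner request is not modelled.
OUTER_REQUEST = request_attributes("qwerty@colubris-test", nas_identifier="colubris-wifi2vlan")
INNER_NO_REALM = request_attributes("scc-netadmin-0001", tunnelled_by_peap=True)
INNER_WITH_REALM = request_attributes("scc-netadmin-0001@colubris-test", tunnelled_by_peap=True)


if __name__ == "__main__":
    print("outer request:", select_handler(HANDLERS_REALM_CHECK, OUTER_REQUEST))
    print("inner, Realm=colubris-test:", select_handler(HANDLERS_REALM_CHECK, INNER_NO_REALM))
    print("inner, Realm=:", select_handler(HANDLERS_EMPTY_REALM, INNER_NO_REALM))
    print("inner with realm, Realm=colubris-test:",
          select_handler(HANDLERS_REALM_CHECK, INNER_WITH_REALM))
    print("outer/inner realms consistent:",
          realm_consistent("qwerty@colubris-test", "scc-netadmin-0001@colubris-test"))
```

The realm_consistent helper is the check worth logging when debugging this kind of routing: if the inner identity the supplicant sends ever disagrees with the realm of the outer identity, the request will land in a different handler than the outer identity suggests, which is exactly the symptom the thread describes.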