[RADIATOR] PEAP and realm check

Heikki Vatiainen hvn at open.com.au
Tue Aug 19 16:34:36 CDT 2014

On 08/19/2014 08:50 PM, Klara Mall wrote:

> <AuthBy LDAP2>
>         Identifier ldap-ad-kit-eap
>         Include %D/server/KIT-DC-01
>         BaseDN          dc=kit,dc=edu
>         Timeout 5
>         ServerChecksPassword
>         UsernameAttr sAMAccountName
>         PasswordAttr
>         EAPType PEAP
>         EAPTLS_CAFile %D/certificates/chain-kit-ca.pem
>         EAPTLS_CertificateFile %D/certificates/server.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_MaxFragmentSize 1000
>         EAPTLS_PrivateKeyFile %D/certificates/server.key
>         EAPTLS_PEAPVersion 0
>         EAPTLS_PEAPBrokenV1Label
>         AutoMPPEKeys

Try adding 'EAPAnonymous %u' here. The default value for EAPAnonymous is
'anonymous'. See below for more.

> </AuthBy>

> BTW: The same setup with EAP-TTLS/PAP is no problem. With TTLS I see that the
> checked realm is the one of the inner identity, which seems reasonable to me.

The first request that gets tunnelled by EAP-TTLS/PAP contains
User-Name. This is why you do not see 'anonymous' but the real inner
User-Name in the request.

> I'm also wondering where User-Name anonymous in the log comes from
> as I don't use "anonymous" as anonymous identity here. 

EAPAnonymous in the outer request sets the value of User-Name attribute
in the inner request if the inner request does not have User-Name.
EAP-TTLS/PAP does have User-Name, so that's why you see what you expect.

PEAP encapsulates inner EAP messages and for these inner EAP requests
Radiator creates a message that looks like a RADIUS message. The inner
EAP message goes to EAP-Message attribute, a User-Name is created and
NAS-IP-Address, NAS-Identifier and Calling-Station-Id are copied from
the outer request so that they can be used by the inner AuthBy if needed.

If you set EAPAnonymous to %u, the inner User-Name will get its value
from the outer User-Name. %0 is special: the inner User-Name will be the
EAP Identity which is carried by the first tunnelled request.

This also means that the first tunnelled request will have an empty
User-Name since the identity is not known yet. After the first request
has been processed by the inner AuthBy, the subsequent tunnelled
requests will have User-Name with a value: the identity the inner EAP uses.

> Can you help here? I need this because later I have to expand ntlm_auth with
> --require-membership-of= with a variable group name (though I had to patch
> radiator for this to work - there will be another email for this :) ).

Hopefully the above helps. With %u the users can use
anonymous@colubris-test to hide the real username (the inner identity in
PEAP/EAP-MSCHAP-V2) but will need to have the correct realm.

Note: User-Name allows you to select the correct Handler for the inner
request. The inner identity is used for the authentication.


Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
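Added example, not from the message above and not from Radiator's own documentation: a configuration fragment showing how the outer and inner PEAP requests are routed to separate Handlers once EAPAnonymous %u makes the inner User-Name carry the outer realm. The realm colubris-test, the KIT-DC-01 include file, the NTLM domain name and the ntlm_auth path are assumptions taken or extrapolated from the thread; the directive names (TunnelledByPEAP, AuthBy NTLM, NtlmAuthProg, Domain, UsernameMatchesWithoutRealm) are assumed to match the Radiator reference manual for the installed version and should be checked against it before use.

```text
# Added example (not from the original post or from Radiator's docs).
# Handlers are tried in the order written; the first whose check items
# all match wins. The inner Handler is listed first so that tunnelled
# requests (TunnelledByPEAP=1) never fall through to the outer one.

# Inner (tunnelled) EAP-MSCHAP-V2 request. Its User-Name is the OUTER
# identity, e.g. anonymous@colubris-test, because the outer AuthBy sets
# EAPAnonymous %u. The realm is therefore available for Handler selection
# here, while the real inner identity is carried inside the EAP-Message and
# is what ntlm_auth authenticates.
<Handler Realm=colubris-test, TunnelledByPEAP=1>
        <AuthBy NTLM>
                EAPType MSCHAP-V2
                # Assumed domain name; adjust to the AD domain ntlm_auth joins.
                Domain KIT
                # Assumed path; this is the usual Samba helper invocation.
                NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
                # Strip the realm before handing the name to ntlm_auth.
                UsernameMatchesWithoutRealm
                AutoMPPEKeys
        </AuthBy>
</Handler>

# Outer (unencrypted) PEAP request, matched on the outer User-Name's realm.
# This is the AuthBy from the post with EAPAnonymous %u added.
<Handler Realm=colubris-test>
        <AuthBy LDAP2>
                Identifier ldap-ad-kit-eap
                Include %D/server/KIT-DC-01
                BaseDN dc=kit,dc=edu
                Timeout 5
                ServerChecksPassword
                UsernameAttr sAMAccountName
                EAPType PEAP
                EAPTLS_CAFile %D/certificates/chain-kit-ca.pem
                EAPTLS_CertificateFile %D/certificates/server.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/certificates/server.key
                EAPTLS_MaxFragmentSize 1000
                EAPTLS_PEAPVersion 0
                EAPTLS_PEAPBrokenV1Label
                # %u: copy the outer User-Name into the inner request.
                # The default 'anonymous' would give the inner request a
                # User-Name with no realm, so no Realm= Handler would match.
                EAPAnonymous %u
                AutoMPPEKeys
        </AuthBy>
</Handler>
```

One caveat that follows from the message: if you choose EAPAnonymous %0 instead of %u, the first tunnelled request arrives with an empty User-Name (the EAP Identity is not yet known), so a Handler keyed on Realm= will not match that first request and you need a catch-all `<Handler TunnelledByPEAP=1>` to absorb it. With %u the outer identity supplies the realm on every tunnelled request, which is why the supplicant must still send the correct realm in its anonymous outer identity.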
