[RADIATOR] EAP-TTLS authentication problem

Bengi Sağlam bengi at socialandbeyond.com
Thu Dec 11 06:05:44 CST 2014


Hello,

Thanks for the answers. I figured out that my problem was in the users-eap
file: I was missing the User-Password check attribute. So, for those who
might have the same problem as me, my handler and my users file are as
follows:

Configuration File :

<Handler TunnelledByTTLS=1>
    <AuthBy FILE>
        Filename %D/users-eap
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

<Handler Realm=bengi>
    <AuthBy FILE>
        Filename %D/users-eap
        EAPType TTLS
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_MaxFragmentSize 1000
        EAPTTLS_NoAckRequired
        AutoMPPEKeys
    </AuthBy>
</Handler>


users-eap file :

bengi@bengi User-Password=whatever



Now I have another question. After succeeding with this simple example I
wanted to authenticate the users from the database. For this I changed the
inner handler as follows:

<Handler TunnelledByTTLS=1>
    SessionDatabase Normal
    PreProcessingHook sub { \
        my $p = ${$_[0]}; \
        my $aref = $p->{Client}->{DupCacheOrder}[0]->{Attributes}; \
        my %h; \
        foreach my $pair ( @$aref ) { $h{$pair->[0]} = $pair->[1] }; \
        ${$_[0]}->add_attr('Threshold', 80000); \
        ${$_[0]}->add_attr('Interim-Update', 300); \
    }
    <AuthBy SQL>
        EAPType MSCHAP-V2
        DBSource dbi:Pg:dbname=test;host=127.0.0.1
        DBUsername bengi
        DBAuth xxxxxx
        FailureBackoffTime 2
        NoDefault
        Timeout 10
        AuthSelect SELECT 'whatever' AS PASSWORD, 'bengi@bengi' AS NAME \
            FROM DEVICES \
            WHERE MAC='%{Calling-Station-Id}'
        AuthColumnDef 0, User-Password, check
    </AuthBy>
</Handler>


However, in the log I realised that the inner handler is missing the
attribute '%{Calling-Station-Id}', and that is why my user is rejected. When
I hard coded my query as "SELECT 'whatever' AS PASSWORD, 'bengi@bengi' AS
NAME FROM DEVICES WHERE MAC='04_46_65_66_D6_0D'", my user is authenticated
successfully. So my question is: how can I use attributes which come from
the Access-Request packet in the inner handler?


Code:       Access-Request
Identifier: 252
Authentic:  Ael<151><135>L<232>'[<255><27>9<146><223><183><15>
Attributes:
User-Name = "bengi at bengi"
NAS-IP-Address = 192.168.88.241
NAS-Port = 0
NAS-Identifier = "9C-1C-12-CE-41-CC"
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = <2><9><0><176><21><0><23><3><1><0>
<159><178><159>J<138>9<206>&<213><217><139>U<8><218><236>oE<138><243><164><232><232><202><180><131>i<16>f]<216><176>I<23><3><1><0><128><146><200>lHm<176>3<161>><132>e<230><135><221>_<208><219><185><234><139>~<25><218><187><254><180><12>4]<213>QfB<161><158>$<219><140><24><189>7A<168>Z<224>r!$<142><190>xTA<30><10>V%|<205>?<136>g<215>?K<195><5>b<207><210>!<241><20><12><149><252><180>M<15>^<6>
<224><176><28>[<213>7<155><204>&<26><253><26>0<170>#i<19><254><237>O<207>r3<254>R<149><19><186><235><167><159>/<181>m,<180><8>(<8>I[<180>B<184><213><173>
Aruba-Essid-Name = "EmployeeBengi"
Aruba-Location-Id = "9c:1c:12:ce:41:cc"
Aruba-AP-Group = "instant-CE:41:CC"
Message-Authenticator =
?<127><201><213><215>G<15><136><24><130><152><7><13><234><241><140>
Called-Station-Id = "9C-1C-12-CE-41-CC"
Calling-Station-Id = "04_46_65_66_D6_0D"

Thu Dec 11 06:47:35 2014 000000: DEBUG: Handling request with Handler
'Realm=bengi', Identifier ''
Thu Dec 11 06:47:35 2014 000000: DEBUG: Normal Deleting session for
bengi at bengi, 192.168.88.241, 0
Thu Dec 11 06:47:35 2014 000000: DEBUG: do query to
'dbi:Pg:dbname=test;host=127.0.0.1': 'SELECT 'Deleting...'':
Thu Dec 11 06:47:35 2014 000000: DEBUG: Handling with Radius::AuthFILE:
Thu Dec 11 06:47:35 2014 000000: DEBUG: Handling with EAP: code 2, 9, 176,
21
Thu Dec 11 06:47:35 2014 000000: DEBUG: Response type 21
Thu Dec 11 06:47:35 2014 000000: DEBUG: EAP TTLS data, 3, 9, 8
Thu Dec 11 06:47:35 2014 000000: DEBUG: EAP TTLS inner authentication
request for bengi at bengi
Thu Dec 11 06:47:35 2014 000000: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <246><249>K<200><198><7>`;<23><16>,Y<22>Q<154><170>
Attributes:
User-Name = "bengi at bengi"
MS-CHAP-Challenge = <12><3><168><127>5<184><198>D
MS-CHAP-Response =
<216><1><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><192><217>D<163><30>uT<167><140>W<200>qT<247><180><28>`n<7><179><154><141><12><150>

Thu Dec 11 06:47:35 2014 000000: DEBUG: Handling request with Handler
'TunnelledByTTLS=1', Identifier ''
Thu Dec 11 06:47:35 2014 000000: DEBUG: Normal Deleting session for
bengi at bengi, 192.168.88.241,
Thu Dec 11 06:47:35 2014 000000: DEBUG: do query to
'dbi:Pg:dbname=test;host=127.0.0.1': 'SELECT 'Deleting...'':
Thu Dec 11 06:47:35 2014 000000: DEBUG: Handling with Radius::AuthSQL:
Thu Dec 11 06:47:35 2014 000000: DEBUG: Handling with Radius::AuthSQL:
Thu Dec 11 06:47:35 2014 000000: DEBUG: Query to
'dbi:Pg:dbname=test;host=127.0.0.1': 'SELECT 'whatever' AS PASSWORD,
'bengi at bengi' AS NAME FROM DEVICES d WHERE d.MAC=''':
Thu Dec 11 06:47:35 2014 000000: DEBUG: Radius::AuthSQL looks for match
with bengi at bengi [bengi at bengi]
Thu Dec 11 06:47:35 2014 000000: DEBUG: Radius::AuthSQL REJECT: No such
user: bengi at bengi [bengi at bengi]
Thu Dec 11 06:47:35 2014 000000: DEBUG: AuthBy SQL result: REJECT, No such
user
Thu Dec 11 06:47:35 2014 000000: INFO: Access rejected for bengi at bengi: No
such user
Thu Dec 11 06:47:35 2014 000000: DEBUG: Returned TTLS tunnelled Diameter
Packet dump:
Code:       Access-Reject
Identifier: UNDEF
Authentic:  <246><249>K<200><198><7>`;<23><16>,Y<22>Q<154><170>
Attributes:
Reply-Message = "Request Denied"



Regards,
Bengi.
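The tunnelled packet dump in the log above shows why the query expands to MAC='': the inner Access-Request contains only what the supplicant sent inside the TLS tunnel (User-Name, MS-CHAP-Challenge, MS-CHAP-Response), while Calling-Station-Id is an attribute the NAS added to the outer request. The following PreProcessingHook is an added example, not code from the post or from Radiator itself. It copies selected NAS attributes from the outer request into the inner one so that %{Calling-Station-Id} is defined when AuthBy SQL expands AuthSelect. It assumes that the inner request object holds a reference to the outer request in $p->{outerRequest} (check your Radiator version's reference manual for the exact field), and it uses the same get_attr/add_attr methods as the hook in the post. Because the original AuthSelect interpolates the MAC directly into an SQL string, the hook also refuses to copy a Calling-Station-Id that is not a plain MAC, so a hostile client cannot get quote characters into the query.

```perl
# Added example (not from the original post or from Radiator): a
# PreProcessingHook for <Handler TunnelledByTTLS=1> that copies NAS-supplied
# attributes from the outer Access-Request into the tunnelled inner request.
# Assumption: the inner request carries the outer one in $p->{outerRequest}.
sub {
    my $p = ${$_[0]};              # the inner (tunnelled) request
    my $outer = $p->{outerRequest};
    return unless $outer;          # not a tunnelled request: nothing to copy

    foreach my $attr ('Calling-Station-Id', 'Called-Station-Id', 'NAS-Identifier') {
        # Never overwrite a value the supplicant already sent inside the tunnel.
        next if defined $p->get_attr($attr);

        my $v = $outer->get_attr($attr);
        next unless defined $v;

        # The MAC ends up unquoted inside '%{Calling-Station-Id}' in AuthSelect,
        # so only accept hex digits plus the usual separators (':', '-', '_', '.'),
        # e.g. 04_46_65_66_D6_0D as seen in the log above.
        if ($attr eq 'Calling-Station-Id') {
            next unless $v =~ /^[0-9A-Fa-f:_.\-]{12,17}$/;
        }

        $p->add_attr($attr, $v);
    }
}
```

Place the sub inline in the inner handler as in the post's configuration (with the trailing backslashes on each line, and no # comments, since Radiator joins continued lines), or keep it in a separate Perl file if your Radiator version supports loading hooks from a file. With the attribute copied, the existing AuthSelect resolves MAC='04_46_65_66_D6_0D' on its own and the hard-coded query is no longer needed.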