[RADIATOR] eduroam request with EAP Nak desires type 26
RICHARD DUNNE
richard.dunne at dit.ie
Fri Mar 13 10:04:01 CDT 2015
Hello all
I have a problem that at this stage I can't see the answer to.
I have local users working fine: they go to an outer PEAP handler, then an inner
MS-CHAP handler.
All works fine.
I have a second set with a different handler for accepting my users
requesting access from other RADIUS servers.
If I use a RadEAP test client with the same IP range, it works, as it
should.
But for some reason the proxy access users are looking for type 26 in the
outer handler.
I know the answer is probably simple, but I can't see it.
CONFIG
Foreground
LogStdout
LogDir .
DbDir .
DictionaryFile /etc/radiator/dictionary
# Use a lower trace level in production systems:
Trace 4
<AuthLog FILE>
Identifier authlogger
# Filename /var/log/radiator/auth_log.%y%m%d
Filename /var/log/radiator/auth.%Y%m%d.log
FailureFormat Access-Reject at %H:%M:%S for User-Name: %u at AP=%{Siemens-AP-Name},CSI=%{Calling-Station-Id},SSID=%{Siemens-SSID},profile=%{Filter-Id}
SuccessFormat Access-Accept at %H:%M:%S for User-Name: %u at AP=%{Siemens-AP-Name},CSI=%{Calling-Station-Id},SSID=%{NAS-Identifier},profile=%{Filter-Id}
LogSuccess 1
LogFailure 1
</AuthLog>
<Log SYSLOG>
Facility local7
Identifier log-syslog
Trace 3
</Log>
<Log FILE>
Filename /var/log/radiator/radiator.%Y%m%d.log
Identifier log-file
Trace 4
</Log>
<AuthLog SYSLOG>
Identifier defaultAuthLog
Facility local7
LogIdent radiator
FailureFormat Access-Reject for %u (User-Name=%{Reply:User-Name}) at Proxy=%c (CSI=%{Calling-Station-Id}NAS=%{NAS-Identifier}/%N)
SuccessFormat Access-Accept for %u (User-Name=%{Reply:User-Name}) at Proxy=%c (CSI=%{Calling-Station-Id}NAS=%{NAS-Identifier}/%N) EAP=%{HexAddress:EAP-Message}
LogSuccess 1
LogFailure 1
</AuthLog>
AuthPort 1812
AcctPort 1813
#DictionaryFile /etc/radiator/dictionary
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
#<Client 147.252.2.99>
# Secret mysecret
#Identifier leo
#IgnoreAcctSignature
#</Client>
<Client 147.252.0.0/16>
Secret mysecret
IgnoreAcctSignature
Identifier dit
</Client>
##################HEANET CLIENTS###############
<Client 193.1.219.44>
Secret
#Secret hello
Identifier heanet
IdenticalClients 193.1.219.45,30.30.30.30
IgnoreAcctSignature
</Client>
#############################################
<AuthBy LDAP2>
RewriteUsername s/^\@.*//
NoCheckPassword
Identifier AuthLDAP-DIT
Host 147.252.1.192
AuthDN cn=radius,cn=users,dc=ict,dc=ad,dc=dit,dc=ie
AuthPassword letmein
#BaseDN cn=users,DC=ict,DC=ad,DC=dit,DC=ie
BaseDN ou=DIT,DC=ict,DC=ad,DC=dit,DC=ie
UsernameAttr sAMAccountName
UsernameMatchesWithoutRealm 1
NoCheckPassword
#ServerChecksPassword
#EAPType MSCHAP-V2,PEAP
#EAPType TTLS PAP
NoEAP
AuthAttrDef employeeType,employeeType,request
AuthAttrDef sAMAccountName,sAMAccountName,request
#SearchFilter (&(employeeType=Staff))
#SearchFilter (&(sAMAccountName=%{User-Name})(employeeType=Staff))
NoDefault
NoDefaultIfFound
#AuthAttrDef sAMAccountName,sAMAccountName,request
PostSearchHook sub {my ($self,$p,$rp,$entry)=($_[0],$_[2],$_[5],$_[4]);\
my @attr = $_[4]->get('employeeType');\
my $attr = @attr[0];\
$_[3]->get_reply->add_attr('Filter-Id',\
$attr);}
#NoCheckPassword
</AuthBy>
################################################
<AuthBy FILE>
Filename %D/users-TEST
#EAPType MSCHAP-V2
Identifier AuthTEST
</AuthBy>
##################################################
<AuthBy NTLM>
RewriteUsername s/^\@.*//
UsernameMatchesWithoutRealm 1
Domain ICTDOMAIN
DefaultDomain ICTDOMAIN
# This tells the PEAP client what types of inner EAP requests
# we will honour
EAPType MSCHAP-V2
Identifier AuthNTLM-DIT
</AuthBy>
###########################################################
<AuthBy ROUNDROBIN>
Identifier EDUROAM_FED
Secret
Retries 2
RetryTimeout 15
FailureBackoffTime 300
<Host 193.1.219.44>
AuthPort 1812
AcctPort 1813
</Host>
<Host 193.1.219.45>
AuthPort 1812
AcctPort 1813
</Host>
</AuthBy>
#############################################################
#############################################################
# This is where we authenticate a PEAP inner request, which will be an
# EAP request. The username of the inner request will anonymous by
# default, although the identity of the EAP request will be the real
# username we are trying to authenticate.
#############################
<Handler NAS-Identifier=test, TunnelledByPEAP=1>
<AuthBy GROUP>
#AuthByPolicy ContinueUntilAccept
#AuthByPolicy Continueuntilreject
AuthByPolicy ContinueWhileAccept
AuthBy AuthNTLM-DIT
AuthBy AuthLDAP-DIT
</AuthBy>
AuthLog authlogger
</Handler>
##############################
##############################
<Handler NAS-Identifier=eduroam, TunnelledByPEAP=1, Realm=dit.ie>
<AuthBy GROUP>
#AuthByPolicy ContinueUntilAccept
#AuthByPolicy Continueuntilreject
AuthByPolicy ContinueWhileAccept
AuthBy AuthNTLM-DIT
AuthBy AuthLDAP-DIT
</AuthBy>
AuthLog authlogger
</Handler>
##########################################################
<Handler NAS-Identifier=ditwifi, TunnelledByPEAP=1, Realm=dit.ie>
AuthBy AuthNTLM-DIT
AuthLog authlogger
</Handler>
##############################################################
<Handler NAS-Identifier=ditwifi, Realm=/^$/>
AuthLog authlogger
AuthBy AuthNTLM-DIT
AuthLog authlogger
</Handler>
###############################################################
<Handler Client-Identifier=leo>
RewriteUsername s/^\@.*//
AuthBy AuthTEST
</Handler>
#####################################################
#############################HEANET #################
<Handler NAS-Identifier=/^$/, TunnelledByPEAP=1, Realm=dit.ie>
AuthBy AuthNTLM-DIT
AuthLog authlogger
</Handler>
########################
####################################################
<Handler Client-Identifier=dit, Realm=dit.ie >
<AuthBy FILE>
Identifier PEAP_OUTER
# users file will not be used for tunnelled EAP outer
# authentication. PEAP inner authentication is handled
# by its own Handler above.
#Filename %D/users
#EAPType PEAP,MSCHAP-V2
EAPType PEAP
EAPTLS_CAFile /etc/radiator/certificates/rad2013.chain
EAPTLS_CertificateFile /etc/radiator/certificates/rad2013.crt
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/radiator/certificates/rad2013.key
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
# You can configure the User-Name that will be used for the inner
# authentication. Defaults to 'anonymous'. This can be useful
# when proxying the inner authentication. If there is a realm, it can
# be used to choose a Handler to handle the inner authentication.
# %0 is replaced with the EAP identity
EAPAnonymous %{User-Name}
#EAPTLS_SessionResumptionLimit 10
# You can control which version of the PEAP protocol
# to honour with EAPTLS_PEAPVersion. Defaults to
# 0. Set it to 1 for unusual clients.
EAPTLS_PEAPVersion 0
</AuthBy>
</Handler>
###################################################################
########################
<Handler Client-Identifier=heanet, Realm=DIT.IE>
RewriteUsername tr/A-Z/a-z/
AuthBy PEAP_OUTER
</Handler>
###################################################################
<Handler Client-Identifier=heanet, Realm=dit.ie>
EAPType MSCHAP-V2,PEAP
AuthBy PEAP_OUTER
#Strip any VLAN stuff from the reply.
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,cisco-avpair,Filter-Id
</Handler>
#############################################################################
#<Handler Client-Identifier=heanet, Realm=dit.ie>
# <AuthBy FILE>
# #Filename %D/users
# #EAPType PEAP,MSCHAP-V2
# EAPType PEAP
# EAPTLS_CAFile /etc/radiator/certif
# EAPTLS_CertificateFile /etc/radiator/certifi.crt
# EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile /etc/radiator/certificates/.key
# EAPTLS_MaxFragmentSize 1000
# AutoMPPEKeys
# EAPAnonymous %{User-Name}
# #EAPTLS_SessionResumptionLimit 10
#
# # 0. Set it to 1 for unusual clients.
# EAPTLS_PEAPVersion 0
# </AuthBy>
#Strip any VLAN stuff from the reply.
#StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,cisco-avpair,Filter-Id
#</Handler>
############################################################################
#Unknown realms in the own domain
<Handler Realm=/.*\.dit.ie$/i>
AccountingHandled
StripFromReply Reply-Message
AddToReply Reply-Message="Misconfigured supplicant or downstream server: uses non-existing realm in dit.ie!"
AuthLog authlogger
</Handler>
###################################################
#Handling empty realms on ditwifi
<Handler NAS-Identifier=ditwifi,Realm=/^$/>
AuthBy AuthNTLM-DIT
AuthLog authlogger
</Handler>
#########################################
#Handling empty realms on test
<Handler NAS-Identifier=test,Realm=/^$/>
AuthBy AuthNTLM-DIT
AuthLog authlogger
</Handler>
####################################################
#Handling empty realms
#<Handler Realm=/^$/>
# AccountingHandled
# StripFromReply Reply-Message
# AddToReply Reply-Message="Misconfigured client: empty realm! Rejected by dit.ie."
# AuthLog authlogger
#</Handler>
########################################
# Default Handler forwards to eduroam-IE top domain
<Handler>
AuthBy EDUROAM_FED
AddToReply Filter-Id = eduroam-guest
AuthLog authlogger
</Handler>
################################################################################
LOG PART
They should be coming in looking to set up a PEAP tunnel, but in the log
file I get:
Fri Mar 13 10:25:38 2015: DEBUG: Handling request with Handler 'Client-Identifier=heanet, Realm=dit.ie', Identifier ''
Fri Mar 13 10:25:38 2015: DEBUG: Deleting session for 026076 at dit.ie, 127.0.0.1,
Fri Mar 13 10:25:38 2015: DEBUG: Handling with Radius::AuthFILE:
Fri Mar 13 10:25:38 2015: DEBUG: Handling with EAP: code 2, 9, 2, 3
Fri Mar 13 10:25:38 2015: DEBUG: Response type 3
*Fri Mar 13 10:25:38 2015: DEBUG: EAP Nak desires type 26*
Fri Mar 13 10:25:38 2015: DEBUG: Desired EAP type MSCHAP-V2 (26) not permitted
Fri Mar 13 10:25:38 2015: DEBUG: EAP result: 1, None of the desired EAP types (26) are available
Fri Mar 13 10:25:38 2015: DEBUG: AuthBy FILE result: REJECT, None of the desired EAP types (26) are available
Fri Mar 13 10:25:38 2015: INFO: Access rejected for 026076 at dit.ie: None of the desired EAP types (26) are available
--
This email originated from DIT. If you received this email in error, please
delete it from your system. Please note that if you are not the named
addressee, disclosing, copying, distributing or taking any action based on
the contents of this email or attachments is prohibited. www.dit.ie
DIT is on the move to Grangegorman <http://www.dit.ie/grangegorman>