[RADIATOR] Question about regex matching realm in handlers

David Rose rosed at iit.edu
Wed Feb 10 15:31:50 CST 2016


Not sure if this is normal behavior or not as I am a bit new to
Radiator, however it seems odd to me. Maybe someone can explain it or
point out what I might be doing wrong?

Configuring a Radiator server (tried with both 4.15 & 4.16) to provide
authentication for wireless, and most things have gone well. However I
have come across something that doesn't seem quite right. If I only have
handlers for the inner authentication that have a regex to match realms,
Radiator doesn't seem to parse the request packet properly.

If I include "generic" inner authentication handlers (which don't get
used), then the handlers with the regex work just fine.

Here is my working configuration:

Foreground
LogStdout
DbDir           /etc/radiator
LogDir          .
DictionaryFile  %D/dictionary
Trace           4
AuthPort 1812
AcctPort 1813
include %D/clients.cfg
DisabledRuntimeChecks CVE-2014-0160
<AuthBy NTLM>
        Identifier NTLM_MSCHAP_NoRealm
        UsernameMatchesWithoutRealm
        EAPType MSCHAP-V2
</AuthBy>
<AuthBy FILE>
        Identifier FILE_OuterRequests
        Filename %D/dot1x_anon
        EAPType TTLS PEAP
        EAPAnonymous %0
        EAPTLS_CAFile %D/certificates/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_PEAPVersion 0
        EAPTTLS_NoAckRequired
        AutoMPPEKeys
        EAPTLS_Ciphers DEFAULT:!EXPORT:!LOW:!RC4
</AuthBy>
<Handler TunnelledByTTLS=1, Realm=/iit\.edu$/i>
        Identifier TTLS_INNER_IITdEDU
        AuthBy NTLM_MSCHAP_NoRealm
</Handler>
<Handler TunnelledByPEAP=1, Realm=/iit\.edu$/i>
        Identifier PEAP_INNER_IITdEDU
        AuthBy NTLM_MSCHAP_NoRealm
</Handler>
<Handler TunnelledByTTLS=1>
        Identifier TTLS_INNER_GENERIC
        AuthBy NTLM_MSCHAP_NoRealm
</Handler>
<Handler TunnelledByPEAP=1>
        Identifier PEAP_INNER_GENERIC
        AuthBy NTLM_MSCHAP_NoRealm
</Handler>
<Handler Realm=/^$/>
        Identifier NO_REALM
        AccountingHandled
        StripFromReply Reply-Message
        AddToReply Reply-Message="Misconfigured client: empty realm!"
</Handler>
<Handler Realm=/iit\.edu$/i>
        Identifier EAP_OUTER_IITdEDU
        AuthBy FILE_OuterRequests
</Handler>
This works as expected for "tuser at iit.edu" with the outer authentication
being handled by the "EAP_OUTER_IITdEDU" and the inner authentication
using "[TTLS|PEAP]_INNER_IITdEDU" correctly depending on client
configuration.

However, if I comment out the two "[TTLS|PEAP]_INNER_GENERIC" handlers
and associated statements (i.e. no other changes to client config or
anywhere else) and restart Radiator, "tuser at iit.edu" no longer matches
the regex and the inner request is then caught by "NO_REALM". Here is
the debug from a request where things stop working as expected (I think
the key is that in the packet dump, the username is in the "EAP-Message"
field and not the "User-Name" field):

Tue Feb  9 23:21:42 2016: DEBUG: Handling request with Handler
'Realm=/iit\.edu$/i', Identifier 'EAP_OUTER_IITdEDU'
Tue Feb  9 23:21:42 2016: DEBUG:  Deleting session for
anonymous at iit.edu, 192.168.50.70, 14337
Tue Feb  9 23:21:42 2016: DEBUG: Handling with Radius::AuthFILE:
FILE_OuterRequests
Tue Feb  9 23:21:42 2016: DEBUG: Handling with EAP: code 2, 5, 63, 21
Tue Feb  9 23:21:42 2016: DEBUG: Response type 21
Tue Feb  9 23:21:42 2016: DEBUG: EAP TTLS data, 3, 5, 4
Tue Feb  9 23:21:42 2016: DEBUG: EAP TTLS inner authentication request for
Tue Feb  9 23:21:42 2016: DEBUG: TTLS Tunnelled Diameter Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
Attributes:
        EAP-Message = <2><0><0><18><1>tuser at iit.edu
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        User-Name = ""

Tue Feb  9 23:21:42 2016: DEBUG: Handling request with Handler
'Realm=/^$/', Identifier 'NO_REALM'
Tue Feb  9 23:21:42 2016: DEBUG:  Deleting session for , 192.168.50.70,
Tue Feb  9 23:21:42 2016: INFO: Access rejected for : No AuthBy found
Tue Feb  9 23:21:42 2016: DEBUG: Returned TTLS tunnelled Diameter Packet
dump:
Code:       Access-Reject
Identifier: UNDEF
Authentic:  <143><164>i<235>]<132>Uf<206>Y<200><210><211><241><191>/
Attributes:
        Reply-Message = "Misconfigured client: empty realm!"

Tue Feb  9 23:21:42 2016: DEBUG: EAP Failure, elapsed time 0.135382
Tue Feb  9 23:21:42 2016: DEBUG: EAP result: 1, EAP TTLS inner
authentication redispatched to a Handler
Tue Feb  9 23:21:42 2016: DEBUG: AuthBy FILE result: REJECT, EAP TTLS
inner authentication redispatched to a Handler
Tue Feb  9 23:21:42 2016: INFO: Access rejected for anonymous at iit.edu:
EAP TTLS inner authentication redispatched to a Handler
Tue Feb  9 23:21:42 2016: DEBUG: Packet dump:
*** Sending to 192.168.50.70 port 38670 ....
Code:       Access-Reject
Identifier: 48
Authentic:  <199><166><198><217>p55<139>9?<235>9<167><127><2><147>
Attributes:
        EAP-Message = <4><5><0><4>
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "Request Denied"
Any help or insight would be appreciated.

-- 
David Rose
Sr. Network Engineer
Office of Technology Services
Illinois Institute of Technology
(O) 312.567.3249
(F) 312.567.5968
rosed at iit.edu 
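As an added illustration (not part of the post or of Radiator itself), the following Python models what the debug dump shows: the first tunnelled inner request carries the identity only inside EAP-Message (code 2, id 0, length 18, type 1 Identity, 13 identity bytes) while User-Name is still empty, so a Realm regex evaluated on User-Name sees an empty realm. The first-matching-handler-in-configuration-order selection, and the assumption that later inner requests have User-Name populated from the EAP Identity, are modelling assumptions, not Radiator source.

```python
import re

# Constructed from the post's "EAP-Message = <2><0><0><18><1>tuser at iit.edu":
# EAP code 2 (Response), id 0, length 0x0012 = 18, type 1 (Identity), identity.
EAP_IDENTITY_MSG = bytes([2, 0, 0, 18, 1]) + b"tuser@iit.edu"


def parse_eap_identity(msg):
    """Return the identity in an EAP Response/Identity packet, else None."""
    if len(msg) < 5:
        return None
    code, length, eap_type = msg[0], int.from_bytes(msg[2:4], "big"), msg[4]
    if code != 2 or eap_type != 1 or length != len(msg):
        return None
    return msg[5:].decode("utf-8", errors="replace")


def realm_of(user_name):
    """Realm as Radiator derives it: text after the '@', empty when absent."""
    return user_name.rsplit("@", 1)[1] if "@" in user_name else ""


def matches(checks, request):
    """All check items must hold; Realm checks run against User-Name's realm."""
    for attr, want in checks.items():
        got = realm_of(request.get("User-Name", "")) if attr == "Realm" else request.get(attr)
        if isinstance(want, re.Pattern):
            if not want.search(got or ""):
                return False
        elif got != want:
            return False
    return True


def select_handler(handlers, request):
    """Assumed Radiator behaviour: first Handler (in config order) that matches."""
    for handler in handlers:
        if matches(handler["checks"], request):
            return handler["id"]
    return None


# The post's TTLS-relevant handlers, in the order they appear in the config.
HANDLERS = [
    {"id": "TTLS_INNER_IITdEDU", "checks": {"TunnelledByTTLS": 1, "Realm": re.compile(r"iit\.edu$", re.I)}},
    {"id": "TTLS_INNER_GENERIC", "checks": {"TunnelledByTTLS": 1}},
    {"id": "NO_REALM", "checks": {"Realm": re.compile(r"^$")}},
    {"id": "EAP_OUTER_IITdEDU", "checks": {"Realm": re.compile(r"iit\.edu$", re.I)}},
]


def without_generic():
    """The post's failing variant: generic inner handlers commented out."""
    return [h for h in HANDLERS if h["id"] != "TTLS_INNER_GENERIC"]


def dispatch_inner_identity(handlers, eap_message):
    """First inner request, as dumped: identity only in EAP-Message, User-Name empty."""
    request = {"TunnelledByTTLS": 1, "User-Name": "", "EAP-Message": eap_message}
    return select_handler(handlers, request)


def dispatch_inner_after_identity(handlers, eap_message):
    """Later inner requests, assuming User-Name was filled from the EAP Identity."""
    request = {"TunnelledByTTLS": 1, "User-Name": parse_eap_identity(eap_message) or ""}
    return select_handler(handlers, request)
```

Running the two variants shows the empty-User-Name identity packet landing on TTLS_INNER_GENERIC when it exists and on NO_REALM when it does not, matching the rejection in the debug output.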