[RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

Hugo Veiga hveiga at ubi.pt
Mon Jan 25 11:57:55 CST 2016


Hi,

I'm upgrading from 4.9 to radiator 4.16 and I'm stuck because I can't get
radiator to get to the inner authentication phase.

It simply doesn't dispatch to the inner handler! Am I missing something I
need to install?

Any light on this would be great.

Best regards,
Hugo Veiga


Here is my config:
---------------------
LogDir          /var/log/radius
DbDir           /etc/radiator/
Trace           9
AuthPort 1812
AcctPort 1813


<Client 10.240.1.1>
        Secret test123..123
</Client>

<AuthLog FILE>
        Identifier localusers
        Filename %L/localusers.log
        #SuccessFormat %l|%u|OK
        SuccessFormat %l|%N|%{Request:Calling-Station-Id}|%u|OK|%P
        FailureFormat %l|%N|%{Request:Calling-Station-Id}|%u|Reason:%1|KO
        LogSuccess 1
        LogFailure 1
</AuthLog>

#Inner-Request-the-real-authentication
<AuthBy SQL>
        Identifier PEAP_CONVIDADO_INNER
        DBSource dbi:mysql:radius-temp
        DBUsername db_user
        DBAuth passwd_teste123
        Timeout 10
        SQLRetries 4
        FailureBackoffTime 10
        EAPType MSCHAP-V2
#uses the outer username no anonymous allowed
        AuthSelect SELECT password FROM convidado WHERE
username=SUBSTRING('%u',1,LOCATE('@','%u'))
AND datai<"%Y-%m-%d %H:%M:%S" AND dataf>"%Y-%m-%d %H:%M:%S"
#PacketTrace
</AuthBy>

#Outer-request-to-exchange-certificate-keys
<AuthBy INTERNAL>
        Identifier PEAP_CONVIDADO
        EAPType PEAP
        EAPAnonymous %u
        EAPTLS_PEAPVersion 0
        EAPTTLS_NoAckRequired
        EAPTLS_CAFile /etc/radiator/terena_ca.pem
        EAPTLS_CertificateFile /etc/radiator/dc2_2.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /etc/radiator/dc2key_2.pem
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
</AuthBy>

#handler for inner
<Handler TunnelledByPEAP=1>
      AuthBy PEAP_CONVIDADO_INNER
</Handler>


#handler for outer
<Handler Realm=/^convidado$/i>
        AuthBy PEAP_CONVIDADO
</Handler>


#Default
<Handler>
 <AuthBy INTERNAL>
                DefaultResult   REJECT
    </AuthBy>
        <AuthLog FILE>
                Filename %L/localusers.log
                FailureFormat
%l|%N|%{Request:Calling-Station-Id}|%u|Reason:DEFAULT REALM|KO
        </AuthLog>
        AccountingHandled
</Handler>

-------------------------------

Trace:

Mon Jan 25 17:51:59 2016: DEBUG: Finished reading configuration file
'/etc/radiator/radius.cfg'
Mon Jan 25 17:51:59 2016: DEBUG: Reading dictionary file
'/etc/radiator//dictionary'
Mon Jan 25 17:51:59 2016: DEBUG: This system is IPv6 capable. IPv6
capability provided by: core
Mon Jan 25 17:51:59 2016: INFO: Using Net::SSLeay 1.71 with SSL/TLS library
version 0x1000205f (OpenSSL 1.0.2e-fips 3 Dec 2015)
Mon Jan 25 17:51:59 2016: DEBUG: Creating authentication port 0.0.0.0:1812
Mon Jan 25 17:51:59 2016: DEBUG: Creating accounting port 0.0.0.0:1813
Mon Jan 25 17:51:59 2016: NOTICE: Server started: Radiator 4.16 on radius02.
ubi.pt
Mon Jan 25 17:52:08 2016: DEBUG: Packet dump:
*** Received from 10.240.1.1 port 20002 ....

Packet length = 163
Code:       Access-Request
Identifier: 144
Authentic:  <233><139><159>C<144><136><22><242>|Sh<10><153><127><179><136>
Attributes:
        NAS-Port-Id = "AP3/1"
        Calling-Station-Id = "C4-85-08-A6-C0-2F"
        Called-Station-Id = "00-11-88-D2-DD-04:ccteste"
        Service-Type = Framed-User
        EAP-Message = <2><1><0><19><1>1745 at convidado
        User-Name = "1745 at convidado"
        NAS-Port = 37840
        NAS-Port-Type = Wireless-IEEE-802-11
        NAS-IP-Address = 10.240.1.1
        NAS-Identifier = "enterasys"
        Message-Authenticator =
a<200>H<184><154><11>KB<18>z<225><249><205><177><234>"

Mon Jan 25 17:52:08 2016: DEBUG: Handling request with Handler 'Realm=/^
convidado$/i', Identifier ''
Mon Jan 25 17:52:08 2016: DEBUG:  Deleting session for 1745 at convidado,
10.240.1.1, 37840
Mon Jan 25 17:52:08 2016: DEBUG: Handling with AuthINTERNAL: PEAP_CONVIDADO
Mon Jan 25 17:52:08 2016: DEBUG: AuthBy INTERNAL result: IGNORE, Fixed by
DefaultResult
Mon Jan 25 17:52:13 2016: INFO: Duplicate request id 144 received from
10.240.1.1(20002): ignored
Mon Jan 25 17:52:18 2016: INFO: Duplicate request id 144 received from
10.240.1.1(20002): ignored
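As an added example (not part of Hugo's post or of Radiator itself), the Python below decodes the Access-Request shown in the trace above: the only thing the outer handler ever receives is an EAP-Response/Identity for 1745@convidado, the first PEAP leg, and the inner MSCHAP-V2 exchange cannot begin until the outer EAP conversation has built the TLS tunnel, which the trace shows never starts (the outer AuthBy returns IGNORE). It also performs the Message-Authenticator check that RFC 3579 requires on EAP-carrying requests. The packet bytes are copied from the posted dump, the attribute and EAP code numbers come from the RADIUS and EAP RFCs, and the secret is the one in the posted Client clause.

```python
import hmac
import struct

# Copied from the 163-byte packet dump in the post (Access-Request, id 144).
PACKET = bytes.fromhex(
    "019000a3e98b9f43908816f27c53680a997fb38857074150332f311f1343342d"
    "38352d30382d41362d43302d32461e1b30302d31312d38382d44322d44442d30"
    "343a636374657374650606000000024f1502010013013137343540636f6e7669"
    "6461646f01103137343540636f6e76696461646f0506000093d03d0600000013"
    "04060af00101200b656e74657261737973501261c848b89a0b4b42127ae1f9cd"
    "b1ea22")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 25: "PEAP", 26: "MSCHAP-V2"}
USER_NAME, EAP_MESSAGE, MSG_AUTH = 1, 79, 80      # RADIUS attribute type numbers

def parse_attrs(pkt):
    """Split the RADIUS attribute area into (type, value) pairs, checking every length field."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def verify_message_authenticator(pkt, secret):
    """RFC 3579 check: HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    stored = next((v for t, v in parse_attrs(pkt)[2] if t == MSG_AUTH), None)
    if stored is None or len(stored) != 16:
        return False                     # EAP requests without it must be discarded
    off = pkt.index(bytes([MSG_AUTH, 18]) + stored)
    zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, "md5").digest(), stored)

def summarize(pkt):
    """Describe the EAP leg carried in an Access-Request (EAP-Message fragments are joined)."""
    code, ident, attrs = parse_attrs(pkt)
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("missing or truncated EAP-Message")
    etype = eap[4] if len(eap) > 4 else None
    user = next(v for t, v in attrs if t == USER_NAME).decode()
    return {"radius_code": code, "id": ident, "user_name": user,
            "eap_code": EAP_CODES.get(eap[0], eap[0]), "eap_id": eap[1],
            "eap_type": EAP_TYPES.get(etype, etype),
            "identity": eap[5:].decode() if etype == 1 else None,
            "realm": user.rpartition("@")[2] if "@" in user else None}
```

The realm the summary extracts ("convidado") is what the outer Handler's Realm=/^convidado$/i matched in the trace; the EAP leg is still the bare Identity response, so nothing tunnelled exists yet for the TunnelledByPEAP=1 handler to see.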