[RADIATOR] Cannot process multiple AuthBy sections during authentication request
Tuure Vartiainen
vartiait at open.com.au
Mon Oct 2 10:26:41 UTC 2017
Hi,
> On 29 Sep 2017, at 20.04, <S.Schwarz at lumc.nl> <S.Schwarz at lumc.nl> wrote:
>
> Additional info:
> Old servers: Windows 2008R2 – Radiator 4.14
> New servers: Windows 2016 – Radiator 4.19
>
>
> In our old configuration we have something like this:
>
> <Handler Identifier=LUMCusers>
> Identifier LUMCusers_AD
> <AuthBy GROUP>
> AuthByPolicy ContinueWhileReject
> <AuthBy LSA>
> EAPType MSCHAP-V2
> DefaultDomain lumcnet
> UsernameMatchesWithoutRealm
> Group eduroam-wireless
> AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:420
> </AuthBy>
> <AuthBy LSA>
> EAPType MSCHAP-V2
> DefaultDomain lumcnet
> UsernameMatchesWithoutRealm
> Group lumc-wireless-1
> AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:281
> </AuthBy>
> </AuthBy>
> </Handler>
>
> ...
>
> In the logfiles I see something like this:
>
> Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
> Fri Sep 29 18:44:47 2017: DEBUG: Deleting session for testuser at lumc.nl, 10.250.88.245, 8
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthHANDLER:
> Fri Sep 29 18:44:47 2017: DEBUG: AuthBy HANDLER is redirecting to Handler 'Auth_ActiveDirectory2'
> Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'Identifier=^(Handler_PEAP|Handler_TTLS)$', Identifier 'Auth_ActiveDirectory2'
> Fri Sep 29 18:44:47 2017: DEBUG: Deleting session for testuser at lumc.nl, 10.250.88.245, 8
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthGROUP:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
> Fri Sep 29 18:44:47 2017: DEBUG: Response type 26
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthLSA looks for match with testuser [testuser at lumc.nl]
> Fri Sep 29 18:44:47 2017: DEBUG: Checking LSA Group membership for \\LUMC-DC01, eduroam-wireless, testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: testuser [testuser at lumc.nl]
> Fri Sep 29 18:44:47 2017: DEBUG: EAP Failure, elapsed time 0.044654
> Fri Sep 29 18:44:47 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP V2 failed: no such user testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
> Fri Sep 29 18:44:47 2017: DEBUG: Response type 26
> Fri Sep 29 18:44:47 2017: INFO: EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
> Fri Sep 29 18:44:47 2017: DEBUG: EAP Failure, elapsed time 0.000006
> Fri Sep 29 18:44:47 2017: DEBUG: EAP result: 1, EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
> ...
>
> The weird thing is that the whole AuthBy GROUP -> multiple AuthBy sections actually works for a different kind of request I process.
> ...
>
Radiator 4.18 introduced more checks within the EAP state machine, along with a new optional configuration option, EAP_MSCHAPv2_UseMultipleAuthBys,
which should solve your problem.
http://www.open.com.au/radiator/ref/EAP_MSCHAPv2_UseMultipleAuthBys.html#EAP_MSCHAPv2_UseMultipleAuthBys
BR
--
Tuure Vartiainen <vartiait at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
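For readers landing on this thread, here is the poster's AuthBy GROUP rewritten with the option Tuure refers to. This is an added illustration, not configuration from either message or from Radiator's own documentation; it assumes EAP_MSCHAPv2_UseMultipleAuthBys is a flag parameter written bare inside each AuthBy clause (check the linked reference page for the exact placement and version requirements).

```text
# Added example, not part of the original thread.
#
# Why the original config fails on 4.19: in the quoted log the first
# AuthBy LSA rejects on group membership, the EAP state machine records
# an EAP Failure, and ContinueWhileReject then hands the same EAP
# Response type 26 to the second AuthBy LSA, which reports
# "EAP Response type 26 in unexpected state". The flag below is assumed
# to let the next AuthBy retry EAP-MSCHAP-V2 after a REJECT from the
# previous one, so both group checks get a chance to run.
<Handler Identifier=LUMCusers>
        Identifier LUMCusers_AD
        <AuthBy GROUP>
                AuthByPolicy ContinueWhileReject
                <AuthBy LSA>
                        EAPType MSCHAP-V2
                        # assumed placement: flag set per AuthBy (4.18+)
                        EAP_MSCHAPv2_UseMultipleAuthBys
                        DefaultDomain lumcnet
                        UsernameMatchesWithoutRealm
                        Group eduroam-wireless
                        AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:420
                </AuthBy>
                <AuthBy LSA>
                        EAPType MSCHAP-V2
                        EAP_MSCHAPv2_UseMultipleAuthBys
                        DefaultDomain lumcnet
                        UsernameMatchesWithoutRealm
                        Group lumc-wireless-1
                        AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:281
                </AuthBy>
        </AuthBy>
</Handler>
```

After the change, a user in lumc-wireless-1 but not eduroam-wireless should show a REJECT from the first AuthBy LSA followed by an ACCEPT from the second in the DEBUG log, rather than the "unexpected state" failure.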