[RADIATOR] Cannot process multiple AuthBy sections during authentication request
S.Schwarz at lumc.nl
Mon Oct 2 10:48:27 UTC 2017
Hi Tuure,
This explains why that worked on 4.14 and not on the servers where 4.19 is installed! Thanks. I should be able to fix this now at least.
I saw the disclaimer saying that EAP_MSCHAPv2_UseMultipleAuthBys should be avoided and that EAP_PEAP_MSCHAP_Convert should be used instead.
In what situation would it normally be recommended to use EAP_PEAP_MSCHAP_Convert?
Since we share our infrastructure, we use a proxy RADIUS server (also radiator) in order to forward the requests to the customer network for request handling. Would the best practice generally be to use the convert part at the proxy or on the validating RADIUS server?
Kind regards,
Stephan Schwarz
-----Original Message-----
From: radiator [mailto:radiator-bounces at lists.open.com.au] On Behalf Of Tuure Vartiainen
Sent: Monday, October 2, 2017 12:27 PM
To: radiator <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] Cannot process multiple AuthBy sections during authentication request
Hi,
> On 29 Sep 2017, at 20.04, <S.Schwarz at lumc.nl> <S.Schwarz at lumc.nl> wrote:
>
> Additional info:
> Old servers: Windows 2008R2 – Radiator 4.14
> New servers: Windows 2016 – Radiator 4.19
>
>
> In our old configuration we have something like this:
>
> <Handler Identifier=LUMCusers>
>     Identifier LUMCusers_AD
>     <AuthBy GROUP>
>         AuthByPolicy ContinueWhileReject
>         <AuthBy LSA>
>             EAPType MSCHAP-V2
>             DefaultDomain lumcnet
>             UsernameMatchesWithoutRealm
>             Group eduroam-wireless
>             AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:420
>         </AuthBy>
>         <AuthBy LSA>
>             EAPType MSCHAP-V2
>             DefaultDomain lumcnet
>             UsernameMatchesWithoutRealm
>             Group lumc-wireless-1
>             AddToReply Tunnel-Type=1:VLAN,Tunnel-Medium-Type=1:Ether_802,Tunnel-Private-Group-ID=1:281
>         </AuthBy>
>     </AuthBy>
> </Handler>
>
> ...
>
> In the logfiles I see something like this:
>
> Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
> Fri Sep 29 18:44:47 2017: DEBUG: Deleting session for testuser at lumc.nl, 10.250.88.245, 8
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthHANDLER:
> Fri Sep 29 18:44:47 2017: DEBUG: AuthBy HANDLER is redirecting to Handler 'Auth_ActiveDirectory2'
> Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'Identifier=^(Handler_PEAP|Handler_TTLS)$', Identifier 'Auth_ActiveDirectory2'
> Fri Sep 29 18:44:47 2017: DEBUG: Deleting session for testuser at lumc.nl, 10.250.88.245, 8
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthGROUP:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
> Fri Sep 29 18:44:47 2017: DEBUG: Response type 26
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthLSA looks for match with testuser [testuser at lumc.nl]
> Fri Sep 29 18:44:47 2017: DEBUG: Checking LSA Group membership for \\LUMC-DC01, eduroam-wireless, testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: testuser [testuser at lumc.nl]
> Fri Sep 29 18:44:47 2017: DEBUG: EAP Failure, elapsed time 0.044654
> Fri Sep 29 18:44:47 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP V2 failed: no such user testuser
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
> Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
> Fri Sep 29 18:44:47 2017: DEBUG: Response type 26
> Fri Sep 29 18:44:47 2017: INFO: EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
> Fri Sep 29 18:44:47 2017: DEBUG: EAP Failure, elapsed time 0.000006
> Fri Sep 29 18:44:47 2017: DEBUG: EAP result: 1, EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
> ...
>
> The weird thing is that the whole AuthBy GROUP -> multiple AuthBy sections actually works for a different kind of request I process.
> ...
>
Radiator 4.18 introduced more checks within the EAP state machine, along with a new optional configuration option, EAP_MSCHAPv2_UseMultipleAuthBys, which should solve your problem.
http://www.open.com.au/radiator/ref/EAP_MSCHAPv2_UseMultipleAuthBys.html#EAP_MSCHAPv2_UseMultipleAuthBys
BR
--
Tuure Vartiainen <vartiait at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator at lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
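The log excerpt in the thread shows the failure signature of this problem: the first AuthBy LSA inside the AuthBy GROUP consumes the EAP-MSCHAPv2 response and logs a REJECT, and when ContinueWhileReject hands the same EAP message to the second AuthBy LSA, the 4.18+ EAP state machine reports "EAP Response type 26 in unexpected state" and suggests a NAS failover. The same INFO line can also appear for a genuine NAS failover, so an operator triaging logs wants to tell the two apart. The following script is an added example, not code from the thread or from Radiator: it groups Radiator debug-log lines per handled request and classifies each "unexpected state" EAP event as a multi-AuthBy state loss when an AuthBy REJECT precedes it in the same request, and as a possible NAS failover otherwise. The sample log is constructed from the thread's excerpt (reflowed to one entry per line) plus one made-up request at 18:50:02 that shows the failover-only shape; the classification labels are this example's own.

```python
"""Classify 'EAP Response type 26 in unexpected state' events in a Radiator debug log.

Added example: the parsing and labels here are this script's own, not Radiator's.
"""
import re
from dataclasses import dataclass, field

# Radiator log line: "<ctime-style timestamp>: <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# A new request begins each time a Handler is selected for it.
HANDLER_RE = re.compile(
    r"^Handling request with Handler '(?P<match>[^']*)', Identifier '(?P<ident>[^']*)'"
)

# Labels used by this example for the two causes of the INFO line.
MULTI_AUTHBY = "multi-authby-state-loss"   # an AuthBy already consumed the EAP message
NAS_FAILOVER = "possible-nas-failover"    # no prior REJECT in this request


@dataclass
class Request:
    handler: str                      # Handler Identifier that took the request
    events: list = field(default_factory=list)  # (level, message) pairs


def parse(log_text):
    """Split a Radiator debug log into per-request groups of (level, message)."""
    requests = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip non-log lines (blank, wrapped fragments, etc.)
        level, msg = m.group("level"), m.group("msg")
        hm = HANDLER_RE.match(msg)
        if hm:
            current = Request(handler=hm.group("ident"))
            requests.append(current)
        elif current is not None:
            current.events.append((level, msg))
    return requests


def classify(requests):
    """Return (handler, label) for every 'unexpected state' EAP event.

    An AuthBy REJECT earlier in the same request (e.g. "Radius::AuthGROUP: result:
    REJECT" or "Radius::AuthLSA REJECT") means a sibling AuthBy already handled the
    EAP round; without one, the message is more plausibly a real NAS failover.
    """
    findings = []
    for req in requests:
        saw_reject = False
        for level, msg in req.events:
            if msg.startswith("Radius::Auth") and "REJECT" in msg:
                saw_reject = True
            elif "EAP Response type" in msg and "in unexpected state" in msg:
                findings.append((req.handler, MULTI_AUTHBY if saw_reject else NAS_FAILOVER))
    return findings


def summarize(log_text):
    """Convenience wrapper: parse and classify in one call."""
    return classify(parse(log_text))


# Constructed sample: the thread's excerpt (one entry per line) plus a made-up request.
SAMPLE_LOG = """\
Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthHANDLER:
Fri Sep 29 18:44:47 2017: DEBUG: AuthBy HANDLER is redirecting to Handler 'Auth_ActiveDirectory2'
Fri Sep 29 18:44:47 2017: DEBUG: Handling request with Handler 'Identifier=^(Handler_PEAP|Handler_TTLS)$', Identifier 'Auth_ActiveDirectory2'
Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthGROUP:
Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: testuser [testuser at lumc.nl]
Fri Sep 29 18:44:47 2017: DEBUG: Radius::AuthGROUP: result: REJECT, EAP MSCHAP V2 failed: no such user testuser
Fri Sep 29 18:44:47 2017: DEBUG: Handling with Radius::AuthLSA:
Fri Sep 29 18:44:47 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
Fri Sep 29 18:44:47 2017: INFO: EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
Fri Sep 29 18:50:02 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
Fri Sep 29 18:50:02 2017: DEBUG: Handling with EAP: code 2, 9, 75, 26
Fri Sep 29 18:50:02 2017: INFO: EAP Response type 26 in unexpected state. NAS did RADIUS server failover for an ongoing EAP authentication?
"""

if __name__ == "__main__":
    for handler, label in summarize(SAMPLE_LOG):
        print(f"{handler}: {label}")
```

Run against a real trace file (`summarize(open("radiator.log").read())`), a run of multi-authby-state-loss findings on one handler points at the AuthBy GROUP / ContinueWhileReject pattern from the thread rather than at flapping NAS failover, which is the question an operator on 4.18+ has to answer before touching EAP_MSCHAPv2_UseMultipleAuthBys or EAP_PEAP_MSCHAP_Convert.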