[RADIATOR] Cannot process multiple AuthBy sections during authentication request

S.Schwarz at lumc.nl
Thu Oct 5 02:11:26 UTC 2017


Thanks for the feedback, I have it working now with the EAP_MSCHAPv2_UseMultipleAuthBys workaround until I have implemented the convert method.

I have 1 more question while I'm at it..

After using this UseMultipleAuthBys method, I get a different results than what I had on my old server.
See the result below:

Wed Oct  4 13:22:22 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
Wed Oct  4 13:22:22 2017: DEBUG:  Deleting session for useraccount at lumc.nl, 172.16.71.249, 0
Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthHANDLER: 
Wed Oct  4 13:22:22 2017: DEBUG: AuthBy HANDLER is redirecting to Handler 'Auth_ActiveDirectory'
Wed Oct  4 13:22:22 2017: DEBUG: Handling request with Handler 'Identifier=^(Handler_PEAP|Handler_TTLS|Handler_From_QManage)$', Identifier 'Auth_ActiveDirectory'
Wed Oct  4 13:22:22 2017: DEBUG:  Deleting session for useraccount at lumc.nl, 172.16.71.249, 0
Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthGROUP: 
Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA: 
Wed Oct  4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct  4 13:22:22 2017: DEBUG: Response type 26
Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [useraccount at lumc.nl]
Wed Oct  4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\DomainController, eduroam-wireless, useraccount
Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [useraccount at lumc.nl]
Wed Oct  4 13:22:22 2017: DEBUG: EAP Failure, elapsed time 0.073829
Wed Oct  4 13:22:22 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA: 
Wed Oct  4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct  4 13:22:22 2017: DEBUG: Response type 26
Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [useraccount at lumc.nl]
Wed Oct  4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-1, useraccount
Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [useraccount at lumc.nl]
Wed Oct  4 13:22:22 2017: DEBUG: EAP Failure, elapsed time 0.000004
Wed Oct  4 13:22:22 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA: 
Wed Oct  4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct  4 13:22:22 2017: DEBUG: Response type 26
Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [useraccount at lumc.nl]
Wed Oct  4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-2, useraccount
Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [useraccount at lumc.nl]
Wed Oct  4 13:22:22 2017: DEBUG: EAP Failure, elapsed time 0.000004
Wed Oct  4 13:22:22 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA: 
Wed Oct  4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct  4 13:22:22 2017: DEBUG: Response type 26
Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [useraccount at lumc.nl]
Wed Oct  4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-3, useraccount
Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [useraccount at lumc.nl]
Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000004
Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP V2 failed: no such user useraccount
Wed Oct  4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA: 
Wed Oct  4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct  4 13:22:23 2017: DEBUG: Response type 26
Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [useraccount at lumc.nl]
Wed Oct  4 13:22:23 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-4, useraccount
Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthLSA ACCEPT: : useraccount [useraccount at lumc.nl]
Wed Oct  4 13:22:23 2017: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name or password is incorrect.


Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000005
Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP-V2 Authentication failure
Wed Oct  4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA: 
Wed Oct  4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct  4 13:22:23 2017: DEBUG: Response type 26
Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000004
Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct  4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA: 
Wed Oct  4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct  4 13:22:23 2017: DEBUG: Response type 26
Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000004
Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct  4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA: 
Wed Oct  4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
Wed Oct  4 13:22:23 2017: DEBUG: Response type 26
Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000003
Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct  4 13:22:23 2017: DEBUG: AuthBy GROUP result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct  4 13:22:23 2017: DEBUG: AuthBy HANDLER result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct  4 13:22:23 2017: INFO: Access rejected for useraccount at lumc.nl: EAP MSCHAP-V2 mschaptype Response in state FAILED


While processing the multiple AuthBys and a user provided a wrong password, I was used to seeing this behavior:
Let's say the user account was part of AD group 2.
Processing will proceed with the first couple of groups and then give this result each time:
DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [useraccount at lumc.nl]
Once it arrived at the proper group for that user account, while the user had provided the wrong password, it would say:
WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name or password is incorrect.
After that it would continue processing the other groups again (don't see why it would do this, but whatever :D) unless it was the last group check.
In case there were still groups left to check, it would process those and then exit with the message below again:
DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [useraccount at lumc.nl]

In my resulting logfile, the reason provided for why a user account was denied access was "LSA User is not a member of any Group" instead of "The user name or password is incorrect".

However, I don't understand what exactly is going on now on my new setup.
Would it actually be possible to just stop processing entirely after it encountered one "WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name or password is incorrect." message? That way, in my resulting logfile I would at least always see useful messages as to why an authentication has been rejected (compared to having to look at the debug output).

Kind regards,
Stephan Schwarz
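As an added example (not from this thread and not Radiator's own code): a small Python triage script that walks one authentication attempt in Radiator debug output and reports the real failure cause next to the reason Radiator puts in its final INFO line. The sample log is constructed from the excerpt above, and decoding the number in the WARNING line as a Windows NTSTATUS code is an assumption.

```python
import re

# Constructed sample, modelled on the Radiator debug excerpt quoted above (not a real capture).
SAMPLE_LOG = r"""
Wed Oct  4 13:22:22 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
Wed Oct  4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\DomainController, eduroam-wireless, useraccount
Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [useraccount at lumc.nl]
Wed Oct  4 13:22:23 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-4, useraccount
Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthLSA ACCEPT: : useraccount [useraccount at lumc.nl]
Wed Oct  4 13:22:23 2017: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name or password is incorrect.
Wed Oct  4 13:22:23 2017: INFO: Access rejected for useraccount at lumc.nl: EAP MSCHAP-V2 mschaptype Response in state FAILED
"""

GROUP_CHECK = re.compile(r"Checking LSA Group membership for (\S+), ([^,]+), (\S+)")
LSA_RESULT = re.compile(r"Radius::AuthLSA (ACCEPT|REJECT)")
LOGON_FAIL = re.compile(r"WARNING: Could not LogonUserNetworkMSCHAP \(V2\): (\d+), \d+, (.*)")
FINAL = re.compile(r"INFO: Access rejected for (\S+ at \S+): (.*)")


def diagnose_attempt(log_text):
    """Return (user, logged_reason, real_reason) for one authentication attempt.

    The final INFO line only carries the verdict of the last AuthBy that ran, so when
    several AuthBy LSA group checks are chained the actual cause (a wrong password in
    the group the user does belong to) is only visible in the DEBUG/WARNING lines.
    """
    user = logged_reason = real_reason = None
    current_group, matched, unmatched = None, [], []
    for line in log_text.splitlines():
        m = GROUP_CHECK.search(line)
        if m:                                   # remember which group is being tested
            current_group = m.group(2)
            continue
        m = LSA_RESULT.search(line)
        if m and current_group:                 # attribute the verdict to that group
            (matched if m.group(1) == "ACCEPT" else unmatched).append(current_group)
            current_group = None
            continue
        m = LOGON_FAIL.search(line)
        if m:                                   # assumption: the number is an NTSTATUS code
            real_reason = "%s (NTSTATUS 0x%08X, group %s)" % (
                m.group(2), int(m.group(1)), matched[-1] if matched else "?")
            continue
        m = FINAL.search(line)
        if m:
            user, logged_reason = m.group(1), m.group(2)
    if real_reason is None:                     # no password failure seen at all
        real_reason = logged_reason if matched else \
            "not a member of any checked group: " + ", ".join(unmatched)
    return user, logged_reason, real_reason
```

Run it over a whole debug log by splitting on the "Handling request with Handler" lines and calling `diagnose_attempt` per chunk.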




-----Original Message-----
From: radiator [mailto:radiator-bounces at lists.open.com.au] On Behalf Of Tuure Vartiainen
Sent: Monday, October 2, 2017 3:57 PM
To: radiator <radiator at lists.open.com.au>
Subject: Re: [RADIATOR] Cannot process multiple AuthBy sections during authentication request

Hi Stephan,

> On 2 Oct 2017, at 13.48, <S.Schwarz at lumc.nl> <S.Schwarz at lumc.nl> wrote:
> 
> I saw the disclaimer saying EAP_MSCHAPv2_UseMultipleAuthBys should be avoided, but instead try to use EAP_PEAP_MSCHAP_Convert.
> What would normally be the recommended situation to use the EAP_PEAP_MSCHAP_Convert at?
> 

When you are proxying requests to RADIUS server which does not support EAP-MSCHAPv2 but can still handle ordinary RADIUS-MSCHAPV2.

http://www.open.com.au/radiator/ref/EAP_PEAP_MSCHAP_Convert.html#EAP_PEAP_MSCHAP_Convert


Currently, EAP_MSCHAPv2_UseMultipleAuthBys is a kind of a workaround, but should not be needed in a future.

> 
> Since we share our infrastructure, we use a proxy RADIUS server (also radiator) in order to forward the requests to the customer network for request handling. Would the best practice generally be to use the convert part at the proxy or on the validating RADIUS server?
> 

To do the conversion at the proxying RADIUS server.


BR
--
Tuure Vartiainen <vartiait at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator at lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
