[RADIATOR] Cannot process multiple AuthBy sections during authentication request

Tuure Vartiainen vartiait at open.com.au
Wed Oct 18 11:26:34 UTC 2017


Hi,

> On 5 Oct 2017, at 5.11, S.Schwarz at lumc.nl wrote:
> 
> I have 1 more question while I'm at it..
> 
> After using this UseMultipleAuthBys method, I get a different results than what I had on my old server.
> See the result below:
> 
> Wed Oct  4 13:22:22 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
> Wed Oct  4 13:22:22 2017: DEBUG:  Deleting session for useraccount at lumc.nl, 172.16.71.249, 0
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthHANDLER: 
> Wed Oct  4 13:22:22 2017: DEBUG: AuthBy HANDLER is redirecting to Handler 'Auth_ActiveDirectory'
> Wed Oct  4 13:22:22 2017: DEBUG: Handling request with Handler 'Identifier=^(Handler_PEAP|Handler_TTLS|Handler_From_QManage)$', Identifier 'Auth_ActiveDirectory'
> Wed Oct  4 13:22:22 2017: DEBUG:  Deleting session for useraccount at lumc.nl, 172.16.71.249, 0
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthGROUP: 
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:22 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [useraccount at lumc.nl]
> Wed Oct  4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\DomainController, eduroam-wireless, useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [useraccount at lumc.nl]
> Wed Oct  4 13:22:22 2017: DEBUG: EAP Failure, elapsed time 0.073829
> Wed Oct  4 13:22:22 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP V2 failed: no such user useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:22 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [useraccount at lumc.nl]
> Wed Oct  4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-1, useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [useraccount at lumc.nl]
> Wed Oct  4 13:22:22 2017: DEBUG: EAP Failure, elapsed time 0.000004
> Wed Oct  4 13:22:22 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP V2 failed: no such user useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:22 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [useraccount at lumc.nl]
> Wed Oct  4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-2, useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [useraccount at lumc.nl]
> Wed Oct  4 13:22:22 2017: DEBUG: EAP Failure, elapsed time 0.000004
> Wed Oct  4 13:22:22 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP V2 failed: no such user useraccount
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:22 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:22 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [useraccount at lumc.nl]
> Wed Oct  4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-3, useraccount
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [useraccount at lumc.nl]
> Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000004
> Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user useraccount
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP V2 failed: no such user useraccount
> Wed Oct  4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:23 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthLSA looks for match with useraccount [useraccount at lumc.nl]
> Wed Oct  4 13:22:23 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-4, useraccount
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthLSA ACCEPT: : useraccount [useraccount at lumc.nl]

here “useraccount” is part of the lumc-wireless-4 group

> Wed Oct  4 13:22:23 2017: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name or password is incorrect.
> Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000005
> Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP-V2 Authentication failure

so the password is verified and the verification fails: “REJECT, EAP MSCHAP-V2 Authentication failure”

as the configured AuthByPolicy is ContinueWhileReject, the rest of the AuthBys in the AuthBy GROUP are evaluated, but 
as EAP-MSCHAPv2 has already failed, the rest of the AuthBy LSAs return “REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED”

> Wed Oct  4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:23 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000004
> Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 mschaptype Response in state FAILED
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
> Wed Oct  4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:23 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000004
> Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 mschaptype Response in state FAILED
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
> Wed Oct  4 13:22:23 2017: DEBUG: Handling with Radius::AuthLSA: 
> Wed Oct  4 13:22:23 2017: DEBUG: Handling with EAP: code 2, 134, 76, 26
> Wed Oct  4 13:22:23 2017: DEBUG: Response type 26
> Wed Oct  4 13:22:23 2017: DEBUG: EAP Failure, elapsed time 0.000003
> Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 mschaptype Response in state FAILED
> Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthGROUP:  result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
> Wed Oct  4 13:22:23 2017: DEBUG: AuthBy GROUP result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
> Wed Oct  4 13:22:23 2017: DEBUG: AuthBy HANDLER result: REJECT, EAP MSCHAP-V2 mschaptype Response in state FAILED
> Wed Oct  4 13:22:23 2017: INFO: Access rejected for useraccount at lumc.nl: EAP MSCHAP-V2 mschaptype Response in state FAILED
> 
> 
> While processing the multiple AuthBys, when a user provided a wrong password I was used to seeing this behavior:
> Let's say the user account was part of AD group 2
> Processing will proceed with the first couple of groups and then give this result each time
> DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [useraccount at lumc.nl]
> Once it arrived at the proper group for that user account, while the user had provided the wrong password it would say
> WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name or password is incorrect.
> After that it would continue processing the other groups again (don't see why it would do this, but whatever :D) unless it was the last group check.

that’s because the AuthByPolicy for the AuthBy GROUP has been configured to ContinueWhileReject.

> In case there were still groups left to check, it would process those and then exit with the message below again
> DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [useraccount at lumc.nl]
> 
> In my resulting logfile why a user account was denied access, the reason provided was " LSA User is not a member of any Group" instead of " The user name or password is incorrect".
> 
> However I don't understand what exactly is going on now on my new setup.

hopefully my explanation above sheds some light on the reason.

> Would it actually be possible to just stop processing entirely after it encountered one "WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name or password is incorrect." message? Since that way in my resulting logfile I at least would always see useful messages as to why an authentication has been rejected (compared to having to look at the debug output).
> 

the reject reason you will now see in your AuthLog is 

“EAP MSCHAP-V2 mschaptype Response in state FAILED”.

If evaluating AuthBys would stop after the EAP-MSCHAPv2 password verification failure, 
the reject reason would be 

“EAP MSCHAP-V2 Authentication failure”.


I tried to create an example config where group based attributes would have been assigned 
with AuthBy FILE, which is currently the de facto method for doing that, but it doesn’t work with 
EAP-MSCHAPv2, so I created a feature request for handling group based attributes 
(such as VLAN ID assignment) in a case like this.


BR
-- 
Tuure Vartiainen <vartiait at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
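As an added example that is not part of this thread or of Radiator itself: the debug output above shows why the AuthLog reason is misleading under ContinueWhileReject. The first "Could not LogonUserNetworkMSCHAP" WARNING is the real verdict; every later AuthBy LSA only reports the stale "Response in state FAILED" because the EAP-MSCHAPv2 conversation is already in its failed state, and that stale reason is what ends up in the final "Access rejected" line. The small parser below (hypothetical, constructed for this post) walks a Radiator debug log, attaches the AuthBy HANDLER redirect to the same request, records which LSA groups were checked, which one matched, whether a password-verification WARNING occurred and how many stale failures followed, and then reports the root cause a reviewer would actually want. The two log samples are constructed: the first is condensed from the lines quoted above, the second models the no-group case from the same thread, with its final INFO line constructed since the thread only shows the AuthGROUP result.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, condensed from the debug output quoted in the thread.
PASSWORD_LOG = r"""
Wed Oct  4 13:22:22 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
Wed Oct  4 13:22:22 2017: DEBUG: AuthBy HANDLER is redirecting to Handler 'Auth_ActiveDirectory'
Wed Oct  4 13:22:22 2017: DEBUG: Handling request with Handler 'Identifier=^(Handler_PEAP|Handler_TTLS|Handler_From_QManage)$', Identifier 'Auth_ActiveDirectory'
Wed Oct  4 13:22:22 2017: DEBUG: Checking LSA Group membership for \\DomainController, eduroam-wireless, useraccount
Wed Oct  4 13:22:22 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: useraccount [useraccount at lumc.nl]
Wed Oct  4 13:22:23 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-4, useraccount
Wed Oct  4 13:22:23 2017: DEBUG: Radius::AuthLSA ACCEPT: : useraccount [useraccount at lumc.nl]
Wed Oct  4 13:22:23 2017: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name or password is incorrect.
Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct  4 13:22:23 2017: DEBUG: EAP result: 1, EAP MSCHAP-V2 mschaptype Response in state FAILED
Wed Oct  4 13:22:23 2017: INFO: Access rejected for useraccount at lumc.nl: EAP MSCHAP-V2 mschaptype Response in state FAILED
"""

# Constructed sample for the no-group case; the final INFO line is constructed.
NO_GROUP_LOG = r"""
Wed Oct  4 13:30:00 2017: DEBUG: Handling request with Handler 'TunnelledByPEAP=1', Identifier 'Handler_PEAP'
Wed Oct  4 13:30:00 2017: DEBUG: Checking LSA Group membership for \\DomainController, eduroam-wireless, otheruser
Wed Oct  4 13:30:00 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: otheruser [otheruser at lumc.nl]
Wed Oct  4 13:30:00 2017: DEBUG: Checking LSA Group membership for \\DomainController, lumc-wireless-1, otheruser
Wed Oct  4 13:30:00 2017: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA User is not a member of any Group: otheruser [otheruser at lumc.nl]
Wed Oct  4 13:30:00 2017: INFO: Access rejected for otheruser at lumc.nl: EAP MSCHAP V2 failed: no such user otheruser
"""

RE_REQUEST = re.compile(r"Handling request with Handler '(?P<handler>[^']*)', Identifier '(?P<id>[^']*)'")
RE_GROUP = re.compile(r"Checking LSA Group membership for (?P<dc>\S+), (?P<group>[^,]+), (?P<user>\S+)")
RE_LSA_ACCEPT = re.compile(r"Radius::AuthLSA ACCEPT")
RE_PW_WARN = re.compile(r"Could not LogonUserNetworkMSCHAP \(V2\): (?P<ntstatus>\d+), \d+, (?P<msg>.+)$")
RE_STALE = re.compile(r"EAP result: \d+, EAP MSCHAP-V2 mschaptype Response in state FAILED")
RE_FINAL = re.compile(r"INFO: Access (?P<verdict>accepted|rejected) for (?P<user>.+?): (?P<reason>.+)$")


@dataclass
class RequestTrace:
    handler: str = ""
    groups_checked: List[str] = field(default_factory=list)
    matched_group: Optional[str] = None      # group whose AuthBy LSA accepted the membership check
    password_error: Optional[str] = None     # text of the LogonUserNetworkMSCHAP WARNING, if any
    stale_failures: int = 0                  # later LSAs that only saw the already-failed EAP state
    logged_reason: Optional[str] = None      # what the final Access rejected/accepted line says

    def root_cause(self) -> str:
        """The reason a reviewer wants, rather than the last AuthBy's stale verdict."""
        if self.password_error:
            return f"password verification failed for group '{self.matched_group}': {self.password_error}"
        if self.groups_checked and self.matched_group is None:
            return "user is not a member of any configured group: " + ", ".join(self.groups_checked)
        return self.logged_reason or "unknown"


def parse_traces(text: str) -> List[RequestTrace]:
    traces: List[RequestTrace] = []
    current: Optional[RequestTrace] = None
    pending_group: Optional[str] = None
    for line in text.strip().splitlines():
        m = RE_REQUEST.search(line)
        if m:
            # A new trace starts only once the previous request has its final verdict;
            # otherwise this is the AuthBy HANDLER redirect inside the same request.
            if current is None or current.logged_reason is not None:
                current = RequestTrace(handler=m.group("id"))
                traces.append(current)
            else:
                current.handler = m.group("id")
            continue
        if current is None:
            continue
        m = RE_GROUP.search(line)
        if m:
            pending_group = m.group("group")
            current.groups_checked.append(pending_group)
            continue
        if RE_LSA_ACCEPT.search(line):
            current.matched_group = pending_group
            continue
        m = RE_PW_WARN.search(line)
        if m:
            current.password_error = m.group("msg")
            continue
        m = RE_FINAL.search(line)
        if m:
            current.logged_reason = m.group("reason")
            continue
        if RE_STALE.search(line):
            current.stale_failures += 1
    return traces


def summarize(text: str) -> List[str]:
    """One line per request: the derived root cause next to what AuthLog would have said."""
    return [
        f"{t.handler}: {t.root_cause()} "
        f"[{t.stale_failures} stale LSA verdict(s); AuthLog reason: {t.logged_reason}]"
        for t in parse_traces(text)
    ]


if __name__ == "__main__":
    for sample in (PASSWORD_LOG, NO_GROUP_LOG):
        for line in summarize(sample):
            print(line)
```

Run it against a real debug log (`parse_traces(open("radiator.log").read())`) and the summary names the group that matched and the password failure, which is the information the AuthLog entry "EAP MSCHAP-V2 mschaptype Response in state FAILED" hides. The stale-failure counter is a quick way to spot how many AuthBy LSAs were evaluated after the outcome was already decided.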
