[RADIATOR] Can AuthBy FAILUREPOLICY be used together with EAP?

Ralf Wenk iz-osc2017 at hs-karlsruhe.de
Tue Feb 18 13:57:29 UTC 2020


Hello,

to move accounts with a wrong password into a special VLAN I tried
to expand our current authentication configuration with an AuthBy
FAILUREPOLICY clause.

Debugging at trace-level 4 showed that the Access-Accept packets
from the AuthBy FAILUREPOLICY are missing the EAP-Message attribute.

I have tried several possible configurations, but the result is
always the same. The EAP-Message attribute is missing and because of
that the outer EAP handler does not catch the packet.

The latest experimental configuration looks like:

<AuthBy FAILUREPOLICY>
        Identifier              LAN-FailurePolicy
        PolicyResult            ACCEPT
        FailurePolicyContext    FailPolicy-LAN
        ConsecutiveFailures         2
        ConsecutiveLockTime       300
        CumulativeFailures        200
        CumulativeLockTime      14400
        CumulativeWindow        43200
        NoEAP
</AuthBy>

<Handler TunnelledByPEAP=1, Realm=/^test\.hs-karlsruhe\.de$/io>
        Identifier      InnerUserAuthPEAPnoExt2
        <AuthBy GROUP>
                AuthBy          LAN-FailurePolicy
                StripFromReply  Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID
                AddToReply      Tunnel-Type=VLAN,Tunnel-Medium-Type=802,Tunnel-Private-Group-ID=1234,Session-Timeout=3600
        </AuthBy>
        <AuthBy GROUP>
                AuthByPolicy    ContinueWhileAccept
                <AuthBy GROUP>  
                        AuthByPolicy    ContinueWhileReject
                        AuthBy          SQL_stud
                        AuthBy          SQL_staff
                </AuthBy>
                <AuthBy GROUP>
                        AuthBy          SQL_UserPorts
                        StripFromReply  Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID
                        AddToReply      Tunnel-Type=VLAN,Tunnel-Medium-Type=802,Session-Timeout=3600
                </AuthBy>
        </AuthBy>
        PostAuthHook    sub { Radius::AuthFAILUREPOLICY::failure_policy_post_auth_hook(@_); }
</Handler>

<Handler Realm=/^test\.hs-karlsruhe\.de$/io>
        <AuthBy FILE>
                IgnoreAccounting
                Filename %D/802.1x_anonymous
                EAPType         PEAP
                EAPAnonymous    %0
                EAPTLS_CAFile           %D/certificates/CA_list.pem
                EAPTLS_CertificateFile  %D/certificates/radius-rsa.crt
                EAPTLS_CertificateType  PEM
                EAPTLS_PrivateKeyFile   %D/certificates/radius-rsa.key
                EAPTLS_PrivateKeyPassword       1234
                EAPTLS_Protocols        TLSv1.2
                EAPTLS_PEAPVersion 0
        </AuthBy>
        Identifier OuterUserAuth
</Handler>

And a typical trace of InnerUserAuthPEAPnoExt2 when LAN-FailurePolicy matches
looks like

DEBUG: Handling request with Handler 'TunnelledByPEAP=1,
 Realm=/^test\.hs-karlsruhe\.de$/io, Identifier 'InnerUserAuthPEAPnoExt2'
DEBUG: Handling with Radius::AuthGROUP: 
DEBUG: Radius::AuthGROUP: LAN-FailurePolicy result: ACCEPT,
 Consecutive lock, seconds remaining 236
DEBUG: AuthBy GROUP result: ACCEPT, Consecutive lock,
 seconds remaining 236
DEBUG: Access accepted for a at test.hs-karlsruhe.de
DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <162>L<140>L~<229><197><13><12><133>@<226>&<245><229><156>
Attributes:
        Tunnel-Type = VLAN
        Tunnel-Medium-Type = 802
        Session-Timeout = 3600
        Tunnel-Private-Group-ID = 1234



I have also tried LAN-FailurePolicy without "NoEAP" or with "EAPType
MSCHAP-V2" and "EAP_MSCHAPv2_UseMultipleAuthBys" added, but the resulting
packet is never picked up by the OuterUserAuth handler.


Do I miss/misunderstand something, or can FAILUREPOLICY not be used in EAP
authentication (yet)?

Regards, Ralf
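To check quickly whether a candidate configuration produces tunnelled replies that the outer PEAP handler can consume, here is an added Python example (not part of the post and not Radiator's own code) that parses trace-level-4 packet dumps in the format shown above and flags tunnelled Access-Accepts that carry no EAP-Message attribute. The sample trace is constructed: the first dump copies the post's reply, the second is an invented healthy reply whose EAP-Message value is a made-up EAP Success.

```python
import re

# Constructed sample in the trace-level-4 dump format from the post: the first
# dump mirrors the post's tunnelled Access-Accept (no EAP-Message), the second
# is a made-up healthy reply carrying an EAP-Message (constructed EAP Success).
SAMPLE_TRACE = """\
DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Accept
Identifier: UNDEF
Authentic:  <162>L<140>L~<229><197><13><12><133>@<226>&<245><229><156>
Attributes:
        Tunnel-Type = VLAN
        Tunnel-Medium-Type = 802
        Session-Timeout = 3600
        Tunnel-Private-Group-ID = 1234

DEBUG: Returned PEAP tunnelled packet dump:
Code:       Access-Accept
Attributes:
        EAP-Message = <3><4><0><4>
        Tunnel-Type = VLAN
"""

DUMP_START = "DEBUG: Returned PEAP tunnelled packet dump:"
ATTR_RE = re.compile(r"^\s+(\S+) = (.*)$")   # indented "Name = Value" lines

def parse_tunnelled_dumps(trace):
    """Return [(code, {attr: value}), ...] for every tunnelled packet dump."""
    dumps, lines, i = [], trace.splitlines(), 0
    while i < len(lines):
        if lines[i].strip() != DUMP_START:
            i += 1
            continue
        code, attrs = None, {}
        i += 1
        while i < len(lines):
            line = lines[i]
            m = re.match(r"^Code:\s+(\S+)", line)
            a = ATTR_RE.match(line)
            if m:
                code = m.group(1)
            elif a:
                attrs[a.group(1)] = a.group(2)
            elif not line.startswith(("Identifier:", "Authentic:", "Attributes:")):
                break          # blank line or next DEBUG line ends the dump
            i += 1
        dumps.append((code, attrs))
    return dumps

def missing_eap_message(trace):
    """Indices of tunnelled Access-Accepts lacking EAP-Message (outer PEAP handler
    will not pick these up, which is the symptom described in the post)."""
    return [n for n, (code, attrs) in enumerate(parse_tunnelled_dumps(trace))
            if code == "Access-Accept" and "EAP-Message" not in attrs]
```

Running missing_eap_message over a real trace file tells you at a glance which inner replies would be dropped before trying the next configuration variant.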


