[RADIATOR] Can AuthBy FAILUREPOLICY be used together with EAP?
Ralf Wenk
iz-osc2017 at hs-karlsruhe.de
Tue Feb 18 13:57:29 UTC 2020
Hello,
To move accounts with a wrong password into a special VLAN I tried
to expand our current authentication configuration with an AuthBy
FAILUREPOLICY clause.
Debugging at trace-level 4 showed that the Access-Accept packets
from the AuthBy FAILUREPOLICY are missing the EAP-Message attribute.
I have tried several possible configurations, but the result is
always the same. The EAP-Message attribute is missing and because of
that the outer EAP handler does not catch the packet.
The latest experimental configuration looks like:
<AuthBy FAILUREPOLICY>
    Identifier LAN-FailurePolicy
    PolicyResult ACCEPT
    FailurePolicyContext FailPolicy-LAN
    ConsecutiveFailures 2
    ConsecutiveLockTime 300
    CumulativeFailures 200
    CumulativeLockTime 14400
    CumulativeWindow 43200
    NoEAP
</AuthBy>

<Handler TunnelledByPEAP=1, Realm=/^test\.hs-karlsruhe\.de$/io>
    Identifier InnerUserAuthPEAPnoExt2
    <AuthBy GROUP>
        AuthBy LAN-FailurePolicy
        StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID
        AddToReply Tunnel-Type=VLAN,Tunnel-Medium-Type=802,Tunnel-Private-Group-ID=1234,Session-Timeout=3600
    </AuthBy>
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileReject
            AuthBy SQL_stud
            AuthBy SQL_staff
        </AuthBy>
        <AuthBy GROUP>
            AuthBy SQL_UserPorts
            StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID
            AddToReply Tunnel-Type=VLAN,Tunnel-Medium-Type=802,Session-Timeout=3600
        </AuthBy>
    </AuthBy>
    PostAuthHook sub { Radius::AuthFAILUREPOLICY::failure_policy_post_auth_hook(@_); }
</Handler>

<Handler Realm=/^test\.hs-karlsruhe\.de$/io>
    <AuthBy FILE>
        IgnoreAccounting
        Filename %D/802.1x_anonymous
        EAPType PEAP
        EAPAnonymous %0
        EAPTLS_CAFile %D/certificates/CA_list.pem
        EAPTLS_CertificateFile %D/certificates/radius-rsa.crt
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/radius-rsa.key
        EAPTLS_PrivateKeyPassword 1234
        EAPTLS_Protocols TLSv1.2
        EAPTLS_PEAPVersion 0
    </AuthBy>
    Identifier OuterUserAuth
</Handler>
And a typical trace of InnerUserAuthPEAPnoExt2 when LAN-FailurePolicy matches
looks like:
DEBUG: Handling request with Handler 'TunnelledByPEAP=1, Realm=/^test\.hs-karlsruhe\.de$/io', Identifier 'InnerUserAuthPEAPnoExt2'
DEBUG: Handling with Radius::AuthGROUP:
DEBUG: Radius::AuthGROUP: LAN-FailurePolicy result: ACCEPT, Consecutive lock, seconds remaining 236
DEBUG: AuthBy GROUP result: ACCEPT, Consecutive lock, seconds remaining 236
DEBUG: Access accepted for a at test.hs-karlsruhe.de
DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Accept
Identifier: UNDEF
Authentic: <162>L<140>L~<229><197><13><12><133>@<226>&<245><229><156>
Attributes:
    Tunnel-Type = VLAN
    Tunnel-Medium-Type = 802
    Session-Timeout = 3600
    Tunnel-Private-Group-ID = 1234
I have also tried LAN-FailurePolicy without "NoEAP", or with "EAPType
MSCHAP-V2" and "EAP_MSCHAPv2_UseMultipleAuthBys" added, but the resulting
packet is never picked up by the OuterUserAuth handler.
Am I missing or misunderstanding something, or can FAILUREPOLICY not be used
in EAP authentication (yet)?
Regards, Ralf
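A small triage script for traces like the one in the post, added here as an example and not part of the original post or of Radiator itself: it extracts every "Returned PEAP tunnelled packet dump" from a trace-level 4 log and reports the tunnelled Access-Accepts that carry no EAP-Message attribute, which is the symptom described above. The sample trace is constructed and only mimics the layout of the Radiator output.

```python
# Constructed sample, modelled on the Radiator trace-level 4 layout shown in
# the post (not a real capture). The first tunnelled reply carries only VLAN
# attributes and no EAP-Message; the second one is what an EAP-aware inner
# AuthBy would normally return.
SAMPLE_TRACE = """\
DEBUG: AuthBy GROUP result: ACCEPT, Consecutive lock, seconds remaining 236
DEBUG: Access accepted for a at test.hs-karlsruhe.de
DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Accept
Identifier: UNDEF
Authentic: <162>L<140>L~<229>
Attributes:
\tTunnel-Type = VLAN
\tTunnel-Medium-Type = 802
\tSession-Timeout = 3600
\tTunnel-Private-Group-ID = 1234
DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Accept
Identifier: UNDEF
Authentic: <1><2>
Attributes:
\tEAP-Message = <3><5><0><4>
\tMessage-Authenticator = <0>
"""

def parse_tunnelled_replies(trace):
    """Return a list of (code, {attribute: value}) for each tunnelled reply dump.

    A dump starts at a 'Returned PEAP tunnelled packet dump:' line and ends at
    the next line that starts with 'DEBUG:'.
    """
    replies, lines, i = [], trace.splitlines(), 0
    while i < len(lines):
        if lines[i].strip().endswith("Returned PEAP tunnelled packet dump:"):
            code, attrs = None, {}
            i += 1
            while i < len(lines) and not lines[i].startswith("DEBUG:"):
                line = lines[i].strip()
                if line.startswith("Code:"):
                    code = line.split(":", 1)[1].strip()
                elif " = " in line:          # attribute lines: "Name = value"
                    name, value = line.split(" = ", 1)
                    attrs[name.strip()] = value.strip()
                i += 1
            replies.append((code, attrs))
        else:
            i += 1
    return replies

def find_eap_less_accepts(trace):
    """Indices of tunnelled Access-Accepts that lack an EAP-Message attribute."""
    return [n for n, (code, attrs) in enumerate(parse_tunnelled_replies(trace))
            if code == "Access-Accept" and "EAP-Message" not in attrs]
```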